[Openswan Users] can not load private key which is in ipsec.d/private

Laurent Jouannic laurent.jouannic at cbsa.fr
Thu Nov 27 04:23:56 EST 2014


Hi,

I've never used the NSS stuff, I'm driving the old way, FreeS/WAN's way :)

Well, I found some stuff at this URL:

http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12

NSS brings a new way:

Changes in the certificates usage with Pluto
------------------------------------------------
1) ipsec.conf changes

The only change is "leftcert" field must contain the nick name of the user
cert. For example if the nickname of the user cert is "xyz", then it can be
"leftcert=xyz".

2) ipsec.secrets changes

  : RSA <user-cert-nick-name>

You just need to provide the user cert's nick name. For example if the nickname
of the user cert is "xyz", then

  : RSA xyz

There is no need to provide private key file information or its password.

3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)
i) You need not have a "private" or "certs" directory.


So, if I understood correctly, you should have to use some quotes (") around your leftcert value:

: RSA "gateway.openswan.com - HCA"
=>
: RSA gateway.openswan.com - HCA

But I guess that a space ' ' isn't welcome; maybe you should change
your certificate (strip the ' ') to get gateway.openswan.com-HCA
instead of gateway.openswan.com - HCA.

Good luck.



On 27/11/2014 02:58, Michael Leung wrote:
>
> : RSA file.key "password"
>
> I tried this too; openswan considered it a nickname and then tried to
> read it from the NSS certificate DB.
>
> On Nov 26, 2014 11:25 PM, "Laurent Jouannic" <laurent.jouannic at cbsa.fr> wrote:
>
>     This line is strange, isn't it...
>
>     : RSA "gateway.openswan.com - HCA"
>
>     It should be like:
>
>     : RSA file.key "pass"
>
>     OR
>
>     @ID_connection: RSA       {
>             # RSA 2 pow n bits   debian /date/
>             # for signatures only, UNSAFE FOR ENCRYPTION
>             #pubkey=/pubkey/
>             #IN KEY  xxxxx
>     XYXYXYXYXYYXYYXY
>             # blablabla
>             Modulus:
>         MODMOD
>             PublicExponent: 51
>             # everything after this point is secret
>             PrivateExponent: 0xXXXXXX
>             Prime1: 0xXXXXXX
>             Prime2: 0xXXXXXX
>             Exponent1: 0xXXXXXX
>             Exponent2: 0xXXXXXX
>             Coefficient: 0xXXXXXX
>             }
>
>
>
>
>
>     On 26/11/2014 10:35, Michael Leung wrote:
>>     this is my ipsec.conf
>>
>>     version 2.0
>>
>>     config setup
>>             protostack=netkey
>>             nat_traversal=yes
>>             virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>             oe=off
>>             dumpdir=/var/run/pluto/
>>             plutostderrlog=/var/log/pluto.log
>>
>>     conn L2TP-PSK-NAT
>>             rightsubnet=vhost:%priv
>>             also=L2TP-PSK-noNAT
>>
>>     conn L2TP-PSK-noNAT
>>             authby=rsasig
>>             pfs=no
>>             auto=add
>>             keyingtries=3
>>             rekey=no
>>             ikelifetime=8h
>>             keylife=1h
>>             type=transport
>>
>>             left=10.7.255.154
>>             leftsubnet=192.168.7.0/24
>>             leftprotoport=17/1701
>>             leftsendcert=always
>>             leftrsasigkey=%cert
>>             leftcert="gateway.openswan - HCC"
>>
>>             right=%any
>>             rightprotoport=17/%any
>>             rightrsasigkey=%cert
>>
>>
>>     On Wed, Nov 26, 2014 at 5:15 PM, Michael Leung
>>     <gbcbooksmj at gmail.com> wrote:
>>
>>         Hi Group,
>>
>>
>>
>>         following is my ipsec.d/ipsec.secrets content
>>         #------------------------------------------------------------
>>         : RSA "gateway.openswan.com - HCA"
>>         : RSA vpngateway.key "123123123ly"
>>         #--------------------------------------------------------------
>>
>>         after starting ipsec setup start
>>
>>         we got debug info
>>         -----------------------------------
>>             could not open host cert with nick name 'vpngateway.key'
>>         in NSS DB
>>         "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
>>         -----------------------------------
>>
>>         I notice that my OS is CentOS 6.5; I installed openswan from
>>         the yum repository, which means openswan has use_nss=true
>>         turned on, so I can understand why we still have the "NSS
>>         certificate not found" output.
>>
>>         But what I am wondering about is:
>>
>>         we also have this debug output
>>
>>         ----------------------------------------
>>         packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method set to=109
>>         packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>>         packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>>         packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>         packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
>>         packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=supurstart@openswan.com'
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>         "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
>>
>>         -----------------------------------------------------------------------------
>>
>>         It seems openswan doesn't load the X.509 certificate correctly.
>>
>>         I have transformed the X.509 certificate to PKCS#12 and imported it
>>         into the NSS DB.
>>
>>         -------------------------------------
>>         [root@opensips log]# certutil -L -d /etc/ipsec.d/
>>
>>         Certificate Nickname                     Trust Attributes
>>                                                  SSL,S/MIME,JAR/XPI
>>
>>         nexus.openswan.com - HCA                 u,u,u
>>         gateway.openswan - HCA                   u,u,u
>>         -------------------------------------
>>
>>         Please give me some advice.
>>
>>
>>         --Michael Leung
>>
>>     _______________________________________________
>>     Users at lists.openswan.org  <mailto:Users at lists.openswan.org>
>>     https://lists.openswan.org/mailman/listinfo/users
>>     Micropayments:https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>     Building and Integrating Virtual Private Networks with Openswan:
>>     http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

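Editor's note on the thread above: the three places that name the certificate do not agree. ipsec.secrets has `: RSA "gateway.openswan.com - HCA"`, ipsec.conf has `leftcert="gateway.openswan - HCC"`, and `certutil -L` lists the nickname as `gateway.openswan - HCA`. NSS looks a nickname up as an exact string (spaces and case included), so any one of those differences is enough for pluto to report that the certificate was not found. The script below is an added example, not code from the thread or from the Openswan project: it extracts the nickname from a `: RSA <nick>` line and a `leftcert=` line and checks both against a `certutil -L -d /etc/ipsec.d` listing. The listing and the two config lines are constructed samples copied from the messages above; on a real host, feed it the live `certutil -L -d /etc/ipsec.d` output instead.

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): check that the NSS
# nickname named in ipsec.secrets and ipsec.conf exists in the NSS DB.

# Constructed sample of `certutil -L -d /etc/ipsec.d` output, modelled on
# the listing posted in the thread: a two-line header, a blank line, then
# one "nickname   trust-attributes" line per certificate.
SAMPLE_CERTUTIL_L='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
'

# Constructed config lines, copied from the thread's ipsec.secrets and ipsec.conf.
SAMPLE_SECRETS=': RSA "gateway.openswan.com - HCA"'
SAMPLE_LEFTCERT='        leftcert="gateway.openswan - HCC"'

# Print one NSS nickname per line from `certutil -L` output.
# Nicknames may contain spaces, so do not split on whitespace; instead
# drop the header lines and strip only the trailing trust column, which
# is letters and commas only (e.g. "u,u,u", "CT,C,C" or ",,").
nss_nicknames() {
    printf '%s\n' "$1" |
        grep -v '^Certificate Nickname' |
        grep -v 'SSL,S/MIME,JAR/XPI' |
        grep -v '^[[:space:]]*$' |
        sed -E 's/[[:space:]]+[[:alpha:],]*$//'
}

# Extract the nickname from an ipsec.secrets line of the NSS form
#   : RSA <nickname>     or     : RSA "<nickname with spaces>"
# (raw-key "@id: RSA {" blocks and ": PSK" lines are not handled here).
secrets_nickname() {
    printf '%s\n' "$1" |
        sed -E 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]+//; s/^"(.*)"[[:space:]]*$/\1/'
}

# Extract the value of a leftcert= line from ipsec.conf, dropping quotes.
leftcert_nickname() {
    printf '%s\n' "$1" |
        sed -E 's/^[[:space:]]*leftcert=//; s/^"(.*)"[[:space:]]*$/\1/'
}

# Return 0 when $1 is exactly (whole line, fixed string) one of the
# nicknames in the certutil listing $2.
nick_in_nss_db() {
    nss_nicknames "$2" | grep -Fxq -- "$1"
}

# Check the secrets and leftcert names against the listing; report each
# result and return 0 only when both names are present in the DB.
check_config() {
    listing=$1
    secrets_line=$2
    conf_line=$3
    rc=0
    for nick in "$(secrets_nickname "$secrets_line")" "$(leftcert_nickname "$conf_line")"; do
        if nick_in_nss_db "$nick" "$listing"; then
            echo "OK      : '$nick' found in NSS DB"
        else
            echo "MISSING : '$nick' is not an NSS nickname; the DB has:"
            nss_nicknames "$listing" | sed 's/^/          /'
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed samples: both configured names differ from the
# DB nickname "gateway.openswan - HCA" (".com" in one, "HCC" in the other).
if check_config "$SAMPLE_CERTUTIL_L" "$SAMPLE_SECRETS" "$SAMPLE_LEFTCERT"; then
    echo "config nicknames match the NSS DB"
else
    echo "config nicknames do NOT match the NSS DB"
fi
```

Run it as `sh check-nick.sh`; to check a live host, replace the constructed `SAMPLE_CERTUTIL_L` with `$(certutil -L -d /etc/ipsec.d)` and pass the real `: RSA` and `leftcert=` lines. A nickname that passes this check but still produces "Can't find the private key from the NSS CERT" means the certificate is in the DB without its key; `certutil -K -d /etc/ipsec.d` lists the private keys the DB actually holds, so the PKCS#12 import can be verified from that side as well.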