[Openswan Users] can not load private key which is in ipsec.d/private
Laurent Jouannic
laurent.jouannic at cbsa.fr
Thu Nov 27 04:23:56 EST 2014
Hi,
I've never used the NSS stuff, I'm driving the old way, freeswan's way :)
Well, I found some stuff at this URL:
http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12
NSS brings some new ways:
Changes in the certificates usage with Pluto
------------------------------------------------
1) ipsec.conf changes
The only change is the "leftcert" field must contain the nickname of the user
cert. For example, if the nickname of the user cert is "xyz", then it can be
"leftcert=xyz".
2) ipsec.secrets changes
: RSA <user-cert-nick-name>
You just need to provide the user cert's nickname. For example, if the nickname
of the user cert is "xyz", then
: RSA xyz
There is no need to provide private key file information or its password.
3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)
i) You need not have a "private" or "certs" directory.
So, if I understood correctly, you should have to use some "" around your leftcert value:
: RSA "gateway.openswan.com - HCA"
=>
: RSA gateway.openswan.com - HCA
But I guess that a space ' ' isn't welcome; maybe you should change
your certificate (strip the ' ') to get gateway.openswan.com-HCA instead of
gateway.openswan.com - HCA
Good luck.
On 27/11/2014 02:58, Michael Leung wrote:
>
> : RSA file.key "password"
>
> I tried this too; openswan would consider it a nickname and then try
> to read it from the NSS certificate DB.
>
> On Nov 26, 2014 11:25 PM, "Laurent Jouannic" <laurent.jouannic at cbsa.fr> wrote:
>
> This line is strange, isn't it...
>
> : RSA "gateway.openswan.com - HCA"
>
> It should be like:
>
> : RSA file.key "pass"
>
> OR
>
> @ID_connection: RSA {
> # RSA 2 pow n bits debian /date/
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=/pubkey/
> #IN KEY xxxxx
> XYXYXYXYXYYXYYXY
> # blablabla
> Modulus:
> MODMOD
> PublicExponent: 51
> # everything after this point is secret
> PrivateExponent: 0xXXXXXX
> Prime1: 0xXXXXXX
> Prime2: 0xXXXXXX
> Exponent1: 0xXXXXXX
> Exponent2: 0xXXXXXX
> Coefficient: 0xXXXXXX
> }
>
> On 26/11/2014 10:35, Michael Leung wrote:
>> this is my ipsec.conf
>>
>> version 2.0
>>
>> config setup
>>     protostack=netkey
>>     nat_traversal=yes
>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>     oe=off
>>     dumpdir=/var/run/pluto/
>>     plutostderrlog=/var/log/pluto.log
>>
>> conn L2TP-PSK-NAT
>>     rightsubnet=vhost:%priv
>>     also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>>     authby=rsasig
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     rekey=no
>>     ikelifetime=8h
>>     keylife=1h
>>     type=transport
>>
>>     left=10.7.255.154
>>     leftsubnet=192.168.7.0/24
>>     leftprotoport=17/1701
>>     leftsendcert=always
>>     leftrsasigkey=%cert
>>     leftcert="gateway.openswan - HCC"
>>
>>     right=%any
>>     rightprotoport=17/%any
>>     rightrsasigkey=%cert
>>
>>
>> On Wed, Nov 26, 2014 at 5:15 PM, Michael Leung <gbcbooksmj at gmail.com> wrote:
>>
>> HI Group
>>
>>
>>
>> following is my ipsec.d/ipsec.secrets content
>> #------------------------------------------------------------
>> : RSA "gateway.openswan.com - HCA"
>> : RSA vpngateway.key "123123123ly"
>> #--------------------------------------------------------------
>>
>> after starting ipsec setup start
>>
>> we got debug info
>> -----------------------------------
>> could not open host cert with nick name 'vpngateway.key'
>> in NSS DB
>> "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
>> -----------------------------------
>>
>> I notice that my OS is CentOS 6.5; I installed openswan from the
>> yum repository, which means openswan has use_nss=true turned
>> on, so I can understand why we still have the "NSS certificate not
>> found" output.
>>
>> But what I am wondering about is:
>>
>> we also have this debug output
>>
>> ----------------------------------------
>> packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method set to=109
>> packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>> packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>> packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
>> packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=supurstart at openswan.com'
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
>>
>> -----------------------------------------------------------------------------
>>
>> It seems openswan doesn't load the x509 certificate correctly.
>>
>> I have transformed the x509 certificate to pkcs12, and imported them
>> into the NSS DB.
>>
>> -------------------------------------
>> [root at opensips log]# certutil -L -d /etc/ipsec.d/
>>
>> Certificate Nickname                                 Trust Attributes
>>                                                      SSL,S/MIME,JAR/XPI
>>
>> nexus.openswan.com - HCA                             u,u,u
>> gateway.openswan - HCA                               u,u,u
>> -------------------------------------
>>
>> please give me some advice.
>>
>>
>> --Michael Leung
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
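Editor's added example (not code from the thread and not Openswan's own): the three fragments quoted above name the gateway certificate three different ways, "gateway.openswan.com - HCA" on the ": RSA" line in ipsec.secrets, "gateway.openswan - HCC" in leftcert= in ipsec.conf, and "gateway.openswan - HCA" in the certutil -L listing, and the second secrets line (": RSA vpngateway.key ...") is the pre-NSS key-file form that, as the thread notes, an NSS build looks up as a nickname. The Python below cross-checks those three sources and reports each mismatch, and it pulls the numeric code out of pluto's "(err -8177)" line: in NSS's secerr.h that value is SEC_ERROR_BAD_PASSWORD, which, next to the two "password file contains no data" lines, points at the NSS database password that Openswan reads from /etc/ipsec.d/nsspassword (README.nss describes that file). The sample ipsec.conf, ipsec.secrets and certutil output are constructed from the fragments in the thread; the column layout assumed for certutil -L (nickname, two or more spaces, trust flags) and the shlex-style handling of quotes on ": RSA" lines are my assumptions rather than Openswan's own parser, and the multi-line "{ ... }" RSA form is not handled.

```python
"""Cross-check the certificate nickname Openswan's NSS build expects in
ipsec.conf (leftcert=), ipsec.secrets (': RSA <nick>') and the NSS DB."""
import re
import shlex

# Constructed sample input, modelled on the fragments posted in the thread.
IPSEC_CONF = """\
conn L2TP-PSK-noNAT
    authby=rsasig
    leftrsasigkey=%cert
    leftcert="gateway.openswan - HCC"
    rightrsasigkey=%cert
"""

IPSEC_SECRETS = """\
#------------------------------------------------------------
: RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "123123123ly"
"""

# Assumed 'certutil -L' layout: header, then nickname, 2+ spaces, trust flags.
CERTUTIL_L = """\

Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                             u,u,u
gateway.openswan - HCA                               u,u,u
"""

# Subset of NSS's secerr.h (SEC_ERROR_BASE is -0x2000 = -8192).
NSS_ERRORS = {
    -8177: "SEC_ERROR_BAD_PASSWORD",   # the code in the pluto log above
    -8178: "SEC_ERROR_BAD_KEY",
    -8166: "SEC_ERROR_NO_KEY",
}

def conf_certs(text):
    """leftcert=/rightcert= values from ipsec.conf, surrounding quotes removed."""
    nicks = []
    for line in text.splitlines():
        m = re.match(r'\s*(?:left|right)cert\s*=\s*(.+?)\s*$', line)
        if m:
            nicks.append(m.group(1).strip('"'))
    return nicks

def secrets_rsa_entries(text):
    """Parse single-line ': RSA ...' entries.  One argument is an NSS nickname;
    two (file "passphrase") is the pre-NSS key-file form, which an NSS build
    looks up as a nickname.  Quotes are interpreted with shlex (assumption)."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()        # comments start with '#'
        m = re.match(r'^(.*?):\s*RSA\s+(.*)$', line)
        if not m:
            continue
        args = shlex.split(m.group(2))
        kind = "nss_nick" if len(args) == 1 else "keyfile"
        entries.append((kind, args[0]))
    return entries

def certutil_nicknames(text):
    """Nicknames from certutil -L output (the column before the trust flags)."""
    nicks = []
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("Certificate Nickname"):
            continue                                # blank or header lines
        m = re.match(r'^(.*?)\s{2,}(\S*)\s*$', line)
        if m:
            nicks.append(m.group(1))
    return nicks

def pluto_error_code(log_line):
    """Numeric NSS code from a pluto '... (err -NNNN)' message, or None."""
    m = re.search(r'\(err (-?\d+)\)', log_line)
    return int(m.group(1)) if m else None

def nss_error_name(code):
    return NSS_ERRORS.get(code, "unknown NSS error")

def check(conf, secrets, certutil_out):
    """List the mismatches between the three sources; [] means they agree."""
    problems = []
    db = set(certutil_nicknames(certutil_out))
    entries = secrets_rsa_entries(secrets)
    secret_nicks = {n for kind, n in entries if kind == "nss_nick"}
    for kind, name in entries:
        if kind == "keyfile":
            problems.append(f'ipsec.secrets: "{name}" is a key-file entry; '
                            'an NSS build looks it up as a nickname')
        elif name not in db:
            problems.append(f'ipsec.secrets: nickname "{name}" not in NSS DB')
    for nick in conf_certs(conf):
        if nick not in db:
            problems.append(f'ipsec.conf: leftcert "{nick}" not in NSS DB')
        if nick not in secret_nicks:
            problems.append(f'ipsec.conf: leftcert "{nick}" has no ": RSA" '
                            'line in ipsec.secrets')
    return problems
```

check() on the sample input returns four findings, one per mismatch. On a real host, feed it the actual files and the output of certutil -L -d /etc/ipsec.d. Once the three sources agree, certutil -K -d /etc/ipsec.d shows whether the private key actually came in with the certificate (pk12util -i imports both); if the key is listed but pluto still reports -8177, look at the DB password and /etc/ipsec.d/nsspassword next.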