[Swan] Libreswan doesn't recognize NSS DB
Computerisms Corporation
bob at computerisms.ca
Thu Dec 12 20:52:10 UTC 2019
On my Debian machines I put the NSS database at /etc/ipsec.d, but I have
to use the sql argument:

    certutil -L -d sql:/etc/ipsec.d

On 2019-11-27 6:38 p.m., Paul Wouters wrote:
> Debian’s nss db lives in /var/lib/ipsec/nss instead of /etc/ipsec.d
>
> On Nov 27, 2019, at 22:39, MARSON Ismenia
> <ismenia.marson-ext at sagemcom.com> wrote:
>
>> Hi all,
>>
>> I'm using libreswan on Debian 10, and I want to do IPsec with certificate
>> exchange.
>>
>> I followed these instructions:
>> https://github.com/libreswan/libreswan/blob/master/docs/nss-howto.txt
>>
>> But libreswan doesn't recognize my user certificate:
>>
>> The error is:
>>
>> root at XXX:/etc/ipsec.d# ipsec auto --add mytunnel
>> 000 left certificate with nickname 'usercert1' was not found in NSS DB
>>
>> But when I list my certificates with certutil I see this:
>>
>> root at XXX:/etc/ipsec.d# certutil -L -d /etc/ipsec.d
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> ipsec-client.ads.local - LOCAL                u,u,u
>> cacert1                                       Cu,Cu,Cu
>> _usercert1 _                                  u,u,u
>>
>> => the certificate is in the NSS DB, so I don't understand what the
>> problem is.
>>
>> My conf file is like:
>>
>> root at XXX:/etc/ipsec.d# less my_host-to-host.conf
>> conn mytunnel
>>     left="IP_left"
>>     leftid="CN=usercert1"
>>     leftsourceip="IP_left"
>>     leftrsasigkey=%cert
>>     leftcert=usercert1
>>     leftnexthop="IP_right"
>>     right="IP_right"
>>     rightid="CN=usercert2"
>>     rightsourceip="IP_right"
>>     rightrsasigkey=%cert
>>     rightnexthop="IP_left"
>>     rekey=no
>>     esp="aes-sha1"
>>     ike="aes-sha1"
>>     auto=add
>>
>> Can you help me please?
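
Added example, not part of the thread: a shell script that, for the two directories named above (/etc/ipsec.d and /var/lib/ipsec/nss), reports which NSS database format is on disk and asks certutil for the nickname using the matching sql: or dbm: prefix. The function names are hypothetical; format detection assumes NSS's standard file names (cert9.db/key4.db for the SQLite format, cert8.db/key3.db for the legacy DBM format).

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the NSS database format found in directory $1:
#   sql  = cert9.db + key4.db (SQLite), dbm = cert8.db + key3.db (legacy),
#   both = two independent databases side by side, none = no database files.
nss_db_format() {
    dir=$1; has_sql=0; has_dbm=0
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then has_sql=1; fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then has_dbm=1; fi
    case "$has_sql$has_dbm" in
        11) echo both ;;
        10) echo sql ;;
        01) echo dbm ;;
        *)  echo none ;;
    esac
}

# Look up nickname $2 in every database found in directory $1.
# Prints "<prefix>:<dir> found|missing|unchecked", or "<dir> none".
check_nickname() {
    dir=$1; nick=$2
    fmt=$(nss_db_format "$dir")
    case "$fmt" in
        none) echo "$dir none"; return 0 ;;
        both) prefixes="sql dbm" ;;
        *)    prefixes=$fmt ;;
    esac
    for p in $prefixes; do
        if ! command -v certutil >/dev/null 2>&1; then
            echo "$p:$dir unchecked"      # certutil not installed
        elif certutil -L -d "$p:$dir" -n "$nick" >/dev/null 2>&1; then
            echo "$p:$dir found"
        else
            echo "$p:$dir missing"
        fi
    done
}

# Usage: sh nsscheck.sh usercert1   (directories are the two named in the thread)
if [ "$#" -ge 1 ]; then
    for d in /etc/ipsec.d /var/lib/ipsec/nss; do
        check_nickname "$d" "$1"
    done
fi
```

A directory reported as "both" holds two separate databases, so a certificate imported through one prefix is not visible through the other.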