<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Debian’s nss db lives in /var/lib/ipsec/nss instead of /etc/ipsec.d<br><br><div id="AppleMailSignature" dir="ltr">Sent from my iPhone</div><div dir="ltr"><br>On Nov 27, 2019, at 22:39, MARSON Ismenia <<a href="mailto:ismenia.marson-ext@sagemcom.com">ismenia.marson-ext@sagemcom.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>Hi all, <br>
</p>
<p>I'm using libreswan on debian10, i want to do ipsec with certificate exchange.
<br>
</p>
<p>I follow this instructions <a class="moz-txt-link-freetext" href="https://github.com/libreswan/libreswan/blob/master/docs/nss-howto.txt">
https://github.com/libreswan/libreswan/blob/master/docs/nss-howto.txt</a></p>
<p>But libreswan doesn't recognize my user certificate: <br>
</p>
<p>The error is: </p>
<p><a class="moz-txt-link-abbreviated" href="mailto:root@XXX:/etc/ipsec.d#">root@XXX:/etc/ipsec.d#</a> ipsec auto --add mytunnel<br>
000 left certificate with nickname 'usercert1' was not found in NSS DB<br>
</p>
<p>But when I list my certificates with certutil I see This: <br>
</p>
<p><a class="moz-txt-link-abbreviated" href="mailto:root@XXX:/etc/ipsec.d#">root@XXX:/etc/ipsec.d#</a> certutil -L -d /etc/ipsec.d<br>
<br>
Certificate Nickname Trust Attributes<br>
SSL,S/MIME,JAR/XPI<br>
<br>
ipsec-client.ads.local - LOCAL u,u,u<br>
cacert1 Cu,Cu,Cu<br>
<u>usercert1 </u> u,u,u<br>
</p>
<p>=> the certificate is in NSS DB so i don't understand what is the problem. <br>
</p>
<p>My conf file is like: <br>
</p>
<p><a class="moz-txt-link-abbreviated" href="mailto:root@XXX:/etc/ipsec.d#">root@XXX:/etc/ipsec.d#</a> less my_host-to-host.conf
<br>
conn mytunnel<br>
left="IP_left"<br>
leftid="CN=usercert1"<br>
leftsourceip="IP_left"<br>
leftrsasigkey=%cert<br>
leftcert=usercert1<br>
leftnexthop="IP_right"<br>
right="IP_right"<br>
rightid="CN=usercert2"<br>
rightsourceip="IP_right"<br>
rightrsasigkey=%cert<br>
rightnexthop="IP_left"<br>
rekey=no<br>
esp="aes-sha1"<br>
ike="aes-sha1"<br>
auto=add<br>
</p>
<p>Can you help me please? <br>
</p>
<p><br>
</p>
<hr>Ce courriel et les documents qui lui sont joints sont, sauf mention contraire, présumés de nature confidentielle et destinées à l'usage exclusif du ou des destinataire(s) mentionné(s). Si vous n'êtes pas le ou les destinataire(s), vous êtes informé(e) que toute divulgation, reproduction, distribution, toute autre diffusion ou utilisation de cette communication ou de tout ou partie de ces informations est strictement interdite, sauf accord préalable de l’expéditeur. Si ce message vous a été transmis par erreur, merci d’immédiatement en informer l'expéditeur et supprimer de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés. En vous remerciant de votre coopération.<br>
<br>
This email and any attached documents are, unless otherwise stated, presumed to be confidential and intended for the exclusive use of the recipient(s) mentioned. If you are not the recipient(s), you are informed that any disclosure, reproduction, distribution, any other dissemination or use of this communication or all or part of this information is strictly prohibited, unless agreed beforehand by the sender. If you have received this e-mail in error, please immediately advise the sender and delete this e-mail and all the attached documents from your computer system. Thanking you for your cooperation.<br>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></body></html>