#########################################################################
# Scenario: To setup ipsec with certs in tunnel mode using NSS
#########################################################################

GW Mahine 1: w1.x1.y1.z1
GW Mahine 2: w2.x2.y2.z2

w1.x1.y1.z1 <---> w2.x2.y2.z2

Note: In this example setup, both machines are using NSS. If you want to
      use NSS only at one machine, say machine 1, you can use the following
      procedure only at machine 1, and you can use traditional ipsec setup
      at machine 2.

Note2: We are assuming the new default location of the libreswan NSS db to be
       in /var/lib/ipsec/nss . For older versions this directory is /etc/ipsec.d

Note3: It is no longer needed to specify the certificate in the ipsec.secrets
file.

1. Create a new (if not already) nss db on both machines as follows:

ipsec initnss

2. Creating CA certs at both machines:

On machine 1:

certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d sql:<path-to-ipsec.d dir>/ipsec.d

As we want to use the same certificate  "cacert1" at machine 2, it needs to be
exported first. To export the cacert1, do the following at machine 1:

pk12util -o cacert1.p12 -n cacert1 -d sql:/var/lib/ipsec/nss

Copy the file "cacert1.p12" to the machine2 in "/root/" directory.

On machine 2:
Import the "cacert1" as follows:

      cd /root/
      pk12util -i cacert1.p12 -d sql:/var/lib/ipsec/nss
      certutil -M -n cacert1 -t "C, C, C" -d sql:/var/lib/ipsec/nss

Now machine 2 also has the CA certificates "cacert1" in its NSS database.

3. Creating user certs at both machines:

On machine 1:
      certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" -d sql:/var/lib/ipsec/nss

(Note this cert is signed by "cacert1")

On machine 2:
      certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" -d sql:/var/lib/ipsec/nss

(Note this cert is signed by "cacert1" too)


4. Preparing ipsec.conf at both machines

ipsec.conf at machine 1:


conn    pluto-1-2
        left=w1.x1.y1.z1
        leftid="CN=usercert1"
        leftsourceip=w1.x1.y1.z1
        leftrsasigkey=%cert
        leftcert=usercert1
        leftnexthop=w2.x2.y2.z2
        right=w2.x2.y2.z2
        rightid="CN=usercert2"
        rightsourceip=w2.x2.y2.z2
        rightrsasigkey=%cert
        rightnexthop=w1.x1.y1.z1
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add


ipsec.conf at machine 2:


conn    pluto-1-2
        left=w2.x2.y2.z2
        leftid="CN=usercert2"
        leftsourceip=w2.x2.y2.z2
        leftrsasigkey=%cert
        leftcert=usercert2
        leftnexthop=w1.x1.y1.z1
        right=w1.x1.y1.z1
        rightid="CN=usercert1"
        rightsourceip=w1.x1.y1.z1
        rightrsasigkey=%cert
        rightnexthop=w2.x2.y2.z2
        rekey=no
        esp="aes-sha1"
        ike="aes-sha1"
        auto=add

#########################################################################
# Import certificates
#########################################################################
This example show how to import certificates in nss.
Is useful if you want to migrate from openswan to libreswan.

Import a CA:
    certutil -A -i <ca_cert_file>  -n "<ca_cert_alias>" -t "C,C,C" -d /var/lib/ipsec/nss
    example: certutil -A -i CaCert.pem  -n "CaCert" -t "C,C,C" -d /var/lib/ipsec/nss

Import a cert:
    certutil -A -i <cert_file>  -n "<cert_alias>" -t "C,C,C" -d /var/lib/ipsec/nss
    example: certutil -A -i serverCert.pemm  -n "serverCert" -t "C,C,C" -d /var/lib/ipsec/nss


Import a client cert:
    certutil -A -i <cert_file>  -n "<cert_alias>" -t "u,u,u" -d /var/lib/ipsec/nss
    example: certutil -A -i userCert.pem  -n "userCert" -t "u,u,u" -d /var/lib/ipsec/nss

Convert key:
    openssl pkcs12 -export -in userCert.pem -inkey userKey.pem -name "userCert" -out userKey.p12

Import Key:
    ipsec import userKey.p12

Show a list of the current certificates and trust attributes in a certificate database:
    certutil -L -d /var/lib/ipsec/nss



