Re: [strongSwan] Failing to login due to constraint check failed

2015-05-27 Thread Martin Willi
> why it wasn't sending identity before but does send it now? The client now offers EAP authentication by omitting the AUTH payload in the first IKE_AUTH exchange. This allows the server to trigger the EAP-Identity exchange, followed by EAP-MSCHAPv2. > and why does authentication fail? The cli

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Andreas Steffen
Hi Mark, it usually is much easier to use the strongSwan pki tool to generate ECDSA keys and certificates: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPKI Best regards Andreas On 27.05.2015 23:29, Mark M wrote: Do you know this is an issue? it works fine on the Android device?

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Noel Kuntze
Hello Mark, I remotely remember such an issue from a couple of months ago. Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 27.05.2015 um 23:29 schrieb Mar

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Do you know this is an issue? it works fine on the Android device? On Wednesday, May 27, 2015 5:25 PM, Mark M wrote: Noel, I got it to work. I had to use ec instead of ecparam for the conversion like this; openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out c

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Noel, I got it to work. I had to use ec instead of ecparam for the conversion like this; openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key strongSwan can now load the private key and I can connect with my Android client using ECDSA SHA384 certs :) Thank y

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Not working, I am using this method to convert, maybe it is wrong?
[root@CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
I am getting
00[LIB]   file coded in unknown format, discarded
00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tri

Re: [strongSwan] Setting upp strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

2015-05-27 Thread Noel Kuntze
Hello Abi, Yep. And that's X509, not RSA here. Different standards. Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 On 27.05.2015 at 23:10, abi wrote: > He

Re: [strongSwan] Setting upp strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

2015-05-27 Thread abi
Hello Noel. Looks like I replied to the wrong thread, just a misclick. Thank you, I'll read some theory about RSA fields then. On 27/05/2015 23:14, Noel Kuntze wrote: Hello abi, "key usage" and "extended key usage" are not the same thing. They are

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Noel Kuntze
Hello Mark, Okay, what does charon say during daemon startup? Please create a log with the following settings and post it here. You are encouraged to use a pastebin service. default = 3 mgr = 1 ike = 1 net = 1 enc = 0 cfg = 2 asn = 1 job = 1

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Hi Noel, I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs? openssl ecparam -genkey -nam

Re: [strongSwan] Setting upp strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

2015-05-27 Thread Noel Kuntze
Hello abi, "key usage" and "extended key usage" are not the same thing. They are different fields. The pki utility does not have a setting to set that field to a value, as far as I can remember. Openssl itself can do that though. I think the AS

Re: [strongSwan] Setting upp strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

2015-05-27 Thread Noel Kuntze
Hello Richard, What are the default openswan ESP cipher settings? Make sure they match your esp setting in strongswan. Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 6

Re: [strongSwan] Setting upp strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

2015-05-27 Thread abi
The following flags used for client X509v3 extensions: X509v3 Authority Key Identifier: keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0 X509v3 Subject Alternative Name: DNS:XXX X509v3 Extended Key Usage:

Re: [strongSwan] Failing to login due to constraint check failed

2015-05-27 Thread Gilad Novik
Same code now fails on EAP authentication (username/password are valid): May 27 11:29:08 16[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] May 27 11:29:08 16[CFG] <2> looking for an ike config for 1.2.3.4...5.6.7.8 May 27 11:29:08 16[CFG] <2> candidate: %any...%

Re: [strongSwan] Failing to login due to constraint check failed

2015-05-27 Thread Gilad Novik
Hi, Thanks for your answer. I do set the extended authentication (I do it programmatically): NEVPNProtocolIKEv2* p = [[NEVPNProtocolIKEv2 alloc] init]; p.useExtendedAuthentication = @YES; p.username = @"gilad"; p.passwordReference = < password data >; p.

Re: [strongSwan] Failing to login due to constraint check failed

2015-05-27 Thread Martin Willi
Hi, > What I don't understand is why it is failing on EAP identity when I clearly > defined 'eap_identity=%any' > parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] > generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) > N(MULT_AUTH) ] > parsed IKE_AUTH requ

[strongSwan] Strongswan as ePDG for untrusted Wifi access

2015-05-27 Thread Ezio Toto
Very briefly: EAP-AKA authentication works fine, tunnel mode is up and also the virtual IP is correctly assigned, but the UE is not able to reach the P-CSCF via SIP. Also, in the file attr.conf the correct attribute has been set: 20= anyway nothing arrives to the server. Have you experience ab

[strongSwan] Failing to login due to constraint check failed

2015-05-27 Thread Gilad Novik
I have a strongswan setup which is failing when I try to login via iOS8 (IKEv2). What I don't understand is why it is failing on EAP identity when I clearly defined 'eap_identity=%any' Any ideas? May 27 08:15:50 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-43-generic

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Noel Kuntze
Hello Mark, Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key? Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 27.05

Re: [strongSwan] PKCS#12 and leftid

2015-05-27 Thread Jacques Monin
It works!! For people who have the same issue, here is what I did:
openssl asn1parse -i -inform DER -in DERfile -strparse offset -length lgth -noout -out out.raw
cat out.raw | od --address-radix=n --format=x1 | tr -d ' \n'
Do you know which library I am supposed to use if I want to do the same in