Hi Mark,
it usually is much easier to use the strongSwan pki tool to generate
ECDSA keys and certificates:
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPKI
Best regards
Andreas
On 27.05.2015 23:29, Mark M wrote:
Do you know this is an issue? it works fine on the Android device?
On Wednesday, May 27, 2015 5:25 PM, Mark M mark0...@yahoo.com wrote:
Noel,
I got it to work. I had to use ec instead of ecparam for the conversion
like this;
openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER
-out centos2ecc.key
strongSwan can now load the private key and I can connect with my
Android client using ECDSA SHA384 certs :)
Thank you very much for the help.
Mark-
On Wednesday, May 27, 2015 5:18 PM, Mark M mark0...@yahoo.com wrote:
Not working,
I am using this method to convert, maybe it is wrong?
[root@CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key
-inform PEM -outform DER -out centos2ecc.key
I am getting
00[LIB] file coded in unknown format, discarded
00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
00[CFG] loading private key from
'/etc/strongswan/ipsec.d/private/centos2ecc.der' failed
On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze n...@familie-kuntze.de
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Mark,
Try converting the key from PEM to DER format.
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 27.05.2015 um 23:03 schrieb Mark M:
Noel,
Here is a pastebin of the log with the settings you asked for -
http://pastebin.com/4T47jNNA
I am seeing this a problem
1.
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
2.
00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
3.
00[CFG] loading private key from
'/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze
n...@familie-kuntze.de mailto:n...@familie-kuntze.de wrote:
Hello Mark,
Okay, what does charon say during daemon startup?
Please create a log witht the following settings and post it here.
You are encouraged to use a pastebin service.
default = 3
mgr = 1
ike = 1
net = 1
enc = 0
cfg = 2
asn = 1
job = 1
knl = 1
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 27.05.2015 um 22:25 schrieb Mark M:
Hi Noel,
I did specify the key in ipsec.secrets. I am doing everything the
same way I did with RSA certificates that work fine. Here is my config
and how I generated the ECC keys and certs. I am thinking this is an
issue with how I genereated the ECC keys and certs?
openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
openssl req -new -key centos2ecc.key -out centos2ecc.csr -config
/etc/pki/newca/opensslc1.cnf -sha384
openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey
eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions
v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
opensslc1.cnf file:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName =
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1=10.X.X.X
IP.2=192.168.1.7
~
ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA centos2.key
: ECDSA centos2ecc.key
[root@CENTOS7 mailto:root@CENTOS7 mailto:root@CENTOS7
mailto:root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid=C=CH, O=Linux strongSwan CN=peer name
# auto=start
conn %default
keyexchange=ikev2
conn phone1ecc
left=%defaultroute
leftcert=centos2ecc.crt
leftsubnet=0.0.0.0/0
leftid=C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7
leftfirewall=yes
right=%any
rightsourceip=192.168.9.0/24
esp=aes256-sha384-ecp384!
ike=aes256-sha384-ecp384!
auto=add
On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze
n...@familie-kuntze.de mailto:n...@familie-kuntze.de
mailto:n...@familie-kuntze.de mailto:n...@familie-kuntze.de wrote:
Hello Mark,
Well, did