On Fri, 11 Dec 2020, Manfred wrote:
Subject: [Swan] authentication method: IKEv2_AUTH_ECDSA_P384 not supported in I2 Auth Payload
I'm trying to configure a connection to use IKEv2 + ECDSA certificates, but
pluto barks the message above. I'm running libreswan 3.29.
I see that it should support ECDSA since 3.26, and the only conf item I could
find is authby=ecdsa (or possibly authby=ecdsa-sha2_384), both of which are
accepted but not described in the man page.
Any pointers to where to find info about this configuration, or hints on what
I am missing?
See
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12
We support ECDSA methods only via the Digital Signature (RFC 7427) method,
not via the old methods of value 9, 10 and 11.
In the past, each new digital signature format required its own
Authentication Method value. That's why "digital signature" (value 14,
RFC 7427) was written. All new methods are basically going to be supported
via value 14. See the RFC for why this is much better.
Perhaps the other end has a way to use ECDSA via the new method?
Paul
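To make the distinction in Paul's reply concrete, here is an added example (my own code, not libreswan's) that decodes the Authentication Method octet of an IKEv2 AUTH payload and, for method 14, the RFC 7427 ASN.1 AlgorithmIdentifier prefix that carries the hash/signature algorithm. A peer sending method 10 is using the legacy per-algorithm encoding that the responder in this thread does not implement. The payloads and signature bytes are constructed, and `build_auth_payload` is a helper of mine.

```python
"""Decode the Authentication Method of an IKEv2 AUTH payload (RFC 7296 3.8).

Added example, not libreswan code. Legacy methods 9/10/11 (RFC 4754) name the
ECDSA curve+hash in the method octet; method 14 (RFC 7427) instead prefixes
the signature with a DER AlgorithmIdentifier, so one method value covers all.
"""
import struct

# IKEv2 Authentication Method values (IANA ikev2-parameters-12).
AUTH_METHODS = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    3: "DSS Digital Signature",
    9: "ECDSA with SHA-256 on the P-256 curve",
    10: "ECDSA with SHA-384 on the P-384 curve",
    11: "ECDSA with SHA-512 on the P-521 curve",
    14: "Digital Signature (RFC 7427)",
}

# DER AlgorithmIdentifier prefixes listed in RFC 7427, Appendix A.
SIG_ALG_PREFIXES = {
    bytes.fromhex("300a06082a8648ce3d040302"): "ecdsa-with-sha256",
    bytes.fromhex("300a06082a8648ce3d040303"): "ecdsa-with-sha384",
    bytes.fromhex("300a06082a8648ce3d040304"): "ecdsa-with-sha512",
    bytes.fromhex("300d06092a864886f70d01010b0500"): "sha256WithRSAEncryption",
}

def build_auth_payload(method, auth_data, next_payload=0):
    """Constructed helper: generic header (4 octets) + method + 3 reserved."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(auth_data), method) + auth_data

def legacy_ecdsa_method(method):
    """True for the per-curve ECDSA methods that RFC 7427 value 14 replaces."""
    return method in (9, 10, 11)

def parse_auth_payload(payload):
    """Return (method, name, sig_alg, signature) for one AUTH payload."""
    if len(payload) < 8:
        raise ValueError("AUTH payload shorter than its fixed 8-octet header")
    _next, _flags, length, method = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("Payload Length field does not match payload size")
    body = payload[8:]                       # Authentication Data
    name = AUTH_METHODS.get(method, "unknown/private")
    if method != 14:
        return method, name, None, body      # legacy: algorithm implied by method
    # RFC 7427: 1-octet ASN.1 Length, AlgorithmIdentifier, then the signature.
    asn1_len = body[0]
    alg = body[1:1 + asn1_len]
    sig_alg = SIG_ALG_PREFIXES.get(alg, "unrecognized AlgorithmIdentifier")
    return method, name, sig_alg, body[1 + asn1_len:]
```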
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan