Hi Andreas,

You were correct. Once I enabled OpenSSL on the Linux box those problems went away on my Linux boxes. However, what I am trying to do is change my strongSwan IPSec connections between the server and my road warriors to be Suite B compliant. So I created a set of ECDSA keys and certificates. When I restart IPSec on the Linux server I receive no errors. However, on the Android I get the following:

I/charon ( 2866): 00[CFG] loading ca certificates from '/system/etc/ipsec.d/cacerts'
I/charon ( 2866): 00[CFG] loaded ca certificate "C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information Services, CN=IS, N=IS, [email protected]" from '/system/etc/ipsec.d/cacerts/caCyCert.pem'
I/charon ( 2866): 00[CFG] loading aa certificates from '/system/etc/ipsec.d/aacerts'
I/charon ( 2866): 00[CFG] loading ocsp signer certificates from '/system/etc/ipsec.d/ocspcerts'
I/charon ( 2866): 00[CFG] loading attribute certificates from '/system/etc/ipsec.d/acerts'
I/charon ( 2866): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
I/charon ( 2866): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
I/charon ( 2866): 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 1 builders
I/charon ( 2866): 00[CFG] loading private key from '/system/etc/ipsec.d/private/keyCyECRmt01.pem' failed
I/charon ( 2866): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-raw android stroke eap-identity eap-mschapv2 eap-md5
I/charon ( 2866): 00[JOB] spawning 16 worker threads
I/charon ( 2866): 09[CFG] received stroke: add connection 'home01'
I/charon ( 2866): 09[LIB] OpenSSL X.509 parsing failed
I/charon ( 2866): 09[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
I/charon ( 2866): 09[CFG] loading certificate from 'crtCyECRmt01.pem' failed
I/charon ( 2866): 09[CFG] added configuration 'home01'
I/charon ( 2866): 10[CFG] received stroke: initiate 'home01'
I/charon ( 2866): 10[IKE] initiating IKE_SA home01[1] to 68.225.28.68
I/charon ( 2866): 10[IKE] configured DH group ECP_256 not supported
I/charon ( 2866): 10[MGR] tried to check-in and delete nonexisting IKE_SA

As we can see, I have three problems: it doesn't like my key, it doesn't like my certificate, and it doesn't like the DH group specification.

When I do an ipsec statusall I get:

ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.2):
  uptime: 21 seconds, since Jun 20 00:24:11 2012
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-raw android stroke eap-identity eap-mschapv2 eap-md5
Listening IP addresses:
  2600:1010:8004:783e:0:9:40aa:ca01
  xx.xxx.xx.xx
  2600:100e:b011:d63c:0:8:73c4:f001
  xx.xxx.xxx.xxx
Connections:
  home01: xx.xxx.xxx.xx...xx.xxx.xx.xx
  home01: local: [[email protected]] uses public key authentication
  home01: remote: [C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information Services, CN=IS, N=IS, [email protected]] uses any authentication
  home01: child: dynamic === 10.20.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
  none
I/charon ( 2717): 10[IKE] configured DH group ECP_256 not supported
I/charon ( 2717): 10[MGR] tried to check-in and delete nonexisting IKE_SA

And an ipsec listalgs shows:

ipsec listalgs
List of registered IKEv2 Algorithms:
  encryption: AES_CBC[openssl] CAMELLIA_CBC[openssl] BLOWFISH_CBC[openssl] 3DES_CBC[openssl] DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
  integrity: CAMELLIA_XCBC_96[xcbc] AES_XCBC_96[xcbc] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
  aead:
  hasher: HASH_SHA1[openssl] HASH_MD4[openssl] HASH_MD5[openssl] HASH_SHA224[openssl] HASH_SHA256[openssl] HASH_SHA384[openssl] HASH_SHA512[openssl]
  prf: PRF_KEYED_SHA1[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc] PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac]
  dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]

My config files follow:

ipsec.conf

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    charondebug="ike 3, knl 3, cfg 3"

#
# This section contains Default configuration parameters.
#
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes128-sha256-ecp256!
    esp=aes128gcm16!

#
# Next comes the Connection Specific configuration.
#
conn home01
    left=%defaultroute
    leftsourceip=%config
    leftcert=crtCyECRmt01.pem
    [email protected]
    leftfirewall=yes
    right=xx.xxx.xx.xx
    rightsubnet=10.20.0.0/16
    rightid="C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information Services, CN=IS, N=IS, [email protected]"
    auto=start

ipsec.secrets

: ECDSA keyCyECRmt01.pem

Clearly, the ECP algorithms are missing even though the OpenSSL plugin appears to be loading. I believe this to be a problem with the way I have compiled strongSwan for the Android but I'm not sure where I went wrong. Hopefully you will have some insights.

Thanks,
Matt

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Monday, June 18, 2012 9:10 PM
To: Matt Link
Cc: [email protected]
Subject: Re: [strongSwan] Error Creating ECDSA with PKI

Hi Matt,

did you enable the openssl plugin (./configure --enable-openssl)?
If yes, your OpenSSL library might have ECC disabled.

Regards

Andreas

On 06/19/2012 01:05 AM, Matt Link wrote:
> Hi All,
>
> When I run the command:
>
> pki --gen --type ecdsa --size 256 > myKey.der
>
> I get the following error:
>
> building CRED_PRIVATE_KEY - ECDSA failed, tried 1 builders
>
> I'm running strongSwan 4.5.3. I don't find anything else in the logs.
> I've probably missed something obvious but any help would be appreciated.
>
> Thanks,
>
> Matt

======================================================================
Andreas Steffen                                       [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
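
The mismatch reported in this thread (an `ike=` proposal asking for `ecp256` while `ipsec listalgs` registers only MODP groups) can be checked mechanically before a connection is initiated. The following is an added example, not part of the original messages or of strongSwan; the keyword table is an assumption of the example and covers only proposal keywords relevant to this thread, and the sample output is abridged from the listing above.

```python
import re

# Constructed sample, abridged from the `ipsec listalgs` output in the thread.
LISTALGS = """\
List of registered IKEv2 Algorithms:
  encryption: AES_CBC[openssl] CAMELLIA_CBC[openssl] 3DES_CBC[openssl]
  integrity:  HMAC_SHA1_96[hmac] HMAC_SHA2_256_128[hmac]
  aead:
  prf:        PRF_FIPS_SHA1_160[fips-prf] PRF_HMAC_SHA2_256[hmac]
  dh-group:   MODP_2048[openssl] MODP_3072[openssl]
              MODP_1024[openssl]
"""

# Assumption: covers only proposal keywords relevant to this thread.
KEYWORDS = {
    "aes128": [("encryption", "AES_CBC")],
    "sha256": [("integrity", "HMAC_SHA2_256_128"), ("prf", "PRF_HMAC_SHA2_256")],
    "ecp256": [("dh-group", "ECP_256")],
    "modp2048": [("dh-group", "MODP_2048")],
}

def parse_listalgs(text):
    """Return {category: set of transform names}; wrapped lines are joined."""
    registered, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([a-z-]+):(.*)", line)
        if m:
            current, line = m.group(1), m.group(2)
            registered.setdefault(current, set())
        if current is not None:
            registered[current].update(re.findall(r"([A-Z0-9_]+)\[[\w-]+\]", line))
    return registered

def missing_transforms(proposal, registered):
    """Return (keyword, category, transform) triples the daemon lacks."""
    missing = []
    for kw in proposal.rstrip("!").split("-"):
        if kw not in KEYWORDS:
            missing.append((kw, "unknown", "unmapped keyword"))
            continue
        for category, name in KEYWORDS[kw]:
            if name not in registered.get(category, set()):
                missing.append((kw, category, name))
    return missing

if __name__ == "__main__":
    for item in missing_transforms("aes128-sha256-ecp256!", parse_listalgs(LISTALGS)):
        print("not registered:", item)
```

An empty result means every transform in the proposal is registered; with a strict proposal (trailing `!`), any entry in the result means the daemon has no fallback to negotiate.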
