Hi Noel,
I did specify the key in ipsec.secrets. I am doing everything the same way I
did with RSA certificates that work fine. Here is my config and how I generated
the ECC keys and certs. I am thinking this is an issue with how I generated
the ECC keys and certs?

openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
opensslc1.cnf file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName =

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 10.X.X.X
IP.2 = 192.168.1.7
ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA centos2.key
: ECDSA centos2ecc.key


[root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf

#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        keyexchange=ikev2

conn phone1ecc
        left=%defaultroute
        leftcert=centos2ecc.crt
        leftsubnet=0.0.0.0/0
        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
        leftfirewall=yes
        right=%any
        rightsourceip=192.168.9.0/24
        esp=aes256-sha384-ecp384!
        ike=aes256-sha384-ecp384!
        auto=add
 



On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <[email protected]> wrote:

Hello Mark,

Well, did you enter the ECDSA private key in ipsec.secrets as you did with the 
RSA key?

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 04:52, Mark M wrote:
> I am trying to use ECDSA certificates with my setup and I keep getting "no 
> private key found" on my strongswan server when a client connects. I am using 
> CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and 
> the certificate authentication works fine on the Android device.
>
> Any ideas on what would cause the private key to not be found or be 
> authenticated correctly?
>
>
> 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, 
> CN=192.168.1.7"
> 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, 
> CN=phone1ecc"
> 14[CFG] certificate status is not available
> 14[CFG]  reached self-signed root ca with a path length of 0
> 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' 
> with ECDSA-384 signature successful
> 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 14[IKE] peer supports MOBIKE
> 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
> 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users


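A worked example, added here by the editor and not part of either post in the thread: the full P-384 root CA plus gateway certificate issuance using the same DN and SAN layout as above, followed by the checks worth running before strongSwan ever sees the files, namely that the private key listed in ipsec.secrets really carries the same public key as leftcert, that the certificate chains to the root, and that the certificate subject is exactly the string configured as leftid (the local identity strongSwan prints in its "no private key found for '...'" line). The file names eccCA.key, rooteccCA.crt, gw.key, gw.crt, the CN ecc-root and the SAN address 10.0.0.1 are constructed for the demo; the curve, SHA-384 and the v3_req section mirror the thread. keyUsage is reduced to digitalSignature because keyEncipherment describes RSA key transport and does not apply to an ECDSA key.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a P-384 ECC root CA and a
# gateway certificate with the thread's DN/SAN layout, then checks that the
# key and certificate belong together and that the subject equals leftid.
# Constructed names: eccCA.key, rooteccCA.crt, gw.key, gw.crt, CN=ecc-root,
# SAN IP 10.0.0.1. Requires the openssl CLI (1.0.2 or newer).
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Subject fields come from -subj, so req_distinguished_name only has to exist.
# keyUsage is digitalSignature only: keyEncipherment is meaningless for an
# ECDSA key, and IKEv2 only ever signs with the gateway key.
cat > ecc.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
commonName = Common Name

[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
subjectAltName   = @alt_names

[alt_names]
IP.1 = 10.0.0.1
IP.2 = 192.168.1.7
EOF

# The identity configured as leftid in ipsec.conf.
LEFTID="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"

gen_certs() {
  # self-signed P-384 root, SHA-384 signature, explicit CA extensions
  openssl ecparam -genkey -name secp384r1 -noout -out eccCA.key
  openssl req -new -x509 -key eccCA.key -sha384 -days 3650 -config ecc.cnf \
    -extensions v3_ca -subj "/C=US/ST=MA/L=SELF/O=SSCA/OU=SS/CN=ecc-root" \
    -out rooteccCA.crt
  # gateway key, CSR and CA-signed certificate (same steps as in the thread)
  openssl ecparam -genkey -name secp384r1 -noout -out gw.key
  openssl req -new -key gw.key -sha384 -config ecc.cnf \
    -subj "/C=US/ST=MA/L=SELF/O=SSCA/OU=SS/CN=192.168.1.7" -out gw.csr
  openssl x509 -req -in gw.csr -CA rooteccCA.crt -CAkey eccCA.key \
    -CAcreateserial -days 365 -sha384 -extfile ecc.cnf -extensions v3_req \
    -out gw.crt 2>/dev/null
}

# Returns 0 if the private key ($1) and the certificate ($2) carry the same
# SubjectPublicKeyInfo; this is the pairing strongSwan needs between the
# key listed in ipsec.secrets and leftcert.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the subject DN in the "C=US, ST=MA, ..." form strongSwan uses
# for identities, so it can be compared with leftid byte for byte.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space |
    sed 's/^subject= *//'
}

# Returns 0 if the end-entity certificate ($2) chains to the root ($1).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

gen_certs
subj="$(cert_subject gw.crt)"
if key_matches_cert gw.key gw.crt && chain_ok rooteccCA.crt gw.crt \
   && [ "$subj" = "$LEFTID" ]; then
  echo "OK: gw.key pairs with gw.crt, chain verifies, subject matches leftid"
else
  echo "FAIL: key/cert pairing, chain, or subject ($subj) vs leftid ($LEFTID)" >&2
  exit 1
fi
```

Run it on the gateway with the real files substituted for gw.key and gw.crt: if key_matches_cert fails, the key named in ipsec.secrets is not the key the certificate was issued for; if the subject differs from leftid in even one attribute or in attribute order, strongSwan is looking for a certificate for an identity that no loaded certificate carries.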