Hi Mark,

it usually is much easier to use the strongSwan pki tool to generate ECDSA keys and certificates:

https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPKI

Best regards

Andreas

On 27.05.2015 23:29, Mark M wrote:
> Do you know this is an issue? It works fine on the Android device?
>
> On Wednesday, May 27, 2015 5:25 PM, Mark M <[email protected]> wrote:
>
> Noel,
>
> I got it to work. I had to use ec instead of ecparam for the conversion, like this:
>
>   openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
>
> strongSwan can now load the private key and I can connect with my Android client using ECDSA SHA384 certs :)
>
> Thank you very much for the help.
>
> Mark-
>
> On Wednesday, May 27, 2015 5:18 PM, Mark M <[email protected]> wrote:
>
> Not working. I am using this method to convert, maybe it is wrong?
>
>   [root@CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
>
> I am getting
>
>   00[LIB] file coded in unknown format, discarded
>   00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
>   00[CFG] loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed
>
> On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze <[email protected]> wrote:
>
> Hello Mark,
>
> Try converting the key from PEM to DER format.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.05.2015 at 23:03, Mark M wrote:
>
> Noel,
>
> Here is a pastebin of the log with the settings you asked for:
>
> http://pastebin.com/4T47jNNA
>
> I am seeing this as a problem:
>
>   00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
>   00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
>   00[CFG] loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
>
> On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze <[email protected]> wrote:
>
> Hello Mark,
>
> Okay, what does charon say during daemon startup?
> Please create a log with the following settings and post it here.
> You are encouraged to use a pastebin service.
>
>   default = 3
>   mgr = 1
>   ike = 1
>   net = 1
>   enc = 0
>   cfg = 2
>   asn = 1
>   job = 1
>   knl = 1
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.05.2015 at 22:25, Mark M wrote:
>
> Hi Noel,
>
> I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs?
>
>   openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
>   openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
>   openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
>
> opensslc1.cnf file:
>
>   [req]
>   distinguished_name = req_distinguished_name
>   req_extensions = v3_req
>
>   [req_distinguished_name]
>   countryName = Country Name (2 letter code)
>   stateOrProvinceName = State or Province Name (full name)
>   localityName = Locality Name (eg, city)
>   organizationalUnitName = Organizational Unit Name (eg, section)
>   commonName =
>
>   [v3_req]
>   basicConstraints = CA:FALSE
>   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>   subjectAltName = @alt_names
>
>   [alt_names]
>   IP.1=10.X.X.X
>   IP.2=192.168.1.7
>
> ipsec.secrets:
>
>   # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
>   : RSA centos2.key
>   : ECDSA centos2ecc.key
>
> [root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
>
>   # leftsendcert=never
>   # right=192.168.0.2
>   # rightsubnet=10.2.0.0/16
>   # rightcert=peerCert.der
>   # auto=start
>
>   #conn sample-with-ca-cert
>   # leftsubnet=10.1.0.0/16
>   # leftcert=myCert.pem
>   # right=192.168.0.2
>   # rightsubnet=10.2.0.0/16
>   # rightid="C=CH, O=Linux strongSwan CN=peer name"
>   # auto=start
>
>   conn %default
>        keyexchange=ikev2
>
>   conn phone1ecc
>        left=%defaultroute
>        leftcert=centos2ecc.crt
>        leftsubnet=0.0.0.0/0
>        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
>        leftfirewall=yes
>        right=%any
>        rightsourceip=192.168.9.0/24
>        esp=aes256-sha384-ecp384!
>        ike=aes256-sha384-ecp384!
>        auto=add
>
> On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <[email protected]> wrote:
>
> Hello Mark,
>
> Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.05.2015 at 04:52, Mark M wrote:
>
> I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and the certificate authentication works fine on the Android device.
>
> Any ideas on what would cause the private key to not be found or be authenticated correctly?
>
>   14[CFG] using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
>   14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"
>   14[CFG] certificate status is not available
>   14[CFG] reached self-signed root ca with a path length of 0
>   14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
>   14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>   14[IKE] peer supports MOBIKE
>   14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
>   14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>   14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)
-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
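The thread turns on the difference between two OpenSSL subcommands: `openssl ecparam -in key -outform DER` writes only the curve parameters (a bare OBJECT IDENTIFIER naming the curve), not the private key, which is why that conversion produced a file charon could not load as a key, while `openssl ec` writes the ECPrivateKey structure itself; and `openssl ecparam -genkey` without `-noout` puts an `EC PARAMETERS` PEM block ahead of the `EC PRIVATE KEY` block in the same file. The Python below is an added example, not code from the list thread or from the strongSwan project, that inspects a key file and reports what is actually inside it, so a file such as `centos2ecc.key` can be checked before pointing `ipsec.secrets` at it. All sample inputs are constructed inline (the 48 private-key bytes are a placeholder, not a real key) and the function names are the example's own.

```python
"""
Inspect an OpenSSL-produced EC key file and report what it actually holds.
Added example for the strongSwan list thread above; not code from the thread
or from the strongSwan project. Sample inputs are constructed inline.
"""
import base64
import re

# Named-curve OIDs (DER contents bytes) for curves commonly used with IKEv2.
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",         # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",         # 1.3.132.0.35
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(data: bytes) -> list:
    """Return (label, DER bytes) for every PEM block in the file, in file order."""
    blocks = []
    for m in PEM_RE.finditer(data):
        body = b"".join(m.group(2).split())  # drop the line breaks inside the base64
        blocks.append((m.group(1).decode("ascii"), base64.b64decode(body)))
    return blocks


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_kind(der: bytes) -> str:
    """Classify a DER blob by its outermost tag."""
    if not der:
        return "empty"
    if der[0] == 0x06:
        return "ec-parameters"  # bare OBJECT IDENTIFIER: named curve only, no key material
    return "sequence" if der[0] == 0x30 else "unknown"  # SEC1 and PKCS#8 keys are SEQUENCEs


def sec1_info(der: bytes):
    """Minimal parse of a SEC1 ECPrivateKey (RFC 5915); None if the blob is not one."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        return None
    tag, version, pos = _tlv(body, 0)
    if tag != 0x02:
        return None
    tag, priv, pos = _tlv(body, pos)
    if tag != 0x04:  # PKCS#8 carries an AlgorithmIdentifier SEQUENCE here instead
        return None
    curve = None
    if pos < len(body):
        tag, params, _ = _tlv(body, pos)
        if tag == 0xA0:  # [0] parameters, normally a named-curve OID
            ptag, oid, _ = _tlv(params, 0)
            if ptag == 0x06:
                curve = CURVES.get(oid, oid.hex())
    return {"version": int.from_bytes(version, "big"),
            "private_key_bytes": len(priv), "curve": curve}


def classify(data: bytes) -> str:
    """One-line verdict: 'pem:<labels in file order>' or 'der:<kind>'."""
    blocks = pem_blocks(data)
    if blocks:
        return "pem:" + ",".join(label for label, _ in blocks)
    return "der:" + der_kind(data)


def extract_block(data: bytes, label: str):
    """Re-emit only the PEM block with this label (e.g. drop a leading EC PARAMETERS block)."""
    for blk_label, der in pem_blocks(data):
        if blk_label == label:
            return _pem(label, der)
    return None


def _pem(label: str, der: bytes) -> bytes:
    lbl = label.encode("ascii")
    return b"-----BEGIN " + lbl + b"-----\n" + base64.encodebytes(der) + b"-----END " + lbl + b"-----\n"


def _der(tag: int, value: bytes) -> bytes:
    assert len(value) < 128  # short-form length suffices for the samples
    return bytes([tag, len(value)]) + value


# --- constructed samples (placeholder key bytes, not a real key) ---------------
SECP384R1_OID = bytes.fromhex("2b81040022")
SAMPLE_SEC1 = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x42" * 48)
                   + _der(0xA0, _der(0x06, SECP384R1_OID)))
# Shape of `openssl ecparam -genkey -name secp384r1 -out key` without -noout: parameters, then key.
SAMPLE_GENKEY_PEM = _pem("EC PARAMETERS", _der(0x06, SECP384R1_OID)) + _pem("EC PRIVATE KEY", SAMPLE_SEC1)
# Shape of `openssl ecparam -in key -outform DER -out key.der`: the curve OID alone.
SAMPLE_ECPARAM_DER = _der(0x06, SECP384R1_OID)
# Shape of `openssl ec -in key -outform DER -out key.der`: the ECPrivateKey structure.
SAMPLE_EC_DER = SAMPLE_SEC1

if __name__ == "__main__":
    for name, data in [("ecparam -genkey file", SAMPLE_GENKEY_PEM),
                       ("ecparam -outform DER file", SAMPLE_ECPARAM_DER),
                       ("ec -outform DER file", SAMPLE_EC_DER)]:
        print(name, "->", classify(data))
        for label, der in pem_blocks(data) or [("raw DER", data)]:
            print("   ", label, sec1_info(der) if der_kind(der) == "sequence" else der_kind(der))
```

Run as a script it reports the three shapes in turn: the `ecparam -genkey` file has two blocks with the parameters first, the `ecparam -outform DER` file is a lone OID with no key in it, and the `ec -outform DER` file parses as a version-1 ECPrivateKey on secp384r1. To avoid the two-block file in the first place, generate with `openssl ecparam -genkey -name secp384r1 -noout -out key`, or reduce an existing file with `extract_block(data, "EC PRIVATE KEY")`; `openssl asn1parse -in key.der -inform DER` gives the same picture of a DER file with OpenSSL itself.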
