Hello everyone, I wish to create an IPSEC v2 connection and use two authentication rounds, both with assymetric key pairs (one round using ECDSA followed by one round using BLISS). Since BLISS is rather new I would like the second round as safe-guard in case the near future shows any fatal flaws in BLISS. However at the moment I receive the follwoing message when I try to initiate a connection.
[IKE] no private key found for 'xyz_ecdsa'
The private keys are stored as /bliss/xyz_bliss.pem and /ecdsa/xyz_ecdsa.pem
and the matching (same file name) public keys are stored in /pubkeys.
When I load the keys, e.g. using swanctl --load-creds the keys are listed and
no error message shows up.
In the swanctl.conf the authentication rounds are defined like this (with
matching remote authentication rounds):
local-1 {
id = xyz_ecdsa
auth = pubkey
round = 1
}
local-2 {
id = xyz_bliss
auth = pubkey
round = 2
}
The private keys don't have a passphrase and are not listed in the secrets
section.
The private key file /ecdsa/xyz_ecdsa.pem looks like this:
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
and the public key file /pubkey/xyz_ecdsa.pem looks like this:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
The keys have been generated using the pki tool.
Can you give me any hints on what I might be doing wrong?
Are two rounds even supported when using auth = pubkey in both rounds?
Do I need to tell strongswan somehow to associate the key files with the id?
Best regards,
Christoph
0xA362479F3F0ADC06.asc
Description: application/pgp-keys
