Hi Christoph, Specify the keys using connections.<conn>.local<suffix>.pubkeys and connections.<conn>.remote<suffix>.pubkeys.
Afterwards, check the output and the log file (best if you enable debug logging
like shown on the HelpRequests page)
to see if the public keys were loaded and the private keys, too.
Kind regards
Noel
Am 25.10.20 um 21:11 schrieb Christoph Harder:
> Hello everyone,
>
> I wish to create an IPSEC v2 connection and use two authentication rounds,
> both with assymetric key pairs (one round using ECDSA followed by one round
> using BLISS).
> Since BLISS is rather new I would like the second round as safe-guard in case
> the near future shows any fatal flaws in BLISS.
> However at the moment I receive the follwoing message when I try to initiate
> a connection.
>
> [IKE] no private key found for 'xyz_ecdsa'
>
> The private keys are stored as /bliss/xyz_bliss.pem and /ecdsa/xyz_ecdsa.pem
> and the matching (same file name) public keys are stored in /pubkeys.
> When I load the keys, e.g. using swanctl --load-creds the keys are listed and
> no error message shows up.
>
> In the swanctl.conf the authentication rounds are defined like this (with
> matching remote authentication rounds):
> local-1 {
> id = xyz_ecdsa
> auth = pubkey
> round = 1
> }
> local-2 {
> id = xyz_bliss
> auth = pubkey
> round = 2
> }
>
> The private keys don't have a passphrase and are not listed in the secrets
> section.
>
> The private key file /ecdsa/xyz_ecdsa.pem looks like this:
> -----BEGIN EC PRIVATE KEY-----
> ...
> -----END EC PRIVATE KEY-----
>
> and the public key file /pubkey/xyz_ecdsa.pem looks like this:
> -----BEGIN PUBLIC KEY-----
> ...
> -----END PUBLIC KEY-----
>
> The keys have been generated using the pki tool.
>
> Can you give me any hints on what I might be doing wrong?
> Are two rounds even supported when using auth = pubkey in both rounds?
> Do I need to tell strongswan somehow to associate the key files with the id?
>
> Best regards,
> Christoph
>
signature.asc
Description: OpenPGP digital signature
