Hello George,

Please share a complete log as shown on the HelpRequests page on the wiki. Use the filelogger at the bottom of it.

Kind regards
Noel

On 05.11.20 at 20:20, george wrote:
> Hi Strongswan users!
>
> This is my first post. I have problems using ECDSA
> certificates with strongswan (did not have problems with
> RSA certificates).
>
> Please help to solve this problem. Thanks.
>
> ipsec.conf file
>
> conn ss_as_init_cert_x2_22685
>     left=172.16.58.97
>     leftid=Userikev2-A
>     leftsubnet=172.16.58.93/32
>     #leftsourceip=%config
>     leftfirewall=yes
>     leftauth=pubkey
>     leftcert=user-cert-ikev2-A.pem
>     keyingtries=2
>     reauth=no
>     right=172.16.58.96
>     rightauth=pubkey
>     rightid=%any
>     rightsubnet=172.16.58.96/32
>     auto=add
>     ike=aes256-sha512-modp2048!
>     keyexchange=ikev2
>     type=tunnel
>     esp=aes256-sha512-modp2048!
>     ikelifetime=60m
>     lifetime=30m
>     margintime=1s
>     rekey=yes
>     dpdaction=none
>     dpddelay=300s
>     dpdtimeout=10s
>     mobike=no
>
>
> Certificate:
>
> Data:
>     Version: 3 (0x2)
>     Serial Number: 4 (0x4)
>     Signature Algorithm: ecdsa-with-SHA1
>     Issuer: C=US, ST=Massachusetts, L=Bedford, O=acmepacket, CN=root/[email protected]
>     Validity
>         Not Before: Nov  5 18:16:38 2020 GMT
>         Not After : May 24 18:16:38 2021 GMT
>     Subject: C=US, ST=Massachusetts, O=acmepacket.com, CN=Userikev2-A/[email protected]
>     Subject Public Key Info:
>         Public Key Algorithm: id-ecPublicKey
>             Public-Key: (256 bit)
>             pub:
>                 04:36:43:df:ab:7a:1e:e4:33:7e:da:4c:da:42:67:
>                 02:1c:3b:d0:ef:33:91:95:45:84:50:2d:34:b6:6f:
>                 20:79:3e:a1:82:e6:e4:98:b3:56:cb:7a:b8:f3:c9:
>                 ff:0e:8c:33:a9:90:e4:55:9f:c9:28:4d:f5:15:2f:
>                 d0:78:ab:94:d8
>             ASN1 OID: prime256v1
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         X509v3 Subject Key Identifier:
>             23:36:62:1F:64:ED:C1:45:34:8D:52:C5:07:3C:68:AE:7F:92:8F:DE
>         X509v3 Authority Key Identifier:
>             keyid:1D:6A:76:68:32:A7:3B:48:35:6C:F1:3F:76:7A:06:12:F2:51:0A:2E
>             DirName:/C=US/ST=Massachusetts/L=Bedford/O=acmepacket/CN=root/[email protected]
>             serial:BD:52:8A:11:94:74:C2:20
>         X509v3 Key Usage:
>             Digital Signature, Key Encipherment
>         X509v3 Issuer Alternative Name:
>             DNS:abc.com
>         X509v3 Subject Alternative Name:
>             DNS:abc.com
> Signature Algorithm: ecdsa-with-SHA1
>     30:45:02:21:00:f0:9e:68:b6:18:9a:aa:93:56:ad:74:80:d1:
>     2b:ce:9f:85:12:1b:19:17:ef:b2:10:d0:c4:14:28:18:42:79:
>     15:02:20:5d:32:32:bd:02:98:c2:28:9e:c9:10:5c:06:36:e7:
>     6d:37:5e:2c:f5:97:96:6b:54:e4:3d:63:59:8e:cb:95:d6
>
>
> Private Key:
>
> read EC key
> Private-Key: (256 bit)
> priv:
>     7b:7b:d0:11:9c:57:bc:86:2e:e9:29:d8:a1:54:a1:
>     32:bd:c4:4b:79:a2:ac:23:4e:7f:3e:16:88:47:4e:
>     f7:29
> pub:
>     04:36:43:df:ab:7a:1e:e4:33:7e:da:4c:da:42:67:
>     02:1c:3b:d0:ef:33:91:95:45:84:50:2d:34:b6:6f:
>     20:79:3e:a1:82:e6:e4:98:b3:56:cb:7a:b8:f3:c9:
>     ff:0e:8c:33:a9:90:e4:55:9f:c9:28:4d:f5:15:2f:
>     d0:78:ab:94:d8
> ASN1 OID: prime256v1
> writing EC key
> -----BEGIN EC PRIVATE KEY-----
> MHcCAQEEIHt70BGcV7yGLukp2KFUoTK9xEt5oqwjTn8+FohHTvcpoAoGCCqGSM49
> AwEHoUQDQgAENkPfq3oe5DN+2kzaQmcCHDvQ7zORlUWEUC00tm8geT6hgubkmLNW
> y3q488n/DowzqZDkVZ/JKE31FS/QeKuU2A==
> -----END EC PRIVATE KEY-----
>
>
> IPSEC Secrets file
>
> : ECDSA user-key-ikev2-A.pem
> : ECDSA user-key-ikev2-B.pem
>
>
> CHARON OUTPUT
>
> feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
> Nov 5 13:57:19 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
> Nov 5 13:57:19 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
> Nov 5 13:57:19 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
> Nov 5 13:57:19 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
> Nov 5 13:57:19 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
> Nov 5 13:57:19 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
> Nov 5 13:57:19 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Nov 5 13:57:19 00[ASN] file content is not binary ASN.1
> Nov 5 13:57:19 00[ASN] -----BEGIN CERTIFICATE-----
> Nov 5 13:57:19 00[ASN] -----END CERTIFICATE-----
> Nov 5 13:57:19 00[ASN] L0 - x509:
> Nov 5 13:57:19 00[ASN] L1 - tbsCertificate:
> Nov 5 13:57:19 00[ASN] L2 - DEFAULT v1:
> Nov 5 13:57:19 00[ASN] L3 - version:
> Nov 5 13:57:19 00[ASN] X.509v3
> Nov 5 13:57:19 00[ASN] L2 - serialNumber:
>
> Thank you.
>
> Rouben
>
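As an added diagnostic example (not from the original mail and not strongSwan's own code), a small Python parser over constructed charon lines modelled on the output quoted above: it rejoins lines that the mail client wrapped and lists the key types for which charon reported no providing plugin. That `PUBKEY:ECDSA`/`PRIVKEY:ECDSA` are normally supplied by a backend plugin such as openssl is my assumption, not something the mail states.

```python
import re

# Constructed sample modelled on the charon output quoted in the mail: the first
# line has lost its syslog prefix and the others were wrapped by the mail client.
SAMPLE_LOG = """\
feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
Nov 5 13:57:19 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet
dependency: PUBKEY:DSA
Nov 5 13:57:19 00[LIB] feature PRIVKEY:ECDSA in plugin 'pem' has unmet
dependency: PRIVKEY:ECDSA
Nov 5 13:57:19 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has
unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov 5 13:57:19 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
"""

# Syslog-style prefix charon writes: "Mon DD HH:MM:SS NN[GROUP]".
PREFIX_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d\d\[[A-Z]+\]")
UNMET_RE = re.compile(r"feature (\S+) in plugin '([^']+)' has unmet dependency: (\S+)")

def unwrap(lines):
    """Rejoin continuation lines (those without a log prefix) onto the preceding record."""
    out = []
    for line in lines:
        if out and not PREFIX_RE.match(line):
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def unmet_dependencies(log_text):
    """Return (feature, plugin, dependency) for every unmet-dependency message."""
    found = []
    for line in unwrap(log_text.splitlines()):
        m = UNMET_RE.search(line)
        if m:
            found.append(m.groups())
    return found

def missing_key_types(log_text):
    """PUBKEY:/PRIVKEY: dependencies nobody provides: certificates and keys of
    these algorithms cannot be used until a plugin implementing them is loaded."""
    return sorted({dep for _, _, dep in unmet_dependencies(log_text)
                   if dep.startswith(("PUBKEY:", "PRIVKEY:"))})

def ecdsa_supported(log_text):
    """False when charon reported that ECDSA public or private keys lack a backend."""
    missing = missing_key_types(log_text)
    return "PUBKEY:ECDSA" not in missing and "PRIVKEY:ECDSA" not in missing

if __name__ == "__main__":
    for dep in missing_key_types(SAMPLE_LOG):
        print(f"no loaded plugin provides {dep}")
    if not ecdsa_supported(SAMPLE_LOG):
        # Assumption: a backend such as the openssl plugin supplies ECDSA support.
        print("ECDSA certificates cannot work until a backend plugin (e.g. openssl) is loaded")
```

Run against a full charon log, the same functions show whether the ECDSA failure is a missing backend rather than a problem with the certificate itself.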