Hi Strongswan users!
This is my first post. I have problems using ECDSA certificates with 
strongswan (did not have problems with RSA certificates).
Please help to solve this problem. Thanks.
ipsec.conf file 
conn ss_as_init_cert_x2_22685
    left=172.16.58.97
    leftid=Userikev2-A
    leftsubnet=172.16.58.93/32
    #leftsourceip=%config
    leftfirewall=yes
    leftauth=pubkey
    leftcert=user-cert-ikev2-A.pem
    keyingtries=2
    reauth=no
    right=172.16.58.96
    rightauth=pubkey
    rightid=%any
    rightsubnet=172.16.58.96/32
    auto=add
    ike=aes256-sha512-modp2048!
    keyexchange=ikev2
    type=tunnel
    esp=aes256-sha512-modp2048!
    ikelifetime=60m
    lifetime=30m
    margintime=1s
    rekey=yes
    dpdaction=none
    dpddelay=300s
    dpdtimeout=10s
    mobike=no

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=US, ST=Massachusetts, L=Bedford, O=acmepacket, CN=root/[email protected]
        Validity
            Not Before: Nov  5 18:16:38 2020 GMT
            Not After : May 24 18:16:38 2021 GMT
        Subject: C=US, ST=Massachusetts, O=acmepacket.com, CN=Userikev2-A/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:36:43:df:ab:7a:1e:e4:33:7e:da:4c:da:42:67:
                    02:1c:3b:d0:ef:33:91:95:45:84:50:2d:34:b6:6f:
                    20:79:3e:a1:82:e6:e4:98:b3:56:cb:7a:b8:f3:c9:
                    ff:0e:8c:33:a9:90:e4:55:9f:c9:28:4d:f5:15:2f:
                    d0:78:ab:94:d8
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                23:36:62:1F:64:ED:C1:45:34:8D:52:C5:07:3C:68:AE:7F:92:8F:DE
            X509v3 Authority Key Identifier:
                keyid:1D:6A:76:68:32:A7:3B:48:35:6C:F1:3F:76:7A:06:12:F2:51:0A:2E
                DirName:/C=US/ST=Massachusetts/L=Bedford/O=acmepacket/CN=root/[email protected]
                serial:BD:52:8A:11:94:74:C2:20
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Issuer Alternative Name:
                DNS:abc.com
            X509v3 Subject Alternative Name:
                DNS:abc.com
    Signature Algorithm: ecdsa-with-SHA1
         30:45:02:21:00:f0:9e:68:b6:18:9a:aa:93:56:ad:74:80:d1:
         2b:ce:9f:85:12:1b:19:17:ef:b2:10:d0:c4:14:28:18:42:79:
         15:02:20:5d:32:32:bd:02:98:c2:28:9e:c9:10:5c:06:36:e7:
         6d:37:5e:2c:f5:97:96:6b:54:e4:3d:63:59:8e:cb:95:d6


Private Key:
read EC key
Private-Key: (256 bit)
priv:
    7b:7b:d0:11:9c:57:bc:86:2e:e9:29:d8:a1:54:a1:
    32:bd:c4:4b:79:a2:ac:23:4e:7f:3e:16:88:47:4e:
    f7:29
pub:
    04:36:43:df:ab:7a:1e:e4:33:7e:da:4c:da:42:67:
    02:1c:3b:d0:ef:33:91:95:45:84:50:2d:34:b6:6f:
    20:79:3e:a1:82:e6:e4:98:b3:56:cb:7a:b8:f3:c9:
    ff:0e:8c:33:a9:90:e4:55:9f:c9:28:4d:f5:15:2f:
    d0:78:ab:94:d8
ASN1 OID: prime256v1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIHt70BGcV7yGLukp2KFUoTK9xEt5oqwjTn8+FohHTvcpoAoGCCqGSM49AwEHoUQDQgAENkPfq3oe5DN+2kzaQmcCHDvQ7zORlUWEUC00tm8geT6hgubkmLNWy3q488n/DowzqZDkVZ/JKE31FS/QeKuU2A==
-----END EC PRIVATE KEY-----

IPSEC Secrets file
: ECDSA user-key-ikev2-A.pem
: ECDSA user-key-ikev2-B.pem



CHARON OUTPUT
feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
Nov  5 13:57:19 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Nov  5 13:57:19 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Nov  5 13:57:19 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Nov  5 13:57:19 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
Nov  5 13:57:19 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov  5 13:57:19 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov  5 13:57:19 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov  5 13:57:19 00[ASN]   file content is not binary ASN.1
Nov  5 13:57:19 00[ASN]   -----BEGIN CERTIFICATE-----
Nov  5 13:57:19 00[ASN]   -----END CERTIFICATE-----
Nov  5 13:57:19 00[ASN] L0 - x509:
Nov  5 13:57:19 00[ASN] L1 - tbsCertificate:
Nov  5 13:57:19 00[ASN] L2 - DEFAULT v1:
Nov  5 13:57:19 00[ASN] L3 - version:
Nov  5 13:57:19 00[ASN]   X.509v3
Nov  5 13:57:19 00[ASN] L2 - serialNumber:
Thank you.
Rouben
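
Added example, not part of the original post and not strongSwan code: a small Python check that reads charon's "unmet dependency" start-up lines in the format shown above and reports which key types listed in ipsec.secrets have no loaded plugin providing them. The sample log and secrets text are constructed to match the post's format, the function names are hypothetical, and the secrets parsing is a simplification that only handles lines of the form `selectors : TYPE file`.

```python
import re

# Constructed sample: charon start-up lines in the format shown in the post.
SAMPLE_LOG = """\
Nov  5 13:57:19 00[LIB] feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
Nov  5 13:57:19 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Nov  5 13:57:19 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov  5 13:57:19 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
"""

# Constructed sample: ipsec.secrets entries as listed in the post.
SAMPLE_SECRETS = """\
# private keys
: ECDSA user-key-ikev2-A.pem
: ECDSA user-key-ikev2-B.pem
"""

# feature <F> in plugin '<P>' has unmet dependency: <D>
UNMET = re.compile(r"feature (\S+) in plugin '([^']+)' has unmet dependency: (\S+)")
# Simplified: optional selectors, a colon, then the secret type (comment lines never match).
SECRET = re.compile(r"^[ \t]*[^#:\n]*:[ \t]+([A-Z0-9]+)\b", re.M)


def unmet_dependencies(log_text):
    """Return (feature, plugin, missing_dependency) for each unmet-dependency line."""
    return [m.groups() for m in UNMET.finditer(log_text)]


def secret_key_types(secrets_text):
    """Return the set of secret types (ECDSA, RSA, ...) named in ipsec.secrets text."""
    return {m.group(1) for m in SECRET.finditer(secrets_text)}


def blocked_key_types(log_text, secrets_text):
    """Map each configured key type to the PUBKEY/PRIVKEY features the log reports as unmet."""
    missing = {dep for _, _, dep in unmet_dependencies(log_text)}
    report = {}
    for ktype in sorted(secret_key_types(secrets_text)):
        wanted = (f"PUBKEY:{ktype}", f"PRIVKEY:{ktype}")
        hits = sorted(d for d in missing if d in wanted)
        if hits:
            report[ktype] = hits
    return report


if __name__ == "__main__":
    for ktype, deps in blocked_key_types(SAMPLE_LOG, SAMPLE_SECRETS).items():
        print(f"{ktype} keys configured, but the log reports unmet: {', '.join(deps)}")
```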
