[strongSwan] no private key found with ECDSA certificate

Andreas Steffen andreas.steffen at strongswan.org
Thu May 28 08:16:14 CEST 2015


Hi Mark,

it usually is much easier to use the strongSwan pki tool to generate
ECDSA keys and certificates:

https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPKI

Best regards

Andreas

On 27.05.2015 23:29, Mark M wrote:
> Do you know if this is an issue? It works fine on the Android device.
>
> On Wednesday, May 27, 2015 5:25 PM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Noel,
>
> I got it to work. I had to use ec instead of ecparam for the conversion
> like this:
>
> openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER
> -out centos2ecc.key
>
> strongSwan can now load the private key and I can connect with my
> Android client using ECDSA SHA384 certs :)
>
> Thank you very much for the help.
>
> Mark-
>
> On Wednesday, May 27, 2015 5:18 PM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Not working,
>
> I am using this method to convert, maybe it is wrong?
>
> [root at CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key
> -inform PEM -outform DER -out centos2ecc.key
>
>
> I am getting
>
> 00[LIB]   file coded in unknown format, discarded
> 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
> 00[CFG]   loading private key from
> '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed
>
>
> On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Mark,
>
> Try converting the key from PEM to DER format.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 27.05.2015 um 23:03 schrieb Mark M:
>  > Noel,
>  >
>  >  Here is a pastebin of the log with the settings you asked for -
>  >
>  > http://pastebin.com/4T47jNNA
>  >
>  > I am seeing this as a problem:
>  >
>  >    00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
>  >    00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
>  >    00[CFG]  loading private key from
> '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
>  >
>  > On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze
> <noel at familie-kuntze.de> wrote:
>  >
>  >
>  >
>  > Hello Mark,
>  >
>  > Okay, what does charon say during daemon startup?
>  > Please create a log with the following settings and post it here.
>  > You are encouraged to use a pastebin service.
>  >
>  > default = 3
>  > mgr = 1
>  > ike = 1
>  > net = 1
>  > enc = 0
>  > cfg = 2
>  > asn = 1
>  > job = 1
>  > knl = 1
>  >
>  > Mit freundlichen Grüßen/Kind Regards,
>  > Noel Kuntze
>  >
>  > GPG Key ID: 0x63EC6658
>  > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>  >
>  > Am 27.05.2015 um 22:25 schrieb Mark M:
>  > > Hi Noel,
>  >
>  > > I did specify the key in ipsec.secrets. I am doing everything the
> same way I did with RSA certificates that work fine. Here is my config
> and how I generated the ECC keys and certs. I am thinking this is an
> issue with how I generated the ECC keys and certs?
>  >
>  >
>  > > openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
>  >
>  > >  openssl req -new -key centos2ecc.key -out centos2ecc.csr -config
> /etc/pki/newca/opensslc1.cnf -sha384
>  >
>  > > openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey
> eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions
> v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
>  >
>  > > opensslc1.cnf file:
>  >
>  > > [req]
>  > > distinguished_name = req_distinguished_name
>  > > req_extensions = v3_req
>  >
>  > > [req_distinguished_name]
>  > > countryName = Country Name (2 letter code)
>  > > stateOrProvinceName = State or Province Name (full name)
>  > > localityName = Locality Name (eg, city)
>  > > organizationalUnitName = Organizational Unit Name (eg, section)
>  > > commonName =
>  >
>  > > [v3_req]
>  > > basicConstraints = CA:FALSE
>  > > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>  > > subjectAltName = @alt_names
>  >
>  > > [alt_names]
>  > > IP.1=10.X.X.X
>  > > IP.2=192.168.1.7
>  >
>  > > ipsec.secrets
>  >
>  > > # /etc/ipsec.secrets - strongSwan IPsec secrets file
>  >
>  > > : RSA centos2.key
>  > > : ECDSA centos2ecc.key
>  >
>  >
>  >
>  > > [root at CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
>  > > #      leftsendcert=never
>  > > #      right=192.168.0.2
>  > > #      rightsubnet=10.2.0.0/16
>  > > #      rightcert=peerCert.der
>  > > #      auto=start
>  >
>  > > #conn sample-with-ca-cert
>  > > #      leftsubnet=10.1.0.0/16
>  > > #      leftcert=myCert.pem
>  > > #      right=192.168.0.2
>  > > #      rightsubnet=10.2.0.0/16
>  > > #      rightid="C=CH, O=Linux strongSwan CN=peer name"
>  > > #      auto=start
>  > > conn %default
>  > >        keyexchange=ikev2
>  >
>  > > conn phone1ecc
>  > >        left=%defaultroute
>  > >        leftcert=centos2ecc.crt
>  > >        leftsubnet=0.0.0.0/0
>  > >        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
>  > >        leftfirewall=yes
>  > >        right=%any
>  > >        rightsourceip=192.168.9.0/24
>  > >        esp=aes256-sha384-ecp384!
>  > >        ike=aes256-sha384-ecp384!
>  > >        auto=add
>  >
>  > > On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze
> <noel at familie-kuntze.de> wrote:
>  >
>  >
>  >
>  > > Hello Mark,
>  >
>  > > Well, did you enter the ECDSA private key in ipsec.secrets as you
> did with the RSA key?
>  >
>  > > Mit freundlichen Grüßen/Kind Regards,
>  > > Noel Kuntze
>  >
>  > > GPG Key ID: 0x63EC6658
>  > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>  >
>  > > Am 27.05.2015 um 04:52 schrieb Mark M:
>  > > > I am trying to use ECDSA certificates with my setup and I keep
> getting "no private key found" on my strongswan server when a client
> connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the
> android client to connect and the certificate authentication works fine
> on the Android device.
>  >
>  > > > Any ideas on what would cause the private key to not be found or
> be authenticated correctly?
>  >
>  >
>  > > > 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF,
> O=SSCA, OU=SS, CN=192.168.1.7"
>  > > > 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF,
> O=SSCA, OU=SS, CN=phone1ecc"
>  > > > 14[CFG] certificate status is not available
>  > > > 14[CFG]  reached self-signed root ca with a path length of 0
>  > > > 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS,
> CN=phone1ecc' with ECDSA-384 signature successful
>  > > > 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3
> TFC padding
>  > > > 14[IKE] peer supports MOBIKE
>  > > > 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
>  > > > 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>  > > > 14[NET] sending packet: from 192.168.1.7[4500] to
> 70.162.232.57[5477] (88 bytes)
>  >
>  > > > _______________________________________________
>  > > > Users mailing list
>  > > > Users at lists.strongswan.org
>  > > > https://lists.strongswan.org/mailman/listinfo/users
>  >
>  >
>  >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJVZjGEAAoJEDg5KY9j7GZY9hgQAJBZeSw2dDyssPgxcWMydhzK
> 4UphjKZ0IrybXtZ24wTowKBFLEjn1RdW+p5NiCrVskezNESp89zdyKtDaYxvVv/s
> N/5KdXeNs0wRMU1kl4hcSH9xjzOt5CFbvhjkSZ6oasFah/8T0OEJtk2e1IID0McC
> IzuWb0wY3ui3Mox1KT/XTV/iS+ulfgqjVxDWuDaQi1R9kdYMhMSFYT+KKE6HRKVV
> 171HgJ2+kcDxcm0gW/w1qEqniuZehW/BsZ48Ut1HGHJmR/z/cgMQGvgilvNmYRpD
> eGjk5Kwzl3Wsr8Y6vQssGu8jNTbeXiy5wN0nZ5h+8zHu4MidpQzEhRPvjUxSRC7h
> GoESpAg8/m5N8wmXxtJDl2pxXxp1xa9YGWZPNZ7nAVz3UfDLW6cfVgMLukYQsOc7
> /p+SNpEjO8x+Zr0Y13s4vllJcE5JbP5GY3caGDF+xVP21HwML4IqiNwFDDgtAZqQ
> Iblq1VaTK73x4FxNFzg6C8N5OJo62OP+4HeZUENmBFGAUJaBOARBrsBmmlOqgPkn
> 2GtYzkcVMdkblaKzvV8Zp3U+tj0tu6QLK6/cDUVVnSoG2h7T6/dBJR6fpcftW9zD
> cXcM8MW2Wk1F4LPn9aOr+0rVZWlKVaebj1NrPZhwgqE7zA6XH5EkU3Km15LoSl4D
> PDo4tN1Y3zcPHFnLfv+/
> =epoc
>
> -----END PGP SIGNATURE-----
>
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
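The thread's own logs point at why the first conversion failed and the second worked: `openssl ecparam -in` reads only the curve parameters, so the DER file it wrote held just the named-curve OID and no key at all (hence "file coded in unknown format"), while `openssl ec -in` reads and writes the private key itself. The script below, an added example that is not code from the strongSwan project or from anyone in the thread, reproduces both conversions on a freshly generated secp384r1 key and also writes a PEM copy of the key without the leading "EC PARAMETERS" block that `ecparam -genkey` emits (whether that block is what tripped the original PEM load in strongSwan 5.2.0 is not established on the page, but the key-only file is the form to install either way). It needs only the openssl CLI; the file names are assumptions chosen to match the thread. The shortcut Andreas recommends, `pki --gen --type ecdsa --size 384 --outform pem`, produces the key-only PEM directly.

```shell
#!/bin/sh
# Added example for this thread; not code from the strongSwan project or from
# the posters. Requires the openssl CLI. File names are assumptions chosen to
# match the thread.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a secp384r1 key the way the thread did. Without -noout, OpenSSL
# writes an "EC PARAMETERS" block ahead of the "EC PRIVATE KEY" block.
gen_key_with_params() {
    openssl ecparam -genkey -name secp384r1 -out "$1" 2>/dev/null
}

# Number of PEM blocks of the given type ("EC PARAMETERS", "EC PRIVATE KEY")
# in a file. Prints 0 instead of failing when there are none.
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# The conversion that failed in the thread: "ecparam -in" reads only the
# curve parameters, so the DER output is the named-curve OID and nothing else.
params_to_der() {
    openssl ecparam -in "$1" -inform PEM -outform DER -out "$2" 2>/dev/null
}

# The conversion that worked: "ec -in" reads the private key and writes it
# in the requested format ($3 = DER or PEM). The PEM form contains the key only.
key_to_format() {
    openssl ec -in "$1" -inform PEM -outform "$3" -out "$2" 2>/dev/null
}

# Size in bytes; enough to tell a 7-byte OID from a real key.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Does OpenSSL itself accept the file ($2 = DER or PEM) as an EC private key?
is_ec_private_key() {
    openssl ec -in "$1" -inform "$2" -noout -check >/dev/null 2>&1
}

main() {
    gen_key_with_params "$WORK/centos2ecc.key"
    echo "EC PARAMETERS blocks in the generated PEM: $(count_pem_blocks "$WORK/centos2ecc.key" 'EC PARAMETERS')"

    params_to_der "$WORK/centos2ecc.key" "$WORK/params.der"
    key_to_format "$WORK/centos2ecc.key" "$WORK/centos2ecc.der" DER
    echo "ecparam -> DER: $(file_size "$WORK/params.der") bytes (curve OID only, no key)"
    echo "ec      -> DER: $(file_size "$WORK/centos2ecc.der") bytes (the private key)"

    # Key-only PEM, the form to install as ipsec.d/private/centos2ecc.key
    key_to_format "$WORK/centos2ecc.key" "$WORK/centos2ecc.clean.pem" PEM
    echo "EC PARAMETERS blocks after 'openssl ec': $(count_pem_blocks "$WORK/centos2ecc.clean.pem" 'EC PARAMETERS')"
}

main
```

Whichever form you install, point the `: ECDSA` line in ipsec.secrets at that file and confirm at daemon start that charon logs the key as loaded rather than "tried 4 builders".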
