<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div id="yui_3_16_0_1_1432757546668_9568"><span>Hi Noel,</span></div><div id="yui_3_16_0_1_1432757546668_10193"><span><br></span></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr"><span id="yui_3_16_0_1_1432757546668_10194">I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs?</span></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr"><span id="yui_3_16_0_1_1432757546668_10186"></span></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">openssl ecparam -genkey -name secp384r1 -out centos2ecc.key</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">opensslc1.cnf file:</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">[req]</div><div
id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">distinguished_name = req_distinguished_name</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">req_extensions = v3_req</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br class="" style=""></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">[req_distinguished_name]</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">countryName = Country Name (2 letter code)</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">stateOrProvinceName = State or Province Name (full name)</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">localityName = Locality Name (eg, city)</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">organizationalUnitName = Organizational Unit Name (eg, section)</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">commonName =</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br class="" style=""></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">[v3_req]</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">basicConstraints = CA:FALSE</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">subjectAltName = @alt_names</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><br class="" style=""></div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">[alt_names]</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">IP.1=10.X.X.X</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">IP.2=192.168.1.7</div><div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style="">~</div><div dir="ltr" class="" 
style="" id="yui_3_16_0_1_1432757546668_10714"><br class="" style=""></div><div dir="ltr" class="" style="" id="yui_3_16_0_1_1432757546668_10714">ipsec.secrets</div><div dir="ltr" class="" style="" id="yui_3_16_0_1_1432757546668_10714"><br></div><div dir="ltr" class="" style="" id="yui_3_16_0_1_1432757546668_10714"><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10714" style=""># /etc/ipsec.secrets - strongSwan IPsec secrets file</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10714" style=""><br class="" style=""></div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10714" style="">: RSA centos2.key</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10714" style="">: ECDSA centos2ecc.key</div><div dir="ltr" class="" style="" id="yui_3_16_0_1_1432757546668_11532"><br class="" style=""></div></div><div dir="ltr" class="" style="" id="yui_3_16_0_1_1432757546668_10475"><br class="" style=""></div><div dir="ltr" class="" style="" id="yui_3_16_0_1_1432757546668_10445"><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style=""><br class="" style=""></div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">[root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      leftsendcert=never</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      right=192.168.0.2</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      rightsubnet=10.2.0.0/16</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      rightcert=peerCert.der</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      auto=start</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style=""><br class="" style=""></div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#conn sample-with-ca-cert</div><div dir="ltr" class="" 
id="yui_3_16_0_1_1432757546668_10445" style="">#      leftsubnet=10.1.0.0/16</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      leftcert=myCert.pem</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      right=192.168.0.2</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      rightsubnet=10.2.0.0/16</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      rightid="C=CH, O=Linux strongSwan CN=peer name"</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">#      auto=start</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">conn %default</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        keyexchange=ikev2</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style=""><br></div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">conn phone1ecc<br></div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        left=%defaultroute</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        leftcert=centos2ecc.crt</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        leftsubnet=0.0.0.0/0</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        leftfirewall=yes</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        right=%any</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        rightsourceip=192.168.9.0/24</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        esp=aes256-sha384-ecp384!</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style="">        ike=aes256-sha384-ecp384!</div><div dir="ltr" class="" 
id="yui_3_16_0_1_1432757546668_10445" style="">        auto=add</div><div dir="ltr" class="" id="yui_3_16_0_1_1432757546668_10445" style=""><br class="" style=""></div></div>  <div id="yui_3_16_0_1_1432757546668_9569" dir="ltr" class="" style=""><span class="" style=""><br class="" style=""></span></div><br><div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <noel@familie-kuntze.de> wrote:<br> </font> </div>  <br><br> <div class="y_msg_container"><br clear="none">-----BEGIN PGP SIGNED MESSAGE-----<br clear="none">Hash: SHA256<br clear="none"><br clear="none">Hello Mark,<br clear="none"><br clear="none">Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?<br clear="none"><br clear="none">Mit freundlichen Grüßen/Kind Regards,<br clear="none">Noel Kuntze<br clear="none"><br clear="none">GPG Key ID: 0x63EC6658<br clear="none">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br clear="none"><div class="yqt5405077770" id="yqtfd95656"><br clear="none">On 27.05.2015 at 04:52, Mark M wrote:<br clear="none">> I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0.
I am using the android client to connect and the certificate authentication works fine on the Android device.<br clear="none">><br clear="none">> Any ideas on what would cause the private key to not be found or be authenticated correctly?<br clear="none">><br clear="none">><br clear="none">> 14[CFG]   using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"<br clear="none">> 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"<br clear="none">> 14[CFG] certificate status is not available<br clear="none">> 14[CFG]   reached self-signed root ca with a path length of 0<br clear="none">> 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful<br clear="none">> 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br clear="none">> 14[IKE] peer supports MOBIKE<br clear="none">> 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'<br clear="none">> 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br clear="none">> 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)</div><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">> _______________________________________________<br clear="none">> Users mailing list<br clear="none">> <a shape="rect" ymailto="mailto:Users@lists.strongswan.org" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br clear="none">> <a shape="rect" href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br clear="none"><br clear="none">-----BEGIN PGP SIGNATURE-----<br clear="none">Version: GnuPG v2<br clear="none"><br clear="none">iQIcBAEBCAAGBQJVZbDdAAoJEDg5KY9j7GZYdrQP+gKX2Z6UnuuBm3axA47uBFeJ<br clear="none">U++oz8UJ5jN/FW4CMBjvKZJGJPMq+VblMbqZZGMAEE2Mgjm6z9olaDVj0Sl0cO1E<br 
clear="none">1M0HsNeBbQHb23Pb1p2/wMyCyfFFHPTEWLIqDeNHALOzguGiPVMlibZ/FogCeTjV<br clear="none">8qPfcwgYebQcAujOv8GEm1IWAn1/ZmnXsTbMDz6J3VT09Cjh0dQ5o32s6U0PoT4Y<br clear="none">93V5FLDSJIo0INMVG+RRPqoEt20PVTRyCFLTFaex3HJWgb/O3JKn6WXrdaMKOVex<br clear="none">KjRNkWvoqwg2LWB7sjEScNjrECOtUddBeG9Kx5p/kbs9jsB8Ftx+XKE+gSkXeKtt<br clear="none">qS9HpvAF78v2/aCPLbCYR2fxhxJgaX0Ofh2NQzYV55kFpHgYfH7/5U4tTN6/Go5H<br clear="none">xx/iZBdPr54I4FbWiUid4pMu1zDV2Uwrd7eCpjkpMbYLWUvOXRfztjklZL48K44P<br clear="none">F5Lh8EU5JBl10XI3OFU+tox8A1ZVE03ljeBkFwJfwScRvvAZMUBgnGlGiPmaFPBs<br clear="none">zgVNhmdswvvdikfL8y5E/t2UMMQgDCQpfOPIB+qrWkhGtXtddc2AYZnbRW+Gju4f<br clear="none">Y3Ad6nRh6AAGZbRlGPoc3pGCF2oP+p0yMOIY2QexUn32VSLff8W6Q5ymVVn6KPfx<br clear="none">ogdvtfSe+cOHsuYIW9WT<br clear="none">=koBw<br clear="none">-----END PGP SIGNATURE-----<br><br></div>  </div> </div>  </div></div></body></html>
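Added check for the thread above (example code, written for this page; it is not from Mark's post, Noel's reply, or the strongSwan project). strongSwan associates a leftcert with a private key through the certificate's public key rather than through file names, so before suspecting the ECDSA support itself there are three things worth confirming about the files in play: which PEM objects the key file actually holds (openssl ecparam -genkey without -noout writes an "EC PARAMETERS" block ahead of the "EC PRIVATE KEY" block), whether the key named in ipsec.secrets pairs with the certificate named in leftcert, and whether the certificate subject is the identity strongSwan logs. In the quoted log excerpt the identity it could not find a key for is 'C=US, ST=MA, L=SELF, OU=SSCA', which is not the configured leftid, and the opensslc1.cnf shown has no organizationName entry in its req_distinguished_name section. The script assumes only the OpenSSL command-line tool plus sed and tr; every key and certificate it uses is generated on the fly as constructed sample data, and the temp directory, file names and the LEFTID/LOGGED_ID variables are the example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): sanity checks for a strongSwan
# leftcert / private-key pair. Assumes the OpenSSL CLI is installed. All key and
# certificate material is constructed here on the fly; no real keys are embedded.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. List the PEM object types in a file, in order, comma-separated.
#    "openssl ecparam -genkey" without -noout writes EC PARAMETERS before the key.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ',' | sed 's/,$//'
}

# 2. Does this private key belong to this certificate? The SubjectPublicKeyInfo
#    derived from the key must equal the one embedded in the certificate.
#    Prints "match" or "mismatch".
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# 3. Certificate subject in forward "C=.., ST=.., .." order with comma separators,
#    the same shape strongSwan uses when it logs an identity.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space | sed 's/^subject= *//'
}

# 4. Does the subject equal a configured or logged identity, ignoring spacing?
#    Prints "yes" or "no".
subject_matches_leftid() {
    a=$(cert_subject "$1" | tr -d ' ')
    b=$(printf '%s' "$2" | tr -d ' ')
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Constructed sample material: a key generated as in the thread (parameters + key),
# a second key generated with -noout, and a self-signed certificate for the second
# key carrying the leftid DN from the thread's ipsec.conf.
openssl ecparam -genkey -name secp384r1 -out "$WORK/twoblocks.key" 2>/dev/null
openssl ecparam -genkey -name secp384r1 -noout -out "$WORK/centos2ecc.key" 2>/dev/null
openssl req -new -x509 -sha384 -days 1 -key "$WORK/centos2ecc.key" \
    -subj "/C=US/ST=MA/L=SELF/O=SSCA/OU=SS/CN=192.168.1.7" \
    -out "$WORK/centos2ecc.crt" 2>/dev/null

LEFTID="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"   # leftid from the thread
LOGGED_ID="C=US, ST=MA, L=SELF, OU=SSCA"                      # identity from the log excerpt

echo "PEM objects (ecparam -genkey):        $(pem_block_types "$WORK/twoblocks.key")"
echo "PEM objects (ecparam -genkey -noout): $(pem_block_types "$WORK/centos2ecc.key")"
echo "key pairs with leftcert:              $(key_matches_cert "$WORK/centos2ecc.key" "$WORK/centos2ecc.crt")"
echo "unrelated key pairs with leftcert:    $(key_matches_cert "$WORK/twoblocks.key" "$WORK/centos2ecc.crt")"
echo "certificate subject:                  $(cert_subject "$WORK/centos2ecc.crt")"
echo "subject equals leftid:                $(subject_matches_leftid "$WORK/centos2ecc.crt" "$LEFTID")"
echo "subject equals logged identity:       $(subject_matches_leftid "$WORK/centos2ecc.crt" "$LOGGED_ID")"
```

To use the checks on a real system, call the functions with the file named by leftcert and the file named in ipsec.secrets instead of the generated samples. A "mismatch" on the pairing line means strongSwan can never associate that key with that certificate, whatever the secrets file says; a "no" against the identity taken from a "no private key found for '...'" log line means the certificate strongSwan actually loaded does not carry the subject the configuration expects.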