<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div id="yui_3_16_0_1_1432760834708_32266"><span id="yui_3_16_0_1_1432760834708_32267">Do you know this is an issue? It works fine on the Android device?</span></div>  <br><div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, May 27, 2015 5:25 PM, Mark M <mark076h@yahoo.com> wrote:<br> </font> </div>  <br><br> <div class="y_msg_container"><div id="yiv7898168228"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"><div id="yiv7898168228yui_3_16_0_1_1432760834708_27171"><span id="yiv7898168228yui_3_16_0_1_1432760834708_27680">Noel,</span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_27172"><span><br clear="none"></span></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27173"><span id="yiv7898168228yui_3_16_0_1_1432760834708_27679">I got it to work. 
I had to use ec instead of ecparam for the conversion like this:</span></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27174"><span><br clear="none"></span></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175">openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key<span><br clear="none"></span></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175"><br clear="none"></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175">strongSwan can now load the private key and I can connect with my Android client using ECDSA SHA384 certs :)</div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175"><br clear="none"></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175">Thank you very much for the help.</div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175"><br clear="none"></div><div dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_27175">Mark-</div>  <div class="yiv7898168228" dir="ltr" style=""><span class="yiv7898168228" style=""><br clear="none" class="yiv7898168228" style=""></span></div><br clear="none"><div class="yiv7898168228qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv7898168228yqt4481217334" id="yiv7898168228yqt03482"><div class="yiv7898168228yahoo_quoted" style="display: block;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, May 27, 2015 5:18 PM, Mark M <mark076h@yahoo.com> wrote:<br clear="none"> </font> </div>  <br clear="none"><br clear="none"> <div class="yiv7898168228y_msg_container"><div id="yiv7898168228"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, 
sans-serif;font-size:12px;"><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span>Not working,</span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span><br clear="none"></span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span id="yiv7898168228yui_3_16_0_1_1432760834708_20825">I am using this method to convert, maybe it is wrong? </span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span><br clear="none"></span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span></span></div><div class="yiv7898168228" id="yiv7898168228yui_3_16_0_1_1432760834708_20381" style="">[root@CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key</div><div class="yiv7898168228" dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_20912" style=""><br clear="none" class="yiv7898168228" style=""></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span><br clear="none"></span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span>I am getting</span></div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"><span><br clear="none"></span></div><div class="yiv7898168228" id="yiv7898168228yui_3_16_0_1_1432760834708_20381" style="">00[LIB]   file coded in unknown format, discarded</div><div class="yiv7898168228" id="yiv7898168228yui_3_16_0_1_1432760834708_20381" style="">00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders</div><div id="yiv7898168228yui_3_16_0_1_1432760834708_20381"></div><div class="yiv7898168228" id="yiv7898168228yui_3_16_0_1_1432760834708_20381" style="">00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed</div><div class="yiv7898168228" dir="ltr" id="yiv7898168228yui_3_16_0_1_1432760834708_20401" style=""><br clear="none" class="yiv7898168228" style=""></div>  <div class="yiv7898168228" id="yiv7898168228yui_3_16_0_1_1432760834708_20381" style=""><span class="yiv7898168228" 
style=""><br clear="none" class="yiv7898168228" style=""></span></div><br clear="none"><div class="yiv7898168228qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv7898168228yqt4094981402" id="yiv7898168228yqt97829"><div class="yiv7898168228yahoo_quoted" style="display:block;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze <noel@familie-kuntze.de> wrote:<br clear="none"> </font> </div>  <br clear="none"><br clear="none"> <div class="yiv7898168228y_msg_container"><br clear="none">-----BEGIN PGP SIGNED MESSAGE-----<br clear="none">Hash: SHA256<br clear="none"><br clear="none">Hello Mark,<br clear="none"><br clear="none">Try converting the key from PEM to DER format.<br clear="none"><br clear="none">Mit freundlichen Grüßen/Kind Regards,<br clear="none">Noel Kuntze<br clear="none"><br clear="none">GPG Key ID: 0x63EC6658<br clear="none">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br clear="none"><br clear="none">Am 27.05.2015 um 23:03 schrieb Mark M:<br clear="none">> Noel,<br clear="none">><br clear="none">>  Here is a pastebin of the log with the settings you asked for -<br clear="none">><br clear="none">>  <a rel="nofollow" shape="rect" target="_blank" href="http://pastebin.com/4T47jNNA">http://pastebin.com/4T47jNNA</a><br clear="none">><br clear="none">> I am seeing this a problem<br clear="none">><br clear="none">> 1.<br clear="none">>     00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'<br clear="none">> 2.<br clear="none">>     00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders<br clear="none">> 3.<br clear="none">>     00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed<br 
clear="none">><br clear="none">> <br clear="none">><br clear="none">><br clear="none">> On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze <<a rel="nofollow" shape="rect" ymailto="mailto:noel@familie-kuntze.de" target="_blank" href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br clear="none">><br clear="none">><br clear="none">><br clear="none">> Hello Mark,<br clear="none">><br clear="none">> Okay, what does charon say during daemon startup?<br clear="none">> Please create a log witht the following settings and post it here.<br clear="none">> You are encouraged to use a pastebin service.<br clear="none">><br clear="none">> default = 3<br clear="none">> mgr = 1<br clear="none">> ike = 1<br clear="none">> net = 1<br clear="none">> enc = 0<br clear="none">> cfg = 2<br clear="none">> asn = 1<br clear="none">> job = 1              <br clear="none">> knl = 1<br clear="none">><br clear="none">> Mit freundlichen Grüßen/Kind Regards,<br clear="none">> Noel Kuntze<br clear="none">><br clear="none">> GPG Key ID: 0x63EC6658<br clear="none">> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br clear="none">><br clear="none">> Am 27.05.2015 um 22:25 schrieb Mark M:<br clear="none">> > Hi Noel,<br clear="none">><br clear="none">> > I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. 
I am thinking this is an issue with how I generated the ECC keys and certs?<br clear="none">><br clear="none">><br clear="none">> > openssl ecparam -genkey -name secp384r1 -out centos2ecc.key<br clear="none">><br clear="none">> >  openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384<br clear="none">><br clear="none">> > openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384<br clear="none">><br clear="none">> > opensslc1.cnf file:<br clear="none">><br clear="none">> > [req]<br clear="none">> > distinguished_name = req_distinguished_name<br clear="none">> > req_extensions = v3_req<br clear="none">><br clear="none">> > [req_distinguished_name]<br clear="none">> > countryName = Country Name (2 letter code)<br clear="none">> > stateOrProvinceName = State or Province Name (full name)<br clear="none">> > localityName = Locality Name (eg, city)<br clear="none">> > organizationalUnitName = Organizational Unit Name (eg, section)<br clear="none">> > commonName =<br clear="none">><br clear="none">> > [v3_req]<br clear="none">> > basicConstraints = CA:FALSE<br clear="none">> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br clear="none">> > subjectAltName = @alt_names<br clear="none">><br clear="none">> > [alt_names]<br clear="none">> > IP.1=10.X.X.X<br clear="none">> > IP.2=192.168.1.7<br clear="none">> > ~<br clear="none">><br clear="none">> > ipsec.secrets<br clear="none">><br clear="none">> > # /etc/ipsec.secrets - strongSwan IPsec secrets file<br clear="none">><br clear="none">> > : RSA centos2.key<br clear="none">> > : ECDSA centos2ecc.key<br clear="none">><br clear="none">><br clear="none">><br clear="none">> > [root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf<br clear="none">> > #      leftsendcert=never<br clear="none">> > #      right=192.168.0.2<br clear="none">> > #      rightsubnet=10.2.0.0/16<br clear="none">> > #      rightcert=peerCert.der<br clear="none">> > #      auto=start<br clear="none">><br clear="none">> > #conn sample-with-ca-cert<br clear="none">> > #      leftsubnet=10.1.0.0/16<br clear="none">> > #      leftcert=myCert.pem<br clear="none">> > #      right=192.168.0.2<br clear="none">> > #      rightsubnet=10.2.0.0/16<br clear="none">> > #      rightid="C=CH, O=Linux strongSwan CN=peer name"<br clear="none">> > #      auto=start<br clear="none">> > conn %default<br clear="none">> >        keyexchange=ikev2<br clear="none">><br clear="none">> > conn phone1ecc<br clear="none">> >        left=%defaultroute<br clear="none">> >        leftcert=centos2ecc.crt<br clear="none">> >        leftsubnet=0.0.0.0/0<br clear="none">> >        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"<br clear="none">> >        leftfirewall=yes<br clear="none">> >        right=%any<br clear="none">> >        rightsourceip=192.168.9.0/24<br clear="none">> >        esp=aes256-sha384-ecp384!<br clear="none">> >        ike=aes256-sha384-ecp384!<br clear="none">> >        auto=add<br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">> > On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <<a rel="nofollow" shape="rect" ymailto="mailto:noel@familie-kuntze.de" target="_blank" href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br clear="none">><br clear="none">><br clear="none">><br clear="none">> > Hello Mark,<br clear="none">><br clear="none">> > Well, did you enter the 
ECDSA private key in ipsec.secrets as you did with the RSA key?<br clear="none">><br clear="none">> > Mit freundlichen Grüßen/Kind Regards,<br clear="none">> > Noel Kuntze<br clear="none">><br clear="none">> > GPG Key ID: 0x63EC6658<br clear="none">> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br clear="none">><br clear="none">> > On 27.05.2015 at 04:52, Mark M wrote:<br clear="none">> > > I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongSwan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the Android client to connect and the certificate authentication works fine on the Android device.<br clear="none">><br clear="none">> > > Any ideas on what would cause the private key to not be found or be authenticated correctly?<br clear="none">><br clear="none">><br clear="none">> > > 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"<br clear="none">> > > 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"<br clear="none">> > > 14[CFG] certificate status is not available<br clear="none">> > > 14[CFG]  reached self-signed root ca with a path length of 0<br clear="none">> > > 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful<br clear="none">> > > 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br clear="none">> > > 14[IKE] peer supports MOBIKE<br clear="none">> > > 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'<br clear="none">> > > 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br clear="none">> > > 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)<br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">> > > _______________________________________________<br clear="none">> > > Users 
mailing list<br clear="none">> > > <a rel="nofollow" shape="rect" ymailto="mailto:Users@lists.strongswan.org" target="_blank" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br clear="none">> > > <a rel="nofollow" shape="rect" target="_blank" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none">><br 
clear="none">><br clear="none"><br clear="none">-----BEGIN PGP SIGNATURE-----<br clear="none">Version: GnuPG v2<br clear="none"><br clear="none">iQIcBAEBCAAGBQJVZjGEAAoJEDg5KY9j7GZY9hgQAJBZeSw2dDyssPgxcWMydhzK<br clear="none">4UphjKZ0IrybXtZ24wTowKBFLEjn1RdW+p5NiCrVskezNESp89zdyKtDaYxvVv/s<br clear="none">N/5KdXeNs0wRMU1kl4hcSH9xjzOt5CFbvhjkSZ6oasFah/8T0OEJtk2e1IID0McC<br clear="none">IzuWb0wY3ui3Mox1KT/XTV/iS+ulfgqjVxDWuDaQi1R9kdYMhMSFYT+KKE6HRKVV<br clear="none">171HgJ2+kcDxcm0gW/w1qEqniuZehW/BsZ48Ut1HGHJmR/z/cgMQGvgilvNmYRpD<br clear="none">eGjk5Kwzl3Wsr8Y6vQssGu8jNTbeXiy5wN0nZ5h+8zHu4MidpQzEhRPvjUxSRC7h<br clear="none">GoESpAg8/m5N8wmXxtJDl2pxXxp1xa9YGWZPNZ7nAVz3UfDLW6cfVgMLukYQsOc7<br clear="none">/p+SNpEjO8x+Zr0Y13s4vllJcE5JbP5GY3caGDF+xVP21HwML4IqiNwFDDgtAZqQ<br clear="none">Iblq1VaTK73x4FxNFzg6C8N5OJo62OP+4HeZUENmBFGAUJaBOARBrsBmmlOqgPkn<br clear="none">2GtYzkcVMdkblaKzvV8Zp3U+tj0tu6QLK6/cDUVVnSoG2h7T6/dBJR6fpcftW9zD<br clear="none">cXcM8MW2Wk1F4LPn9aOr+0rVZWlKVaebj1NrPZhwgqE7zA6XH5EkU3Km15LoSl4D<br clear="none">PDo4tN1Y3zcPHFnLfv+/<br clear="none">=epoc<div class="yiv7898168228yqt8514873837" id="yiv7898168228yqtfd38953"><br clear="none">-----END PGP SIGNATURE-----<br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></div></div></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></div></div></div><br><br></div>  </div> </div>  </div></div></body></html>