[strongSwan] EC Use on and Android

Matt Link matt.link at cyverone.com
Wed Jun 20 02:55:58 CEST 2012


Hi Andreas,

You were correct.  Once I enabled OpenSSL on the Linux box those problems
went away on my Linux boxes.  However, what I am trying to do is change my
strongSwan IPSec connections between the server and my road warriors to be
Suite B compliant.  So I created a set of ECDSA keys and certificates.  When
I restart IPSec on the Linux server I receive no errors.  However, on the
Android I get the following:

I/charon  ( 2866): 00[CFG] loading ca certificates from '/system/etc/ipsec.d/cacerts'
I/charon  ( 2866): 00[CFG]   loaded ca certificate "C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information Services, CN=IS, N=IS, E=administrator at cyverone.com" from '/system/etc/ipsec.d/cacerts/caCyCert.pem'
I/charon  ( 2866): 00[CFG] loading aa certificates from '/system/etc/ipsec.d/aacerts'
I/charon  ( 2866): 00[CFG] loading ocsp signer certificates from '/system/etc/ipsec.d/ocspcerts'
I/charon  ( 2866): 00[CFG] loading attribute certificates from '/system/etc/ipsec.d/acerts'
I/charon  ( 2866): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
I/charon  ( 2866): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
I/charon  ( 2866): 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 1 builders
I/charon  ( 2866): 00[CFG]   loading private key from '/system/etc/ipsec.d/private/keyCyECRmt01.pem' failed
I/charon  ( 2866): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-raw android stroke eap-identity eap-mschapv2 eap-md5
I/charon  ( 2866): 00[JOB] spawning 16 worker threads
I/charon  ( 2866): 09[CFG] received stroke: add connection 'home01'
I/charon  ( 2866): 09[LIB] OpenSSL X.509 parsing failed
I/charon  ( 2866): 09[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
I/charon  ( 2866): 09[CFG]   loading certificate from 'crtCyECRmt01.pem' failed
I/charon  ( 2866): 09[CFG] added configuration 'home01'
I/charon  ( 2866): 10[CFG] received stroke: initiate 'home01'
I/charon  ( 2866): 10[IKE] initiating IKE_SA home01[1] to 68.225.28.68
I/charon  ( 2866): 10[IKE] configured DH group ECP_256 not supported
I/charon  ( 2866): 10[MGR] tried to check-in and delete nonexisting IKE_SA

As we can see, I have three problems: it doesn't like my key, it doesn't
like my certificate, and it doesn't like the DH group specification.  When I
do an ipsec statusall I get:

ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.2):
  uptime: 21 seconds, since Jun 20 00:24:11 2012
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-raw android stroke eap-identity eap-mschapv2 eap-md5
Listening IP addresses:
  2600:1010:8004:783e:0:9:40aa:ca01
  xx.xxx.xx.xx
  2600:100e:b011:d63c:0:8:73c4:f001
  xx.xxx.xxx.xxx
Connections:
      home01:  xx.xxx.xxx.xx...xx.xxx.xx.xx
      home01:   local:  [rmt01ec at cyverone.com] uses public key authentication
      home01:   remote: [C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information Services, CN=IS, N=IS, E=administrator at cyverone.com] uses any authentication
      home01:   child:  dynamic === 10.20.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
  none
I/charon  ( 2717): 10[IKE] configured DH group ECP_256 not supported
I/charon  ( 2717): 10[MGR] tried to check-in and delete nonexisting IKE_SA

And an ipsec listalgs shows:

ipsec listalgs

List of registered IKEv2 Algorithms:

  encryption: AES_CBC[openssl] CAMELLIA_CBC[openssl] BLOWFISH_CBC[openssl] 3DES_CBC[openssl] DES_CBC[openssl]
              DES_ECB[openssl] NULL[openssl]
  integrity:  CAMELLIA_XCBC_96[xcbc] AES_XCBC_96[xcbc] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac]
              HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac]
              HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
  aead:
  hasher:     HASH_SHA1[openssl] HASH_MD4[openssl] HASH_MD5[openssl] HASH_SHA224[openssl] HASH_SHA256[openssl]
              HASH_SHA384[openssl] HASH_SHA512[openssl]
  prf:        PRF_KEYED_SHA1[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc]
              PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
              PRF_HMAC_SHA2_512[hmac]
  dh-group:   MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]
              MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl]
              MODP_768[openssl] MODP_CUSTOM[openssl]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]

My config files follow:

ipsec.conf

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="ike 3, knl 3, cfg 3"
#
# This section contains Default configuration parameters.
#
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha256-ecp256!
        esp=aes128gcm16!
#
# Next comes the Connection Specific configuration.
#
conn home01
        left=%defaultroute
        leftsourceip=%config
        leftcert=crtCyECRmt01.pem
        leftid=rmt01ec at cyverone.com
        leftfirewall=yes
        right=xx.xxx.xx.xx
        rightsubnet=10.20.0.0/16
        rightid="C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information Services, CN=IS, N=IS, E=administrator at cyverone.com"
        auto=start

ipsec.secrets

: ECDSA keyCyECRmt01.pem

Clearly, the ECP algorithms are missing even though the OpenSSL plugin
appears to be loading.  I believe this to be a problem with the way I have
compiled strongSwan for the Android but I'm not sure where I went wrong.
Hopefully you will have some insights.

Thanks,
	Matt

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Monday, June 18, 2012 9:10 PM
To: Matt Link
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Error Creating ECDSA with PKI

Hi Matt,

did you enable the openssl plugin (./configure --enable-openssl)?

If yes, your OpenSSL library might have ECC disabled.

Regards

Andreas

On 06/19/2012 01:05 AM, Matt Link wrote:
> Hi All,
>
> When I run the command:
>
> pki --gen --type ecdsa --size 256 > myKey.der
>
> I get the following error:
>
> building CRED_PRIVATE_KEY - ECDSA failed, tried 1 builders
>
> I'm running strongSwan 4.5.3.  I don't find anything else in the logs.
> I've probably missed something obvious but any help would be appreciated.
>
> Thanks,
>
>       Matt

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
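
Added example, not part of the original thread and not strongSwan code: a Python check that parses `ipsec listalgs` output of the kind posted above and reports which algorithms needed by the `ike=aes128-sha256-ecp256!` proposal are not registered with the daemon. The sample text is abridged from the post, and the keyword-to-algorithm table is an assumption covering only the keywords in that proposal.

```python
import re

# Constructed sample: abridged from the listalgs output in the post;
# continuation lines carry no category label.
LISTALGS = """\
List of registered IKEv2 Algorithms:

  encryption: AES_CBC[openssl] CAMELLIA_CBC[openssl] BLOWFISH_CBC[openssl]
3DES_CBC[openssl] DES_CBC[openssl]
  integrity:  HMAC_SHA1_96[hmac] HMAC_SHA2_256_128[hmac]
HMAC_SHA2_384_192[hmac]
  aead:
  prf:        PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac]
  dh-group:   MODP_2048[openssl] MODP_2048_224[openssl]
MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]
"""

# Assumption: keyword -> (category, algorithm) pairs for only the keywords in
# this page's ike= line; sha256 serves as both integrity and PRF.
KEYWORDS = {
    "aes128": [("encryption", "AES_CBC")],
    "sha256": [("integrity", "HMAC_SHA2_256_128"), ("prf", "PRF_HMAC_SHA2_256")],
    "ecp256": [("dh-group", "ECP_256")],
}

def parse_listalgs(text):
    """Return {category: {algorithm: plugin}}, folding wrapped lines."""
    algs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*([a-z-]+):(.*)", line)
        if head:
            current, line = head.group(1), head.group(2)
            algs.setdefault(current, {})
        if current:
            algs[current].update(re.findall(r"([A-Z0-9_]+)\[([\w-]+)\]", line))
    return algs

def missing_for_proposal(proposal, algs):
    """List (keyword, category, algorithm) entries the daemon has not registered."""
    missing = []
    for kw in proposal.rstrip("!").split("-"):
        for cat, name in KEYWORDS[kw]:
            if name not in algs.get(cat, {}):
                missing.append((kw, cat, name))
    return missing

if __name__ == "__main__":
    for kw, cat, name in missing_for_proposal("aes128-sha256-ecp256!", parse_listalgs(LISTALGS)):
        print(f"ike keyword {kw}: {name} not registered under {cat}")
```
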




