[strongSwan] no private key found with ECDSA certificate

Mark M mark076h at yahoo.com
Wed May 27 22:25:25 CEST 2015


Hi Noel,
I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs?

openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
opensslc1.cnf file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName =

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1=10.X.X.X
IP.2=192.168.1.7
ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA centos2.key
: ECDSA centos2ecc.key


[root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf

#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        keyexchange=ikev2

conn phone1ecc
        left=%defaultroute
        leftcert=centos2ecc.crt
        leftsubnet=0.0.0.0/0
        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
        leftfirewall=yes
        right=%any
        rightsourceip=192.168.9.0/24
        esp=aes256-sha384-ecp384!
        ike=aes256-sha384-ecp384!
        auto=add

On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

Hello Mark,

Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 04:52, Mark M wrote:
> I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and the certificate authentication works fine on the Android device.
>
> Any ideas on what would cause the private key to not be found or be authenticated correctly?
>
>
> 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"
> 14[CFG] certificate status is not available
> 14[CFG]  reached self-signed root ca with a path length of 0
> 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
> 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 14[IKE] peer supports MOBIKE
> 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
> 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)

_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
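Added example, not code from this thread, from strongSwan or from OpenSSL's own tooling: a POSIX shell script that builds an ECDSA P-384 test PKI with the same openssl steps Mark shows above (ecparam, req, x509 -req with an -extfile), then runs two checks worth doing before suspecting strongSwan: that the private key listed under ": ECDSA" in ipsec.secrets actually carries the same public key as the certificate named in leftcert (SHA-256 over the DER SubjectPublicKeyInfo of each must match), and what the certificate's subject DN is in the "C=US, ST=MA, ..." form strongSwan logs, so it can be compared with leftid and with the DN in the "no private key found for ..." line. The file names (ecc.cnf, eccCA.key, rooteccCA.crt, gw-ecc.key, gw-ecc.crt) and the DN values are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: build an ECDSA
# P-384 test PKI the same way the openssl commands in the mail do, then check
# that the private key belongs to the certificate and show the subject DN
# that leftid has to match. File names and DN values are assumptions.
set -eu

# Create a throwaway CA, a gateway key and a CA-signed gateway cert in $1.
make_ecc_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"

        # Non-interactive request config (assumed values), same layout as
        # the opensslc1.cnf in the mail but with prompt=no.
        cat > ecc.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = MA
L = SELF
O = SSCA
OU = SS
CN = 192.168.1.7

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.1.7
EOF

        # Self-signed ECDSA CA on secp384r1 (P-384). -noout drops the
        # "EC PARAMETERS" block so the key file holds only the private key.
        openssl ecparam -genkey -name secp384r1 -noout -out eccCA.key
        openssl req -new -x509 -key eccCA.key -config ecc.cnf -sha384 \
            -days 3650 -subj "/C=US/ST=MA/L=SELF/O=SSCA/OU=SS/CN=ECC Root CA" \
            -out rooteccCA.crt

        # Gateway key, CSR and CA-signed certificate with the v3_req extensions.
        openssl ecparam -genkey -name secp384r1 -noout -out gw-ecc.key
        openssl req -new -key gw-ecc.key -config ecc.cnf -sha384 -out gw-ecc.csr
        openssl x509 -req -in gw-ecc.csr -CA rooteccCA.crt -CAkey eccCA.key \
            -CAcreateserial -days 365 -sha384 -extensions v3_req \
            -extfile ecc.cnf -out gw-ecc.crt
    )
}

# Exit 0 only if the private key ($1) and certificate ($2) carry the same
# public key: compare SHA-256 over the DER SubjectPublicKeyInfo of each.
key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    crt_fp=$(openssl x509 -in "$2" -noout -pubkey |
             openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$crt_fp" ]
}

# Print the certificate subject as "C=US, ST=MA, ...", the form strongSwan
# logs it and the form leftid/rightid take in ipsec.conf.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space |
        sed 's/^subject= *//'
}

# Usage: sh ecc-check.sh <dir>  (builds the test PKI in <dir>, runs both checks)
if [ "${1:-}" != "" ]; then
    make_ecc_pki "$1"
    key_matches_cert "$1/gw-ecc.key" "$1/gw-ecc.crt" && echo "key matches cert"
    echo "leftid should be: $(cert_subject "$1/gw-ecc.crt")"
fi
```

The two check functions work just as well on an existing pair, e.g. key_matches_cert /etc/strongswan/ipsec.d/private/centos2ecc.key /etc/strongswan/ipsec.d/certs/centos2ecc.crt: a mismatch there means the key strongSwan loads from ipsec.secrets is not the one the leftcert certificate was issued for, and a subject that differs from leftid shows up as exactly the kind of DN mismatch the "no private key found for" log line reports.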
