[strongSwan] no private key found with ECDSA certificate

Noel Kuntze noel at familie-kuntze.de
Wed May 27 22:32:12 CEST 2015



Hello Mark,

Okay, what does charon say during daemon startup?
Please create a log with the following settings and post it here.
You are encouraged to use a pastebin service.

default = 3
mgr = 1
ike = 1
net = 1
enc = 0
cfg = 2
asn = 1
job = 1
knl = 1

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 22:25, Mark M wrote:
> Hi Noel,
>
> I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs?
>
>
> openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
>
>  openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
>
> openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
>
> opensslc1.cnf file:
>
> [req]
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
>
> [req_distinguished_name]
> countryName = Country Name (2 letter code)
> stateOrProvinceName = State or Province Name (full name)
> localityName = Locality Name (eg, city)
> organizationalUnitName = Organizational Unit Name (eg, section)
> commonName =
>
> [v3_req]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectAltName = @alt_names
>
> [alt_names]
> IP.1=10.X.X.X
> IP.2=192.168.1.7
>
> ipsec.secrets
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> : RSA centos2.key
> : ECDSA centos2ecc.key
>
> [root at CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
>
> #conn sample-with-ca-cert
> #      leftsubnet=10.1.0.0/16
> #      leftcert=myCert.pem
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> #      auto=start
> conn %default
>         keyexchange=ikev2
>
> conn phone1ecc
>         left=%defaultroute
>         leftcert=centos2ecc.crt
>         leftsubnet=0.0.0.0/0
>         leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
>         leftfirewall=yes
>         right=%any
>         rightsourceip=192.168.9.0/24
>         esp=aes256-sha384-ecp384!
>         ike=aes256-sha384-ecp384!
>         auto=add
>
> On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Mark,
>
> Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.05.2015 at 04:52, Mark M wrote:
> > I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and the certificate authentication works fine on the Android device.
>
> > Any ideas on what would cause the private key to not be found or be authenticated correctly?
>
>
> > 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> > 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"
> > 14[CFG] certificate status is not available
> > 14[CFG]  reached self-signed root ca with a path length of 0
> > 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
> > 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > 14[IKE] peer supports MOBIKE
> > 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
> > 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
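Since the question in the thread is whether the ECC key and certificate were generated correctly, here is an added check script, not from the thread and not strongSwan's own code, that verifies the things charon needs to line up before it can find a private key: the key must belong to the certificate named by leftcert, the key file should hold a single PEM block (the `openssl ecparam -genkey` call above, run without `-noout`, also writes an EC PARAMETERS block in front of the key), and the certificate subject must equal leftid. File names and the DN are placeholders; the only tool assumed is the openssl CLI.

```bash
#!/bin/bash
# Added sanity checks for an ECDSA key/certificate pair before strongSwan
# loads it. Not from the thread; file names and DNs are placeholders and
# the openssl CLI is the only tool assumed.

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key file.
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint taken from the public key inside an X.509 certificate.
cert_pub_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the private key belongs to the certificate, 1 otherwise.
key_matches_cert() {
    local k c
    k=$(key_pub_fp "$1"); c=$(cert_pub_fp "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# "openssl ecparam -genkey" without -noout (as in the thread) writes an EC
# PARAMETERS block ahead of the EC PRIVATE KEY; a key file should hold one block.
has_single_pem_block() {
    [ "$(grep -c -- '-----BEGIN' "$1")" -eq 1 ]
}

# Rewrite the key as a lone SEC1 "EC PRIVATE KEY" block, dropping the parameters.
strip_ec_params() {
    openssl ec -in "$1" -out "$2" 2>/dev/null
}

# Reorder a strongSwan-style DN ("C=US, ST=MA, ..., CN=x") into RFC 2253 order
# (CN first, comma-separated, no spaces) as openssl prints it with -nameopt RFC2253.
norm_dn() {
    printf '%s\n' "$1" |
        awk -F', *' '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? "," : "\n") }'
}

# 0 if the certificate subject equals the DN configured as leftid.
subject_matches_id() {
    local subj
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')
    [ -n "$subj" ] && [ "$subj" = "$(norm_dn "$2")" ]
}
```

Run `key_matches_cert centos2ecc.key centos2ecc.crt && subject_matches_id centos2ecc.crt "$leftid"` on the server; a non-zero exit from either points at the mismatch before charon has to report it.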

