[strongSwan] no private key found with ECDSA certificate

Mark M mark076h at yahoo.com
Wed May 27 23:29:50 CEST 2015


Do you know this is an issue? it works fine on the Android device? 


     On Wednesday, May 27, 2015 5:25 PM, Mark M <mark076h at yahoo.com> wrote:
   

 Noel,
I got it to work. I had to use ec instead of ecparam for the conversion like this;
openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key

strongSwan can now load the private key and I can connect with my Android client using ECDSA SHA384 certs :)
Thank you very much for the help.
Mark- 



     On Wednesday, May 27, 2015 5:18 PM, Mark M <mark076h at yahoo.com> wrote:
   

 Not working,
I am using this method to convert, maybe it is wrong? 
[root at CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key

I am getting
00[LIB]   file coded in unknown format, discarded00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed
 



     On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
   

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Mark,

Try converting the key from PEM to DER format.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 27.05.2015 um 23:03 schrieb Mark M:
> Noel,
>
>  Here is a pastebin of the log with the settings you asked for -
>
>  http://pastebin.com/4T47jNNA
>
> I am seeing this a problem
>
> 1.
>    00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
> 2.
>    00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
> 3.
>    00[CFG]  loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
>
> 
>
>
> On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> Hello Mark,
>
> Okay, what does charon say during daemon startup?
> Please create a log witht the following settings and post it here.
> You are encouraged to use a pastebin service.
>
> default = 3
> mgr = 1
> ike = 1
> net = 1
> enc = 0
> cfg = 2
> asn = 1
> job = 1              
> knl = 1
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 27.05.2015 um 22:25 schrieb Mark M:
> > Hi Noel,
>
> > I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I genereated the ECC keys and certs?
>
>
> > openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
>
> >  openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
>
> > openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
>
> > opensslc1.cnf file:
>
> > [req]
> > distinguished_name = req_distinguished_name
> > req_extensions = v3_req
>
> > [req_distinguished_name]
> > countryName = Country Name (2 letter code)
> > stateOrProvinceName = State or Province Name (full name)
> > localityName = Locality Name (eg, city)
> > organizationalUnitName = Organizational Unit Name (eg, section)
> > commonName =
>
> > [v3_req]
> > basicConstraints = CA:FALSE
> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > subjectAltName = @alt_names
>
> > [alt_names]
> > IP.1=10.X.X.X
> > IP.2=192.168.1.7
> > ~
>
> > ipsec.secrets
>
> > # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> > : RSA centos2.key
> > : ECDSA centos2ecc.key
>
>
>
> > [root at CENTOS7 <mailto:root at CENTOS7> ~]# vi /etc/strongswan/ipsec.conf
> > #      leftsendcert=never
> > #      right=192.168.0.2
> > #      rightsubnet=10.2.0.0/16
> > #      rightcert=peerCert.der
> > #      auto=start
>
> > #conn sample-with-ca-cert
> > #      leftsubnet=10.1.0.0/16
> > #      leftcert=myCert.pem
> > #      right=192.168.0.2
> > #      rightsubnet=10.2.0.0/16
> > #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> > #      auto=start
> > conn %default
> >        keyexchange=ikev2
>
> > conn phone1ecc
> >        left=%defaultroute
> >        leftcert=centos2ecc.crt
> >        leftsubnet=0.0.0.0/0
> >        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> >        leftfirewall=yes
> >        right=%any
> >        rightsourceip=192.168.9.0/24
> >        esp=aes256-sha384-ecp384!
> >        ike=aes256-sha384-ecp384!
> >        auto=add
>
>
>
>
>
> > On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> wrote:
>
>
>
> > Hello Mark,
>
> > Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?
>
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > Am 27.05.2015 um 04:52 schrieb Mark M:
> > > I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and the certificate authentication works fine on the Android device.
>
> > > Any ideas on what would cause the private key to not be found or be authenticated correctly?
>
>
> > > 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> > > 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"
> > > 14[CFG] certificate status is not available
> > > 14[CFG]  reached self-signed root ca with a path length of 0
> > > 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
> > > 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > 14[IKE] peer supports MOBIKE
> > > 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
> > > 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > > 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)
>
>
>
>
>
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org> <mailto:Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>>
> > > https://lists.strongswan.org/mailman/listinfo/users
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org> <mailto:Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>>
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVZjGEAAoJEDg5KY9j7GZY9hgQAJBZeSw2dDyssPgxcWMydhzK
4UphjKZ0IrybXtZ24wTowKBFLEjn1RdW+p5NiCrVskezNESp89zdyKtDaYxvVv/s
N/5KdXeNs0wRMU1kl4hcSH9xjzOt5CFbvhjkSZ6oasFah/8T0OEJtk2e1IID0McC
IzuWb0wY3ui3Mox1KT/XTV/iS+ulfgqjVxDWuDaQi1R9kdYMhMSFYT+KKE6HRKVV
171HgJ2+kcDxcm0gW/w1qEqniuZehW/BsZ48Ut1HGHJmR/z/cgMQGvgilvNmYRpD
eGjk5Kwzl3Wsr8Y6vQssGu8jNTbeXiy5wN0nZ5h+8zHu4MidpQzEhRPvjUxSRC7h
GoESpAg8/m5N8wmXxtJDl2pxXxp1xa9YGWZPNZ7nAVz3UfDLW6cfVgMLukYQsOc7
/p+SNpEjO8x+Zr0Y13s4vllJcE5JbP5GY3caGDF+xVP21HwML4IqiNwFDDgtAZqQ
Iblq1VaTK73x4FxNFzg6C8N5OJo62OP+4HeZUENmBFGAUJaBOARBrsBmmlOqgPkn
2GtYzkcVMdkblaKzvV8Zp3U+tj0tu6QLK6/cDUVVnSoG2h7T6/dBJR6fpcftW9zD
cXcM8MW2Wk1F4LPn9aOr+0rVZWlKVaebj1NrPZhwgqE7zA6XH5EkU3Km15LoSl4D
PDo4tN1Y3zcPHFnLfv+/
=epoc
-----END PGP SIGNATURE-----



   

   

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150527/85442ec6/attachment-0001.html>


More information about the Users mailing list