[strongSwan] no private key found with ECDSA certificate

Noel Kuntze noel at familie-kuntze.de
Wed May 27 23:31:13 CEST 2015


Hello Mark,

I remotely remember such an issue from a couple of months ago.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 23:29, Mark M wrote:
> Do you know if this is an issue? It works fine on the Android device.
>
>
>
> On Wednesday, May 27, 2015 5:25 PM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Noel,
>
> I got it to work. I had to use ec instead of ecparam for the conversion like this:
>
> openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
>
> strongSwan can now load the private key and I can connect with my Android client using ECDSA SHA384 certs :)
>
> Thank you very much for the help.
>
> Mark-
>
>
>
>
> On Wednesday, May 27, 2015 5:18 PM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Not working,
>
> I am using this method to convert, maybe it is wrong?
>
> [root at CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key
>
>
> I am getting
>
> 00[LIB]   file coded in unknown format, discarded
> 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
> 00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed
>
>
>
>
>
> On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> Hello Mark,
>
> Try converting the key from PEM to DER format.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.05.2015 at 23:03, Mark M wrote:
> > Noel,
>
> >  Here is a pastebin of the log with the settings you asked for -
>
> >  http://pastebin.com/4T47jNNA
>
> > I am seeing this as a problem:
>
> >    00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
> >    00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
> >    00[CFG]  loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
>
>
>
>
> > On Wednesday, May 27, 2015 4:32 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> > Hello Mark,
>
> > Okay, what does charon say during daemon startup?
> > Please create a log with the following settings and post it here.
> > You are encouraged to use a pastebin service.
>
> > default = 3
> > mgr = 1
> > ike = 1
> > net = 1
> > enc = 0
> > cfg = 2
> > asn = 1
> > job = 1
> > knl = 1
>
> > Kind Regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > On 27.05.2015 at 22:25, Mark M wrote:
> > > Hi Noel,
>
> > > I did specify the key in ipsec.secrets. I am doing everything the same way I did with RSA certificates that work fine. Here is my config and how I generated the ECC keys and certs. I am thinking this is an issue with how I generated the ECC keys and certs?
>
>
> > > openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
>
> > >  openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
>
> > > openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384
>
> > > opensslc1.cnf file:
>
> > > [req]
> > > distinguished_name = req_distinguished_name
> > > req_extensions = v3_req
>
> > > [req_distinguished_name]
> > > countryName = Country Name (2 letter code)
> > > stateOrProvinceName = State or Province Name (full name)
> > > localityName = Locality Name (eg, city)
> > > organizationalUnitName = Organizational Unit Name (eg, section)
> > > commonName =
>
> > > [v3_req]
> > > basicConstraints = CA:FALSE
> > > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > > subjectAltName = @alt_names
>
> > > [alt_names]
> > > IP.1=10.X.X.X
> > > IP.2=192.168.1.7
>
> > > ipsec.secrets
>
> > > # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> > > : RSA centos2.key
> > > : ECDSA centos2ecc.key
>
>
>
> > > [root at CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
> > > #      leftsendcert=never
> > > #      right=192.168.0.2
> > > #      rightsubnet=10.2.0.0/16
> > > #      rightcert=peerCert.der
> > > #      auto=start
>
> > > #conn sample-with-ca-cert
> > > #      leftsubnet=10.1.0.0/16
> > > #      leftcert=myCert.pem
> > > #      right=192.168.0.2
> > > #      rightsubnet=10.2.0.0/16
> > > #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> > > #      auto=start
> > > conn %default
> > >        keyexchange=ikev2
>
> > > conn phone1ecc
> > >        left=%defaultroute
> > >        leftcert=centos2ecc.crt
> > >        leftsubnet=0.0.0.0/0
> > >        leftid="C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> > >        leftfirewall=yes
> > >        right=%any
> > >        rightsourceip=192.168.9.0/24
> > >        esp=aes256-sha384-ecp384!
> > >        ike=aes256-sha384-ecp384!
> > >        auto=add
>
>
>
>
>
> > > On Wednesday, May 27, 2015 7:56 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> > > Hello Mark,
>
> > > Well, did you enter the ECDSA private key in ipsec.secrets as you did with the RSA key?
>
> > > Kind Regards,
> > > Noel Kuntze
>
> > > GPG Key ID: 0x63EC6658
> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > > On 27.05.2015 at 04:52, Mark M wrote:
> > > > I am trying to use ECDSA certificates with my setup and I keep getting "no private key found" on my strongswan server when a client connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the android client to connect and the certificate authentication works fine on the Android device.
>
> > > > Any ideas on what would cause the private key to not be found or be authenticated correctly?
>
>
> > > > 14[CFG]  using trusted ca certificate "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
> > > > 14[CFG] checking certificate status of "C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc"
> > > > 14[CFG] certificate status is not available
> > > > 14[CFG]  reached self-signed root ca with a path length of 0
> > > > 14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
> > > > 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > > 14[IKE] peer supports MOBIKE
> > > > 14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
> > > > 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > > > 14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)
>
> > > > _______________________________________________
> > > > Users mailing list
> > > > Users at lists.strongswan.org
> > > > https://lists.strongswan.org/mailman/listinfo/users




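The thread turns on three different files that all got called "the key": the PEM that `openssl ecparam -genkey -name secp384r1` writes (an EC PARAMETERS block followed by the EC PRIVATE KEY block), the DER that `openssl ecparam -outform DER` produces (only the named-curve OBJECT IDENTIFIER, seven bytes, no key material, which is what charon logged as "file coded in unknown format"), and the DER that `openssl ec -outform DER` produces (the RFC 5915 ECPrivateKey SEQUENCE that strongSwan then loaded). The script below is an added diagnostic, not code from the thread or from strongSwan; it classifies a key file by its outer structure so the difference is visible before the daemon is restarted. The ECPrivateKey sample is constructed with a dummy scalar and is not a real key.

```python
import base64
import re

SECP384R1_OID = bytes.fromhex("06052b81040022")  # DER OID 1.3.132.0.34 (secp384r1)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(tag, body):
    """Build one DER element (short-form length only; enough for these samples)."""
    return bytes([tag, len(body)]) + body

def body_offset(der):
    """Offset of the first element inside a DER SEQUENCE (handles long-form lengths)."""
    return 2 + (der[1] & 0x7F) if der[1] & 0x80 else 2

def classify_der(der):
    """Describe a DER blob the way a private-key loader has to see it."""
    if der[:1] == b"\x06":
        return "EC parameters: named-curve OID only, no key material"
    if der[:1] == b"\x30" and len(der) > 2:
        inner = der[body_offset(der):]
        if inner[:3] == b"\x02\x01\x01" and inner[3:4] == b"\x04":
            return "ECPrivateKey (RFC 5915, SEC1)"
        if inner[:3] == b"\x02\x01\x00" and inner[3:4] == b"\x30":
            return "PKCS#8 PrivateKeyInfo"
    return "unknown format"

def classify_key_file(data):
    """Return [(container, description)] per PEM block, or for a raw DER file."""
    if b"-----BEGIN " in data:
        return [(m.group(1), classify_der(base64.b64decode("".join(m.group(2).split()))))
                for m in PEM_BLOCK.finditer(data.decode("ascii"))]
    return [("DER", classify_der(data))]

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed sample ECPrivateKey with a dummy 48-byte scalar (NOT a real key).
EC_PRIVATE_KEY_DER = der_tlv(0x30, der_tlv(0x02, b"\x01")          # version 1
                             + der_tlv(0x04, bytes(range(1, 49)))  # privateKey (dummy)
                             + der_tlv(0xA0, SECP384R1_OID))       # [0] named curve

# Mirrors what `openssl ecparam -genkey -name secp384r1` writes: parameters, then key.
ECPARAM_GENKEY_PEM = (pem("EC PARAMETERS", SECP384R1_OID)
                      + pem("EC PRIVATE KEY", EC_PRIVATE_KEY_DER)).encode()

if __name__ == "__main__":
    for name, data in [("ecparam -genkey PEM", ECPARAM_GENKEY_PEM),
                       ("ecparam -outform DER", SECP384R1_OID),   # 7 bytes, no key
                       ("ec -outform DER", EC_PRIVATE_KEY_DER)]:
        print(f"{name}: {classify_key_file(data)}")
```

Point it at a real file with `classify_key_file(open(path, "rb").read())`; a result of "EC parameters" for a file that is supposed to be a private key means the wrong OpenSSL subcommand was used for the conversion.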