[strongSwan] Strongswan with ECDSA certificate

george rbagdassar at yahoo.com
Thu Nov 5 20:20:45 CET 2020


Hi Strongswan users!
This is my first post. I have problems using ECDSA certificates with strongSwan (I did not have problems with RSA certificates).
Please help to solve this problem. Thanks.
ipsec.conf file:
conn ss_as_init_cert_x2_22685
    left=172.16.58.97
    leftid=Userikev2-A
    leftsubnet=172.16.58.93/32
    #leftsourceip=%config
    leftfirewall=yes
    leftauth=pubkey
    leftcert=user-cert-ikev2-A.pem
    keyingtries=2
    reauth=no
    right=172.16.58.96
    rightauth=pubkey
    rightid=%any
    rightsubnet=172.16.58.96/32
    auto=add
    ike=aes256-sha512-modp2048!
    keyexchange=ikev2
    type=tunnel
    esp=aes256-sha512-modp2048!
    ikelifetime=60m
    lifetime=30m
    margintime=1s
    rekey=yes
    dpdaction=none
    dpddelay=300s
    dpdtimeout=10s
    mobike=no

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=US, ST=Massachusetts, L=Bedford, O=acmepacket, CN=root/emailAddress=tester at acmepacket.com
        Validity
            Not Before: Nov  5 18:16:38 2020 GMT
            Not After : May 24 18:16:38 2021 GMT
        Subject: C=US, ST=Massachusetts, O=acmepacket.com, CN=Userikev2-A/emailAddress=userikev2-A at acmepacket.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:36:43:df:ab:7a:1e:e4:33:7e:da:4c:da:42:67:
                    02:1c:3b:d0:ef:33:91:95:45:84:50:2d:34:b6:6f:
                    20:79:3e:a1:82:e6:e4:98:b3:56:cb:7a:b8:f3:c9:
                    ff:0e:8c:33:a9:90:e4:55:9f:c9:28:4d:f5:15:2f:
                    d0:78:ab:94:d8
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                23:36:62:1F:64:ED:C1:45:34:8D:52:C5:07:3C:68:AE:7F:92:8F:DE
            X509v3 Authority Key Identifier:
                keyid:1D:6A:76:68:32:A7:3B:48:35:6C:F1:3F:76:7A:06:12:F2:51:0A:2E
                DirName:/C=US/ST=Massachusetts/L=Bedford/O=acmepacket/CN=root/emailAddress=tester at acmepacket.com
                serial:BD:52:8A:11:94:74:C2:20
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Issuer Alternative Name:
                DNS:abc.com
            X509v3 Subject Alternative Name:
                DNS:abc.com
    Signature Algorithm: ecdsa-with-SHA1
         30:45:02:21:00:f0:9e:68:b6:18:9a:aa:93:56:ad:74:80:d1:
         2b:ce:9f:85:12:1b:19:17:ef:b2:10:d0:c4:14:28:18:42:79:
         15:02:20:5d:32:32:bd:02:98:c2:28:9e:c9:10:5c:06:36:e7:
         6d:37:5e:2c:f5:97:96:6b:54:e4:3d:63:59:8e:cb:95:d6


Private Key:
read EC key
Private-Key: (256 bit)
priv:
    7b:7b:d0:11:9c:57:bc:86:2e:e9:29:d8:a1:54:a1:
    32:bd:c4:4b:79:a2:ac:23:4e:7f:3e:16:88:47:4e:
    f7:29
pub:
    04:36:43:df:ab:7a:1e:e4:33:7e:da:4c:da:42:67:
    02:1c:3b:d0:ef:33:91:95:45:84:50:2d:34:b6:6f:
    20:79:3e:a1:82:e6:e4:98:b3:56:cb:7a:b8:f3:c9:
    ff:0e:8c:33:a9:90:e4:55:9f:c9:28:4d:f5:15:2f:
    d0:78:ab:94:d8
ASN1 OID: prime256v1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIHt70BGcV7yGLukp2KFUoTK9xEt5oqwjTn8+FohHTvcpoAoGCCqGSM49
AwEHoUQDQgAENkPfq3oe5DN+2kzaQmcCHDvQ7zORlUWEUC00tm8geT6hgubkmLNW
y3q488n/DowzqZDkVZ/JKE31FS/QeKuU2A==
-----END EC PRIVATE KEY-----

ipsec.secrets file:
: ECDSA user-key-ikev2-A.pem
: ECDSA user-key-ikev2-B.pem



CHARON OUTPUT
feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
Nov  5 13:57:19 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Nov  5 13:57:19 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Nov  5 13:57:19 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Nov  5 13:57:19 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
Nov  5 13:57:19 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov  5 13:57:19 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov  5 13:57:19 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov  5 13:57:19 00[ASN]   file content is not binary ASN.1
Nov  5 13:57:19 00[ASN]   -----BEGIN CERTIFICATE-----
Nov  5 13:57:19 00[ASN]   -----END CERTIFICATE-----
Nov  5 13:57:19 00[ASN] L0 - x509:
Nov  5 13:57:19 00[ASN] L1 - tbsCertificate:
Nov  5 13:57:19 00[ASN] L2 - DEFAULT v1:
Nov  5 13:57:19 00[ASN] L3 - version:
Nov  5 13:57:19 00[ASN]   X.509v3
Nov  5 13:57:19 00[ASN] L2 - serialNumber:
Thank you.
Rouben
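Reading the charon output above: the pem plugin only decodes the PEM wrapper, and an "unmet dependency" line such as PUBKEY:ECDSA means no other loaded plugin supplies the ECDSA implementation itself, so the key type is unusable however the certificate is written. As an added example (not part of this post, and assuming nothing about the poster's build beyond the log format shown), this Python triage script parses charon startup lines of that shape from a constructed sample and reports which key types are actually available:

```python
import re
from collections import defaultdict

# Constructed sample of charon startup output, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Nov  5 13:57:19 00[LIB] feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
Nov  5 13:57:19 00[LIB] feature PRIVKEY:ECDSA in plugin 'pem' has unmet dependency: PRIVKEY:ECDSA
Nov  5 13:57:19 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Nov  5 13:57:19 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Nov  5 13:57:19 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
"""

# Matches charon's "feature X in plugin 'P' has unmet dependency: Y" message.
UNMET_RE = re.compile(
    r"feature (?P<feature>\S+) in plugin '(?P<plugin>[^']+)' has unmet dependency: (?P<dep>\S+)"
)


def parse_unmet(log_text):
    """Return (plugin, feature, dependency) for every unmet-dependency line."""
    found = []
    for line in log_text.splitlines():
        m = UNMET_RE.search(line)
        if m:
            found.append((m.group("plugin"), m.group("feature"), m.group("dep")))
    return found


def missing_providers(unmet):
    """Group unsatisfied dependencies by capability type (PUBKEY, PRIVKEY, CRYPTER, ...).

    An unmet dependency means no loaded plugin provides it, so a missing
    PUBKEY:ECDSA means ECDSA public keys cannot be handled at all.
    """
    by_type = defaultdict(set)
    for _plugin, _feature, dep in unmet:
        dep_type, _, algorithm = dep.partition(":")
        by_type[dep_type].add(algorithm)
    return {k: sorted(v) for k, v in by_type.items()}


def key_type_usable(unmet, key_type):
    """True only if neither PUBKEY:<key_type> nor PRIVKEY:<key_type> is unmet."""
    missing = missing_providers(unmet)
    return (key_type not in missing.get("PUBKEY", [])
            and key_type not in missing.get("PRIVKEY", []))


if __name__ == "__main__":
    unmet = parse_unmet(SAMPLE_LOG)
    print(missing_providers(unmet))
    for kt in ("ECDSA", "RSA"):
        print(kt, "usable" if key_type_usable(unmet, kt) else "NOT usable")
```

Run it against a real charon startup log (e.g. the output of `ipsec start --nofork` redirected to a file) to see whether ECDSA is the only key type affected or whether a whole crypto backend plugin failed to load.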

