[Swan] authentication method: IKEv2_AUTH_ECDSA_P384 not supported in I2 Auth Payload

Paul Wouters paul at nohats.ca
Fri Dec 11 16:19:21 UTC 2020


On Fri, 11 Dec 2020, Manfred wrote:

> Subject: [Swan] authentication method: IKEv2_AUTH_ECDSA_P384 not supported in
>     I2 Auth Payload

> I'm trying to configure a connection to use IKEv2 + ECDSA certificates, but 
> pluto barks the message above. I'm running libreswan 3.29.
> I see that it should support ECDSA since 3.26, and the only conf item I could 
> find is authby=ecdsa (or possibly authby=ecdsa-sha2_384), both of which are 
> accepted but not described in the man page.
>
> Any pointers to where to find info about this configuration, or hints on what 
> am I missing?

See https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12

We support ECDSA methods only via Digital Signature (RFC 7427) method,
not via the old methods of value 9, 10 and 11.

In the past, each new digital signature format required its own
Authentication Method value. That's why "digital signature" (value 14,
RFC 7427) was written. All new methods are basically going to be supported
via value 14. See the RFC for why this is much better.

Perhaps the other end has a way to use ECDSA via the new method?

Paul

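As an added illustration (not code from this thread or from libreswan), the following Python decoder for the IKEv2 AUTH payload shows the distinction Paul draws: with the legacy values 9, 10 and 11 the curve and hash are baked into the Auth Method byte, while value 14 carries a DER AlgorithmIdentifier (RFC 7427) in front of the signature. The `ecdsa_accepted` policy mirrors the reply's statement that ECDSA is only taken via method 14; the payload builder and the sample signatures are constructed for the example.

```python
import struct

# IKEv2 Authentication Method values (IANA registry 12; RFC 7296 / RFC 7427)
AUTH_METHODS = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    9: "ECDSA with SHA-256 on the P-256 curve",
    10: "ECDSA with SHA-384 on the P-384 curve",
    11: "ECDSA with SHA-512 on the P-521 curve",
    14: "Digital Signature (RFC 7427)",
}
LEGACY_ECDSA = {9, 10, 11}

# DER AlgorithmIdentifier objects as listed in RFC 7427 Appendix A
# (ECDSA entries carry no parameters; the RSA PKCS#1 v1.5 entry carries NULL)
ALGORITHM_IDS = {
    bytes.fromhex("300a06082a8648ce3d040303"): "ecdsa-with-sha384",
    bytes.fromhex("300d06092a864886f70d01010b0500"): "sha256WithRSAEncryption",
}

def parse_auth_payload(data: bytes) -> dict:
    """Decode an IKEv2 AUTH payload (RFC 7296 section 3.8). For method 14 the
    Authentication Data starts with a one-octet ASN.1 length followed by the
    AlgorithmIdentifier that names the actual signature scheme."""
    if len(data) < 8:
        raise ValueError("AUTH payload shorter than its fixed 8-byte header")
    _next_payload, _flags, length, method = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError(f"payload length field {length} != {len(data)} bytes present")
    auth_data = data[8:]  # bytes 5..7 are RESERVED and skipped
    result = {"method": method, "method_name": AUTH_METHODS.get(method, "unknown")}
    if method == 14:
        if not auth_data:
            raise ValueError("method 14 requires an ASN.1 length octet")
        asn1_len = auth_data[0]
        alg_id = auth_data[1:1 + asn1_len]
        if len(alg_id) != asn1_len or not alg_id.startswith(b"\x30"):
            raise ValueError("truncated or malformed AlgorithmIdentifier")
        result["algorithm"] = ALGORITHM_IDS.get(alg_id, "unrecognised AlgorithmIdentifier")
        result["signature"] = auth_data[1 + asn1_len:]
    else:
        result["signature"] = auth_data
    return result

def ecdsa_accepted(parsed: dict) -> bool:
    """Policy assumed from the reply: ECDSA only via method 14, never via 9/10/11."""
    if parsed["method"] in LEGACY_ECDSA:
        return False
    return parsed["method"] == 14 and parsed.get("algorithm", "").startswith("ecdsa")

def build_auth_payload(method: int, auth_data: bytes, next_payload: int = 0) -> bytes:
    """Constructed helper: wrap auth_data in an AUTH payload header with the given method."""
    return struct.pack("!BBHBBBB", next_payload, 0, 8 + len(auth_data), method, 0, 0, 0) + auth_data
```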
