[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Sat Jan 15 10:25:41 EET 2022
On 1/14/2022 10:01 PM, Paul Wouters wrote:
>> 2. I would like to test the interoperability of ECDSA certs with
>> IKEv2, Win 10, Android and maybe even iOS devices when I get some for
>> testing ... also a Linux desktop client comes to mind ... but I miss
>> the reference material and Google is not revealing much ...
>
> It works the same as RSA certs in every aspect other than generating the
> certificates with the other algorithm, and perhaps ensuring the authby=
> is using "ecdsa" (although the default should already include that and
> you should be able to omit it)
Unfortunately, this did not work out right. I have created ECDSA certs,
but the Windows 10 native client doesn't see the ECDSA cert in the store;
it offers the cert for another VPN instead.
Note, I was trying to log into the ALU IKEv2 VPN, and it had offered the
laptop-mtodorov.grf.hr cert.
I can't seem to see a way out of this.
Here is the session log if you want to see for yourself:
https://domac.alu.hr/mtodorov/ikev2-20220115-ecdsa-01.log
What I did was basically this (I tried automating those painstaking
menus of certutil for so many certs issued again and again):
root@domac:~# cat gencerts-ecdsa-alu.sh
#!/bin/bash -f
# mtodorov 2022-01-15
# Key usage / extended key usage shared by every leaf certificate.
# Note: keyEncipherment is an RSA key usage; RFC 5480 does not permit it
# on EC (id-ecPublicKey) keys, so it is only meaningful for the RSA server cert.
export PARM='--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth'

# Start from an empty Libreswan NSS database.
rm -f /var/lib/ipsec/nss/cert9.db /var/lib/ipsec/nss/key4.db
ipsec initnss

# Scratch NSS database in which the CA and all leaf certificates are generated.
rm -rf ${HOME}/tmpdb
mkdir ${HOME}/tmpdb
echo "Initializing cert db:"
certutil -N -d sql:${HOME}/tmpdb

# Self-signed RSA-4096 CA: trusted to issue certs (-t "CT,,"), basic constraints CA:true (-2).
echo "Creating CA cert:"
certutil -S -x -n "ALU-UNIZG CA" -s "O=ALU-UNIZG,CN=ALU-UNIZG CA" -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2

# Server certificate stays RSA; -8 adds the DNS subjectAltName.
echo "Creating server cert:"
certutil -S -c "ALU-UNIZG CA" -n "vpn.alu.hr" -s "O=ALU-UNIZG,CN=vpn.alu.hr" -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "vpn.alu.hr"

# Client certificates use ECDSA keys on secp384r1 (-k ec -q secp384r1), one per device.
echo "Creating client certs:"
for HOST in pc-mtodorov.alu.hr laptop-mtodorov.alu.hr phone-mtodorov.alu.hr tablet-mtodorov.alu.hr; do
    certutil -S -c "ALU-UNIZG CA" -n "${HOST}" -s "O=ALU-UNIZG,CN=${HOST}" -k ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "${HOST}"
done
certutil -L -d sql:${HOME}/tmpdb/

# Export each certificate with its private key as PKCS#12 for installation on the devices.
for HOST in pc-mtodorov.alu.hr laptop-mtodorov.alu.hr phone-mtodorov.alu.hr tablet-mtodorov.alu.hr; do
    pk12util -o ${HOST}.p12 -n "${HOST}" -d sql:${HOME}/tmpdb/
done
pk12util -o vpn.alu.hr.p12 -n "vpn.alu.hr" -d sql:${HOME}/tmpdb/

# Load the server certificate (with its CA chain) into Libreswan's NSS database.
ipsec import vpn.alu.hr.p12
The same method works OK with RSA certs, so I suppose there is
something wrong in the way Windows 10 selects certificates, or I was
creative in making things fail ...
Any help would be appreciated.
I would love to see EC certs work, for I believe they are better for
mobile devices.
Kind regards,
Mirsad
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
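Before blaming the client's certificate selection, it is worth auditing what the generated leaf certificates actually contain. The script below is an added example, not part of the original post or of Libreswan: it uses openssl rather than certutil to build a constructed, self-signed secp384r1 client certificate carrying the same keyUsage/extKeyUsage values as the post's PARM, then prints the fields that matter for client-cert selection (key algorithm, keyUsage, extKeyUsage, SAN) and fails when an EC key carries keyEncipherment, which RFC 5480 section 3 forbids for id-ecPublicKey keys. The function names (make_sample_cert, ext_value, audit_cert) are hypothetical, the subject names are copied from the post, and openssl 1.1.1+/3.x plus awk are assumed to be on PATH. The same check can be run on a certificate exported from the NSS database with `certutil -L -a`.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: constructed EC client cert
# (openssl instead of NSS certutil) with the post's keyUsage/extKeyUsage values,
# then an audit of the extensions a VPN client looks at when choosing a cert.
# Assumes openssl (1.1.1+ or 3.x) and awk on PATH.
set -e

WORK=${WORK:-$(mktemp -d)}

# make_sample_cert KEYUSAGE -> path of a self-signed secp384r1 certificate.
# Self-signed for brevity; the post issued client certs from an RSA CA.
make_sample_cert() {
    ku=$1
    name=$(printf '%s' "$ku" | tr ',' '_')
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = client_ext
[ dn ]
O = ALU-UNIZG
CN = phone-mtodorov.alu.hr
[ client_ext ]
keyUsage = $ku
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:phone-mtodorov.alu.hr
EOF
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -x509 -days 365 -key "$WORK/$name.key" \
        -config "$WORK/$name.cnf" -out "$WORK/$name.crt" >/dev/null
    printf '%s\n' "$WORK/$name.crt"
}

# ext_value CERT LABEL -> the value line that follows the named X509v3 extension header.
ext_value() {
    openssl x509 -in "$1" -noout -text |
        awk -v label="$2" 'index($0, label) { getline; sub(/^ */, ""); print; exit }'
}

# audit_cert CERT: print the selection-relevant fields; return 1 when an EC key
# carries keyEncipherment (RSA-only usage copied into an EC cert, RFC 5480 s3).
audit_cert() {
    cert=$1
    alg=$(openssl x509 -in "$cert" -noout -text |
          awk -F': ' '/Public Key Algorithm/ { print $2; exit }')
    ku=$(ext_value "$cert" "X509v3 Key Usage")
    eku=$(ext_value "$cert" "X509v3 Extended Key Usage")
    san=$(ext_value "$cert" "X509v3 Subject Alternative Name")
    printf 'algorithm  : %s\nkeyUsage   : %s\nextKeyUsage: %s\nSAN        : %s\n' \
        "$alg" "$ku" "$eku" "$san"
    case "$alg" in
        *ecPublicKey*)
            case "$ku" in
                *"Key Encipherment"*)
                    echo "WARN: EC key with keyEncipherment; use digitalSignature only"
                    return 1 ;;
            esac ;;
    esac
    return 0
}

# Demo: the post's PARM value versus the EC-appropriate value.
if [ "${1:-}" = "demo" ]; then
    audit_cert "$(make_sample_cert digitalSignature,keyEncipherment)" || true
    audit_cert "$(make_sample_cert digitalSignature)"
fi
```

Run it as `sh audit-ec-cert.sh demo` to see both outcomes; for a real certificate, call audit_cert on a PEM file exported from the NSS database. The audit only reports what is in the certificate; whether a particular client ignores a non-conforming keyUsage is something to confirm against that client's own logs.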