[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Sat Jan 15 10:25:41 EET 2022

On 1/14/2022 10:01 PM, Paul Wouters wrote:

>> 2. I would like to test the interoperability of ECDSA certs with 
>> IKEv2, Win 10, Android and maybe even iOS devices when I get some for 
>> testing ... also a Linux desktop client comes to mind ... but I miss 
>> the reference material and Google is not revealing much ...
> It works the same as RSA certs if every aspect other than generating the
> certificates with the other algorithm, and perhaps ensuring the authby=
> is using "ecdsa" (although the default should already include that and
> you should be able to omit it)

Unfortunately, this did not work out right. I have created ECDSA certs, 
but Windows 10 native client doesn't see the ecdsa cert in the store, it 
offers the cert for another VPN instead.

Note, I was trying to log into the ALU IKEv2 VPN, and it had offered the 
laptop-mtodorov.grf.hr cert.

I can't seem to see a way out of this.

Here is the session log if you want to see for yourself: 

What I did was basically this (I tried automating those painstaking 
menus of certutil for so many certs issued again and again):

root at domac:~# cat gencerts-ecdsa-alu.sh
#!/bin/bash -f
# mtodorov 2022-01-15

   export PARM='--keyUsage digitalSignature,keyEncipherment 
--extKeyUsage serverAuth,clientAuth'
   rm /var/lib/ipsec/nss/cert9.db  /var/lib/ipsec/nss/key4.db
   ipsec initnss
   rm -r tmpdb/
   mkdir ${HOME}/tmpdb
   echo "Initializing cert db:"
   certutil -N -d sql:${HOME}/tmpdb
   echo "Creating CA cert:"
   certutil -S -x -n "ALU-UNIZG CA" -s "O=ALU-UNIZG,CN=ALU-UNIZG CA"  -k 
rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2
   echo "Creating server cert:"
   certutil -S -c "ALU-UNIZG CA" -n "vpn.alu.hr" -s 
"O=ALU-UNIZG,CN=vpn.alu.hr"  -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb 
-t ",," ${PARM} -8 "vpn.alu.hr"
   echo "Creating client certs:"
   certutil -S -c "ALU-UNIZG CA" -n "pc-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=pc-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "pc-mtodorov.alu.hr"
   certutil -S -c "ALU-UNIZG CA" -n "laptop-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=laptop-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "laptop-mtodorov.alu.hr"
   certutil -S -c "ALU-UNIZG CA" -n "phone-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=phone-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "phone-mtodorov.alu.hr"
   certutil -S -c "ALU-UNIZG CA" -n "tablet-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=tablet-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "tablet-mtodorov.alu.hr"
   certutil -L -d sql:${HOME}/tmpdb/

   pk12util -o pc-mtodorov.alu.hr.p12 -n "pc-mtodorov.alu.hr" -d 
   pk12util -o laptop-mtodorov.alu.hr.p12 -n "laptop-mtodorov.alu.hr" -d 
   pk12util -o phone-mtodorov.alu.hr.p12 -n "phone-mtodorov.alu.hr" -d 
   pk12util -o tablet-mtodorov.alu.hr.p12 -n "tablet-mtodorov.alu.hr" -d 
   pk12util -o vpn.alu.hr.p12 -n "vpn.alu.hr" -d sql:${HOME}/tmpdb/
   ipsec import vpn.alu.hr.p12

The same method works a OK with RSA certs, so I suppose there is 
something wrong in the way Windows 10 selects certificates, or I was 
creating in making things fail ...

Any help would be appreciated.

I would love to see EC certs work, for I believe they are better for 
mobile devices.

Kind regards,

Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355

More information about the Swan mailing list