[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Sat Jan 15 11:08:52 EET 2022

On 1/15/2022 9:25 AM, Mirsad Goran Todorovac wrote:

> On 1/14/2022 10:01 PM, Paul Wouters wrote:
>>> 2. I would like to test the interoperability of ECDSA certs with 
>>> IKEv2, Win 10, Android and maybe even iOS devices when I get some 
>>> for testing ... also a Linux desktop client comes to mind ... but I 
>>> miss the reference material and Google is not revealing much ...
>> It works the same as RSA certs if every aspect other than generating the
>> certificates with the other algorithm, and perhaps ensuring the authby=
>> is using "ecdsa" (although the default should already include that and
>> you should be able to omit it)

FYI, I have noticed that I generated RSA CA and server cert and ECDSA 
client certs in the previous email. To fix that, I have repeated the 
entire installation with this fixed script, but the same result: Win 10 
gives wrong cert, or no cert if ECDSA cert is alone in the store. RSA 
certs in the same place work fine.

The script:

# mtodorov 2022-01-15

   export PARM='--keyUsage digitalSignature,keyEncipherment 
--extKeyUsage serverAuth,clientAuth'
   rm /var/lib/ipsec/nss/cert9.db  /var/lib/ipsec/nss/key4.db
   ipsec initnss
   rm -r tmpdb/
   mkdir ${HOME}/tmpdb
   echo "Initializing cert db:"
   certutil -N -d sql:${HOME}/tmpdb
   echo "Creating CA cert:"
   certutil -S -x -n "ALU-UNIZG CA" -s "O=ALU-UNIZG,CN=ALU-UNIZG CA" -k 
ec -q secp384r1 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2
   echo "Creating server cert:"
   certutil -S -c "ALU-UNIZG CA" -n "vpn.alu.hr" -s 
"O=ALU-UNIZG,CN=vpn.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "vpn.alu.hr"
   echo "Creating client certs:"
   certutil -S -c "ALU-UNIZG CA" -n "pc-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=pc-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "pc-mtodorov.alu.hr"
   certutil -S -c "ALU-UNIZG CA" -n "laptop-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=laptop-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "laptop-mtodorov.alu.hr"
   certutil -S -c "ALU-UNIZG CA" -n "phone-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=phone-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "phone-mtodorov.alu.hr"
   certutil -S -c "ALU-UNIZG CA" -n "tablet-mtodorov.alu.hr" -s 
"O=ALU-UNIZG,CN=tablet-mtodorov.alu.hr" -k ec -q secp384r1 -v 12 -d 
sql:${HOME}/tmpdb -t ",," ${PARM} -8 "tablet-mtodorov.alu.hr"
   certutil -L -d sql:${HOME}/tmpdb/

   pk12util -o pc-mtodorov.alu.hr.p12 -n "pc-mtodorov.alu.hr" -d 
   pk12util -o laptop-mtodorov.alu.hr.p12 -n "laptop-mtodorov.alu.hr" -d 
   pk12util -o phone-mtodorov.alu.hr.p12 -n "phone-mtodorov.alu.hr" -d 
   pk12util -o tablet-mtodorov.alu.hr.p12 -n "tablet-mtodorov.alu.hr" -d 
   pk12util -o vpn.alu.hr.p12 -n "vpn.alu.hr" -d sql:${HOME}/tmpdb/
   ipsec import vpn.alu.hr.p12

   chmod 444 *-mtodorov.alu.hr.p12
   mv *-mtodorov.alu.hr.p12 /srv/www/domac.alu.hr/vpn/ec

I may be doing some (to you) obvious error again. However, Android won't 
even connect to IKEv2 if ecdsa is even one of the options in authby=, it 
has to be authby=rsa-sha1 alone. :(

The next step should probably be to try strongswan client, but I tried 
to avoid that.
The best way would be to have RSA and EC certificates coexist as auth 
options in the database, so some clients would use RSA auth and those 
who know EC. But I don't know how to make that work in a single NSS 
certificate store.

Kind regards,

Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355

More information about the Swan mailing list