ECDSA Secret¶

For the private key file both absolute paths or paths relative to /etc/ipsec.d/private are accepted. If the private key file is encrypted, the passphrase must be defined. Instead of a passphrase %prompt can be used which then causes the daemons to ask the user for the password whenever it is required to decrypt the key.

Notation¶

: ECDSA <private key file> [ <passphrase> | %prompt ]

Encountered problems¶

Sometimes an ECDSA key fails to load for no reason and without an error message that points to a problem with access rights. When that is the case, try converting the private key into DER format and loading it again.

Examples¶

: ECDSA moonKey.pem

: ECDSA sunKey.der "cjen4*lWnr3jsk" 

Creation of an ECDSA key using OpenSSL 0.9.8¶

You can create an ECDSA key with the openssl ecparam command.

openssl ecparam -list_curves

gives you a huge list of available elliptic curves but IKEv2 currently supports
only the following three curves:

prime256v1
secp384r1
secp521r1

The creation of an EC key goes like this:

openssl ecparam -genkey -name secp384r1 -noout -out ecKey.pem

Verify the content of the key:

openssl ec -in ecKey.pem -text

read EC key
Private-Key: (384 bit)
priv:
    3c:75:17:c3:97:0b:b4:28:42:8c:b6:f5:56:57:32:
    2b:c1:ff:e2:ee:62:25:38:04:b1:6a:f5:23:48:e1:
    ba:79:ff:56:64:88:74:92:b7:c2:49:ab:8c:ff:b2:
    7c:6c:b3
pub:
    04:f2:cd:ca:ae:37:38:8d:98:e0:1c:f4:26:59:af:
    41:4d:fb:4f:d1:20:10:fb:88:b3:4a:b3:9b:a7:69:
    dc:0b:5c:ef:06:22:6b:8e:08:c3:c2:74:1b:36:12:
    8b:ee:45:c5:f8:3b:73:6f:0a:a4:c9:7c:e1:e9:a8:
    e2:c9:7c:6f:f1:69:b4:45:ab:d3:45:89:41:6e:68:
    9d:9a:d2:ee:fd:1a:a1:e6:ca:3f:4a:6b:0d:db:a5:
    ef:93:95:4f:8c:4c:31
ASN1 OID: secp384r1

writing EC key
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDA8dRfDlwu0KEKMtvVWVzIrwf/i7mIlOASxavUjSOG6ef9WZIh0krfC
SauM/7J8bLOgBwYFK4EEACKhZANiAATyzcquNziNmOAc9CZZr0FN+0/RIBD7iLNK
s5unadwLXO8GImuOCMPCdBs2EovuRcX4O3NvCqTJfOHpqOLJfG/xabRFq9NFiUFu
aJ2a0u79GqHmyj9Kaw3bpe+TlU+MTDE=
-----END EC PRIVATE KEY-----