Bug #6113


SWu figure out why SWu has problems connecting to strongswan

Added by lynxis 7 months ago. Updated about 2 months ago.




Currently the python SWu project doesn't connect to strongswan. Strongswan
fails to find a proper peer config:

epdg charon-systemd[6345]: parsed IKE_AUTH request 1 [ IDi IDr CPRQ(ADDR DNS ADDR6 DNS6 PCSCF4 PCSCF6) SA TSi TSr N(EAP_ONLY) ]
epdg charon-systemd[6345]: looking for peer configs matching[internet]...[]
epdg charon-systemd[6345]: peer config "rw", ike match: 1052 ( IKEv2)
epdg charon-systemd[6345]:   local id match: 0 (ID_FQDN: 69:6e:74:65:72:6e:65:74)
epdg charon-systemd[6345]: no matching peer config found

I would guess SWu doesn't try to get the certificate of the epdg.


Actions #1

Updated by lynxis 7 months ago

  • % Done changed from 0 to 30

After relaxing the local id, the connection looks better.
But now epdg strongswan reports: "private key of type ED25519 not supported".

connections {
   rw {
      local_addrs  =
      pools = rw_pool

      local {
         auth = pubkey
         certs = epdgCert.pem
         id = %any
      }
      remote {
         auth = eap-aka
      }
      children {
         net {
            local_ts =

            updown = /usr/lib/ipsec/_updown iptables
            esp_proposals = default
         }
      }
      version = 2
      # proposals = null-md5-prfmd5-null-ecp192
      # proposals = AES_CBC_128-HMAC_SHA1_96-PRF_HMAC_SHA1-MODP_2048
   }
}

secrets {
}

pools {
   rw_pool {
      addrs =
   }
}

Actions #2

Updated by lynxis 7 months ago

I'm pretty sure the SWu doesn't support ED25519 authentication, but the epdg is currently using an ed25519 certificate.

Actions #3

Updated by lynxis 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 30 to 90

The ed25519 certificate together with the hash algorithm was the problem.
With an rsa 4k certificate it works fine.

Further there is a problem with the eap encoder of SWu, since it's using hardcoded values which are problematic
if the NAI doesn't have the exact expected length.

Cleanup code and create a PR against SWu.
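
Added example, not SWu's code and not the merged patch: the issue does not say which values were hard-coded, so this assumes the EAP-AKA AT_IDENTITY attribute from RFC 4187 as the field that carries the NAI and derives every length from the NAI itself. The function names and the sample NAI are constructed for illustration.

```python
import struct

EAP_RESPONSE, EAP_TYPE_AKA = 2, 23   # RFC 3748 code, RFC 4187 method type
AKA_IDENTITY, AT_IDENTITY = 5, 14    # RFC 4187 subtype and attribute type
# Constructed sample NAI (test PLMN 001/01), not taken from the issue.
SAMPLE_NAI = "0001010000000001@nai.epc.mnc001.mcc001.3gppnetwork.org"


def encode_at_identity(nai: str) -> bytes:
    """Type, length in 4-byte words, actual identity length, NAI, zero padding."""
    ident = nai.encode("utf-8")
    pad = -len(ident) % 4                     # pad the value to a 4-byte boundary
    words = (4 + len(ident) + pad) // 4       # attribute length counts its header
    if not ident or words > 255:              # the length field is a single byte
        raise ValueError("NAI does not fit into one AT_IDENTITY attribute")
    return struct.pack("!BBH", AT_IDENTITY, words, len(ident)) + ident + bytes(pad)


def encode_aka_identity_response(identifier: int, nai: str) -> bytes:
    """EAP-Response/AKA-Identity whose EAP length follows the attribute size."""
    attrs = encode_at_identity(nai)
    total = 8 + len(attrs)   # EAP header (4) + type, subtype, 2 reserved bytes
    return struct.pack("!BBHBBH", EAP_RESPONSE, identifier, total,
                       EAP_TYPE_AKA, AKA_IDENTITY, 0) + attrs


def decode_aka_identity_response(pkt: bytes) -> str:
    """Parse the packet back, rejecting any length field that disagrees."""
    if len(pkt) < 12:
        raise ValueError("truncated packet")
    code, _id, total, etype, subtype, _rsvd = struct.unpack("!BBHBBH", pkt[:8])
    if (code, etype, subtype) != (EAP_RESPONSE, EAP_TYPE_AKA, AKA_IDENTITY):
        raise ValueError("not an EAP-Response/AKA-Identity")
    if total != len(pkt):
        raise ValueError("EAP length does not match the packet size")
    atype, words, actual = struct.unpack("!BBH", pkt[8:12])
    if atype != AT_IDENTITY or 8 + 4 * words > total or actual > 4 * words - 4:
        raise ValueError("inconsistent AT_IDENTITY length fields")
    return pkt[12:12 + actual].decode("utf-8")


if __name__ == "__main__":
    packet = encode_aka_identity_response(1, SAMPLE_NAI)
    print(packet.hex(), decode_aka_identity_response(packet))
```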

Actions #4

Updated by lynxis 3 months ago

Waiting for upstream feedback.

Actions #5

Updated by lynxis 3 months ago

  • % Done changed from 90 to 100

got merged.

Actions #6

Updated by lynxis about 2 months ago

  • Status changed from Feedback to Closed
