[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
Tom Robinson
tom.robinson at motec.com.au
Tue Nov 10 23:54:39 UTC 2015
Hi,
I've had a lot of success with IPsec/L2TP but have faced some issues. Recently I upgraded from an
older Openswan to a libreswan implementation and found there is support for IKEv2 connections. I
decided to give it a go as it looked quite easy to set up. After following the documentation here:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 I have so far not been able to
get an IKEv2 connection working.
Can someone please shed some light on this? Where did I mess up?
Here's what the log says:
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: new NAT mapping for #327, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: RSA authentication failed
Nov 10 09:13:01 fw2 pluto[18852]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
My connection definition:
conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=115.70.189.243
    leftcert=motec6.motec.com.au
    leftid=@motec6.motec.com.au
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    rightsendcert=always
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.0.241-192.168.0.252
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns1=10.0.19.13
    modecfgdns2=10.0.18.1
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    #fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota)
    # pam-authorize=yes
I have added Subject Alt Names to the certificate for this connection as per the documentation:
# certutil -d . -L -n motec6.motec.com.au
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 588 (0x24c)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=shaun.fielder at motec.com.au,CN=MoTeC CA,OU=R&D,O=MoTeC Pty Ltd,L=Melbourne,ST=Victoria,C=AU"
        Validity:
            Not Before: Mon Nov 09 03:07:42 2015
            Not After : Tue Nov 08 03:07:42 2016
        Subject: "E=authority at motec.com.au,CN=motec6.motec.com.au,OU=IT,O=MoTeC Pty Ltd,L=Melbourne,ST=Victoria,C=AU"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ---redacted---
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.
            Name: Certificate Key Usage
            Usages: Digital Signature
                    Key Encipherment
            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
            Name: Certificate Subject Alt Name
            DNS name: "motec6.motec.com.au"
            IP Address: 115.70.189.243
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        ---redacted---
    Fingerprint (SHA-256):
        ---redacted---
    Fingerprint (SHA1):
        ---redacted---
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
Kind regards,
Tom
--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South
3136 Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
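The log excerpt above shows the whole story of the failed handshake: the peer presents a DN identity, pluto then looks up an RSA key under the peer's IP address and aborts with "RSA authentication failed". The following Python script is an added example, not part of the original post or of libreswan; it parses pluto log lines of the format shown above, groups them per IKE SA, and reports each SA whose RSA authentication failed, together with the ID the peer presented and the ID pluto actually used for the key lookup, so the mismatch is visible at a glance when triaging a server log. The sample lines are copied from the post (re-joined where the archive wrapped them).

```python
import re
from collections import defaultdict

# Sample pluto log lines taken from the post above (constructed sample input
# for this example; the archive had wrapped them across lines).
PLUTO_LOG = """\
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: RSA authentication failed
Nov 10 09:13:01 fw2 pluto[18852]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
"""

# One pluto line: timestamp, host, pluto[pid], "conn"[instance] peer [#sa]: message.
# Debug lines ("| ...") carry no connection prefix and are deliberately skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"peer ID is (?P<type>\S+): '(?P<id>[^']*)'")
NO_KEY_RE = re.compile(r"no RSA public key known for '(?P<lookup>[^']*)'")

def parse_pluto(text):
    """Yield one dict (ts, conn, peer, sa, msg) per pluto line with a connection prefix."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def auth_failures(text):
    """Return one record per IKE SA whose RSA authentication failed.

    Each record carries the ID type and value the peer presented, the ID pluto
    used when it searched for an RSA key, and id_mismatch=True when the two differ."""
    sas = defaultdict(dict)
    for ev in parse_pluto(text):
        if not ev["sa"]:          # connection-level lines (e.g. "deleting connection")
            continue
        rec = sas[(ev["conn"], ev["peer"], ev["sa"])]
        rec.setdefault("first_seen", ev["ts"])
        if (m := PEER_ID_RE.search(ev["msg"])):
            rec["peer_id_type"], rec["peer_id"] = m["type"], m["id"]
        elif (m := NO_KEY_RE.search(ev["msg"])):
            rec["lookup_id"] = m["lookup"]
        elif "RSA authentication failed" in ev["msg"]:
            rec["auth_failed"] = True
    out = []
    for (conn, peer, sa), rec in sas.items():
        if rec.get("auth_failed"):
            rec.update(conn=conn, peer=peer, sa=sa)
            rec["id_mismatch"] = rec.get("lookup_id") not in (None, rec.get("peer_id"))
            out.append(rec)
    return out
```

Feed it the output of `journalctl -u ipsec` or `/var/log/secure` instead of the embedded sample to scan a live server; anything it reports with id_mismatch=True is a client whose presented identity was never the one pluto matched a key against.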