[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson tom.robinson at motec.com.au
Tue Nov 10 23:54:39 UTC 2015


Hi,

I've had a lot of success with IPSec/L2TP but have faced some issues. Recently I upgraded from an
older OpenSWAN to a libreswan implementation and found there is support for IKEv2 connections. I
decided to give it a go as it looked quite easy to set up. After following the documentation here:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 I have so far not been able to
get an IKEv2 connection working.

Can someone please shed some light on this? Where did I mess up?

Here's what the log says:
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: new NAT mapping for #327, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: RSA authentication failed
Nov 10 09:13:01 fw2 pluto[18852]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

My connection definition:
conn ikev2-cp
        # The server's actual IP goes here - not elastic IPs
        left=115.70.189.243
        leftcert=motec6.motec.com.au
        leftid=@motec6.motec.com.au
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftrsasigkey=%cert
        # Clients
        rightsendcert=always
        right=%any
        # your addresspool to use - you might need NAT rules if providing full internet to clients
        rightaddresspool=192.168.0.241-192.168.0.252
        # optional rightid with restrictions
        # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
        rightca=%same
        rightrsasigkey=%cert
        #
        # connection configuration
        # DNS servers for clients to use
        modecfgdns1=10.0.19.13
        modecfgdns2=10.0.18.1
        narrowing=yes
        # recommended dpd/liveness to cleanup vanished clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        # ikev2 fragmentation support requires libreswan 3.14 or newer
        #fragmentation=yes
        # optional PAM username verification (eg to implement bandwidth quota)
        # pam-authorize=yes

I have added Subject Alt Names to the certificate for this connection as per documentation:
# certutil -d . -L -n motec6.motec.com.au
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 588 (0x24c)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=shaun.fielder at motec.com.au,CN=MoTeC CA,OU=R&D,O=MoTeC Pty
            Ltd,L=Melbourne,ST=Victoria,C=AU"
        Validity:
            Not Before: Mon Nov 09 03:07:42 2015
            Not After : Tue Nov 08 03:07:42 2016
        Subject: "E=authority at motec.com.au,CN=motec6.motec.com.au,OU=IT,O=MoT
            eC Pty Ltd,L=Melbourne,ST=Victoria,C=AU"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
 ---redacted---
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Key Usage
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

            Name: Certificate Subject Alt Name
            DNS name: "motec6.motec.com.au"
            IP Address: 115.70.189.243

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
 ---redacted---
    Fingerprint (SHA-256):
 ---redacted---
    Fingerprint (SHA1):
 ---redacted---

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
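
Added example, not part of the original post: a small triage script for pluto logs in the format quoted above. For each state number that ends in "RSA authentication failed", it reports the ID the peer sent beside the name given in the "no RSA public key known for" line so the two can be compared. It assumes one log entry per line (as in the syslog file, not as wrapped in the e-mail); the sample lines and their values are constructed, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto log format quoted in the post (values are made up).
SAMPLE_LOG = """\
Nov 10 09:13:01 gw pluto[100]: "ikev2-cp"[1] 192.0.2.10 #7: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=Example, CN=Road Warrior'
Nov 10 09:13:01 gw pluto[100]: "ikev2-cp"[1] 192.0.2.10 #7: no RSA public key known for '192.0.2.10'
Nov 10 09:13:01 gw pluto[100]: "ikev2-cp"[1] 192.0.2.10 #7: RSA authentication failed
Nov 10 09:14:10 gw pluto[100]: "ikev2-cp"[2] 192.0.2.20 #8: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=Example, CN=Other'
"""

# Layout: pluto[pid]: "conn"[instance] peer-ip #state: message
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID = re.compile(r"IKEv2 mode peer ID is (?P<type>ID_\w+): '(?P<value>.*)'$")
NO_KEY = re.compile(r"no RSA public key known for '(?P<name>.*)'$")

def triage(log_text):
    """Group pluto lines by state number and report RSA authentication
    failures with the peer's ID next to the name used for the key lookup."""
    states = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # debug lines ("| ...") and lines without a #state are skipped
        s = states[m["state"]]
        s.update(conn=m["conn"], peer=m["peer"])
        if (p := PEER_ID.search(m["msg"])):
            s["id_type"], s["id_value"] = p["type"], p["value"]
        elif (k := NO_KEY.search(m["msg"])):
            s["lookup_name"] = k["name"]
        elif m["msg"] == "RSA authentication failed":
            s["failed"] = True
    findings = []
    for num, s in states.items():
        if not s.get("failed"):
            continue
        sent, used = s.get("id_value"), s.get("lookup_name")
        findings.append({
            "state": int(num), "conn": s["conn"], "peer": s["peer"],
            "id_type": s.get("id_type"), "id_value": sent, "lookup_name": used,
            # True when the key lookup used a name other than the ID the peer sent
            "lookup_differs_from_peer_id": used is not None and used != sent,
        })
    return findings
```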
