[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Matt Rogers mrogers at redhat.com
Wed Nov 11 14:15:56 UTC 2015


----- Original Message -----
> From: "Tom Robinson" <tom.robinson at motec.com.au>
> To: swan at lists.libreswan.org
> Sent: Tuesday, November 10, 2015 6:54:39 PM
> Subject: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
> 
> Hi,
> 
> I've had a lot of success with IPsec/L2TP but have faced some issues. Recently I upgraded from an older OpenSWAN to libreswan implementation and found there is support for IKEv2 connections. I decided to give it a go as it looked quite easy to set up. After following the documentation here: https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 I have so far not been able to get an IKEv2 connection working.
> 
> Can someone please shed some light on this? Where did I mess up?
> 
> Here's what the log says:
> Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: new NAT mapping for #327, was 165.228.94.4:500, now 165.228.94.4:4500
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'

You should set rightid=%fromcert so it will use the received cert subject
as the ID here.

Regards,
Matt
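An ipsec.conf conn stanza illustrating the setting Matt recommends, added here as an example (it is not from the thread or from the libreswan wiki page Tom linked); the conn name "ikev2-cp" and the peer address come from the log, while the certificate nickname, address pool and other values are assumed:

```ini
# Added illustration of the fix suggested above. "ikev2-cp" is the conn
# name from the log; the certificate nickname and address pool are assumed.
conn ikev2-cp
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    leftcert=fw2.example.com        # assumed NSS nickname of the server certificate
    leftid=%fromcert                # server ID taken from the subject DN of leftcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    # With no rightid set, pluto falls back to the peer's IP address as its
    # identity and looks for an RSA key under '165.228.94.4', which is exactly
    # the "no RSA public key known for" line in the log. %fromcert makes it use
    # the subject DN of the certificate the client presents instead, so the
    # lookup matches the ID_DER_ASN1_DN peer ID that was logged.
    rightid=%fromcert
    rightca=%same                   # client cert must chain to the same CA as leftcert
    rightaddresspool=192.0.2.100-192.0.2.200   # assumed pool for remote clients
    narrowing=yes
    auto=add
```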
