[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson tom.robinson at motec.com.au
Wed Nov 11 21:20:37 UTC 2015


Hi Matt,

Thanks for your response.

On 12/11/15 01:15, Matt Rogers wrote:
> You should set rightid=%fromcert so it will use the received cert subject
> as the ID here.
> 

I've added rightid=%fromcert to the connection but it still fails as follows:

Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

Do I need to add all the keys for issued roadwarrior certificates on the server?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
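As an added example (not part of Tom's post, and not libreswan code), the following Python script triages pluto log excerpts like the one above: it groups lines by IKE SA number, records the state transitions, the negotiated proposal, the peer ID the responder extracted from the certificate, the NAT mapping and every authentication-failure message, and flags algorithms in the proposal that a reviewer would treat as legacy. The sample log lines are copied from the post as they appear there (including pipermail's " at " address obfuscation); the assumed pluto line layout in PLUTO_RE and the LEGACY_ALGS set are assumptions of this example, not something the post states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed layout of a pluto log line (matches the excerpt in the post):
#   <Mon DD HH:MM:SS> <host> pluto[<pid>]: "<conn>"[<inst>] <peer>[ #<sa>]: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+?)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
PROPOSAL_RE = re.compile(r'\{([^}]*)\}')          # {auth=... cipher=... group=...}
PEER_ID_RE = re.compile(r"peer ID is (?P<type>\S+): '(?P<id>[^']*)'")
NAT_RE = re.compile(r'new NAT mapping for #\d+, was (\S+), now (\S+)')

# Assumption of this example: 3DES, SHA-1 integrity and the 1024-bit MODP group
# are legacy choices a reviewer would want surfaced in a negotiated proposal.
LEGACY_ALGS = {"oakley_3des_cbc_192", "sha1_96", "MODP1024"}
AUTH_FAILURE_MARKERS = ("no RSA public key known for", "authentication failed")


@dataclass
class SaRecord:
    conn: str
    peer: str
    states: List[str] = field(default_factory=list)
    proposal: Dict[str, str] = field(default_factory=dict)
    peer_id_type: Optional[str] = None
    peer_id: Optional[str] = None
    nat_mapping: Optional[Tuple[str, str]] = None
    auth_failures: List[str] = field(default_factory=list)
    deleted: bool = False

    def legacy_algs(self) -> List[str]:
        """Algorithms in the negotiated proposal that appear in LEGACY_ALGS."""
        return sorted(v for v in self.proposal.values() if v in LEGACY_ALGS)


def parse_pluto_log(lines) -> Dict[int, SaRecord]:
    """Group pluto lines by IKE SA number and extract triage fields.
    Lines without the "conn"[inst] peer prefix (e.g. '| debug' lines) are skipped."""
    records: Dict[int, SaRecord] = {}
    current_sa: Optional[int] = None
    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if not m:
            continue
        conn, peer, sa, msg = m['conn'], m['peer'], m['sa'], m['msg']
        if sa is None:
            # "deleting connection" carries no #SA; attach it to the last SA seen.
            if current_sa is not None and 'deleting connection' in msg:
                records[current_sa].deleted = True
            continue
        current_sa = int(sa)
        rec = records.setdefault(current_sa, SaRecord(conn=conn, peer=peer))
        t = TRANSITION_RE.search(msg)
        if t:
            if not rec.states:
                rec.states.append(t.group(1))
            rec.states.append(t.group(2))
        p = PROPOSAL_RE.search(msg)
        if p:
            rec.proposal = dict(kv.split('=', 1) for kv in p.group(1).split())
        idm = PEER_ID_RE.search(msg)
        if idm:
            rec.peer_id_type, rec.peer_id = idm['type'], idm['id']
        n = NAT_RE.search(msg)
        if n:
            rec.nat_mapping = (n.group(1), n.group(2))
        if any(marker in msg for marker in AUTH_FAILURE_MARKERS):
            rec.auth_failures.append(msg)
    return records


def summarize(records: Dict[int, SaRecord]) -> List[str]:
    """One human-readable triage line per IKE SA."""
    out = []
    for sa, r in sorted(records.items()):
        out.append(
            f"#{sa} {r.conn} peer={r.peer} states={'->'.join(r.states)} "
            f"peer_id={r.peer_id_type}:{r.peer_id!r} nat={r.nat_mapping} "
            f"legacy_algs={r.legacy_algs()} auth_failures={len(r.auth_failures)} "
            f"deleted={r.deleted}"
        )
    return out


# Sample input: the pluto lines quoted in the post, rejoined one entry per line.
SAMPLE_LOG = [
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1',
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}',
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500',
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level',
    "Nov 12 08:15:38 fw2 pluto[26342]: \"ikev2-cp\"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'",
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)',
    "Nov 12 08:15:38 fw2 pluto[26342]: \"ikev2-cp\"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'",
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed',
    'Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL',
    'Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}',
]

if __name__ == "__main__":
    for line in summarize(parse_pluto_log(SAMPLE_LOG)):
        print(line)
```

Run against the excerpt it reports a single SA (#3330) whose peer ID was read from the certificate DN, whose proposal contains three legacy algorithms, and which accumulated two authentication-failure messages before the connection instance was deleted; pointing it at a longer journal lets you see whether every road-warrior instance fails the same way.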

