[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson tom.robinson at motec.com.au
Thu Nov 12 21:24:10 UTC 2015


On 12/11/15 08:20, Tom Robinson wrote:
> Hi Matt,
> 
> Thanks for your response.
> 
> On 12/11/15 01:15, Matt Rogers wrote:
>> You should set rightid=%fromcert so it will use the received cert subject
>> as the ID here.
>>
> 
> I've added rightid=%fromcert to the connection but it still fails as follows:
> 
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state
> STATE_IKEv2_START to state STATE_PARENT_R1
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1,
> sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was
> 165.228.94.4:500, now 165.228.94.4:4500
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored
> because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is
> ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson,
> E=thomas.robinson at motec.com.au'
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU,
> ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found
> (strict=no)
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for
> '%fromcert'
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
> Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp"
> instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
> 
> Do I need to add all the keys for issued roadwarrior certificates on the server?
> 

Anyone have any clues about the above?

Also, is it possible to have l2tp and ikev2 connection definitions on the same VPN server? In my
tests I've noticed that sometimes the l2tp connection responds to the client's IKEv2 connection request.

Kind regards,
Tom


-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
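When a responder logs "no RSA public key known for '...'" followed by "RSA authentication failed", the useful triage facts are all spread across several pluto lines: which peer address, which IKE SA, what ID the client asserted from its certificate, what ID string pluto actually used for the key lookup, and whether CRL checking was enforced. The following Python script is an added example for this thread, not code from the original post or from the libreswan project. It assumes only the pluto log layout visible in the quoted lines (`pluto[pid]: "conn"[instance] peer #sa: message`); the sample input is those same lines re-joined onto single lines, with the mailing-list archive's " at " obfuscation of e-mail addresses left as it appears on the page.

```python
import re
from collections import OrderedDict

# Constructed sample input: the pluto lines quoted in the thread, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
"""

# Line layout assumed from the quoted log: the SA number ("#3330") and the
# connection instance ("[1]") are both optional.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"peer ID is (?P<idtype>\S+): '(?P<id>.*)'$")
NO_KEY_RE = re.compile(r"no RSA public key known for '(?P<lookup>.*)'$")
NO_CRL_RE = re.compile(r'no crl from issuer "(?P<issuer>[^"]+)" found \(strict=(?P<strict>\w+)\)')


def parse_line(line):
    """Split one pluto line into its fields; return None for lines without a
    connection prefix (for example the '| ...' debug lines)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_auth_failures(log_text):
    """Group lines by (connection, SA number) and report every SA whose RSA
    authentication failed: peer address, the ID the client asserted, the ID
    string pluto used for the key lookup, CRL strictness, and whether the
    connection instance was torn down afterwards."""
    sas = OrderedDict()
    deleted = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["sa"] is None:
            # Instance-level line (no SA number), e.g. "deleting connection".
            if rec["msg"].startswith("deleting connection"):
                deleted.add((rec["conn"], rec["inst"], rec["peer"]))
            continue
        sa = sas.setdefault((rec["conn"], rec["sa"]), {
            "conn": rec["conn"], "instance": rec["inst"], "peer": rec["peer"],
            "sa": rec["sa"], "peer_id": None, "key_lookup": None,
            "crl_strict": None, "auth_failed": False,
        })
        msg = rec["msg"]
        m = PEER_ID_RE.search(msg)
        if m:
            sa["peer_id"] = m.group("id")
        m = NO_KEY_RE.search(msg)
        if m:
            sa["key_lookup"] = m.group("lookup")
        m = NO_CRL_RE.search(msg)
        if m:
            sa["crl_strict"] = (m.group("strict") == "yes")
        if msg == "RSA authentication failed":
            sa["auth_failed"] = True

    report = []
    for sa in sas.values():
        if not sa["auth_failed"]:
            continue
        sa["deleted"] = (sa["conn"], sa["instance"], sa["peer"]) in deleted
        notes = []
        if sa["key_lookup"] and sa["key_lookup"].startswith("%"):
            notes.append("key lookup used the literal id keyword %r, not the cert DN" % sa["key_lookup"])
        if sa["key_lookup"] and sa["peer_id"] and sa["key_lookup"] != sa["peer_id"]:
            notes.append("lookup id differs from the peer ID asserted in the cert")
        if sa["crl_strict"] is False:
            notes.append("CRL for the issuer was missing but not enforced (strict=no)")
        sa["notes"] = notes
        report.append(sa)
    return report


if __name__ == "__main__":
    for entry in summarize_auth_failures(SAMPLE_LOG):
        print("%s #%s from %s (deleted=%s)" % (entry["conn"], entry["sa"], entry["peer"], entry["deleted"]))
        print("  asserted peer ID : %s" % entry["peer_id"])
        print("  key lookup id    : %s" % entry["key_lookup"])
        for note in entry["notes"]:
            print("  note: %s" % note)
```

Run against a real pluto log (`journalctl -u ipsec` output or /var/log/secure, depending on the distribution) the script prints one entry per failed IKE SA. On the quoted lines it shows the point worth noticing in this thread: the asserted peer ID is the full certificate DN, but the key lookup was performed for the literal string '%fromcert', and the missing CRL was logged but not enforced, so revocation of a roadwarrior certificate would not have blocked the connection had authentication otherwise succeeded.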
