[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
Matt Rogers
mrogers at redhat.com
Fri Nov 13 14:50:29 UTC 2015
----- Original Message -----
> From: "Tom Robinson" <tom.robinson at motec.com.au>
> To: swan at lists.libreswan.org
> Sent: Thursday, November 12, 2015 4:24:10 PM
> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
>
> On 12/11/15 08:20, Tom Robinson wrote:
> > Hi Matt,
> >
> > Thanks for your response.
> >
> > On 12/11/15 01:15, Matt Rogers wrote:
> >> You should set rightid=%fromcert so it will use the received cert subject
> >> as the ID here.
> >>
> >
> > I've added rightid=%fromcert to the connection but it still fails as
> > follows:
> >
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fielder at motec.com.au" found (strict=no)
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
Is this a much older version of libreswan? This looks like what would happen
before we supported using %fromcert on the remote ID.
Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*';
that should cover this cert and others from the CA.
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
> > Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
> >
> > Do I need to add all the keys for issued roadwarrior certificates on the
> > server?
> >
>
> Anyone have any clues about the above?
>
> Also, is it possible to have l2tp and ikev2 connection definitions on the
> same VPN server? In my
> tests I've noticed that sometimes the l2tp connection responds to the
> client's IKEv2 connection request.
>
> Kind regards,
> Tom
>
>
> --
>
> Tom Robinson
> IT Manager/System Administrator
>
> MoTeC Pty Ltd
>
> 121 Merrindale Drive
> Croydon South
> 3136 Victoria
> Australia
>
> T: +61 3 9761 5050
> F: +61 3 9761 5051
> E: tom.robinson at motec.com.au
>
>
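For readers following this thread, an added ipsec.conf sketch (not posted by anyone in the thread, nor taken from libreswan's own documentation) of how the two questions raised above are usually addressed on one responder: the road-warrior connection authenticates peers by a wildcard DN pattern (the one suggested in the reply) plus rightca=%same, and the L2TP/IPsec connection is pinned to IKEv1 with ikev2=never so it cannot answer an IKEv2 proposal. Addresses, certificate nicknames and the address pool are placeholders.

```ini
# Added example, not from the thread. <...> values are placeholders.

conn ikev2-cp
    # Responder: identify ourselves by our own certificate's subject
    left=<server-public-ip>
    leftcert=<server-cert-nickname>
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Road warriors: any source address; the peer cert must be issued by
    # the same CA as ours (rightca=%same) and its subject must fit the
    # wildcard DN pattern suggested in the reply (CN and E may vary).
    right=%any
    rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*"
    rightca=%same
    rightaddresspool=<pool-first-ip>-<pool-last-ip>
    authby=rsasig
    # Only ever negotiate this conn over IKEv2
    ikev2=insist
    narrowing=yes
    auto=add

conn l2tp-psk
    # Classic L2TP/IPsec road warriors: IKEv1 + PSK, transport mode to UDP/1701
    left=<server-public-ip>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    type=transport
    authby=secret
    pfs=no
    # Never let this conn respond to an IKEv2 initiator
    ikev2=never
    auto=add
```

With ikev2=insist on one conn and ikev2=never on the other, pluto can only match an incoming IKE_SA_INIT against the IKEv2-capable connection, which avoids the L2TP conn being selected for an IKEv2 client.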