[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Matt Rogers mrogers at redhat.com
Fri Nov 13 14:50:29 UTC 2015


----- Original Message -----
> From: "Tom Robinson" <tom.robinson at motec.com.au>
> To: swan at lists.libreswan.org
> Sent: Thursday, November 12, 2015 4:24:10 PM
> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
> 
> On 12/11/15 08:20, Tom Robinson wrote:
> > Hi Matt,
> > 
> > Thanks for your response.
> > 
> > On 12/11/15 01:15, Matt Rogers wrote:
> >> You should set rightid=%fromcert so it will use the received cert subject
> >> as the ID here.
> >>
> > 
> > I've added rightid=%fromcert to the connection but it still fails as
> > follows:
> > 
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
> > transition from state
> > STATE_IKEv2_START to state STATE_PARENT_R1
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
> > STATE_PARENT_R1: received v2I1,
> > sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha
> > group=MODP1024}
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT
> > mapping for #3330, was
> > 165.228.94.4:500, now 165.228.94.4:4500
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
> > non-critical payload ignored
> > because it contains an unknown or unexpected payload type
> > (ISAKMP_NEXT_v2CP) at the outermost level
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2
> > mode peer ID is
> > ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas
> > Robinson,
> > E=thomas.robinson at motec.com.au'
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl
> > from issuer "C=AU,
> > ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA,
> > E=shaun.fielder at motec.com.au" found
> > (strict=no)
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA
> > public key known for
> > '%fromcert'

Is this a much older version of libreswan? This looks like what would happen
before we supported using %fromcert on the remote ID.

Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*';
that should cover this cert and others from the CA.

> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA
> > authentication failed
> > Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned
> > STF_FATAL
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting
> > connection "ikev2-cp"
> > instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
> > 
> > Do I need to add all the keys for issued roadwarrior certificates on the
> > server?
> > 
> 
> Anyone have any clues about the above?
> 
> Also, is it possible to have l2tp and ikev2 connection definitions on the
> same VPN server? In my
> tests I've noticed that sometimes the l2tp connection responds to the
> client's IKEv2 connection request.
> 
> Kind regards,
> Tom
> 
> 
> --
> 
> Tom Robinson
> IT Manager/System Administrator
> 
> MoTeC Pty Ltd
> 
> 121 Merrindale Drive
> Croydon South
> 3136 Victoria
> Australia
> 
> T: +61 3 9761 5050
> F: +61 3 9761 5051
> E: tom.robinson at motec.com.au
> 
> 
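As an added illustration (not part of this thread, and not configuration from the libreswan project), here is what the responder-side connection could look like with the wildcard rightid Matt suggests, so that one connection definition covers every roadwarrior certificate issued under the same CA instead of a per-client key. The certificate nickname, the address pool and the use of %defaultroute are assumed placeholders; the DN attributes are taken from the peer ID in Tom's log.

```ini
# ipsec.conf fragment (added example). Assumes the gateway certificate and
# the issuing CA are already imported into the NSS database used by pluto.
conn ikev2-cp
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    leftcert=fw2-gateway-cert          # assumed NSS nickname of the gateway cert
    leftid=%fromcert                   # our ID is taken from our own cert subject
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    # Wildcard DN instead of one rightid/rsasigkey per client: CN and E vary per
    # roadwarrior, the other attributes are fixed by the CA's issuing policy.
    # Attributes are listed in the order the client cert subject shows in the log.
    rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*"
    rightca=%same                      # client cert must chain to the same CA as ours
    rightaddresspool=10.99.0.0/24      # assumed virtual-IP pool for clients
    narrowing=yes
    auto=add
```

With rightca=%same, a certificate whose subject happens to match the wildcard pattern is still rejected unless it was issued by the same CA that issued the gateway's certificate, so the wildcard only relaxes identity selection, not trust in the issuer.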

