[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson tom.robinson at motec.com.au
Sat Nov 14 10:56:54 UTC 2015


On 14/11/15 01:50, Matt Rogers wrote:
> ----- Original Message -----
>> From: "Tom Robinson" <tom.robinson at motec.com.au>
>> To: swan at lists.libreswan.org
>> Sent: Thursday, November 12, 2015 4:24:10 PM
>> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
>>
>> On 12/11/15 08:20, Tom Robinson wrote:
>>> Hi Matt,
>>>
>>> Thanks for your response.
>>>
>>> On 12/11/15 01:15, Matt Rogers wrote:
>>>> You should set rightid=%fromcert so it will use the received cert subject
>>>> as the ID here.
>>>>
>>>
>>> I've added rightid=%fromcert to the connection but it still fails as
>>> follows:
>>>
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
>>> transition from state
>>> STATE_IKEv2_START to state STATE_PARENT_R1
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
>>> STATE_PARENT_R1: received v2I1,
>>> sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha
>>> group=MODP1024}
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT
>>> mapping for #3330, was
>>> 165.228.94.4:500, now 165.228.94.4:4500
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
>>> non-critical payload ignored
>>> because it contains an unknown or unexpected payload type
>>> (ISAKMP_NEXT_v2CP) at the outermost level
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2
>>> mode peer ID is
>>> ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas
>>> Robinson,
>>> E=thomas.robinson at motec.com.au'
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl
>>> from issuer "C=AU,
>>> ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA,
>>> E=shaun.fielder at motec.com.au" found
>>> (strict=no)
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA
>>> public key known for
>>> '%fromcert'
> 
> Is this a much older version of libreswan? This looks like what would happen
> before we supported using %fromcert on the remote ID. 

My apologies, I should have said earlier. We're running libreswan-3.9-1
on CentOS 5.

> 
> Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*'
> that should cover this cert and others from the CA.

Interestingly, our current IPSec/L2TP roadwarrior (which I recently
migrated from and older OpenSWAN install) uses this:

rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*"

Prior to receiving your email I already tried the above rightid for the
ikev2-cp connection but got a very similar log output to when I had
rightid=%fromcert:

Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: new
NAT mapping for #1835, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
non-critical payload ignored because it contains an unknown or
unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty
Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robinson at motec.com.au'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: no
RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*,
CN=*, E=*'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: RSA
authentication failed
Nov 13 15:47:04 fw2 pluto[12924]: | ikev2_parent_inI2outR2_tail returned
STF_FATAL
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4: deleting
connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

The main difference is (with rightid=%fromcert) it used to say :

no RSA public key known for '%fromcert'

and now (with rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*,
E=*") it says:

no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*,
CN=*, E=*'

I'm still missing something here. What does 'no RSA public key known'
actually mean? Isn't the public key sent as part of the client certificate?

Kind regards,
Tom


More information about the Swan mailing list