[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Paul Wouters paul at nohats.ca
Sun Nov 15 09:37:45 UTC 2015


On Sun, 15 Nov 2015, Tom Robinson wrote:

> My other question was about having both IKEv2 and IPSec/L2TP connection
> definitions on the same VPN server. Is that possible on 3.13 (or any
> version)? I noticed my L2TP connection sometimes responded to the
> IKEv2 client request.

Note that pluto uses "connection switching". It will pick a matching
connection, and will refine it during the negotiation when more
information comes in. So it is perfectly normal if you have two types
of roadwarrior connections, that it seems to pick the "wrong one" at
first. It should switch to the right one later on.

You might help things a bit by more clearly separating your two
connections by using ikev2=never for the l2tp connection and
ikev2=insist for the non-l2tp connection. That should help pluto
make the right decision on the first received packet that will
state if it is an ikev1 or ikev2 packet.

Paul
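
Added example, not part of the message above and not libreswan code: a small check that lists roadwarrior conns (a peer of %any) in an ipsec.conf that are not pinned with ikev2=never or ikev2=insist as suggested in the reply. The conn names and the sample config are constructed for illustration, and also= inheritance is not followed.

```python
# Lint an ipsec.conf for roadwarrior conns that do not pin the IKE version
# with one of the two values recommended in the reply above.
PINNED = {"never", "insist"}

# Constructed sample config; conn names and option values are illustrative.
SAMPLE_CONF = """\
conn l2tp-psk
    authby=secret
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    ikev2=never

conn ikev2-rw
    authby=rsasig
    left=%defaultroute
    right=%any
    ikev2=insist

conn legacy-rw
    # no ikev2= line, so the first packet alone cannot rule this conn out
    authby=secret
    left=%defaultroute
    right=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def unpinned_roadwarriors(text):
    """Names of conns with a %any peer and no ikev2=never/insist."""
    return sorted(
        name for name, opts in parse_conns(text).items()
        if "%any" in (opts.get("left"), opts.get("right"))
        and opts.get("ikev2", "").lower() not in PINNED)
```

Calling unpinned_roadwarriors(SAMPLE_CONF) returns only the conn that lacks an explicit ikev2= line.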

