[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson tom.robinson at motec.com.au
Mon Nov 16 00:05:53 UTC 2015


On 15/11/15 01:50, Tom Robinson wrote:
> On 14/11/15 22:58, Tuomo Soini wrote:
>> On Sat, 14 Nov 2015 21:56:54 +1100
>> Tom Robinson <tom.robinson at motec.com.au> wrote:
>>
>>
>>> My apologies, I should have said earlier. We're running
>>> libreswan-3.9-1 on CentOS 5.
>>
>> That is all too old a version. It doesn't have any support for this
>> config. Upgrade to 3.13, which is the last version which will work on
>> centos-5.
>>
>> I'd advise you to upgrade to centos-7 where libreswan is standard.
>>
> Thanks Tuomo,
> 
> I have to support this older system for a few months more. I'm already
> configuring a centos-7 replacement. I'll give 3.13 a try on centos-5
> when I get a chance to compile it.
> 

I have compiled 3.13 and that is now working. Thanks for all the comments and help.

I still have an issue though as I'm unable to find a good reference for firewalling/routing.

Can anyone point me in the right direction please?

The problem now is that after the connection is established, the VPN client gets assigned an address
from the addresspool= connection setting but it fails to contact the internal subnet. Does the
addresspool subnet range have to be a different subnet from the internal subnet? How is routing handled?

I have:
rightaddresspool=192.168.0.241-192.168.0.252

but my internal network is also 192.168.0.0/24

The above combination worked with IPSec/L2TP where xl2tpd assigned a pppd interface with an address
from the 192.168.0.241-192.168.0.252 pool (xl2tpd.conf has 'ip range =
192.168.0.241-192.168.0.252'). That worked fine as the ppp? interface would come up and be found in
arp requests. With IKEv2, I'm seeing arp requests for an address that has no interface.

Is it firewalling, routing or the libreswan connection that needs adjusting here?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
