[Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson tom.robinson at motec.com.au
Mon Nov 16 00:50:26 UTC 2015


On 16/11/15 11:05, Tom Robinson wrote:
> On 15/11/15 01:50, Tom Robinson wrote:
>> On 14/11/15 22:58, Tuomo Soini wrote:
>>> On Sat, 14 Nov 2015 21:56:54 +1100
>>> Tom Robinson <tom.robinson at motec.com.au> wrote:
>>>
>>>
>>>> My apologies, I should have said earlier. We're running
>>>> libreswan-3.9-1 on CentOS 5.
>>>
>>> That is a far too old version. It doesn't have any support for this
>>> config. Upgrade to 3.13, which is the last version that will work on
>>> centos-5.
>>>
>>> I'd advise you to upgrade to centos-7, where libreswan is standard.
>>>
>> Thanks Tuomo,
>>
>> I have to support this older system for a few months more. I'm already
>> configuring a centos-7 replacement. I'll give 3.13 a try on centos-5
>> when I get a chance to compile it.
>>
> 
> I have compiled 3.13 and that is now working. Thanks for all the comments and help.
> 
> I still have an issue though as I'm unable to find a good reference for firewalling/routing.
> 
> Can anyone point me in the right direction please?
> 
> The problem now is that after the connection is established, the VPN client gets assigned an address
> from the addresspool= connection setting but it fails to contact the internal subnet. Does the
> addresspool subnet range have to be a different subnet from the internal subnet? How is routing handled?
> 
> I have:
> rightaddresspool=192.168.0.241-192.168.0.252
> 
> but my internal network is also 192.168.0.0/24
> 
> The above combination worked with IPSec/L2TP where xl2tpd assigned a pppd interface with an address
> from the 192.168.0.241-192.168.0.252 pool (xl2tpd.conf has 'ip range =
> 192.168.0.241-192.168.0.252'). That worked fine as the ppp? interface would come up and be found in
> arp requests. With IKEv2, I'm seeing arp requests for an address that has no interface.
> 
> Is it firewalling, routing or the libreswan connection that needs adjusting here?

I've done some testing with a different subnet in rightaddresspool and (with the correct firewall
adjustments) that all appears to be working now.

Kind regards,
Tom
-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
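As an added example (not code from the thread or from libreswan), a small check that parses a conn block from ipsec.conf and flags a rightaddresspool= range that falls inside the protected subnet, which is the overlap described above. The conn name and the leftsubnet= line are constructed assumptions; only the pool range and the 192.168.0.0/24 LAN come from the post.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment reproducing the thread's setup: the pool
# 192.168.0.241-192.168.0.252 lies inside the 192.168.0.0/24 LAN. The conn
# name and the leftsubnet= value are assumptions, not taken from the post.
SAMPLE_CONF = """\
conn ikev2-clients
    leftsubnet=192.168.0.0/24
    rightaddresspool=192.168.0.241-192.168.0.252
"""

def parse_conn(text):
    """Return {key: value} for the key=value lines of a conn block."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*=\s*(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def pool_to_networks(pool):
    """Expand libreswan's 'first-last' addresspool syntax into CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    if last < first:
        raise ValueError("addresspool end precedes start: %s" % pool)
    return list(ipaddress.summarize_address_range(first, last))

def pool_overlaps_subnet(pool, subnet):
    """True if any address of the pool lies inside subnet (a CIDR string)."""
    net = ipaddress.ip_network(subnet, strict=False)
    return any(block.overlaps(net) for block in pool_to_networks(pool))

def check_conn(text):
    """Report whether the conn's rightaddresspool collides with its leftsubnet."""
    opts = parse_conn(text)
    pool, subnet = opts["rightaddresspool"], opts["leftsubnet"]
    return {"pool": pool, "subnet": subnet,
            "overlap": pool_overlaps_subnet(pool, subnet)}

if __name__ == "__main__":
    r = check_conn(SAMPLE_CONF)
    verdict = "overlaps" if r["overlap"] else "is disjoint from"
    print("rightaddresspool %s %s leftsubnet %s" % (r["pool"], verdict, r["subnet"]))
```

An overlapping pool is what leaves the LAN sending ARP requests for an address no interface answers; a pool in a separate subnet reaches the client through the IPsec policy instead.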
