[Swan] Question: IKEv2 with RSAsig: Invalid payload received
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Wed Nov 24 23:12:56 EET 2021
Dear Sir,
I have proceeded to configure IKEv2 auth according to your advice, as even the libreswan.org website wiki says that L2TP is legacy and to be avoided for new connections. It became clear that I will have to manually set up each user's laptop or mobile device, as I can neither memorize nor publish the 32 key PSK I use (as is recommended for security).
However, my IKEv2 conn with RSA reports an error. I have had problems with wrong policy and (since modp1024 is no longer allowed in libreswan v3.32) enabled the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 registry key in Windows 10 according to instructions here: https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#A-Authentication-using-X509-Machine-Certificates
The error I receive now is:
The IKEv2 conn setup is here:
conn MYCONN-ikev2-cp
# The server's actual IP goes here - not elastic IPs
left=161.53.235.3
leftcert=vpn.alu.hr
leftid=@vpn.alu.hr
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
# Clients
right=%any
# your addresspool to use - you might need NAT rules if providing full internet to clients
rightaddresspool=192.168.100.10-192.168.100.253
# optional rightid with restrictions
rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
rightca=%same
rightrsasigkey=%cert
#
# connection configuration
# DNS servers for clients to use
modecfgdns=8.8.8.8,192.168.100.1
# Versions up to 3.22 used modecfgdns1 and modecfgdns2
#modecfgdns1=8.8.8.8
#modecfgdns2=193.110.157.123
narrowing=yes
# recommended dpd/liveness to cleanup vanished clients
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
# ikev2 fragmentation support requires libreswan 3.14 or newer
fragmentation=yes
# optional PAM username verification (eg to implement bandwidth quota
# pam-authorize=yes
The session log is:
https://domac.alu.hr/mtodorov/ikev2-v3.32-20211124-07.log
The most notable error is:
Nov 24 22:05:52.272134: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in complete_v2_state_transition() at ikev2.c:3235)
Nov 24 22:05:52.272145: | #1 complete_v2_state_transition() PARENT_R1 -> PARENT_R1 with status STF_FATAL
Nov 24 22:05:52.272158: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: encountered fatal error in state STATE_PARENT_R1
Nov 24 22:05:52.272167: | Message ID: exchange zombie as no response?
Nov 24 22:05:52.272177: | release_pending_whacks: state #1 has no whack fd
Nov 24 22:05:52.272186: | pstats #1 ikev2.ike deleted other
Nov 24 22:05:52.272198: | #1 spent 13.2 milliseconds in total
Nov 24 22:05:52.272213: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in delete_state() at state.c:944)
Nov 24 22:05:52.272227: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: deleting state (STATE_PARENT_R1) aged 0.031s and NOT sending notification
Nov 24 22:05:52.272237: | parent state #1: PARENT_R1(half-open IKE SA) => delete
At this point Googling didn't help and I am stuck.
Do you have an idea of what I should try next, please?
Kind regards,
Mirsad Todorovac
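Added example, not part of the original post or of libreswan: a small triage script for pluto debug output like the excerpt above. It pulls out each IKEv2 state transition that did not succeed, together with the connection name and peer address reported for that state, so that one can see at a glance in which state (here PARENT_R1, i.e. before the IKE SA was ever established) the negotiation died. The sample log below is constructed from the lines quoted in the message; the regexes assume the libreswan 3.x log format shown there.

```python
import re

# Constructed sample: the pluto debug lines quoted above, joined onto single lines.
SAMPLE_LOG = """\
Nov 24 22:05:52.272134: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in complete_v2_state_transition() at ikev2.c:3235)
Nov 24 22:05:52.272145: | #1 complete_v2_state_transition() PARENT_R1 -> PARENT_R1 with status STF_FATAL
Nov 24 22:05:52.272158: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: encountered fatal error in state STATE_PARENT_R1
Nov 24 22:05:52.272227: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: deleting state (STATE_PARENT_R1) aged 0.031s and NOT sending notification
"""

# "#<state> complete_v2_state_transition() <from> -> <to> with status <STF_*>"
TRANSITION = re.compile(
    r'#(\d+) complete_v2_state_transition\(\) (\w+) -> (\w+) with status (\w+)')
# '"<conn>"[<instance>] <peer-ip> #<state>:' prefix of non-debug lines
PEER = re.compile(r'"([^"]+)"\[\d+\] (\d+\.\d+\.\d+\.\d+) #(\d+):')

# Statuses that are not failures (assumption: pluto's STF_* codes).
NON_FAILURE = ("STF_OK", "STF_SUSPEND")


def summarize_failures(log_text):
    """Return {state_no: {from, to, status, conn, peer}} for every IKEv2
    state transition whose status is not STF_OK/STF_SUSPEND."""
    failures = {}
    peers = {}  # state number -> (connection name, peer IP)
    for line in log_text.splitlines():
        m = PEER.search(line)
        if m:
            peers[m.group(3)] = (m.group(1), m.group(2))
        m = TRANSITION.search(line)
        if m and m.group(4) not in NON_FAILURE:
            failures[m.group(1)] = {"from": m.group(2), "to": m.group(3),
                                    "status": m.group(4)}
    # Peer lines may come after the transition line, so attach them last.
    for state_no, info in failures.items():
        info["conn"], info["peer"] = peers.get(state_no, (None, None))
    return failures


if __name__ == "__main__":
    for state_no, info in summarize_failures(SAMPLE_LOG).items():
        print(f"state #{state_no} conn={info['conn']} peer={info['peer']}: "
              f"{info['from']} -> {info['to']} ({info['status']})")
```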