Hi, I've had a lot of success with IPSec/L2TP but have faced some issues. Recently I upgraded from an older OpenSWAN to libreswan implementation and found there is support for IKEv2 connections. I decided to give it a go as it looked quite easy to set up. After following the documentation here: https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 I have so far not been able to get an IKEv2 connection working.
Can someone please shed some light on this? Where did I mess up?

Here's what the log says:

Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: new NAT mapping for #327, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: RSA authentication failed
Nov 10 09:13:01 fw2 pluto[18852]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

My connection definition:

conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=115.70.189.243
    leftcert=motec6.motec.com.au
    leftid=@motec6.motec.com.au
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    rightsendcert=always
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.0.241-192.168.0.252
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns1=10.0.19.13
    modecfgdns2=10.0.18.1
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    #fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes

I have added Subject Alt Names to the certificate for this connection as per documentation:

# certutil -d . -L -n motec6.motec.com.au
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 588 (0x24c)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=shaun.fiel...@motec.com.au,CN=MoTeC CA,OU=R&D,O=MoTeC Pty Ltd,L=Melbourne,ST=Victoria,C=AU"
        Validity:
            Not Before: Mon Nov 09 03:07:42 2015
            Not After : Tue Nov 08 03:07:42 2016
        Subject: "E=author...@motec.com.au,CN=motec6.motec.com.au,OU=IT,O=MoTeC Pty Ltd,L=Melbourne,ST=Victoria,C=AU"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ---redacted---
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Key Usage
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

            Name: Certificate Subject Alt Name
            DNS name: "motec6.motec.com.au"
            IP Address: 115.70.189.243

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        ---redacted---
    Fingerprint (SHA-256):
        ---redacted---
    Fingerprint (SHA1):
        ---redacted---

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Kind regards,

Tom

-- 
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
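As an added triage example (not part of Tom's message and not libreswan code), the following Python script parses pluto log lines of the shape quoted above and reports what the IKEv2 exchange reached before it failed: the negotiated IKE SA proposal and whether it contains legacy algorithms (3DES, SHA-1, MODP1024), the identity the peer asserted versus the identity the responder searched for a key under, any payload that was ignored, and whether authentication failed and the connection instance was deleted. The sample log is constructed to mirror the post, with the peer address replaced by the documentation address 192.0.2.10 and the DN reduced to placeholders; the prefix regex is an assumption that only handles IPv4 peers. The ID_MISMATCH finding is the one to compare first against the connection's rightid/rightca settings, since a DN was presented but the key lookup happened under the IP address.

```python
"""Triage helper for libreswan pluto log lines (added example, not from the post or libreswan)."""
import re

# Syslog prefix written by pluto: timestamp, host, pluto[pid]:, then optionally
# "conn"[instance] peer #sa: before the message. Assumption: IPv4 peers only.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+pluto\[\d+\]:\s+'
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])?\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})'
    r'(?:\s+#(?P<sa>\d+))?:\s+)?'
    r'(?P<msg>.*)$'
)
PROPOSAL_RE = re.compile(r'\{auth=(\S+) cipher=(\S+) integ=(\S+) prf=(\S+) group=(\S+)\}')
PEER_ID_RE = re.compile(r"peer ID is (\S+): '(.*)'$")
NO_KEY_RE = re.compile(r"no RSA public key known for '(.*)'$")
IGNORED_RE = re.compile(r'non-critical payload ignored .*\((\w+)\)')

# Algorithms a defender would want flagged when they show up in an IKE SA proposal.
LEGACY = {'cipher': ('3des',), 'integ': ('sha1',), 'group': ('modp1024', 'modp768')}

# Constructed sample mirroring the post; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: new NAT mapping for #327, was 192.0.2.10:500, now 192.0.2.10:4500
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, O=Example Pty Ltd, CN=Example User'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: no RSA public key known for '192.0.2.10'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10 #327: RSA authentication failed
Nov 10 09:13:01 fw2 pluto[18852]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 192.0.2.10: deleting connection "ikev2-cp" instance with peer 192.0.2.10 {isakmp=#0/ipsec=#0}
"""


def parse(text):
    """Split pluto syslog text into dicts; lines that are not pluto lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def triage(records, conn):
    """Collect what the IKE exchange for one connection name reached before failing."""
    obs = {'proposal': None, 'legacy': [], 'peer_id': None, 'key_lookup': None,
           'ignored_payloads': [], 'auth_failed': False, 'deleted': False}
    for r in records:
        if r['conn'] != conn:
            continue
        msg = r['msg']
        if m := PROPOSAL_RE.search(msg):
            obs['proposal'] = dict(zip(('auth', 'cipher', 'integ', 'prf', 'group'), m.groups()))
            obs['legacy'] = [k for k, bad in LEGACY.items()
                             if any(b in obs['proposal'][k].lower() for b in bad)]
        elif m := PEER_ID_RE.search(msg):
            obs['peer_id'] = {'type': m.group(1), 'value': m.group(2)}
        elif m := NO_KEY_RE.search(msg):
            obs['key_lookup'] = m.group(1)          # identity the responder searched a key under
        elif m := IGNORED_RE.search(msg):
            obs['ignored_payloads'].append(m.group(1))
        elif 'authentication failed' in msg:
            obs['auth_failed'] = True
        elif msg.startswith('deleting connection'):
            obs['deleted'] = True
    return obs


def findings(obs):
    """Turn observations into stable finding codes, in the order a reviewer would read them."""
    out = []
    if obs['peer_id'] and obs['key_lookup'] and obs['key_lookup'] != obs['peer_id']['value']:
        out.append('ID_MISMATCH')       # key looked up under a different identity than asserted
    if obs['legacy']:
        out.append('LEGACY_PROPOSAL')   # 3DES / SHA-1 / MODP1024-class algorithms negotiated
    if obs['ignored_payloads']:
        out.append('IGNORED_PAYLOAD')   # e.g. a v2CP configuration payload not processed
    if obs['auth_failed']:
        out.append('AUTH_FAILED')
    return out


if __name__ == '__main__':
    o = triage(parse(SAMPLE_LOG), 'ikev2-cp')
    for f in findings(o):
        print(f)
    print('peer asserted:', o['peer_id'], '| key searched under:', o['key_lookup'])
```

Feed it the real log with `triage(parse(open('/var/log/secure').read()), 'ikev2-cp')` (path is an assumption; pluto logs wherever syslog routes it) and read the finding codes top to bottom: an ID_MISMATCH together with AUTH_FAILED points at identity and CA matching rather than at the cipher proposal, which is a separate, LEGACY_PROPOSAL-flagged concern.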