Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Tom Robinson Wed, 11 Nov 2015 13:21:07 -0800

Hi Matt,

Thanks for your response.


On 12/11/15 01:15, Matt Rogers wrote:
> You should set rightid=%fromcert so it will use the received cert subject
> as the ID here.
> 

I've added rightid=%fromcert to the connection but it still fails as follows:

Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition 
from state
STATE_IKEv2_START to state STATE_PARENT_R1
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: 
STATE_PARENT_R1: received v2I1,
sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha 
group=MODP1024}
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT 
mapping for #3330, was
165.228.94.4:500, now 165.228.94.4:4500
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: 
non-critical payload ignored
because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at 
the outermost level
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode 
peer ID is
ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson,
E=thomas.robin...@motec.com.au'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from 
issuer "C=AU,
ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, 
E=shaun.fiel...@motec.com.au" found
(strict=no)
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA 
public key known for
'%fromcert'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA 
authentication failed
Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned 
STF_FATAL
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting 
connection "ikev2-cp"
instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

Do I need to add all the keys for issued roadwarrior certificates on the server?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au

signature.asc
Description: OpenPGP digital signature

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan

Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

Reply via email to