Hi Matt,

Thanks for your response.

On 12/11/15 01:15, Matt Rogers wrote:
> You should set rightid=%fromcert so it will use the received cert subject
> as the ID here.
>

I've added rightid=%fromcert to the connection but it still fails as follows:

Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

Do I need to add all the keys for issued roadwarrior certificates on the server?

Kind regards,
Tom

--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan