On 12/11/15 08:20, Tom Robinson wrote:
> Hi Matt,
> 
> Thanks for your response.
> 
> On 12/11/15 01:15, Matt Rogers wrote:
>> You should set rightid=%fromcert so it will use the received cert subject
>> as the ID here.
>>
> 
> I've added rightid=%fromcert to the connection but it still fails as follows:
> 
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
> Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
> 
> Do I need to add all the keys for issued roadwarrior certificates on the server?
> 

Anyone have any clues about the above?

Also, is it possible to have l2tp and ikev2 connection definitions on the same VPN server? In my tests I've noticed that sometimes the l2tp connection responds to the client's IKEv2 connection request.

Kind regards,
Tom


-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au
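For reference, the shape of a certificate-authenticated IKEv2 roadwarrior connection in libreswan's ipsec.conf that uses the `%fromcert` IDs from the quoted advice. This is an added example, not the poster's configuration; the certificate nickname, subnets and address pool are assumptions.

```ini
# Added example (not the poster's configuration): certificate-authenticated
# IKEv2 roadwarrior connection; nickname, subnets and pool are assumed values.
conn ikev2-cp
    ikev2=insist
    authby=rsasig
    # Server side: the server certificate is loaded in the NSS database under
    # this nickname, the local ID is taken from its subject, and the
    # certificate is always sent to the client.
    left=%defaultroute
    leftcert=vpn-server-cert
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Client side: accept any source address, identify the peer by the subject
    # DN of the certificate it presents, and require that certificate to chain
    # to the same CA that issued the server certificate.
    right=%any
    rightid=%fromcert
    rightca=%same
    rightaddresspool=10.99.0.10-10.99.0.250
    narrowing=yes
    auto=add
```

With `rightca` and `rightid=%fromcert`, the server validates each client certificate against the issuing CA certificate held in its NSS database rather than against per-client keys listed in ipsec.conf.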


_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan