----- Original Message -----
> From: "Tom Robinson" <tom.robin...@motec.com.au>
> To: swan@lists.libreswan.org
> Sent: Thursday, November 12, 2015 4:24:10 PM
> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
>
> On 12/11/15 08:20, Tom Robinson wrote:
> > Hi Matt,
> >
> > Thanks for your response.
> >
> > On 12/11/15 01:15, Matt Rogers wrote:
> >> You should set rightid=%fromcert so it will use the received cert subject
> >> as the ID here.
> >>
> >
> > I've added rightid=%fromcert to the connection but it still fails as
> > follows:
> >
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'

Is this a much older version of libreswan? This looks like what would happen before we supported using %fromcert on the remote ID. Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*'; that should cover this cert and others from the CA.

> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
> > Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
> >
> > Do I need to add all the keys for issued roadwarrior certificates on the
> > server?
> >
> > Anyone have any clues about the above?
>
> Also, is it possible to have l2tp and ikev2 connection definitions on the
> same VPN server? In my tests I've noticed that sometimes the l2tp connection
> responds to the client's IKEv2 connection request.
>
> Kind regards,
> Tom
>
> --
> Tom Robinson
> IT Manager/System Administrator
>
> MoTeC Pty Ltd
>
> 121 Merrindale Drive
> Croydon South
> 3136 Victoria
> Australia
>
> T: +61 3 9761 5050
> F: +61 3 9761 5051
> E: tom.robin...@motec.com.au
>
> _______________________________________________
> Swan mailing list
> Swan@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
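As an added illustration of the suggested fix (not libreswan's own matcher, which lives in pluto's C code): a simplified DN comparison that shows why a rightid with wildcard values covers every certificate the CA issues with the same fixed RDNs, while a literal '%fromcert' that the peer's version does not understand can never equal a real DN. The DN strings are the ones from the log and the reply; the equal-RDN-count and in-order rules are assumptions of this toy matcher.

```python
from typing import List, Tuple

# Peer ID as reported in the pluto log above.
PEER_DN = ("C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, "
           "CN=Thomas Robinson, E=thomas.robin...@motec.com.au")
# Pattern suggested in the reply.
RIGHTID_PATTERN = "C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=AU, ST=Victoria, ...' into ordered (attribute, value) pairs.
    Assumes values contain no escaped commas, true for the DNs in the thread."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(peer_dn: str, rightid: str) -> bool:
    """True when every RDN of rightid matches the peer DN, attribute by
    attribute and in order; a value of '*' accepts any value for that
    attribute. A rightid starting with '%' is a keyword, not a DN, so an
    unsupported keyword such as '%fromcert' never matches (this is the
    "no RSA public key known for '%fromcert'" failure from the log)."""
    if rightid.startswith("%"):
        return False
    peer = parse_dn(peer_dn)
    pattern = parse_dn(rightid)
    if len(peer) != len(pattern):
        return False
    for (pa, pv), (ra, rv) in zip(peer, pattern):
        if pa != ra:
            return False
        if rv != "*" and pv != rv:
            return False
    return True
```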