On 14/11/15 01:50, Matt Rogers wrote:
> ----- Original Message -----
>> From: "Tom Robinson" <tom.robin...@motec.com.au>
>> To: swan@lists.libreswan.org
>> Sent: Thursday, November 12, 2015 4:24:10 PM
>> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
>>
>> On 12/11/15 08:20, Tom Robinson wrote:
>>> Hi Matt,
>>>
>>> Thanks for your response.
>>>
>>> On 12/11/15 01:15, Matt Rogers wrote:
>>>> You should set rightid=%fromcert so it will use the received cert subject as the ID here.
>>>>
>>>
>>> I've added rightid=%fromcert to the connection but it still fails as follows:
>>>
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
>
> Is this a much older version of libreswan? This looks like what would happen before we supported using %fromcert on the remote ID.

My apologies, I should have said earlier. We're running libreswan-3.9-1 on CentOS 5.

> Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*' that should cover this cert and others from the CA.

Interestingly, our current IPSec/L2TP roadwarrior (which I recently migrated from an older OpenSWAN install) uses this:

rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*"

Prior to receiving your email I already tried the above rightid for the ikev2-cp connection but got a very similar log output to when I had rightid=%fromcert:

Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: new NAT mapping for #1835, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: RSA authentication failed
Nov 13 15:47:04 fw2 pluto[12924]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

The main difference is (with rightid=%fromcert) it used to say:

no RSA public key known for '%fromcert'

and now (with rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*") it says:

no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*'

I'm still missing something here. What does 'no RSA public key known' actually mean? Isn't the public key sent as part of the client certificate?

Kind regards,

Tom
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
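To make the pluto output above easier to read when diagnosing this kind of failure, here is an added Python example (not from the thread and not libreswan code) that pulls the peer certificate DN and the ID used for the key lookup out of pluto lines like those quoted, and checks whether a wildcard rightid such as `C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*` matches the peer's DN at all. The DN matching rule is a simplified approximation of libreswan's wildcard comparison (an assumption, not its real implementation), and the sample log lines are constructed from the ones in the message above.

```python
import re

# Sample pluto lines, constructed from the ones quoted in the thread above
# (the e-mail address is elided exactly as in the list archive).
PLUTO_LOG = """\
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: RSA authentication failed
"""

PEER_ID_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
                        r"IKEv2 mode peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")
NO_KEY_RE = re.compile(r"#(?P<sa>\d+): no RSA public key known for '(?P<id>[^']+)'")
AUTH_FAIL_RE = re.compile(r"#(?P<sa>\d+): RSA authentication failed")

def parse_dn(dn):
    """Split 'C=AU, ST=Victoria, ...' into ordered (attribute, value) pairs.
    Assumes no RDN value itself contains ', ' (true for the DNs in the thread)."""
    return [tuple(part.partition("=")[::2]) for part in dn.split(", ")]

def dn_matches(pattern, dn):
    """Simplified wildcard match (assumption: an approximation of libreswan's
    rule): same attributes in the same order, each pattern value equal or '*'."""
    p, d = parse_dn(pattern), parse_dn(dn)
    return len(p) == len(d) and all(
        pa == da and pv in ("*", dv) for (pa, pv), (da, dv) in zip(p, d))

def ikev2_auth_failures(log):
    """Correlate, per IKE SA, the peer's certificate DN, the ID under which
    pluto looked for a key, and whether that ID matches the DN at all, so an
    ID mismatch can be ruled in or out as the cause of the failure."""
    by_sa = {}
    for line in log.splitlines():
        if m := PEER_ID_RE.search(line):
            by_sa.setdefault(m["sa"], {}).update(
                conn=m["conn"], peer=m["peer"], peer_dn=m["dn"])
        elif m := NO_KEY_RE.search(line):
            by_sa.setdefault(m["sa"], {})["lookup_id"] = m["id"]
        elif m := AUTH_FAIL_RE.search(line):
            by_sa.setdefault(m["sa"], {})["failed"] = True
    failures = []
    for sa, info in sorted(by_sa.items()):
        if not info.get("failed"):
            continue
        lookup = info.get("lookup_id", "")
        # %fromcert is not a DN pattern, so there is nothing to compare.
        info["id_matches_dn"] = (lookup != "%fromcert"
                                 and dn_matches(lookup, info.get("peer_dn", "")))
        failures.append(dict(sa=sa, **info))
    return failures
```

Run against the constructed lines, the single failed SA reports `id_matches_dn` as True, which is consistent with the thread's observation that changing rightid from %fromcert to the wildcard DN changed only the ID echoed in the message, not the outcome.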