On 14/11/15 01:50, Matt Rogers wrote:
> ----- Original Message -----
>> From: "Tom Robinson" <tom.robin...@motec.com.au>
>> To: swan@lists.libreswan.org
>> Sent: Thursday, November 12, 2015 4:24:10 PM
>> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA 
>> authentication failed"
>>
>> On 12/11/15 08:20, Tom Robinson wrote:
>>> Hi Matt,
>>>
>>> Thanks for your response.
>>>
>>> On 12/11/15 01:15, Matt Rogers wrote:
>>>> You should set rightid=%fromcert so it will use the received cert subject
>>>> as the ID here.
>>>>
>>>
>>> I've added rightid=%fromcert to the connection but it still fails as
>>> follows:
>>>
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
>>> transition from state
>>> STATE_IKEv2_START to state STATE_PARENT_R1
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
>>> STATE_PARENT_R1: received v2I1,
>>> sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha
>>> group=MODP1024}
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT
>>> mapping for #3330, was
>>> 165.228.94.4:500, now 165.228.94.4:4500
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330:
>>> non-critical payload ignored
>>> because it contains an unknown or unexpected payload type
>>> (ISAKMP_NEXT_v2CP) at the outermost level
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2
>>> mode peer ID is
>>> ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas
>>> Robinson,
>>> E=thomas.robin...@motec.com.au'
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl
>>> from issuer "C=AU,
>>> ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA,
>>> E=shaun.fiel...@motec.com.au" found
>>> (strict=no)
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA
>>> public key known for
>>> '%fromcert'
> 
> Is this a much older version of libreswan? This looks like what would happen
> before we supported using %fromcert on the remote ID. 

My apologies, I should have said earlier. We're running libreswan-3.9-1
on CentOS 5.

> 
> Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*'
> that should cover this cert and others from the CA.

Interestingly, our current IPSec/L2TP roadwarrior (which I recently
migrated from an older OpenSWAN install) uses this:

rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*"

Prior to receiving your email I already tried the above rightid for the
ikev2-cp connection but got a very similar log output to when I had
rightid=%fromcert:

Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: new
NAT mapping for #1835, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
non-critical payload ignored because it contains an unknown or
unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835:
IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty
Ltd, OU=R&D, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: no
RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*,
CN=*, E=*'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: RSA
authentication failed
Nov 13 15:47:04 fw2 pluto[12924]: | ikev2_parent_inI2outR2_tail returned
STF_FATAL
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4: deleting
connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

The main difference is (with rightid=%fromcert) it used to say:

no RSA public key known for '%fromcert'

and now (with rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*,
E=*") it says:

no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*,
CN=*, E=*'

I'm still missing something here. What does 'no RSA public key known'
actually mean? Isn't the public key sent as part of the client certificate?

Kind regards,
Tom
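To make the DN wildcard discussion above concrete, here is a small added triage helper (my own example, not code from libreswan or from either poster). It pulls the peer ID and the "no RSA public key known for" subject out of pluto log lines like the ones quoted in this thread, and checks whether a rightid pattern would match the peer's certificate DN under a simplified, assumed model: RDNs compared in order, same count required, and `*` matching any whole value. That model is my assumption about the intended semantics, not libreswan's actual matching code; the sample log lines are the thread's own, re-joined onto single lines.

```python
import re
from typing import Dict, List, Tuple

# Sample input: three log lines from the thread above, unwrapped (constructed input).
SAMPLE_LOG = [
    "Nov 13 15:47:04 fw2 pluto[12924]: \"ikev2-cp\"[1] 165.228.94.4 #1835: IKEv2 mode "
    "peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, "
    "CN=Thomas Robinson, E=thomas.robin...@motec.com.au'",
    "Nov 13 15:47:04 fw2 pluto[12924]: \"ikev2-cp\"[1] 165.228.94.4 #1835: no RSA public "
    "key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*'",
    "Nov 13 15:47:04 fw2 pluto[12924]: \"ikev2-cp\"[1] 165.228.94.4 #1835: RSA "
    "authentication failed",
]

# The rightid values discussed in the thread.
RIGHTID_TOM = "C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*"
RIGHTID_MATT = "C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=*, E=*"

PEER_ID_RE = re.compile(r"IKEv2 mode peer ID is ID_DER_ASN1_DN: '([^']*)'")
NO_KEY_RE = re.compile(r"no RSA public key known for '([^']*)'")

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=AU, ST=Victoria, ...' into ordered (type, value) pairs.

    Assumes values contain no unescaped commas, which holds for the DNs in
    the thread; a general RFC 4514 parser would need escape handling.
    """
    rdns: List[RDN] = []
    for part in re.split(r",\s*", dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(pattern: str, subject: str) -> bool:
    """Assumed wildcard model: same RDN count, same attribute types in the
    same order, and each pattern value is either '*' or equal to the subject's.
    This is NOT libreswan's implementation, only an illustration of the idea.
    """
    pat, sub = parse_dn(pattern), parse_dn(subject)
    if len(pat) != len(sub):
        return False
    return all(pa == sa and (pv == "*" or pv == sv)
               for (pa, pv), (sa, sv) in zip(pat, sub))


def triage(log_lines: List[str], rightid: str) -> Dict[str, object]:
    """Extract peer IDs and key-lookup subjects from pluto log lines and report
    whether the configured rightid would match each presented peer ID, and
    whether the key lookup was done on the literal rightid string (pattern or
    %fromcert) rather than on the peer's DN, which is what the thread observes.
    """
    peer_ids: List[str] = []
    no_key_for: List[str] = []
    for line in log_lines:
        m = PEER_ID_RE.search(line)
        if m:
            peer_ids.append(m.group(1))
        m = NO_KEY_RE.search(line)
        if m:
            no_key_for.append(m.group(1))
    lookup_by_literal = any(s == "%fromcert" or "*" in s for s in no_key_for)
    return {
        "peer_ids": peer_ids,
        "rightid_matches_peer": [dn_matches(rightid, pid) for pid in peer_ids],
        "no_key_for": no_key_for,
        "lookup_by_literal_pattern": lookup_by_literal,
    }


if __name__ == "__main__":
    for name, rid in (("tom", RIGHTID_TOM), ("matt", RIGHTID_MATT)):
        print(name, triage(SAMPLE_LOG, rid))
```

Running it against the quoted lines shows both rightid patterns matching the presented peer DN, while the "no RSA public key known for" lookup was performed on the literal wildcard string, which is the mismatch the message above is asking about.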
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan