Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-14 Thread Tom Robinson
On 14/11/15 01:50, Matt Rogers wrote:
> ----- Original Message -----
>> From: "Tom Robinson" 
>> To: swan@lists.libreswan.org
>> Sent: Thursday, November 12, 2015 4:24:10 PM
>> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA 
>> authentication failed"
>>
>> On 12/11/15 08:20, Tom Robinson wrote:
>>> Hi Matt,
>>>
>>> Thanks for your response.
>>>
>>> On 12/11/15 01:15, Matt Rogers wrote:
>>>> You should set rightid=%fromcert so it will use the received cert subject
>>>> as the ID here.

>>>
>>> I've added rightid=%fromcert to the connection but it still fails as
>>> follows:
>>>
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
> 
> Is this a much older version of libreswan? This looks like what would happen
> before we supported using %fromcert on the remote ID. 

My apologies, I should have said earlier. We're running libreswan-3.9-1
on CentOS 5.

> 
> Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=*, E=*';
> that should cover this cert and others from the CA.

Interestingly, our current IPSec/L2TP roadwarrior (which I recently
migrated from an older OpenSWAN install) uses this:

rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*"

Prior to receiving your email I already tried the above rightid for the
ikev2-cp connection but got a very similar log output to when I had
rightid=%fromcert:

Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: new NAT mapping for #1835, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: RSA authentication failed
Nov 13 15:47:04 fw2 pluto[12924]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

The main difference is that (with rightid=%fromcert) it used to say:

no RSA public key known for '%fromcert'

and now (with rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*,
E=*") it says:

no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*,
CN=*, E=*'

I'm still missing something here. What does 'no RSA public key known'
actually mean? Isn't the public key sent as part of the client certificate?

Kind regards,
Tom
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
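A small diagnostic over pluto log lines, added here as an example and not part of the thread or of libreswan: it pairs each IKE SA's announced peer DN with the ID string the "no RSA public key known for" lookup used and reports whether the configured rightid pattern covers that DN, so a plain ID mismatch can be told apart from the case in this thread, where the pattern matches the peer DN yet the key is still looked up by ID string instead of being taken from the received certificate. The wildcard semantics (`*` matches any value, attributes compared in order), the DN parser and the sample log lines are assumptions modelled on the rightid syntax and output quoted above.

```python
import re
# Constructed pluto log excerpt modelled on the output quoted in the thread;
# addresses, names and SA numbers are invented for this example.
SAMPLE_LOG = """\
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 192.0.2.10 #1835: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=Example Pty Ltd, OU=R, CN=Test User, E=user@example.com'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 192.0.2.10 #1835: no RSA public key known for 'C=AU, ST=Victoria, O=Example Pty Ltd, OU=*, CN=*, E=*'
Nov 13 15:47:09 fw2 pluto[12924]: "ikev2-cp"[2] 192.0.2.11 #1836: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=Other Corp, OU=R, CN=Other User, E=other@example.net'
Nov 13 15:47:09 fw2 pluto[12924]: "ikev2-cp"[2] 192.0.2.11 #1836: no RSA public key known for 'C=AU, ST=Victoria, O=Example Pty Ltd, OU=*, CN=*, E=*'
"""
LINE_RE = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'")
NO_KEY_RE = re.compile(r"no RSA public key known for '(?P<id>[^']*)'")

def parse_dn(dn):
    """Split 'C=AU, ST=Victoria, ...' into ordered (attr, value) pairs.
    Assumes no commas inside values (true of the DNs in the thread)."""
    return [tuple(s.strip() for s in rdn.partition('=')[::2]) for rdn in dn.split(',')]

def dn_matches(pattern, dn):
    """A rightid pattern covers a DN when attributes line up in order and each
    pattern value equals the DN value or is '*' (wildcard semantics assumed)."""
    pat, got = parse_dn(pattern), parse_dn(dn)
    return len(pat) == len(got) and all(
        pa == ga and pv in ('*', gv) for (pa, pv), (ga, gv) in zip(pat, got))

def classify(rec):
    """Explain one SA from its peer DN and the ID string the key lookup used."""
    if rec['lookup_id'] is None:
        return 'no key lookup failure'
    if rec['lookup_id'] == '%fromcert':
        return 'literal %fromcert used as key ID: peer ID not taken from the cert'
    if rec['peer_dn'] and dn_matches(rec['lookup_id'], rec['peer_dn']):
        return 'rightid covers peer DN; key looked up by ID rather than taken from cert'
    return 'peer DN not covered by rightid: ID mismatch'

def analyse_pluto_log(text):
    """Group log lines by IKE SA number and attach a verdict to each."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = sas.setdefault(m['sa'], {'peer': m['peer'], 'peer_dn': None, 'lookup_id': None})
        if pid := PEER_ID_RE.search(m['msg']):
            rec['peer_dn'] = pid['dn']
        elif nk := NO_KEY_RE.search(m['msg']):
            rec['lookup_id'] = nk['id']
    for rec in sas.values():
        rec['verdict'] = classify(rec)
    return sas
```

Running `analyse_pluto_log(SAMPLE_LOG)` yields a "rightid covers peer DN" verdict for SA #1835 (the situation in this thread) and an "ID mismatch" verdict for SA #1836, whose organisation differs from the pattern.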


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-14 Thread Tuomo Soini
On Sat, 14 Nov 2015 21:56:54 +1100
Tom Robinson  wrote:


> My apologies, I should have said earlier. We're running
> libreswan-3.9-1 on CentOS 5.

That is far too old a version. It doesn't have any support for this
config. Upgrade to 3.13, which is the last version that will work on
centos-5.

I'd advise you to upgrade to centos-7, where libreswan is standard.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-14 Thread Tom Robinson
On 14/11/15 22:58, Tuomo Soini wrote:
> On Sat, 14 Nov 2015 21:56:54 +1100
> Tom Robinson  wrote:
> 
> 
>> My apologies, I should have said earlier. We're running
>> libreswan-3.9-1 on CentOS 5.
> 
> That is far too old a version. It doesn't have any support for this
> config. Upgrade to 3.13, which is the last version that will work on
> centos-5.
> 
> I'd advise you to upgrade to centos-7, where libreswan is standard.
> 
Thanks Tuomo,

I have to support this older system for a few months more. I'm already
configuring a centos-7 replacement. I'll give 3.13 a try on centos-5
when I get a chance to compile it.

My other question was about having both IKEv2 and IPSec/L2TP connection
definitions on the same VPN server. Is that possible on 3.13 (or any
version)? I noticed that my L2TP connection sometimes responded to the
IKEv2 client request.

Kind regards,
Tom


Re: [Swan] subnet to subnet IPv6 very slow

2015-11-14 Thread James Fromm
Thank you for testing the scenario and confirming our findings.  For now, we're 
going to run ipv6 in ipv6.  The only reason I was trying to use ipv4 for the 
tunnel is because many of the server providers we've contacted, especially in 
South America and Asian locations, do not provide any SLA on ipv6.

Thanks,
James

On November 14, 2015 2:51:19 PM MST, Tuomo Soini  wrote:
>On Sat, 14 Nov 2015 13:03:50 +0900
>Paul Wouters  wrote:
>
>> You can try esp=aes_gcm128-null which is the fastest good crypto algo
>> to use but I'm not sure if that is your real problem 
>
>I don't think that's the problem. There is some huge performance
>bottleneck in the kernel when running ipv6 in ipv4 with the xfrm/netkey
>ipsec stack. On my quick test it showed exactly the same type of
>performance problem.
>
>-- 
>Tuomo Soini 
>Foobar Linux services
>+358 40 5240030
>Foobar Oy 