Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-15 Thread Tom Robinson
On 16/11/15 11:05, Tom Robinson wrote:
> On 15/11/15 01:50, Tom Robinson wrote:
>> On 14/11/15 22:58, Tuomo Soini wrote:
>>> On Sat, 14 Nov 2015 21:56:54 +1100
>>> Tom Robinson  wrote:
>>>
>>>
>>>> My apologies, I should have said earlier. We're running
>>>> libreswan-3.9-1 on CentOS 5.
>>>
>>> That is far too old a version. It doesn't have any support for this
>>> config. Upgrade to 3.13 which is the last version which will work on
>>> centos-5.
>>>
>>> I'd advise you to upgrade to centos-7 where libreswan is standard.
>>>
>> Thanks Tuomo,
>>
>> I have to support this older system for a few months more. I'm already
>> configuring a centos-7 replacement. I'll give 3.13 a try on centos-5
>> when I get a chance to compile it.
>>
> 
> I have compiled 3.13 and that is now working. Thanks for all the comments and 
> help.
> 
> I still have an issue though as I'm unable to find a good reference for 
> firewalling/routing.
> 
> Can anyone point me in the right direction please?
> 
> The problem now is that after connection is established, the VPN client gets
> assigned an address from the addresspool= connection setting but it fails to
> contact the internal subnet. Does the addresspool subnet range have to be a
> different subnet from the internal subnet? How is routing handled?
> 
> I have:
> rightaddresspool=192.168.0.241-192.168.0.252
> 
> but my internal network is also 192.168.0.0/24
> 
> The above combination worked with IPSec/L2TP where xl2tpd assigned a pppd
> interface with an address from the 192.168.0.241-192.168.0.252 pool
> (xl2tpd.conf has 'ip range = 192.168.0.241-192.168.0.252'). That worked fine
> as the ppp? interface would come up and be found in arp requests. With IKEv2,
> I'm seeing arp requests for an address that has no interface.
> 
> Is it firewalling, routing or the libreswan connection that needs adjusting here?

I've done some testing with a different subnet in rightaddresspool and (with
the correct firewall adjustments) that all appears to be working now.

Kind regards,
Tom
-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au



___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
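The ARP symptom described in the quoted question follows from how an IKEv2 addresspool differs from the L2TP/pppd setup: pluto hands the client an address and installs IPsec policy for it, but no interface on the gateway carries that address, so a LAN host resolving 192.168.0.241 gets no ARP reply unless the gateway proxy-ARPs for it (pppd normally adds that proxy ARP entry itself, which is why the ppp? interface "would be found in arp requests"). Keeping the pool disjoint from the LAN and routing/forwarding it, as Tom ended up doing, sidesteps the problem. The block below is an added Python example, not libreswan code: it lints a conn for a pool that overlaps a leftsubnet/rightsubnet and, for a disjoint pool, emits the CIDR blocks a FORWARD or NAT rule would need. The conn text is constructed from the values in the thread, the parser handles only key=value lines of a single conn section, and the function names are the example's own.

```python
"""Lint a libreswan conn for an IKEv2 addresspool that overlaps the LAN it is
meant to reach. Added example, not libreswan code. CONN_TEXT is constructed
from the values posted in the thread; parsing is deliberately limited to the
'key=value' lines of one conn section."""
import ipaddress

CONN_TEXT = """\
conn ikev2-cp
    leftsubnet=192.168.0.0/24
    rightaddresspool=192.168.0.241-192.168.0.252
"""


def parse_conn(text):
    """Return {option: value} for one conn section, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def parse_pool(spec):
    """'first-last' -> (first, last) addresses; rejects reversed or mixed-family ranges."""
    first, sep, last = spec.partition("-")
    if not sep:
        raise ValueError("addresspool must be 'first-last': %r" % spec)
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip())
    if lo.version != hi.version or hi < lo:
        raise ValueError("bad addresspool range: %r" % spec)
    return lo, hi


def pool_cidrs(lo, hi):
    """Smallest set of CIDR blocks covering the pool, the form iptables/nft
    forwarding or NAT rules for the client addresses want."""
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def pool_overlaps(lo, hi, subnet):
    """True if any address of the pool [lo, hi] lies inside subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    if lo.version != net.version:
        return False
    return lo <= net[-1] and hi >= net[0]


def lint_conn(text):
    """Return a list of findings; an empty list means the pool is disjoint from
    every subnet option in the conn."""
    opts = parse_conn(text)
    if "rightaddresspool" not in opts:
        return ["no rightaddresspool= in conn"]
    lo, hi = parse_pool(opts["rightaddresspool"])
    findings = []
    for key in ("leftsubnet", "rightsubnet"):
        if key in opts and pool_overlaps(lo, hi, opts[key]):
            findings.append(
                "rightaddresspool %s overlaps %s=%s: pool addresses exist only as "
                "IPsec policy on the gateway, not on an interface, so LAN hosts' ARP "
                "for them goes unanswered; either enable proxy ARP on the LAN "
                "interface or move the pool to a disjoint range and route it"
                % (opts["rightaddresspool"], key, opts[key]))
    return findings


if __name__ == "__main__":
    for finding in lint_conn(CONN_TEXT) or ["ok: pool is disjoint"]:
        print(finding)
    print("pool CIDRs:", pool_cidrs(*parse_pool("192.168.0.241-192.168.0.252")))
```

Run against the thread's conn the lint reports the overlap; with the pool moved to a range outside 192.168.0.0/24 it reports nothing, and pool_cidrs() gives the blocks to reference in the forwarding rules Tom refers to as "the correct firewall adjustments".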


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-14 Thread Tom Robinson
On 14/11/15 01:50, Matt Rogers wrote:
> - Original Message -
>> From: "Tom Robinson" <tom.robin...@motec.com.au>
>> To: swan@lists.libreswan.org
>> Sent: Thursday, November 12, 2015 4:24:10 PM
>> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
>>
>> On 12/11/15 08:20, Tom Robinson wrote:
>>> Hi Matt,
>>>
>>> Thanks for your response.
>>>
>>> On 12/11/15 01:15, Matt Rogers wrote:
>>>> You should set rightid=%fromcert so it will use the received cert subject
>>>> as the ID here.
>>>>
>>>
>>> I've added rightid=%fromcert to the connection but it still fails as
>>> follows:
>>>
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
>>> Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
> 
> Is this a much older version of libreswan? This looks like what would happen
> before we supported using %fromcert on the remote ID. 

My apologies, I should have said earlier. We're running libreswan-3.9-1
on CentOS 5.

> 
> Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=*, E=*'
> that should cover this cert and others from the CA.

Interestingly, our current IPSec/L2TP roadwarrior (which I recently
migrated from an older OpenSWAN install) uses this:

rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*"

Prior to receiving your email I already tried the above rightid for the
ikev2-cp connection but got a very similar log output to when I had
rightid=%fromcert:

Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: new NAT mapping for #1835, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*'
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4 #1835: RSA authentication failed
Nov 13 15:47:04 fw2 pluto[12924]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 13 15:47:04 fw2 pluto[12924]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

The main difference is (with rightid=%fromcert) it used to say :

no RSA public key known for '%fromcert'

and now (with rightid="C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*,
E=*") it says:

no RSA public key known for 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*,
CN=*, E=*'

I'm still missing something here. What does 'no RSA public key known'
actually mean? Isn't the public key sent as part of the client certificate?

Kind regards,
Tom


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-14 Thread Tuomo Soini
On Sat, 14 Nov 2015 21:56:54 +1100
Tom Robinson  wrote:


> My apologies, I should have said earlier. We're running
> libreswan-3.9-1 on CentOS 5.

That is far too old a version. It doesn't have any support for this
config. Upgrade to 3.13 which is the last version which will work on
centos-5.

I'd advise you to upgrade to centos-7 where libreswan is standard.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-14 Thread Tom Robinson
On 14/11/15 22:58, Tuomo Soini wrote:
> On Sat, 14 Nov 2015 21:56:54 +1100
> Tom Robinson  wrote:
> 
> 
>> My apologies, I should have said earlier. We're running
>> libreswan-3.9-1 on CentOS 5.
> 
> That is far too old a version. It doesn't have any support for this
> config. Upgrade to 3.13 which is the last version which will work on
> centos-5.
> 
> I'd advise you to upgrade to centos-7 where libreswan is standard.
> 
Thanks Tuomo,

I have to support this older system for a few months more. I'm already
configuring a centos-7 replacement. I'll give 3.13 a try on centos-5
when I get a chance to compile it.

My other question was about having both IKEv2 and IPSec/L2TP connection
definitions on the same VPN server. Is that possible on 3.13 (or any
version)? I noticed that my L2TP connection sometimes responded to the
IKEv2 client request.

Kind regards,
Tom


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-13 Thread Matt Rogers
- Original Message -
> From: "Tom Robinson" <tom.robin...@motec.com.au>
> To: swan@lists.libreswan.org
> Sent: Thursday, November 12, 2015 4:24:10 PM
> Subject: Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"
> 
> On 12/11/15 08:20, Tom Robinson wrote:
> > Hi Matt,
> > 
> > Thanks for your response.
> > 
> > On 12/11/15 01:15, Matt Rogers wrote:
> >> You should set rightid=%fromcert so it will use the received cert subject
> >> as the ID here.
> >>
> > 
> > I've added rightid=%fromcert to the connection but it still fails as
> > follows:
> > 
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'

Is this a much older version of libreswan? This looks like what would happen
before we supported using %fromcert on the remote ID. 

Try with rightid='C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=*, E=*'
that should cover this cert and others from the CA.

> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
> > Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
> > Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}
> > 
> > Do I need to add all the keys for issued roadwarrior certificates on the
> > server?
> > 
> 
> Anyone have any clues about the above?
> 
> Also, is it possible to have l2tp and ikev2 connection definitions on the
> same VPN server? In my tests I've noticed that sometimes the l2tp connection
> responds to the client's IKEv2 connection request.
> 
> Kind regards,
> Tom
> 
> 
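The rightid pattern Matt suggests works because pluto compares the peer ID it logs as ID_DER_ASN1_DN (the client certificate's subject) against the rightid DN one RDN at a time, with '*' standing for any value in that RDN. The block below is an added Python example, not libreswan's own match_dn(), that approximates this matching in a simplified form (same number of RDNs, same attribute types in the same order, exact value comparison) and shows why 'OU=R, CN=*, E=*' is more specific than the L2TP conn's 'OU=*, CN=*, E=*': fewer wildcards, which is what lets a server with several conns pick the narrowest one. The peer DN is copied from the log as the archive prints it (the address is masked there), the conn table is constructed, and parse_dn, match_dn and select_conn are the example's own names. One caveat a practitioner should keep in mind: a wildcard rightid only narrows which certificates under the trusted CA are accepted, it does not verify them; the "no crl from issuer ... found (strict=no)" line in the log means a revoked client certificate with a matching subject would still pass this filter until a CRL is loaded.

```python
"""Approximation of how a rightid= DN pattern is matched against the peer's
certificate subject: RDN by RDN, in order, with '*' matching any value.
Added example, not libreswan code; the real comparison also deals with ASN.1
string types, which is simplified to plain string equality here."""


def parse_dn(dn):
    """Split 'C=AU, ST=Victoria, ...' into a list of (attribute, value) pairs.
    A backslash escapes the next character, so 'CN=Doe\\, John' is one RDN."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def match_dn(pattern, peer_dn):
    """Return (matched, wildcard_count). The pattern must have the same number
    of RDNs with the same attribute types in the same order; a pattern value of
    '*' matches anything and is counted, any other value must match exactly."""
    pat, sub = parse_dn(pattern), parse_dn(peer_dn)
    if len(pat) != len(sub):
        return False, 0
    wildcards = 0
    for (p_attr, p_val), (s_attr, s_val) in zip(pat, sub):
        if p_attr != s_attr:
            return False, 0
        if p_val == "*":
            wildcards += 1
        elif p_val != s_val:
            return False, 0
    return True, wildcards


def select_conn(conns, peer_dn):
    """Pick the conn whose rightid matches with the fewest wildcards, i.e. the
    most specific one. conns maps conn name -> rightid pattern. Returns None
    when nothing matches, which is the case that ends in an authentication failure."""
    best = None
    for name, pattern in conns.items():
        matched, wildcards = match_dn(pattern, peer_dn)
        if matched and (best is None or wildcards < best[1]):
            best = (name, wildcards)
    return best[0] if best else None


# Peer ID exactly as pluto logged it in the thread (the archive masks the address).
PEER_DN = ("C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, "
           "E=thomas.robin...@motec.com.au")

# Constructed conn table: Matt's suggested pattern beside the broader L2TP one.
CONNS = {
    "ikev2-cp": "C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=*, E=*",
    "l2tp-any": "C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=*, CN=*, E=*",
}

if __name__ == "__main__":
    for name, pattern in CONNS.items():
        print(name, match_dn(pattern, PEER_DN))
    print("selected:", select_conn(CONNS, PEER_DN))
```

Both patterns from the thread match the logged peer ID; the one with OU=R is chosen because it leaves two RDNs wild instead of three, and a DN from a different O, or with a different number of RDNs, matches neither.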


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-11 Thread Tom Robinson
Hi Matt,

Thanks for your response.

On 12/11/15 01:15, Matt Rogers wrote:
> You should set rightid=%fromcert so it will use the received cert subject
> as the ID here.
> 

I've added rightid=%fromcert to the connection but it still fails as follows:

Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

Do I need to add all the keys for issued roadwarrior certificates on the server?

Kind regards,
Tom
