On Wed, 30 Apr 2014, jeffchen wrote:

> I am trying to use certificates to connect multiple roaming users to one IPsec server (each side is running libreswan 3.8). It fails when I use IKEv2 mode. If I use IKEv1 mode (by removing the line ikev2=insist), it works fine.
> 
> Below is my configuration. Is there anything wrong in the configuration that keeps it from working in IKEv2 mode? Thanks.

That should be possible yes.

> conn R2-R9
>        authby=rsasig
>        auto=add
>        phase2=esp
>        ikev2=insist
>        left=192.168.22.2
>        leftcert=R4
>        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
>        leftnexthop=%defaultroute
>        leftsubnet=192.168.21.0/24
>        pfs=no
>        right=%any
>        rightid=%fromcert
>        rightupdown="ipsec _updown --route yes"
>        type=tunnel

perhaps add leftsendcert=always

> conn R2-R9
>        connaddrfamily=ipv4
>        authby=rsasig
>        auto=start
>        phase2=esp
>        ikev2=insist
>        left=192.168.22.2
>        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
>        leftsubnet=192.168.21.0/24
>        pfs=no
>        right=192.168.34.9
>        rightcert=R9
>        rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, [email protected]"
>        rightnexthop=%defaultroute
>        rightupdown="ipsec _updown --route yes"
>        type=tunnel
> 
> The tunnel is established successfully in IKEv1 mode, but it fails in IKEv2 mode. It gives the following error message in IKEv2 mode:
> 
> Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no RSA public key known for '%fromcert'

That might be a bug in the IKEv2 code. Can you try adding
rightsendcert=always here and let me know if that makes a difference.

I'll do some testing regarding this issue and try to reproduce it.

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
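The two connection definitions from the thread with the leftsendcert=always and rightsendcert=always lines Paul suggests, as an added example (this is not jeffchen's posted configuration verbatim and not a libreswan project sample). Each conn is the one loaded on the respective host; the conn name, addresses, certificate nicknames and DNs are those from the thread. Whether the two added lines resolve the '%fromcert' error is exactly what Paul asks to have tested, so the example claims nothing beyond his suggestion.

```ini
# Added example: the thread's two conns plus the sendcert lines Paul suggested.
# Names, addresses, cert nicknames and DNs are the ones posted in the thread.

# Host holding certificate R4 (192.168.22.2), the side that accepts roaming
# peers. right=%any lets any address connect, and rightid=%fromcert makes
# pluto take the peer's ID from the subject DN of the certificate it receives.
conn R2-R9
        authby=rsasig
        auto=add
        phase2=esp
        ikev2=insist
        left=192.168.22.2
        leftcert=R4
        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
        # Paul's suggestion: always include this host's certificate in
        # IKE_AUTH instead of the default of sending it only when asked.
        leftsendcert=always
        leftnexthop=%defaultroute
        leftsubnet=192.168.21.0/24
        pfs=no
        right=%any
        rightid=%fromcert
        rightupdown="ipsec _updown --route yes"
        type=tunnel

# Host holding certificate R9 (192.168.34.9), the roaming side. left/right are
# symmetric in libreswan, so this host is "right" here and presents rightcert=R9.
conn R2-R9
        connaddrfamily=ipv4
        authby=rsasig
        auto=start
        phase2=esp
        ikev2=insist
        left=192.168.22.2
        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
        leftsubnet=192.168.21.0/24
        pfs=no
        right=192.168.34.9
        rightcert=R9
        rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, [email protected]"
        # Paul's suggestion: always send R9's certificate rather than only
        # when asked; the other side's rightid=%fromcert relies on receiving it.
        rightsendcert=always
        rightnexthop=%defaultroute
        rightupdown="ipsec _updown --route yes"
        type=tunnel
```

After reloading the conns on both hosts, the line to watch for in the pluto log is the same "no RSA public key known for '%fromcert'" message quoted above: if it still appears with both sendcert lines in place, that is the data point Paul asked for in order to reproduce the suspected IKEv2 bug.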