----- Original Message -----
> From: "Tom Robinson" <[email protected]>
> To: [email protected]
> Sent: Tuesday, November 10, 2015 6:54:39 PM
> Subject: [Swan] IKEv2 connection "no RSA public key known for" and "RSA
> authentication failed"
>
> Hi,
>
> I've had a lot of success with IPSec/L2TP but have faced some issues.
> Recently I upgraded from an older OpenSWAN to libreswan implementation and
> found there is support for IKEv2 connections. I decided to give it a go as
> it looked quite easy to set up. After following the documentation here:
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> I have so far not been able to get an IKEv2 connection working.
>
> Can someone please shed some light on this? Where did I mess up?
>
> Here's what the log says:
> Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
> Nov 10 09:13:00 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: new NAT mapping for #327, was 165.228.94.4:500, now 165.228.94.4:4500
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson, [email protected]'
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R&D, CN=MoTeC CA, [email protected]" found (strict=no)
> Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'

You should set rightid=%fromcert so it will use the received cert subject as the ID here.

Regards,
Matt
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
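
The mismatch visible in the quoted log, as an added example that is not part of the original thread or of libreswan: a Python check that pairs the "peer ID is" and "no RSA public key known for" lines per IKE SA and reports when pluto looked up the key under an ID other than the one the peer sent (here the IP address instead of the certificate DN), which is the case rightid=%fromcert addresses. The sample log is constructed from the lines in the post (unwrapped, e-mail attribute left out); the function name and regular expressions are assumptions about this log format.

```python
import re

# Constructed sample: the two relevant pluto lines from the post, unwrapped,
# with the e-mail attribute of the DN left out.
SAMPLE_LOG = """\
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R&D, CN=Thomas Robinson'
Nov 10 09:13:01 fw2 pluto[18852]: "ikev2-cp"[1] 165.228.94.4 #327: no RSA public key known for '165.228.94.4'
"""

# "conn-name"[instance] peer-address #state-number: message
PREFIX = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? \S+ #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID = re.compile(r"peer ID is (?P<type>ID_\w+): '(?P<value>.*)'$")
NO_KEY = re.compile(r"no RSA public key known for '(?P<wanted>.*)'$")


def find_id_mismatches(log_text):
    """Return one finding per SA whose key lookup used an ID the peer did not send."""
    peer_ids = {}   # (conn, sa) -> (id_type, id_value) announced by the peer
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        key = (m["conn"], m["sa"])
        pid = PEER_ID.search(m["msg"])
        if pid:
            peer_ids[key] = (pid["type"], pid["value"])
            continue
        nk = NO_KEY.search(m["msg"])
        if nk and key in peer_ids:
            id_type, id_value = peer_ids[key]
            # Lookup under the peer's own ID is a missing key, not an ID mismatch.
            if nk["wanted"] != id_value:
                findings.append({"conn": m["conn"], "sa": m["sa"],
                                 "peer_id_type": id_type, "peer_id": id_value,
                                 "looked_up": nk["wanted"]})
    return findings


if __name__ == "__main__":
    for f in find_id_mismatches(SAMPLE_LOG):
        print(f'conn {f["conn"]} #{f["sa"]}: peer sent {f["peer_id_type"]} '
              f'but key lookup used {f["looked_up"]!r}; check rightid')
```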
