[strongSwan] "no RSA public key known" but ID is correct / even with "rightcert"

Develop develop at imagmbh.de
Sat Dec 18 22:18:36 CET 2010


Hello,

I have a serious problem using x509 certs with strongswan and my android 
(2.1) mobile.

After some hours of work, PSK works fine but x509 certs don't. Logging 
pluto I got the well-known error

"L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for '192.168.101.21'

but the configuration (rightid) seems to be correct. Even if I 
don't use "rightid=" but "rightcert=publiccert.pem" using the 
publiccert.pem copied to the mobile I get this error.

Here is my configuration:

config setup
         nat_traversal=yes
         charonstart=yes
         plutostart=yes
         plutodebug=all
         plutostderrlog=/tmp/pluto.log

conn L2TP
         authby=rsasig
         pfs=no
         rekey=no
         type=tunnel
         esp=aes128-sha1
         ike=aes128-sha-modp1024
         leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=vpnrelay2, E=address at imagmbh.de"
         leftrsasigkey=%cert
         left=IP-ADDRESS-OF-THE-VPN-SERVER
         leftnexthop=%defaultroute
         leftprotoport=17/1701
         right=%any
         rightprotoport=17/%any
         rightsubnetwithin=0.0.0.0/0
         rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, E=address at imagmbh.de"
         rightrsasigkey=%cert
         auto=add
         keylife=60s

and here the snip of the pluto-log:


....
|   30 0c 06 08  2a 86 48 86  f7 0d 02 05  05 00 04 10
|   a5 71 cb 29  58 61 4b 44  ce 22 5f 33  45 82 04 2a
| certificate signature is valid
| authcert list unlocked by 'verify_x509cert'
| reached self-signed root ca
| Public key validated
|  keyid: *AwEAAceE8
|  Modulus: 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
|  PublicExponent: 0x10001
| unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, E=address at imagmbh.de cnt 1--
| hashing 216 bytes of SA
"L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
"L2TP"[1] 84.61.190.246 #1: sending encrypted notification INVALID_KEY_INFORMATION to 84.61.190.246:500


Also if I use

rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"

I get the error.


Any help would be wonderful.

Thanks

Martin
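A quick way to see why both rightid forms fail, as an added example that is not part of Martin's mail or of strongSwan's own code: a Python script run over the log lines quoted above. Pluto registers the public key it extracts from a peer certificate under that certificate's subject DN (and its subjectAltNames) and then looks the key up by the identity the peer asserts in its ID payload, which is the value quoted in the "no RSA public key known for" line. The DN matching below is a simplified model of pluto's (attribute by attribute, in order, with `*` matching any value); the log excerpt and the two rightid strings are copied from the post, and `diagnose`, `id_matches` and `parse_dn` are names chosen here.

```python
import re

# Constructed sample input: the two rightid forms from the post and a trimmed
# copy of the pluto log lines quoted above.
RIGHTID_EXACT = ("C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, "
                 "CN=handymalu, E=address at imagmbh.de")
RIGHTID_WILDCARD = "C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"

PLUTO_LOG = """\
| certificate signature is valid
| reached self-signed root ca
| Public key validated
| unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, E=address at imagmbh.de cnt 1--
| hashing 216 bytes of SA
"L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
"""

# The DN under which the validated key was registered ...
KEY_LINE = re.compile(r"^\| unreference key: 0x[0-9a-f]+ (?P<dn>.+?) cnt \d+--$", re.M)
# ... and the identity the peer asserted, which pluto uses for the key lookup.
ERR_LINE = re.compile(r"no RSA public key known for '(?P<id>[^']+)'")


def parse_dn(dn):
    """Split 'C=DE, ST=NRW, ...' into [('C', 'DE'), ('ST', 'NRW'), ...]."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_dn(identity):
    """Crude ID-type test: a DN carries attr=value pairs, an IP or FQDN does not."""
    return "=" in identity


def id_matches(configured_id, peer_id):
    """Simplified model of pluto's ID matching (assumption, not pluto's code).

    Two DNs match when they carry the same attributes in the same order and
    every configured value is either '*' or equal to the peer's value.  A DN
    never matches a non-DN identity (IPv4 address, FQDN, ...); two non-DN
    identities must be literally equal.
    """
    if is_dn(configured_id) != is_dn(peer_id):
        return False
    if not is_dn(configured_id):
        return configured_id.strip() == peer_id.strip()
    want, have = parse_dn(configured_id), parse_dn(peer_id)
    if len(want) != len(have):
        return False
    return all(wa == ha and (wv == "*" or wv == hv)
               for (wa, wv), (ha, hv) in zip(want, have))


def diagnose(log, rightid):
    """Compare rightid against the registered key's DN and the asserted peer ID."""
    key_match = KEY_LINE.search(log)
    err_match = ERR_LINE.search(log)
    if key_match is None or err_match is None:
        raise ValueError("log excerpt lacks the key line or the error line")
    cert_subject = key_match.group("dn")
    peer_id = err_match.group("id")
    return {
        "cert_subject": cert_subject,
        "peer_asserted_id": peer_id,
        "rightid_matches_cert_subject": id_matches(rightid, cert_subject),
        "rightid_matches_peer_id": id_matches(rightid, peer_id),
    }


if __name__ == "__main__":
    for label, rightid in (("exact", RIGHTID_EXACT), ("wildcard", RIGHTID_WILDCARD)):
        print(f"rightid ({label}):")
        for key, value in diagnose(PLUTO_LOG, rightid).items():
            print(f"  {key}: {value}")
```

Running it shows both rightid forms matching the certificate subject and neither matching `192.168.101.21`: the lookup key is the identity the phone sends, so that is the identity the configured rightid (or a subjectAltName in the certificate) has to cover, not the DN alone.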