<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <tt>Hi,</tt><tt><br>
    </tt><tt><br>
    </tt><tt>I am trying to set up an IPsec site-to-site network based on </tt><tt><b>X.509
        certificates</b></tt><tt> and the </tt><tt><b>kernel-libipsec</b></tt><tt>
      plugin for userland IPsec ESP encryption.
    </tt><tt><br>
    </tt><tt><br>
    </tt><tt>But I am getting the error 'no trusted RSA public key found'.</tt><tt><br>
    </tt><tt><br>
      Configuration on both sides looks like:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>sun:</tt><tt><br>
    </tt><tt><br>
    </tt><tt> cat ipsec.conf</tt><tt><br>
    </tt><tt>config setup</tt><tt><br>
    </tt><tt><br>
    </tt><tt>conn %default</tt><tt><br>
    </tt><tt>        ikelifetime=60m</tt><tt><br>
    </tt><tt>        keylife=20m</tt><tt><br>
    </tt><tt>        rekeymargin=3m</tt><tt><br>
    </tt><tt>        keyingtries=1</tt><tt><br>
    </tt><tt>        keyexchange=ikev2</tt><tt><br>
    </tt><tt>        mobike=no</tt><tt><br>
    </tt><tt><br>
    </tt><tt>conn test</tt><tt><br>
    </tt><tt>        left=12.0.0.189</tt><tt><br>
    </tt><tt>        leftcert=sunCert.pem</tt><tt><br>
    </tt><tt>        leftsubnet=11.0.0.0/24</tt><tt><br>
    </tt><tt>        leftid=sun@test.com</tt><tt><br>
    </tt><tt>        leftupdown=/etc/updown</tt><tt><br>
    </tt><tt>        right=12.0.0.167</tt><tt><br>
    </tt><tt>        rightsubnet=10.0.0.0/24</tt><tt><br>
    </tt><tt>        rightid=moon@test.com</tt><tt><br>
    </tt><tt>        auto=add</tt><tt><br>
    </tt><tt><br>
    </tt><tt>cat ipsec.secrets</tt><tt><br>
    </tt><tt> : RSA sunKey.pem</tt><tt><br>
    </tt><tt><br>
    </tt><tt>cat strongswan.conf</tt><tt><br>
    </tt><tt>charon {</tt><tt><br>
    </tt><tt>   load = aes des rc2 sha1 sha2 md5 random nonce x509
      revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
      sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-libipsec
      kernel-netlink resolve socket-default stroke updown xauth-generic</tt><tt><br>
    </tt><tt>  multiple_authentication = no</tt><tt><br>
    </tt><tt>  debug = 4</tt><tt><br>
    </tt><tt>            }</tt><tt><br>
    </tt><tt><br>
    </tt><tt>ipsec listall | more</tt><tt><br>
    </tt><tt><br>
    </tt><tt>List of X.509 End Entity Certificates:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>  altNames:  sun@test.com</tt><tt><br>
    </tt><tt>  subject:  "C=UK, O=Adax Remote unit, CN=sun@test.com"</tt><tt><br>
    </tt><tt>  issuer:   "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
    </tt><tt>  serial:    58:67:70:fd:12:9c:61:ad</tt><tt><br>
    </tt><tt>  validity:  not before Jul 07 15:58:59 2014, ok</tt><tt><br>
    </tt><tt>             not after  Jul 06 15:58:59 2017, ok</tt><tt><br>
    </tt><tt>  pubkey:    RSA 1024 bits, has private key</tt><tt><br>
    </tt><tt>  keyid:    
      3a:e6:24:0c:69:6a:96:a8:cf:ef:04:56:c7:f9:2d:5c:b9:9a:89:a2</tt><tt><br>
    </tt><tt>  subjkey:  
      bf:b9:81:e2:86:d9:11:e5:69:a1:da:40:6b:48:45:9f:d4:89:cf:d2</tt><tt><br>
    </tt><tt>  authkey:  
      79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
    </tt><tt><br>
    </tt><tt>List of X.509 CRLs:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>  issuer:   "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
    </tt><tt>  serial:    01</tt><tt><br>
    </tt><tt>  revoked:   0 certificates</tt><tt><br>
    </tt><tt>  updates:   this Jul 07 16:01:35 2014</tt><tt><br>
    </tt><tt>             next Jul 22 16:01:35 2014, ok</tt><tt><br>
    </tt><tt>  authkey:  
      79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
    </tt><tt><br>
    </tt><tt><br>
    </tt><tt>moon:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>cat ipsec.conf</tt><tt><br>
    </tt><tt>config setup</tt><tt><br>
    </tt><tt><br>
    </tt><tt>conn %default</tt><tt><br>
    </tt><tt>        ikelifetime=60m</tt><tt><br>
    </tt><tt>        keylife=20m</tt><tt><br>
    </tt><tt>        rekeymargin=3m</tt><tt><br>
    </tt><tt>        keyingtries=1</tt><tt><br>
    </tt><tt>        keyexchange=ikev2</tt><tt><br>
    </tt><tt>        mobike=no</tt><tt><br>
    </tt><tt><br>
    </tt><tt>conn test</tt><tt><br>
    </tt><tt>        left=12.0.0.167</tt><tt><br>
    </tt><tt>        leftcert=moonCert.pem</tt><tt><br>
    </tt><tt>        leftsubnet=10.0.0.0/24</tt><tt><br>
    </tt><tt>        leftid=moon@test.com</tt><tt><br>
    </tt><tt>        leftupdown=/etc/updown</tt><tt><br>
    </tt><tt>        right=12.0.0.189</tt><tt><br>
    </tt><tt>        rightsubnet=11.0.0.0/24</tt><tt><br>
    </tt><tt>        rightid=sun@test.com</tt><tt><br>
    </tt><tt>        auto=add</tt><tt><br>
    </tt><tt><br>
    </tt><tt>cat ipsec.secrets</tt><tt><br>
    </tt><tt> : RSA moonKey.pem</tt><tt><br>
    </tt><tt><br>
    </tt><tt>ipsec listall | more</tt><tt><br>
    </tt><tt><br>
    </tt><tt>List of X.509 End Entity Certificates:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>  altNames:  moon@test.com</tt><tt><br>
    </tt><tt>  subject:  "C=UK, O=Adax remote moon unit, CN=moon@test.com"</tt><tt><br>
    </tt><tt>  issuer:   "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
    </tt><tt>  serial:    23:65:47:ec:54:e5:05:08</tt><tt><br>
    </tt><tt>  validity:  not before Jul 07 16:00:47 2014, ok</tt><tt><br>
    </tt><tt>             not after  Jul 06 16:00:47 2017, ok</tt><tt><br>
    </tt><tt>  pubkey:    RSA 1024 bits, has private key</tt><tt><br>
    </tt><tt>  keyid:    
      e5:bc:2e:35:dd:a9:80:70:a9:05:67:4c:27:19:40:75:fc:5e:28:ce</tt><tt><br>
    </tt><tt>  subjkey:  
      f4:d7:b7:e0:d0:4d:3e:ba:c8:06:f3:0d:6a:da:c8:ea:3f:49:86:48</tt><tt><br>
    </tt><tt>  authkey:  
      79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
    </tt><tt><br>
    </tt><tt>List of X.509 CRLs:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>  issuer:   "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
    </tt><tt>  serial:    01</tt><tt><br>
    </tt><tt>  revoked:   0 certificates</tt><tt><br>
    </tt><tt>  updates:   this Jul 07 16:01:35 2014</tt><tt><br>
    </tt><tt>             next Jul 22 16:01:35 2014, ok</tt><tt><br>
    </tt><tt>  authkey:  
      79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
    </tt><tt><br>
    </tt><tt>#############</tt><tt><br>
    </tt><tt><br>
    </tt><tt>When I run 'ipsec up test' from the sun side, the following
      error is logged:</tt><tt><br>
    </tt><tt><br>
    </tt><tt>sun</tt><tt><br>
    </tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 14[CFG] received stroke:
      initiate 'test'</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 15[IKE] initiating IKE_SA
      test[2] to 12.0.0.167</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 15[ENC] generating
      IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 15[NET] sending packet:
      from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 06[NET] received packet:
      from 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 06[ENC] parsed IKE_SA_INIT
      response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 06[IKE] authentication of
      'sun@test.com' (myself) with RSA signature successful</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 06[IKE] establishing
      CHILD_SA test</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 06[ENC] generating
      IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
      N(EAP_ONLY) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 06[NET] sending packet:
      from 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 05[NET] received packet:
      from 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 05[ENC] parsed IKE_AUTH
      response 1 [ N(AUTH_FAILED) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:33 ZNYX9210 charon: 05[IKE] received
      AUTHENTICATION_FAILED notify error</tt><tt><br>
    </tt><tt><br>
    </tt><tt>moon</tt><tt><br>
    </tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 07[NET] received
      packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 07[ENC] parsed
      IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 07[IKE] 12.0.0.189 is
      initiating an IKE_SA</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 07[ENC] generating
      IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 07[NET] sending packet:
      from 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[NET] received
      packet: from 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[ENC] parsed IKE_AUTH
      request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[CFG] looking for
      peer configs matching
      12.0.0.167[moon@test.com]...12.0.0.189[sun@test.com]</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[CFG] selected peer
      config 'test'</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[IKE] no trusted RSA
      public key found for 'sun@test.com'</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[ENC] generating
      IKE_AUTH response 1 [ N(AUTH_FAILED) ]</tt><tt><br>
    </tt><tt>Jul  7 16:16:37 RAID_server charon: 08[NET] sending packet:
      from 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)</tt><tt><br>
    </tt><tt><br>
    </tt><tt>Can you please help me understand what could be the reason for this
      failure?</tt><tt><br>
    </tt><tt><br>
    </tt><tt>Thanks,</tt><tt><br>
    </tt><tt>Shahreen</tt><br>
    <br>
    <pre class="moz-signature" cols="72">-- 

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: <a class="moz-txt-link-abbreviated" href="http://www.adax.com">www.adax.com</a>
e-mail: <a class="moz-txt-link-abbreviated" href="mailto:sahmed@adax.co.uk">sahmed@adax.co.uk</a>
Direct line: +44(0)118 952 2804</pre>
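<p>Added example, not part of Shahreen's message or of strongSwan's own code: the <code>ipsec listall</code> output above lists end-entity certificates and a CRL but no "List of X.509 CA Certificates" section, and charon can only trust a peer's RSA key when the peer certificate chains to a CA certificate it has loaded (or the peer certificate itself is installed locally). The script below parses listall output and reports every end-entity certificate whose authkey matches no loaded CA subjkey; the sample listing is constructed from the values quoted above, and the CA section is an assumed fix, not something the message shows.</p>

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\s*(\w+):\s*(.*)")

def parse_listall(text):
    """Group `ipsec listall` output into {section title: [entry dict, ...]}."""
    sections, current, entry = defaultdict(list), None, {}
    for line in text.splitlines():
        if line.startswith("List of "):           # section header
            if entry: sections[current].append(entry)
            current, entry = line.rstrip(":"), {}
        elif not line.strip():                    # blank line closes an entry
            if entry: sections[current].append(entry)
            entry = {}
        elif (m := FIELD.match(line)) and current:
            entry[m.group(1)] = m.group(2).strip().strip('"')
        elif entry:                               # continuation (e.g. 'not after')
            entry[next(reversed(entry))] += " " + line.strip()
    if entry: sections[current].append(entry)
    return sections

def untrusted_identities(text):
    """End-entity subjects whose authkey matches no loaded CA subjkey (no chain)."""
    s = parse_listall(text)
    ca_keys = {c.get("subjkey") for c in s["List of X.509 CA Certificates"]}
    return [e["subject"] for e in s["List of X.509 End Entity Certificates"]
            if e.get("authkey") not in ca_keys]

# Constructed sample modelled on the moon listing above: an end-entity
# certificate is loaded, but no CA certificate section exists.
MOON_LISTALL = """\
List of X.509 End Entity Certificates:

  subject:  "C=UK, O=Adax remote moon unit, CN=moon@test.com"
  issuer:   "C=UK, O=Adax unit, CN=Adax Inc"
  validity:  not before Jul 07 16:00:47 2014, ok
             not after  Jul 06 16:00:47 2017, ok
  subjkey:   f4:d7:b7:e0:d0:4d:3e:ba:c8:06:f3:0d:6a:da:c8:ea:3f:49:86:48
  authkey:   79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
"""

# Constructed (assumed): the section the listing gains once the issuing CA
# certificate is loaded; its subjkey equals the end-entity authkey.
CA_SECTION = """\
List of X.509 CA Certificates:
  subject:  "C=UK, O=Adax unit, CN=Adax Inc"
  subjkey:   79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
"""
```

Run <code>untrusted_identities</code> on the real <code>ipsec listall</code> output of each gateway; an empty list means every local end-entity certificate chains to a loaded CA, a non-empty list names the certificates charon cannot verify.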
  </body>
</html>