[strongSwan] "no RSA public key known" but ID is correct / even with "rightcert"

Andreas Steffen andreas.steffen at strongswan.org
Sat Dec 18 23:52:06 CET 2010


Hello Martin,

the problem is that the Android client sends as its ID the IPv4 address
192.168.101.21 which is not contained as a subjectAltName in the client
certificate:

> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'

As a workaround generate the Android certificate with

subjectAltName=IP:192.168.101.21

set in openssl.cnf or alternatively try to convince the Android phone
to send its Distinguished Name as an ID.

Regards

Andreas

On 12/18/2010 10:18 PM, Develop wrote:
> Hello,
> 
> I have a serious problem using x509 certs with strongswan and my android 
> (2.1) mobile.
> 
> After some hours of work, PSK works fine but x509 certs don't. Logging 
> pluto I got the well known error
> 
> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for '192.168.101.21'
> 
> but the ID in the configuration (rightid) seems to be correct. Even if I 
> don't use "rightid=" but "rightcert=publiccert.pem" using the 
> publiccert.pem copied to the mobile I get this error.
> 
> Here is my configuration:
> 
> config setup
>          nat_traversal=yes
>          charonstart=yes
>          plutostart=yes
>          plutodebug=all
>          plutostderrlog=/tmp/pluto.log
> 
> conn L2TP
>          authby=rsasig
>          pfs=no
>          rekey=no
>          type=tunnel
>          esp=aes128-sha1
>          ike=aes128-sha-modp1024
>          leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, 
> CN=vpnrelay2, E=address at imagmbh.de"
>          leftrsasigkey=%cert
>          left=IP-ADDRESS-OF-THE-VPN-SERVER
>          leftnexthop=%defaultroute
>          leftprotoport=17/1701
>          right=%any
>          rightprotoport=17/%any
>          rightsubnetwithin=0.0.0.0/0
>          rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, 
> CN=handymalu, E=address at imagmbh.de"
>          rightrsasigkey=%cert
>          auto=add
>          keylife=60s
> 
> and here the snip of the pluto-log:
> 
> 
> ....
> |   30 0c 06 08  2a 86 48 86  f7 0d 02 05  05 00 04 10
> |   a5 71 cb 29  58 61 4b 44  ce 22 5f 33  45 82 04 2a
> | certificate signature is valid
> | authcert list unlocked by 'verify_x509cert'
> | reached self-signed root ca
> | Public key validated
> |  keyid: *AwEAAceE8
> |  Modulus: 
> 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
> |  PublicExponent: 0x10001
> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH, 
> OU=ipsec, CN=handymalu, E=address at imagmbh.de cnt 1--
> | hashing 216 bytes of SA
> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification 
> INVALID_KEY_INFORMATION to 84.61.190.246:500
> 
> 
> Also if I use
> 
> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
> 
> I get the error.
> 
> 
> Any help would be wonderful.
> 
> Thanks
> 
> Martin

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
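As an added illustration of the lookup Andreas describes (this is not code from the thread or from strongSwan itself), the Python below models how a peer-sent IKE ID is matched against a certificate's identities: a Distinguished Name must equal the subject DN, while an IP address, FQDN or e-mail ID must appear as a subjectAltName of the matching type. The certificate records are constructed stand-ins for the handymalu certificate in the log (subject DN only, no SAN) and for the reissued one with subjectAltName=IP:192.168.101.21; no PEM parsing is done.

```python
"""Model of pluto's peer-ID lookup: the ID the peer sends must be contained
in its certificate, otherwise there is "no RSA public key known" for it.
Certificates here are constructed records, not parsed X.509 files."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentities:
    """Identity-bearing fields of an X.509 certificate (constructed)."""
    subject_dn: str
    # subjectAltName entries in OpenSSL notation, e.g. "IP:192.168.101.21",
    # "DNS:vpn.example.org", "email:user@example.org".
    subject_alt_names: list = field(default_factory=list)


def normalize_dn(dn: str) -> tuple:
    """Turn 'C=DE, ST=NRW, ...' into ((attr, value), ...) with attribute
    names upper-cased and whitespace stripped, so DNs compare by content."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)


def classify_id(peer_id: str) -> tuple:
    """Return (kind, canonical value) for an IKE ID string.
    kind is one of 'IP', 'DN', 'EMAIL', 'FQDN'."""
    try:
        return "IP", str(ipaddress.ip_address(peer_id.strip()))
    except ValueError:
        pass
    if "=" in peer_id:            # looks like a Distinguished Name
        return "DN", normalize_dn(peer_id)
    if "@" in peer_id:            # RFC 822 address
        return "EMAIL", peer_id.strip().lower()
    return "FQDN", peer_id.strip().lower().rstrip(".")


# Which SAN type is allowed to carry which kind of ID.
_SAN_TYPE_FOR_KIND = {"IP": "IP", "EMAIL": "EMAIL", "FQDN": "DNS"}


def cert_contains_id(peer_id: str, cert: CertIdentities) -> bool:
    """True if the certificate's subject DN or a SAN equals the peer ID."""
    kind, value = classify_id(peer_id)
    if kind == "DN":
        return normalize_dn(cert.subject_dn) == value
    wanted_type = _SAN_TYPE_FOR_KIND[kind]
    for san in cert.subject_alt_names:
        san_type, _, san_value = san.partition(":")
        if san_type.strip().upper() != wanted_type:
            continue
        san_kind, san_canon = classify_id(san_value)
        if san_kind == kind and san_canon == value:
            return True
    return False


def lookup_public_key(peer_id: str, certs: list):
    """Return the first certificate whose identities include peer_id, or
    None, which is the situation behind the "no RSA public key known" line."""
    for cert in certs:
        if cert_contains_id(peer_id, cert):
            return cert
    return None


# Constructed stand-ins for the certificates in the thread.
HANDYMALU_DN = ("C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, "
                "CN=handymalu, E=address at imagmbh.de")
ANDROID_CERT_AS_ISSUED = CertIdentities(subject_dn=HANDYMALU_DN)
ANDROID_CERT_WITH_SAN = CertIdentities(
    subject_dn=HANDYMALU_DN, subject_alt_names=["IP:192.168.101.21"])


if __name__ == "__main__":
    peer_sent_id = "192.168.101.21"   # what the Android client sends as ID
    for label, cert in (("as issued", ANDROID_CERT_AS_ISSUED),
                        ("with IP SAN", ANDROID_CERT_WITH_SAN)):
        found = lookup_public_key(peer_sent_id, [cert])
        state = "key found" if found else "no RSA public key known"
        print(f"{label:12s}: {state} for '{peer_sent_id}'")
```

The model makes the failure mode visible: the DN in rightid matches the certificate perfectly, but that is irrelevant to the lookup, because the key is selected by the ID the peer actually sends. Either the certificate has to contain that IP as a SAN, or the client has to send the DN instead, which is exactly the choice offered above.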