[strongSwan] "no RSA public key known" but ID is correct / even with "rightcert"
Develop
develop at imagmbh.de
Sun Dec 19 11:48:48 CET 2010
Hello Andreas,
thanks a lot for your answer.
I wonder a little bit because the correct cert was seen in the log just
before the error. Is it correct that the Android sends first the
certificate it has and then the ID with the IPv4 address? Because the
IPv4 is dynamic (different WLANs) I think I can't use your suggested
workaround :-(
Is it perhaps possible to accept any peer who presents a valid (not
revoked) certifiate independent of the presented ID? If so, I could
control the access to the VPN by revoking the certificate.
Regards
Martin
Am 18.12.2010 23:52, schrieb Andreas Steffen:
> Hello Martin,
>
> the problem is that the Android client sends as its ID the IPv4 address
> 192.168.101.21 which is not contained as a subjectAltName in the client
> certificate:
>
>
>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>
> As a workaround generate the Android certificate with
>
> subjectAltName=IP:192.168.101.21
>
> set in openssl.cnf or alternatively try to convince the Android phone
> to send its Distinguished Name as an ID.
>
> Regards
>
> Andreas
>
> On 12/18/2010 10:18 PM, Develop wrote:
>
>> Hello,
>>
>> I have a serious problem using x509 certs with strongswan and my android
>> (2.1) mobile.
>>
>> After some hours of work, PSK works fine but x509 certs don't. Logging
>> pluto I got the well known error
>>
>> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for '192.168.101.21'
>>
>> but the in the configuration (rightid) seems to be correct. Even if I
>> don't use "rightid=" but "rightcert=publiccert.pem" using the
>> publiccert.pem copied to the mobile I get this error.
>>
>> Here is my configuration:
>>
>> config setup
>> nat_traversal=yes
>> charonstart=yes
>> plutostart=yes
>> plutodebug=all
>> plutostderrlog=/tmp/pluto.log
>>
>> conn L2TP
>> authby=rsasig
>> pfs=no
>> rekey=no
>> type=tunnel
>> esp=aes128-sha1
>> ike=aes128-sha-modp1024
>> leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec,
>> CN=vpnrelay2, E=address at imagmbh.de"
>> leftrsasigkey=%cert
>> left=IP-ADDRESS-OF-THE-VPN-SERVER
>> leftnexthop=%defaultroute
>> leftprotoport=17/1701
>> right=%any
>> rightprotoport=17/%any
>> rightsubnetwithin=0.0.0.0/0
>> rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec,
>> CN=handymalu, E=address at imagmbh.de"
>> rightrsasigkey=%cert
>> auto=add
>> keylife=60s
>>
>> and here the snip of the pluto-log:
>>
>>
>> ....
>> | 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10
>> | a5 71 cb 29 58 61 4b 44 ce 22 5f 33 45 82 04 2a
>> | certificate signature is valid
>> | authcert list unlocked by 'verify_x509cert'
>> | reached self-signed root ca
>> | Public key validated
>> | keyid: *AwEAAceE8
>> | Modulus:
>> 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
>> | PublicExponent: 0x10001
>> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH,
>> OU=ipsec, CN=handymalu, E=address at imagmbh.de cnt 1--
>> | hashing 216 bytes of SA
>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification
>> INVALID_KEY_INFORMATION to 84.61.190.246:500
>>
>>
>> Also if I use
>>
>> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>>
>> I get the error.
>>
>>
>> Any help yould be wonderful.
>>
>> Thanks
>>
>> Martin
>>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
More information about the Users
mailing list