[strongSwan] "no RSA public key known" but ID is correct / even with "rightcert"

Develop develop at imagmbh.de
Sun Dec 19 13:57:13 CET 2010 

If someone has the same problem: The actual git-repository of the 
android contains patches for usage of the DN für android 2.2 (Froyo) and 
2.3 (gingerbread): 
http://android.git.kernel.org/?p=platform/external/ipsec-tools.git;a=summary

Martin

Am 19.12.2010 12:33, schrieb Andreas Steffen:
> Hello Martin,
>
> Android sends the certificate payload together with the identity
> payload in the same IKE packet.
>
> No, strongSwan requires the peer identity to by verified by a
> corresponding entry in the certificate. Certainly the Android
> VPN client can be configured to use the Subject Distinguished
> Name contained in the certificate as its identity.
>
> Regards
>
> Andreas
>
> On 12/19/2010 11:48 AM, Develop wrote:
>    
>> Hello Andreas,
>>
>> thanks a lot for your answer.
>>
>> I wonder a little bit because the correct cert was seen in the log just
>> before the error. Is it correct that the Android sends first the
>> certificate it has and then the ID with the IPv4 address? Because the
>> IPv4 is dynamic (different WLANs) I think I can't use your suggested
>> workaround :-(
>>
>> Is it perhaps possible to accept any peer who presents a valid (not
>> revoked) certifiate independent of the presented ID? If so, I could
>> control the access to the VPN by revoking the certificate.
>>
>> Regards
>>
>> Martin
>>
>> Am 18.12.2010 23:52, schrieb Andreas Steffen:
>>      
>>> Hello Martin,
>>>
>>> the problem is that the Android client sends as its ID the IPv4 address
>>> 192.168.101.21 which is not contained as a subjectAltName in the client
>>> certificate:
>>>
>>>
>>>        
>>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>>>
>>>>          
>>> As a workaround generate the Android certificate with
>>>
>>> subjectAltName=IP:192.168.101.21
>>>
>>> set in openssl.cnf or alternatively try to convince the Android phone
>>> to send its Distinguished Name as an ID.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 12/18/2010 10:18 PM, Develop wrote:
>>>
>>>        
>>>> Hello,
>>>>
>>>> I have a serious problem using x509 certs with strongswan and my android
>>>> (2.1) mobile.
>>>>
>>>> After some hours of work, PSK works fine but x509 certs don't. Logging
>>>> pluto I got the well known error
>>>>
>>>> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for
>>>> '192.168.101.21'
>>>>
>>>> but the in the configuration (rightid) seems to be correct. Even if I
>>>> don't use "rightid=" but "rightcert=publiccert.pem" using the
>>>> publiccert.pem copied to the mobile I get this error.
>>>>
>>>> Here is my configuration:
>>>>
>>>> config setup
>>>>            nat_traversal=yes
>>>>            charonstart=yes
>>>>            plutostart=yes
>>>>            plutodebug=all
>>>>            plutostderrlog=/tmp/pluto.log
>>>>
>>>> conn L2TP
>>>>            authby=rsasig
>>>>            pfs=no
>>>>            rekey=no
>>>>            type=tunnel
>>>>            esp=aes128-sha1
>>>>            ike=aes128-sha-modp1024
>>>>            leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec,
>>>> CN=vpnrelay2, E=address at imagmbh.de"
>>>>            leftrsasigkey=%cert
>>>>            left=IP-ADDRESS-OF-THE-VPN-SERVER
>>>>            leftnexthop=%defaultroute
>>>>            leftprotoport=17/1701
>>>>            right=%any
>>>>            rightprotoport=17/%any
>>>>            rightsubnetwithin=0.0.0.0/0
>>>>            rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec,
>>>> CN=handymalu, E=address at imagmbh.de"
>>>>            rightrsasigkey=%cert
>>>>            auto=add
>>>>            keylife=60s
>>>>
>>>> and here the snip of the pluto-log:
>>>>
>>>>
>>>> ....
>>>> |   30 0c 06 08  2a 86 48 86  f7 0d 02 05  05 00 04 10
>>>> |   a5 71 cb 29  58 61 4b 44  ce 22 5f 33  45 82 04 2a
>>>> | certificate signature is valid
>>>> | authcert list unlocked by 'verify_x509cert'
>>>> | reached self-signed root ca
>>>> | Public key validated
>>>> |  keyid: *AwEAAceE8
>>>> |  Modulus:
>>>> 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
>>>>
>>>> |  PublicExponent: 0x10001
>>>> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH,
>>>> OU=ipsec, CN=handymalu, E=address at imagmbh.de cnt 1--
>>>> | hashing 216 bytes of SA
>>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>>> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification
>>>> INVALID_KEY_INFORMATION to 84.61.190.246:500
>>>>
>>>>
>>>> Also if I use
>>>>
>>>> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>>>>
>>>> I get the error.
>>>>
>>>>
>>>> Any help yould be wonderful.
>>>>
>>>> Thanks
>>>>
>>>> Martin
>>>>          
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

More information about the Users mailing list