[strongSwan] "no RSA public key known" but ID is correct / even with "rightcert"

Andreas Steffen andreas.steffen at strongswan.org
Sun Dec 19 15:20:46 CET 2010


Well, if you intend to root Android then you could install
the strongSwan IKEv2 daemon:

http://wiki.strongswan.org/projects/strongswan/wiki/Android

Regards

Andreas

On 19.12.2010 13:43, Develop wrote:
> Hello Andreas,
> 
> the Android (2.1) does not offer the possibility to change the identity
> it sends. Not very useful to use the IP-address as ID for a mobile
> device. I think I will have a look at the android sources and root the
> phone.
> 
> Regards
> 
> Martin
> 
> 
> 
> Am 19.12.2010 12:33, schrieb Andreas Steffen:
>> Hello Martin,
>>
>> Android sends the certificate payload together with the identity
>> payload in the same IKE packet.
>>
>> No, strongSwan requires the peer identity to be verified by a
>> corresponding entry in the certificate. Certainly the Android
>> VPN client can be configured to use the Subject Distinguished
>> Name contained in the certificate as its identity.
>>
>> Regards
>>
>> Andreas
>>
>> On 12/19/2010 11:48 AM, Develop wrote:
>>   
>>> Hello Andreas,
>>>
>>> thanks a lot for your answer.
>>>
>>> I wonder a little bit because the correct cert was seen in the log just
>>> before the error. Is it correct that the Android sends first the
>>> certificate it has and then the ID with the IPv4 address? Because the
>>> IPv4 is dynamic (different WLANs) I think I can't use your suggested
>>> workaround :-(
>>>
>>> Is it perhaps possible to accept any peer who presents a valid (not
>>> revoked) certificate independent of the presented ID? If so, I could
>>> control the access to the VPN by revoking the certificate.
>>>
>>> Regards
>>>
>>> Martin
>>>
>>> Am 18.12.2010 23:52, schrieb Andreas Steffen:
>>>     
>>>> Hello Martin,
>>>>
>>>> the problem is that the Android client sends as its ID the IPv4 address
>>>> 192.168.101.21 which is not contained as a subjectAltName in the client
>>>> certificate:
>>>>
>>>>
>>>>       
>>>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for
>>>>> '192.168.101.21'
>>>>>
>>>>>          
>>>> As a workaround generate the Android certificate with
>>>>
>>>> subjectAltName=IP:192.168.101.21
>>>>
>>>> set in openssl.cnf or alternatively try to convince the Android phone
>>>> to send its Distinguished Name as an ID.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 12/18/2010 10:18 PM, Develop wrote:
>>>>
>>>>       
>>>>> Hello,
>>>>>
>>>>> I have a serious problem using x509 certs with strongswan and my
>>>>> android
>>>>> (2.1) mobile.
>>>>>
>>>>> After some hours of work, PSK works fine but x509 certs don't. Logging
>>>>> pluto I got the well known error
>>>>>
>>>>> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for
>>>>> '192.168.101.21'
>>>>>
>>>>> but the configuration (rightid) seems to be correct. Even if I
>>>>> don't use "rightid=" but "rightcert=publiccert.pem" using the
>>>>> publiccert.pem copied to the mobile I get this error.
>>>>>
>>>>> Here is my configuration:
>>>>>
>>>>> config setup
>>>>>            nat_traversal=yes
>>>>>            charonstart=yes
>>>>>            plutostart=yes
>>>>>            plutodebug=all
>>>>>            plutostderrlog=/tmp/pluto.log
>>>>>
>>>>> conn L2TP
>>>>>            authby=rsasig
>>>>>            pfs=no
>>>>>            rekey=no
>>>>>            type=tunnel
>>>>>            esp=aes128-sha1
>>>>>            ike=aes128-sha-modp1024
>>>>>            leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec,
>>>>> CN=vpnrelay2, E=address at imagmbh.de"
>>>>>            leftrsasigkey=%cert
>>>>>            left=IP-ADDRESS-OF-THE-VPN-SERVER
>>>>>            leftnexthop=%defaultroute
>>>>>            leftprotoport=17/1701
>>>>>            right=%any
>>>>>            rightprotoport=17/%any
>>>>>            rightsubnetwithin=0.0.0.0/0
>>>>>            rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec,
>>>>> CN=handymalu, E=address at imagmbh.de"
>>>>>            rightrsasigkey=%cert
>>>>>            auto=add
>>>>>            keylife=60s
>>>>>
>>>>> and here the snip of the pluto-log:
>>>>>
>>>>>
>>>>> ....
>>>>> |   30 0c 06 08  2a 86 48 86  f7 0d 02 05  05 00 04 10
>>>>> |   a5 71 cb 29  58 61 4b 44  ce 22 5f 33  45 82 04 2a
>>>>> | certificate signature is valid
>>>>> | authcert list unlocked by 'verify_x509cert'
>>>>> | reached self-signed root ca
>>>>> | Public key validated
>>>>> |  keyid: *AwEAAceE8
>>>>> |  Modulus:
>>>>> 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
>>>>>
>>>>>
>>>>> |  PublicExponent: 0x10001
>>>>> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH,
>>>>> OU=ipsec, CN=handymalu, E=address at imagmbh.de cnt 1--
>>>>> | hashing 216 bytes of SA
>>>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for
>>>>> '192.168.101.21'
>>>>> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification
>>>>> INVALID_KEY_INFORMATION to 84.61.190.246:500
>>>>>
>>>>>
>>>>> Also if I use
>>>>>
>>>>> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>>>>>
>>>>> I get the error.
>>>>>
>>>>>
>>>>> Any help would be wonderful.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Martin
>>>>>          

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
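The thread turns on one check: the ID a peer sends in its IKE identity payload must be backed by the certificate it presents (subject DN for a DN identity, a subjectAltName entry for an IP/FQDN/e-mail identity). The following added example is not part of the thread or of strongSwan's code; it is a simplified model of that decision, fed with a constructed cert record using the subject DN and the ID from Martin's log, to show why the wildcard rightid cannot help and why adding the subjectAltName does.

```python
import ipaddress

# Constructed record of the Android client certificate from the thread:
# the subject DN Martin used as rightid, and no subjectAltName at all.
CLIENT_CERT = {
    "subject": "C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, E=address at imagmbh.de",
    "subjectAltName": [],
}

def parse_dn(dn):
    """Split 'C=DE, ST=NRW, ...' into an ordered list of (type, value) RDNs."""
    rdns = []
    for part in dn.split(","):
        typ, sep, val = part.strip().partition("=")
        if not typ or not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns

def dn_matches(pattern, subject):
    """Ordered RDN comparison; a '*' value in the pattern accepts any value for that RDN."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return False
    return all(pt == st and (pv == "*" or pv == sv)
               for (pt, pv), (st, sv) in zip(p, s))

def classify_id(peer_id):
    """Identity type of the ID payload: IP, DN, email or DNS (FQDN)."""
    try:
        ipaddress.IPv4Address(peer_id)
        return "IP"
    except ValueError:
        pass
    if "=" in peer_id:
        return "DN"
    return "email" if "@" in peer_id else "DNS"

def cert_covers_id(peer_id, cert):
    """Return (ok, reason): is the presented ID backed by the presented certificate?"""
    kind = classify_id(peer_id)
    if kind == "DN":
        if dn_matches(peer_id, cert["subject"]):
            return True, "ID equals certificate subject DN"
        return False, "ID is a DN but does not match the certificate subject"
    # Non-DN identities must appear as a subjectAltName of the same type,
    # written here in openssl.cnf notation (IP:..., DNS:..., email:...).
    san = "%s:%s" % (kind, peer_id)
    if san in cert["subjectAltName"]:
        return True, "ID found as subjectAltName " + san
    return False, "no RSA public key known for '%s' (no subjectAltName %s)" % (peer_id, san)
```

The wildcard rightid only widens which peer IDs the conn accepts; it never changes whether the ID the phone actually sent (the IPv4 address) is present in the certificate, which is the check that fails here.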
