[Openswan Users] no RSA public key problem

Florian Harmuth florian.harmuth at googlemail.com
Fri Jun 17 08:42:38 EDT 2011


Hello all,
I try to make a host-to-host connection between two openswan instances,
but it results in "no RSA public key known for ...". I've tried to set
the id on the server side to --id="C=DE, ST=BY, L=Ort, O=Company,
CN=client, E=info at lala.com", which results in the same behavior. Any
hints?

Best Regards,
flo

ipsec.conf:
version 2.0

config setup
     nat_traversal=yes
     uniqueids=no

conn %default
    compress=no
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=3
    type=transport
    rightca=%same


"server" side:
whack --name server --host 192.168.60.201 --cert local.crt --nexthop
%direct --to --host %any --rsasig
whack --listen

"client" side:
whack --name client --host 192.168.60.202 --cert local.crt --to --host
192.168.60.201 --rsasig
whack --listen
whack --name client --initiate

log from "server"
added connection description "server"
packet from 192.168.60.202:500: received Vendor ID payload [Openswan
(this version) 2.6.34 ]
packet from 192.168.60.202:500: received Vendor ID payload [Dead Peer Detection]
| processing connection server[1] 192.168.60.202
"server"[1] 192.168.60.202 #2: responding to Main Mode from unknown
peer 192.168.60.202
"server"[1] 192.168.60.202 #2: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
"server"[1] 192.168.60.202 #2: STATE_MAIN_R1: sent MR1, expecting MI2
| processing connection server[1] 192.168.60.202
| processing connection server[1] 192.168.60.202
| processing connection server[1] 192.168.60.202
"server"[1] 192.168.60.202 #2: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
"server"[1] 192.168.60.202 #2: STATE_MAIN_R2: sent MR2, expecting MI3
| processing connection server[1] 192.168.60.202
"server"[1] 192.168.60.202 #2: Main mode peer ID is ID_DER_ASN1_DN:
'C=DE, ST=BY, L=Ort, O=Company, CN=client, E=info at lala.com'
|   trusted_ca called with a=(empty) b=(empty)
|   trusted_ca called with a=(empty) b=(empty)
"server"[1] 192.168.60.202 #2: swno RSA public key known foritched
from "server" to "server"
| processing connection server[2] 192.168.60.202
| processing connection server[1] 192.168.60.202
"server"[2] 192.168.60.202 #2: deleting connection "server" instance
with peer 192.168.60.202 {isakmp=#0/ipsec=#0}
"server"[2] 192.168.60.202 #2: no RSA public key known for 'C=DE,
ST=BY, L=Ort, O=Company, CN=client, E=info at lala.com'
"server"[2] 192.168.60.202 #2: sending encrypted notification
INVALID_KEY_INFORMATION to 192.168.60.202:500
| processing connection server[2] 192.168.60.202

log from "client"
"client" #1: initiating Main Mode
002 "client" #1: initiating Main Mode
104 "client" #1: STATE_MAIN_I1: initiate
"client" #1: received Vendor ID payload [Openswan (this version) 2.6.34 ]
"client" #1: received Vendor ID payload [Dead Peer Detection]
003 "client" #1: received Vendor ID payload [Openswan (this version) 2.6.34 ]
003 "client" #1: received Vendor ID payload [Dead Peer Detection]
"client" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
002 "client" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"client" #1: STATE_MAIN_I2: sent MI2, expecting MR2
106 "client" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"client" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"client" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "client" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "client" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"client" #1: ignoring informational payload, type
INVALID_KEY_INFORMATION msgid=00000000
"client" #1: received and ignored informational message
003 "client" #1: ignoring informational payload, type
INVALID_KEY_INFORMATION msgid=00000000
003 "client" #1: received and ignored informational message
010 "client" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
"client" #1: ignoring informational payload, type
INVALID_KEY_INFORMATION msgid=00000000
"client" #1: received and ignored informational message
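With `rightrsasigkey=%cert` the responder takes the peer's RSA key from a certificate it can trust for the DN it logs as the peer ID, and the `trusted_ca called with a=(empty) b=(empty)` lines above show no CA was involved on the server. The script below is an added check, not part of the post or of Openswan: it builds a throwaway CA and a client certificate carrying the DN from the log (the obfuscated address is assumed to be info@lala.com), prints the subject in the comma-separated form Openswan logs so it can be compared against the peer ID, and verifies whether the certificate chains to a given CA file, which is what the responder needs before it can use the key inside.

```shell
#!/bin/sh
# Added example. Constructed throw-away CA and client cert; the DN is the one
# from the server log, the e-mail address is an assumption.
set -eu

WORK=$(mktemp -d)
DN='/C=DE/ST=BY/L=Ort/O=Company/CN=client/emailAddress=info@lala.com'

# Hypothetical CA that the "server" side would load from ipsec.d/cacerts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Client key and CSR with the DN seen in the log, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "$DN" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
# An unrelated CA, to show what a cert the responder cannot trust looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Other CA' \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Print a certificate subject the way Openswan logs a peer ID: most
# significant RDN first, comma separated, e-mail shown as E=.
# OpenSSL's RFC2253 output is least-significant first, so the RDNs are reversed.
openswan_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/emailAddress=/E=/' \
    | awk -F, '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? ", " : ""); print "" }'
}

# Succeed only if the cert chains to the CA file; the output check works on
# old OpenSSL releases whose verify command always exits 0.
check_peer_cert() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

echo "peer ID the responder will log: $(openswan_dn "$WORK/client.crt")"
if check_peer_cert "$WORK/ca.crt" "$WORK/client.crt"; then
  echo "client.crt chains to ca.crt: responder can take the RSA key from it"
fi
if ! check_peer_cert "$WORK/other.crt" "$WORK/client.crt"; then
  echo "client.crt does not chain to other.crt: expect 'no RSA public key known for'"
fi
```

Compare the printed DN with the `Main mode peer ID` line in the server log and run the chain check against the CA file the server actually has loaded.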

