[Openswan Users] Openswan and sha256 Re: Problem: no RSA public key known for -Problem on CentOS 5
fatcharly at gmx.de
Thu Jan 28 10:01:21 EST 2016
Hi again,
I think I found the cause of this problem. When the peer sends over his certificate, I can see the following in the logs:
...(verbose logging: we send over our cert, request the peer's cert, he sends it over, we receive and read it in)
Jan 28 15:07:19 zoey pluto[13908]: | L8 - dnsName:
Jan 28 15:07:19 zoey pluto[13908]: | 'customer-tunnel-2015.customer-xxx.de'
Jan 28 15:07:19 zoey pluto[13908]: | L1 - signatureAlgorithm:
Jan 28 15:07:19 zoey pluto[13908]: | L2 - algorithmIdentifier:
Jan 28 15:07:19 zoey pluto[13908]: | L3 - algorithm:
Jan 28 15:07:19 zoey pluto[13908]: | 'sha256WithRSAEncryption'
Jan 28 15:07:19 zoey pluto[13908]: | L1 - signatureValue:
Jan 28 15:07:19 zoey pluto[13908]: | signature algorithm: 'sha256WithRSAEncryption'
Jan 28 15:07:19 zoey pluto[13908]: "game_customer_test" #1: digest algorithm not supported
Jan 28 15:07:19 zoey pluto[13908]: "game_customer_test" #1: invalid certificate signature from "C=de, O=Customer, CN=Customer CA 2015" on "C=DE, ST=Country, L=City, O=Customer, CN=customer-tunnel-2015.customer-xxx.de"
Jan 28 15:07:19 zoey pluto[13908]: "game_customer_test" #1: X.509 certificate rejected
Jan 28 15:07:19 zoey pluto[13908]: | required CA is '%any'
Jan 28 15:07:19 zoey pluto[13908]: "game_customer_test" #1: no RSA public key known for '@customer-tunnel-2015.customer-xxx.de'
Jan 28 15:07:19 zoey pluto[13908]: | complete state transition with (null)
Jan 28 15:07:19 zoey pluto[13908]: "game_customer_test" #1: sending encrypted notification INVALID_KEY_INFORMATION to 82.xxx.xxx.xxx:500
Jan 28 15:07:19 zoey pluto[13908]: | sending 60 bytes for notification packet through eth1:500 to 82.xxx.xxx.xxx:500 (using #1)
Jan 28 15:07:19 zoey pluto[13908]: | state transition function for STATE_MAIN_I3 failed: INVALID_KEY_INFORMATION
I think this is the problem:
Jan 28 15:07:19 zoey pluto[13908]: | signature algorithm: 'sha256WithRSAEncryption'
Jan 28 15:07:19 zoey pluto[13908]: "game_customer_test" #1: digest algorithm not supported
Is there a way to get openswan to run with support for sha256?
Any suggestions are welcome.
> Sent: Thursday, 28 January 2016 at 11:26
> From: fatcharly at gmx.de
> To: "users openswan.org" <users at lists.openswan.org>
> Subject: [Openswan Users] Problem: no RSA public key known for -Problem on CentOS 5
>
> Hi,
>
> we have been using an openswan-2.6.32-9/CentOS 5 for quite a few years without any problems. But after a change on our x509-based VPN connection (all others are PSK, the system got compiled without support for fipscheck and nssdb) we ran into a problem. We sent our VPN partner a new csr and he sent us back the certificate and the ca-file. But whenever we try to connect to our partner's side, we receive the following error:
>
> #1047: no RSA public key known for '@customer-tunnel-2015.customer-xxx.de'
>
> this is our configuration:
> conn customer
>     left=62.xxx.xxx.xxx
>     leftsubnet=192.168.170.0/24
>     leftnexthop=62.xxx.xxx.xxx
>     leftid="C=DE, ST=Town, L=Land, O=Organisation, OU=Organisastion, CN=vpn hostname"
>     leftrsasigkey=%cert
>     leftcert=hostname-cert_2016.pem
>     right=82.xxx.xxx.xxx
>     rightsubnet=192.168.180.0/24
>     rightnexthop=82.xxx.xxx.xxx
>     rightid=@customer-tunnel-2015.customer-xxx.de
>     rightrsasigkey=%cert
>     authby=rsasig
>     auto=start
>     type=tunnel
>     ikelifetime=28800s
>     keylife=28800s
>     ike=3des-md5-modp1536
>     esp=3des-md5
>     pfs=yes
>
> If I understand this error message right, then there is a problem with the cacert which we use to verify the remote station?
>
> Any suggestions are welcome
>
>
> Kind regards
>
> fatcharly
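One way to check a peer certificate's signature algorithm before handing it to pluto, as an added example that is not part of this thread or of Openswan: a minimal DER walker that reads the outer signatureAlgorithm OID of a certificate and maps it to the name pluto prints in the log. The function names, the assumption that a build without SHA-2 support verifies only MD5 and SHA-1 signatures, and the constructed certificate shell used as test data are mine, not the project's.

```python
import base64, re

# OIDs of the RSA signature algorithms, named as pluto prints them in the log.
SIG_ALG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
# Assumption: a pluto built without SHA-2 support verifies only MD5/SHA-1 signatures.
LEGACY_DIGESTS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def read_tlv(buf, pos):                      # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):                        # OBJECT IDENTIFIER content bytes -> dotted
    parts, val = [str(data[0] // 40), str(data[0] % 40)], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val)); val = 0
    return ".".join(parts)

def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the certificate body."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem_text).split()))

def signature_algorithm(der):
    """Name of the outer signatureAlgorithm of a DER-encoded X.509 Certificate."""
    _, cert, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE {
    _, _, pos = read_tlv(cert, 0)            #   tbsCertificate (skipped),
    _, alg_id, _ = read_tlv(cert, pos)       #   signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)        #   whose first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return SIG_ALG_NAMES.get(d := decode_oid(oid), d)

def legacy_pluto_accepts(der):
    """False means an old pluto would log 'digest algorithm not supported'."""
    return signature_algorithm(der) in LEGACY_DIGESTS

# Constructed test data: a structurally valid Certificate shell, not a real certificate.
def _der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length, fine below 128 bytes
def fake_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))     # tbsCertificate stand-in: serial INTEGER 1
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))      # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa\xbb"))   # + dummy signature bits
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
```

On a real file, `signature_algorithm(pem_to_der(open("peer-cert.pem").read()))` gives the same name that appears in the `signature algorithm:` log line above.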