Post History
#1: Initial revision
strongswan can't find "trusted RSA public key"
I am trying to connect to a VPN server (**that I don't control**) using IKEv2 and strongswan. The connection fails with `[IKE] no trusted RSA public key found for 'xxx.xxx.xxx.xxx'`. I downloaded the Sectigo certificates (Sectigo RSA Domain Validation CA Bundle) and put them in `/etc/swanctl/x509ca`. I see them being loaded when I run `swanctl -q`. What caught my attention is that the server uses a wildcard certificate. Is there a way to force strongswan to trust it? Is there a way to download or display the certificate from the server and put it in `/etc/swanctl/pubkey`? Thanks for the help.

This is my `swanctl.conf`:

```
connections {
    example-uk {
        remote_addrs = uk.vpn.example.net
        local {
            auth = eap
            eap_id = example
            id = @*.vpn.example.net
        }
        remote {
            id = @*.vpn.example.net
        }
        children {
            home {
            }
        }
        version = 2
    }
}
secrets {
    eap-example {
        id = myusername
        secret = mypassword
    }
}
```

This is the connection attempt:

```
[IKE] initiating IKE_SA example-uk[7] to xxx.xxx.xxx.xxx
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from aaa.aaa.aaa.aaa[500] to xxx.xxx.xxx.xxx[500] (1080 bytes)
[NET] received packet: from xxx.xxx.xxx.xxx[500] to aaa.aaa.aaa.aaa[500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA example-uk[7] to xxx.xxx.xxx.xxx
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from aaa.aaa.aaa.aaa[500] to xxx.xxx.xxx.xxx[500] (1272 bytes)
[NET] received packet: from xxx.xxx.xxx.xxx[500] to aaa.aaa.aaa.aaa[500] (472 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] remote host is behind NAT
[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
[IKE] establishing CHILD_SA home{7}
[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from aaa.aaa.aaa.aaa[4500] to xxx.xxx.xxx.xxx[4500] (412 bytes)
[NET] received packet: from xxx.xxx.xxx.xxx[4500] to aaa.aaa.aaa.aaa[4500] (1248 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from xxx.xxx.xxx.xxx[4500] to aaa.aaa.aaa.aaa[4500] (800 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1980 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
[IKE] received end entity cert "CN=*.vpn.example.net"
[IKE] no trusted RSA public key found for 'xxx.xxx.xxx.xxx'
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
[NET] sending packet: from aaa.aaa.aaa.aaa[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
initiate failed: establishing CHILD_SA 'home' failed
```
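To make the wildcard-certificate question in the post concrete, here is an added example (not code from the post or from strongSwan) that matches an IKEv2 peer identity against a certificate's subjectAltName entries using RFC 6125-style wildcard rules; the SAN list and the IP address in it are constructed placeholders, and the `@` prefix handling is a simplified reading of strongSwan's FQDN identity syntax.

```python
# Added example (not from the post): matches an IKEv2 peer identity against the
# subjectAltName entries of a certificate using RFC 6125-style wildcard rules.
# The SAN list and the IP address below are constructed placeholders.
import ipaddress


def parse_identity(identity: str):
    """Classify an identity as written in the config above: '@name' is an FQDN
    (strongSwan's prefix for that type), a bare IP literal is an IP identity."""
    if identity.startswith("@"):
        return "fqdn", identity[1:].lower()
    try:
        ipaddress.ip_address(identity)
        return "ip", identity
    except ValueError:
        return "fqdn", identity.lower()


def dns_name_matches(pattern: str, name: str) -> bool:
    """'*' counts only as the entire left-most label and stands for exactly one
    label: '*.vpn.example.net' covers 'uk.vpn.example.net' but neither
    'vpn.example.net' nor 'a.uk.vpn.example.net'."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        # Refuse wildcards that would cover a whole public suffix ('*.net').
        return len(p) >= 3 and p[1:] == n[1:]
    return p == n


def identity_matches_san(identity: str, san_entries) -> bool:
    """True if some SAN entry of the matching type covers the identity. A DNS
    wildcard never covers an IP identity; only an iPAddress SAN can."""
    kind, value = parse_identity(identity)
    for san_kind, san_value in san_entries:
        if kind == "fqdn" and san_kind == "dns" and dns_name_matches(san_value, value):
            return True
        if kind == "ip" and san_kind == "ip" and \
                ipaddress.ip_address(san_value) == ipaddress.ip_address(value):
            return True
    return False


# Constructed SAN set modelled on the wildcard end-entity cert seen in the log.
WILDCARD_CERT_SANS = [("dns", "*.vpn.example.net"), ("dns", "vpn.example.net")]

if __name__ == "__main__":
    for ident in ("@uk.vpn.example.net", "@a.uk.vpn.example.net", "203.0.113.10"):
        print(ident, "->", identity_matches_san(ident, WILDCARD_CERT_SANS))
```

The last case shows why an identity given as a bare IP address cannot be covered by a DNS wildcard SAN, whatever the CA chain looks like.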