[support] failed to get public key

qhtf126 qhtf126 at 126.com
Tue Jan 5 22:59:44 JST 2010


Hi,
I am using racoon2 (2009 release) on Linux 2.6.22.
I followed the tutorial at http://www.nautilus6.org/doc/dkhowto/Howto_dynamic_keying.html and created the X.509 certificates.
The ha.conf:
# Home Agent address:  3ffe:0:0:2::1
# MN Home address   :  3ffe:0:0:2::4

# IKEv2 peer definition for the Mobile Node, as seen from the Home Agent.
# NOTE(review): my_id and my_public_key reference the CA certificate and the
# CA private key (cacert.pem / cakey.pem). The HA therefore authenticates as
# the CA itself and keeps the CA signing key on an online host: whoever
# compromises the HA can then issue certificates for arbitrary MNs. The HA
# should present its own end-entity certificate issued by this CA and the CA
# key should stay offline -- confirm against the howto's certificate layout.
# NOTE(review): peers_public_key pins the MN leaf certificate only. The iked
# log reports "unable to get local issuer certificate(20) at depth:0" for this
# very file, i.e. OpenSSL could not find the issuing CA certificate while
# verifying it. Presumably iked consults a separate CA store for this step;
# verify that cacert.pem is installed there (likely as a hashed-name entry).
remote MobileNode {
	ikev2 {
		# Identity the HA asserts: the subject of the named certificate.
		my_id    	x509_subject "/etc/openssl-ca/public-www/cacert.pem";
		# Identity expected from the MN: the subject of its certificate.
		peers_id 	x509_subject "/etc/openssl-ca/clients/certs/mn.mydomain.com.cert";
		# RSA signature authentication (IKEv2 AUTH method 1 in the log).
		kmp_auth_method { rsasig; };
		# Certificate and private key the HA signs its AUTH payload with.
		my_public_key	x509pem 
				"/etc/openssl-ca/public-www/cacert.pem"
				"/etc/openssl-ca/private/cakey.pem";
		# Certificate used to verify the MN's AUTH payload; no key file.
		peers_public_key x509pem
				"/etc/openssl-ca/clients/certs/mn.mydomain.com.cert"
				"";
	};
};

# Policy and selector for protecting the BU/BA messages for Home Registration.
# ESP transport-mode policy protecting BU/BA (Home Registration) between the
# HA (3ffe:0:0:2::1) and the MN home address (3ffe:0:0:2::4).
policy HomeRegBinding {
	remote_index 	MobileNode;	# peer authenticated via the MobileNode block
	ipsec_mode 	transport;
	action 		auto_ipsec;	# negotiate the SAs with IKEv2 on demand
	ipsec_index 	{ ipsec_esp; };
	ipsec_level	require;	# matching traffic must not leave unprotected
	peers_sa_ipaddr	3ffe:0:0:2::4;
	my_sa_ipaddr	3ffe:0:0:2::1;
	install 	off;		# SPD entry not installed by racoon2 -- presumably mip6d does it (see reqid note)
};
# Outbound selector for HomeRegBinding; no inbound counterpart is shown here.
selector HomeRegBinding_out {
	direction 	outbound;
	dst		3ffe:0:0:2::4;
	src		3ffe:0:0:2::1;
	policy_index 	HomeRegBinding;
	# 135 = Mobility Header; the following values are presumably MH types
	# (5 = Binding Update, 6 = Binding Ack). Their order differs from mn.conf
	# ("135 5 6") -- confirm the field order in the racoon2 documentation.
	upper_layer_protocol	135 6 5;
	reqid		201; # Note: you may choose whatever value you want but must be in sync with mip6d.conf and unique.
};

# Policy and selector for protecting the MPS/MPA messages for Mobile Prefix Discovery.
# ESP transport-mode policy protecting MPS/MPA (Mobile Prefix Discovery)
# between the HA and the MN home address; same shape as HomeRegBinding.
policy MobPfxDisc {
	remote_index 	MobileNode;	# peer authenticated via the MobileNode block
	ipsec_mode 	transport;
	action 		auto_ipsec;	# negotiate the SAs with IKEv2 on demand
	ipsec_index 	{ ipsec_esp; };
	ipsec_level	require;	# matching traffic must not leave unprotected
	peers_sa_ipaddr	3ffe:0:0:2::4;
	my_sa_ipaddr	3ffe:0:0:2::1;
	install 	off;		# SPD entry not installed by racoon2 -- presumably mip6d does it
};
# Outbound selector for MobPfxDisc; no inbound counterpart is shown here.
selector MobPfxDisc_out {
	direction 	outbound;
	dst		3ffe:0:0:2::4;
	src		3ffe:0:0:2::1;
	policy_index 	MobPfxDisc;
	# NOTE(review): MPS/MPA are ICMPv6 messages (types 146/147), whereas 135 is
	# the Mobility Header protocol number; 93/92 read as hex would be 147/146.
	# Verify this line against the howto before relying on it -- a selector
	# that matches nothing silently leaves MPS/MPA unprotected.
	upper_layer_protocol	135 93 92;
	reqid		203;	# must match mip6d.conf and be unique
};

# Tunnel all traffic between MN and HA when the MN is not at home.
# ESP tunnel-mode policy for all MN<->HA payload traffic while the MN is away
# from home (no upper-layer restriction in its selector).
policy TunnelPayload {
	remote_index 	MobileNode;	# peer authenticated via the MobileNode block
	ipsec_mode 	tunnel;
	action 		auto_ipsec;	# negotiate the SAs with IKEv2 on demand
	ipsec_index 	{ ipsec_esp; };
	ipsec_level	require;	# matching traffic must not leave unprotected
	peers_sa_ipaddr	3ffe:0:0:2::4;
	my_sa_ipaddr	3ffe:0:0:2::1;
	install 	off;		# SPD entry not installed by racoon2 -- presumably mip6d does it
};
# Outbound selector for TunnelPayload: everything from the HA to the MN home
# address, any protocol. No inbound counterpart is shown here.
selector TunnelPayload_out {
	direction 	outbound;
	dst		3ffe:0:0:2::4;
	src		3ffe:0:0:2::1;
	policy_index 	TunnelPayload;
	reqid		205;	# must match mip6d.conf and be unique
};
mn.conf:
# Home Agent address:  3ffe:0:0:2::1
# MN Home address   :  3ffe:0:0:2::4
# IKEv2 peer definition for the Home Agent, as seen from the Mobile Node.
# NOTE(review): peers_id and peers_public_key reference cacert.pem, so the MN
# expects the HA to identify itself as the CA and to sign with the CA key.
# This mirrors the ha.conf misconfiguration; once the HA gets its own
# end-entity certificate, point peers_id / peers_public_key at that
# certificate and keep cacert.pem only as the trust anchor.
remote HomeAgent {
ikev2 {
# Identity the MN asserts: the subject of its own certificate.
my_id    x509_subject "/etc/racoon2/certs/mn.mydomain.com.cert";
# Identity expected from the HA (currently the CA subject -- see note above).
peers_id x509_subject "/etc/racoon2/certs/cacert.pem";
# RSA signature authentication.
kmp_auth_method { rsasig; };
# Certificate and private key the MN signs its AUTH payload with.
my_public_key x509pem 
"/etc/racoon2/certs/mn.mydomain.com.cert"
"/etc/racoon2/certs/mn.mydomain.com.key.pem";
# Certificate used to verify the HA's AUTH payload; no key file.
peers_public_key x509pem
"/etc/racoon2/certs/cacert.pem"
"";
};
};

# Policy and selector for protecting the BU/BA messages for Home Registration.
# ESP transport-mode policy protecting BU/BA (Home Registration) between the
# MN home address (3ffe:0:0:2::4) and the HA (3ffe:0:0:2::1).
policy HomeRegBinding {
remote_index HomeAgent; # peer authenticated via the HomeAgent block
ipsec_mode transport;
action auto_ipsec; # negotiate the SAs with IKEv2 on demand
ipsec_index { ipsec_esp; };
ipsec_level require; # matching traffic must not leave unprotected
peers_sa_ipaddr 3ffe:0:0:2::1;
my_sa_ipaddr 3ffe:0:0:2::4;
install off; # SPD entry not installed by racoon2 -- presumably mip6d does it (see reqid note)
};
# Outbound selector for HomeRegBinding; no inbound counterpart is shown here.
selector HomeRegBinding_out {
direction outbound;
dst  3ffe:0:0:2::1;
src  3ffe:0:0:2::4;
policy_index HomeRegBinding;
# 135 = Mobility Header; the following values are presumably MH types
# (5 = Binding Update, 6 = Binding Ack), listed in the opposite order to
# ha.conf -- confirm the field order in the racoon2 documentation.
upper_layer_protocol 135 5 6;
reqid 200; # Note: you may choose whatever value you want but must be in sync with mip6d.conf and unique.
};

# Policy and selector for protecting the MPS/MPA messages for Mobile Prefix Discovery.
# ESP transport-mode policy protecting MPS/MPA (Mobile Prefix Discovery)
# between the MN home address and the HA; same shape as HomeRegBinding.
policy MobPfxDisc {
remote_index HomeAgent; # peer authenticated via the HomeAgent block
ipsec_mode transport;
action auto_ipsec; # negotiate the SAs with IKEv2 on demand
ipsec_index { ipsec_esp; };
ipsec_level require; # matching traffic must not leave unprotected
peers_sa_ipaddr 3ffe:0:0:2::1;
my_sa_ipaddr 3ffe:0:0:2::4;
install off; # SPD entry not installed by racoon2 -- presumably mip6d does it
};
# Outbound selector for MobPfxDisc; no inbound counterpart is shown here.
selector MobPfxDisc_out {
direction outbound;
dst  3ffe:0:0:2::1;
src  3ffe:0:0:2::4;
policy_index MobPfxDisc;
# NOTE(review): MPS/MPA are ICMPv6 messages (types 146/147), whereas 135 is
# the Mobility Header protocol number; 92/93 read as hex would be 146/147.
# Verify this line against the howto -- a selector that matches nothing
# silently leaves MPS/MPA unprotected.
upper_layer_protocol 135 92 93;
reqid 202; # must match mip6d.conf and be unique
};

# Tunnel all traffic between MN and HA when the MN is not at home.
# ESP tunnel-mode policy for all MN<->HA payload traffic while the MN is away
# from home (no upper-layer restriction in its selector).
policy TunnelPayload {
remote_index HomeAgent; # peer authenticated via the HomeAgent block
ipsec_mode tunnel;
action auto_ipsec; # negotiate the SAs with IKEv2 on demand
ipsec_index { ipsec_esp; };
ipsec_level require; # matching traffic must not leave unprotected
peers_sa_ipaddr 3ffe:0:0:2::1;
my_sa_ipaddr 3ffe:0:0:2::4;
install off; # SPD entry not installed by racoon2 -- presumably mip6d does it
};
# Outbound selector for TunnelPayload: everything from the MN home address to
# the HA, any protocol. No inbound counterpart is shown here.
selector TunnelPayload_out {
direction outbound;
dst  3ffe:0:0:2::1;
src  3ffe:0:0:2::4;
policy_index TunnelPayload;
reqid 204; # must match mip6d.conf and be unique
};
 
  
The HA iked log output (note the OpenSSL verify error 20, "unable to get local issuer certificate", on the MN certificate):
2010-01-04 11:33:27 [DEBUG]: ikev2_auth.c:437:ikev2_auth_verify(): auth method 1
2010-01-04 11:33:27 [PROTO_ERR]: crypto_openssl.c:351:cb_check_cert(): unable to get local issuer 
certificate(20) at depth:0 SubjectName:/C=JP/ST=Kanagawa/L=Shin-Kawasaki/O=WIDE/OU=Nautilus6 
WG/CN=mn.mydomain.com/emailAddress=mn-user at mydomain.com
2010-01-04 11:33:27 [INTERNAL_ERR]: crypto_openssl.c:306:eay_check_x509cert(): 
2010-01-04 11:33:27 [INTERNAL_ERR]: ike_conf.c:713:ikev2_public_key(): failed verifying certificate 
authrotiy of cert (/etc/openssl-ca/clients/certs/mn.mydomain.com.cert)
2010-01-04 11:33:27 [PROTO_ERR]: ike_conf.c:761:ikev2_public_key(): no matching public key
2010-01-04 11:33:27 [INTERNAL_ERR]: ikev2_auth.c:448:ikev2_auth_verify(): 1:3ffe:0:0:2::1[500] - 
3ffe::3:215:ff:fe4d:7046[500]:(nil):failed to get public key
2010-01-04 11:33:27 [DEBUG]: ikev2_auth.c:535:ikev2_auth_verify(): result: -1
2010-01-04 11:33:27 [PROTO_ERR]: ikev2_auth.c:615:ikev2_verify(): 1:3ffe:0:0:2::1[500] - 
3ffe::3:215:ff:fe4d:7046[500]:0x81babf0:authentication failure
2010-01-04 11:33:27 [DEBUG]: ikev2_payload.c:719:ikev2_notify_payload(): ikev2_notify_payload(0, (nil), 
0, 24, (nil), 0
 
This is strange: the HA fails to get the MN's public key because verification of the MN certificate fails with "unable to get local issuer certificate", even though the CA certificate is what the HA itself is configured with. Can anyone help me with it?

best regards,
Lw
 
 


