Frequently Asked Questions (FAQ) » History » Version 2

Martin Willi, 05.03.2009 11:59
added FAQ regarding error message "no RSA public key known for"

= Frequently Asked Questions =

'''Q:''' ''I'm trying to set up a VPN tunnel with a ZyXEL/Linksys/X router, but the other side keeps telling me "no proposal chosen" when strongSwan initiates the connection.''

'''A:''' Make sure that the peer supports every algorithm (including the key lengths) that strongSwan proposes for IKE and ESP. For IKE the proposal consists of the encryption algorithm, the hash algorithm (also used as the PRF) and the DH group. For ESP it consists of the encryption algorithm, the hash (integrity) algorithm, the PFS group (DH group) and the '''compression algorithm'''. Many IPsec implementations do '''not''' support compression at all or have implemented it erroneously, so the first thing to try in this situation is to switch compression off on the peer. strongSwan's default setting is
{{{
compress=no
}}}
See also Chapter [http://www.strongswan.org/docs/readme4.htm#section_14.1 14.1 Authentication and encryption algorithms] of the strongSwan documentation. It has good information about the relevant parameters.
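As an added example (not part of the original FAQ page or of the strongSwan documentation), here is an ipsec.conf conn that pins strongSwan to a single IKE and a single ESP proposal and keeps compression off. The connection name, addresses, subnets and the chosen algorithms are assumptions for illustration; which proposal you pick depends on what the router actually supports, so match it against the router's phase 1 / phase 2 settings.

```ini
# /etc/ipsec.conf (illustrative fragment, not from the original FAQ)
conn zyxel-router
    keyexchange=ikev1
    # Exactly one IKE proposal: AES with a 128-bit key, SHA-1, DH group 2.
    # The trailing "!" switches strongSwan to strict mode, so it proposes
    # only this suite instead of appending its built-in defaults.
    ike=aes128-sha1-modp1024!
    # Exactly one ESP proposal: AES-128, HMAC-SHA1, PFS with DH group 2.
    # Drop "-modp1024" if the router does not do PFS in Quick Mode.
    esp=aes128-sha1-modp1024!
    # IPComp is the usual reason for "no proposal chosen"; leave it off.
    compress=no
    # Addresses and subnets below are placeholders for the example.
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    right=192.0.2.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start
```

If the router is happy with the key length but not with the hash or the group, change only that one part of the suite; changing several parts at once makes it hard to tell which one the router rejected.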

'''Q:''' ''I'm getting the error message "no RSA public key known for '....'". What am I doing wrong?''

'''A:''' If you use RSA signatures for authentication, strongSwan needs the peer's RSA public key in order to verify the peer's signature. This public key can be supplied either directly with the {{{rightrsasigkey}}} directive in the configuration file, which was popular with FreeS/WAN, or it can be extracted from the peer's X.509 certificate. That certificate can in turn be preloaded with the {{{rightcert}}} directive if a copy is available locally, or it can be requested from the remote end by a ''certificate request''. If the certificate is missing, one reason might be that the remote end refused to send it. Another reason could be that strongSwan did not send a ''certificate request'', which happens if you set the {{{nocrsend}}} option to {{{yes}}}. The Astaro Security Gateway, which uses strongSwan behind the scenes, is known to do that. To make the IPsec connection work in that scenario you need to set {{{leftsendcert}}} to {{{yes}}} on the other end: with {{{leftsendcert=yes}}} strongSwan sends its certificate even if no ''certificate request'' was received, which helps to interoperate with such misconfigured peers.
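As an added example (not part of the original FAQ page), here is the configuration on the side that has to talk to a peer which never sends a certificate request. The setting that causes the problem is shown alongside the one that works around it; the connection name, the certificate file names, the peer address and the identity are assumptions for illustration.

```ini
# /etc/ipsec.conf (illustrative fragment, not from the original FAQ)
config setup
    # nocrsend=yes suppresses the certificate request; that is the setting
    # which makes the peer unable to learn our public key. Keep the default.
    nocrsend=no

conn astaro-peer
    keyexchange=ikev1
    authby=rsasig
    left=%defaultroute
    # Our own certificate, read from /etc/ipsec.d/certs/ (placeholder name).
    leftcert=gwCert.pem
    # Send our certificate even when the peer sends no certificate request,
    # so a peer that has nocrsend=yes can still verify our signature.
    leftsendcert=yes
    # Peer address and identity are placeholders for the example.
    right=192.0.2.1
    rightid="C=CH, O=Example, CN=peer.example.org"
    # Preloading the peer's certificate means we do not depend on the peer
    # sending it; without it, rightrsasigkey would be the alternative.
    rightcert=peerCert.pem
    auto=add
```

Preloading {{{rightcert}}} on both ends removes the dependency on certificate payloads altogether, which is the most robust arrangement when one side is known to behave differently from the standard exchange.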