[strongSwan] IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable

Binarus lists at binarus.de
Sat Aug 18 17:26:40 CEST 2018


Dear all,

I am getting the error message mentioned above when trying to connect to
a client's site. Of course, I have tried to research if there already
has been a similar problem, and have found exactly one appropriate thread:

https://lists.strongswan.org/pipermail/users/2018-March/012351.html

Unfortunately, my situation is different; in my case, something else
seems to cause the problem. Having said this:

- It happened after the upgrade from Debian jessie (Debian 8) to Debian
stretch (Debian 9), i.e. after the upgrade from StrongSwan 5.2.1 to
StrongSwan 5.5.1)

- I definitely have copied the whole configuration (including
certificates and so on) from the old system to the new one (AFTER having
installed the new StrongSwan version in the new system). I have double
checked multiple times (applying different methods) that nothing is missing.

- With the old system, I definitely could connect to the client's site
without any problem with exact that configuration.

If it matters, the VPN Gateway at the client's side is a Lancom router
(I don't know the exact type, but it is newer one, and I am absolutely
sure that they didn't any changes to it while I was upgrading my system,
and to stress it again, the old system / StrongSwan version could
connect to that device without problems).

This is my /etc/ipsec.conf (sensitive data has been changed, and lines
which are commented out have been left away):


config setup

conn %default
  mobike=no

conn myclient
  ikelifetime=10800s
  keylife=3600s
  rekeymargin=9m
  keyingtries=1
  type=tunnel
  keyexchange=ikev2
  mobike=no
  ike=aes256-sha512-modp4096!
  esp=aes256-sha512-modp4096!
  left=xxxxxxxxxxxxxxxx.hopto.org
  leftauth=rsa-4096-sha512
  leftid="/CN=xxxxxxxxxxxxxxxx.hopto.org"
  leftsubnet=192.168.20.0/24
  leftfirewall=no
  leftcert=mycompany-client.crt
  right=yyyyyyyyyyyyyyyy.zapto.org
  rightauth=rsa-4096-sha512
  rightid="/CN=yyyyyyyyyyyyyyyy.zapto.org"
  rightsubnet=192.168.0.0/24
  auto=add


This is the error message (sensitive data changed in the same way as
with ipsec.conf):

root at charon:/etc# /etc/init.d/ipsec restart
[ ok ] Restarting ipsec (via systemctl): ipsec.service.
root at charon:/etc# ipsec up myclient
initiating IKE_SA myclient[3] to 79.192.42.125
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (714 bytes)
received packet: from 79.192.42.125[500] to 87.185.83.87[500] (713 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received 1 cert requests for an unknown ca
sending cert request for "CN=ca.clientsite.local"
authentication of 'CN=xxxxxxxxxxxxxxxx.hopto.org' (myself) with RSA
signature successful
sending end entity cert "CN=xxxxxxxxxxxxxxxx.hopto.org"
establishing CHILD_SA myclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (2048 bytes)
received packet: from 79.192.42.125[500] to 87.185.83.87[500] (1984 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH TSi TSr N(INIT_CONTACT) SA ]
received end entity cert "CN=yyyyyyyyyyyyyyyy.zapto.org"
  using certificate "CN=yyyyyyyyyyyyyyyy.zapto.org"
  using trusted ca certificate "CN=ca.clientsite.local"
checking certificate status of "CN=yyyyyyyyyyyyyyyy.zapto.org"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'CN=yyyyyyyyyyyyyyyy.zapto.org' with RSA signature
successful
IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
selected peer config 'myclient' inacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (96 bytes)
establishing connection 'myclient' failed
root at charon:/etc#


Does anybody have an idea?

Thank you very much in advance,

Binarus



More information about the Users mailing list