[strongSwan-dev] signature validation failed, looking for another key

Ballu ballu devel.tech1 at gmail.com
Fri Sep 19 14:56:03 CEST 2014


Hi all,

I am facing an issue with tunnel creation using IKEv2 on strongSwan 4.5.3
(Linux kernel 2.6.38). I am setting up a tunnel using Oberthur Authentic IC 3.2
cards. The installed OpenSC version is 0.13.

The SCs (smart cards) are working fine with the IKEv1 configuration. However, with
IKEv2 I am getting the following error in the logs.

Sep 18 14:52:23 TEST charon: 15[IKE] received cert request for "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[IKE] received end entity cert "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG] looking for peer configs matching 192.168.100.1[CN=DEVICEB]...192.168.100.2[CN=DEVICEA]
Sep 18 14:52:23 TEST charon: 15[CFG] selected peer config 'tunnel'
Sep 18 14:52:23 TEST charon: 15[CFG]   using certificate "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG]   using trusted ca certificate "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG] checking certificate status of "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG]   fetching crl from 'http://nexus/crl.crl' ...
Sep 18 14:52:23 TEST charon: 15[CFG]   using trusted certificate "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG]   crl correctly signed by "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG]   crl is valid: until Sep 15 13:16:14 2024
Sep 18 14:52:23 TEST charon: 15[CFG] certificate status is good
Sep 18 14:52:23 TEST charon: 15[CFG]   reached self-signed root ca with a path length of 0
Sep 18 14:52:23 TEST charon: 15[IKE] signature validation failed, looking for another key
Sep 18 14:52:23 TEST charon: 15[IKE] peer supports MOBIKE
Sep 18 14:52:23 TEST charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]



The ipsec.secrets configuration is the following:

: PIN %smartcard1:10 "1234"

The slot is 1 and the ID of the private/public key on the smart card is 10.

ipsec.conf is also given below.

config setup
        #plutodebug="all"
        plutostart=no
        charondebug="all"
        charonstart=yes
        uniqueids=yes
        nat_traversal=yes

conn %default

conn tunnel #
        left=192.168.100.1
        right=192.168.100.2
        leftid="CN=DEVICEB"
        rightid="CN=DEVICEA"

        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        pfsgroup=modp1024
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        pfs=no
        #leftcert=%smartcard1:10
        auto=start
        keyexchange=ikev2
        type=tunnel

Please guide me or give me some direction to sort out this issue.

regards
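A check worth running before anything else, added here as an example and not part of the original post or of strongSwan/OpenSC: in the log above the responder builds and validates the chain for "CN=DEVICEA" (CRL good, root reached) and only then reports "signature validation failed", which means the AUTH payload could not be verified with the public key in the certificate the peer sent. The first thing to rule out is that the certificate presented and the private key doing the signing are not the same pair. The script compares the SubjectPublicKeyInfo fingerprint of a certificate with the one derived from a key. The pkcs15-tool invocations in the comments (slot/ID taken from the post) are how the inputs would be pulled from the card and are an assumption, not something run here; the self-test instead generates its own constructed key pairs with openssl so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): does this certificate carry the
# public key of the key that will sign the IKEv2 AUTH payload?  A mismatch shows
# up on the verifying side as "signature validation failed, looking for another key".
#
# Against a real PKCS#15 card the inputs would come from OpenSC (assumed usage,
# object ID 10 as in the post; not executed here):
#   pkcs15-tool --read-certificate 10 > card-cert.pem
#   pkcs15-tool --read-public-key 10 > card-pub.pem
#   cert_matches_key card-cert.pem card-pub.pem pub && echo "cert and key 10 belong together"
set -e

# SHA-256 over the DER SubjectPublicKeyInfo embedded in a certificate.
cert_spki_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint derived from a key file: a private key by default, or a
# public key (the form pkcs15-tool --read-public-key emits) when $2 is "pub".
key_spki_fp() {
    if [ "${2:-priv}" = pub ]; then
        openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
    else
        openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
    fi
}

# Exit status 0 when certificate $1 and key $2 (kind $3) are the same pair.
cert_matches_key() {
    c=$(cert_spki_fp "$1")
    k=$(key_spki_fp "$2" "${3:-priv}")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Offline self-test with constructed material: key A with its own self-signed
# certificate, and an unrelated key B standing in for "the wrong object".
self_test() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=DEVICEA" -days 1 \
        -keyout "$d/a.key" -out "$d/a.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/b.key" >/dev/null 2>&1
    openssl pkey -in "$d/a.key" -pubout -out "$d/a.pub" 2>/dev/null
    ok=0
    cert_matches_key "$d/a.crt" "$d/a.key"     || ok=1   # private key of A: match
    cert_matches_key "$d/a.crt" "$d/a.pub" pub || ok=1   # public key of A: match
    ! cert_matches_key "$d/a.crt" "$d/b.key"   || ok=1   # key B: must not match
    rm -rf "$d"
    return $ok
}

self_test && echo "self-test: ok"
```

If the fingerprints differ on the real card, the certificate being presented is not the one belonging to key 10, and that is the configuration to fix before looking at the IKE proposal or the CA side; if they match, the signing key is correct and the problem lies elsewhere in the IKE_AUTH handling.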