[strongSwan] [Strongswan] expected hash algorithm HASH_SHA1, but found HASH_SHA256 error
Richard Andrews
richard.andrews at symstream.com
Wed Aug 22 08:50:23 CEST 2012
Disregard. Got the logging backwards.
On Wed, 2012-08-22 at 16:49 +1000, Richard Andrews wrote:
> Your Cisco must be configured to use sha-1 instead of sha-256.
> Strongswan is using sha-256 which the Cisco is complaining about. Check
> your crypto map and related isakmp profiles.
>
> On Wed, 2012-08-22 at 12:16 +0530, SaRaVanAn wrote:
> > Hi,
> > I am trying to form a tunnel using RSA authentication in Strongswan
> > with CISCO as peer, but
> > I am getting the below error message.
> >
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] selected peer config
> > 'site-site'
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using certificate "C=IN,
> > O=CAS"
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using trusted ca
> > certificate "C=IN, ST=TN, L=CH, O=CAS, E=saravanan at strongswan.org"
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] checking certificate status
> > of "C=IN, O=CAS"
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] certificate status is not
> > available
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] reached self-signed root ca
> > with a path length of 0
> > Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm
> > HASH_SHA1, but found HASH_SHA256 (OID:
> > 30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)
> > Aug 22 12:03:34 uxcasxxx charon: 08[IKE] signature validation failed,
> > looking for another key
> > Aug 22 12:03:34 uxcasxxx charon: 08[ENC] generating IKE_AUTH response
> > 1 [ N(AUTH_FAILED) ]
> >
> > Please find my configurations below.
> >
> > ca vpnca
> >     cacert=ikeca_email.crt
> >     auto=add
> >
> > config setup
> >     plutostart=yes
> >     plutodebug=all
> >     charonstart=yes
> >     charondebug=all
> >     nat_traversal=yes
> >     crlcheckinterval=10m
> >     strictcrlpolicy=no
> >
> > conn %default
> >     ikelifetime=8h
> >     lifetime = 8h
> >     rekeyfuzz = 100%
> >     keyingtries=1
> >
> > conn site-site
> >     left=172.31.114.227
> >     leftcert=LeftGty_email.crt
> >     ike=aes128-sha256-modp1536!
> >     esp=aes128-sha256!
> >     leftid=carol at strongswan.org
> >     rightsubnet=0.0.0.0/0
> >     leftfirewall=yes
> >     right=%any
> >     rightid=saravanan at strongswan.org
> >     keyexchange=ikev2
> >     auto=add
> >
> > ipsec.secrets
> > : RSA LeftGty_email.key
> >
> > I am suspecting the problem in configurations. If so, please help me to
> > correct the configuration or else
> > what could be the reason for the failure?
> >
> > Regards,
> > Saravanan N
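Added example, not part of the original thread and not strongSwan's own code: the `OID:` bytes in the charon `[LIB]` line are a DER-encoded AlgorithmIdentifier, and decoding them confirms which hash algorithm the "found" field refers to. The function names and the re-joined sample line are assumptions made for this illustration.

```python
import re

# Hash OIDs that can appear in an RSA signature's DigestInfo.
HASH_OIDS = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256",
             "2.16.840.1.101.3.4.2.2": "SHA-384", "2.16.840.1.101.3.4.2.3": "SHA-512"}
LINE = re.compile(r"expected hash algorithm (\w+), but found (\w+) \(OID: ([0-9a-f:]+)\)")
# The wrapped log line from the quoted message, re-joined onto one line.
SAMPLE = ("Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm HASH_SHA1, "
          "but found HASH_SHA256 (OID: 30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)")

def read_tlv(buf, pos):
    """Read one DER element; return (tag, value, offset of the next element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid_to_dotted(body):
    """Decode OID content bytes (base-128 arcs, first two arcs packed together)."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def explain(log_line):
    """Return the decoded fields of a hash-mismatch line, or None for any other line."""
    m = LINE.search(log_line)
    if not m:
        return None
    expected, found, hexstr = m.groups()
    tag, seq, _ = read_tlv(bytes.fromhex(hexstr.replace(":", "")), 0)
    if tag != 0x30:
        raise ValueError("OID field is not a DER SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("SEQUENCE does not start with an OID")
    dotted = oid_to_dotted(oid)
    return {"expected": expected, "found": found, "oid": dotted,
            "name": HASH_OIDS.get(dotted, "unknown"), "null_params": seq[pos:] == b"\x05\x00"}
```

Calling `explain(SAMPLE)` returns the expected and found algorithm names from the log together with the dotted OID and its hash name.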