[strongSwan] [Strongswan] expected hash algorithm HASH_SHA1, but found HASH_SHA256 error
richard.andrews at symstream.com
Wed Aug 22 09:02:38 CEST 2012
I'll try again
You have the rightid configured to use only the email address part of the
Cisco's ID trusted CA. I think the ID doesn't match so it does not
consider the auth policy defined in conn site-site.
What has worked for me in this situation (IOS 12.4 and IOS 15.1) is to
export the cert from the Cisco as PEM. Then use e.g.
This should unblock you. The cert forms a convenient container for the
peer ID + RSA pubkey. You probably then want to get the rightid= syntax
figured out and go back to your original config.
The identity in that Cisco cert looks awfully short.
Can someone show how to convert "C=IN, O=CAS" to a rightid= config line?
I remember it wasn't what I expected in some way.
On Wed, 2012-08-22 at 12:16 +0530, SaRaVanAn wrote:
> I am trying to form a tunnel using RSA authentication in Strongswan
> with CISCO as peer, but
> I am getting the below error message.
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] selected peer config
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using certificate "C=IN,
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using trusted ca
> certificate "C=IN, ST=TN, L=CH, O=CAS, E=saravanan at strongswan.org"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] checking certificate status
> of "C=IN, O=CAS"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] certificate status is not
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] reached self-signed root ca
> with a path length of 0
> Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm
> HASH_SHA1, but found HASH_SHA256 (OID:
> Aug 22 12:03:34 uxcasxxx charon: 08[IKE] signature validation failed,
> looking for another key
> Aug 22 12:03:34 uxcasxxx charon: 08[ENC] generating IKE_AUTH response
> 1 [ N(AUTH_FAILED) ]
> Please find my configurations below.
> ca vpnca
> config setup
> conn %default
> lifetime = 8h
> rekeyfuzz = 100%
> conn site-site
> leftid=carol at strongswan.org
> rightid=saravanan at strongswan.org
> : RSA LeftGty_email.key
> I am suspecting the problem in configurations. If so, please help me to
> correct the configuration or else
> what could be the reason for the failure?
> Saravanan N
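
Added example (not part of the original thread, and not strongSwan code): a small triage script that pulls the peer and CA subject DNs, the hash mismatch and the AUTH_FAILED notify out of the charon lines quoted above, then checks whether the configured rightid value appears in either DN. The function names are hypothetical, the DN comparison is a simplified string check rather than strongSwan's identity matching, and subjectAltName entries are not visible in these log lines.

```python
import re

# Constructed sample: charon lines from the post with wrapped lines rejoined
# and the cut-off OID left out. Addresses keep the list archive's " at " form.
SAMPLE_LOG = '''\
Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using trusted ca certificate "C=IN, ST=TN, L=CH, O=CAS, E=saravanan at strongswan.org"
Aug 22 12:03:34 uxcasxxx charon: 08[CFG] checking certificate status of "C=IN, O=CAS"
Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm HASH_SHA1, but found HASH_SHA256
Aug 22 12:03:34 uxcasxxx charon: 08[IKE] signature validation failed, looking for another key
Aug 22 12:03:34 uxcasxxx charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
'''
CONFIGURED_RIGHTID = "saravanan at strongswan.org"  # rightid= from conn site-site

LINE = re.compile(r'charon: (?P<job>\d+)\[(?P<sub>[A-Z]{3})\] (?P<msg>.*)$')
PATTERNS = {
    "ca_dn": re.compile(r'using trusted ca certificate "(.+)"'),
    "peer_dn": re.compile(r'checking certificate status of "(.+)"'),
    "hash": re.compile(r'expected hash algorithm (\w+), but found (\w+)'),
}

def norm(value):
    """Undo the archive's address obfuscation and lowercase for comparison."""
    return value.replace(" at ", "@").strip().lower()

def rdn_values(dn):
    """Split 'C=IN, O=CAS' into [('C', 'IN'), ('O', 'CAS')]; escaped commas not handled."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",") if "=" in p]

def id_in_dn(ident, dn):
    """True if ident equals the whole DN or the value of one of its RDNs."""
    return norm(ident) == norm(dn) or any(norm(v) == norm(ident) for _, v in rdn_values(dn))

def triage(log, rightid):
    found = {"auth_failed": False}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a charon line
        msg = m.group("msg")
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                found[key] = hit.groups() if key == "hash" else hit.group(1)
        found["auth_failed"] |= "N(AUTH_FAILED)" in msg
    found["rightid_in_peer_dn"] = id_in_dn(rightid, found.get("peer_dn", ""))
    found["rightid_in_ca_dn"] = id_in_dn(rightid, found.get("ca_dn", ""))
    return found

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, CONFIGURED_RIGHTID).items():
        print(f"{key}: {value}")
```

On the sample lines the configured rightid is found as the E= value of the CA's DN but not in the peer certificate's subject "C=IN, O=CAS".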