[strongSwan] [Strongswan]expected hash algorithm HASH_SHA1, but found HASH_SHA256 error
Richard Andrews
richard.andrews at symstream.com
Wed Aug 22 09:02:38 CEST 2012
I'll try again
You have the rightid configured to use only the email address part of the
Cisco's ID trusted CA. I think the ID doesn't match so it does not
consider the auth policy defined in conn site-site.
What has worked for me in this situation (IOS 12.4 and IOS 15.1) is to
export the cert from the Cisco as PEM. Then use e.g.
rightauth=rsasig
rightcert=cisco.crt.pem
This should unblock you. The cert forms a convenient container for the
peer ID + RSA pubkey. You probably then want to get the rightid= syntax
figured out and go back to your original config.
The identity in that Cisco cert looks awfully short.
Can someone show how to convert "C=IN, O=CAS" to a rightid= config line?
I remember it wasn't what I expected in some way.
On Wed, 2012-08-22 at 12:16 +0530, SaRaVanAn wrote:
> Hi,
> I am trying to form a tunnel using RSA authentication in Strongswan
> with CISCO as peer, but
> I am getting the below error message.
>
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] selected peer config
> 'site-site'
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using certificate "C=IN,
> O=CAS"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using trusted ca
> certificate "C=IN, ST=TN, L=CH, O=CAS, E=saravanan at strongswan.org"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] checking certificate status
> of "C=IN, O=CAS"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] certificate status is not
> available
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] reached self-signed root ca
> with a path length of 0
> Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm
> HASH_SHA1, but found HASH_SHA256 (OID:
> 30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)
> Aug 22 12:03:34 uxcasxxx charon: 08[IKE] signature validation failed,
> looking for another key
> Aug 22 12:03:34 uxcasxxx charon: 08[ENC] generating IKE_AUTH response
> 1 [ N(AUTH_FAILED) ]
>
> Please find my configurations below.
>
> ca vpnca
> cacert=ikeca_email.crt
> auto=add
>
> config setup
> plutostart=yes
> plutodebug=all
> charonstart=yes
> charondebug=all
> nat_traversal=yes
> crlcheckinterval=10m
> strictcrlpolicy=no
>
> conn %default
> ikelifetime=8h
> lifetime = 8h
> rekeyfuzz = 100%
> keyingtries=1
>
> conn site-site
> left=172.31.114.227
> leftcert=LeftGty_email.crt
> ike=aes128-sha256-modp1536!
> esp=aes128-sha256!
> leftid=carol at strongswan.org
> rightsubnet=0.0.0.0/0
> leftfirewall=yes
> right=%any
> rightid=saravanan at strongswan.org
> keyexchange=ikev2
> auto=add
>
> ipsec.secrets
> : RSA LeftGty_email.key
>
> I am suspecting the problem in configurations. If so, please help me to
> correct the configuration or else
> what could be the reason for the failure?
>
> Regards,
> Saravanan N
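The charon line quoted above prints the raw DER AlgorithmIdentifier after "OID:", so an administrator can verify for themselves which digest the peer actually signed with. As an added example for this thread (not code from strongSwan or from either poster), the following stdlib-only Python decoder parses that hex dump back into a dotted OID and a digest name. The OID table is the standard digest and PKCS#1 identifier set from RFC 3279 and RFC 4055; the function names and the `SAMPLE_LINE` (reassembled from the multi-line log excerpt in the thread) are this example's own.

```python
"""Decode the DER AlgorithmIdentifier that charon prints after "OID:" in
"expected hash algorithm X, but found Y (OID: ...)" log lines.

Added example for this thread; stdlib only, not strongSwan code.
"""
import re
from typing import Dict, Tuple

# Digest and RSA-signature OIDs from RFC 3279 / RFC 4055 / PKCS#1.
KNOWN_OIDS: Dict[str, str] = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
    "1.2.840.113549.2.5": "md5",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# Log line reassembled from the excerpt quoted in this thread.
SAMPLE_LINE = ("Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm "
               "HASH_SHA1, but found HASH_SHA256 (OID: "
               "30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)")

LOG_RE = re.compile(
    r"expected hash algorithm (\w+), but found (\w+) \(OID:\s*([0-9a-f:]+)\)")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation (X.690 8.19)."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    # The first octet packs the first two arcs as 40*a + b; a is 0, 1 or 2.
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for octet in value[1:]:
        acc = (acc << 7) | (octet & 0x7F)  # base-128, big-endian
        pending = bool(octet & 0x80)       # high bit set means "more octets follow"
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_algorithm_identifier(hex_oid: str) -> Dict[str, str]:
    """Parse charon's colon-separated hex dump: SEQUENCE { OID, optional params }."""
    raw = bytes.fromhex(hex_oid.replace(":", ""))
    tag, seq, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected a single SEQUENCE")
    tag, oid_bytes, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    params = "absent"
    if pos < len(seq):
        ptag, pval, pos = read_tlv(seq, pos)
        params = "NULL" if ptag == 0x05 and pval == b"" else "present"
    return {"oid": oid, "name": KNOWN_OIDS.get(oid, "unknown"), "params": params}


def explain_log_line(line: str) -> str:
    """Cross-check charon's expected/found claim against the decoded OID bytes."""
    m = LOG_RE.search(line)
    if not m:
        return "no hash-mismatch message in line"
    expected, found, hex_oid = m.groups()
    info = parse_algorithm_identifier(hex_oid)
    return (f"log: expected {expected}, found {found}; OID decodes to "
            f"{info['name']} ({info['oid']}), parameters {info['params']}")


if __name__ == "__main__":
    print(explain_log_line(SAMPLE_LINE))
```

Run against the thread's line, the dump decodes to 2.16.840.1.101.3.4.2.1 with NULL parameters, i.e. the peer signed the AUTH payload with SHA-256 while this charon only accepted SHA-1 for the RSA signature, which is exactly what the log claims. The same decoder can be pointed at any other OID dump charon prints; for the peer certificate itself, `openssl x509 -in cisco.crt.pem -noout -text` shows the signature algorithm and the subject DN in one place.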