[strongSwan] IKEv1 Pubkey Auth Fails from Windows to Linux

Detweiler, Quinn Quinn.Detweiler at unisys.com
Thu Feb 4 21:39:50 CET 2016

Hi Tobias,

> OK, I found the issue.  The problem is that Windows, at least as
> initiator, creates IKEv1 ECDSA signatures incorrectly if the negotiated
> integrity algorithm does not match the one associated with the ECDSA
> authentication method.

This was the problem!  I was able to fix by following your configuration instructions.
> For some reason Windows seems to do this
> correctly if it acts as responder (I have not been able to verify this,
> though).

I double checked my configuration, and I realized that I was actually using a different ipsec.conf file when testing tunnel initiation from Linux to Windows.  In that case, I had configured ike to use SHA2-384.  This is why I could open tunnels when initiating from Linux.  I re-tested using the same configuration as in the Windows to Linux case (SHA2-256 for integrity), and tunnels would no longer open.  Instead (as expected), I got "AUTHENTICATION_FAILED" messages coming back from Windows.  

Thanks again for all your help!

More information about the Users mailing list