[strongSwan] IKEv1 Pubkey Auth Fails from Windows to Linux
Detweiler, Quinn
Quinn.Detweiler at unisys.com
Thu Feb 4 21:39:50 CET 2016
Hi Tobias,
> OK, I found the issue. The problem is that Windows, at least as
> initiator, creates IKEv1 ECDSA signatures incorrectly if the negotiated
> integrity algorithm does not match the one associated with the ECDSA
> authentication method.
This was the problem! I was able to fix it by following your configuration instructions.
> For some reason Windows seems to do this
> correctly if it acts as responder (I have not been able to verify this,
> though).
I double-checked my configuration, and I realized that I was actually using a different ipsec.conf file when testing tunnel initiation from Linux to Windows. In that case, I had configured ike to use SHA2-384. This is why I could open tunnels when initiating from Linux. I re-tested using the same configuration as in the Windows to Linux case (SHA2-256 for integrity), and tunnels would no longer open. Instead (as expected), I got "AUTHENTICATION_FAILED" messages coming back from Windows.
Thanks again for all your help!
Quinn
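The mismatch discussed in this message can be caught before deployment. The following is an added example, not part of the original post or of strongSwan: it scans ipsec.conf text for `ike=` proposals whose SHA integrity algorithm differs from the hash that RFC 4754 ties to the ECDSA authentication method. The function names, the sample configuration and the ECDSA key size passed in are assumptions; the thread does not state the key size.

```python
import re

# RFC 4754: each ECDSA authentication method is tied to one hash.
ECDSA_HASH = {256: "sha256", 384: "sha384", 521: "sha512"}

# strongSwan proposal keywords for SHA integrity algorithms, normalised.
INTEGRITY = {
    "sha": "sha1", "sha1": "sha1",
    "sha256": "sha256", "sha2_256": "sha256",
    "sha384": "sha384", "sha2_384": "sha384",
    "sha512": "sha512", "sha2_512": "sha512",
}

def ike_proposals(conf_text):
    """Yield (conn_name, proposal) for every ike= line in ipsec.conf text."""
    conn = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"ike\s*=\s*(.+)", line)
        if m:
            for prop in m.group(1).rstrip("!").split(","):
                yield conn, prop.strip()

def mismatches(conf_text, ecdsa_bits):
    """Return proposals whose integrity hash is not the ECDSA method's hash.

    A proposal with no SHA integrity keyword at all is also reported.
    """
    want = ECDSA_HASH[ecdsa_bits]
    bad = []
    for conn, prop in ike_proposals(conf_text):
        hashes = {INTEGRITY[t] for t in prop.lower().split("-") if t in INTEGRITY}
        if hashes != {want}:
            bad.append((conn, prop, want))
    return bad

# Constructed sample configuration (not taken from the thread).
SAMPLE = """
conn win-ok
    ike=aes256-sha384-ecp384!
conn win-bad
    ike=aes256-sha256-ecp384!   # integrity does not match ECDSA-384
"""

if __name__ == "__main__":
    for conn, prop, want in mismatches(SAMPLE, 384):
        print(f"{conn}: '{prop}' should use {want} for ECDSA-{384}")
```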