[strongSwan] signature validation failed error

Piyush Agarwal agarwalpiyush at gmail.com
Mon May 15 19:40:53 CEST 2017


Hi,
I am running into a strange issue and would appreciate any help in
debugging what could be going wrong.

I am using self-signed certs for both my client and server. The client sends
its cert to the server (via an out-of-band channel) and vice versa so that
verification can be done.

I am using the same subject DN for both my client and server (again, as bad
as this is, this works for our setup).

All is good and IPsec comes up. Now I am simulating a failure scenario where
the server dies and restarts after, say, 40 seconds, and I expect IPsec to come
up again because the client is programmed to retry every 30 seconds. [BTW, the
client here detects that the server is down by checking the output of setkey -D
to see whether mature bi-directional IPsec SAs are present or not.]

Client logic on detecting IPsec down for 30 seconds (Start state is IPsec
transport tunnel established):
========================================
1) Call ipsec stop
2) Receive out-of-band event that the server is up, connect to the server
3) Regenerate private key and store in ipsec.d/private/
4) Regenerate self-signed cert and store in ipsec.d/certs/client.cert
5) Get the server's self-signed cert and store in local
ipsec.d/certs/server.cert. Send the client's self-signed cert to the server
6) ipsec start to bring the tunnel up

Server events (Start state is IPsec transport tunnel established):
===========
1) Server is shut down, resulting in the ipsec daemon stopping
2) After 40 seconds, the server restarts
3) Generate private key and store in ipsec.d/private/
4) Generate self-signed cert and store in ipsec.d/certs/server.cert
5) Receive out-of-band event that the client is trying to register
6) Send own cert to the client and store the client's cert in
ipsec.d/certs/client.cert
7) ipsec start to bring the tunnel up
7.1) Each subsequent client re-attempt (every 30 seconds) will lead to "ipsec
reload" and not an "ipsec stop/start" cycle on the server end.

At this point the server logs complain the following:
07[CFG] selected peer config 'x.x.x.x'
07[CFG]   using trusted certificate "ABCDEFGH"
07[IKE] signature validation failed, looking for another key

Appreciate any guidance.
-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
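Added example (not part of the original post or of strongSwan itself): a pre-flight check that either side could run between storing the peer's cert and calling ipsec start, to confirm that the cert on disk is the one the peer generated in this cycle. It is plain Python 3 (standard library only) and assumes the cert files are PEM or DER, as in the post's ipsec.d/certs layout; the X.509 parsing is a minimal DER walker written for this example, the certificates it runs on are constructed inside the block with fake keys and a placeholder signature, and no signature is verified. It reports (a) a stored peer cert whose SHA-256 fingerprint differs from the cert the peer now presents, and (b) an own cert and peer cert that share one subject DN, the ambiguous case when a daemon looks up candidate keys by identity. The keyid it prints is the SHA-1 of the subjectPublicKeyInfo, which should match the keyid line that pki --print and ipsec listcerts display, so it can be compared with what the running daemon has actually loaded.

```python
# Added example: a pre-flight check for the out-of-band certificate exchange
# described in the post. Python 3 standard library only; nothing here calls
# strongSwan. Certificates below are constructed here with fake keys and a
# placeholder signature (no signature is verified); the check compares only
# the subject DN, the key and the whole-cert fingerprint.
import base64
import hashlib

# --- minimal DER encode/decode, enough for an X.509 skeleton ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b      # long form

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)   # keep it positive

def read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into (tag, raw_tlv, value) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = read_tlv(body, pos)
        out.append((tag, body[pos:end], value))
        pos = end
    return out

def pem_to_der(data):
    """Accept a PEM or DER certificate as bytes and return DER."""
    if data.startswith(b"-----BEGIN"):
        lines = [l for l in data.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data

def to_pem(der):
    b64 = base64.b64encode(der)
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"

# --- constructed certificates (fake keys, unsigned) ---
OID_CN = tlv(0x06, b"\x55\x04\x03")                           # commonName
OID_RSA = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")  # rsaEncryption
OID_SHA256_RSA = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
NULL = tlv(0x05, b"")

def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def make_cert(serial, cn, pubkey_bytes):
    """Structurally valid self-signed X.509 skeleton (issuer == subject)."""
    validity = seq(tlv(0x17, b"170515000000Z"), tlv(0x17, b"270515000000Z"))
    spki = seq(seq(OID_RSA, NULL), tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), seq(OID_SHA256_RSA, NULL),
              name(cn), validity, name(cn), spki)
    signature = tlv(0x03, b"\x00" * 9)        # placeholder, never verified
    return seq(tbs, seq(OID_SHA256_RSA, NULL), signature)

# --- the check ---
def parse_cert(data):
    der = pem_to_der(data)
    _, cert, _ = read_tlv(der, 0)
    fields = children(children(cert)[0][2])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # optional [0] version
        fields = fields[1:]
    serial, _sigalg, _issuer, _validity, subject, spki = fields[:6]
    keyid = hashlib.sha1(spki[1]).hexdigest()  # SHA-1 of subjectPublicKeyInfo
    return {"serial": int.from_bytes(serial[2], "big"),
            "subject": subject[1],
            "keyid": ":".join(keyid[i:i + 2] for i in range(0, 40, 2)),
            "fingerprint": hashlib.sha256(der).hexdigest()}

def check_exchange(stored_peer_cert, peer_presented_cert, own_cert):
    """Problems with the peer cert we stored versus the one the peer now has."""
    stored, fresh, own = (parse_cert(c) for c in
                          (stored_peer_cert, peer_presented_cert, own_cert))
    issues = []
    if stored["fingerprint"] != fresh["fingerprint"]:
        issues.append("stale peer cert on disk: keyid %s, peer now has keyid %s"
                      % (stored["keyid"], fresh["keyid"]))
    if own["subject"] == fresh["subject"]:
        issues.append("own cert and peer cert share one subject DN; "
                      "a key lookup by identity matches both")
    return issues

# Scenario from the post: one DN on both sides, client key regenerated after
# the server restart, server still holding the previous client.cert.
SERVER_CERT = make_cert(10, "vpn", b"\x0a" * 32)
CLIENT_OLD = make_cert(1, "vpn", b"\x01" * 32)
CLIENT_NEW = make_cert(2, "vpn", b"\x02" * 32)

if __name__ == "__main__":
    for problem in check_exchange(CLIENT_OLD, CLIENT_NEW, SERVER_CERT):
        print("PROBLEM:", problem)
```

In practice the three arguments would be the bytes of ipsec.d/certs/client.cert as the server stored it, the cert the client just sent over the out-of-band channel, and the server's own server.cert; an empty list means the files are consistent before ipsec start or ipsec reload is attempted.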