[strongSwan] IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
Binarus
lists at binarus.de
Sat Aug 18 17:26:40 CEST 2018
Dear all,
I am getting the error message mentioned above when trying to connect to
a client's site. Of course, I have tried to research if there already
has been a similar problem, and have found exactly one appropriate thread:
https://lists.strongswan.org/pipermail/users/2018-March/012351.html
Unfortunately, my situation is different; in my case, something else
seems to cause the problem. Having said this:
- It happened after the upgrade from Debian jessie (Debian 8) to Debian
stretch (Debian 9), i.e. after the upgrade from StrongSwan 5.2.1 to
StrongSwan 5.5.1.
- I definitely have copied the whole configuration (including
certificates and so on) from the old system to the new one (AFTER having
installed the new StrongSwan version in the new system). I have double
checked multiple times (applying different methods) that nothing is missing.
- With the old system, I definitely could connect to the client's site
without any problem with exactly that configuration.
If it matters, the VPN gateway at the client's side is a Lancom router
(I don't know the exact type, but it is a newer one, and I am absolutely
sure that they didn't make any changes to it while I was upgrading my system,
and to stress it again, the old system / StrongSwan version could
connect to that device without problems).
This is my /etc/ipsec.conf (sensitive data has been changed, and lines
which are commented out have been left out):

config setup

conn %default
    mobike=no

conn myclient
    ikelifetime=10800s
    keylife=3600s
    rekeymargin=9m
    keyingtries=1
    type=tunnel
    keyexchange=ikev2
    mobike=no
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!
    left=xxxxxxxxxxxxxxxx.hopto.org
    leftauth=rsa-4096-sha512
    leftid="/CN=xxxxxxxxxxxxxxxx.hopto.org"
    leftsubnet=192.168.20.0/24
    leftfirewall=no
    leftcert=mycompany-client.crt
    right=yyyyyyyyyyyyyyyy.zapto.org
    rightauth=rsa-4096-sha512
    rightid="/CN=yyyyyyyyyyyyyyyy.zapto.org"
    rightsubnet=192.168.0.0/24
    auto=add
This is the error message (sensitive data changed in the same way as
with ipsec.conf):
root at charon:/etc# /etc/init.d/ipsec restart
[ ok ] Restarting ipsec (via systemctl): ipsec.service.
root at charon:/etc# ipsec up myclient
initiating IKE_SA myclient[3] to 79.192.42.125
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (714 bytes)
received packet: from 79.192.42.125[500] to 87.185.83.87[500] (713 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received 1 cert requests for an unknown ca
sending cert request for "CN=ca.clientsite.local"
authentication of 'CN=xxxxxxxxxxxxxxxx.hopto.org' (myself) with RSA signature successful
sending end entity cert "CN=xxxxxxxxxxxxxxxx.hopto.org"
establishing CHILD_SA myclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (2048 bytes)
received packet: from 79.192.42.125[500] to 87.185.83.87[500] (1984 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH TSi TSr N(INIT_CONTACT) SA ]
received end entity cert "CN=yyyyyyyyyyyyyyyy.zapto.org"
using certificate "CN=yyyyyyyyyyyyyyyy.zapto.org"
using trusted ca certificate "CN=ca.clientsite.local"
checking certificate status of "CN=yyyyyyyyyyyyyyyy.zapto.org"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'CN=yyyyyyyyyyyyyyyy.zapto.org' with RSA signature successful
IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
selected peer config 'myclient' inacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (96 bytes)
establishing connection 'myclient' failed
root at charon:/etc#
Does anybody have an idea?
Thank you very much in advance,
Binarus
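As an added example (not from the post and not strongSwan's own code), the following Python models the constraint check behind the failing log line: it parses an ipsec.conf auth value like the poster's `rightauth=rsa-4096-sha512` and tests a reported IKE signature scheme against it, treating the key size as a minimum and the listed hashes as the only acceptable ones. The peer's RSA key size does not appear in the post, so the 4096 used in the demo is a constructed value.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hash names as spelled in ipsec.conf auth constraints (rsa-<bits>-<hash>) and,
# upper-cased, in charon's RSA_EMSA_PKCS1_<HASH> signature scheme names.
HASHES = ("md5", "sha1", "sha256", "sha384", "sha512")
SCHEME_RE = re.compile(r"^RSA_EMSA_PKCS1_(MD5|SHA1|SHA256|SHA384|SHA512)$")

@dataclass(frozen=True)
class AuthConstraint:
    key_type: str               # "pubkey" (any key type) or "rsa"
    min_bits: Optional[int]     # minimum key strength; None = not constrained
    hashes: frozenset           # accepted signature hashes; empty = any hash

def parse_auth(value: str) -> AuthConstraint:
    """Parse a leftauth/rightauth value such as 'rsa-4096-sha512' or 'pubkey'."""
    key_type, *rest = value.lower().split("-")
    if key_type not in ("pubkey", "rsa"):
        raise ValueError("not an RSA/pubkey auth constraint: %r" % value)
    min_bits, hashes = None, set()
    for tok in rest:
        if tok.isdigit():
            min_bits = int(tok)
        elif tok in HASHES:
            hashes.add(tok)
        else:
            raise ValueError("unknown auth token %r in %r" % (tok, value))
    return AuthConstraint(key_type, min_bits, frozenset(hashes))

def check_ike_signature(c: AuthConstraint, scheme: str, key_bits: int) -> Optional[str]:
    """Return None if the peer's AUTH signature satisfies the constraint, else a
    diagnostic (simplified model: key size is a minimum, hash must be listed)."""
    m = SCHEME_RE.match(scheme)
    if not m:
        return "signature scheme %s not modelled here" % scheme
    hash_name = m.group(1).lower()
    if c.min_bits is not None and key_bits < c.min_bits:
        return "RSA key of %d bits weaker than required %d bits" % (key_bits, c.min_bits)
    if c.hashes and hash_name not in c.hashes:
        return "IKE signature scheme %s not acceptable (allowed hashes: %s)" % (
            scheme, ", ".join(sorted(c.hashes)))
    return None

if __name__ == "__main__":
    # The poster's rightauth and the scheme charon reported; the peer's key
    # size is not in the post, 4096 is a constructed value.
    print(check_ike_signature(parse_auth("rsa-4096-sha512"), "RSA_EMSA_PKCS1_SHA1", 4096))
```

The diagnostic shows that the peer's SHA-1 signature, not its 4096-bit key, is what the sha512 part of the constraint rejects; the same signature would pass a constraint without a hash list.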