[strongSwan] IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
lists at binarus.de
Sat Aug 18 17:26:40 CEST 2018
I am getting the error message mentioned above when trying to connect to
a client's site. Of course, I have tried to research whether there has
already been a similar problem, and have found exactly one appropriate thread:
Unfortunately, my situation is different; in my case, something else
seems to cause the problem. Having said this:
- It happened after the upgrade from Debian jessie (Debian 8) to Debian
stretch (Debian 9), i.e. after the upgrade from StrongSwan 5.2.1 to
- I definitely have copied the whole configuration (including
certificates and so on) from the old system to the new one (AFTER having
installed the new StrongSwan version in the new system). I have
double-checked multiple times (applying different methods) that nothing is missing.
- With the old system, I definitely could connect to the client's site
without any problem with exactly that configuration.
If it matters, the VPN gateway at the client's side is a Lancom router
(I don't know the exact type, but it is a newer one, and I am absolutely
sure that they didn't make any changes to it while I was upgrading my system,
and to stress it again, the old system / StrongSwan version could
connect to that device without problems).
This is my /etc/ipsec.conf (sensitive data has been changed, and lines
which are commented out have been left out):
This is the error message (sensitive data changed in the same way as
root@charon:/etc# /etc/init.d/ipsec restart
[ ok ] Restarting ipsec (via systemctl): ipsec.service.
root@charon:/etc# ipsec up myclient
initiating IKE_SA myclient to 22.214.171.124
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 126.96.36.199 to 188.8.131.52 (714 bytes)
received packet: from 184.108.40.206 to 220.127.116.11 (713 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received 1 cert requests for an unknown ca
sending cert request for "CN=ca.clientsite.local"
authentication of 'CN=xxxxxxxxxxxxxxxx.hopto.org' (myself) with RSA
sending end entity cert "CN=xxxxxxxxxxxxxxxx.hopto.org"
establishing CHILD_SA myclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 18.104.22.168 to 22.214.171.124 (2048 bytes)
received packet: from 126.96.36.199 to 188.8.131.52 (1984 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH TSi TSr N(INIT_CONTACT) SA ]
received end entity cert "CN=yyyyyyyyyyyyyyyy.zapto.org"
using certificate "CN=yyyyyyyyyyyyyyyy.zapto.org"
using trusted ca certificate "CN=ca.clientsite.local"
checking certificate status of "CN=yyyyyyyyyyyyyyyy.zapto.org"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'CN=yyyyyyyyyyyyyyyy.zapto.org' with RSA signature
IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
selected peer config 'myclient' inacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 184.108.40.206 to 220.127.116.11 (96 bytes)
establishing connection 'myclient' failed
root@charon:/etc#
Does anybody have an idea?
Thank you very much in advance,
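The log quoted in the post already contains the protocol-level clue a reader would want to check first: the local IKE_SA_INIT request carries N(HASH_ALG), strongSwan's short name for the SIGNATURE_HASH_ALGORITHMS notify of RFC 7427, but the Lancom's IKE_SA_INIT response does not. A peer that does not announce that notify cannot use RFC 7427 signature authentication and falls back to the classic IKEv2 RSA Digital Signature method, which is PKCS#1 v1.5 over SHA-1, exactly the RSA_EMSA_PKCS1_SHA1 scheme that the initiator's constraint check then rejects. The following script is an added example, not part of the original mail and not strongSwan code: it reassembles the wrapped "generating"/"parsed" lines of a charon log, checks which side offered N(HASH_ALG), and pairs that with the "not acceptable" line. The log excerpt embedded in it is constructed to mirror the quoted output, with addresses and names shortened; it says nothing about which ipsec.conf setting caused the constraint failure, because the mail does not show the configuration.

```python
import re

# Constructed log excerpt, modelled on the charon output quoted in the post
# (addresses and names shortened). Line wraps deliberately mirror the mail.
SAMPLE_LOG = """\
initiating IKE_SA myclient to 192.0.2.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
authentication of 'CN=peer.example' with RSA signature
IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
selected peer config 'myclient' inacceptable: constraint checking failed
"""

# 'search' rather than 'match' so a syslog or "charon: 12[ENC]" prefix is tolerated.
MSG_START = re.compile(r"(generating|parsed) (\S+) (request|response) (\d+) \[ (.*)$")
SCHEME_RE = re.compile(r"IKE signature scheme (\S+) not acceptable")
HASH_ALG_NOTIFY = "N(HASH_ALG)"  # SIGNATURE_HASH_ALGORITHMS notify, RFC 7427


def parse_messages(log):
    """Reassemble each 'generating'/'parsed' line, plus any wrapped continuation
    lines up to the closing ']', into a dict carrying its payload list."""
    messages, current = [], None
    for line in log.splitlines():
        line = line.strip()
        m = MSG_START.search(line)
        if m:
            direction, exchange, kind, mid, rest = m.groups()
            current = {"sent": direction == "generating", "exchange": exchange,
                       "kind": kind, "mid": int(mid), "payloads": []}
            messages.append(current)
        elif current is not None:
            rest = line  # continuation of a wrapped payload list
        else:
            continue
        body, closed, _ = rest.partition("]")
        current["payloads"].extend(body.split())
        if closed:
            current = None  # message complete; following lines are not continuations
    return messages


def peer_offers_rfc7427(messages):
    """True if the peer's IKE_SA_INIT response carried N(HASH_ALG). Without it,
    only the classic IKEv2 auth methods remain; for RSA that is PKCS#1 v1.5 + SHA-1."""
    return any(HASH_ALG_NOTIFY in m["payloads"] for m in messages
               if not m["sent"] and m["exchange"] == "IKE_SA_INIT"
               and m["kind"] == "response")


def rejected_scheme(log):
    """The scheme named in strongSwan's 'not acceptable' line, or None."""
    m = SCHEME_RE.search(log)
    return m.group(1) if m else None


def diagnose(log):
    """Combine the two observations into one verdict dict."""
    messages = parse_messages(log)
    result = {
        "we_offer_rfc7427": any(HASH_ALG_NOTIFY in m["payloads"] for m in messages
                                if m["sent"] and m["exchange"] == "IKE_SA_INIT"),
        "peer_offers_rfc7427": peer_offers_rfc7427(messages),
        "rejected_scheme": rejected_scheme(log),
        "constraint_failure": "constraint checking failed" in log,
    }
    if result["rejected_scheme"] == "RSA_EMSA_PKCS1_SHA1" and not result["peer_offers_rfc7427"]:
        result["verdict"] = ("peer sent no N(HASH_ALG): it can only sign with classic "
                             "RSA (PKCS#1 v1.5, SHA-1), and the local constraints reject SHA-1")
    elif result["rejected_scheme"]:
        result["verdict"] = ("scheme %s rejected although the peer announced RFC 7427 "
                             "hash algorithms" % result["rejected_scheme"])
    else:
        result["verdict"] = "no signature scheme rejection in this log"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print("%-22s %s" % (key, value))
```

Run against a real charon log (`ipsec up <conn>` output or `journalctl -u strongswan`), the script tells you which of the two sides is the limiting one: if the peer never announces N(HASH_ALG), no change on the strongSwan side can make it sign with anything other than SHA-1, so the decision is between accepting that scheme in the local constraints and getting the peer upgraded to RFC 7427.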