[strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

Mike.Ettrich at bertelsmann.de Mike.Ettrich at bertelsmann.de
Mon Mar 12 09:23:52 CET 2018


Hi!

We use several road warriors to connect to a gateway, but with the most recently installed road warrior we get the following log output and the connection is not established.
We are using strongswan-5.5.3 on both sides.
Something seems to be different, but we always use the same configuration.


Gateway log output:
Mar 12 09:13:02 10[CFG] <RU1-TI|129> IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
Mar 12 09:13:02 10[CFG] <RU1-TI|129> selected peer config 'RU1-TI' inacceptable: non-matching authentication done

If you need more installation or configuration details please let me know.


Road warrior ipsec.conf:
conn %default
   keyexchange=ikev2
   ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
   esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
   dpdaction=clear
   dpddelay=300s
   rekey=no
   rightid=%any
   leftcert=my.C_NK_VPN.pem
   leftsourceip=%config
   leftfirewall=yes

conn RU1_TI_1
   right=146.185.113.4
   rightsubnet=10.0.0.0/8
   auto=add

Road warrior log output:
Mar 12 09:13:01 08[ENC] <RU1_TI_1|5> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 12 09:13:01 08[NET] <RU1_TI_1|5> sending packet: from 146.185.113.21[500] to 146.185.113.4[500] (476 bytes)
Mar 12 09:13:01 10[NET] <RU1_TI_1|5> received packet: from 146.185.113.4[500] to 146.185.113.21[500] (1433 bytes)
Mar 12 09:13:01 10[ENC] <RU1_TI_1|5> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ N(MULT_AUTH) ]
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> selecting proposal:
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5>   proposal matches
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 12 09:13:01 10[IKE] <RU1_TI_1|5> received 49 cert requests for an unknown ca
Mar 12 09:13:01 10[IKE] <RU1_TI_1|5> authentication of 'C=DE, ST=Nordrhein-Westfalen, L=G??tersloh, 55:04:11=33333, 55:04:09=An der Autobahn 200, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID, CN=80276885551111130012-20180301' (myself) with RSA signature successful
Mar 12 09:13:01 10[IKE] <RU1_TI_1|5> sending end entity cert "C=DE, ST=Nordrhein-Westfalen, L=G??tersloh, 55:04:11=33333, 55:04:09=An der Autobahn 200, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID, CN=80276885551111130012-20180301"
Mar 12 09:13:01 10[IKE] <RU1_TI_1|5> establishing CHILD_SA RU1_TI_1
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> proposing traffic selectors for us:
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5>  0.0.0.0/0
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> proposing traffic selectors for other:
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5>  10.0.0.0/8
Mar 12 09:13:01 10[CFG] <RU1_TI_1|5> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 12 09:13:01 10[ENC] <RU1_TI_1|5> generating IKE_AUTH request 1 [ IDi CERT AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 12 09:13:01 10[NET] <RU1_TI_1|5> sending packet: from 146.185.113.21[4500] to 146.185.113.4[4500] (2032 bytes)
Mar 12 09:13:02 14[NET] <RU1_TI_1|5> received packet: from 146.185.113.4[4500] to 146.185.113.21[4500] (80 bytes)
Mar 12 09:13:02 14[ENC] <RU1_TI_1|5> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Kind regards,
Mike.
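A defender-side check, added here and not part of Mike's post or of strongSwan itself: it parses charon log lines in the format quoted above and reports, per IKE_SA, which peer config rejected which IKE signature scheme. The first two sample lines are the gateway lines from the post; the third is constructed.

```python
import re

# strongSwan charon line as quoted in the post: syslog timestamp, thread id,
# log group, <connection|IKE_SA id> (the name may be absent), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]*)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
SCHEME_RE = re.compile(r"IKE signature scheme (?P<scheme>\S+) not acceptable")
CONFIG_RE = re.compile(r"selected peer config '(?P<cfg>[^']+)' inacceptable: (?P<reason>.*)")

def parse_line(line):
    """Split one charon log line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_signature_rejections(lines):
    """One record per IKE_SA on which this side rejected a signature scheme."""
    by_sa = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        sa = by_sa.setdefault((rec["conn"], rec["sa"]), {
            "conn": rec["conn"], "sa": rec["sa"],
            "scheme": None, "config": None, "reason": None})
        m = SCHEME_RE.search(rec["msg"])
        if m:
            sa["scheme"] = m.group("scheme")
        m = CONFIG_RE.search(rec["msg"])
        if m:
            sa["config"], sa["reason"] = m.group("cfg"), m.group("reason")
    return [sa for sa in by_sa.values() if sa["scheme"]]

def uses_sha1(scheme):
    """Classic IKEv2 RSA/SHA-1 (RFC 7296 auth method 1): the only scheme a peer can offer without RFC 7427 hash negotiation."""
    return scheme.endswith("_SHA1")

# Sample input: the two gateway lines from the post plus one constructed line
# for another IKE_SA that authenticated fine and must not be reported.
SAMPLE_LOG = """\
Mar 12 09:13:02 10[CFG] <RU1-TI|129> IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
Mar 12 09:13:02 10[CFG] <RU1-TI|129> selected peer config 'RU1-TI' inacceptable: non-matching authentication done
Mar 12 09:14:10 11[IKE] <RU1-TI|130> authentication of 'CN=other-client' with RSA signature successful
""".splitlines()

if __name__ == "__main__":
    for r in find_signature_rejections(SAMPLE_LOG):
        hint = " (classic RSA/SHA-1; check the signature constraint of this peer config)" if uses_sha1(r["scheme"]) else ""
        print(f"{r['conn']}|{r['sa']}: {r['scheme']} rejected for config {r['config']!r}: {r['reason']}{hint}")
```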