[strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable
Tobias Brunner
tobias at strongswan.org
Tue Mar 13 11:48:49 CET 2018
Hi Mike,
> I hope you mean the ipsec.conf only:
>
> Ipsec.conf:
> config setup
>     charondebug="cfg 2, dmn 1, ike 1, net 1, job 0"
>
> conn %default
>     keyexchange=ikev2
>     ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
>     esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
>     leftauth=pubkey-sha256
>     rightauth=pubkey-sha256

There you go. If you require the client authentication to use SHA-256,
but don't actually configure your client to use SHA-256 (the default
depends on the key size) you get exactly the error message you saw.

>     dpdaction=clear
>     dpddelay=300s
>     rekey=yes
>     left=%any
>     leftsubnet=0.0.0.0/0
>     right=%any
>     lifetime=24h
>     ikelifetime=168h
>     compress=yes
>
> ca %default
>     certuribase=http://hashandurl.gto1-ref.service-ti.de/
>
> ca GEM.VPNK-CA27
>     cacert = GEM_VPNK-CA27TEST-ONLY.pem
>     auto=add
>
> ca GEM.RCA2
>     cacert = GEM.RCA2.der
>     auto=add
>
> conn RU1-TI
>     keyexchange=ikev2
>     left=vpn1-ti.gto1-ref.service-ti.de
>     leftcert=vpn1-ti.gto1-refCert.pem
>     leftid="C=DE, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1-ti.gto1-ref.service-ti.de"
>     leftfirewall=yes
>     right=%any
>     rightsourceip=10.23.0.0/20
>     auto=add

Regards,
Tobias
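
Added illustration, not part of the original message and not strongSwan code: a small Python check that resolves `conn %default` inheritance in an ipsec.conf and reports which connections end up with a `pubkey-<hash>` constraint, showing that `RU1-TI` inherits `rightauth=pubkey-sha256`. The sample text is a constructed excerpt of the quoted configuration, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the quoted ipsec.conf (only the relevant lines).
SAMPLE = """\
conn %default
    leftauth=pubkey-sha256
    rightauth=pubkey-sha256

conn RU1-TI
    left=vpn1-ti.gto1-ref.service-ti.de
    right=%any
    auto=add
"""

SECTION = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")
# Only the pubkey-<hash> form that appears in the thread is recognised here.
HASHED = re.compile(r"^pubkey-(.+)$")

def parse(text):
    """Return {(type, name): {key: value}}; tolerates lost indentation."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        m = SECTION.match(line)
        if m and "=" not in line:
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def auth_constraints(text):
    """Map each real conn to the hash constraints it effectively carries."""
    sections = parse(text)
    defaults = sections.get(("conn", "%default"), {})
    report = {}
    for (kind, name), params in sections.items():
        if kind != "conn" or name == "%default":
            continue
        effective = {**defaults, **params}  # the conn's own values win
        for key in ("leftauth", "rightauth"):
            m = HASHED.match(effective.get(key, ""))
            if m:
                origin = "own" if key in params else "%default"
                report.setdefault(name, {})[key] = (m.group(1), origin)
    return report
```

Calling `auth_constraints()` on the gateway's configuration lists every connection whose peer must authenticate with the stated hash, which is the setting to compare against what the client is configured to use.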