[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Wed Jan 30 03:29:00 UTC 2019


On Tue, 29 Jan 2019, Alex wrote:

> Jan 29 20:36:53.923873: "bwimail03-arcade" #5: Signature check (on
> @arcade) failed (wrong key?); tried *AwEAAfVyj
> Jan 29 20:36:53.923902: | public key for @arcade failed: decrypted SIG
> payload into a malformed ECB (SIG length does not match public key
> length)

I haven't seen this error before....

> It's also interesting to note that on the remote system (arcade), it
> seems to think the link is up:

Yes, because the arcade authenticated endpoint, installed the VPN
connection, then sent its last IKE packet containing its authentication
proof, which upon your end receiving you have rejected. So as far as
arcade knows, the tunnel is up. (Technically, our end is supposed to
send an encrypted informational exchange message with delete and notify
payload AUTHENTICATION_FAILED, but we don't.)

Paul
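
Since the remote end is never told about the rejection, the only record of the one-sided tunnel is the log on the side that rejected the signature. The following is an added example, not part of the thread and not libreswan code: it pulls signature-check failures out of log lines in the format quoted above, tolerating mail quoting and wrapping. The function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed input: the two records quoted in the thread (still mail-wrapped and
# ">"-quoted) plus two made-up later lines for the same connection.
SAMPLE = """\
> Jan 29 20:36:53.923873: "bwimail03-arcade" #5: Signature check (on
> @arcade) failed (wrong key?); tried *AwEAAfVyj
> Jan 29 20:36:53.923902: | public key for @arcade failed: decrypted SIG
> payload into a malformed ECB (SIG length does not match public key
> length)
Jan 29 20:41:07.100000: "bwimail03-arcade" #7: Signature check (on @arcade) failed (wrong key?); tried *AwEAAfVyj
Jan 29 20:41:07.200000: "bwimail03-arcade" #7: unrelated constructed line
"""
TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d\.\d+): (.*)$")
FAIL = re.compile(r'^"([^"]+)" #(\d+): Signature check \(on (\S+)\) failed')
DETAIL = re.compile(r"^\| public key for (\S+) failed: (.*)$")

def records(text):
    """Yield (timestamp, message), re-joining lines that mail quoting wrapped."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^(> ?)+", "", raw).rstrip()
        m = TS.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and line:
            current[1] += " " + line  # continuation of a wrapped record
    if current:
        yield tuple(current)

def signature_failures(text):
    """One dict per rejected peer signature, with the debug reason if it was logged."""
    out = []
    for ts, msg in records(text):
        f, d = FAIL.match(msg), DETAIL.match(msg)
        if f:
            out.append({"time": ts, "conn": f.group(1), "state": int(f.group(2)),
                        "peer": f.group(3), "detail": None})
        elif d and out and out[-1]["peer"] == d.group(1) and out[-1]["detail"] is None:
            out[-1]["detail"] = d.group(2)
    return out

def repeated(failures, threshold=2):
    """(connection, peer ID) pairs that failed at least `threshold` times."""
    counts = Counter((f["conn"], f["peer"]) for f in failures)
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

Calling `repeated(signature_failures(SAMPLE))` groups the failures by connection and peer ID, which is a reasonable trigger for checking the configured public key for that peer.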

