[Swan] peer authentication requires policy RSASIG_v1_5
David Valiente
fierce.brake at gmail.com
Mon Jan 22 20:37:50 EET 2024
Hey everyone!
I am trying to get a Windows client connected to the VPN.
Linux client works just fine with the same configuration, it's just the
Windows client giving me crap.
I followed this documentation to bring the configuration up:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
This is the server's configuration
========================
conn tcc-server
    left=172.14.0.28
    leftcert=my-domain
    leftid=@my-domain
    leftsendcert=always
    leftsubnets={172.14.0.0/16}
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.1.0/24
    rightca=%same
    rightrsasigkey=%cert
    rightsubnets={192.168.1.0/24}
    modecfgdns=8.8.8.8,8.8.1.1,1.1.1.1
    narrowing=yes
    dpddelay=30
    # dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    encapsulation=yes
========================
The error logs I get
========================
Jan 22 18:33:31 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[1] 168.90.110.44 #1: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jan 22 18:33:31 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[1] 168.90.110.44 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[1] 168.90.110.44 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[1] 168.90.110.44 #1: switched to "tcc-server/1x1"[2] my-ip
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[1] 168.90.110.44: deleting connection instance with peer my-ip {isakmp=#0/ipsec=#0}
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44 #1: authentication failed: peer authentication requires policy RSASIG_v1_5
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44 #1: responding to IKE_AUTH message (ID 1) from my-ip:4500 with encrypted notification AUTHENTICATION_FAILED
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44 #1: encountered fatal error in state STATE_V2_PARENT_R1
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44 #1: deleting state (STATE_V2_PARENT_R1) aged 0.142638s and NOT sending notification
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44: deleting connection instance with peer my-ip {isakmp=#0/ipsec=#0}
========================
Has anyone experienced this problem before with Windows clients? Any tips?
What exactly does 'policy RSASIG_v1_5' refer to and how can I go about
fixing that?
Thanks, everyone!
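
An added triage example, not part of the original post: it rejoins mail-wrapped pluto records and reports, per IKE SA, the last exchange reached and the failure reason, which for a log like the one above shows that IKE_SA_INIT completed and the rejection came at IKE_AUTH. The sample log is constructed in the shape of the posted lines, and the function names are this example's own.

```python
import re

# Constructed sample shaped like the pluto lines in the post (mail-wrapped,
# documentation-range peer address, shortened hostname).
SAMPLE = """\
Jan 22 18:33:31 vpn pluto[100]:
"tcc-server/1x1"[1] 192.0.2.10 #1: sent IKE_SA_INIT reply
{cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256
group=MODP2048}
Jan 22 18:33:32 vpn pluto[100]:
"tcc-server/1x1"[1] 192.0.2.10 #1: processing decrypted IKE_AUTH
request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jan 22 18:33:32 vpn pluto[100]:
"tcc-server/1x1"[2] 192.0.2.10 #1: authentication failed: peer
authentication requires policy RSASIG_v1_5
Jan 22 18:33:32 vpn pluto[100]:
"tcc-server/1x1"[2] 192.0.2.10: deleting connection instance with peer
192.0.2.10 {isakmp=#0/ipsec=#0}
"""

STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
EVENT = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"/]+)[^"]*"\[\d+\] '
                   r"(?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)")

def unwrap(text):
    """Rejoin mail-wrapped records: a new record starts with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Per (peer, IKE SA number): last exchange seen, IKE algorithms, failure."""
    sas = {}
    for rec in unwrap(text):
        m = EVENT.search(rec)
        if not m:
            continue  # e.g. connection-instance lines that carry no "#N:" SA number
        sa = sas.setdefault((m["peer"], m["sa"]), {"conn": m["conn"],
                            "exchange": None, "ike": {}, "failure": None})
        msg = m["msg"]
        if msg.startswith("sent IKE_SA_INIT reply"):
            sa["exchange"] = "IKE_SA_INIT"
            sa["ike"] = dict(re.findall(r"(\w+)=(\w+)", msg))
        elif "IKE_AUTH request" in msg:
            sa["exchange"] = "IKE_AUTH"
        elif msg.startswith("authentication failed: "):
            sa["failure"] = msg.split(": ", 1)[1]
    return sas
```

The SA is keyed on peer address and `#N` rather than on the bracketed instance number, because pluto switches the connection instance (`[1]` to `[2]`) partway through the same exchange.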