[Swan] peer authentication requires policy RSASIG_v1_5
Paul Wouters
paul at nohats.ca
Tue Jan 23 02:28:38 EET 2024
On Mon, 22 Jan 2024, David Valiente wrote:
> I am trying to get a windows client connected to the VPN.
> Linux client works just fine with the same configuration, it's just the windows client giving me crap.
> conn tcc-server
> left=172.14.0.28
> leftcert=my-domain
> leftid=@my-domain
> leftsendcert=always
> leftsubnets={172.14.0.0/16}
> leftrsasigkey=%cert
> right=%any
> rightaddresspool=192.168.1.0/24
> rightca=%same
> rightrsasigkey=%cert
> rightsubnets={192.168.1.0/24}
> modecfgdns=8.8.8.8,8.8.1.1,1.1.1.1
> narrowing=yes
> dpddelay=30
> # dpdtimeout=120
> dpdaction=clear
> auto=add
> ikev2=insist
> rekey=no
> fragmentation=yes
> encapsulation=yes
So this uses the default authby= for IKEv2, which does not include rsa-sha1.
> Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44 #1: authentication failed: peer
> authentication requires policy RSASIG_v1_5
RSASIG_v1_5 is the RSA variant predating RFC 7427 Signature Authentication.
(well, it is more complicated but that is the essence)
try adding:
authby=rsa-sha2,rsa-sha1
The sha2 variant will use the RFC 7427 variant, and the sha1 variant
will use the legacy RSASIG_v1_5 one. Be sure to test your other clients
that worked before as well.
Paul
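Added here as an example, not code from the thread or from Libreswan: a small Python check that correlates pluto's "authentication requires policy" log line with a conn block and reports when the signature method the peer needs is missing from the effective authby= set. It assumes, as the post states, that the IKEv2 default excludes rsa-sha1, and uses constructed log lines plus a trimmed copy of the conn above.

```python
import re

# Constructed sample input: the log line from the thread (re-joined onto one line),
# one unrelated line, and a trimmed copy of the posted conn with no authby= set.
LOG_LINES = [
    'Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] '
    '168.90.110.44 #1: authentication failed: peer authentication requires policy RSASIG_v1_5',
    'Jan 22 18:33:40 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[3] '
    '10.0.0.5 #2: IKE SA established',
]
CONN_BLOCK = """conn tcc-server
    left=172.14.0.28
    leftcert=my-domain
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    ikev2=insist
"""

# Matches pluto's failure line; the conn name is the part before the "/1x1" instance suffix.
AUTH_FAIL_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"/]+)(?:/[^"]*)?"\[\d+\] (?P<peer>\S+) #\d+: '
    r'authentication failed: peer authentication requires policy (?P<policy>\S+)')

# Assumption taken from the post: with ikev2 and no explicit authby=, the default
# set of accepted peer signature methods does not include the legacy rsa-sha1.
DEFAULT_AUTHBY_IKEV2 = frozenset({"rsa-sha2"})
POLICY_TO_AUTHBY = {"RSASIG_v1_5": "rsa-sha1"}  # legacy RSA (pre-RFC 7427) <-> authby keyword

def parse_conn(text):
    """Parse one ipsec.conf 'conn' block into (name, {option: value}), skipping comments."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    name = lines[0].split(None, 1)[1]
    opts = dict(l.split("=", 1) for l in lines[1:] if "=" in l)
    return name, {k.strip(): v.strip() for k, v in opts.items()}

def effective_authby(opts):
    """Explicit authby= wins; otherwise fall back to the assumed IKEv2 default."""
    if "authby" in opts:
        return frozenset(a.strip() for a in opts["authby"].split(","))
    return DEFAULT_AUTHBY_IKEV2

def audit(log_lines, conn_text):
    """One finding per failure whose required policy the conn's authby does not allow."""
    name, opts = parse_conn(conn_text)
    allowed = effective_authby(opts)
    findings = []
    for line in log_lines:
        m = AUTH_FAIL_RE.search(line)
        if not m or m["conn"] != name:
            continue
        needed = POLICY_TO_AUTHBY.get(m["policy"])
        if needed and needed not in allowed:
            findings.append({"conn": name, "peer": m["peer"], "policy": m["policy"],
                             "fix": "authby=" + ",".join(sorted(allowed)) + "," + needed,
                             # widening authby applies to every peer on this conn, so retest them
                             "caveat": "rsa-sha1 becomes acceptable from all peers on this conn"})
    return findings
```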