[Swan] peer authentication requires policy RSASIG_v1_5

David Valiente fierce.brake at gmail.com
Tue Jan 23 20:58:25 EET 2024


@Paul Wouters <paul at nohats.ca>
Thanks for the input!

I followed these instructions (https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps) to come up with these commands:

Add-VpnConnection -Name "TCC" -ServerAddress "vpnserver" -TunnelType Ikev2
-EncryptionLevel "Maximum" -AuthenticationMethod MachineCertificate
-SplitTunneling $True -PassThru

Set-VpnConnectionIPsecConfiguration -ConnectionName "TCC"
-AuthenticationTransformConstants GCMAES256 -CipherTransformConstants
AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup None
-DHGroup Group14 -PassThru -Force

The VPN seems to be created as required, but my tunnel would still fail
with the error below (authby=rsa-sha2):
========================
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: proposal
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
remote proposals
1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: sent IKE_SA_INIT reply
{cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256
group=MODP2048}
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: processing decrypted IKE_AUTH
request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: authentication failed: peer
authentication requires policy RSASIG_v1_5
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: responding to IKE_AUTH message (ID
1) from 168.90.110.44:4500 with encrypted notification AUTHENTICATION_FAILED
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: encountered fatal error in state
STATE_V2_PARENT_R1
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: deleting state (STATE_V2_PARENT_R1)
aged 0.095529s and NOT sending notification
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44: deleting connection instance with peer
168.90.110.44 {isakmp=#0/ipsec=#0}
========================

If anyone knows how to tweak that VPN client configuration to match the
server, and/or knows of a FIPS-compliant VPN client, I would appreciate any tips.

Thanks!
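As an added triage aid (not part of the post above and not libreswan code), the parser below re-joins pluto log records that a mail client wrapped across lines, then reports per IKE SA which proposal was chosen, why authentication failed and which notification went back to the peer. The sample log is constructed from the lines quoted above; the hint text assumes libreswan's meaning of the RSASIG_v1_5 policy keyword (RSA PKCS#1 v1.5 signature authentication, which authby=rsa-sha2 does not permit).

```python
import re
# Constructed sample modelled on the wrapped pluto lines quoted above (wrapping kept on purpose).
SAMPLE_LOG = """\
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: proposal
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
remote proposals
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: authentication failed: peer
authentication requires policy RSASIG_v1_5
Jan 23 18:54:44 ip-172-14-0-28.ec2.internal pluto[44690]:
"tcc-server/1x1"[25] 168.90.110.44 #30: responding to IKE_AUTH message (ID
1) from 168.90.110.44:4500 with encrypted notification AUTHENTICATION_FAILED
"""

START_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[\d+\]:")
MSG_RE = re.compile(r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)')
PROPOSAL_RE = re.compile(r"proposal \d+:(?P<chosen>\S+) chosen from")
FAIL_RE = re.compile(r"authentication failed: (?P<reason>.*)")
HINT = "peer signed AUTH with RSA PKCS#1 v1.5, which this conn's authby= does not permit"

def unwrap(text):
    """Re-join pluto records that were wrapped across lines; a record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Per IKE SA number: peer, chosen IKE proposal, auth failure reason, notification sent."""
    sas = {}
    for rec in unwrap(text):
        m = MSG_RE.search(rec)
        if not m or not m.group("sa"):
            continue  # skip records with no SA number (e.g. connection instance deletion)
        info = sas.setdefault(int(m.group("sa")), {})
        info.setdefault("peer", m.group("peer"))
        msg = m.group("msg")
        if p := PROPOSAL_RE.search(msg):
            info["proposal"] = p.group("chosen")
        elif f := FAIL_RE.search(msg):
            info["auth_failure"] = f.group("reason")
            if "RSASIG_v1_5" in f.group("reason"):
                info["hint"] = HINT
        elif "with encrypted notification" in msg:
            info["notification"] = msg.rsplit(" ", 1)[1]
    return sas
```

Running `summarize(SAMPLE_LOG)` on the sample yields one entry for SA #30 carrying the chosen proposal, the RSASIG_v1_5 failure reason with its hint, and the AUTHENTICATION_FAILED notification.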