On Mon, 22 Jan 2024, David Valiente wrote:
I am trying to get a windows client connected to the VPN. Linux client works just fine with the same configuration, it's just the windows client giving me crap.
conn tcc-server
        left=172.14.0.28
        leftcert=my-domain
        leftid=@my-domain
        leftsendcert=always
        leftsubnets={172.14.0.0/16}
        leftrsasigkey=%cert
        right=%any
        rightaddresspool=192.168.1.0/24
        rightca=%same
        rightrsasigkey=%cert
        rightsubnets={192.168.1.0/24}
        modecfgdns=8.8.8.8,8.8.1.1,1.1.1.1
        narrowing=yes
        dpddelay=30
        # dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        fragmentation=yes
        encapsulation=yes
So this uses the default authby= for IKEv2, which does not include rsa-sha1.
Jan 22 18:33:32 ip-172-14-0-28.ec2.internal pluto[234457]: "tcc-server/1x1"[2] 168.90.110.44 #1: authentication failed: peer authentication requires policy RSASIG_v1_5
RSASIG_v1_5 is the RSA variant predating RFC 7427 Signature Authentication. (Well, it is more complicated, but that is the essence.)

Try adding:

        authby=rsa-sha2,rsa-sha1

The sha2 variant will use the RFC 7427 variant, and the sha1 variant will use the legacy RSASIG_v1_5 one. Be sure to test your other clients that worked before as well.

Paul

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
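The reply above turns on the legacy rsa-sha1 (RSASIG_v1_5) method alongside rsa-sha2 to accommodate the Windows client. Since that widens what the server accepts for every peer of that conn, an operator will want to know which conns in an ipsec.conf still permit the legacy method. The following POSIX shell/awk audit is an added example written for this page; it is not part of the thread and not a libreswan tool. It assumes the ordinary ipsec.conf layout (a `conn NAME` line followed by indented `key=value` lines), only inspects the `authby=` keyword, and uses a constructed sample config and status labels of my own choosing.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not libreswan's own code):
# report, per conn block, whether the legacy rsa-sha1 (RSASIG_v1_5) method is
# permitted by authby=. Assumes standard ipsec.conf "conn NAME" + indented
# key=value syntax and looks only at the authby= keyword.

# Constructed sample config for demonstration; names and addresses are made up.
SAMPLE_CONF='conn tcc-server
    left=172.14.0.28
    leftcert=my-domain
    authby=rsa-sha2,rsa-sha1
    ikev2=insist
    auto=add

conn site-b
    left=172.14.0.28
    ikev2=insist
    auto=add

conn legacy-only
    authby=rsa-sha1   # trailing comment, ignored by the audit
    ikev2=insist
'

# audit_authby: reads an ipsec.conf on stdin, prints "NAME<TAB>STATUS" per conn.
#   default         authby= not set (IKEv2 default, which per the thread excludes rsa-sha1)
#   rfc7427-only    authby= set explicitly and does not list rsa-sha1
#   legacy-enabled  authby= lists rsa-sha1 next to other methods
#   legacy-only     authby= lists nothing but rsa-sha1
audit_authby() {
    awk '
    function flush(    n, parts, i, legacy, other, status) {
        if (name == "") return
        if (authby == "") {
            status = "default"
        } else {
            n = split(authby, parts, ",")
            legacy = 0; other = 0
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "rsa-sha1") legacy = 1
                else if (parts[i] != "") other = 1
            }
            if (legacy && other) status = "legacy-enabled"
            else if (legacy) status = "legacy-only"
            else status = "rfc7427-only"
        }
        printf "%s\t%s\n", name, status
    }
    /^[ \t]*#/ { next }                               # full-line comment
    /^conn[ \t]+/ { flush(); name = $2; authby = ""; next }
    /^[ \t]*authby[ \t]*=/ {
        sub(/^[ \t]*authby[ \t]*=[ \t]*/, "")         # keep only the value
        sub(/[ \t]*#.*$/, "")                         # drop trailing comment
        authby = $0
        next
    }
    END { flush() }
    '
}

# conn_status NAME: status of one conn from the embedded sample config.
conn_status() {
    printf '%s' "$SAMPLE_CONF" | audit_authby | awk -F'\t' -v n="$1" '$1 == n { print $2 }'
}

# Stand-alone run: audit the constructed sample.
printf '%s' "$SAMPLE_CONF" | audit_authby
```

To audit a real deployment, replace the embedded sample with `audit_authby < /etc/ipsec.conf` (and the files it includes). Conns reported as `legacy-enabled` are the ones where the accommodation from the thread applies; once the peer that needed RSASIG_v1_5 is upgraded or reconfigured, those are the candidates for dropping rsa-sha1 again.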