Your Cisco must be configured to use sha-1 instead of sha-256. Strongswan is using sha-256 which the Cisco is complaining about. Check your crypto map and related isakmp profiles.

On Wed, 2012-08-22 at 12:16 +0530, SaRaVanAn wrote:
> Hi,
> I am trying to form a tunnel using RSA authentication in Strongswan
> with CISCO as peer, but I am getting the below error message.
>
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] selected peer config 'site-site'
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using certificate "C=IN, O=CAS"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using trusted ca certificate "C=IN, ST=TN, L=CH, O=CAS, [email protected]"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] checking certificate status of "C=IN, O=CAS"
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] certificate status is not available
> Aug 22 12:03:34 uxcasxxx charon: 08[CFG] reached self-signed root ca with a path length of 0
> Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm HASH_SHA1, but found HASH_SHA256 (OID: 30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)
> Aug 22 12:03:34 uxcasxxx charon: 08[IKE] signature validation failed, looking for another key
> Aug 22 12:03:34 uxcasxxx charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> Please find my configurations below.
>
> ca vpnca
>     cacert=ikeca_email.crt
>     auto=add
>
> config setup
>     plutostart=yes
>     plutodebug=all
>     charonstart=yes
>     charondebug=all
>     nat_traversal=yes
>     crlcheckinterval=10m
>     strictcrlpolicy=no
>
> conn %default
>     ikelifetime=8h
>     lifetime = 8h
>     rekeyfuzz = 100%
>     keyingtries=1
>
> conn site-site
>     left=172.31.114.227
>     leftcert=LeftGty_email.crt
>     ike=aes128-sha256-modp1536!
>     esp=aes128-sha256!
>     [email protected]
>     rightsubnet=0.0.0.0/0
>     leftfirewall=yes
>     right=%any
>     [email protected]
>     keyexchange=ikev2
>     auto=add
>
> ipsec.secrets
> : RSA LeftGty_email.key
>
> I am suspecting the problem is in the configurations. If so, please help me to
> correct the configuration, or else what could be the reason for the failure?
>
> Regards,
> Saravanan N
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
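
An added example, not part of the original thread: the `OID:` bytes in the `[LIB]` line quoted above are a complete DER AlgorithmIdentifier (a SEQUENCE holding an OID and a NULL), and this Python sketch decodes them to confirm which hash the rejected signature declares. The regular expression is modelled on that single log line, and the function names are hypothetical.

```python
import re

# Assumption: LOG_RE is modelled on the one [LIB] line in the post; names here are hypothetical.
HASH_OIDS = {"1.3.14.3.2.26": "SHA1", "2.16.840.1.101.3.4.2.1": "SHA256",
             "2.16.840.1.101.3.4.2.2": "SHA384", "2.16.840.1.101.3.4.2.3": "SHA512"}
LOG_RE = re.compile(r"expected hash algorithm HASH_(\w+), but found HASH_(\w+) "
                    r"\(OID: ((?:[0-9a-f]{2}:)*[0-9a-f]{2})\)")

def decode_oid(body: bytes) -> str:
    """Decode the contents octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:          # high bit set: more base-128 digits follow
            continue
        if not arcs:          # first subidentifier packs two arcs as 40*x + y
            x = min(value // 40, 2)
            arcs += [x, value - 40 * x]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der: bytes) -> str:
    """Return the dotted OID from SEQUENCE { OID, optional NULL }, short-form lengths only."""
    if len(der) < 4 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE of the stated length")
    if der[2] != 0x06 or der[3] >= 0x80 or 4 + der[3] > len(der):
        raise ValueError("SEQUENCE does not start with an OBJECT IDENTIFIER")
    params = der[4 + der[3]:]
    if params not in (b"", b"\x05\x00"):
        raise ValueError("unexpected algorithm parameters")
    return decode_oid(der[4:4 + der[3]])

def triage(line: str):
    """Extract expected/found hashes from a charon [LIB] line and cross-check the DER."""
    m = LOG_RE.search(line)
    if not m:
        return None
    oid = parse_algorithm_identifier(bytes.fromhex(m.group(3).replace(":", "")))
    decoded = HASH_OIDS.get(oid, "unknown")
    return {"expected": m.group(1), "found": m.group(2), "oid": oid,
            "decoded": decoded, "label_matches_der": decoded == m.group(2)}

# The [LIB] line from the post above, rejoined onto one line.
LINE = ("Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm HASH_SHA1, but found "
        "HASH_SHA256 (OID: 30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)")
```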
