Disregard. Got the logging backwards.

On Wed, 2012-08-22 at 16:49 +1000, Richard Andrews wrote:
> Your Cisco must be configured to use sha-1 instead of sha-256.
> Strongswan is using sha-256 which the Cisco is complaining about. Check
> your crypto map and related isakmp profiles.
>
> On Wed, 2012-08-22 at 12:16 +0530, SaRaVanAn wrote:
> > Hi,
> > I am trying to form a tunnel using RSA authentication in Strongswan
> > with CISCO as peer, but
> > I am getting the below error message.
> >
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] selected peer config 'site-site'
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using certificate "C=IN, O=CAS"
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using trusted ca certificate "C=IN, ST=TN, L=CH, O=CAS, [email protected]"
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] checking certificate status of "C=IN, O=CAS"
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] certificate status is not available
> > Aug 22 12:03:34 uxcasxxx charon: 08[CFG] reached self-signed root ca with a path length of 0
> > Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm HASH_SHA1, but found HASH_SHA256 (OID: 30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)
> > Aug 22 12:03:34 uxcasxxx charon: 08[IKE] signature validation failed, looking for another key
> > Aug 22 12:03:34 uxcasxxx charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >
> > Please find my configurations below.
> >
> > ca vpnca
> >     cacert=ikeca_email.crt
> >     auto=add
> >
> > config setup
> >     plutostart=yes
> >     plutodebug=all
> >     charonstart=yes
> >     charondebug=all
> >     nat_traversal=yes
> >     crlcheckinterval=10m
> >     strictcrlpolicy=no
> >
> > conn %default
> >     ikelifetime=8h
> >     lifetime = 8h
> >     rekeyfuzz = 100%
> >     keyingtries=1
> >
> > conn site-site
> >     left=172.31.114.227
> >     leftcert=LeftGty_email.crt
> >     ike=aes128-sha256-modp1536!
> >     esp=aes128-sha256!
> >     [email protected]
> >     rightsubnet=0.0.0.0/0
> >     leftfirewall=yes
> >     right=%any
> >     [email protected]
> >     keyexchange=ikev2
> >     auto=add
> >
> > ipsec.secrets
> > : RSA LeftGty_email.key
> >
> > I am suspecting the problem in configurations. If so, please help me to
> > correct the configuration or else
> > what could be the reason for the failure?
> >
> > Regards,
> > Saravanan N
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > https://lists.strongswan.org/mailman/listinfo/users
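Added example, not part of the original thread: a small decoder for the DER bytes charon prints after `OID:` in the `[LIB]` line quoted above, so the value can be checked against the hash name in the same message. The function names and the OID table are this example's own; the sample line is the one from the thread with its e-mail line wrap rejoined.

```python
import re

# Well-known hash OIDs as they appear in a PKCS#1 v1.5 DigestInfo.
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512",
}
# Matches the charon [LIB] message format shown in the thread.
LOG_RE = re.compile(
    r"expected hash algorithm HASH_(\w+), but found HASH_(\w+) "
    r"\(OID:\s*([0-9a-fA-F:]+)\)")
# Log line taken from the thread (wrapped line rejoined).
SAMPLE = ("Aug 22 12:03:34 uxcasxxx charon: 08[LIB] expected hash algorithm "
          "HASH_SHA1, but found HASH_SHA256 (OID: "
          "30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)")

def decode_oid(body: bytes) -> str:
    """Turn DER OID content octets into dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, value = [], 0
    for octet in body:                      # base-128, high bit means "more"
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]                       # first sub-identifier packs two arcs
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(arc) for arc in head + tuple(subids[1:]))

def parse_algorithm_identifier(der: bytes):
    """Parse SEQUENCE { OID, params }; short-form lengths only."""
    if len(der) < 4 or der[0] != 0x30 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE of the stated length")
    if der[2] != 0x06 or der[3] & 0x80 or 4 + der[3] > len(der):
        raise ValueError("SEQUENCE does not start with a well-formed OID")
    return decode_oid(der[4:4 + der[3]]), der[4 + der[3]:]

def explain_mismatch(line: str):
    """Return what charon expected/found and what the OID bytes decode to."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    expected, found, hex_bytes = m.groups()
    oid, params = parse_algorithm_identifier(bytes.fromhex(hex_bytes.replace(":", "")))
    return {"expected": expected.lower(), "found": found.lower(), "oid": oid,
            "oid_hash": HASH_OIDS.get(oid, "unknown"),
            "null_params": params == b"\x05\x00"}
```

Calling `explain_mismatch(SAMPLE)` shows that the printed bytes are a SEQUENCE holding the OID 2.16.840.1.101.3.4.2.1 followed by NULL parameters, which agrees with the `HASH_SHA256` name in the log text.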
