Hi Tobias,

> OK, I found the issue. The problem is that Windows, at least as
> initiator, creates IKEv1 ECDSA signatures incorrectly if the negotiated
> integrity algorithm does not match the one associated with the ECDSA
> authentication method.

This was the problem! I was able to fix it by following your configuration instructions.

> For some reason Windows seems to do this
> correctly if it acts as responder (I have not been able to verify this,
> though).

I double checked my configuration, and I realized that I was actually using a different ipsec.conf file when testing tunnel initiation from Linux to Windows. In that case, I had configured ike to use SHA2-384. This is why I could open tunnels when initiating from Linux.

I re-tested using the same configuration as in the Windows to Linux case (SHA2-256 for integrity), and tunnels would no longer open. Instead (as expected), I got "AUTHENTICATION_FAILED" messages coming back from Windows.

Thanks again for all your help!

Quinn

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
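As an added illustration (not part of Quinn's or Tobias's messages), here is what the two situations described in this thread look like side by side in strongSwan ipsec.conf terms. Only the two integrity algorithms (SHA2-384, which worked, and SHA2-256, which produced AUTHENTICATION_FAILED from Windows) come from the thread; the connection names, the AES cipher, the ecp384 DH group and the `leftauth=ecdsa-384` authentication method are assumptions chosen to make the pairing explicit. The security-relevant point is that an ECDSA-384 IKEv1 signature is computed over SHA-384 (RFC 4754), so the IKE proposal's integrity algorithm has to match that hash, and pinning the proposal with a trailing `!` keeps strongSwan from negotiating a non-matching one.

```conf
# Added example, not configuration from the thread.
# Assumed: connection names, aes256, ecp384, and the ecdsa-384 auth method.
# Only the SHA2-384 vs SHA2-256 integrity choice is taken from the discussion.

# Working variant: integrity algorithm matches the hash that ECDSA-384
# signatures are made over (SHA-384, per RFC 4754).
conn win-to-linux-working
    keyexchange=ikev1
    leftauth=ecdsa-384            # assumed ECDSA-384 authentication method
    rightauth=ecdsa-384
    ike=aes256-sha384-ecp384!     # sha384 integrity; '!' pins this proposal so
                                  # no other integrity algorithm is negotiated
    auto=add

# Failing variant: SHA2-256 integrity with ECDSA-384 authentication.
# With Windows as initiator this is the mismatch the thread describes and
# results in AUTHENTICATION_FAILED being returned.
conn win-to-linux-failing
    keyexchange=ikev1
    leftauth=ecdsa-384
    rightauth=ecdsa-384
    ike=aes256-sha256-ecp384!     # sha256 integrity does not match the ECDSA-384 hash
    auto=add
```

When diagnosing this class of failure, check that the integrity algorithm in the `ike=` line of the connection actually loaded (not a stale copy of ipsec.conf, as happened in the thread) matches the hash implied by the ECDSA authentication method before looking elsewhere.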
