Hi Mike,

> I hope you mean the ipsec.conf only:
>
> Ipsec.conf:
> config setup
>     charondebug="cfg 2, dmn 1, ike 1, net 1, job 0"
>
> conn %default
>     keyexchange=ikev2
>     ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
>     esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
>     leftauth=pubkey-sha256
>     rightauth=pubkey-sha256

There you go. If you require the client authentication to use SHA-256, but don't actually configure your client to use SHA-256 (the default depends on the key size) you get exactly the error message you saw.

>     dpdaction=clear
>     dpddelay=300s
>     rekey=yes
>     left=%any
>     leftsubnet=0.0.0.0/0
>     right=%any
>     lifetime=24h
>     ikelifetime=168h
>     compress=yes
>
> ca %default
>     certuribase=http://hashandurl.gto1-ref.service-ti.de/
>
> ca GEM.VPNK-CA27
>     cacert = GEM_VPNK-CA27TEST-ONLY.pem
>     auto=add
>
> ca GEM.RCA2
>     cacert = GEM.RCA2.der
>     auto=add
>
> conn RU1-TI
>     keyexchange=ikev2
>     left=vpn1-ti.gto1-ref.service-ti.de
>     leftcert=vpn1-ti.gto1-refCert.pem
>     leftid="C=DE, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID,
>     CN=vpn1-ti.gto1-ref.service-ti.de"
>     leftfirewall=yes
>     right=%any
>     rightsourceip=10.23.0.0/20
>     auto=add

Regards,
Tobias
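For reference, the matching client side of the gateway configuration quoted above, as an added example (not part of the original thread and not Mike's actual client config). The client certificate file name, the client's own DN and `left=%defaultroute` are assumptions; the gateway hostname and DN are taken from the quoted `conn RU1-TI`. The point of the example is the `leftauth` line: the gateway's `rightauth=pubkey-sha256` requires the client to sign its AUTH payload with SHA-256 (RFC 7427 signature authentication), so the client must say so explicitly instead of relying on the daemon's key-size-dependent default.

```ini
# Added example, not from the original thread. Client-side ipsec.conf
# for the RU1-TI gateway quoted above. Client cert file name, client DN
# and %defaultroute are assumptions.
conn RU1-TI
    keyexchange=ikev2
    # Same proposals the gateway advertises, strict ("!")
    ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
    left=%defaultroute
    leftcert=clientCert.pem
    leftid="C=DE, O=Example Org TEST-ONLY, CN=client.example.org"
    # Sign with SHA-256 as the gateway's rightauth=pubkey-sha256 demands.
    # A bare "leftauth=pubkey" lets charon choose the hash from the key
    # size, which is exactly the mismatch that produces the reported error.
    leftauth=pubkey-sha256
    # Accept a virtual IP from the gateway's rightsourceip pool
    leftsourceip=%config
    right=vpn1-ti.gto1-ref.service-ti.de
    rightid="C=DE, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1-ti.gto1-ref.service-ti.de"
    rightsubnet=0.0.0.0/0
    # Gateway signs with SHA-256 too (its leftauth=pubkey-sha256 in %default)
    rightauth=pubkey-sha256
    auto=start
```

The alternative, if the client cannot be changed, is to relax the gateway to `rightauth=pubkey` in `conn %default`, which accepts whatever hash the client's key size selects; keeping `pubkey-sha256` on both ends is the stricter choice and is what the quoted gateway config intends.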