Closed ghost closed 2 years ago
From the IPsec log on the server:
#1: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
#1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
#2: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
#2: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
INFORMATIONAL request has no corresponding IKE SA; message dropped
#3: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
#3: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
#3: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
#3: ignoring CERTREQ payload that is not ASN1: number of length octets overflows size_t
#3: reloaded private key matching left certificate '168.235.81.164'
#3: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=vpnclient, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
#3: NSS: SGN_Digest(SHA-1) function failed: SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED: Could not create or verify a signature using a signature algorithm that is disabled because it is not secure.
pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
#4: proposal 2:ESP=AES_CBC_128-HMAC_SHA1_96-DISABLED SPI=eed72b56 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED[better-match] 3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED 4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED 5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED
#4: responder established Child SA using #3; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0xeed72b56 <0x271eeb08 xfrm=AES_CBC_128-HMAC_SHA1_96 NATD=XX.XX.XX.XX:4500 DPD=active}
Possibly it is relevant that SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED: Could not create or verify a signature using a signature algorithm that is disabled because it is not secure
@logyxis Thank you for reporting this issue and providing the logs. I was able to reproduce this issue on a server with AlmaLinux 9. The root cause is that this OS comes with a newer NSS version that disallows the SHA1 signature algorithm.
To fix, edit file /etc/crypto-policies/back-ends/nss.config
on your VPN server. Find the line:
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1 ...
Insert SHA1:
so that the line becomes:
config="disallow=ALL allow=SHA1:HMAC-SHA256:HMAC-SHA1 ...
Save the file and run sudo service ipsec restart
. Then re-connect the VPN client.
On Win10, still have this problem. My VPN server is centOS7, and I can't find '/etc/crypto-policies/back-ends/nss.config' this file. Could you give me some advice?
On Wed, 8 Mar 2023, chenj_freedom wrote:
On Win10, still have this problem. My VPN server is centOS7, and I can't find '/etc/crypto-policies/back-ends/nss.config' this file. Could you give me some advice?
If your system does not have crypto-policies, then just delete the line that is trying to include that. It is only changing the set of defaults and libreswan has strong builtin defaults already.
On Wed, 8 Mar 2023, chenj_freedom wrote: On Win10, still have this problem. My VPN server is centOS7, and I can't find '/etc/crypto-policies/back-ends/nss.config' this file. Could you give me some advice? If your system does not have crypto-policies, then just delete the line that is trying to include that. It is only changing the set of defaults and libreswan has strong builtin defaults already.
I can't find '/etc/crypto-policies/back-ends/nss.config' in my CentOS7. where should I delete the line?
On Wed, 8 Mar 2023, chenj_freedom wrote:
I can't find '/etc/crypto-policies/back-ends/nss.config' in my CentOS7. where should I delete the line?
/etc/ipsec.conf
Attempting to connect from Windows 11 native VPN client to an IKEv2 server on Alma Linux 9 produces an error message:
Can't connect to ikev2
Error processing Signature payload
Windows Event Viewer says the user dialed a connection named ikev2 which has failed. The error code returned on failure is 13838.