topic Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB) in Next-Generation Firewall Discussions

Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

MEDOCHEMIE — Mon, 26 Dec 2022 21:40:26 GMT

trying to establish S2S VPN between Palo Alto 850 and Checkpoint SMB

Certificate based authentication (MS enterprise CA)

The ikev2 is complaining :

====> Initiated SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN:8962 <====
2022-12-26 23:34:49.355 +0200 [PWRN]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0x19961dc0 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2022-12-26 23:34:49.355 +0200 [PWRN]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0x19961dc0 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[0]: 'CN=ABC Root CA'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[1]: 'CN=ABC Issuing CA 1,DC=ABC,DC=local'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[2]: 'O=AA:SS:AA:SS:AA:SS..8d67yo'
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: subject=CN=CPGW
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: issuer=CN=ABC Issuing CA 1,DC=ABC,DC=local[ee?]
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: CR 'CN=ABC Issuing CA 1,DC=ABC,DC=local' received, trust CA founABCCA1
2022-12-26 23:34:49.397 +0200 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2022-12-26 23:34:49.397 +0200 [PERR]: Invalid SIG.
2022-12-26 23:34:49.397 +0200 [PERR]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication result: failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:(nil) closing IKEv2 SA CPGW-Site:8962, code 15
2022-12-26 23:34:49.397 +0200 [PNTF]: { 4: }: ====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway CPGW-Site <====
====> Failed SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN 8962 <====

I could not find something specific for the RSA_verify , Invalid SIG.

Any thoughts what could be the issue?

Re: Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

OtakarKlier — Tue, 27 Dec 2022 16:56:55 GMT

Hello,

Try IKEv1 and see what happens. I've seen this a few times where the IKEv2 between two different or even same manufactures, doesnt play well for some reason.

Regards,

Re: Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

leszeksroka — Thu, 12 Jan 2023 19:17:39 GMT

Hello MEDOCHEMIE,

have you manage to fix this issue with the Invalid SIG? I have the same problem with S2S VPN between Paloalto and Cradlepoint router

Best regards,

Re: Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

nikoolayy1 — Mon, 16 Jan 2023 21:08:35 GMT

Could there be some nat in the way and nat traversal to be needed?

IPSec VPN Tunnel with NAT Traversal

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC

Also check this:

Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK

And if needed enable ike debug:

How to Troubleshoot IPSec VPN connectivity issues

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

Re: Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

nikoolayy1 — Wed, 01 Feb 2023 11:13:00 GMT

Hello @MEDOCHEMIE , Did you manage to find the solution?