Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)


L0 Member

Trying to establish an S2S VPN between a Palo Alto 850 and a Checkpoint SMB.

Certificate based authentication (MS enterprise CA) 

IKEv2 is complaining:

====> Initiated SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN:8962 <====
2022-12-26 23:34:49.355 +0200 [PWRN]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0x19961dc0 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2022-12-26 23:34:49.355 +0200 [PWRN]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0x19961dc0 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[0]: 'CN=ABC Root CA'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[1]: 'CN=ABC Issuing CA 1,DC=ABC,DC=local'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[2]: 'O=AA:SS:AA:SS:AA:SS..8d67yo'
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: subject=CN=CPGW
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: issuer=CN=ABC Issuing CA 1,DC=ABC,DC=local[ee?]
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: CR 'CN=ABC Issuing CA 1,DC=ABC,DC=local' received, trust CA founABCCA1
2022-12-26 23:34:49.397 +0200 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2022-12-26 23:34:49.397 +0200 [PERR]: Invalid SIG.
2022-12-26 23:34:49.397 +0200 [PERR]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication result: failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:(nil) closing IKEv2 SA CPGW-Site:8962, code 15
2022-12-26 23:34:49.397 +0200 [PNTF]: { 4: }: ====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway CPGW-Site <====
====> Failed SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN 8962 <====


I could not find anything specific about the RSA_verify / Invalid SIG errors.

Any thoughts on what the issue could be?
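As an added example (not from the poster, Palo Alto Networks or Check Point), here is a small Python triage script that parses ikemgr lines like the ones above and separates "the peer's certificate chains to a CA we never requested" from "the chain is trusted but the IKE AUTH signature does not verify", which is the pattern shown in this post. The sample log is a trimmed copy of the post's own lines; the field names and the classification labels are my own choices.

```python
import re

# Constructed sample: the ikemgr lines from the post above, trimmed to the ones that matter.
SAMPLE_LOG = """\
====> Initiated SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN:8962 <====
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[0]: 'CN=ABC Root CA'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[1]: 'CN=ABC Issuing CA 1,DC=ABC,DC=local'
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: subject=CN=CPGW
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: issuer=CN=ABC Issuing CA 1,DC=ABC,DC=local[ee?]
2022-12-26 23:34:49.397 +0200 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2022-12-26 23:34:49.397 +0200 [PERR]: Invalid SIG.
2022-12-26 23:34:49.397 +0200 [PERR]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:(nil) closing IKEv2 SA CPGW-Site:8962, code 15
====> Failed SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN 8962 <====
"""

SA_RE = re.compile(r"====> (Initiated|Failed) SA: (\S+)-(\S+) SPI:(\w+):(\w+) SN:?\s?(\d+) <====")
CR_RE = re.compile(r"build IKEv2 CR payload\[\d+\]: '([^']+)'")
CERT_RE = re.compile(r"cert received: (subject|issuer)=(.+?)(?:\[ee\?\])?$")
CLOSE_RE = re.compile(r"closing IKEv2 SA (\S+):(\d+), code (\d+)")

def parse_sa(log_text):
    """Pull the pieces of one IKEv2 SA negotiation out of ikemgr log text."""
    r = {"requested_cas": [], "errors": [], "outcome": "unknown"}
    for line in log_text.splitlines():
        if m := SA_RE.search(line):
            r.update(local=m[2], remote=m[3], spi_i=m[4], spi_r=m[5], sn=m[6])
            r["outcome"] = "failed" if m[1] == "Failed" else r["outcome"]
        elif m := CR_RE.search(line):
            r["requested_cas"].append(m[1])          # CAs we asked the peer to present
        elif m := CERT_RE.search(line):
            r["cert_" + m[1]] = m[2]                 # peer certificate subject / issuer
        elif m := CLOSE_RE.search(line):
            r.update(gateway=m[1], close_code=m[3])
        elif "[PERR]" in line:
            r["errors"].append(line.split("[PERR]: ", 1)[1].strip())
    return r

def classify(r):
    """Name the failure class so an operator knows which setting to look at first."""
    if r["outcome"] != "failed":
        return "no-failure"
    if r.get("cert_issuer") not in r["requested_cas"]:
        return "issuer-not-trusted"       # peer cert chains to a CA we never requested
    if any(e.startswith("RSA_verify failed") for e in r["errors"]):
        return "peer-signature-invalid"   # trusted chain, but the AUTH signature fails
    return "other"
```

For the post's log this returns "peer-signature-invalid": the issuer matched a requested CA, so the trust chain is fine and the problem is in the signature the peer produced over its AUTH payload (key/certificate mismatch or signature-method disagreement), not in the CA configuration.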

3 REPLIES

Cyber Elite

Hello,

Try IKEv1 and see what happens. I've seen this a few times where IKEv2 between two different, or even the same, manufacturers doesn't play well for some reason.


Regards,

L0 Member

Hello MEDOCHEMIE,


Have you managed to fix this issue with the Invalid SIG? I have the same problem with an S2S VPN between Palo Alto and a Cradlepoint router.


Best regards,

Cyber Elite

Could there be some NAT in the way, and NAT traversal needed?


IPSec VPN Tunnel with NAT Traversal


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC


Also check this:


Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK

And if needed enable ike debug:


How to Troubleshoot IPSec VPN connectivity issues

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
