12-26-2022 01:40 PM
Trying to establish an S2S VPN between a Palo Alto 850 and a Checkpoint SMB.
Certificate-based authentication (MS enterprise CA).
IKEv2 is complaining:
====> Initiated SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN:8962 <====
2022-12-26 23:34:49.355 +0200 [PWRN]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0x19961dc0 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2022-12-26 23:34:49.355 +0200 [PWRN]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0x19961dc0 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[0]: 'CN=ABC Root CA'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[1]: 'CN=ABC Issuing CA 1,DC=ABC,DC=local'
2022-12-26 23:34:49.363 +0200 [INFO]: { 4: }: build IKEv2 CR payload[2]: 'O=AA:SS:AA:SS:AA:SS..8d67yo'
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: subject=CN=CPGW
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: issuer=CN=ABC Issuing CA 1,DC=ABC,DC=local[ee?]
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: CR 'CN=ABC Issuing CA 1,DC=ABC,DC=local' received, trust CA founABCCA1
2022-12-26 23:34:49.397 +0200 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2022-12-26 23:34:49.397 +0200 [PERR]: Invalid SIG.
2022-12-26 23:34:49.397 +0200 [PERR]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:0xffcc0f19a0 authentication result: failure
2022-12-26 23:34:49.397 +0200 [INFO]: { 4: }: XXX.XXX.XXX.XXX[500] - YYY.YYY.YYY.YYY[500]:(nil) closing IKEv2 SA CPGW-Site:8962, code 15
2022-12-26 23:34:49.397 +0200 [PNTF]: { 4: }: ====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway CPGW-Site <====
====> Failed SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN 8962 <====
I could not find anything specific for the RSA_verify / Invalid SIG errors.
Any thoughts on what could be the issue?
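As an added example (not part of the thread, and not Palo Alto's own tooling): a small Python triage script that groups ikemgr lines like the ones pasted above by SA serial number and labels the failure cause, so the RSA_verify / Invalid SIG case is distinguished from other authentication failures. The sample log is constructed in the same shape as the output above, with RFC 5737 documentation addresses standing in for the masked peers.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ikemgr output quoted above (RFC 5737
# documentation addresses stand in for the masked peers; SPI and SN are the post's).
SAMPLE_LOG = """\
====> Initiated SA: 198.51.100.1[500]-203.0.113.7[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN:8962 <====
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: subject=CN=CPGW
2022-12-26 23:34:49.394 +0200 [INFO]: { 4: }: cert received: issuer=CN=ABC Issuing CA 1,DC=ABC,DC=local[ee?]
2022-12-26 23:34:49.397 +0200 [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
2022-12-26 23:34:49.397 +0200 [PERR]: Invalid SIG.
2022-12-26 23:34:49.397 +0200 [PERR]: { 4: }: 198.51.100.1[500] - 203.0.113.7[500]:0xffcc0f19a0 authentication failure
====> Failed SA: 198.51.100.1[500]-203.0.113.7[500] SPI:dcb4c37f6f955782:0898ce67edab9913 SN 8962 <====
""".splitlines()

# "====> Initiated/Failed SA ..." markers bracket one negotiation; SN is its serial.
SA_MARKER = re.compile(r"====> (?P<kind>Initiated|Failed) SA: [\d.]+\[\d+\]-(?P<peer>[\d.]+)\[\d+\] "
                       r"SPI:(?P<spi>[0-9a-f]+:[0-9a-f]+) SN:?\s*(?P<sn>\d+) <====")
# Timestamped event line; the "{ 4: }: " context prefix is not always present.
EVENT = re.compile(r"^\S+ \S+ [+-]\d{4} \[(?P<level>[A-Z]{4})\]: (?:\{ \d+: \}: )?(?P<msg>.*)$")

def classify(errors):
    """Map one SA's PERR messages to a short triage label."""
    text = " ".join(errors)
    if "RSA_verify failed" in text or "Invalid SIG" in text:
        return "signature-verify-failed"  # peer's AUTH signature failed to verify against its cert
    return "auth-failed" if "authentication failure" in text else ("other-error" if errors else "ok")

def triage_ike_log(lines):
    """Group ikemgr lines by SA serial number and summarise each negotiation."""
    sessions = defaultdict(lambda: {"peer": None, "spi": None, "certs": [],
                                    "errors": [], "failed": False, "reason": "ok"})
    current = None
    for line in lines:
        m = SA_MARKER.search(line)
        if m:
            current = sessions[m["sn"]]
            current["peer"], current["spi"] = m["peer"], m["spi"]
            current["failed"] |= m["kind"] == "Failed"
            continue
        e = EVENT.match(line)
        if not e or current is None:
            continue  # unknown shape, or a line outside any SA marker
        if e["level"] == "PERR":
            current["errors"].append(e["msg"])
        elif e["msg"].startswith("cert received: subject="):
            current["certs"].append(e["msg"].split("subject=", 1)[1])
    for s in sessions.values():
        s["reason"] = classify(s["errors"])
    return dict(sessions)
```

Run against a real `less mp-log ikemgr.log` dump, the per-SN summary shows which peer certificate was presented and whether the failure is the signature check itself rather than, say, a missing CA or an ID mismatch.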
12-27-2022 08:56 AM
Hello,
Try IKEv1 and see what happens. I've seen this a few times where IKEv2 between two different, or even the same, manufacturers doesn't play well for some reason.
Regards,
01-12-2023 11:17 AM
Hello MEDOCHEMIE,
Have you managed to fix this issue with the Invalid SIG? I have the same problem with an S2S VPN between Palo Alto and a Cradlepoint router.
Best regards,
01-16-2023 01:08 PM
Could there be some NAT in the way, with NAT traversal needed?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC
Also check this:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK
And if needed enable ike debug:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
02-01-2023 03:13 AM
Hello @MEDOCHEMIE, did you manage to find the solution?