
I've tested site-to-site VPN IKEv2 certificate-based authentication between strongSwan and Palo Alto.

I managed to get it to work with Palo Alto versions 8.1.0, 8.1.17, 8.1.18 and 9.1.7.

However, it failed on Palo Alto versions 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.1.15 and 8.1.16.

The error message is:

RSA_verify failed: 140737128797952:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:

Success logs

strongSwan log

Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1035-aws, x86_64):
  uptime: 101 seconds, since Jan 25 08:22:43 2021
  malloc: sbrk 1740800, mmap 0, used 724336, free 1016464
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  172.31.31.254
  172.17.0.1
Connections:
   palo-alto:  %any...18.138.107.2  IKEv2, dpddelay=300s
   palo-alto:   local:  [CN=fw.myfave.com] uses public key authentication
   palo-alto:    cert:  "CN=fw.myfave.com"
   palo-alto:   remote: [CN=CN=Palo-Alto] uses public key authentication
   palo-alto:    cert:  "CN=CN=Palo-Alto"
   palo-alto:   child:  10.168.12.0/26 === 10.10.10.0/24 TUNNEL, dpdaction=clear
Routed Connections:
   palo-alto{1}:  ROUTED, TUNNEL, reqid 1
   palo-alto{1}:   10.168.12.0/26 === 10.10.10.0/24
Security Associations (1 up, 0 connecting):
   palo-alto[1]: ESTABLISHED 94 seconds ago, 172.31.31.254[CN=fw.myfave.com]...18.138.107.2[CN=CN=Palo-Alto]
   palo-alto[1]: IKEv2 SPIs: be95a854c9de3f3a_i* ab0a765721ab6d73_r, public key reauthentication in 42 minutes
   palo-alto[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
   palo-alto{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd46364e_i f6b29a1f_o
   palo-alto{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
   palo-alto{2}:   10.168.12.0/26 === 10.10.10.0/24

Palo Alto logs

2021-01-25 00:22:51.260 -0800  [PNTF]: {    1:     }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Initiated SA: 192.168.21.44[500]-3.0.180.248[500] SPI:be95a854c9de3f3a:ab0a765721ab6d73 SN:3 <====
2021-01-25 00:22:51.260 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e2bd0 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2021-01-25 00:22:51.260 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e2bd0 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2021-01-25 00:22:51.260 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e2bd0 ignoring unauthenticated notify payload (16430)
2021-01-25 00:22:51.260 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e2bd0 ignoring unauthenticated notify payload (16431)
2021-01-25 00:22:51.260 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e2bd0 ignoring unauthenticated notify payload (16406)
2021-01-25 00:22:51.261 -0800  [INFO]: {    1:     }: build IKEv2 CR payload[0]: 'CN=Root_CA_VPN'
2021-01-25 00:22:51.261 -0800  [INFO]: {    1:     }: build IKEv2 CR payload[1]: 'CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB'
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: cert received: subject=CN=fw.myfave.com, issuer=CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB[ee
?]
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: CR hash (2) ignored, no match found.
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x7fffe0000da0 authentication result: success
2021-01-25 00:22:51.283 -0800  [PWRN]: {    1:     }: 16384 is not a child notify type
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: received Notify payload protocol 0 type INITIAL_CONTACT
2021-01-25 00:22:51.283 -0800  [PWRN]: {    1:     }: 16417 is not a child notify type
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: received Notify payload protocol 0 type EAP_ONLY_AUTHENTICATION
2021-01-25 00:22:51.283 -0800  [PWRN]: {    1:     }: 16420 is not a child notify type
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: received Notify payload protocol 0 type 16420
2021-01-25 00:22:51.283 -0800  [PNTF]: {    1:     }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Initiated SA: 192.168.21.44[500]-3.0.180.248[500] message id:0x00000001 parent SN:3 <====
2021-01-25 00:22:51.283 -0800  [WARN]: {    1:    1}: selector fave src is ambiguous, using the first one of the expanded addresses
2021-01-25 00:22:51.283 -0800  [WARN]: {    1:    1}: selector fave dst is ambiguous, using the first one of the expanded addresses
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:    1}: SADB_UPDATE proto=255 3.0.180.248[500]=>192.168.21.44[500] ESP tunl spi 0xF6B29A1F auth=SHA256 enc=AES256/32 lifetime soft 2971/0 hard 3600/0
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:    1}: SADB_ADD proto=255 192.168.21.44[500]=>3.0.180.248[500] ESP tunl spi 0xCD46364E auth=SHA256 enc=AES256/32 lifetime soft 2990/0 hard 3600/0
2021-01-25 00:22:51.283 -0800  [PNTF]: {    1:    1}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel fave <====
                                                      ====> Installed SA: 192.168.21.44[500]-3.0.180.248[500] SPI:0xF6B29A1F/0xCD46364E lifetime 3600 Sec lifesize unlimited <====
2021-01-25 00:22:51.283 -0800  [PNTF]: {    1:    1}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel fave <====
                                                      ====> Established SA: 192.168.21.44[500]-3.0.180.248[500] message id:0x00000001, SPI:0xF6B29A1F/0xCD46364E parent SN:3 <====
2021-01-25 00:22:51.283 -0800  [PNTF]: {    1:     }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Established SA: 192.168.21.44[500]-3.0.180.248[500] SPI:be95a854c9de3f3a:ab0a765721ab6d73 SN:3 lifetime 28800 Sec <====

Failed logs

strongSwan log

initiating IKE_SA palo-alto[1] to 18.138.107.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.31.31.254[500] to 18.138.107.2[500] (1894 bytes)
retransmit 1 of request with message ID 0
sending packet: from 172.31.31.254[500] to 18.138.107.2[500] (1894 bytes)
received packet: from 18.138.107.2[500] to 172.31.31.254[500] (269 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
received cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
received 1 cert requests for an unknown ca
sending cert request for "C=CH, O=strongswan, CN=Root CA"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
authentication of 'CN=fw.myfave.com' (myself) with RSA signature successful
sending end entity cert "CN=fw.myfave.com"
establishing CHILD_SA palo-alto{2}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 172.31.31.254[500] to 18.138.107.2[500] (2368 bytes)
received packet: from 18.138.107.2[500] to 172.31.31.254[500] (1280 bytes)
parsed IKE_AUTH response 1 [ IDr CERT N(INIT_CONTACT) AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
received end entity cert "CN=CN=Palo-Alto"
no issuer certificate found for "CN=CN=Palo-Alto"
  issuer is "CN=Root_CA_VPN"
  using trusted certificate "CN=CN=Palo-Alto"
signature validation failed, looking for another key
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 172.31.31.254[500] to 18.138.107.2[500] (80 bytes)
establishing connection 'palo-alto' failed

Palo Alto logs

2021-01-25 00:52:01.760 -0800  [PNTF]: {    1:     }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Initiated SA: 192.168.21.44[500]-3.0.180.248[500] SPI:196afe660f063f23:0c939463ff93c6e9 SN:1 <====
2021-01-25 00:52:01.760 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e3520 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2021-01-25 00:52:01.760 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e3520 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2021-01-25 00:52:01.760 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e3520 ignoring unauthenticated notify payload (16430)
2021-01-25 00:52:01.760 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e3520 ignoring unauthenticated notify payload (16431)
2021-01-25 00:52:01.760 -0800  [PWRN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x8e3520 ignoring unauthenticated notify payload (16406)
2021-01-25 00:52:01.761 -0800  [INFO]: {    1:     }: build IKEv2 CR payload[0]: 'CN=Root_CA_VPN'
2021-01-25 00:52:01.761 -0800  [INFO]: {    1:     }: build IKEv2 CR payload[1]: 'CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB'
2021-01-25 00:52:01.777 -0800  [INFO]: {    1:     }: cert received: subject=CN=fw.myfave.com, issuer=CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB[ee
?]
2021-01-25 00:52:01.777 -0800  [INFO]: {    1:     }: CR hash (2) ignored, no match found.
2021-01-25 00:52:01.777 -0800  [PERR]: RSA_verify failed: 140737128797952:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:
2021-01-25 00:52:01.777 -0800  [WARN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:(nil) RSA_verify switch hash_alg SHA256 to SHA1
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x7fffd800b6f0 authentication result: success
2021-01-25 00:52:01.778 -0800  [PWRN]: {    1:     }: 16384 is not a child notify type
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:     }: received Notify payload protocol 0 type INITIAL_CONTACT
2021-01-25 00:52:01.778 -0800  [PWRN]: {    1:     }: 16417 is not a child notify type
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:     }: received Notify payload protocol 0 type EAP_ONLY_AUTHENTICATION
2021-01-25 00:52:01.778 -0800  [PWRN]: {    1:     }: 16420 is not a child notify type
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:     }: received Notify payload protocol 0 type 16420
2021-01-25 00:52:01.778 -0800  [PNTF]: {    1:     }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Initiated SA: 192.168.21.44[500]-3.0.180.248[500] message id:0x00000001 parent SN:1 <====
2021-01-25 00:52:01.778 -0800  [WARN]: {    1:    1}: selector fave src is ambiguous, using the first one of the expanded addresses
2021-01-25 00:52:01.778 -0800  [WARN]: {    1:    1}: selector fave dst is ambiguous, using the first one of the expanded addresses
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:    1}: SADB_UPDATE proto=255 3.0.180.248[500]=>192.168.21.44[500] ESP tunl spi 0xEBA22C90 auth=SHA256 enc=AES256/32 lifetime soft 3075/0 hard 3600/0
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:    1}: SADB_ADD proto=255 192.168.21.44[500]=>3.0.180.248[500] ESP tunl spi 0xC688599B auth=SHA256 enc=AES256/32 lifetime soft 2888/0 hard 3600/0
2021-01-25 00:52:01.778 -0800  [PNTF]: {    1:    1}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel fave <====
                                                      ====> Installed SA: 192.168.21.44[500]-3.0.180.248[500] SPI:0xEBA22C90/0xC688599B lifetime 3600 Sec lifesize unlimited <====
2021-01-25 00:52:01.778 -0800  [PNTF]: {    1:    1}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel fave <====
                                                      ====> Established SA: 192.168.21.44[500]-3.0.180.248[500] message id:0x00000001, SPI:0xEBA22C90/0xC688599B parent SN:1 <====
2021-01-25 00:52:01.778 -0800  [PNTF]: {    1:     }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Established SA: 192.168.21.44[500]-3.0.180.248[500] SPI:196afe660f063f23:0c939463ff93c6e9 SN:1 lifetime 28800 Sec <====
2021-01-25 00:52:01.783 -0800  [PERR]: {    1:     }: received Notify payload protocol 0 type AUTHENTICATION_FAILED
2021-01-25 00:52:01.783 -0800  [INFO]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:(nil) closing IKEv2 SA fave:1, code 18
2021-01-25 00:52:01.783 -0800  [PNTF]: {    1:     }: ====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway fave <====
                                                      ====> Failed SA: 192.168.21.44[500]-3.0.180.248[500] SPI:196afe660f063f23:0c939463ff93c6e9 SN 1 <====
2021-01-25 00:52:01.783 -0800  [PNTF]: {    1:    1}: ====> IPSEC KEY DELETED; tunnel fave <====
                                                      ====> Deleted SA: 192.168.21.44[500]-3.0.180.248[500] SPI:0xEBA22C90/0xC688599B <====
2021-01-25 00:52:01.783 -0800  [INFO]: {    1:    1}: SADB_DELETE proto=255 src=3.0.180.248[0] dst=192.168.21.44[0] ESP spi=0xEBA22C90
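
An added triage script, not from the original post or from either vendor, that parses PAN-OS ikemgr lines like the ones above and flags the pattern that separates the failed run from the successful one: the RSA_verify "algorithm mismatch" error, the fallback from SHA256 to SHA1, and the peer's AUTHENTICATION_FAILED notify that follows. The line-format regex and the verdict labels are my assumptions; the sample lines are copied (abridged) from the two Palo Alto logs in the post.

```python
import re

# Abridged PAN-OS ikemgr lines copied from the failed and successful logs in the post above.
FAILED_LOG = """\
2021-01-25 00:52:01.777 -0800  [INFO]: {    1:     }: CR hash (2) ignored, no match found.
2021-01-25 00:52:01.777 -0800  [PERR]: RSA_verify failed: 140737128797952:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:
2021-01-25 00:52:01.777 -0800  [WARN]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:(nil) RSA_verify switch hash_alg SHA256 to SHA1
2021-01-25 00:52:01.778 -0800  [INFO]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x7fffd800b6f0 authentication result: success
2021-01-25 00:52:01.783 -0800  [PERR]: {    1:     }: received Notify payload protocol 0 type AUTHENTICATION_FAILED
2021-01-25 00:52:01.783 -0800  [INFO]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:(nil) closing IKEv2 SA fave:1, code 18
"""
SUCCESS_LOG = """\
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: CR hash (2) ignored, no match found.
2021-01-25 00:22:51.283 -0800  [INFO]: {    1:     }: 192.168.21.44[500] - 3.0.180.248[500]:0x7fffe0000da0 authentication result: success
2021-01-25 00:22:51.283 -0800  [PNTF]: {    1:     }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; gateway fave <====
"""

# Assumed line shape: "<date> <time> <tz>  [<LEVEL>]: <message>"; the "====>" continuation lines have no timestamp.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4})\s+\[(?P<level>[A-Z]+)\]:\s*(?P<msg>.*)$")
DOWNGRADE_RE = re.compile(r"RSA_verify switch hash_alg (?P<src>\w+) to (?P<dst>\w+)")

def parse_ikemgr(text):
    """Yield (timestamp, level, message) for each timestamped line; continuation lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")

def triage_ike_auth(text):
    """Classify one IKEv2 responder exchange: did the firewall downgrade the signature hash, and did the peer then reject AUTH?"""
    report = {"rsa_verify_error": None, "hash_downgrade": None,
              "local_auth_result": None, "peer_auth_failed": False}
    for _ts, _level, msg in parse_ikemgr(text):
        downgrade = DOWNGRADE_RE.search(msg)
        if "RSA_verify failed" in msg:
            report["rsa_verify_error"] = msg.split("RSA_verify failed: ", 1)[1]
        elif downgrade:
            report["hash_downgrade"] = (downgrade.group("src"), downgrade.group("dst"))
        elif "authentication result:" in msg:
            report["local_auth_result"] = msg.rsplit(": ", 1)[1]
        elif "type AUTHENTICATION_FAILED" in msg:
            report["peer_auth_failed"] = True
    # The firewall only "succeeded" after falling back to SHA1, and the peer then rejected our AUTH payload.
    if report["hash_downgrade"] and report["peer_auth_failed"]:
        report["verdict"] = "hash-mismatch"
    elif report["local_auth_result"] == "success" and not report["peer_auth_failed"]:
        report["verdict"] = "ok"
    else:
        report["verdict"] = "inconclusive"
    return report
```

Note that the firewall's own "authentication result: success" line appears in both runs, so only the downgrade warning plus the peer's AUTHENTICATION_FAILED notify separates the two outcomes.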