FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
452 views 1 comments
by anonymous
RUTX11 firmware version RUTX_R_00.07.04.2

Hello,

i am testing IPsec VPN using X.509 certificates (no PSK!) with the above mentioned router to a Palo Alto PA-820.

With IKEv1 the VPN is building up as intended, but just changing the one setting "Key exchange" from IKEv1 to IKEv2 in the RUTX11 IPsec settings and the VPN is going down. The PA-820 accepts both (IKEv1 and IKEv2). As said, with IKEv1 it is working. But IKEv2 would be preferred.

In the Teltonika log i saw no error shown, but at the palo alto log there is:

"2023-04-26 11:46:25.856 +0200  [PERR]: RSA_verify failed: 1098954010896:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:
2023-04-26 11:46:25.856 +0200  [PERR]: Invalid SIG."

The supporter says that this seems to be a wrong IKEv2 implementation at the Teltonika router.

Troubleshoot file is attached.

Are you able to help?

Best regards.

1 Answer

0 votes
by anonymous
Hi,

Thanks for providing detailed explanations.

Currently, I am unable to confirm any of the issues and the case has been relayed to our RnD department.

Thanks for the testing.
by anonymous

Hi,

Sorry this took quite some time but we needed to get hands-on some PaloAlto equipment to test out why did we heard complaints from multiple clients. As it turns out the issue is not really on our end.

1. Tried various configurations on PaloAlto and somewhat arrived to a conclusion that it only supports legacy RSA Digital Signature authentication and on top of it refuses SHA1 which Strongswan uses by default if RSA Digital Signature method is used. Strongswan has implemented rfc7427 which allows peers to negotiate which signature method should be used. In 3. pasted log IKEv2 auth verify method 1 can be seen that RSA Digital Signature method is used on PaloAlto (https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-12), but I cannot find neither in Palo WEBui nor in its documentation where to change that method to Digital Signature.

Strongswan currently supports these RFC's: https://docs.strongswan.org/docs/5.9/features/ietf.html

If customer has contact with PaloAlto support he should ask whether PANos support rfc7427 and how to enable it.

2. Would you able to provide us with the full palo alto config?

3.

debug ike global on debug

tail follow yes mp-log ikemgr.log

2023-05-31 02:16:42.696 +0300  [DUMP]: {    1:     }: IKEv2 auth verify method 1
2023-05-31 02:16:42.697 +0300  [PERR]: RSA_verify failed: 139714819081984:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269: 
2023-05-31 02:16:42.697 +0300  [INFO]: pfs is added SHA256 in proposal
2023-05-31 02:16:42.697 +0300  [DUMP]: GWid 1 does not allow SHA1
2023-05-31 02:16:42.697 +0300  [PERR]: Invalid SIGWhen SHA1 is added in IKE Crypto profile, tunnel establishes successfully (except when gcm algo is used):