Parzysz
New Member
August 29, 2018
Question

IKEv2 IPSEC with signature auth

  • August 29, 2018
  • 2 replies
  • 20647 views

Hi, I'm having problems setting up IKEv2 IPsec with a remote site.

What I've done:

I've imported the certificate via the GUI, together with the whole chain by which this certificate is signed (internal CA).

I've set up a custom site-to-site tunnel.

SA Policies do match.

However, I can see a message in the logs saying:

ike 0:NVT_BIA:44590: reassembled fragmented message
ike 0:NVT_BIA:44590: initiator received AUTH msg
ike 0:NVT_BIA:44590: received peer identifier DER_ASN1_DN 'CN = RemoteIP, OU = VPN, O = CompanyName, C = UK'
ike 0:NVT_BIA:44590: Validating X.509 certificate
ike 0:NVT_BIA:44590: peer cert, subject='RemoteIP', issuer='IPSecCA'
ike 0:NVT_BIA:44590: peer ID verified
ike 0:NVT_BIA:44590: building fnbam peer candidate list
ike 0:NVT_BIA:44590: FNBAM_GROUP_ANY candidate ''
ike 0:NVT_BIA:44590: certificate validation pending
ike 0:NVT_BIA:44590: certificate validation complete
ike 0:NVT_BIA:44590: certificate validation succeeded
ike 0:NVT_BIA:44590: signature verification failed


Parzysz (Author)
New Member
August 31, 2018
I've tried setting peer verification, but the result is the same as above, no matter whether I verify with the root CA (self-signed) or the IPsec CA (signed by the root; the remote and local certificates are signed by this CA).
Parzysz (Author)
New Member
September 10, 2018

FG Config

 

FortiGate # show vpn ipsec phase1-interface BIA
config vpn ipsec phase1-interface
 edit "BIA"
 set interface "wan1"
 set ike-version 2
 set local-gw LocalIP
 set authmethod signature
 set peertype any
 set proposal aes256-sha256
 set dpd disable
 set dhgrp 21
 set nattraversal disable
 set remote-gw RemoteIP
 set certificate "VPN3"
 next
end
 
FortiGate # show vpn ipsec phase2-interface BIA
config vpn ipsec phase2-interface
 edit "BIA"
 set phase1name "BIA"
 set proposal aes256-sha256
 set dhgrp 21
 set src-addr-type name
 set dst-addr-type name
 set keylifeseconds 28800
 set src-name "local_10.254.211.0"
 set dst-name "BIA_Remote"
 next
end

 

And I still get "signature verification failed".

VPN3 (Local Certificate) and Remote Certificate are both signed by same CA.

Certificates have CN=Local/RemoteIP

X509v3 Extended Key Usage:
    TLS Web Client Authentication, ipsec Internet Key Exchange
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Data Encipherment

 

Manual verification of CA and certificates is ok.

Can anyone give me a tip on what's going on?

 

PSK works fine, so it's not a problem with the policies.

train_wreck
New Member
March 26, 2019

I am having this same problem. Did you ever find out what is happening? It makes absolutely no sense that "certificate validation" is successful but "signature validation" is not.

 

Everything is the same as your setup; IKEv2, certificates verify properly but "signature" validation fails, with no indication as to why. If I switch to using IKEv1, the connection comes up fine, so it is just a problem with IKEv2.

 

Anyone at Fortinet around?????

Wurzlsepp
New Member
January 3, 2025

With IKEv2 one needs to tell the FortiGate which algorithm is used to verify the signature on the IKE packets. The FortiGate does not derive it from the IKE algorithm.

Unfortunately, e.g. libreswan as the other end has the same issue.

If you get "certificate OK" but "signature auth failed", your best bet is to set this on both ends:

Fortigate:

set digital-signature-auth enable
set signature-hash-alg sha2-256

other end, e.g. libreswan:

authby = ecdsa

 

Hope this will save some headaches
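To make the "certificate validation succeeded / signature verification failed" pair from the first post concrete, here is an added example (written for this thread; it is not FortiGate, libreswan or any vendor's code) of how an IKEv2 AUTH payload is built and checked. RFC 7296 auth method 1 ("RSA Digital Signature") carries a bare RSASSA-PKCS1-v1_5 signature and the hash is fixed to SHA-1 by the RFC, so if one side signs with SHA-256 the peer's certificate still validates but the signature does not. RFC 7427 auth method 14 ("Digital Signature") prefixes the signature with a DER AlgorithmIdentifier naming the hash, which is the negotiation the `digital-signature-auth` / `signature-hash-alg` settings above turn on. The RSA key is a deliberately weak toy key built from Mersenne primes, the `SIGNED_OCTETS` stand-in for InitiatorSignedOctets is constructed, and the log-style reason strings are assumptions made to mirror the thread's messages.

```python
"""Toy IKEv2 AUTH payload builder/verifier (example code for this thread).

Shows why the verifier must know the hash: RFC 7296 auth method 1 implies
RSASSA-PKCS1-v1_5 with SHA-1, while RFC 7427 auth method 14 names the hash
inside the payload via a DER AlgorithmIdentifier.
"""
import hashlib
from typing import Tuple

# Toy RSA key: NOT for real use, Mersenne-prime factors are trivially found.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in octets

# DER DigestInfo prefixes used by EMSA-PKCS1-v1_5 (RFC 8017, section 9.2 note 1)
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
# DER AlgorithmIdentifier carried in an RFC 7427 AUTH payload
ALG_ID = {
    "sha1":   bytes.fromhex("300d06092a864886f70d0101050500"),   # sha1WithRSAEncryption
    "sha256": bytes.fromhex("300d06092a864886f70d01010b0500"),   # sha256WithRSAEncryption
}
ALG_ID_TO_HASH = {v: k for k, v in ALG_ID.items()}

AUTH_RSA_DIGITAL_SIGNATURE = 1   # RFC 7296: SHA-1 is implied, never transmitted
AUTH_DIGITAL_SIGNATURE = 14      # RFC 7427: hash named inside the payload


def _emsa_pkcs1_v15(data: bytes, hash_name: str) -> bytes:
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def rsa_sign(data: bytes, hash_name: str) -> bytes:
    em = int.from_bytes(_emsa_pkcs1_v15(data, hash_name), "big")
    return pow(em, D, N).to_bytes(K, "big")


def rsa_verify(data: bytes, sig: bytes, hash_name: str) -> bool:
    if len(sig) != K:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return em == _emsa_pkcs1_v15(data, hash_name)


def build_auth_payload(method: int, signed_octets: bytes, hash_name: str) -> bytes:
    """Initiator side: generic payload header, Auth Method, 3 reserved octets, data."""
    sig = rsa_sign(signed_octets, hash_name)
    if method == AUTH_DIGITAL_SIGNATURE:
        alg = ALG_ID[hash_name]
        auth_data = bytes([len(alg)]) + alg + sig   # ASN.1 Length | AlgorithmIdentifier | sig
    else:
        auth_data = sig                             # method 1: bare signature only
    body = bytes([method, 0, 0, 0]) + auth_data
    header = bytes([0, 0]) + (4 + len(body)).to_bytes(2, "big")  # next payload, flags, length
    return header + body


def verify_auth_payload(payload: bytes, signed_octets: bytes) -> Tuple[bool, str]:
    """Responder side: pick the hash the payload implies, then verify. Returns (ok, reason)."""
    length = int.from_bytes(payload[2:4], "big")
    if length != len(payload) or length < 8:
        return False, "malformed AUTH payload"
    method, auth_data = payload[4], payload[8:]
    if method == AUTH_RSA_DIGITAL_SIGNATURE:
        hash_name, sig = "sha1", auth_data          # nothing in the payload says otherwise
    elif method == AUTH_DIGITAL_SIGNATURE:
        alg_len = auth_data[0]
        alg, sig = auth_data[1:1 + alg_len], auth_data[1 + alg_len:]
        if alg not in ALG_ID_TO_HASH:
            return False, "unsupported AlgorithmIdentifier"
        hash_name = ALG_ID_TO_HASH[alg]
    else:
        return False, f"unsupported auth method {method}"
    ok = rsa_verify(signed_octets, sig, hash_name)
    return ok, ("peer ID verified" if ok else f"signature verification failed (tried {hash_name})")


# Constructed stand-in for InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
SIGNED_OCTETS = b"IKE_SA_INIT request bytes" + b"\x11" * 32 + b"prf(SK_pi, IDi)"


def demo() -> dict:
    return {
        # classic method 1, both sides silently agree on SHA-1
        "method1_sha1": verify_auth_payload(
            build_auth_payload(AUTH_RSA_DIGITAL_SIGNATURE, SIGNED_OCTETS, "sha1"), SIGNED_OCTETS),
        # method 1 but the initiator hashed with SHA-256: cert is fine, signature is not
        "method1_sha256": verify_auth_payload(
            build_auth_payload(AUTH_RSA_DIGITAL_SIGNATURE, SIGNED_OCTETS, "sha256"), SIGNED_OCTETS),
        # RFC 7427: the payload says sha256WithRSAEncryption, so the verifier uses SHA-256
        "method14_sha256": verify_auth_payload(
            build_auth_payload(AUTH_DIGITAL_SIGNATURE, SIGNED_OCTETS, "sha256"), SIGNED_OCTETS),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The middle case is the situation in this thread: certificate chain validation has nothing to do with which hash the peer used over the signed octets, so it passes, and only the final RSA check fails. With method 14 the AlgorithmIdentifier removes the guesswork, which is why enabling RFC 7427 style authentication on both ends and agreeing on the hash list is the fix rather than anything in the CA chain.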