- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IKEv2 IPSEC with signature auth
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IKEv2 IPSEC with signature auth
Hi, I`m having problems with setting up IKEv2 IPSEC with remote site.
What I`ve done:
I`ve imported Certificate via GUI and whole Chain by which this certificate is signeg (Internal CA).
I`ve setup Custom Site-to-Site tunnel.
SA Policies do match.
Hovewer I can see in logs message saying:
ike 0:NVT_BIA:44590: reassembled fragmented message
ike 0:NVT_BIA:44590: initiator received AUTH msg
ike 0:NVT_BIA:44590: received peer identifier DER_ASN1_DN 'CN = RemoteIP, OU = VPN, O = CompanyName, C = UK'
ike 0:NVT_BIA:44590: Validating X.509 certificate
ike 0:NVT_BIA:44590: peer cert, subject='RemoteIP', issuer='IPSecCA'
ike 0:NVT_BIA:44590: peer ID verified
ike 0:NVT_BIA:44590: building fnbam peer candidate list
ike 0:NVT_BIA:44590: FNBAM_GROUP_ANY candidate ''
ike 0:NVT_BIA:44590: certificate validation pending
ike 0:NVT_BIA:44590: certificate validation complete
ike 0:NVT_BIA:44590: certificate validation succeeded
ike 0:NVT_BIA:44590: signature verification failed
Labels:
- Labels:
-
5.4
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I finally found the incredibly stupid and insecure solution to this: use SHA1 for the hashing algortithm in Phase 1 and Phase 2. Doing this (and making no other changes to the above config) causes the tunnel to come up without issue.
Did you open any tickets with support ?And are you on the latest FortiOS version ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do we have a solution for that issue?
I have almost the same:
ike 0:XXXX-Test:367874: certificate validation complete ike 0:XXXX-Test:367874: certificate validation succeeded ike 0:XXXX-Test:367874: signature verification failed
Just with IKEv1 and only from Windows 1809 - when we use Windows 1803 and certificates from the same CA the tunnel works as expected.
We do the authentication with a RADIUS not with local peers.
P1 edit "XXXX-Test" set type dynamic set interface "port10" set authmethod signature set mode aggressive set peertype any set mode-cfg enable set ipv4-dns-server1 x.x.x.x set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1 set dpd on-idle set comments "VPN: XXXX-Test (Created by VPN wizard)" set wizard-type dialup-forticlient set xauthtype auto set authusrgrp "XXXX-Test" => RADIUS Group set certificate "XXXXXXXXXXXX" set net-device enable set ipv4-start-ip x.x.x.x set ipv4-end-ip x.x.x.x set ipv4-split-include "10.x.x.x.x/16" set save-password enable set client-auto-negotiate enable set client-keep-alive enable set dpd-retryinterval 5 next
P2 edit "XXXX-Test" set phase1name "XXXX-Test" set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256 set comments "VPN: XXXX-Test (Created by VPN wizard)" next
I have an open support case but now solution until now.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- How to aggregate many IKEv1 and... 832 Views
- IKEv2 IPSec Troubleshooting Tips needed on... 704 Views
- Site-to-Site VPN to Cisco ASA with... 204 Views
- IPsec IKEv2: No CA certificate chain... 398 Views
- IkeV2 IPSEC-crash during HA failover after... 313 Views
Labels
-
FortiGate
6,705 -
FortiClient
1,334 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
340 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
81 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
59 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiAuthenticator
21 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Proxy policy
4 -
Packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
Antivirus profile
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.