Hi,
I'm trying to get a remote access VPN set up to a 2921-G2 with onboard hardware crypto engine running 15.2(2)T2 IOS. Remote users use StrongSwan as a VPN client.
I've configured both ends to use RSA certs for authentication and Suite B cryptographic suites, but when attempting to form a tunnel with the router, the authentication process fails with the following debug entries on the router:
*Aug 14 09:21:33.876: crypto_engine_select_crypto_engine: can't handle any more
*Aug 14 09:21:33.880: crypto_engine: no crypto engines available
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data FAILED
*Aug 14 09:21:33.880: CRYPTO_PKI: Application requested to expire the key
*Aug 14 09:21:33.880: CRYPTO_PKI: Expiring peer's cached key with key id 17
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Failed to compute or verify a signature
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=76AB0E9D61482693 R_SPI=18E7CB2367731416 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Sending authentication failure notify
*Aug 14 09:21:33.880: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
The entries of concern are: crypto_engine_select_crypto_engine: can't handle any more & crypto_engine: no crypto engines available
Does anyone have an idea of the possible cause of this?
Thanks,
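The two "crypto_engine" lines are the useful discriminator in this trace: an AUTHENTICATION_FAILED that is preceded by "no crypto engines available" for the same SA is an engine-availability problem on the router, not necessarily a bad certificate on the client. The following added example (my own script, not from the poster or Cisco) scans `debug crypto ikev2` style output and tags each failed peer authentication with its likely cause; the timestamp window, field names and the second sample in the test are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the debug lines quoted in the post above, trimmed.
SAMPLE_DEBUG = """\
*Aug 14 09:21:33.876: crypto_engine_select_crypto_engine: can't handle any more
*Aug 14 09:21:33.880: crypto_engine: no crypto engines available
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data FAILED
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Failed to compute or verify a signature
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=76AB0E9D61482693 R_SPI=18E7CB2367731416 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*Aug 14 09:21:33.880: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
"""

# IOS debug line: optional '*', "Mon DD HH:MM:SS.mmm: message"
TS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
SA_RE = re.compile(r"IKEv2:\(SA ID = (?P<sa>\d+)\):(?P<body>.*)")
SPI_RE = re.compile(r"I_SPI=(?P<i>[0-9A-Fa-f]+) R_SPI=(?P<r>[0-9A-Fa-f]+)")
ENGINE_MSGS = ("crypto_engine: no crypto engines available",
               "crypto_engine_select_crypto_engine: can't handle any more")
AUTH_FAIL = "Verification of peer's authentication data FAILED"


def parse_ts(ts):
    # Year is absent in IOS timestamps; only relative ordering matters here.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def classify_auth_failures(debug_text, window_s=2.0):
    """Return one record per failed peer authentication, tagged with its cause.

    cause is 'crypto_engine_unavailable' when an engine-availability message
    appeared within window_s seconds before the failure, else
    'peer_auth_data_invalid' (assumed label for a genuine cert/signature problem).
    """
    engine_events, spis, results = [], {}, []
    for line in debug_text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue  # payload dumps and other continuation lines are skipped
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if msg.startswith(ENGINE_MSGS):
            engine_events.append(ts)
            continue
        sa = SA_RE.match(msg)
        if not sa:
            continue
        sa_id, body = int(sa["sa"]), sa["body"]
        spi = SPI_RE.search(body)
        if spi:
            spis[sa_id] = (spi["i"].upper(), spi["r"].upper())
        if AUTH_FAIL in body:
            recent = [t for t in engine_events if 0 <= (ts - t).total_seconds() <= window_s]
            results.append({
                "sa_id": sa_id,
                "i_spi": spis.get(sa_id, (None, None))[0],
                "r_spi": spis.get(sa_id, (None, None))[1],
                "engine_msgs": len(recent),
                "cause": "crypto_engine_unavailable" if recent else "peer_auth_data_invalid",
            })
    return results
```

Run it over a captured `debug crypto ikev2` buffer; a result tagged `peer_auth_data_invalid` points at certificates or trustpoints, while `crypto_engine_unavailable` points at the router's crypto engine rather than the client.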