The FortiGate and Palo Alto IPsec tunnel fails to establish when the certificate is signed with SHA-256 or a stronger algorithm.

Created On 11/07/25 09:51 AM - Last Modified 01/12/26 22:49 PM


Symptom


  • An IPsec tunnel is configured between a FortiGate and a Palo Alto Networks firewall, with certificate authentication.
  • The tunnel fails to establish: IKEv2 phase 1 (the IKE SA) never completes.
  • The following errors are visible in ikemgr.log when the Palo Alto firewall tries to verify the FortiGate's signature:
    +0100  [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
    +0100  [PERR]: Invalid SIG.


Environment


  • FortiGate
  • Palo Alto Networks NGFW
  • Prisma Access - Remote Networks
  • IPsec with certificate authentication
  • PAN-OS 10.2.4


Cause


  • The strongSwan-based IKE implementation used by FortiGate is incompatible with PAN-OS when certificate authentication is used.
  • The problem is triggered when the certificates are signed with SHA-256 or a stronger algorithm: the hash the FortiGate uses for the IKEv2 authentication signature conflicts with the hash PAN-OS expects from its IKE crypto profile, so PAN-OS cannot verify the signature (RSA_verify failed: bad signature / Invalid SIG) and the IKE SA is never established.


Resolution


  1. On the Palo Alto firewall, put SHA1 in the first position of the Authentication list of the IKE Crypto profile used by the IKE gateway facing the FortiGate.
  2. GUI: Network > Network Profiles > IKE Crypto > (modify or add the profile) > under Authentication add SHA1 and move it to the top of the list.
  3. The resulting profile as shown in the CLI:
     Example-IKE-Crypto {
       hash [ sha1 sha256 sha384 sha512];
       dh-group group20;
       encryption aes-256-cbc;
       lifetime {
         seconds 28800;
       }
     }
  4. On the FortiGate, configure the phase 1 proposal with only the desired hash, for example SHA512, so that SHA1 cannot be selected.
  5. The tunnel is then established with SHA512.

SHA1 stays in the list the Palo Alto profile offers, so attach this profile only to the IKE gateway for the FortiGate and keep the FortiGate restricted to the stronger hash; that way the IKE SA with the FortiGate is never negotiated with SHA-1, and other peers are not offered it.
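As an added worked example (not part of this article, and not Palo Alto Networks or Fortinet tooling), the following Python script checks the two conditions of the resolution above against configuration text and also scans ikemgr.log lines for the signature-failure pattern listed under Symptom. It assumes the PAN-OS IKE Crypto profile is supplied as the CLI output shown above and the FortiGate phase 1 proposal as a FortiOS "set proposal" line; the sample log lines, filler lines and contrasting "bad" profile are constructed for the example.

```python
"""Check the FortiGate/PAN-OS hash workaround and triage ikemgr.log lines.

Added example for this KB article; not Palo Alto Networks or Fortinet code.
Assumptions: the PAN-OS profile is given as 'show' CLI text and the FortiGate
proposal as a FortiOS 'set proposal ...' line. All sample input is constructed.
"""
import re

# Constructed sample of ikemgr.log content. The two [PERR] lines copy the
# messages quoted in the article; the [INFO] lines are filler, not real
# PAN-OS log messages.
SAMPLE_IKEMGR_LOG = """\
+0100  [INFO]: constructed filler line 1 (not a real ikemgr.log message)
+0100  [PERR]: RSA_verify failed: 0:error:04091068:rsa routines:int_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:228:
+0100  [PERR]: Invalid SIG.
+0100  [INFO]: constructed filler line 2 (not a real ikemgr.log message)
"""

# PAN-OS IKE crypto profile as the article shows it (SHA1 first).
PANOS_PROFILE_OK = """\
Example-IKE-Crypto {
  hash [ sha1 sha256 sha384 sha512];
  dh-group group20;
  encryption aes-256-cbc;
  lifetime {
    seconds 28800;
  }
}
"""

# The same profile without the workaround (constructed for contrast).
PANOS_PROFILE_BAD = PANOS_PROFILE_OK.replace("hash [ sha1 sha256", "hash [ sha256")

# FortiOS phase 1 proposal restricted to one hash, as step 4 recommends
# (constructed; FortiOS names each proposal <enc>-<hash>).
FORTIGATE_PROPOSAL_OK = "set proposal aes256-sha512"

# Either message from the article marks a failed AUTH signature check.
SIG_FAIL_PATTERNS = (
    re.compile(r"RSA_verify failed:.*bad signature"),
    re.compile(r"Invalid SIG\."),
)

PANOS_HASH_RE = re.compile(r"hash\s*\[\s*([^\]]+?)\s*\]")


def find_signature_failures(log_text):
    """Return ikemgr.log lines matching the AUTH signature failure pattern."""
    return [ln.strip() for ln in log_text.splitlines()
            if any(p.search(ln) for p in SIG_FAIL_PATTERNS)]


def panos_hash_list(profile_text):
    """Return the Authentication (hash) list of a PAN-OS IKE crypto profile, in order."""
    m = PANOS_HASH_RE.search(profile_text)
    if m is None:
        raise ValueError("no 'hash [ ... ]' entry in IKE crypto profile text")
    return m.group(1).split()


def fortigate_hash_list(proposal_line):
    """Return the hashes a FortiOS 'set proposal' line offers, in order.

    FortiOS writes each proposal as <enc>-<hash> (aes256-sha512); AEAD
    proposals carry the PRF instead (aes256gcm-prfsha512), so strip 'prf'.
    """
    tokens = proposal_line.strip().split()
    if tokens[:2] == ["set", "proposal"]:
        tokens = tokens[2:]
    hashes = []
    for token in tokens:
        h = token.rsplit("-", 1)[-1]
        if h.startswith("prf"):
            h = h[3:]
        if h not in hashes:
            hashes.append(h)
    return hashes


def check_workaround(panos_profile_text, fortigate_proposal_line):
    """Apply the article's two conditions; return (ok, list of findings)."""
    panos = panos_hash_list(panos_profile_text)
    forti = fortigate_hash_list(fortigate_proposal_line)
    findings = []
    if not panos or panos[0] != "sha1":
        findings.append("PAN-OS profile must list sha1 first, found %s" % panos)
    if len(forti) != 1:
        findings.append("FortiGate proposal should offer exactly one hash, found %s" % forti)
    if not [h for h in panos if h in forti]:
        findings.append("no hash in common: PAN-OS %s vs FortiGate %s" % (panos, forti))
    elif "sha1" in forti:
        findings.append("FortiGate still offers sha1, so the IKE SA may negotiate SHA-1")
    return (not findings, findings)


if __name__ == "__main__":
    for hit in find_signature_failures(SAMPLE_IKEMGR_LOG):
        print("ikemgr.log:", hit)
    for name, profile in (("ok", PANOS_PROFILE_OK), ("bad", PANOS_PROFILE_BAD)):
        ok, findings = check_workaround(profile, FORTIGATE_PROPOSAL_OK)
        print(name, "->", "workaround in place" if ok else findings)
```

Before changing any profile, confirm that the certificate in question really is signed with SHA-256 or stronger (the Signature Algorithm field shown by openssl x509 -noout -text), since the workaround only applies to that case; the "sha1 still offered by FortiGate" finding is there because a FortiGate proposal that still includes SHA1 defeats the point of step 4.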


Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000bm3HKAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail