Maybe add support for SHA2_512 in pubkey_authenticator.c ?

[anyn99]

Is your feature request related to a problem? Please describe.
When using strongswan with cisco servers, the authentication fails because cisco servers expect SHA2_512 as default.
Strongswan only has SHA1 as SHA authentication availiable.

Describe the solution you'd like
We just hacked/patched the source in /src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c (line 603 ff)
basically like this:

case AUTH_RSA:
			key_type = KEY_RSA;
-			params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			params->scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512;
			break;

Describe alternatives you've considered
None

Additional context
Maybe there is another configuration possibility to allow cisco device to work with strongswan, but we needed SHA authentication to work.

[tobiasbrunner]

the authentication fails because cisco servers expect SHA2_512 as default.

I don't think that's the default. They might base their decision on some settings or other variables (e.g. PRF or the schemes used in the certificates).

The problem is that Cisco apparently still doesn't support RFC 7427, which adds proper support for signature schemes that aren't based on SHA-1.

[anyn99]

You are completly right of course, they should support RFC 7427. Cisco just doesn't care about being compatible, as always ;-)