Hello,

We have an IPsec connection between a Cisco 2800 series and a strongSwan Linux box. Everything works fine when the Cisco box initiates the connection, but when the strongSwan box initiates the connection and the first algorithm in the esp= line isn't supported by the Cisco we get NO_PROPOSAL_CHOSEN.
I realize that without the '!' on the esp= line, strongSwan will accept any algorithm it knows about and it will propose the list of algorithms specified in ipsec.conf. This nicely explains why the strongSwan box always accepts Cisco requests.

If I have esp=aes256-sha in my strongSwan config file, the Cisco box accepts my phase 2 negotiations for connections I initiate and I can successfully establish a connection. If I have esp=aes256-sha2_256,aes256-sha in my config file, I get a NO_PROPOSAL_CHOSEN on both ends of the connection.

I was hoping to be able to allow both strongSwan clients and Cisco boxes to use the same configuration (with strongSwan using a stronger integrity algorithm). I am pretty confused as to why the Cisco box would reject my initiation request when there is a valid Cisco-supported algorithm later in the list. I expected the Cisco box to respond that it couldn't do aes256-sha2_256 and would agree to aes256-sha instead, but all it does is puke at the request.

Has anyone else run into this? If so, anyone know how to work around it?

Thanks,
Barry

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
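One way to keep the stronger integrity algorithm for strongSwan peers while still interoperating with a responder that rejects the whole list when its first entry is unsupported is to give each peer type its own conn section, so the proposal list strongSwan sends to the Cisco contains only what the Cisco accepts. The ipsec.conf fragment below is an added example, not Barry's configuration or anything from the strongSwan project; the peer address 203.0.113.10, the subnets, the pre-shared-key authentication and the certificate-based identity pattern for the strongSwan clients are all assumptions to be replaced with real values. The algorithm spellings (aes256-sha, aes256-sha2_256) are the ones used in the post.

```conf
# /etc/ipsec.conf (added example; addresses, subnets and auth are assumptions)

config setup

conn %default
    # Settings shared by both peer types; key exchange version, lifetimes
    # and DPD should match whatever the deployment already uses.
    left=%defaultroute
    leftsubnet=10.10.0.0/24        # constructed local network
    auto=add

# Site-to-site tunnel to the Cisco 2800. strongSwan selects this conn by
# the peer address both when initiating and when responding, and the
# esp= line carries a single proposal, so the first (and only) entry the
# Cisco sees is one it supports. The trailing '!' makes strongSwan reject
# anything else from this peer as well.
conn cisco-site
    right=203.0.113.10             # constructed Cisco WAN address
    rightsubnet=10.20.0.0/24       # constructed remote network
    authby=secret
    esp=aes256-sha!

# Road-warrior strongSwan clients: these negotiate the stronger integrity
# algorithm first and fall back to SHA-1 only if a client lacks SHA-256.
# Without '!' strongSwan still accepts any proposal it knows when a client
# initiates, which is the behaviour described in the post.
conn strongswan-clients
    right=%any
    rightid="C=XX, O=Example, CN=*"   # constructed certificate ID pattern
    authby=pubkey
    leftcert=gatewayCert.pem          # assumed file name
    esp=aes256-sha2_256,aes256-sha
```

After editing, `ipsec reload` (or `ipsec update`) picks up the new conn sections; `ipsec statusall` then shows which conn each established tunnel matched and the ESP proposal actually in use, which is the quickest way to confirm that the Cisco tunnel negotiated aes256-sha while client tunnels negotiated aes256-sha2_256.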