Sorry, you can ignore this one. It goes on to try the next signature hash algorithm (ECP_384) and succeeds.
> On 12 Aug 2018, at 05:23, Christian Salway <christian.sal...@naimuri.com> > wrote: > > That wasn't the problem. still getting DH group ECP_256 inacceptable, > requesting ECP_384 > > > Aug 12 04:22:10 06[CFG] looking for an ike config for 10.0.1.216...86.2.58.36 > Aug 12 04:22:10 06[CFG] candidate: %any...%any, prio 28 > Aug 12 04:22:10 06[CFG] candidate: %any...%any, prio 28 > Aug 12 04:22:10 06[CFG] found matching ike config: %any...%any with prio 28 > Aug 12 04:22:10 06[IKE] 86.2.58.36 is initiating an IKE_SA > Aug 12 04:22:10 06[IKE] IKE_SA (unnamed)[7] state change: CREATED => > CONNECTING > Aug 12 04:22:10 06[CFG] selecting proposal: > Aug 12 04:22:10 06[CFG] no acceptable ENCRYPTION_ALGORITHM found > Aug 12 04:22:10 06[CFG] selecting proposal: > Aug 12 04:22:10 06[CFG] proposal matches > Aug 12 04:22:10 06[CFG] received proposals: > IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, > > IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048 > Aug 12 04:22:10 06[CFG] configured proposals: > IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, > IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, > IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, > IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, > IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 > Aug 12 04:22:10 06[CFG] selected proposal: > IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 > Aug 12 04:22:10 06[CFG] received supported signature hash algorithms: sha256 > sha384 sha512 > Aug 12 04:22:10 06[IKE] local host is behind NAT, sending keep alives > Aug 12 04:22:10 06[IKE] remote host is behind NAT > Aug 12 04:22:10 06[IKE] DH group ECP_256 inacceptable, requesting ECP_384 > > > >> On 11 Aug 2018, at 22:52, Christian Salway <christian.sal...@naimuri.com >> <mailto:christian.sal...@naimuri.com>> wrote: >> >> forgot to add the --enable-openssl to the ./configure >> >> >>> On 11 Aug 2018, at 22:31, Christian Salway <christian.sal...@naimuri.com >>> <mailto:christian.sal...@naimuri.com>> wrote: >>> >>> I am unable to connect from StrongSwan client with an error that doesnt >>> make sense: >>> >>> >>> Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x >>> Aug 11 21:26:17 15[CFG] candidate: %any...%any, prio 28 >>> Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28 >>> Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA >>> Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => >>> CONNECTING >>> Aug 11 21:26:17 15[CFG] selecting proposal: >>> Aug 11 21:26:17 15[CFG] proposal matches >>> Aug 11 21:26:17 15[CFG] received proposals: >>> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 >>> Aug 11 21:26:17 15[CFG] configured proposals: >>> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, >>> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, >>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, >>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, >>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 >>> Aug 11 21:26:17 15[CFG] selected proposal: >>> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 >>> Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: >>> sha256 sha384 sha512 identity >>> Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives >>> Aug 11 21:26:17 15[IKE] remote host is behind NAT >>> Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384 >>> >>> CLIENT >>> conn %default >>> ike=aes256gcm16-prfsha384-ecp384! >>> esp=aes256gcm16-ecp384! >>> ikelifetime=60m >>> keylife=20m >>> rekeymargin=3m >>> keyingtries=1 >>> keyexchange=ikev2 >>> >>> conn test >>> leftsourceip=%config4 >>> leftauth=eap >>> eap_identity=christian.salway >>> rightid=vpnserver >>> right=x.x.x.x >>> rightauth=pubkey >>> rightsubnet=0.0.0.0/0 >>> auto=start >>> >>> >>> SERVER >>> config setup >>> uniqueids = replace >>> >>> conn %default >>> >>> ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048! >>> >>> esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1! >>> ikelifetime=60m >>> keylife=20m >>> rekeymargin=3m >>> keyingtries=1 >>> keyexchange=ikev2 >>> >>> conn pod >>> leftid=vpnserver >>> leftauth=pubkey >>> leftcert=vpnserver.crt >>> leftsendcert=always >>> leftsubnet=10.0.0.0/8 >>> rightid=%any >>> rightsourceip=10.0.76.0/22 >>> rightauth=eap-radius >>> eap_identity=%identity >>> auto=start >> >
