Hi Laurens, > openssl: > ... > DH:ECP_256 > ...
Ah yes. It's because the default IKE proposal in versions before 5.4.0 listed ECP_256 after MODP_2048 and the server always preferred its own proposals (this can be changed with the upcoming 5.5.0 release). So it insists on using MODP_2048 even if it supports ECP_256. > I've added 'fragmentation=yes' to the server, same issue. Please have a look at the client log. Does it send an IKE_AUTH message? Is it fragmented? If so, check with Wireshark/tcpdump on the server whether any packets arrive. > and the Android phone (which almost always fails) What do you mean "almost always"? > How can I select the correct CA certificate in the strongSwan Android > client? In the VPN profile, deselect automatic CA selection and then select the certificate yourself. Regards, Tobias _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
