Sorry, you can ignore this one.  It goes on to try the next signature hash 
algorithm (ECP_384) and succeeds.

> On 12 Aug 2018, at 05:23, Christian Salway <christian.sal...@naimuri.com> 
> wrote:
> 
> That wasn't the problem. still getting DH group ECP_256 inacceptable, 
> requesting ECP_384
> 
> 
> Aug 12 04:22:10 06[CFG] looking for an ike config for 10.0.1.216...86.2.58.36
> Aug 12 04:22:10 06[CFG]   candidate: %any...%any, prio 28
> Aug 12 04:22:10 06[CFG]   candidate: %any...%any, prio 28
> Aug 12 04:22:10 06[CFG] found matching ike config: %any...%any with prio 28
> Aug 12 04:22:10 06[IKE] 86.2.58.36 is initiating an IKE_SA
> Aug 12 04:22:10 06[IKE] IKE_SA (unnamed)[7] state change: CREATED => 
> CONNECTING
> Aug 12 04:22:10 06[CFG] selecting proposal:
> Aug 12 04:22:10 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Aug 12 04:22:10 06[CFG] selecting proposal:
> Aug 12 04:22:10 06[CFG]   proposal matches
> Aug 12 04:22:10 06[CFG] received proposals: 
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>  
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Aug 12 04:22:10 06[CFG] configured proposals: 
> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, 
> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, 
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, 
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Aug 12 04:22:10 06[CFG] selected proposal: 
> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
> Aug 12 04:22:10 06[CFG] received supported signature hash algorithms: sha256 
> sha384 sha512
> Aug 12 04:22:10 06[IKE] local host is behind NAT, sending keep alives
> Aug 12 04:22:10 06[IKE] remote host is behind NAT
> Aug 12 04:22:10 06[IKE] DH group ECP_256 inacceptable, requesting ECP_384
> 
> 
> 
>> On 11 Aug 2018, at 22:52, Christian Salway <christian.sal...@naimuri.com 
>> <mailto:christian.sal...@naimuri.com>> wrote:
>> 
>> forgot to add the --enable-openssl to the ./configure
>> 
>> 
>>> On 11 Aug 2018, at 22:31, Christian Salway <christian.sal...@naimuri.com 
>>> <mailto:christian.sal...@naimuri.com>> wrote:
>>> 
>>> I am unable to connect from StrongSwan client with an error that doesnt 
>>> make sense:
>>> 
>>> 
>>> Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
>>> Aug 11 21:26:17 15[CFG]   candidate: %any...%any, prio 28
>>> Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
>>> Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
>>> Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => 
>>> CONNECTING
>>> Aug 11 21:26:17 15[CFG] selecting proposal:
>>> Aug 11 21:26:17 15[CFG]   proposal matches
>>> Aug 11 21:26:17 15[CFG] received proposals: 
>>> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
>>> Aug 11 21:26:17 15[CFG] configured proposals: 
>>> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, 
>>> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, 
>>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, 
>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, 
>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>>> Aug 11 21:26:17 15[CFG] selected proposal: 
>>> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
>>> Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: 
>>> sha256 sha384 sha512 identity
>>> Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
>>> Aug 11 21:26:17 15[IKE] remote host is behind NAT
>>> Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384
>>> 
>>> CLIENT
>>> conn %default
>>>         ike=aes256gcm16-prfsha384-ecp384!
>>>         esp=aes256gcm16-ecp384!
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         keyexchange=ikev2
>>> 
>>> conn test
>>>         leftsourceip=%config4
>>>         leftauth=eap
>>>         eap_identity=christian.salway
>>>         rightid=vpnserver
>>>         right=x.x.x.x
>>>         rightauth=pubkey
>>>         rightsubnet=0.0.0.0/0
>>>         auto=start
>>> 
>>> 
>>> SERVER
>>> config setup
>>>     uniqueids = replace
>>> 
>>> conn %default
>>>     
>>> ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
>>>     
>>> esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     keyexchange=ikev2
>>> 
>>> conn pod
>>>     leftid=vpnserver
>>>     leftauth=pubkey
>>>     leftcert=vpnserver.crt
>>>     leftsendcert=always
>>>     leftsubnet=10.0.0.0/8
>>>     rightid=%any
>>>     rightsourceip=10.0.76.0/22
>>>     rightauth=eap-radius
>>>     eap_identity=%identity
>>>     auto=start
>> 
> 

Reply via email to