Based on this in an earlier message: "you disabled log message for cfg, so you didn't see the details of the proposal negotiation" ... you may want to enable "cfg" logging under "charondebug":
https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

And then you should be able to see the actual proposal sent by the client (Windows), which should help troubleshoot.

-- K

On Wed, Feb 13, 2019, at 9:38 PM, MOSES KARIUKI wrote:
> Thanks Tobias for the quick response. I set this up, the Registry
> value and below configuration, but still the same error.
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2*9.**
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> Thanks a lot
>
>
> On Wed, Feb 13, 2019 at 5:45 PM Tobias Brunner <[email protected]> wrote:
>> Hi Moses,
>>
>> Configure an IKE proposal that's accepted by your peer (you disabled log
>> message for cfg, so you didn't see the details of the proposal
>> negotiation). Most likely the problem is that modp1024 is proposed, a
>> DH group strongSwan doesn't include in its default IKE proposal anymore.
>> So to use it, IKE proposals have to be configured explicitly. Also see
>> [1] for information on how to get Windows to use at least modp2048.
>>
>> Regards,
>> Tobias
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
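As an added illustration of what the "cfg" log level buys you (this is not code from the thread or from the strongSwan project), the script below reads charon's "received proposals" / "configured proposals" lines and reports which IKEv2 transform type (encryption, integrity, PRF or DH group) has no algorithm in common between the Windows client and the server. The log lines are constructed to mirror the situation discussed above; the per-type set intersection is a simplification of IKEv2's per-proposal matching, so an empty bucket proves a mismatch, while non-empty buckets do not by themselves prove a match.

```python
import re
from collections import defaultdict

# Constructed sample of charon output with "cfg 1" enabled under charondebug.
# A Windows client offering MODP_1024 against a server whose proposals only
# contain MODP_2048 and ECP_256, i.e. the case Tobias describes.
SAMPLE_LOG = """\
charon: 06[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 06[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
charon: 06[IKE] received proposals inacceptable
"""

LINE_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")

def transform_type(alg):
    """Bucket an algorithm name by IKEv2 transform type, judged from its name prefix."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    return "encr"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305, ...

def parse_proposals(log):
    """Return {'received': {type: set(algs)}, 'configured': {type: set(algs)}}."""
    sides = {"received": defaultdict(set), "configured": defaultdict(set)}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for proposal in m.group(2).split(", "):
            # Each proposal reads "IKE:ALG/ALG/ALG/DH"; drop the protocol prefix.
            for alg in proposal.split(":", 1)[-1].split("/"):
                sides[m.group(1)][transform_type(alg)].add(alg)
    return sides

def missing_transform_types(log):
    """Transform types with no algorithm common to both peers: the reason no proposal matched."""
    sides = parse_proposals(log)
    return sorted(t for t in ("encr", "integ", "prf", "dh")
                  if not sides["received"][t] & sides["configured"][t])

if __name__ == "__main__":
    print(missing_transform_types(SAMPLE_LOG))  # ['dh']
```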
