Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

Wed, 13 Feb 2019 12:07:12 -0800 

Try "cfg 9" for  charondebug , and check your logs


<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Без
вирусов. www.avg.com
<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

On Wed, Feb 13, 2019 at 9:55 PM MOSES KARIUKI <[email protected]> wrote:

> Thanks Tobias for the quick response. I set this up, the Registry value
> and below configuration, but still the same error.
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2*9.**
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> Thanks a lot
>
>
> On Wed, Feb 13, 2019 at 5:45 PM Tobias Brunner <[email protected]>
> wrote:
>
>> Hi Moses,
>>
>> Configure an IKE proposal that's accepted by your peer (you disabled log
>> message for cfg, so you didn't see the details of the proposal
>> negotiation).  Most likely the problem is that modp1024 is proposed, a
>> DH group strongSwan doesn't include in its default IKE proposal anymore.
>>  So to use it, IKE proposals have to be configured explicitly.  Also see
>> [1] for information on how to get Windows to use at least modp2048.
>>
>> Regards,
>> Tobias
>>
>> [1]
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
>>
>
<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Без
вирусов. www.avg.com
<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Reply via email to