Hi Santiago,

> I'm not an expert, but according to the logs it seems it might have
> something to do with rekeying.

Yep, looks that way. First, I've never seen this message before:

> Nov 9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group
> MODP_1024, it requested MODP_NONE

It seems a bit strange, but I guess the peer doesn't want to use DH during CHILD_SA rekeying. Technically, it should just ignore the KE payload and select a proposal without DH group (or with MODP_NONE). If there isn't one, the response should probably be NO_PROPOSAL_CHOSEN and not INVALID_KE_PAYLOAD.

What's interesting is that strongSwan actually continues without a KE payload, while the proposal is obviously not changed and still proposes modp1024, so it won't actually match later and causes this error:

> Nov 9 23:31:17 RouterA charon: 08[CFG] received proposals:
> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> Nov 9 23:31:17 RouterA charon: 08[CFG] configured proposals:
> ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> Nov 9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found

You should either enable PFS on the Cisco box, or disable it on the other.

Regards,
Tobias
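
The comparison made in the reply above (received and configured ESP proposals that differ only in the DH group) can be checked mechanically over charon logs. This is an added example, not part of the original message and not strongSwan code; the function names and the DH-prefix list are assumptions, and the sample log is the quoted lines rejoined.

```python
import re

# Constructed sample: the charon lines quoted in the message, with the
# mail-wrapped lines joined back together.
SAMPLE_LOG = """\
Nov 9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
Nov 9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov 9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov 9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
"""

PROPOSALS = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")
# Assumption: common DH transform prefixes as charon prints them (not exhaustive).
DH_GROUP = re.compile(r"^(MODP_|ECP_|CURVE_)")

def parse_proposals(text):
    """Split 'ESP:A/B/C, ESP:D/E' into (protocol, transform set) pairs."""
    out = []
    for prop in text.split(","):
        proto, _, transforms = prop.strip().partition(":")
        out.append((proto, frozenset(transforms.split("/"))))
    return out

def split_dh(transforms):
    """Return (non-DH transforms, DH groups); MODP_NONE counts as 'no DH'."""
    dh = frozenset(t for t in transforms if DH_GROUP.match(t) and t != "MODP_NONE")
    return transforms - dh - {"MODP_NONE"}, dh

def diagnose(log):
    """Report failed negotiations where the proposals differ only by DH group."""
    findings, seen = [], {}
    for line in log.splitlines():
        m = PROPOSALS.search(line)
        if m:
            seen[m.group(1)] = parse_proposals(m.group(2))
        elif "no acceptable proposal found" in line and len(seen) == 2:
            for rp, rt in seen["received"]:
                for cp, ct in seen["configured"]:
                    (r_rest, r_dh), (c_rest, c_dh) = split_dh(rt), split_dh(ct)
                    if rp == cp and r_rest == c_rest and bool(r_dh) != bool(c_dh):
                        side = "local" if c_dh else "peer"
                        findings.append(f"PFS mismatch: only {side} side proposes DH {sorted(r_dh | c_dh)}")
            seen = {}
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

A finding naming the local side means the local configuration includes a DH group for the CHILD_SA while the peer offers none, which is the PFS disagreement the reply points to.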