<div dir="ltr">Hi,<br><br>In ipsec.secrets instead of <br><div></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">: RSA server.crt</blockquote><div>try<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><div>: RSA server.key</div></blockquote><div><br></div><div>Cheers<br> <br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-07-20 11:12 GMT+02:00 jinquan deng <span dir="ltr"><<a href="mailto:jiobxn@gmail.com" target="_blank">jiobxn@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>hi all,<br></div><div><br></div><div>######################################-------------------Error Messages----------------------######################################<br></div><div><br></div><div><br></div>windows 2008 R2 Connection ERROR:13801<br><div><br></div><div><br></div><div><br></div><div>LOG:</div><div><br></div><div><div>Jul 20 15:08:09 localhost charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] looking for an ike config for 112.91.xx.209...121.11.xx.203</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] candidate: %any...%any, prio 28</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] candidate: %any...%any, prio 28</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] found matching ike config: %any...%any with prio 28</div><div>Jul 20 15:08:09 localhost charon: 06[IKE] 121.11.xx.203 is initiating an IKE_SA</div><div>Jul 20 15:08:09 localhost charon: 06[IKE] IKE_SA (unnamed)[9] state change: CREATED => CONNECTING</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 
06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable DIFFIE_HELLMAN_GROUP found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] proposal matches</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] received proposals: 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP</div><div>Jul 20 15:08:09 localhost charon: 06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div>Jul 20 15:08:09 localhost charon: 06[IKE] remote host is behind NAT</div><div>Jul 20 15:08:09 localhost charon: 06[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div>Jul 20 15:08:09 localhost charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>Jul 20 15:08:09 localhost strongswan: 04[CFG] selected 
proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] remote host is behind NAT</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div>Jul 20 15:08:09 localhost strongswan: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>Jul 20 15:08:09 localhost strongswan: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid a7:81:1e:c9:90:39:d5:b0:d3:c4:cf:15:69:c3:6f:4b:26:a1:dd:86</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 
da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 7e:95:9f:ed:82:8e:2a:ed:c3:7c:0d:05:46:31:ef:53:97:cd:48:49</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 53:32:d1:b3:cf:7f:fa:e0:f1:a0:5d:85:4e:92:d2:9e:45:1d:b4:4f</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid 23:4b:71:25:56:13:e1:30:dd:e3:42:69:c9:cc:30:d4:6f:08:41:e0</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] received 18 cert requests for an unknown ca</div><div>Jul 20 15:08:09 localhost strongswan: 02[CFG] looking for peer configs matching 112.91.xx.209[%any]...121.11.xx.203[10.1.1.181]</div><div>Jul 20 15:08:09 localhost strongswan: 02[CFG] 
candidate "IpsecIKEv2", match: 1/1/28 (me/other/ike)</div><div>Jul 20 15:08:09 localhost strongswan: 02[CFG] candidate "IpsecIKEv2-EAP", match: 1/1/28 (me/other/ike)</div><div>Jul 20 15:08:09 localhost strongswan: 02[CFG] selected peer config 'IpsecIKEv2'</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] peer requested EAP, config inacceptable</div><div>Jul 20 15:08:09 localhost strongswan: 02[CFG] switching to peer config 'IpsecIKEv2-EAP'</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] initiating EAP_IDENTITY method (id 0x00)</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP4_ADDRESS attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP4_DNS attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP4_NBNS attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP4_SERVER attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP6_ADDRESS attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP6_DNS attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] processing INTERNAL_IP6_SERVER attribute</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] peer supports MOBIKE</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] no private key found for 'C=CH, O=strongSwan, CN=112.91.xx.209'</div><div>Jul 20 15:08:09 localhost strongswan: 02[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</div><div>Jul 20 15:08:09 localhost strongswan: 02[IKE] IKE_SA IpsecIKEv2-EAP[8] state change: CONNECTING => DESTROYING</div><div>Jul 20 15:08:09 localhost strongswan: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] looking for an ike config for 112.91.xx.209...121.11.xx.203</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] candidate: %any...%any, prio 28</div><div>Jul 20 15:08:09 
localhost strongswan: 06[CFG] candidate: %any...%any, prio 28</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] found matching ike config: %any...%any with prio 28</div><div>Jul 20 15:08:09 localhost strongswan: 06[IKE] 121.11.xx.203 is initiating an IKE_SA</div><div>Jul 20 15:08:09 localhost strongswan: 06[IKE] IKE_SA (unnamed)[9] state change: CREATED => CONNECTING</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid a7:81:1e:c9:90:39:d5:b0:d3:c4:cf:15:69:c3:6f:4b:26:a1:dd:86</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 
da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 7e:95:9f:ed:82:8e:2a:ed:c3:7c:0d:05:46:31:ef:53:97:cd:48:49</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 53:32:d1:b3:cf:7f:fa:e0:f1:a0:5d:85:4e:92:d2:9e:45:1d:b4:4f</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid 23:4b:71:25:56:13:e1:30:dd:e3:42:69:c9:cc:30:d4:6f:08:41:e0</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] received 18 cert requests for an unknown ca</div><div>Jul 20 15:08:09 localhost charon: 04[CFG] looking for peer configs matching 112.91.xx.209[%any]...121.11.xx.203[10.1.1.181]</div><div>Jul 20 15:08:09 localhost charon: 04[CFG] candidate "IpsecIKEv2", match: 1/1/28 
(me/other/ike)</div><div>Jul 20 15:08:09 localhost charon: 04[CFG] candidate "IpsecIKEv2-EAP", match: 1/1/28 (me/other/ike)</div><div>Jul 20 15:08:09 localhost charon: 04[CFG] selected peer config 'IpsecIKEv2'</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] peer requested EAP, config inacceptable</div><div>Jul 20 15:08:09 localhost charon: 04[CFG] switching to peer config 'IpsecIKEv2-EAP'</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP4_ADDRESS attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP4_DNS attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP4_NBNS attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP4_SERVER attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP6_ADDRESS attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP6_DNS attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] processing INTERNAL_IP6_SERVER attribute</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] peer supports MOBIKE</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] no private key found for 'C=CH, O=strongSwan, CN=112.91.xx.209'</div><div>Jul 20 15:08:09 localhost charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</div><div>Jul 20 15:08:09 localhost charon: 04[IKE] IKE_SA IpsecIKEv2-EAP[9] state change: CONNECTING => DESTROYING</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 
20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable DIFFIE_HELLMAN_GROUP found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selecting proposal:</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] proposal matches</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP</div><div>Jul 20 15:08:09 localhost strongswan: 06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div>Jul 20 15:08:09 localhost strongswan: 06[IKE] remote host is behind NAT</div><div>Jul 20 15:08:09 localhost strongswan: 06[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div>Jul 20 15:08:09 localhost strongswan: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>Jul 20 15:08:09 localhost strongswan: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 
0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid a7:81:1e:c9:90:39:d5:b0:d3:c4:cf:15:69:c3:6f:4b:26:a1:dd:86</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4</div><div>Jul 20 15:08:09 localhost strongswan: 04[IKE] received cert request for unknown ca with keyid 
59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>######################################-------------------Configuration----------------------######################################<br></div><div><br></div><div><div>#INSTALL</div><div>yum -y install strongswan</div><div><br></div><div><br></div><div>#CA</div><div>cd /etc/strongswan/ipsec.d</div><div>strongswan pki --gen --type rsa --size 4096 --outform pem > ca-key.pem</div><div>chmod 600 ca-key.pem</div><div>strongswan pki --self --ca --lifetime 730 --in ca-key.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan CA" --outform pem > ca-cert.pem</div><div><br></div><div>#Server</div><div>strongswan pki --gen --type rsa --size 2048 --outform pem > server-key.pem</div><div>chmod 600 server-key.pem</div><div>strongswan pki --pub --in server-key.pem --type rsa | strongswan pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=CH, O=strongSwan, CN=x.x.x.x" --san "x.x.x.x" --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem </div><div><br></div><div>#Client</div><div>strongswan pki --gen --type rsa --size 2048 --outform pem > client-key.pem</div><div>chmod 600 client-key.pem</div><div>strongswan pki --pub --in client-key.pem --type rsa | strongswan pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=CH, O=strongSwan, CN=john" --san "<a href="mailto:john@example.com" target="_blank">john@example.com</a>" --outform pem > client-cert.pem</div><div><br></div><div>openssl pkcs12 -export -inkey client-key.pem -in client-cert.pem -name "John's VPN Certificate" -certfile ca-cert.pem -caname "strongSwan CA" -out john.p12 -password "pass:123"</div><div><br></div><div><br></div><div>#copy</div><div>\cp ca-key.pem /etc/strongswan/ipsec.d/private/ca.key</div><div>\cp ca-cert.pem /etc/strongswan/ipsec.d/cacerts/ca.crt</div><div>\cp server-key.pem 
/etc/strongswan/ipsec.d/private/server.key</div><div>\cp server-cert.pem /etc/strongswan/ipsec.d/certs/server.crt</div><div>\cp client-key.pem /etc/strongswan/ipsec.d/private/client.key</div><div>\cp client-cert.pem /etc/strongswan/ipsec.d/certs/client.crt</div><div>\cp john.p12 /usr/local/nginx/html/docs/</div><div>cd ~</div><div><br></div><div><br></div><div><br></div><div>#--->ipsec.conf<---#</div><div>cat >/etc/strongswan/ipsec.conf<<EOF</div><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div>config setup</div><div> uniqueids=never</div><div> charondebug="cfg 2, dmn 2, ike 2, net 0"</div><div><br></div><div>conn %default</div><div> left=%defaultroute</div><div> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> leftcert=server.crt</div><div> right=%any</div><div> rightsourceip=<a href="http://10.11.0.5/24" target="_blank">10.11.0.5/24</a></div><div><br></div><div>conn CiscoIPSec</div><div> keyexchange=ikev1</div><div> fragmentation=yes</div><div> rightauth=pubkey</div><div> rightauth2=xauth</div><div> leftsendcert=always</div><div> rekey=no</div><div> auto=add</div><div><br></div><div>conn XauthPsk</div><div> keyexchange=ikev1</div><div> leftauth=psk</div><div> rightauth=psk</div><div> rightauth2=xauth</div><div> auto=add</div><div><br></div><div>conn IpsecIKEv2</div><div> keyexchange=ikev2</div><div> leftauth=pubkey</div><div> rightauth=pubkey</div><div> leftsendcert=always</div><div> auto=add</div><div><br></div><div>conn IpsecIKEv2-EAP</div><div> keyexchange=ikev2</div><div> ike=aes256-sha1-modp1024!</div><div> rekey=no</div><div> leftauth=pubkey</div><div> leftsendcert=always</div><div> rightauth=eap-mschapv2</div><div> eap_identity=%any</div><div> auto=add</div><div>EOF</div><div><br></div><div><br></div><div><br></div><div>#--->strongswan.conf<---#</div><div>cat >/etc/strongswan/strongswan.conf<<EOF</div><div><br></div><div>charon {</div><div> load_modular = yes</div><div> duplicheck.enable = 
no</div><div> compress = yes</div><div> plugins {</div><div> include strongswan.d/charon/*.conf</div><div> }</div><div> dns1 = 8.8.8.8</div><div> dns2 = 8.8.4.4</div><div> nbns1 = 8.8.8.8</div><div> nbns2 = 8.8.4.4</div><div>}</div><div><br></div><div>include strongswan.d/*.conf</div><div>EOF</div><div><br></div><div><br></div><div><br></div><div>#--->ipsec.secrets<---#</div><div>cat >/etc/strongswan/ipsec.secrets<<EOF</div><div>: RSA server.crt</div><div>: PSK "123"</div><div>john %any : EAP "password"</div><div>john %any : XAUTH "password"</div><div>EOF</div><div><br></div><div><br></div><div>systemctl enable strongswan.service</div><div>systemctl start strongswan.service</div><div><br></div><div>iptables -I INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT</div><div>iptables -I INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT</div></div><div><br></div><div><br></div><div><br></div><div>I do not know where it is wrong. I beg for a correct example.</div><div><br></div><div>Thanks</div><div><br></div><div>Cheers<br></div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div>
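The change suggested in the reply, as an added example that is not part of the original thread or of strongSwan itself: a shell check that every `RSA` entry in ipsec.secrets resolves to a PEM private key rather than a certificate or a missing file. The function names `pem_kind` and `check_secrets` and the placeholder PEM files are constructed for illustration; it assumes PEM-encoded keys (as produced by `--outform pem` in the quoted setup) and that relative names are looked up in `ipsec.d/private`.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# pem_kind FILE: classify a file by its first PEM header line.
pem_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    first=$(grep -m1 -e '^-----BEGIN ' "$1" 2>/dev/null) || first=
    case "$first" in
        *"PRIVATE KEY-----") echo private-key ;;   # RSA / EC / PKCS#8 private key
        *"CERTIFICATE-----") echo certificate ;;   # public part only, cannot sign
        *) echo unknown ;;                         # DER or something else
    esac
}

# check_secrets SECRETS_FILE PRIVATE_DIR
# Prints "<name>: <kind>" for every RSA entry and returns 0 only if each one
# resolves to a private key. Assumption: relative names are looked up in
# PRIVATE_DIR (ipsec.d/private); absolute paths are used as given.
check_secrets() {
    secrets=$1
    privdir=$2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%\#*}                          # drop comments
        # Entry format: "[selectors] : RSA <file> [passphrase]"
        name=$(printf '%s\n' "$line" | sed -n \
            's/^[^:]*:[[:space:]]*RSA[[:space:]][[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p')
        [ -n "$name" ] || continue                 # PSK, EAP and XAUTH lines are skipped
        case "$name" in
            /*) path=$name ;;
            *)  path=$privdir/$name ;;
        esac
        kind=$(pem_kind "$path")
        echo "$name: $kind"
        [ "$kind" = private-key ] || rc=1
    done < "$secrets"
    return $rc
}

# Constructed sample mirroring the layout in the quoted setup: the key lives
# in private/, the certificate in certs/. Only the PEM headers matter here.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/private" "$d/certs"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$d/private/server.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$d/certs/server.crt"
    printf '%s\n' ': RSA server.crt' 'john %any : EAP "password"' > "$d/before"
    printf '%s\n' ': RSA server.key' 'john %any : EAP "password"' > "$d/after"

    echo "as posted:"
    check_secrets "$d/before" "$d/private" || echo "  -> no usable private key"
    echo "as suggested in the reply:"
    check_secrets "$d/after" "$d/private" && echo "  -> ok"
    rm -rf "$d"
}

demo
```

With the entry as posted, the name resolves to `private/server.crt`, which does not exist, matching the `no private key found` line in the log.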