<div dir="ltr"><div><div><div><div>Hi Amine,<br><br></div>I noticed that you selected pfs=yes but you have not defined a Diffie-Hellman group in the esp parameter. In order to enforce PFS for the child SA you need to specify a Diffie-Hellman group in the esp parameter.<br><br><a href="https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection">https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection</a><br><br></div>Not sure if this is your problem but it may help.<br><br></div>Cheers,<br><br><br></div>Tormod<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 28 September 2015 at 21:21, Amine Eddarkaoui <span dir="ltr"><<a href="mailto:drkamine@gmail.com" target="_blank">drkamine@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello all,</div><div><br clear="all"><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">My configuration in strongSwan is:</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">config setup<br># strictcrlpolicy=yes<br># uniqueids = no</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">conn %default<br>ikelifetime=86400s<br>keylife=36000s<br>rekeymargin=3m<br>keyingtries=1<br>keyexchange=ikev2<br>authby=secret<br>mobike=no</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">conn ciscoios<br>left=@IP STRONGSWAN<br>leftsubnet=172.16.1.0/24<br>leftid=@IPSTONGSWAN<br>leftfirewall=yes<br>right=IP ASA<br>rightsubnet=IP PRIVE<br>rightid=IP ASA<br>pfs=yes<br>auto=add<br>ike=aes256-sha512-modp1536<br>esp=aes256-sha1<br>keyexchange=ikev2</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">include 
/var/lib/strongswan/ipsec.conf.inc</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">The error is:<br>initiating IKE_SA ciscoios[5] to @IP ASA<br>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>sending packet: from @IPSTRONGSWAN[500] to @IP ASA[500]<br>received packet: from @IP ASA[500] to @IP STRONG[500]<br>parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]<br>received unknown vendor id: 43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e<br>received unknown vendor id: 43:49:53:43:4f:28:43:4f:50:59:52:49:47:48:54:29:26:43:6f:70:79:72:69:67:68:74:20:28:63:29:20:32:30:30:39:20:43:69:73:63:6f:20:53:79:73:74:65:6d:73:2c:20:49:6e:63:2e<br>received unknown vendor id: 43:49:53:43:4f:2d:47:52:45:2d:4d:4f:44:45:02<br>received unknown vendor id: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3<br>remote host is behind NAT<br>authentication of '178.32.180.245' (myself) with pre-shared key<br>establishing CHILD_SA ciscoios<br>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]<br>sending packet: from @IPSTRONG[4500] to ASA[4500]<br>received packet: from ASA[4500] to STRONG[4500]<br>parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]<br>authentication of '192.168.255.1' with pre-shared key successful<br>constraint check failed: identity @IP ASA required<br>selected peer config 'ciscoios' inacceptable<br></p><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;background-color:rgb(255,255,221)">no alternative config found</span><span class="HOEnZb"><font color="#888888"><br>-- <br></font></span></div></div><span class="HOEnZb"><font color="#888888"><div><div>- VMware Certified Professional 5 – Data Center Virtualization (VCP5-DCV)</div><div>- Microsoft Engineer</div><div>- CISCO Engineer</div><div>- Senior Linux Administrator</div></div>
</font></span></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div>
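An added example, not from the thread or the strongSwan project, that makes Tormod's check mechanical: it parses an ipsec.conf fragment, merges "conn %default", flags every conn that sets pfs=yes while an esp= proposal carries no Diffie-Hellman group, and suggests the group already used in ike=. The DH-group token list, the modp2048 fallback and the sample conn are assumptions and constructed input.

```python
import re
# A proposal provides PFS only if a Diffie-Hellman group is one of its tokens
# (assumed token list; strongSwan accepts more groups than these).
DH_GROUP = re.compile(r"(?:^|-)(modp\d+|ecp\d+(?:bp)?|curve25519|x25519)(?:$|-|!)")

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:                                       # section header
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:     # key=value inside a conn
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def missing_pfs_group(conns):
    """Conns with pfs=yes whose esp= lacks a DH group in at least one proposal."""
    bad = []
    for name, opts in conns.items():
        proposals = [p for p in opts.get("esp", "").split(",") if p]
        if opts.get("pfs", "").lower() == "yes" and (
                not proposals or not all(DH_GROUP.search(p) for p in proposals)):
            bad.append(name)
    return bad

def suggest_esp(opts, fallback="modp2048"):
    """Append the group used in ike= (else the fallback) to each esp proposal lacking one."""
    m = DH_GROUP.search(opts.get("ike", ""))
    group = m.group(1) if m else fallback
    fix = lambda p: p if DH_GROUP.search(p) else f"{p.rstrip('!')}-{group}{'!' if p.endswith('!') else ''}"
    return ",".join(fix(p) for p in opts.get("esp", "").split(",") if p)

# Constructed sample reproducing the relevant lines of the conn from the thread.
SAMPLE = """\
conn %default
    keyexchange=ikev2

conn ciscoios
    pfs=yes
    ike=aes256-sha512-modp1536
    esp=aes256-sha1
"""
FINDINGS = missing_pfs_group(parse_ipsec_conf(SAMPLE))   # ['ciscoios']
```

The checker covers only the pfs/esp mismatch; the quoted log also reports "constraint check failed: identity @IP ASA required" right after the peer authenticated as '192.168.255.1', so the rightid= value is worth verifying separately.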