<div dir="ltr">Hi Noel,<div>thanks for your help.</div><div>I've set a Debian 9 pc, so I am now using Strongswan 5.5.1-4 as you suggested. I cannot get 5.5.3 since is not available under debian. As a bonus, now my linux kernel is 4.9.0-3.</div><div><br></div><div>This are my ipsec.conf (I followed your hints and semplified whatever I could) and charon_debug.log:</div><div><br></div><div><div class="gmail_extra">=== ipsec.conf ======================</div></div><div><br></div><div><div>config setup</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span># strictcrlpolicy=yes</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span># uniqueids = no</div><div><br></div><div>conn home</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev1</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>leftcert=my_crt.pem</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>leftsourceip=192.168.145.128 # CP-known client IP</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>leftfirewall=yes</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>right=CP_FW_IP</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>rightid=CP_FW_IP</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>rightsubnet= <a href="http://192.168.2.0/24">192.168.2.0/24</a>, <a href="http://192.168.3.0/24">192.168.3.0/24</a></div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>rightcert=cp_fw_crt.pem</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>auto=start</div></div><div><br></div><div class="gmail_extra"><div class="gmail_extra">=== charon_debug.log ======================</div><div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">Mon, 2017-08-07 15:57 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'test-vectors': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ldap': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs11': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'aesni': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'aes': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'rc2': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'sha2': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'sha1': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'md5': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'rdrand': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] detected RDRAND support, enabled</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'random': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'nonce': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'x509': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'revocation': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'constraints': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pubkey': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs1': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs7': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs8': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs12': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pgp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'dnskey': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'sshkey': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pem': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'openssl': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'gcrypt': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'af-alg': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'fips-prf': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'gmp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'agent': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xcbc': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'cmac': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'hmac': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ctr': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ccm': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'gcm': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'curl': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'attr': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'kernel-netlink': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'resolve': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'socket-default': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'connmark': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'farp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'stroke': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'updown': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-identity': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-aka': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-md5': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-gtc': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-mschapv2': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-radius': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tls': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-ttls': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tnc': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-generic': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-eap': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-pam': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'tnc-tnccs': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'dhcp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ha': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'lookip': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'error-notify': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'certexpire': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'led': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'addrblock': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'unity': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loaded ca certificate "O=my_ca" from '/etc/ipsec.d/cacerts/ca_crt.pem'<br></div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading crls from '/etc/ipsec.d/crls'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/my_key.der'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loaded 0 RADIUS server configurations</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] HA config misses local/remote address</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] unloading plugin 'ha' without loaded features</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] unable to load 13 plugin features (12 due to unmet dependencies)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] dropped capabilities, running as uid 0, gid 0</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[JOB] spawning 16 worker threads</div><div class="gmail_extra">Mon, 2017-08-07 15:57 01[LIB] created thread 01 [2935]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 02[LIB] created thread 02 [2936]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 03[LIB] created thread 03 [2937]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 04[LIB] created thread 04 [2938]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 05[LIB] created thread 05 [2939]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 06[LIB] created thread 06 [2940]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[LIB] created thread 07 [2941]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[LIB] created thread 08 [2942]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 09[LIB] created thread 09 [2943]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[LIB] created thread 10 [2944]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 11[LIB] created thread 11 [2945]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 12[LIB] created thread 12 [2946]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 13[LIB] created thread 13 [2947]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 14[LIB] created thread 14 [2948]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 15[LIB] created thread 15 [2949]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 16[LIB] created thread 16 [2950]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] received stroke: add connection 'home'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] conn home</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] left=%any</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] leftsourceip=192.168.145.128</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] leftcert=my_crt.pem</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] leftupdown=ipsec _updown iptables</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] right=CP_FW_IP</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] rightsubnet=<a href="http://192.168.2.0/24">192.168.2.0/24</a>, <a href="http://192.168.3.0/24">192.168.3.0/24</a></div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] rightid=CP_FW_IP</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] rightcert=cp_fw_crt.pem</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] ike=aes128-sha256-modp3072</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] esp=aes128-sha256</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] dpddelay=30</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] dpdtimeout=150</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] mediation=no</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] keyexchange=ikev1</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] loaded certificate "O=my_ca, OU=users, CN=my_name" from 'my_crt.pem'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] id '%any' not confirmed by certificate, defaulting to 'O=my_ca, OU=users, CN=my_name'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] loaded certificate "O=my_ca, OU=users, CN=cp_fw_cert" from 'cp_fw_crt.pem'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] added configuration 'home'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[CFG] received stroke: initiate 'home'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_VENDOR task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing MAIN_MODE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_POST task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_NATD task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing QUICK_MODE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating new tasks</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_VENDOR task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_CERT_PRE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating MAIN_MODE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_CERT_POST task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_NATD task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending XAuth vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending DPD vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending FRAGMENTATION vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> IKE_SA home[1] state change: CREATED => CONNECTING</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[CFG] <home|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP[500] (240 bytes)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[NET] <home|1> received packet: from CP_FW_IP[500] to 192.168.1.122[500] (40 bytes)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request 111406742 [ N(NO_PROP) ]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error notify</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DESTROYING</div><div><br></div></div><div class="gmail_extra">=======================================</div></div><div><br></div></div><div class="gmail_extra">So now the problems seems to be that no proposal is choosen... any hint?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks,</div><div class="gmail_extra">larzeni</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Aug 5, 2017 at 11:20 AM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
On 05.08.2017 02:27, Luca Arzeni wrote:<br>
> [...]<br>
> I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to StrongSWAN 5.2.1<br>
You better get 5.5.3 right away. 5.2.1 is already pretty old.<br>
<br>
> [...]<br>
> ==============================<wbr>==============================<wbr>==<br>
><br>
> Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to connect.<br>
> This is my StrongSWAN ipsec.conf:<br>
><br>
> ==============================<wbr>==============================<wbr>==<br>
><br>
> # ipsec.conf - strongSwan IPsec configuration file<br>
><br>
> config setup<br>
> # strictcrlpolicy=yes<br>
> # uniqueids = no<br>
> charondebug = dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2<br>
Remove that. Use the logger configuration from the HelpRequests[1] page instead and pastebin us that, after you made the following changes.<br>
><br>
> conn home<br>
> ikelifetime=60m<br>
> keylife=20m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> keyexchange=ikev1<br>
> #<br>
> left=%any<br>
Remove left. It is unnecessary.<br>
> leftcert=my_cert.pem<br>
> leftrsasigkey=%cert<br>
> leftid="my certificate subject"<br>
leftrsasigkey and leftid are unnecessary, if not counterproductive.<br>
<br>
> #leftauth=pubkey<br>
> leftfirewall=yes<br>
> #<br>
> leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list<br>
> leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list<br>
Remove leftsubnet.<br>
> #<br>
> rightcert=fwncest_2012-11-07_<wbr>cert.pem<br>
> rightrsasigkey=%cert<br>
Remove rightrsasigkey.<br>
> right=X.Y.Z.W (FW1_IP_ADDESS)<br>
> rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the firewall public IP)<br>
> rightsubnet= <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a>>, <a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">http://192.168.2.0/24</a>>, ecc...<br>
> rightcert=firewall_cert.pem<br>
> rightrsasigkey=%cert<br>
Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.<br>
> #<br>
> auto=start<br>
Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the remote peer deletes them. This behaves differently than openswan.<br>
<br>
> # after establishing the vpn, run these script to allow routes from my client to server behind the firevall<br>
> #<br>
> # /sbin/iptables -t nat -I POSTROUTING -d <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a>> -j SNAT --to my_ip<br>
> # /sbin/iptables -t nat -I POSTROUTING -d <a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">http://192.168.2.0/24</a>> -j SNAT --to my_ip<br>
><br>
> include /var/lib/strongswan/ipsec.<wbr>conf.inc<br>
Remove the include.<br>
<br>
> ==============================<wbr>==============================<wbr>===============<br>
><br>
> But this setup is not working.<br>
<br>
Provide all the information from the HelpRequests[1] page, please.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests" rel="noreferrer" target="_blank">https://wiki.strongswan.org/<wbr>projects/strongswan/wiki/<wbr>HelpRequests</a><br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px">Luca Arzeni</span></div></div></div></div>
</div></div>