<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div>Tobias,</div>
<div><br></div>
<div>I’ve tried ike-scan and this is what I see:</div>
<div><br></div>
<pre>~/ike-scan$ sudo ike-scan --verbose --trans=7/256,2,1,5 xx.xx.xx.xx
sudo: unable to resolve host stratus01
DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
Starting ike-scan 1.9.4 with 1 hosts (<a href="http://www.nta-monitor.com/tools/ike-scan/">http://www.nta-monitor.com/tools/ike-scan/</a>)
xx.xx.xx.xx     Main Mode Handshake returned HDR=(CKY-R=8d51ab78888680ad) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)</pre>
<div><br></div>
<blockquote type="cite">
<div>On Mar 19, 2018, at 11:01, Andrii Petrenko &lt;<a href="mailto:aplsms@gmail.com">aplsms@gmail.com</a>&gt; wrote:</div>
<div><br></div>
<div>Tobias, thank you for the reply.</div>
<div><br></div>
<div>The remote side does not support PFS.</div>
<div><br></div>
<table border="1" cellspacing="0" cellpadding="3">
<tbody>
<tr><th colspan="2">IKE Phase One Parameters</th></tr>
<tr><td>Encryption Algorithm</td><td>AES 256</td></tr>
<tr><td>Hash Algorithm</td><td>SHA</td></tr>
<tr><td>Authentication Method</td><td>Pre-shared key</td></tr>
<tr><td>Key Exchange</td><td>Diffie Hellman Group 5</td></tr>
<tr><td>IKE SA Lifetime</td><td>86400 (Cisco default)</td></tr>
<tr><th colspan="2">IKE Phase Two Parameters (IPSEC)</th></tr>
<tr><td>Authentication</td><td>ESP with SHA-HMAC</td></tr>
<tr><td>Encryption Algorithm</td><td>ESP-AES 256</td></tr>
<tr><td>SA Establishment</td><td>ipsec-isakmp (IKE negotiated)</td></tr>
<tr><td>IPSEC Mode</td><td>Tunnel (Cisco default)</td></tr>
<tr><td>IPSEC SA Lifetime (time)</td><td>3600 seconds</td></tr>
<tr><td>IPSEC SA Lifetime (volume)</td><td>4608000 kilobytes</td></tr>
<tr><td>PFS (Perfect Forward Secrecy)</td><td>No</td></tr>
<tr><th colspan="2">Optional encryption if requirements differ from above (encryption / integrity)</th></tr>
<tr><td>esp-3des</td><td>esp-md5-hmac</td></tr>
<tr><td>esp-aes 256</td><td>esp-sha-hmac</td></tr>
<tr><td>esp-aes 128</td><td>esp-sha-hmac</td></tr>
</tbody>
</table>
<div><br></div>
<div>This is the information I have from the remote side.</div>
<div><br></div>
<div>Is it possible to see what the remote side offers?</div>
<div><br></div>
<div>Thank you,</div>
<div>AP</div>
<div><br></div>
<blockquote type="cite">
<div>On Mar 19, 2018, at 10:52, Tobias Brunner &lt;<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>&gt; wrote:</div>
<div><br></div>
<div>Hi Andrii,<br><br>
<blockquote type="cite">I see the problem on the IKE side, but don’t know how to debug and fix it.<br></blockquote>
<br>The log tells you _exactly_ what the problem is:<br><br>
<blockquote type="cite">12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]<br>12[IKE] received NO_PROPOSAL_CHOSEN error notify<br></blockquote>
<br>The peer doesn't like the crypto proposal sent by the client. So fix the <code>esp</code> setting in the config (maybe you have to enable PFS by adding a DH group; ask the other server admin for the correct algorithms).<br><br>Regards,<br>Tobias<br></div>
</blockquote>
</blockquote>
</body></html>