<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:10px;"><div><b>version: strongSwan 5.6.2</b></div><div><br></div><div>When I connect from Windows 10, strongSwan replies with a different policy than requested, causing a policy mismatch</div><div><br></div><div>```</div><div><div><span style="color: rgb(0, 0, 0); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 10px;"><span><div>connections {</div><div>   default {</div><div>      version = 2</div><div>      send_cert = always</div><div>      encap = yes</div><div>      pools = pool1</div><div>      unique = replace</div><div>      proposals = <span>aes256gcm16-aes128gcm16-sha384-sha256-prfsha384-prfsha256-modp1024</span> </div><div>      local {</div><div>         id = vpnserver</div><div>         certs = vpnserver.crt</div><div>      }</div><div>      remote {</div><div>         auth = eap-mschapv2</div><div>         eap_id = %any</div><div>      }<br></div><div>      children {</div><div>         net {</div><div>            local_ts = 10.0.0.0/20</div><div>            inactivity = 1h</div><div>         }</div><div>      }</div><div>   }</div><div>}</div></span>```</span></div><div><br></div><div><span style="color: rgb(0, 0, 0); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 10px;">When Windows connects, strongSwan gives it the wrong policy and hence Windows 10 reports a<b> policy match error</b></span></div><div><br></div><div>







<p class="ydp4c4ee11bp1"> </p><div>May  1 21:53:12 08[CFG] <b>received proposals</b>: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024</div><div>May  1 21:53:12 08[CFG] <b>configured proposals</b>: IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/MODP_1024</div><div>May  1 21:53:12 08[CFG] selected proposal: IKE:<b>AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024</b></div><br><p></p><span style="color: rgb(0, 0, 0); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 10px;">Expected response (I'm guessing) <b>AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 </b>(a</span>lthough I don't know why it doesn't choose the better ciphers).</div></div><div><br></div><div><br></div><div><span><div><br></div></span></div></div></body></html>