<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    The selection is not based on "best", but rather on the order of
    algorithms at the initiator side first and the responder side
    second.  AFAIK, strongSwan accepts the first proposed algorithm
    that is also configured locally. The first algorithm
    proposed by Windows and also accepted at your server is<br>
    <br>
    Windows:
    "IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"<br>
    strongSwan: proposals = aes256gcm16-aes128gcm16-sha384-sha256-prfsha384-prfsha256-modp1024<br>
    <br>
    If you want the better algorithm, then move it first in your Windows
    configuration, or change strongSwan to only accept the algorithms
    you prefer, i.e. drop "-aes128gcm16":<br>
    <br>
    proposals = aes256gcm16-sha384-sha256-prfsha384-prfsha256-modp1024<br>
    <br>
    Regards,<br>
    Jafar<br>
     <br>
    <div class="moz-cite-prefix">On 5/1/2018 4:59 PM, Christian Salway
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:916331058.9903.1525211940692@mail.yahoo.com">
      <div style="font-family:Helvetica Neue, Helvetica, Arial,
        sans-serif;font-size:10px;">
        <div><b>version: strongSwan 5.6.2</b></div>
        <div><br>
        </div>
        <div>When I connect from Windows 10, strongSwan replies with a
          different policy than requested, causing a policy mismatch</div>
        <div><br>
        </div>
        <div>
          <div><pre>
connections {
   default {
      version = 2
      send_cert = always
      encap = yes
      pools = pool1
      unique = replace
      proposals = aes256gcm16-aes128gcm16-sha384-sha256-prfsha384-prfsha256-modp1024
      local {
         id = vpnserver
         certs = vpnserver.crt
      }
      remote {
         auth = eap-mschapv2
         eap_id = %any
      }
      children {
         net {
            local_ts = 10.0.0.0/20
            inactivity = 1h
         }
      }
   }
}
</pre></div>
          <div><br>
          </div>
          <div>When Windows connects, strongSwan gives
            it the wrong policy and hence Windows 10 reports a <b>policy
            match error</b></div>
          <div><br>
          </div>
          <div>
            <div>May  1 21:53:12 08[CFG] <b>received proposals</b>:
              IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
              IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
              IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
              IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
              IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
              IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
              IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
              IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
              IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
              IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
              IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
              IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024</div>
            <div>May  1 21:53:12 08[CFG] <b>configured proposals</b>:
IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/MODP_1024</div>
            <div>May  1 21:53:12 08[CFG] selected proposal: IKE:<b>AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024</b></div>
            <br>
            Expected response (I'm guessing) <b>AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024</b>
            (although I don't know why it doesn't choose the
            better ciphers).</div>
        </div>
      </div>
    </blockquote>
    <br>
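An added example, not part of this thread and not strongSwan's own code, that models the selection rule Jafar describes above (initiator order first, responder order second) and replays it against the "received proposals" log line Christian quoted. The keyword table, the treatment of sha* keywords as PRFs when every configured cipher is AEAD (inferred from the quoted "configured proposals" line), the extra modp2048 keyword used for a no-match case, and all function names are assumptions of this example, not charon's actual implementation.<br>
<br>
```python
"""Model of IKEv2 proposal selection on the responder, as described in the
reply: walk the initiator's proposals in the order they were sent and take
the first one built only from algorithms the responder has configured."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed mapping from strongSwan proposal keywords to the names charon logs;
# only the keywords used in the thread, plus modp2048 for a no-match case.
KEYWORDS = {
    "aes256gcm16": ("encr", "AES_GCM_16_256"),
    "aes128gcm16": ("encr", "AES_GCM_16_128"),
    "sha384": ("integ", "HMAC_SHA2_384_192"),
    "sha256": ("integ", "HMAC_SHA2_256_128"),
    "prfsha384": ("prf", "PRF_HMAC_SHA2_384"),
    "prfsha256": ("prf", "PRF_HMAC_SHA2_256"),
    "modp1024": ("dh", "MODP_1024"),
    "modp2048": ("dh", "MODP_2048"),
}
AEAD = {"AES_GCM_16_256", "AES_GCM_16_128"}  # ciphers that carry their own integrity


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: Optional[str]  # None for AEAD ciphers
    prf: str
    dh: str

    def __str__(self) -> str:
        parts = [self.encr] + ([self.integ] if self.integ else []) + [self.prf, self.dh]
        return "IKE:" + "/".join(parts)


def parse_log_proposal(text: str) -> Proposal:
    """Parse one 'IKE:ENCR/INTEG/PRF/DH' item in the form charon prints it."""
    text = text.strip()
    if text.startswith("IKE:"):
        text = text[4:]
    encr = integ = prf = dh = None
    for alg in text.split("/"):
        if alg.startswith("PRF_"):
            prf = alg
        elif alg.startswith("HMAC_"):
            integ = alg
        elif alg.startswith(("MODP_", "ECP_")):
            dh = alg
        else:
            encr = alg
    if None in (encr, prf, dh):
        raise ValueError("incomplete proposal: " + text)
    return Proposal(encr, integ, prf, dh)


def parse_log_line(line: str) -> List[Proposal]:
    """Split a 'received proposals: A, B, C' charon log line into Proposals."""
    _, _, body = line.partition("proposals:")
    return [parse_log_proposal(item) for item in body.split(",") if item.strip()]


def parse_configured(proposal: str) -> Dict[str, List[str]]:
    """Expand a swanctl 'proposals' string into per-type lists in config order.
    Assumption (matches the quoted 'configured proposals' line): when every
    cipher is AEAD, bare sha* keywords become PRFs and no integrity algorithm
    is configured."""
    sets: Dict[str, List[str]] = {"encr": [], "integ": [], "prf": [], "dh": []}
    for kw in proposal.split("-"):
        kind, name = KEYWORDS[kw]
        sets[kind].append(name)
    if sets["encr"] and all(e in AEAD for e in sets["encr"]):
        for integ in sets["integ"]:
            prf = "PRF_" + integ.rsplit("_", 1)[0]  # HMAC_SHA2_256_128 -> PRF_HMAC_SHA2_256
            if prf not in sets["prf"]:
                sets["prf"].append(prf)
        sets["integ"] = []
    return sets


def select(received: List[Proposal], configured: Dict[str, List[str]]) -> Optional[Proposal]:
    """Initiator order decides: the first received proposal whose cipher, PRF and
    DH group are all configured (and whose integrity algorithm is configured too,
    unless the cipher is AEAD, in which case integrity is dropped from the answer)."""
    for p in received:
        if p.encr not in configured["encr"] or p.prf not in configured["prf"] \
                or p.dh not in configured["dh"]:
            continue
        if p.encr in AEAD:
            return Proposal(p.encr, None, p.prf, p.dh)
        if p.integ in configured["integ"]:
            return p
    return None  # nothing acceptable: the responder would answer NO_PROPOSAL_CHOSEN


# The 'received proposals' line quoted in the thread (the 18 Windows 10 proposals).
WINDOWS_LOG_LINE = (
    "May  1 21:53:12 08[CFG] received proposals: "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
    "IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
    "IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024"
)


def negotiate(configured_proposals: str) -> Optional[str]:
    """What the modelled responder selects against the quoted Windows offer."""
    chosen = select(parse_log_line(WINDOWS_LOG_LINE), parse_configured(configured_proposals))
    return None if chosen is None else str(chosen)


if __name__ == "__main__":
    for cfg in ("aes256gcm16-aes128gcm16-sha384-sha256-prfsha384-prfsha256-modp1024",
                "aes256gcm16-sha384-sha256-prfsha384-prfsha256-modp1024",
                "aes256gcm16-sha256-prfsha256-modp2048"):
        print(cfg, "->", negotiate(cfg))
```
<br>
With the quoted configuration the model picks AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, the same line the log shows as "selected proposal", because Windows lists every AES_GCM_16_128 proposal before any AES_GCM_16_256 one and the responder's own preference for aes256gcm16 is only a tie-breaker. Dropping -aes128gcm16 on the strongSwan side makes the first acceptable Windows proposal the AES_GCM_16_256 one; the third configuration shows the failure mode where the client offers only MODP_1024 and the server accepts only modp2048, so nothing is selected.<br>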
  </body>
</html>