<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">or add the registry key<a href="http://www.naimuri.com" class=""></a></div><div class=""><br class=""></div><div class="">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters [DWORD 32bit] NegotiateDH2048_AES256 1</div><div class=""><br class=""></div><div class=""><a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Bugs-amp-Features" class="">https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Bugs-amp-Features</a></div><div class=""><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">On 3 May 2018, at 14:39, Jafar A-Gharaibeh <<a href="mailto:jafar@atcorp.com" class="">jafar@atcorp.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""> The responder is configured to accept DH group modp2048 and up. Windows can only do modp1024 by default as you can see in the received proposals.<br class=""><br class="">Append modp1024 to your strongswan ike proposals and it should work.<br class=""><br class="">Regards,<br class="">Jafar<br class=""><br class=""><br class="">On 2018-05-03 04:34, flyingrhino wrote:<br class=""><blockquote type="cite" class="">Hi fellow swan'ers,<br class="">Can anyone point me in the right direction to understand why I get the<br class="">message "error 13868: Policy match error" when I connect using windows<br class="">8.1 & p12 cert to strongswan responder (5.6.2-2~local9.1 on debian<br class="">stretch)?<br class="">When I connect to the same responder from a linux initiator running<br class="">linux mint 18.3 with the cert components configured manually into<br class="">ipsec.conf , ipsec.secrets, strongswan.conf (ipsec up CONN_NAME) - it<br class="">works perfectly!<br class="">Here's the log from the responder with find/replace on private fields:<br class="">May 3 18:08:30 my_server charon: 02[NET] received packet: from<br class="">1.1.1.1[43473] to 2.2.2.2[500]<br class="">May 3 18:08:30 my_server charon: 12[NET] received packet: from<br class="">1.1.1.1[43473] to 2.2.2.2[500] (616 bytes)<br class="">May 3 18:08:30 my_server charon: 12[ENC] parsed IKE_SA_INIT request 0<br class="">[ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]<br class="">May 3 18:08:30 my_server charon: 12[CFG] looking for an ike config<br class="">for 2.2.2.2...1.1.1.1<br class="">May 3 18:08:30 my_server charon: 12[CFG] candidate: 2.2.2.2...%any, prio 1052<br class="">May 3 18:08:30 my_server charon: 12[CFG] found matching ike config:<br class="">2.2.2.2...%any with prio 1052<br class="">May 3 18:08:30 my_server charon: 12[IKE] received MS NT5 ISAKMPOAKLEY<br class="">v9 vendor ID<br class="">May 3 18:08:30 my_server charon: 12[IKE] received MS-Negotiation<br class="">Discovery Capable vendor ID<br class="">May 3 18:08:30 my_server charon: 12[IKE] received Vid-Initial-Contact vendor ID<br class="">May 3 18:08:30 my_server charon: 12[ENC] received unknown vendor ID:<br class="">01:MORE HEX HERE:00:00:02<br class="">May 3 18:08:30 my_server charon: 12[IKE] 1.1.1.1 is initiating an IKE_SA<br class="">May 3 18:08:30 my_server charon: 12[IKE] IKE_SA (unnamed)[2] state<br class="">change: CREATED => CONNECTING<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">DIFFIE_HELLMAN_GROUP found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">DIFFIE_HELLMAN_GROUP found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">DIFFIE_HELLMAN_GROUP found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">DIFFIE_HELLMAN_GROUP found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">DIFFIE_HELLMAN_GROUP found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">DIFFIE_HELLMAN_GROUP found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">ENCRYPTION_ALGORITHM found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">ENCRYPTION_ALGORITHM found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">ENCRYPTION_ALGORITHM found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">ENCRYPTION_ALGORITHM found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">ENCRYPTION_ALGORITHM found<br class="">May 3 18:08:30 my_server charon: 12[CFG] selecting proposal:<br class="">May 3 18:08:30 my_server charon: 12[CFG] no acceptable<br class="">ENCRYPTION_ALGORITHM found<br class="">May 3 18:08:30 my_server charon: 12[CFG] received proposals:<br class="">IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,<br class="">IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,<br class="">IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,<br class="">IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,<br class="">IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,<br class="">IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024<br class="">May 3 18:08:30 my_server charon: 12[CFG] configured proposals:<br class="">IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,<br class="">IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048<br class="">May 3 18:08:30 my_server charon: 12[IKE] remote host is behind NAT<br class="">May 3 18:08:30 my_server charon: 12[IKE] received proposals inacceptable<br class="">May 3 18:08:30 my_server charon: 12[ENC] generating IKE_SA_INIT<br class="">response 0 [ N(NO_PROP) ]<br class="">May 3 18:08:30 my_server charon: 12[NET] sending packet: from<br class="">2.2.2.2[500] to 1.1.1.1[43473] (36 bytes)<br class="">May 3 18:08:30 my_server charon: 12[IKE] IKE_SA (unnamed)[2] state<br class="">change: CONNECTING => DESTROYING<br class="">May 3 18:08:30 my_server charon: 02[NET] waiting for data on sockets<br class="">May 3 18:08:30 my_server charon: 08[NET] sending packet: from<br class="">2.2.2.2[500] to 1.1.1.1[<br class="">Could it be something to do with how the client key is built - the CN,<br class="">or san fields, or the IP addresses?<br class="">Here's how I made the keys. Again fields have been sanitized:<br class="">Responder<br class="">=========<br class="">ipsec pki --gen --type rsa --size 4096 --outform pem ><br class="">/etc/ipsec.d/private/my_strongswanKey.pem<br class="">ipsec pki --self --ca --lifetime 720 --in<br class="">/etc/ipsec.d/private/my_strongswanKey.pem --type rsa --dn "C=US,<br class="">O=company, CN=myrootCA" --outform pem ><br class="">/etc/ipsec.d/cacerts/my_strongswanCert.pem<br class="">ipsec pki --gen --type rsa --size 2048 --outform pem ><br class="">/etc/ipsec.d/private/my_vpnHostKey.pem<br class="">ipsec pki --pub --in /etc/ipsec.d/private/my_vpnHostKey.pem --type rsa<br class="">| ipsec pki --issue --lifetime 710 --cacert<br class="">/etc/ipsec.d/cacerts/my_strongswanCert.pem --cakey<br class="">/etc/ipsec.d/private/my_strongswanKey.pem --dn "C=US, O=company,<br class="">CN=2.2.2.2" --san 2.2.2.2 --san @2.2.2.2 --san 10.10.10.10 --san<br class="">@10.10.10.10 --san servername --flag serverAuth --flag ikeIntermediate<br class="">--outform pem > /etc/ipsec.d/certs/my_vpnHostCert.pem<br class="">Initiator certs<br class="">===============<br class="">ipsec pki --gen --type rsa --size 2048 --outform pem ><br class="">/etc/ipsec.d/private/my_MynameKey.pem<br class="">ipsec pki --pub --in /etc/ipsec.d/private/my_MynameKey.pem --type rsa<br class="">| ipsec pki --issue --lifetime 710 --cacert<br class="">/etc/ipsec.d/cacerts/my_strongswanCert.pem --cakey<br class="">/etc/ipsec.d/private/my_strongswanKey.pem --dn "C=US, O=company,<br class=""><a href="mailto:CN=Myname@company.com" class="">CN=Myname@company.com</a>" --san <a href="mailto:Myname@company.com" class="">Myname@company.com</a> --san <a href="mailto:Myname@2.2.2.2" class="">Myname@2.2.2.2</a><br class="">--san <a href="mailto:Myname@10.10.10.10" class="">Myname@10.10.10.10</a> --outform pem ><br class="">/etc/ipsec.d/certs/my_MynameCert.pem<br class="">openssl pkcs12 -export -inkey /etc/ipsec.d/private/my_MynameKey.pem<br class="">-in /etc/ipsec.d/certs/my_MynameCert.pem -name "my_MynameCert"<br class="">-certfile /etc/ipsec.d/cacerts/my_strongswanCert.pem -caname<br class="">"myrootCA" -out /etc/ipsec.d/p12/my_Myname.p12<br class="">Thanks.<br class=""></blockquote></div></div></blockquote></div><br class=""></body></html>