<div dir="ltr">Hello Jafar,<div><br></div><div>Thank you for the final proposals. I have entered them and it works great with iOS and OSX. I have no Windows to test it yet. </div><div><br></div><div>The only reason I had picked 3des-shal1, was because the StrongSwan Wiki claims this was needed for Mac (OSX) <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients">https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients</a>. But I can see it works even without that.</div><div><br></div><div>My user in Iran still can't connect successfully. I have followed your instructions. I have tailed the syslog below, hence this is all I can see:</div><div><br></div><div><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to 91.99.xxx.xxx[500]</p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">I have also executed ipsec statusall</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> uptime: 68 minutes, since May 12 09:55:31 2018</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> malloc: sbrk 1773568, mmap 0, used 572416, free 1201152</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Virtual IP pools (size/online/offline):</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> <a href="http://10.10.10.0/24">10.10.10.0/24</a>: 254/0/1</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Listening IP addresses:</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> 172.31.xxx.xxx</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Connections:</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> roadwarrior: %any...%any IKEv2, dpddelay=180s</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> roadwarrior: local: [<a href="http://vpn1.xxx.com">vpn1.xxx.com</a>] uses public key authentication</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> roadwarrior: cert: "CN=<a href="http://vpn1.xxx.com">vpn1.xxx.com</a>"</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> roadwarrior: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> roadwarrior: child: <a href="http://0.0.0.0/0">0.0.0.0/0</a> === dynamic TUNNEL, dpdaction=clear</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Security Associations (0 up, 0 connecting):</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">
</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"> none</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">I can't quite see from this if they have blocked ESP or not. But I suspect this is the case.</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Many Thanks for your help,</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Houman</p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 11 May 2018 at 16:00, Jafar Al-Gharaibeh <span dir="ltr"><<a href="mailto:jafar@atcorp.com" target="_blank">jafar@atcorp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
1) The log shows that while it took a couple of attempts to
establish and IKE SA, it was eventually up with and ESP Child SA as
well. So, as far as I can see in your logs, the connection should be
up. What happens next? do the logs show that the connection is
dropped for some reason? what is the output of "ipsec statusall"?
Can you confirm that you are receiving ESP packets afterward, or if
ESP is blocked? <br>
<br>
2) Depending on the vpn clients you use, your proposals seem OK. I
would expand them a bit with better DH group in case the client
supports it in both IKE and ESP configs. In ESP case you can have
two proposals, with and without DH groups if you have clients that
can't do DH with ESP. Unless you really think you need 3des-sha1 for
some clients, there is no reason to keep it. Here is an example:<br>
<br>
ike=aes256-sha256-ecp521-<wbr>ecp256-modp4096-modp2048!<br>
esp=aes256-sha256-sha1-ecp521-<wbr>ecp256-modp4096-modp2048,
aes256-sha256-sha1!<br>
<div class="m_8289949549181578463moz-cite-prefix"><br>
<br>
Regards,<br>
Jafar<div><div class="h5"><br>
<br>
On 5/11/2018 3:17 AM, Houman wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Hello Jafar,
<div><br>
</div>
<div>Apologies, as I didn't explain what I had already tried.</div>
<div><br>
</div>
<div>1) I have tried your suggestion:</div>
<div><br>
</div>
<div>
<div> ike=aes256-sha256-prfsha256-<wbr>modp2048-modp1024!</div>
<div> esp=aes256-sha256,aes256-<wbr>sha1,3des-sha1!</div>
</div>
<div><br>
</div>
<div>I can connect to it via iOS 11 and OSX High Sierra without
any problem from UK. And I no longer get that error message:
"<span>DH group MODP_2048 inacceptable,
requesting MODP_1024".</span></div>
<div><span><br>
</span></div>
<div><span>However my user still can't
connect. As he is connecting from Iran, I strongly suspect
this is because of a recent tightening of the VPN traffic
due to the recent political circumstances. Further below I
have pasted the log when he is trying to connect
unsuccessfully. It says "Connecting..." and after a few
sconds, it drops.</span></div>
<div><span><br>
</span></div>
<div><span>2) Unrelated to that, considering
what we discussed in this thread, it seems I could skip
both </span><b>prfsha256</b> and <b>modp1024</b>.<span> Would you say this is now the
perfect settings for iOS 10+, OSX and Windows 10?</span></div>
<div><span><br>
</span></div>
<div>
<div><b> ike=aes256-sha256-modp2048!</b></div>
<div><b> esp=aes256-sha256,aes256-<wbr>sha1,3des-sha1!</b></div>
</div>
<div><span><br>
</span></div>
<div><span>Many Thanks for your help,</span></div>
<div><span>Houman</span></div>
<div><span><br>
</span></div>
<div><span>Btw here is the log when he is
trying to connect:</span></div>
<div><span><br>
</span></div>
<div>
<p>May 11 07:55:16 vpn-server
charon: 02[NET] received packet: from 109.230.xxx.xx[500] to
172.31.xxx.xxx[500] (604 bytes)</p>
<p>May 11 07:55:16 vpn-server
charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]</p>
<p>May 11 07:55:16 vpn-server
charon: 02[IKE] 109.230.xxx.xx is initiating an IKE_SA</p>
<p>May 11 07:55:16 vpn-server
charon: 02[IKE] local host is behind NAT, sending keep
alives</p>
<p>May 11 07:55:16 vpn-server
charon: 02[IKE] remote host is behind NAT</p>
<p>May 11 07:55:16 vpn-server
charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]</p>
<p>May 11 07:55:16 vpn-server
charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to
109.230.xxx.xx[500] (448 bytes)</p>
<p>May 11 07:55:36 vpn-server
charon: 01[IKE] sending keep alive to 109.230.xxx.xx[500]</p>
<p>May 11 07:55:46 vpn-server
charon: 11[JOB] deleting half open IKE_SA after timeout</p>
<p>May 11 07:57:44 vpn-server
charon: 16[NET] received packet: from 109.230.xxx.xx[1] to
172.31.xxx.xxx[500] (624 bytes)</p>
<p>May 11 07:57:44 vpn-server
charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) V V V V ]</p>
<p>May 11 07:57:44 vpn-server
charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID</p>
<p>May 11 07:57:44 vpn-server
charon: 16[IKE] received MS-Negotiation Discovery Capable
vendor ID</p>
<p>May 11 07:57:44 vpn-server
charon: 16[IKE] received Vid-Initial-Contact vendor ID</p>
<p>May 11 07:57:44 vpn-server
charon: 16[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:<wbr>ab:9a:1c:5b:2a:51:00:00:00:02</p>
<p>May 11 07:57:44 vpn-server
charon: 16[IKE] 109.230.xxx.xx is initiating an IKE_SA</p>
<p>May 11 07:57:44 vpn-server
charon: 16[IKE] local host is behind NAT, sending keep
alives</p>
<p>May 11 07:57:44 vpn-server
charon: 16[IKE] remote host is behind NAT</p>
<p>May 11 07:57:44 vpn-server
charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</p>
<p>May 11 07:57:44 vpn-server
charon: 16[NET] sending packet: from 172.31.xxx.xxx[500] to
109.230.xxx.xx[1] (440 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 04[NET] received packet: from 109.230.xxx.xx[1024]
to 172.31.xxx.xxx[4500] (1536 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ
N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi
TSr ]</p>
<p>May 11 07:57:45 vpn-server
charon: 04[IKE] received 54 cert requests for an unknown ca</p>
<p>May 11 07:57:45 vpn-server
charon: 04[CFG] looking for peer configs matching
172.31.xxx.xxx[%any]...109.<wbr>230.xxx.xx[192.168.1.103]</p>
<p>May 11 07:57:45 vpn-server
charon: 04[CFG] selected peer config 'roadwarrior'</p>
<p>May 11 07:57:45 vpn-server
charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)</p>
<p>May 11 07:57:45 vpn-server
charon: 04[IKE] peer supports MOBIKE</p>
<p>May 11 07:57:45 vpn-server
charon: 04[IKE] authentication of '<a href="http://vpn1.xxx.com" target="_blank">vpn1.xxx.com</a>'
(myself) with RSA signature successful</p>
<p>May 11 07:57:45 vpn-server
charon: 04[IKE] sending end entity cert "CN=<a href="http://vpn1.xxx.com" target="_blank">vpn1.xxx.com</a>"</p>
<p>May 11 07:57:45 vpn-server
charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt,
CN=Let's Encrypt Authority X3"</p>
<p>May 11 07:57:45 vpn-server
charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT
CERT AUTH EAP/REQ/ID ]</p>
<p>May 11 07:57:45 vpn-server
charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to
109.230.xxx.xx[1024] (3616 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 02[NET] received packet: from 109.230.xxx.xx[1024]
to 172.31.xxx.xxx[4500] (96 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 02[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]</p>
<p>May 11 07:57:45 vpn-server
charon: 02[IKE] received EAP identity 'houmie'</p>
<p>May 11 07:57:45 vpn-server
charon: 02[IKE] initiating EAP_MSCHAPV2 method (id 0x6C)</p>
<p>May 11 07:57:45 vpn-server
charon: 02[ENC] generating IKE_AUTH response 2 [
EAP/REQ/MSCHAPV2 ]</p>
<p>May 11 07:57:45 vpn-server
charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500] to
109.230.xxx.xx[1024] (112 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 03[NET] received packet: from 109.230.xxx.xx[1024]
to 172.31.xxx.xxx[4500] (144 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 03[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2
]</p>
<p>May 11 07:57:45 vpn-server
charon: 03[ENC] generating IKE_AUTH response 3 [
EAP/REQ/MSCHAPV2 ]</p>
<p>May 11 07:57:45 vpn-server
charon: 03[NET] sending packet: from 172.31.xxx.xxx[4500] to
109.230.xxx.xx[1024] (144 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 01[NET] received packet: from 109.230.xxx.xx[1024]
to 172.31.xxx.xxx[4500] (80 bytes)</p>
<p>May 11 07:57:45 vpn-server
charon: 01[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2
]</p>
<p>May 11 07:57:45 vpn-server
charon: 01[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK
established</p>
<p>May 11 07:57:45 vpn-server
charon: 01[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]</p>
<p>May 11 07:57:45 vpn-server
charon: 01[NET] sending packet: from 172.31.xxx.xxx[4500] to
109.230.xxx.xx[1024] (80 bytes)</p>
<p>May 11 07:57:46 vpn-server
charon: 11[NET] received packet: from 109.230.xxx.xx[1024]
to 172.31.xxx.xxx[4500] (112 bytes)</p>
<p>May 11 07:57:46 vpn-server
charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] authentication of '192.168.1.103' with EAP
successful</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] authentication of '<a href="http://vpn1.xxx.com" target="_blank">vpn1.xxx.com</a>'
(myself) with EAP</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] IKE_SA roadwarrior[4] established between
172.31.xxx.xxx[<a href="http://vpn1.xxx.com" target="_blank">vpn1.xxx.com</a>]..<wbr>.109.230.xxx.xx[192.168.1.103]</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] peer requested virtual IP %any</p>
<p>May 11 07:57:46 vpn-server
charon: 11[CFG] reassigning offline lease to 'houmie'</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] assigning virtual IP 10.10.10.1 to peer
'houmie'</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] peer requested virtual IP %any6</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] no virtual IP found for %any6 requested by
'houmie'</p>
<p>May 11 07:57:46 vpn-server
charon: 11[IKE] CHILD_SA roadwarrior{2} established with
SPIs caa2d799_i 8f5ab10c_o and TS <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
=== <a href="http://10.10.10.1/32" target="_blank">10.10.10.1/32</a></p>
<p>May 11 07:57:46 vpn-server
charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH
CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]</p>
<p>May 11 07:57:46 vpn-server
charon: 11[NET] sending packet: from 172.31.xxx.xxx[4500] to
109.230.xxx.xx[1024] (256 bytes)</p>
</div>
<div><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span><br>
</span></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 10 May 2018 at 21:52, John Connett <span dir="ltr"><<a href="mailto:jrc@skylon.demon.co.uk" target="_blank">jrc@skylon.demon.co.uk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_8289949549181578463m_4818619819815122131divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<div id="m_8289949549181578463m_4818619819815122131divtagdefaultwrapper" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Don't know if
this might be related:</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"><a href="https://support.microsoft.com/en-gb/help/4103721/windows-10-update-kb4103721" class="m_8289949549181578463m_4818619819815122131OWAAutoLink" id="m_8289949549181578463m_4818619819815122131LPlnk348641" target="_blank">https://support.microsoft.com/<wbr>en-gb/help/4103721/windows-10-<wbr>update-kb4103721</a><br>
<br>
</p>
"<span>Addresses an issue that prevents certain VPN
apps from working on builds of Windows 10, version
1803. These apps were developed using an SDK version
that precedes Windows 10, version 1803, and use the
public RasSetEntryProperties API".</span></div>
<div id="m_8289949549181578463m_4818619819815122131divtagdefaultwrapper" dir="ltr">
<br>
</div>
<div id="m_8289949549181578463m_4818619819815122131divtagdefaultwrapper" dir="ltr">
<span></span>Regards</div>
<div id="m_8289949549181578463m_4818619819815122131divtagdefaultwrapper" dir="ltr">
--</div>
<div id="m_8289949549181578463m_4818619819815122131divtagdefaultwrapper" dir="ltr">
John Connett<br>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="m_8289949549181578463m_4818619819815122131divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Users <<a href="mailto:users-bounces@lists.strongswan.org" target="_blank">users-bounces@lists.strongswa<wbr>n.org</a>>
on behalf of Jafar Al-Gharaibeh <<a href="mailto:jafar@atcorp.com" target="_blank">jafar@atcorp.com</a>><br>
<b>Sent:</b> 10 May 2018 21:33<br>
<b>To:</b> Houman<br>
<b>Cc:</b> <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
<b>Subject:</b> Re: [strongSwan] Sudden issues
with Windows 10 clients</font>
<div> </div>
</div>
<span>
<div style="background-color:#ffffff">Hi Houman,<br>
<br>
Similar to the Windows problem you had earlier,
you don't have the correct combination of
configured algorithms. look at the logs:<br>
<br>
May 10 20:26:48 vpn-server charon: 12[IKE]
DH group MODP_2048 inacceptable, requesting
MODP_1024<br>
<br>
The iphone expect modp2048, but your
configuration says modp1024. Look back at the
suggestion we made for Windows and just use the
same configuration.<br>
<br>
Regards,<br>
Jafar<br>
</div>
</span></div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>