<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks Tobias for the quick response. I set this up, the Registry value and below configuration, but still the same error. </div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default"><div class="gmail_default"><font face="tahoma, sans-serif">config setup</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> charondebug="ike 1, knl 1, cfg 0"</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> uniqueids=no</font></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">conn ikev2-vpn</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> auto=add</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> compress=no</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> type=tunnel</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> keyexchange=ikev2</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> fragmentation=yes</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> forceencaps=yes</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> dpdaction=clear</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> dpddelay=300s</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rekey=no</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> left=%any</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftid=102.1*9.2*9.**</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftcert=server-cert.pem</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftsendcert=always</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></font></div><div class="gmail_default"><font face="tahoma, sans-serif"> right=%any</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightid=%any</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightauth=eap-mschapv2</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightsourceip=<a href="http://10.10.10.0/24">10.10.10.0/24</a></font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightdns=8.8.8.8,8.8.4.4</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightsendcert=never</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> eap_identity=%identity</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! </font></div><div class="gmail_default"><font face="tahoma, sans-serif"> esp=aes256-sha256,aes256-sha1,3des-sha1!</font></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">Thanks a lot</font></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 13, 2019 at 5:45 PM Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Moses,<br>
<br>
Configure an IKE proposal that's accepted by your peer (you disabled log<br>
message for cfg, so you didn't see the details of the proposal<br>
negotiation). Most likely the problem is that modp1024 is proposed, a<br>
DH group strongSwan doesn't include in its default IKE proposal anymore.<br>
So to use it, IKE proposals have to be configured explicitly. Also see<br>
[1] for information on how to get Windows to use at least modp2048.<br>
<br>
Regards,<br>
Tobias<br>
<br>
[1]<br>
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048</a><br>
</blockquote></div>