[strongSwan] Phase 2: our client ID returned doesn't match my proposal betweetn two StrongSwans

Andreas Steffen andreas.steffen at strongswan.org
Wed Oct 8 13:38:42 CEST 2014

Hi Jakob,

In IKEv1 terminology the client IDs are traffic selectors
(a single host or an IPv4 or IPv6 subnet) which define which
local and remote subnets behind the gateways are to be connected
with each other over the tunnel. With IKEv2 these proposals must match
exactly. In your case it seems that the two IPsec endpoints propose
differing subnet defininitions.



On 08.10.2014 12:33, Jakob Curdes wrote:
> .. we have one  strongSwan U4.3.5 and on the second box  a  U5.1.2; when
> initiating a connection using IP addresses as IDs I get
> "our client ID returned doesn't match my proposal" in Phase 2 although
> the IPs are the correct ones (or Phase 1 would probably fail...)
> If I switch to hostnames as ID's, I get the same result. The connection
> is initiated from the U4.3.5 box.
> Any ideas?
> Regards,
> Jakob Curdes

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141008/3b58031e/attachment.bin>

More information about the Users mailing list