[strongSwan] DH group MODP_1024 inacceptable, requesting MODP_1024

Agustin M. agustin at mattware.com.ar
Mon Nov 2 20:42:15 CET 2015


Hi guys,

I'm facing an issue with my strongswan config with an IOS 9.0.1 and
strongswan 5.3.3.

The DH group negotiation says "DH group MODP_1024 inacceptable,
requesting MODP_1024"

Here's the log cfg 2:

Nov  2 16:25:57 strongswan charon: 06[NET] received packet: from
190.220.147.10[500] to 192.168.1.175[500] (388 bytes)
Nov  2 16:25:57 strongswan charon: 06[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov  2 16:25:57 strongswan charon: 06[CFG] looking for an ike config for
192.168.1.175...190.220.147.10
Nov  2 16:25:57 strongswan charon: 06[CFG]   candidate:
192.168.1.175...%any, prio 1052
Nov  2 16:25:57 strongswan charon: 06[CFG] found matching ike config:
192.168.1.175...%any with prio 1052
Nov  2 16:25:57 strongswan charon: 06[IKE] 190.220.147.10 is initiating
an IKE_SA
Nov  2 16:25:57 strongswan charon: 06[CFG] selecting proposal:
Nov  2 16:25:57 strongswan charon: 06[CFG]   proposal matches
Nov  2 16:25:57 strongswan charon: 06[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov  2 16:25:57 strongswan charon: 06[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512
Nov  2 16:25:57 strongswan charon: 06[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov  2 16:25:57 strongswan charon: 06[IKE] local host is behind NAT,
sending keep alives
Nov  2 16:25:57 strongswan charon: 06[IKE] remote host is behind NAT
Nov  2 16:25:57 strongswan charon: 06[IKE] DH group MODP_1024
inacceptable, requesting MODP_1024
Nov  2 16:25:57 strongswan charon: 06[ENC] generating IKE_SA_INIT
response 0 [ N(INVAL_KE) V ]
Nov  2 16:25:57 strongswan charon: 06[NET] sending packet: from
192.168.1.175[500] to 190.220.147.10[500] (58 bytes)


My ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        ike=aes128-sha1-prfsha1-modp1024,aes256-sha2_256-prfsha256-modp1536,3des-sha1-prfsha1-modp1024
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        esp=aes128-sha1-prfsha1-modp1024,aes256-sha2_256-prfsha256-modp1536,3des-sha1-prfsha1-modp1024
        authby=secret

conn rw
        left=192.168.1.175
        leftid=192.168.1.175
        leftsubnet=10.1.0.0/16
        leftfirewall=yes
        right=%any
        rightsubnet=%any
        rightauth=psk
        rightid=dowhale
        auto=add

Thanks in advance.
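
The following is an added example, not part of the original post and not strongSwan code: a small Python triage helper that rejoins the mail-wrapped charon lines and reports the case logged above, where the responder answers IKE_SA_INIT with N(INVAL_KE) while requesting the same DH group it just rejected. The function names and the result keys are assumptions made for this illustration; the sample input is an excerpt of the log in the post.

```python
import re

# Excerpt of the charon log from the post above, with the mail wrapping kept.
SAMPLE_LOG = """\
Nov  2 16:25:57 strongswan charon: 06[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov  2 16:25:57 strongswan charon: 06[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov  2 16:25:57 strongswan charon: 06[IKE] DH group MODP_1024
inacceptable, requesting MODP_1024
Nov  2 16:25:57 strongswan charon: 06[ENC] generating IKE_SA_INIT
response 0 [ N(INVAL_KE) V ]
"""

# Syslog prefix as seen in the post: "Nov  2 16:25:57 host charon: 06[IKE] msg"
HEAD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ charon: (\d+)\[(\w+)\] (.*)$")
DH_REJECT = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")

def unwrap(text):
    """Rejoin wrapped continuation lines into (thread, subsystem, message)."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][2] += " " + line.strip()  # continuation of previous entry
    return [tuple(r) for r in records]

def diagnose(text):
    """Summarise the DH group handling of an IKE_SA_INIT exchange in a charon log."""
    out = {"selected_group": None, "rejected": None,
           "requested": None, "inval_ke_sent": False}
    for _thread, subsys, msg in unwrap(text):
        if subsys == "CFG" and msg.startswith("selected proposal:"):
            out["selected_group"] = msg.rsplit("/", 1)[-1].strip()
        m = DH_REJECT.match(msg)
        if subsys == "IKE" and m:
            out["rejected"], out["requested"] = m.groups()
        if subsys == "ENC" and "N(INVAL_KE)" in msg:
            out["inval_ke_sent"] = True
    # True when the group asked for is the one that was just refused.
    out["same_group_loop"] = (out["rejected"] is not None
                              and out["rejected"] == out["requested"])
    return out
```

A `same_group_loop` of `True` only records what the log shows: the initiator cannot satisfy the request by switching groups, so the place to look next is the responder itself.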


