[strongSwan] Tunnel established, but 'no acceptable ENCRYPTION_ALGORITHM found'
jafar at atcorp.com
Wed May 2 21:01:24 CEST 2018
On 5/2/2018 3:22 AM, Tobias Brunner wrote:
> Hi Jafar,
>> Makes sense, but just to understand what is going on and know how
>> to read the logs, are you saying that each "ESP:" prefix signifies a
>> separate proposal that is parsed independently (log below)? A single
>> proposal might have one or more algorithms separated by slashes, correct?
> Yes, they each are separate proposals that were all contained in the
> same SA payload sent by the client (see section 3.3 of RFC 7296 for
> an illustration). During proposal selection they are treated separately
> (i.e. we can't pick and choose algorithms from different proposals).
> And for each transform type (encryption, integrity, DH etc.) multiple
> algorithms may be contained in each proposal (in the log and status
> output separated with /).
> When configuring it you'd separate proposals with commas and the
> algorithms with dashes. For instance,
> would be configured like this in swanctl.conf:
> esp_proposals =
>  https://tools.ietf.org/html/rfc7296#section-3.3
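The selection rule described in the quoted reply, as an added example that is not part of the original message and is not strongSwan code: proposals are split on commas, algorithms on dashes, and each local/peer proposal pair is matched on its own, so an algorithm from one proposal never completes another. The prefix-based keyword classification, the function names, the trial order and the sample strings are assumptions made for this sketch.

```python
# Added illustration, not strongSwan code: simplified proposal selection.
# Assumption: the transform type is guessed from the keyword prefix.
PREFIXES = {
    "ENCRYPTION_ALGORITHM": ("aes", "3des", "chacha20poly1305", "camellia"),
    "INTEGRITY_ALGORITHM": ("sha", "md5"),
    "DIFFIE_HELLMAN_GROUP": ("modp", "ecp", "curve"),
}

def transform_type(alg):
    for ttype, prefixes in PREFIXES.items():
        if alg.startswith(prefixes):
            return ttype
    raise ValueError(f"unknown algorithm keyword: {alg}")

def parse_proposals(config):
    proposals = []
    for text in config.split(","):            # commas separate proposals
        proposal = {}
        for alg in text.strip().split("-"):   # dashes separate algorithms
            proposal.setdefault(transform_type(alg), []).append(alg)
        proposals.append(proposal)
    return proposals

def match(local, peer):
    """Return (selection, None), or (None, first transform type with no overlap)."""
    selection = {}
    for ttype in PREFIXES:
        if ttype not in local and ttype not in peer:
            continue                          # e.g. no integrity transform on either side
        common = [a for a in local.get(ttype, []) if a in peer.get(ttype, [])]
        if not common:
            return None, ttype
        selection[ttype] = common[0]
    return selection, None

def select(local_config, peer_config):
    """Try each local/peer proposal pair; never combine across proposals."""
    failures = []
    for local in parse_proposals(local_config):
        for peer in parse_proposals(peer_config):
            selection, missing = match(local, peer)
            if missing is None:
                return selection, failures
            failures.append(f"no acceptable {missing} found")
    return None, failures

# Constructed sample: the peer's two proposals together cover LOCAL, but neither does alone.
LOCAL = "aes256-sha256-modp2048"
PEER = "aes128-sha256-modp2048,aes256-sha1-modp2048"
```

`select(LOCAL, PEER)` returns no selection, with one failure reason per rejected proposal; when a later proposal does match, the selection is returned together with the reasons recorded for the proposals rejected before it.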