[strongSwan] no acceptable proposal found even though it has matching proposal

Tobias Brunner tobias at strongswan.org
Wed Oct 10 12:02:30 CEST 2018

Hi Yogesh,

> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,

> Why is it saying no acceptable DH group when it is same ?

Because they aren't the same.  If you look (more closely, I guess) at
the log output above you'll see that the received proposal includes a DH
group, while the configured proposal that matches the proposed integrity
algorithm (sha256) doesn't.  The first configured proposal includes a
matching DH group, but its integrity algorithm doesn't match (sha1).  So
fix your ESP proposal: esp=aes256-sha256-modp2048 (and optionally end it
with !).
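
The matching rule described in the reply above, as an added example that is not part of the original message and is not strongSwan code: a simplified model in which a received proposal is accepted only if a single configured proposal agrees on every transform type, so algorithms are never combined across configured proposals. The second configured proposal is constructed from the description in the reply (sha256, no DH group) because the quoted log is cut off after the first one; all function names are hypothetical.

```python
TYPES = ("ENCR", "INTEG", "DH", "ESN")

def transform_type(name):
    """Map a transform name as printed in the log to its transform type."""
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if name.startswith("HMAC_"):
        return "INTEG"
    if name in ("EXT_SEQ", "NO_EXT_SEQ"):
        return "ESN"
    return "ENCR"

def parse(proposal):
    """'ESP:A/B/C' -> dict mapping each transform type to a set of names."""
    _, _, names = proposal.partition(":")
    parsed = {t: set() for t in TYPES}
    for name in names.split("/"):
        parsed[transform_type(name)].add(name)
    return parsed

def first_mismatch(received, configured):
    """Return the first transform type with no common algorithm, or None."""
    r, c = parse(received), parse(configured)
    for t in TYPES:
        # A type present on only one side (e.g. a DH group) is a mismatch too.
        if (r[t] or c[t]) and not (r[t] & c[t]):
            return t
    return None

def select(received, configured_list):
    """Return (selected configured proposal or None, mismatch per rejected one)."""
    mismatches = []
    for cfg in configured_list:
        miss = first_mismatch(received, cfg)
        if miss is None:
            return cfg, mismatches
        mismatches.append(miss)
    return None, mismatches

RECEIVED = "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"
CONFIGURED = [
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ",  # from the quoted log
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ",       # constructed (assumption)
]
# What esp=aes256-sha256-modp2048 looks like in the log's notation.
FIXED = ["ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"]

if __name__ == "__main__":
    print(select(RECEIVED, CONFIGURED))
    print(select(RECEIVED, FIXED))
```

The model ignores cases where real IKEv2 negotiation treats a missing DH group specially, so it only illustrates the per-proposal matching rule.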

