[strongSwan] no acceptable proposal found even though it has matching proposal
Tobias Brunner
tobias at strongswan.org
Wed Oct 10 12:02:30 CEST 2018
Hi Yogesh,
> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Why is it saying no acceptable DH group when it is the same?
Because they aren't the same. If you look (more closely, I guess) at
the log output above you'll see that the received proposal includes a DH
group, while the configured proposal that matches the proposed integrity
algorithm (sha256) doesn't. The first configured proposal includes a
matching DH group, but its integrity algorithm doesn't match (sha1). So
fix your ESP proposal: esp=aes256-sha256-modp2048 (and optionally end it
with !).
Regards,
Tobias
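
Added example, not part of the original message and not strongSwan's code: a simplified Python model of the rule described in the reply, where a configured proposal is acceptable only if every transform type (encryption, integrity, DH group, ESN) matches the received proposal. The function names, the prefix-based classification of log names, and the `FIXED` string (the assumed log form of `esp=aes256-sha256-modp2048`) are assumptions made for illustration.

```python
# Simplified model of per-transform-type proposal matching.
# Illustration only: not strongSwan source; helper names are hypothetical.
TYPES = ("ENCR", "INTEG", "DH", "ESN")

def transform_type(name):
    """Classify a transform by its log name (prefix rules are an assumption)."""
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    return "ENCR"

def parse(proposal):
    """'ESP:A/B/C' -> {transform type: [names]}"""
    _, _, algs = proposal.partition(":")
    out = {t: [] for t in TYPES}
    for name in algs.split("/"):
        out[transform_type(name)].append(name)
    return out

def mismatches(received, configured):
    """Transform types that stop `configured` from matching `received`."""
    r, c = parse(received), parse(configured)
    bad = []
    for t in TYPES:
        if not r[t] and not c[t]:
            continue  # type absent on both sides: nothing to compare
        if not set(r[t]) & set(c[t]):
            bad.append(t)  # present on one side only, or no common algorithm
    return bad

def select(received, configured_list):
    """(index of first acceptable configured proposal or None, reasons per proposal)"""
    reasons = [mismatches(received, c) for c in configured_list]
    return next((i for i, b in enumerate(reasons) if not b), None), reasons

# Proposal strings copied from the log quoted in the message above.
RECEIVED = "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"
CONFIGURED = [
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ",
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ",
]
FIXED = "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"  # assumed log form

if __name__ == "__main__":
    print(select(RECEIVED, CONFIGURED))            # no match: INTEG, then DH
    print(select(RECEIVED, CONFIGURED + [FIXED]))  # third proposal matches
```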