[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

MOSES KARIUKI kariukims at gmail.com
Wed Feb 13 19:38:55 CET 2019


Thanks Tobias for the quick response. I set this up, the Registry value and
the configuration below, but I still get the same error.

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=102.1*9.2*9.**
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!

Thanks a lot


On Wed, Feb 13, 2019 at 5:45 PM Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Moses,
>
> Configure an IKE proposal that's accepted by your peer (you disabled log
> messages for cfg, so you didn't see the details of the proposal
> negotiation).  Most likely the problem is that modp1024 is proposed, a
> DH group strongSwan doesn't include in its default IKE proposal anymore.
>  So to use it, IKE proposals have to be configured explicitly.  Also see
> [1] for information on how to get Windows to use at least modp2048.
>
> Regards,
> Tobias
>
> [1]
>
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
>
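
Added example (not part of the original thread and not strongSwan code): a Python check over an ipsec.conf excerpt that flags the two points raised in the reply, a cfg log level that hides the proposal negotiation and IKE proposals built on modp1024, and then compares the configured IKE proposals with a peer offer. The function names, the WEAK list, the simplified matching rule in select() and the peer offers used in the checks are assumptions made for illustration; the peer offers are constructed, not captured from a Windows client.

```python
import re

# Keyword classes for proposal strings (subset, assumed sufficient here).
DH = re.compile(r"^(modp\d+|ecp\d+(bp)?|curve(25519|448))$")
INTEG = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc)$")
WEAK = {"modp768", "modp1024", "3des", "md5"}  # assumption: local policy

# Excerpt of the configuration posted above.
CONF = '''
config setup
    charondebug="ike 1, knl 1, cfg 0"
conn ikev2-vpn
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
'''

def parse_proposals(value):
    """Split an ike=/esp= value into (list of proposals, strict flag)."""
    strict = value.strip().endswith("!")
    props = []
    for item in value.strip().rstrip("!").split(","):
        p = {"enc": set(), "integ": set(), "prf": set(), "dh": set()}
        for tok in item.strip().lower().split("-"):
            kind = ("prf" if tok.startswith("prf") else "dh" if DH.match(tok)
                    else "integ" if INTEG.match(tok) else "enc")
            p[kind].add(tok)
        props.append(p)
    return props, strict

def select(local, peer):
    """Simplified matching: first local proposal that shares an algorithm of
    every used transform type with a peer proposal, else None (NO_PROP)."""
    for l in local:
        for r in peer:
            if all(l[k] & r[k] for k in l if l[k] or r[k]):
                return l
    return None

def audit(conf):
    """Return findings for hidden negotiation logs and weak algorithms."""
    findings = []
    m = re.search(r'charondebug\s*=\s*"([^"]*)"', conf)
    levels = dict(x.split() for x in m.group(1).split(",")) if m else {}
    if int(levels.get("cfg", 1)) < 1:
        findings.append("cfg log level below 1: proposal details not logged")
    for key, val in re.findall(r"^\s*(ike|esp)\s*=\s*(\S+)", conf, re.M):
        used = set().union(*(s for p in parse_proposals(val)[0] for s in p.values()))
        findings += [f"{key}: weak algorithm {t}" for t in sorted(used & WEAK)]
    return findings
```

Raising cfg to 1 or higher in charondebug makes charon log the received and configured proposals, which shows the actual mismatch instead of a guess.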