[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
kman at fastmail.com
Wed Feb 13 20:12:40 CET 2019
Based on this in an earlier message:
"you disabled log message for cfg, so you didn't see the details of the
..." you may want to enable "cfg" logging under "charondebug".
And then you should be able to see the actual proposal sent by the
client (Windows) which should help troubleshoot.
On Wed, Feb 13, 2019, at 9:38 PM, MOSES KARIUKI wrote:
> Thanks Tobias for the quick response. I set this up, the Registry
> value and below configuration, but still the same error.
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
> conn ikev2-vpn
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> Thanks a lot
> On Wed, Feb 13, 2019 at 5:45 PM Tobias Brunner
> <tobias at strongswan.org> wrote:
>> Hi Moses,
>>
>> Configure an IKE proposal that's accepted by your peer (you disabled log
>> message for cfg, so you didn't see the details of the proposal
>> negotiation). Most likely the problem is that modp1024 is proposed, a
>> DH group strongSwan doesn't include in its default IKE proposal anymore.
>> So to use it, IKE proposals have to be configured explicitly.
>> Also see
>>  for information on how to get Windows to use at least modp2048.
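
Added example, not part of the original thread and not strongSwan project code: a small Python check for the two things the replies point at in the quoted configuration, `cfg` logging switched off in `charondebug` and IKE proposals that use a MODP group below modp2048. The function names, the 2048-bit threshold and the sample text are assumptions made for this example.

```python
import re

# Assumption: the 2048-bit floor follows the thread's advice to get Windows
# to use "at least modp2048"; adjust to local policy.
MIN_MODP_BITS = 2048

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = '''
config setup
    charondebug="ike 1, knl 1, cfg 0"
conn ikev2-vpn
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
'''

def parse_proposals(value):
    """Split an ike=/esp= value into a list of proposals and the strict flag ('!')."""
    value = value.strip()
    strict = value.endswith("!")
    proposals = [p.strip().split("-") for p in value.rstrip("!").split(",") if p.strip()]
    return proposals, strict

def audit(conf_text):
    """Return (section, key, message) findings for an ipsec.conf text."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header, e.g. "conn ikev2-vpn"
            section = line.strip()
            continue
        key, _, val = line.strip().partition("=")
        key, val = key.strip(), val.strip()
        if key == "charondebug":
            levels = dict(re.findall(r"(\w+)\s+(-?\d+)", val))
            if levels.get("cfg") == "0":
                findings.append((section, key, "cfg logging is off; proposal details are not logged"))
        elif key == "ike":
            proposals, _strict = parse_proposals(val)
            for prop in proposals:
                for token in prop:
                    m = re.fullmatch(r"modp(\d+)", token)
                    if m and int(m.group(1)) < MIN_MODP_BITS:
                        findings.append((section, key, "-".join(prop) + " uses " + token))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```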