[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Kostya Vasilyev
kman at fastmail.com
Wed Feb 13 20:12:40 CET 2019
Based on this in an earlier message:
"you disabled log message for cfg, so you didn't see the details of the
proposal negotiation"
... you may want to enable "cfg" logging under "charondebug"
https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
And then you should be able to see the actual proposal sent by the
client (Windows) which should help troubleshoot.
-- K
On Wed, Feb 13, 2019, at 9:38 PM, MOSES KARIUKI wrote:
> Thanks Tobias for the quick response. I set this up, the Registry
> value and below configuration, but still the same error.
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2*9.**
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> Thanks a lot
>
>
> On Wed, Feb 13, 2019 at 5:45 PM Tobias Brunner
> <tobias at strongswan.org> wrote:
>> Hi Moses,
>>
>> Configure an IKE proposal that's accepted by your peer (you disabled log
>> message for cfg, so you didn't see the details of the proposal
>> negotiation). Most likely the problem is that modp1024 is proposed, a
>> DH group strongSwan doesn't include in its default IKE proposal anymore.
>> So to use it, IKE proposals have to be configured explicitly. Also see
>> [1] for information on how to get Windows to use at least modp2048.
>>
>> Regards,
>> Tobias
>>
>> [1]
>> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
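
An added example, not part of the original thread and not strongSwan's own code: once "cfg" logging is enabled as suggested above, the received and configured proposals appear in the charon log, and a script like this reports which transform type has no algorithm in common. The log lines are constructed samples, and the prefix-based classification of transform names is an assumption of this example.

```python
import re

# Constructed sample of charon output with cfg logging enabled (not from the thread).
SAMPLE_LOG = """\
13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
13[CFG] configured proposals: IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048
13[IKE] received proposals inacceptable
"""

LINE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")
TYPES = ("encr", "integ", "prf", "dh")

def classify(token):
    # Prefix heuristic for strongSwan transform names (an assumption of this example).
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token.startswith("HMAC_") or token in ("AES_XCBC_96", "AES_CMAC_96"):
        return "integ"
    return "encr"

def parse_proposal(text):
    proto, _, transforms = text.partition(":")  # e.g. "IKE:A/B/C/D"
    prop = {t: set() for t in TYPES}
    for token in transforms.split("/"):
        prop[classify(token)].add(token)
    return proto, prop

def parse_log(log):
    sides = {"received": [], "configured": []}
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            sides[m.group(1)] += [parse_proposal(p) for p in m.group(2).split(", ")]
    return sides

def pair_mismatches(log):
    """Per received/configured pair: transform types with no shared algorithm."""
    sides = parse_log(log)
    return [[t for t in TYPES if (r[t] or c[t]) and not r[t] & c[t]]
            for rp, r in sides["received"]
            for cp, c in sides["configured"] if rp == cp]

def blocking_types(log):
    """Types that fail in every pair; empty when some pair is fully compatible."""
    pairs = pair_mismatches(log)
    if not pairs or any(not p for p in pairs):
        return []
    return [t for t in TYPES if all(t in p for p in pairs)]
```

For the constructed sample, `blocking_types(SAMPLE_LOG)` returns `['dh']`: every pairing fails on the DH group, the kind of mismatch Tobias describes for modp1024.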