[strongSwan] Unstable strongSwan-ASA tunnel

Santiago Lorente sll at disroot.org
Tue Nov 12 10:48:55 CET 2019

On 11/11/19 12:34, Tobias Brunner wrote:
> Hi Santiago,
>> I'm not an expert, but according to the logs it seems it might have
>> something to do with rekeying.
> Yep, looks that way.  First, I've never seen this message before:
>> Nov  9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
> It seems a bit strange, but I guess the peer doesn't want to use DH
> during CHILD_SA rekeying.  Technically, it should just ignore the KE
> payload and select a proposal without DH group (or with MODP_NONE).  If
> there isn't one, the response should probably be NO_PROPOSAL_CHOSEN and
> What's interesting is that strongSwan actually continues without a KE
> payload, while the proposal is obviously not changed and still proposes
> modp1024, so it won't actually match later and causes this error:
>> Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>> Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>> Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
> You should either enable PFS on the Cisco box, or disable it on the other.
> Regards,
> Tobias

Hey Tobias, thanks, it works now!

I added PFS to the Cisco ASA.

I think the SA keeps restarting sometimes, but now no connection is 

Thank you!

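The exchange described above, as an added example that is not part of the original thread or of strongSwan's code: a small Python model of IKEv2 CHILD_SA proposal matching, fed with the two "received/configured proposals" log lines quoted earlier. The matching rules (every transform type, including the DH group, has to agree, and a proposal with no DH transform is treated as MODP_NONE) are a deliberately reduced version of the RFC 7296 rules, not charon's actual implementation; the proposal-string format is the one charon prints. The two "fix" functions show the outcome of the options Tobias gave, namely enabling PFS on the ASA or dropping the DH group from the strongSwan ESP proposal.

```python
"""Simplified model of why the CHILD_SA rekey in the thread fails.

Constructed for illustration; it is not strongSwan's code.  Matching is
reduced to "every transform type must agree", which is enough to reproduce
the 'no acceptable proposal found' seen in the log.
"""
import re
from typing import Dict, List, Optional

# Transform names as charon prints them in an ESP proposal (subset).
ENCR = {"AES_CBC_128", "AES_CBC_192", "AES_CBC_256", "AES_GCM_16_128",
        "AES_GCM_16_256", "3DES_CBC"}
INTEG = {"HMAC_SHA1_96", "HMAC_SHA2_256_128", "HMAC_SHA2_512_256", "HMAC_MD5_96"}
DH = {"MODP_1024", "MODP_1536", "MODP_2048", "MODP_3072", "ECP_256", "ECP_384",
      "MODP_NONE"}
ESN = {"NO_EXT_SEQ", "EXT_SEQ"}


def parse_proposal(text: str) -> Dict[str, str]:
    """Turn 'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ' into a dict.

    A proposal without a DH transform gets dh='MODP_NONE': that is what a
    no-PFS CHILD_SA proposal amounts to, and it is the group the ASA
    "requested" in the thread.
    """
    proto, _, body = text.partition(":")
    if proto != "ESP":
        raise ValueError(f"only ESP proposals are modelled, got {proto!r}")
    p = {"proto": proto, "dh": "MODP_NONE"}
    for alg in body.split("/"):
        if alg in ENCR:
            p["encr"] = alg
        elif alg in INTEG:
            p["integ"] = alg
        elif alg in DH:
            p["dh"] = alg
        elif alg in ESN:
            p["esn"] = alg
        else:
            raise ValueError(f"unknown transform {alg!r}")
    return p


def select_proposal(configured: List[str], received: List[str]) -> Optional[Dict[str, str]]:
    """Return the first configured proposal that also appears in the received
    list (configured order wins, mirroring strongSwan's default preference),
    or None, which corresponds to 'no acceptable proposal found'."""
    keys = ("proto", "encr", "integ", "dh", "esn")
    for cfg in map(parse_proposal, configured):
        for rcv in map(parse_proposal, received):
            if all(cfg.get(k) == rcv.get(k) for k in keys):
                return cfg
    return None


# Pulls the proposal lists out of charon's "[CFG] ... proposals:" lines.
LOG_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")


def proposals_from_log(lines: List[str]) -> Dict[str, List[str]]:
    found: Dict[str, List[str]] = {"received": [], "configured": []}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found[m.group(1)].extend(s.strip() for s in m.group(2).split(","))
    return found


def rekey_outcome(lines: List[str]) -> Optional[Dict[str, str]]:
    p = proposals_from_log(lines)
    return select_proposal(p["configured"], p["received"])


# The two log lines quoted in the thread (copied, not constructed).
LOG_FROM_THREAD = [
    "Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ",
    "Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
]

WITH_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"
WITHOUT_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"


def fix_enable_pfs_on_asa() -> Optional[Dict[str, str]]:
    """What Santiago did: the ASA now sends a DH group, so the proposals match."""
    return select_proposal([WITH_PFS], [WITH_PFS])


def fix_disable_pfs_on_strongswan() -> Optional[Dict[str, str]]:
    """The alternative: keep the ASA as is and accept a no-DH ESP proposal."""
    return select_proposal([WITH_PFS, WITHOUT_PFS], [WITHOUT_PFS])


if __name__ == "__main__":
    print("as logged:", rekey_outcome(LOG_FROM_THREAD))
    print("PFS on ASA:", fix_enable_pfs_on_asa())
    print("no PFS on strongSwan:", fix_disable_pfs_on_strongswan())
```

In real configuration terms, the second fix is `esp=aes256-sha1` (or an extra `aes256-sha1` proposal after `aes256-sha1-modp1024`) in ipsec.conf, or `esp_proposals = aes256-sha1-modp1024,aes256-sha1` in swanctl.conf; the first is `set pfs group2` on the ASA crypto map entry, group2 being MODP 1024. Enabling PFS on both sides is the better choice security-wise, but MODP_1024 itself is weak by current standards, so raising both ends to MODP_2048 or an ECP group at the same time is worth considering.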