BTW is my following understanding of the NO_PROPOSAL_CHOSEN error correct: strongSwan correcty executes phase 1 of IKE because I see the message:
IKE_SA data-display[1] established between 192.168.42.213[83.161.66.130]...213.163.70.4[213.163.70.4] However, it can't finish phase 2 because the cipher suites that my strongSwan says it supports (configured with the "esp" setting) are not supported by the Cicso gateway on the other end. That is why the gateway sends the NO_PROPOSAL_CHOSEN message: received NO_PROPOSAL_CHOSEN error notify Is there a way to find out which cipher suites the Cisco router supports? I know that during phase 1 of IKE I get a "received proposals" message: charon[24416]: 08[CFG] received proposals: IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 charon[24416]: 08[CFG] configured proposals: IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 charon[24416]: 08[CFG] selected proposal: IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Is there something similar for phase 2? Are there also other tools to debug this problem? I already tried ike-scan: sudo ike-scan -v -v -v 213.163.70.4 http://pastebin.com/FpwT6xEH Cheers, Bas _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
