Thanks IL Ka. Which group should I add? I am a bit of a noob here. I have checked the strongSwan documentation but I can't trace a list of these commands.
Thanks,

On Fri, Feb 15, 2019 at 10:17 AM IL Ka <kazakevichi...@gmail.com> wrote:

> I see DH problem as Tobias said.
> look:
>
> Client:
>
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>
> StrongSwan:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> Client wants MODP_2048 while Swan has only MODP_1024 enabled.
>
> As result, "no acceptable DIFFIE_HELLMAN_GROUP found"
>
> See ipsec.conf for "ike" setting. Especially about "modpgroup".
>
> On Fri, Feb 15, 2019 at 8:42 AM MOSES KARIUKI <kariuk...@gmail.com> wrote:
>
>> Dear Team,
>> Please see below:
>>
>> *ipsec statusall*
>> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64):
>> uptime: 17 hours, since Feb 14 11:52:17 2019
>> malloc: sbrk 1757184, mmap 0, used 534320, free 1222864
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>> loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>> Virtual IP pools (size/online/offline):
>> 10.10.10.0/24: 254/0/0
>> Listening IP addresses:
>> 102.1*9.2*9.**
>> Connections:
>> ikev2-vpn: %any...%any IKEv2, dpddelay=300s
>> ikev2-vpn: local: [102.1*9.2*9.**] uses public key authentication
>> ikev2-vpn: cert: "CN=102.1*9.2*9.**"
>> ikev2-vpn: remote: [fromcert] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
>> ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
>> Security Associations (0 up, 0 connecting):
>> none
>>
>> *systemctl status strongswan*
>> ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
>> Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
>> Active: active (running) since Thu 2019-02-14 11:52:17 UTC; 17h ago
>> Main PID: 2204 (starter)
>> Tasks: 18 (limit: 2275)
>> CGroup: /system.slice/strongswan.service
>> ├─2204 /usr/lib/ipsec/starter --daemon charon --nofork
>> └─2232 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 2
>>
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_C
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 09[IKE] remote host is behind NAT
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 09[IKE] received proposals inacceptable
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 09[NET] sending packet: from 102.1*9.2*9.**[500] to 154.153.1*0.***[500] (36 bytes)
>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 10[CFG] proposing traffic selectors for us:
>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 10[CFG] 0.0.0.0/0
>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 10[CFG] proposing traffic selectors for other:
>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]: 10[CFG] dynamic
>>
>> The error log:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[NET] received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500] (632 bytes)
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[CFG] loaded EAP secret for remoteprivate
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[LIB] dropped capabilities, running as uid 0, gid 0
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 00[JOB] spawning 16 worker threads
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] received stroke: add connection 'ikev2-vpn'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] conn ikev2-vpn
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] left=%any
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] leftsubnet=0.0.0.0/0
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] leftid=102.1*9.2*9.**
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] leftcert=server-cert.pem
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] right=%any
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] rightsourceip=10.10.10.0/24
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] rightdns=8.8.8.8,8.8.4.4
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] rightauth=eap-mschapv2
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] rightid=%fromcert
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] eap_identity=%identity
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] esp=aes256-sha256,aes256-sha1,3des-sha1!
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] dpddelay=300
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] dpdtimeout=150
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] dpdaction=1
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] sha256_96=no
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] mediation=no
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] keyexchange=ikev2
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] adding virtual IP address pool 10.10.10.0/24
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] loaded certificate "CN=102.1*9.2*9.**" from 'server-cert.pem'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 05[CFG] added configuration 'ikev2-vpn'
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 08[NET] received packet: from 216.218.206.86[8310] to 102.1*9.2*9.**[500] (64 bytes)
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 08[ENC] parsed ID_PROT request 0 [ SA ]
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 08[CFG] looking for an ike config for 102.1*9.2*9.**...216.218.206.86
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 08[IKE] no IKE config found for 102.1*9.2*9.**...216.218.206.86, sending NO_PROPOSAL_CHOSEN
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 08[ENC] generating INFORMATIONAL_V1 request 2332246493 [ N(NO_PROP) ]
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 08[NET] sending packet: from 102.1*9.2*9.**[500] to 216.218.206.86[8310] (40 bytes)
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[NET] received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500] (632 bytes)
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] candidate: %any...%any, prio 28
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] found matching ike config: %any...%any with prio 28
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[IKE] received MS-Negotiation Discovery Capable vendor ID
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[IKE] received Vid-Initial-Contact vendor ID
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[IKE] 154.153.1*0.*** is initiating an IKE_SA
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] candidate: %any...%any, prio 28
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] found matching ike config: %any...%any with prio 28
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE] received MS-Negotiation Discovery Capable vendor ID
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE] received Vid-Initial-Contact vendor ID
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE] 154.153.1*0.*** is initiating an IKE_SA
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] selecting proposal:
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE] remote host is behind NAT
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE] received proposals inacceptable
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[NET] sending packet: from 102.1*9.2*9.**[500] to 154.153.1*0.***[500] (36 bytes)
>> Feb 15 05:11:50 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [68232.190082] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.153.1*0.*** DST=102.1*9.2*9.** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=15775 DF PROTO=TCP SPT=54821 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>> ....
>>
>> On Thu, Feb 14, 2019 at 5:37 PM MOSES KARIUKI <kariuk...@gmail.com> wrote:
>>
>>> Thanks Tobias for the feedback. Let me try from another machine and
>>> revert back to you.
>>>
>>> Thanks a lot,
>>> Moses K
>>>
>>> On Thu, Feb 14, 2019 at 5:30 PM Tobias Brunner <tob...@strongswan.org> wrote:
>>>
>>>> Hi Moses,
>>>>
>>>> > But now it gives the error that it didn't
>>>> > connect as the remote host did not resolve . :(
>>>>
>>>> That doesn't sound like it's in any way related to your previous issue.
>>>> And until you fix that (DNS, firewall or whatever else the problem is)
>>>> the config updates or the log won't help as the client won't send any
>>>> packets to the server.
>>>>
>>>> Also, log level 9 makes no sense as 4 is the maximum and is too much
>>>> either. Set it to 2 (even 1 would be enough to debug the proposal
>>>> issue, though).
>>>>
>>>> Regards,
>>>> Tobias
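
Added example (not part of the original thread and not strongSwan's own code): the comparison IL Ka describes, run over the "received proposals" and "configured proposals" lines from the log above, plus the ike= value that would match this client. It assumes one algorithm per transform type, as in those two lines, and compares types in RFC 7296 numbering order with configured proposals outermost, which reproduces the log's sequence of "no acceptable ... found" messages; all function names are hypothetical.

```python
# Added example: explain an IKE proposal mismatch from charon's two [CFG] lines.
# IKEv2 transform types in RFC 7296 numbering order (1 ENCR, 2 PRF, 3 INTEG, 4 DH).
TYPES = ("ENCRYPTION_ALGORITHM", "PSEUDO_RANDOM_FUNCTION",
         "INTEGRITY_ALGORITHM", "DIFFIE_HELLMAN_GROUP")

# Log names that occur in this thread -> ipsec.conf proposal keywords.
KEYWORDS = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES_CBC": "3des",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "HMAC_SHA2_384_192": "sha384",
    "MODP_1024": "modp1024", "MODP_2048": "modp2048",
}

# The two messages from the thread's log, syslog prefix removed.
RECEIVED = ("09[CFG] received proposals: "
            "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
CONFIGURED = ("09[CFG] configured proposals: "
              "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
              "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
              "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")


def parse(line):
    """Return the proposals in a log line as dicts: transform type -> name."""
    proposals = []
    for item in line.split("proposals:", 1)[1].split(","):
        # The log prints each proposal as ENCR/INTEG/PRF/DH.
        enc, integ, prf, dh = item.strip().split(":", 1)[1].split("/")
        proposals.append(dict(zip(TYPES, (enc, prf, integ, dh))))
    return proposals


def first_mismatch(configured, received):
    """First transform type, in TYPES order, on which two proposals differ."""
    return next((t for t in TYPES if configured[t] != received[t]), None)


def explain(configured_line, received_line):
    """One result per (configured, received) pair, configured proposals outermost."""
    return [first_mismatch(c, r)
            for c in parse(configured_line) for r in parse(received_line)]


def ike_setting(received_line):
    """ipsec.conf ike= value offering exactly what the peer proposed.
    The PRF keyword is omitted: strongSwan derives it from the integrity one."""
    order = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM", "DIFFIE_HELLMAN_GROUP")
    return "ike=" + ",".join(
        "-".join(KEYWORDS[p[t]] for t in order) for p in parse(received_line)) + "!"


if __name__ == "__main__":
    for reason in explain(CONFIGURED, RECEIVED):
        print("no acceptable", reason, "found")
    print(ike_setting(RECEIVED))
```

The generated value drops modp1024, the weakest group in either list, so a client that offers only modp1024 would then be rejected.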