[Swan] windows 10 Policy Match Error

Computerisms Corporation bob at computerisms.ca
Fri Oct 4 18:29:17 UTC 2019

Hi Again,

Turns out that brand new laptop still does connect so long as I do not 
specify an ike/esp line.  In the debug logs, it seems to choose this 


Not sure how that helps me get the other ones connected, but it is 
interesting, at least...

In the debug logs, I think this is the line that indicates what Windows 
is proposing that libreswan is rejecting:

pluto[30250]: "rw-ikev2"[1] #5: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED

So I put this in my conn:


and the connection worked.

So I go back to the wiki, which tells me to use this:


and I believe from reading the man page on the topic that this should 
also match the aes256-sha1-modp1024 proposal, however evidence clearly 
indicates it does not.

I tried messing with the syntax of the wiki line a bit, but nothing I 
did worked, really not clear what I am missing.  Did I find a problem 
that isn't supposed to be there?  Or am I just stuck with only accepting 
the single esp proposal?

How do I interpret this and translate it to

On 2019-10-04 9:30 a.m., Computerisms Corporation wrote:
> Hi Nels and Paul,
> Apologies for the delayed reply, I was overly busy at the moment and 
> duct taped the immediate issue with some iptables rules and port 
> forwarding.  But need something better and I am back to trying to solve 
> this now.
> I tried setting ikev2 from yes to no, sadly did not change the situation.
> Oddly enough I put a brand new setup together about a week ago, with a 
> brand new laptop, and it connected fine.  Yesterday I configured a bunch 
> of other laptops to connect to that same firewall, and now nothing 
> connects to it.  That causes me to wonder if a Windows update that 
> wasn't installed to begin with is there now on the brand new laptop.
> Regardless, I faced this problem with Windows 7 way back, and I managed 
> to solve it that time with a post I found on the strongSwan list.  So 
> my instinct is telling me I need to find the correct ike=/esp= lines to 
> fix this problem.  I did find a post from strongSwan from Oct/Nov 2018:
> https://wiki.strongswan.org/issues/2808
> But none of those cipher lines worked.
> Similarly there are a set of ciphers listed on the libreswan wiki under 
> the no_proposal_chosen section, and those are not working either.
> I am thinking the next task is to go through the debug log and find out 
> what proposals Windows is expecting, and try to construct appropriate 
> ike=/esp= lines.  I found the parts of the man page that explain how to 
> write the ciphers, but having a hard time translating the log entries 
> into valid cipher descriptions for the conf file.
> Posting the debug log here in case anyone is interested in having a 
> look...
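
One way to turn the "no local proposal matches remote proposals" log entry above into an esp= line, as an added example that is not part of the original post and not libreswan code. The function and table names are hypothetical, and every transform name other than the two in the posted log line is an assumed log spelling.

```python
import re
from itertools import product

# pluto log name -> ipsec.conf keyword. AES_CBC_256 and HMAC_SHA1_96 come from
# the log line in the post; the other entries are assumed log spellings.
ENCR = {"AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES": "3des"}
INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha2_256"}
DH = {"MODP1024": "modp1024", "MODP2048": "modp2048"}

ESP_PROPOSAL = re.compile(r"\d+:ESP:(\S+)")


def lookup(table, name):
    """Map a logged transform name, refusing to guess at unknown ones."""
    if name not in table:
        raise ValueError(f"no known ipsec.conf keyword for {name!r}")
    return table[name]


def esp_line(log_line):
    """Build an esp= line from a 'no local proposal matches' pluto log entry."""
    _, found, tail = log_line.partition("remote proposals")
    if not found:
        raise ValueError("not a 'remote proposals' log line")
    proposals = []
    for body in ESP_PROPOSAL.findall(tail):
        transforms = {}
        for item in body.split(";"):
            kind, _, name = item.partition("=")
            transforms.setdefault(kind, []).append(name)
        # ESN is not mapped by this example and is dropped.
        # A proposal without a DH transform gets no -modpNNNN suffix.
        dh_names = transforms.get("DH") or [None]
        for encr, integ, dh in product(
            transforms.get("ENCR", []), transforms.get("INTEG", []), dh_names
        ):
            parts = [lookup(ENCR, encr), lookup(INTEG, integ)]
            if dh is not None and dh != "NONE":
                parts.append(lookup(DH, dh))
            proposals.append("-".join(parts))
    if not proposals:
        raise ValueError("no ESP proposal found in log line")
    return "esp=" + ",".join(proposals)


if __name__ == "__main__":
    # The log line quoted in the post, joined onto one line.
    POSTED = ('pluto[30250]: "rw-ikev2"[1] #5: no local proposal matches remote '
              "proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED")
    print(esp_line(POSTED))
```

The posted proposal carries no DH transform, so the generated line has no modp suffix; a transform name missing from the tables raises an error instead of being guessed.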
