Hi folks,

I am trying to connect an ios 9.1 device to strongswan 5.3.3,
using IKEv2. Problem: It doesn't.

Here is the log file:

Oct 27 09:33:25 srvl047 charon: 02[NET] received packet: from 2001:db8:30:fff0:4ff:fc45:f6a4:3860[500] to 2001:db8:13b0:ffff::63[500]
Oct 27 09:33:25 srvl047 charon: 02[NET] waiting for data on sockets
Oct 27 09:33:25 srvl047 charon: 15[MGR] checkout IKE_SA by message
Oct 27 09:33:25 srvl047 charon: 15[MGR] created IKE_SA (unnamed)[5]
Oct 27 09:33:25 srvl047 charon: 15[NET] received packet: from 2001:db8:30:fff0:4ff:fc45:f6a4:3860[500] to 2001:db8:13b0:ffff::63[500] (388 bytes)
Oct 27 09:33:25 srvl047 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 27 09:33:25 srvl047 charon: 15[CFG] looking for an ike config for 2001:db8:13b0:ffff::63...2001:db8:30:fff0:4ff:fc45:f6a4:3860
Oct 27 09:33:25 srvl047 charon: 15[CFG] candidate: gate.example.com...%any, prio 1052
Oct 27 09:33:25 srvl047 charon: 15[CFG] candidate: gate.example.com...%any, prio 1052
Oct 27 09:33:25 srvl047 charon: 15[CFG] found matching ike config: gate.example.com...%any with prio 1052
Oct 27 09:33:25 srvl047 charon: 15[IKE] 2001:db8:30:fff0:4ff:fc45:f6a4:3860 is initiating an IKE_SA
Oct 27 09:33:25 srvl047 charon: 15[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Oct 27 09:33:25 srvl047 charon: 15[CFG] selecting proposal:
Oct 27 09:33:25 srvl047 charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 27 09:33:25 srvl047 charon: 15[CFG] selecting proposal:
Oct 27 09:33:25 srvl047 charon: 15[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Oct 27 09:33:25 srvl047 charon: 15[CFG] selecting proposal:
Oct 27 09:33:25 srvl047 charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 27 09:33:25 srvl047 charon: 15[CFG] selecting proposal:
Oct 27 09:33:25 srvl047 charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 27 09:33:25 srvl047 charon: 15[CFG] selecting proposal:
Oct 27 09:33:25 srvl047 charon: 15[CFG] proposal matches
Oct 27 09:33:25 srvl047 charon: 15[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 27 09:33:25 srvl047 charon: 15[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 27 09:33:25 srvl047 charon: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 27 09:33:25 srvl047 charon: 15[IKE] sending strongSwan vendor ID
Oct 27 09:33:25 srvl047 charon: 15[IKE] DH group MODP_1024 inacceptable, requesting MODP_1536
Oct 27 09:33:25 srvl047 charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
Oct 27 09:33:25 srvl047 charon: 15[NET] sending packet: from 2001:db8:13b0:ffff::63[500] to 2001:db8:30:fff0:4ff:fc45:f6a4:3860[500] (58 bytes)
Oct 27 09:33:25 srvl047 charon: 15[MGR] checkin and destroy IKE_SA (unnamed)[5]
Oct 27 09:33:25 srvl047 charon: 03[NET] sending packet: from 2001:db8:13b0:ffff::63[500] to 2001:db8:30:fff0:4ff:fc45:f6a4:3860[500]
Oct 27 09:33:25 srvl047 charon: 15[IKE] IKE_SA (unnamed)[5] state change: CONNECTING => DESTROYING
Oct 27 09:33:25 srvl047 charon: 15[MGR] check-in and destroy of IKE_SA successful


Please note that both peers agreed upon a proposal including DH group 5,
but then there is a message "DH group MODP_1024 inacceptable, requesting
MODP_1536". The selected proposal wasn't DH2, so I wonder WTH?


Every helpful comment would be highly appreciated
Regards

Harri