Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with
HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in
second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed
by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
<b>esp=aes128-sha1!</b> by applying the strict flag '!'.