Martin,<div><br></div><div>Thanks for the swift reply.</div><div><br><div class="gmail_quote">On 1 December 2010 13:11, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org">martin@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi Graham,<br>
<div class="im"><br>
> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ<br>
</div><div class="im">> DH group MODP_2048 inacceptable, requesting MODP_1024<br>
<br>
</div><div class="im">> The client sends back N(INVAL_KE) to the server and we then get into<br>
> an endless cycle of trying to renegotiate the tunnel rekey.<br>
<br>
</div>The procedure looks correct so far, but the server should retry rekeying<br>
with the correct group. What does the server show in its log? Does it<br>
receive the MODP_1024 request, but retries again with MODP_2048?<br>
<div class="im"><br></div></blockquote><div><br></div><div>Unfortunately, I was running with minimal tracing on the server. The tracing on the client would suggest not.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">
> is this a bug in strongSwan ?<br>
<br>
</div>Looks like.<br>
<div class="im"><br></div></blockquote><div><br></div><div>Yikes !</div><div><br></div><div>Unfortunately, this being a live server and all, I've switch over to using "esp=aes-sha1" on the server. We'll have to wait ~8 hours to see if that works. If I get some time next week, I'll try and set up a separate server and point one of the clients at it.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
> the server a hacked version of strongSwan 4.3.2.<br>
<br>
</div>Have you tried a more recent version on the server? Haven't found a<br>
related changelog, but maybe we have fixed this issue in the last<br>
one-and-a-half years.<br>
<br></blockquote><div><br></div><div>Ah. Unfortunately, our copy of 4.3.2 is heavily hacked and the area that is hacked was completely re-architected by yourselves in 4.3.3 :-)</div><div><br></div><div>We are looking to do some new work with the server code in the New Year and as a prerequisite, I shall be moving our "hacks" to the latest release of strongSwan then. I'll let you know what happens.</div>
<div><br></div><div>Cheers,</div><div><br></div></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div class="gmail_quote"><div>Graham.</div><div> </div>
</div></div></blockquote>