[strongSwan-dev] why DH group NEWHOPE_128 inacceptable ?

Trump DD wrxzzj at gmail.com
Fri Oct 21 08:57:14 CEST 2016


Hi
   I have configured newhope and enabled the newhope plugin, but
strongSwan 5.5.1 told me DH group NEWHOPE_128 inacceptable

08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
08[CFG] selecting proposal:
08[CFG] an algorithm from private space would match, but peer implementation is unknown, skipped
08[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
08[CFG] selecting proposal:
08[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
08[CFG] selecting proposal:
08[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   proposal matches
08[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128,
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
08[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128,
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_GCM_12_256/PRF_HMAC_SHA2_384/MODP_2048,
IKE:AES_CCM_12_256/PRF_HMAC_SHA2_384/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
08[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
08[IKE] remote host is behind NAT
08[IKE] DH group NEWHOPE_128 inacceptable, requesting MODP_2048

-- 
Thanks
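
An added example, not part of the original post and not strongSwan code: a small triage script that pairs each `selecting proposal:` attempt in a charon log with the reason it was rejected and surfaces the DH group retry. The sample input is an excerpt of the log lines posted above; the function name `triage` is hypothetical.

```python
import re

# Excerpt of the charon log from the post above (proposal selection only).
SAMPLE_LOG = """\
08[CFG] selecting proposal:
08[CFG] an algorithm from private space would match, but peer implementation is unknown, skipped
08[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
08[CFG] selecting proposal:
08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
08[CFG] selecting proposal:
08[CFG]   proposal matches
08[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
08[IKE] DH group NEWHOPE_128 inacceptable, requesting MODP_2048
"""

LINE = re.compile(r"^\d+\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")
REJECT = re.compile(r"no acceptable (\w+) found")
DH_RETRY = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")


def triage(log_text):
    """Return (attempts, selected, dh_retry) for one IKE_SA_INIT exchange."""
    attempts, selected, dh_retry = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and wrapped continuation lines
        msg = m.group("msg")
        if msg == "selecting proposal:":
            attempts.append({"result": None, "private_skipped": False})
        elif msg.startswith("selected proposal:"):
            selected = msg.split(":", 1)[1].strip()
        elif (r := DH_RETRY.search(msg)):
            dh_retry = r.groups()  # (group sent by peer, group requested)
        elif attempts:
            cur = attempts[-1]
            if "algorithm from private space would match" in msg:
                cur["private_skipped"] = True
            elif (r := REJECT.search(msg)):
                cur["result"] = "missing " + r.group(1)
            elif msg == "proposal matches":
                cur["result"] = "match"
    return attempts, selected, dh_retry


if __name__ == "__main__":
    attempts, selected, dh_retry = triage(SAMPLE_LOG)
    for i, a in enumerate(attempts, 1):
        print(i, a["result"], "(private-space skip)" if a["private_skipped"] else "")
    print("selected:", selected, "| DH retry:", dh_retry)
```

On this excerpt the first attempt is the only one flagged with the private-space skip, which is the attempt that then fails on DIFFIE_HELLMAN_GROUP.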
