[strongSwan-dev] why DH group NEWHOPE_128 inacceptable ?

Trump DD wrxzzj at gmail.com
Fri Oct 21 13:58:47 CEST 2016


Thanks for the reply.

I have enabled this option in the config file.

Now, in the IKE phase, NEWHOPE was activated,
but in the ESP phase, NEWHOPE was always inactive.

I have checked the newhope128 config for the ESP phase on both sides:

esp=aes256gcm128-newhope128

What's wrong with my config?


Below are my log files; I have configured NEWHOPE_128 on both sides.

02[CFG] selecting proposal:
02[CFG]   proposal matches
02[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
02[CFG] configured proposals:
ESP:AES_GCM_16_256/NEWHOPE_128/NO_EXT_SEQ,
ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ,
ESP:AES_CCM_16_256/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ
02[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ


On Fri, Oct 21, 2016 at 7:29 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Which means, add the following entry to /etc/strongswan.conf:
>
> charon {
>   send_vendor_id = yes
> }
>
> Regards
>
> Andreas
>
> On 21.10.2016 13:21, Noel Kuntze wrote:
>>
>> On 21.10.2016 08:57, Trump DD wrote:
>>>
>>> 08[CFG] an algorithm from private space would match, but peer
>>> implementation is unknown, skipped
>>
>>
>> Make sure both sides are configured to send the strongswan vendor id.
>>
>>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>



-- 
Thanks

