[strongSwan] SeGW-initiated rekey fails - DH group unacceptable

Martin Willi martin at strongswan.org
Wed Dec 1 14:11:39 CET 2010


Hi Graham,

> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> DH group MODP_2048 inacceptable, requesting MODP_1024

> The client sends back N(INVAL_KE) to the server and we then get into
> an endless cycle of trying to renegotiate the tunnel rekey.

The procedure looks correct so far, but the server should retry rekeying
with the correct group. What does the server show in its log? Does it
receive the MODP_1024 request, but retries again with MODP_2048?

> is this a bug in strongSwan ?

Looks like.

> the server a hacked version of strongSwan 4.3.2.

Have you tried a more recent version on the server? Haven't found a
related changelog, but maybe we have fixed this issue in the last
one-and-a-half years.

Regards
Martin
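
The retry procedure Martin describes, modelled as an added example (this is not strongSwan code and not part of the original thread; the class and function names, the group lists and the log strings are hypothetical). The model drives a CREATE_CHILD_SA rekey as initiator: the responder rejects the proposed DH group with N(INVALID_KE_PAYLOAD) and names the group it wants, a correct initiator retries once with that group, and an initiator that ignores the requested group re-proposes the same one and produces exactly the endless cycle from the report. It also shows what happens when the requested group is not configured locally at all, where no retry can help.

```python
# Added example, not strongSwan's code: a small model of the IKEv2
# CREATE_CHILD_SA rekey exchange with INVALID_KE_PAYLOAD handling.
# All names, group lists and log strings below are hypothetical.

INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"


def proposal_dh_group(proposal):
    """Extract the DH group from a strongSwan-style proposal string such as
    'ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ'. Returns None for a
    proposal without PFS (no MODP_/ECP_ transform present)."""
    _, _, transforms = proposal.partition(":")
    for transform in transforms.split("/"):
        if transform.startswith(("MODP_", "ECP_")):
            return transform
    return None


class Responder:
    """Peer whose ESP proposal accepts a fixed list of DH groups."""

    def __init__(self, accepted_groups):
        self.accepted_groups = tuple(accepted_groups)  # first = preferred

    def create_child_sa(self, group):
        # Returns ("OK", group) or (INVALID_KE_PAYLOAD, preferred_group)
        if group in self.accepted_groups:
            return "OK", group
        return INVALID_KE_PAYLOAD, self.accepted_groups[0]


def rekey(initiator_groups, responder, honour_invalid_ke=True, max_attempts=5):
    """Drive a CHILD_SA rekey as initiator.

    initiator_groups:  DH groups the initiator is configured for, preferred first.
    honour_invalid_ke: True  = retry with the group the peer requested
                               (the RFC 7296 behaviour);
                       False = re-propose the same group, which is the
                               endless cycle seen in the thread.
    Returns (outcome, group, attempts, log)."""
    group = initiator_groups[0]
    log = []
    for attempt in range(1, max_attempts + 1):
        log.append("CREATE_CHILD_SA proposing %s" % group)
        status, suggested = responder.create_child_sa(group)
        if status == "OK":
            log.append("CHILD_SA established with %s" % group)
            return "established", group, attempt, log
        log.append("received N(%s), peer requests %s" % (status, suggested))
        if not honour_invalid_ke:
            continue  # bug: ignore the requested group and try the same one again
        if suggested not in initiator_groups:
            # Peer wants a group we are not configured for: no retry can help,
            # the two configurations have to be aligned instead.
            log.append("requested group %s not configured locally, giving up" % suggested)
            return "unsupported_group", suggested, attempt, log
        group = suggested
    log.append("giving up after %d attempts" % max_attempts)
    return "gave_up", group, max_attempts, log


if __name__ == "__main__":
    # Constructed scenario mirroring the report: client only accepts MODP_1024,
    # server prefers MODP_2048 but is also configured for MODP_1024.
    client = Responder(["MODP_1024"])
    print(proposal_dh_group("ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"))
    for honour in (True, False):
        outcome, group, n, log = rekey(["MODP_2048", "MODP_1024"], client, honour)
        print(outcome, group, n)
        for line in log:
            print("  " + line)
```

The max_attempts guard is there because an initiator must never loop on INVALID_KE_PAYLOAD without bound; a real implementation would also drop the rekey (and keep or tear down the old CHILD_SA according to policy) rather than retry forever.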
