[strongSwan] SeGW-initiated rekey fails - DH group unacceptable

Graham Hudspith graham.hudspith at gmail.com
Wed Dec 1 14:51:52 CET 2010


Martin,

Thanks for the swift reply.

On 1 December 2010 13:11, Martin Willi <martin at strongswan.org> wrote:

> Hi Graham,
>
> > selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> > DH group MODP_2048 inacceptable, requesting MODP_1024
>
> > The client sends back N(INVAL_KE) to the server and we then get into
> > an endless cycle of trying to renegotiate the tunnel rekey.
>
> The procedure looks correct so far, but the server should retry rekeying
> with the correct group. What does the server show in its log? Does it
> receive the MODP_1024 request, but retries again with MODP_2048?
>
>
Unfortunately, I was running with minimal tracing on the server. The tracing
on the client would suggest not.


> > is this a bug in strongSwan?
>
> Looks like.
>
>
Yikes!

Unfortunately, this being a live server and all, I've switched over to using
"esp=aes-sha1" on the server. We'll have to wait ~8 hours to see if that
works. If I get some time next week, I'll try and set up a separate server
and point one of the clients at it.

> the server a hacked version of strongSwan 4.3.2.
>
> Have you tried a more recent version on the server? Haven't found a
> related changelog, but maybe we have fixed this issue in the last
> one-and-a-half years.
>
>
Ah. Unfortunately, our copy of 4.3.2 is heavily hacked and the area that is
hacked was completely re-architected by yourselves in 4.3.3 :-)

We are looking to do some new work with the server code in the New Year and
as a prerequisite, I shall be moving our "hacks" to the latest release of
strongSwan then. I'll let you know what happens.

Cheers,

Graham.
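As an added illustration (not code from this thread or from strongSwan itself), a small Python check over client-side charon log lines in the format quoted above: it counts consecutive INVALID_KE round trips for the same DH group pair and flags the rekey as stuck when the peer keeps re-offering the rejected group instead of the requested one. The sample log lines, the "established" line format and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Patterns for the client-side charon line quoted in the thread (DH group
# rejected, INVALID_KE_PAYLOAD sent) and for the line charon prints once a
# CHILD_SA actually comes up. Log prefixes (thread id, subsystem) are skipped
# by using search() instead of anchoring at the start of the line.
REJECT_RE = re.compile(
    r"DH group (?P<bad>MODP_\d+) inacceptable, requesting (?P<want>MODP_\d+)")
ESTABLISHED_RE = re.compile(r"CHILD_SA \S+ established with SPIs")

def analyze_rekey_log(log_text: str, loop_threshold: int = 3) -> dict:
    """Count INVALID_KE round trips. A peer that honours the requested group
    produces at most one rejection before the CHILD_SA is established; the
    same (offered, requested) pair repeating loop_threshold times with no
    CHILD_SA established in between is the endless-rekey symptom."""
    streak = Counter()      # consecutive rejections per (offered, requested)
    worst = (0, None)       # longest streak seen and the pair it belongs to
    established = 0
    for line in log_text.splitlines():
        if ESTABLISHED_RE.search(line):
            established += 1
            streak.clear()          # rekey succeeded, loop is broken
            continue
        m = REJECT_RE.search(line)
        if m:
            pair = (m.group("bad"), m.group("want"))
            streak[pair] += 1
            if streak[pair] > worst[0]:
                worst = (streak[pair], pair)
    offered, requested = worst[1] if worst[1] else (None, None)
    return {"max_streak": worst[0], "offered": offered, "requested": requested,
            "established": established, "stuck": worst[0] >= loop_threshold}

# Constructed sample logs in the format of the thread's lines (not real captures).
SAMPLE_STUCK = """\
10[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
10[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
11[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
"""
SAMPLE_HEALTHY = """\
10[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
11[IKE] CHILD_SA net-1{2} established with SPIs c1a2b3d4_i e5f6a7b8_o
"""

if __name__ == "__main__":
    print(analyze_rekey_log(SAMPLE_STUCK))    # stuck: True, max_streak 3
    print(analyze_rekey_log(SAMPLE_HEALTHY))  # stuck: False, established 1
```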