[strongSwan] issue with modpnull Diffie-Hellman group

Andreas Steffen andreas.steffen at strongswan.org
Thu Feb 27 14:20:06 CET 2014 

Hi,

since MODP_NULL is not an IANA-registered DH group but intended
for testing purposes only, You must send the strongSwan Vendor ID
by adding the following statements

charon {
  send_vendor_id = yes
}

in the /etc/strongswan.conf files of both endpoints.

Regards

Andreas

On 02/27/2014 12:25 PM, Chinmaya Dwibedy wrote:
> Hi ,
> 
> I am using the modpnull Diffie-Hellman gr to avoid the DH calculation
> overhead (strongswan-5.0.4). But it is unable to establish the security
> association. Here goes the logs at IKE responder end. Can anyone please
> suggest what is the wrong?   
> 
> 11[CFG] received stroke: add connection 'host-host'
> 11[CFG] adding virtual IP address pool 10.0.0.0/8
> 11[CFG] added configuration 'host-host'
> 13[NET] <1> received packet: from 30.30.30.11[500] to 30.30.30.21[500]
> (176 bytes)
> 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 13[CFG] <1> an algorithm from private space would match, but peer
> implementation is unknown, skipped
> 13[CFG] <1> received proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_NULL
> 13[CFG] <1> configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_NULL
> 13[IKE] <1> received proposals inacceptable
> 13[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 13[NET] <1> sending packet: from 30.30.30.21[500] to 30.30.30.11[500]
> (36 bytes)
> 
> Regards,
> Chinmaya

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140227/e0ff4f7b/attachment.bin>

More information about the Users mailing list