[strongSwan] IKEv2 rekey failure with IOS8

Tom Matthews tom at axiom-partners.com
Thu Jul 23 18:04:40 CEST 2015


Thanks, super helpful.

I don't understand why IKE and ESP can't be the same. I know the child uses the IKE key exchange until rekey, but does this mean IKE can have DH params on IOS8, but ESP can't use them, and therefore no PFS is available?

Kind regards,
Tom

On 23 Jul 2015, at 16:48, Tobias Brunner <tobias at strongswan.org> wrote:

>> Can anyone suggest where I'm going wrong please?
> 
> What's the deal with that constant reluctance to read the log files?
> 
>> Jul 23 14:40:17 nibbler charon: 16[CFG] selecting proposal:
>> Jul 23 14:40:17 nibbler charon: 16[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>> Jul 23 14:40:17 nibbler charon: 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
>> Jul 23 14:40:17 nibbler charon: 16[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
>> Jul 23 14:40:17 nibbler charon: 16[IKE] no acceptable proposal found
> 
> Regards,
> Tobias
> 
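
Added example, not part of either message and not strongSwan code: a Python script that reads charon log lines like those quoted above and reports when a failed proposal selection differs only in the Diffie-Hellman group. The function names and the DH name prefixes are assumptions, and the comparison is narrowed to proposals whose other transforms are identical.

```python
import re

# Sample input: the charon lines quoted in the message above.
SAMPLE_LOG = """\
Jul 23 14:40:17 nibbler charon: 16[CFG] selecting proposal:
Jul 23 14:40:17 nibbler charon: 16[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 23 14:40:17 nibbler charon: 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 16[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 16[IKE] no acceptable proposal found
"""

PROPOSAL_LINE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")  # assumption: DH transform name prefixes

def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> [(protocol, DH transforms, other transforms), ...]"""
    parsed = []
    for item in text.split(","):
        proto, _, rest = item.strip().partition(":")
        names = set(rest.split("/"))
        dh = {n for n in names if n.startswith(DH_PREFIXES)}
        parsed.append((proto, frozenset(dh), frozenset(names - dh)))
    return parsed

def compare(received, configured):
    """Find a received/configured pair that differs only in its DH group."""
    for r_proto, r_dh, r_other in received:
        for c_proto, c_dh, c_other in configured:
            if r_proto == c_proto and r_other == c_other and r_dh != c_dh:
                return {"cause": "dh_group", "protocol": r_proto,
                        "peer_offers": sorted(r_dh) or ["none"],
                        "local_configured": sorted(c_dh) or ["none"]}
    return {"cause": "other"}

def diagnose(log):
    """Explain each 'no acceptable proposal found' from the proposals logged before it."""
    sides, findings = {}, []
    for line in log.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            sides[m.group(1)] = parse_proposals(m.group(2))
        elif "no acceptable proposal found" in line and len(sides) == 2:
            findings.append(compare(sides["received"], sides["configured"]))
            sides = {}  # start fresh for the next negotiation in the log
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```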

