[strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

Tobias Brunner tobias at strongswan.org
Tue Oct 27 11:43:14 CET 2015


Hi Harald,

> Please note that both peers agreed upon a proposal including DH group 5,
> but then there is a message "DH group MODP_1024 inacceptable, requesting
> MODP_1536". The selected proposal wasn't DH2, so I wonder WTH?

Since the initiator has to send its public DH value in the KE payload in
the first IKE_SA_INIT message it has to guess the DH group of the
proposal the peer will select, in this case it guessed MODP_1024.
However, because the selected proposal is with MODP_1536 the public DH
value in the KE payload can't be used so the responder sends back an
INVALID_KE_PAYLOAD notify with the DH group from the selected proposal.
But as is documented at [1], iOS apparently does not support this
particular DH group so this fails.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
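
Added example (not part of the original message and not strongSwan code): a minimal Python model of the IKE_SA_INIT group negotiation described above, following RFC 7296. The function names, log strings, the responder's preference order and the group lists are constructed for illustration; proposal selection is simplified to DH groups only.

```python
import struct

# IANA IKEv2 Diffie-Hellman group numbers (Transform Type 4)
DH_GROUPS = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"}
INVALID_KE_PAYLOAD = 17  # IKEv2 Notify Message Type (RFC 7296)


def responder_ike_sa_init(offered_groups, ke_group, responder_prefs):
    """Responder: select a DH group, then check the KE payload against it."""
    selected = next((g for g in responder_prefs if g in offered_groups), None)
    if selected is None:
        return ("no_proposal",)
    if ke_group != selected:
        # Notification data: the accepted group number, 2 octets, big endian
        return ("notify", INVALID_KE_PAYLOAD, struct.pack("!H", selected))
    return ("ok", selected)


def initiator_negotiate(offered_groups, usable_groups, responder_prefs):
    """Initiator: guess a KE group, retry when told INVALID_KE_PAYLOAD.

    offered_groups: groups listed in the SA payload proposals
    usable_groups:  groups the initiator can actually build a KE payload for
    """
    log = []
    ke_group = usable_groups[0]  # the initial guess
    for _ in range(len(offered_groups) + 1):
        reply = responder_ike_sa_init(offered_groups, ke_group, responder_prefs)
        if reply[0] == "ok":
            log.append(f"IKE_SA_INIT ok with {DH_GROUPS[reply[1]]}")
            return reply[1], log
        if reply[0] == "no_proposal":
            log.append("NO_PROPOSAL_CHOSEN")
            return None, log
        (wanted,) = struct.unpack("!H", reply[2])
        log.append(f"KE group {DH_GROUPS[ke_group]} rejected, "
                   f"responder requests {DH_GROUPS[wanted]}")
        if wanted not in usable_groups:
            log.append(f"initiator cannot use {DH_GROUPS[wanted]}, giving up")
            return None, log
        ke_group = wanted  # retry with the group the responder selected
    return None, log


if __name__ == "__main__":
    # Constructed case: group 5 is proposed, but only group 2 is usable for KE
    print(initiator_negotiate([5, 2], [2], [5, 2]))
```

The first call models the failure in this thread; passing `[2, 5]` as `usable_groups` shows the normal one-round-trip recovery.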


