[strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

Harald Dunkel harald.dunkel at aixigo.de
Tue Oct 27 13:44:25 CET 2015


Hi Tobias,

On 10/27/15 11:43, Tobias Brunner wrote:
> Hi Harald,
> 
>> Please note that both peers agreed upon a proposal including DH group 5,
>> but then there is a message "DH group MODP_1024 inacceptable, requesting
>> MODP_1536". The selected proposal wasn't DH2, so I wonder WTH?
> 
> Since the initiator has to send its public DH value in the KE payload in
> the first IKE_SA_INIT message it has to guess the DH group of the
> proposal the peer will select, in this case it guessed MODP_1024.
> However, because the selected proposal is with MODP_1536 the public DH
> value in the KE payload can't be used so the responder sends back an
> INVALID_KE_PAYLOAD notify with the DH group from the selected proposal.
> But as is documented at [1] iOS apparently does not support this
> particular DH group so this fails.
> 
> Regards,
> Tobias
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> 

Thanks for the pointer. Seems I have missed the update to this wiki page.

If I got you correctly I would have to move back to DH2, just to make
the iPhone users happy. Do you know of any commitments from Apple to fix
this?


Regards
Harri
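
The IKE_SA_INIT exchange discussed in this thread, as an added example that is not part of the original messages and is not strongSwan code. It is a simplified model: the function names, the "implemented" set (a client that proposes a group it cannot actually use) and the responder choosing by its own preference order are assumptions.

```python
# Simplified model of IKEv2 DH group negotiation in IKE_SA_INIT (RFC 7296).
MODP = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"}  # IKEv2 DH group numbers

def responder(proposed, ke_group, responder_prefs):
    """Select a DH group, then check the KE payload was computed for it."""
    # Assumption: responder takes the first of its own groups the peer proposed.
    selected = next((g for g in responder_prefs if g in proposed), None)
    if selected is None:
        return ("NO_PROPOSAL_CHOSEN", None)
    if ke_group != selected:
        # The public value belongs to another group, so it cannot be used.
        # Reply with INVALID_KE_PAYLOAD (notify type 17) naming the selected group.
        return ("INVALID_KE_PAYLOAD", selected)
    return ("OK", selected)

def negotiate(proposed, implemented, responder_prefs, max_rounds=3):
    """Initiator side. Returns (outcome, group, log lines)."""
    log = []
    # The initiator must guess a group for its first KE payload.
    ke_group = next(g for g in proposed if g in implemented)
    for _ in range(max_rounds):
        status, group = responder(proposed, ke_group, responder_prefs)
        if status == "OK":
            log.append(f"established with {MODP[group]}")
            return ("established", group, log)
        if status == "NO_PROPOSAL_CHOSEN":
            log.append("no common DH group")
            return ("failed", None, log)
        log.append(f"DH group {MODP[ke_group]} rejected, "
                   f"responder requests {MODP[group]}")
        if group not in implemented:
            log.append(f"initiator cannot retry with {MODP[group]}")
            return ("failed", group, log)
        ke_group = group  # retry IKE_SA_INIT with the requested group
    return ("failed", None, log)

if __name__ == "__main__":
    # Constructed cases: (proposed, implemented, responder preference order)
    cases = {
        "client proposes 1536 but cannot use it": ([2, 5], {2}, [5, 2]),
        "client supports 1536": ([2, 5], {2, 5}, [5, 2]),
        "responder limited to 1024": ([2, 5], {2}, [2]),
    }
    for name, args in cases.items():
        outcome, group, log = negotiate(*args)
        print(f"{name}: {outcome}")
        for line in log:
            print("   ", line)
```

The first case reproduces the failure described above; the third corresponds to configuring only DH group 2 on the responder.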


