[strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

Dirk Hartmann dha at heise.de
Wed Oct 28 10:23:45 CET 2015



--On Wednesday, October 28, 2015 05:18:28 PM +0800 Rayson Zhu 
<vfreex at gmail.com> wrote:

> yes, but only if you don't use high encryption.
> so sad.
>
> On Wed, Oct 28, 2015 at 4:56 PM, Roger Skjetlein
> <rskjetlein at netrunner.nu> wrote:
>
>> I found out that this combination works with of the devices out
>> there:
>> ike = 3des-sha1-modp1024
>> esp = aes256-sha1,aes192-sha1,aes128-sha1

ike=aes256-sha2_512-modp2048,aes256-sha1-modp1024
esp=aes256-sha2_512,aes256-sha1,aes128-sha1

should work too but you still would have the dangerous modp1024 for 
Win7 etc.

>> windows 7 to 10, os x 10.11, ios 8 and 9, android...
>>
>> On Wed, Oct 28, 2015 at 2:50 AM, Rayson Zhu <vfreex at gmail.com> wrote:
>>
>>> I met this issue too. I have to change my cipher suite to
>>> aes128-sha-1-modp1024 to connect iOS devices.
>>>
>>>
>>> On Tuesday, October 27, 2015, Tobias Brunner <tobias at strongswan.org>
>>> wrote:
>>>
>>>> Hi Harald,
>>>>
>>>> > If I got you correctly I would have to move back to DH2, just to
>>>> > make the iphone users happy.
>>>>
>>>> Correct, or you use a configuration profile with
>>>> DiffieHellmanGroup set to one of the other groups Apple claims to
>>>> support (I don't know which of them actually work, though): 2
>>>> (Default), 5, 14, 15, 16, 17, or 18.
>>>>
>>>> > Do you know of any commitments from Apple to fix this?
>>>>
>>>> No idea.  I wasn't the one adding that information to the wiki.
>>>> But you could report the bug to Apple to get a rough idea when it
>>>> is fixed.  In this case they will close your bug report and mark
>>>> it as duplicate and you won't get any direct status updates etc.
>>>> but you can see whether the original ticket is still open or not.
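
An added example, not part of the original thread and not strongSwan's own code: a small audit of ike= proposal strings like the ones quoted above. It lists which proposals still allow a MODP group below a chosen size and which DH group numbers stay negotiable. The function names and the 2048-bit default threshold are assumptions of this example.

```python
import re

# IKE DH group number -> modulus size in bits, for the MODP groups named in
# the thread (2, 5, 14, 15, 16, 17, 18). strongSwan's keyword is "modp<bits>".
MODP_GROUPS = {2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
KEYWORD_TO_GROUP = {"modp%d" % bits: num for num, bits in MODP_GROUPS.items()}


def parse_proposals(line):
    """Split an 'ike=...' line into proposals, each a list of algorithm tokens."""
    key, _, value = line.partition("=")
    if key.strip() != "ike":
        raise ValueError("not an ike= line: %r" % line)
    value = value.strip().rstrip("!")  # a trailing '!' marks a strict proposal list
    return [p.strip().split("-") for p in value.split(",") if p.strip()]


def audit_ike(line, min_bits=2048):
    """Return (proposal, dh_keyword, bits) for each proposal whose MODP group
    is smaller than min_bits (assumed threshold, adjust to local policy)."""
    findings = []
    for tokens in parse_proposals(line):
        for tok in tokens:
            m = re.fullmatch(r"modp(\d+)", tok)
            if m and int(m.group(1)) < min_bits:
                findings.append(("-".join(tokens), tok, int(m.group(1))))
    return findings


def accepted_groups(line):
    """DH group numbers a peer can still negotiate under this ike= line."""
    return sorted({KEYWORD_TO_GROUP[t]
                   for tokens in parse_proposals(line)
                   for t in tokens if t in KEYWORD_TO_GROUP})


if __name__ == "__main__":
    # The two ike= lines quoted in the thread.
    for line in ("ike = 3des-sha1-modp1024",
                 "ike=aes256-sha2_512-modp2048,aes256-sha1-modp1024"):
        print(line)
        print("  negotiable DH groups:", accepted_groups(line))
        for proposal, kw, bits in audit_ike(line):
            print("  weak DH in %s: %s (%d bits)" % (proposal, kw, bits))
```

With the fallback proposal present, group 2 stays negotiable, so a client that defaults to group 2 still ends up on modp1024 even though modp2048 is listed first.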


