[strongSwan] DH group for key exchange is undefined

Tobias Brunner tobias at strongswan.org
Fri Feb 5 15:31:35 CET 2016

Hi Michael,

I think the reason why no DH group is set in the KE payload and you get
a segmentation fault is that you are mixing an old crypto plugin with a
newer build of the daemon/libraries.

The 5.3.1 release added a new method to the diffie_hellman_t interface.
 It was added at the position where the get_dh_group() getter was in
previous releases:


Which means that get_dh_group() is now at the position destroy() was
previously.  So any code built against the current version of the
diffie_hellman.h header file that calls get_dh_group() for a DH
implementation provided by a plugin built against the previous header
file will actually call destroy() instead.  Since there won't be a
return value the DH group is basically undefined and at the same time
the DH object is destroyed, causing a segmentation fault when the object
is accessed later on (in your case when the DH object is accessed in

When upgrading from sources it is recommended to call `make uninstall`
in the _original_ build directory (i.e. where you called `make install`
previously), which will remove binaries but leave configuration files
alone.  So keep that build directory around.  If you don't want or can
do that at least use the same ./configure options (the options used for
a previous build can be seen at the top of the config.log file in the
build directory).  Of course, you can also remove the binaries manually
before running `make install` for the new build.  Their location depends
on the configured --prefix and other options to specify installation
paths.  By default plugins are installed in `/usr/local/lib/ipsec/plugins`.


More information about the Users mailing list