[strongSwan] DH group for key exchange is undefined
hakke_007 at gmx.de
Sat Jan 30 11:22:03 CET 2016
-----BEGIN PGP SIGNED MESSAGE-----
while unloading the dishwasher I gave your issue another thought ;)
It seems I have somehow misread your problem. The peer you are trying
to connect the load tester to, runs which VPN-service? If it is a
strongwan instance, you should provide the version, log information
of the IKE negotiation and an output of your config (stroke statusall).
It seems odd, that the peer does not accept modp 1024 while it request
this same modp group in the response.
Does the peer a plugin loaded that provides modp 1024 (gcrypt, gmp,
openssl)? You should see this in 'stroke listall'.
On 01/30/2016 12:20 AM, Michael Chan wrote:
> I looked at the ike logs and I see the following message
> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> [IKE] peer didn't accept DH group MODP_1024, it requested MODP_1024
> The packet capture shows the DH group is undefined. Is there a parameter to
> set the DH group for the ike key exchange? I have the following parameter
> in my load-tester.conf file.
> proposal = aes-sha1-modp1024
> On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <mchan49 at gmail.com> wrote:
>> I'm wanting to use the load-tester plugin to perform load testing on
>> remote host, but the remote host keeps sending back INVALID_KE_PAYLOAD
>> message back. When I do a packet capture I see that the DH group for key
>> exchange payload is undefined. I tried setting in the load-tester.conf file
>> esp and proposal to use modp1024, but it doesn't change the key exchange
>> payload DH group at all. Is there a way to set the group in load-tester?
> Users mailing list
> Users at lists.strongswan.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the Users