[strongSwan] DH group for key exchange is undefined

Sat Jan 30 11:22:03 CET 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Michael,

while unloading the dishwasher I gave your issue another thought ;)
It seems I have somehow misread your problem. The peer you are trying
to connect the load tester to, runs which VPN-service? If it is a
strongwan instance, you should provide the version, log information
of the IKE negotiation and an output of your config (stroke statusall).
It seems odd, that the peer does not accept modp 1024 while it request
this same modp group in the response.
Does the peer a plugin loaded that provides modp 1024 (gcrypt, gmp,
openssl)? You should see this in 'stroke listall'.

Cheers,
Thomas

On 01/30/2016 12:20 AM, Michael Chan wrote:
> I looked at the ike logs and I see the following message
> 
> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> [IKE] peer didn't accept DH group MODP_1024, it requested MODP_1024
> 
> The packet capture shows the DH group is undefined. Is there a parameter to
> set the DH group for the ike key exchange? I have the following parameter
> in my load-tester.conf file.
> proposal = aes-sha1-modp1024
> 
> 
> 
> 
> On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <mchan49 at gmail.com> wrote:
> 
>> Hi,
>>      I'm wanting to use the load-tester plugin to perform load testing on
>> remote host, but the remote host keeps sending back INVALID_KE_PAYLOAD
>> message back. When I do a packet capture I see that the DH group for key
>> exchange payload is undefined. I tried setting in the load-tester.conf file
>> esp and proposal to use modp1024, but it doesn't change the key exchange
>> payload DH group at all. Is there a way to set the group in load-tester?
>>
>> Thanks,
>> Michael
>>
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWrI7BAAoJEGK31ONirBTGozAP/2VUe4t/ZoCnSrxfMRzHat6X
IDmLzonBQVasovtUMVZn6grRy3IxhEQi6B7cnFwxeIkRG2Jh6gTSKGGwwho84mLP
MsnG3SrIuLwTCd/7unVxR6OFNsbKo07MhJFo/hVO4WlOKp0yKay+DuV8TBUVAAiq
FuZVTEgwJGTM83uOzOPC1b0Mfgr1T5prSFxSddq9GT3aEA5UR5pKK7655dRygrZQ
ppTQfBAWarFvj312PRUhgV6XnH/UFh+YBvXFWg5o0yGTX9kDWTy0vkX+rBPXA47h
GUI7xkG/Q98fKwWqPy//HdPjHFa7XSkbkOu9lkIfj7U6JzGKO7shwn6vvx/v5xFM
yhskEpValk+bLMbJOJxAi8v1qXooojnP3FdRKKXjc/8wLiDinrfBR56oukKC7sRX
Dk+L+nhUMmN644ymXRnFsQ5Jo9bjLK+CCGIQ3J1eDHmsyVOkvm7jG4uWbsx28LQz
V6/oPzXrY6XdcjLupkjwgkqJ4CpIERpzOlcU/G2+sAsbf0zJeIQ03ZKN0lzSuogF
7ppHM4wiwPAQu70M1xsbwOsu9r+N2NLf0atpleeKtVXCu6Mh8a9LC/Et1m4TF7Kq
6YkP2k5Soc9A0WnuFL72nbt616SorTUtm8mbVEQ1ocfToT/R9AHZZkvDYcmMezM3
2YZIxXVp0KRZGazBgqcS
=+tYA
-----END PGP SIGNATURE-----