[strongSwan] DH group for key exchange is undefined

Michael Chan mchan49 at gmail.com
Sun Jan 31 09:12:38 CET 2016


I ran this against a Cisco device. I looked at the packet capture and it
shows that the key exchange DH group is undefined. Has anyone tried with
load-tester on 5.3.5?

On Sat, Jan 30, 2016 at 2:22 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:

> Michael,
>
> while unloading the dishwasher I gave your issue another thought ;)
> It seems I have somehow misread your problem. The peer you are trying
> to connect the load tester to, runs which VPN-service? If it is a
> strongSwan instance, you should provide the version, log information
> of the IKE negotiation and an output of your config (stroke statusall).
> It seems odd that the peer does not accept modp 1024 while it requests
> this same modp group in the response.
> Does the peer have a plugin loaded that provides modp 1024 (gcrypt, gmp,
> openssl)? You should see this in 'stroke listall'.
>
> Cheers,
> Thomas
>
> On 01/30/2016 12:20 AM, Michael Chan wrote:
> > I looked at the ike logs and I see the following message
> >
> > [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > [IKE] peer didn't accept DH group MODP_1024, it requested MODP_1024
> >
> > The packet capture shows the DH group is undefined. Is there a parameter to
> > set the DH group for the IKE key exchange? I have the following parameter
> > in my load-tester.conf file.
> > proposal = aes-sha1-modp1024
> >
> >
> >
> >
> > On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <mchan49 at gmail.com> wrote:
> >
> >> Hi,
> >>      I'm wanting to use the load-tester plugin to perform load testing on a
> >> remote host, but the remote host keeps sending back an INVALID_KE_PAYLOAD
> >> message. When I do a packet capture I see that the DH group for the key
> >> exchange payload is undefined. I tried setting esp and proposal in the
> >> load-tester.conf file to use modp1024, but it doesn't change the key exchange
> >> payload DH group at all. Is there a way to set the group in load-tester?
> >>
> >> Thanks,
> >> Michael
> >>
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
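
A capture-side check for the mismatch discussed in this thread, as an added example that is not part of the original messages and not strongSwan code: it walks a raw IKEv2 IKE_SA_INIT message (RFC 7296 layout) and reports the DH group number in the KE payload and the one carried in an INVALID_KE_PAYLOAD notify. The function names and the two sample messages are constructed for illustration; the input is assumed to be the UDP port 500 payload taken from the capture.

```python
import struct

# IKEv2 payload types, notify type and DH group numbers (RFC 7296 / IANA registry).
KE, NONCE, NOTIFY, INVALID_KE_PAYLOAD = 34, 40, 41, 17
DH_NAMES = {0: "NONE", 1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536",
            14: "MODP_2048", 19: "ECP_256", 20: "ECP_384", 21: "ECP_521"}

def dh_name(num):
    return DH_NAMES.get(num, "unknown(%d)" % num)

def dh_groups(msg):
    """Input: raw IKE message (UDP/500 payload). Returns the KE payload's DH
    group and the group a responder asks for in N(INVALID_KE_PAYLOAD)."""
    if len(msg) < 28 or struct.unpack_from("!I", msg, 24)[0] != len(msg):
        raise ValueError("bad IKE header or length")
    out = {"ke": None, "requested": None}
    ptype, off = msg[16], 28            # first payload type, end of IKE header
    while ptype != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _flags, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if ptype == KE and len(body) >= 4:
            out["ke"] = dh_name(struct.unpack_from("!H", body)[0])
        elif ptype == NOTIFY and len(body) >= 4:
            _proto, spi_size, ntype = struct.unpack_from("!BBH", body)
            data = body[4 + spi_size:]
            if ntype == INVALID_KE_PAYLOAD and len(data) == 2:
                out["requested"] = dh_name(struct.unpack_from("!H", data)[0])
        ptype, off = following, off + plen
    return out

def _msg(first, flags, *payloads):      # constructed sample: header + payloads
    body = b"".join(payloads)
    hdr = bytes(16) + bytes([first, 0x20, 34, flags]) + bytes(4)
    return hdr + struct.pack("!I", 28 + len(body)) + body

def _payload(following, body):
    return struct.pack("!BBH", following, 0, 4 + len(body)) + body

# Constructed messages mirroring the log above: KE with group 2, then N(INVAL_KE).
REQUEST = _msg(KE, 0x08, _payload(NONCE, struct.pack("!HH", 2, 0) + bytes(128)),
               _payload(0, bytes(16)))
RESPONSE = _msg(NOTIFY, 0x20, _payload(0, struct.pack("!BBH", 0, 0, 17)
                                       + struct.pack("!H", 2)))
if __name__ == "__main__":
    print(dh_groups(REQUEST), dh_groups(RESPONSE))
```

Comparing the `ke` value of the request with the `requested` value of the response shows whether the group number on the wire matches the configured proposal.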