[strongSwan] DH group for key exchange is undefined

Thomas Egerer hakke_007 at gmx.de
Sun Jan 31 10:57:49 CET 2016



Michael,

can you provide the charon load-tester log with facility enc set to log
level 3, see [1], and the pcap file from your cisco device (one IKE_INIT
exchange should do).

Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

On 01/31/2016 09:12 AM, Michael Chan wrote:
> I ran this against a cisco device. I looked at the packet capture and it
> shows that the key exchange DH group is undefined. Has anyone tried with
> load-tester on 5.3.5?
> 
> On Sat, Jan 30, 2016 at 2:22 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:
> 
> Michael,
> 
> while unloading the dishwasher I gave your issue another thought ;)
> It seems I have somehow misread your problem. The peer you are trying
> to connect the load tester to, runs which VPN-service? If it is a
> strongSwan instance, you should provide the version, log information
> of the IKE negotiation and an output of your config (stroke statusall).
> It seems odd that the peer does not accept modp 1024 while it requests
> this same modp group in the response.
> Does the peer have a plugin loaded that provides modp 1024 (gcrypt, gmp,
> openssl)? You should see this in 'stroke listall'.
> 
> Cheers,
> Thomas
> 
> On 01/30/2016 12:20 AM, Michael Chan wrote:
>>>> I looked at the ike logs and I see the following message
>>>>
>>>> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>>>> [IKE] peer didn't accept DH group MODP_1024, it requested MODP_1024
>>>>
>>>> The packet capture shows the DH group is undefined. Is there a parameter to
>>>> set the DH group for the ike key exchange? I have the following parameter
>>>> in my load-tester.conf file.
>>>> proposal = aes-sha1-modp1024
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <mchan49 at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>      I'm wanting to use the load-tester plugin to perform load testing on
>>>>> remote host, but the remote host keeps sending back an INVALID_KE_PAYLOAD
>>>>> message. When I do a packet capture I see that the DH group for key
>>>>> exchange payload is undefined. I tried setting in the load-tester.conf file
>>>>> esp and proposal to use modp1024, but it doesn't change the key exchange
>>>>> payload DH group at all. Is there a way to set the group in load-tester?
>>>>>
>>>>> Thanks,
>>>>> Michael
>>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
> 
> 
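
A way to check the capture Thomas asks for, as an added example that is not code from the thread or from strongSwan: it walks the IKEv2 payload chain of an IKE_SA_INIT message, reads the DH group number from the KE payload (group 0 is what a dissector shows as "undefined") and the group the peer requests in its N(INVALID_KE_PAYLOAD) reply. The payload layout follows RFC 7296; the messages are constructed samples, and the ike_sa_init builder exists only to produce them.

```python
import struct

IKE_HDR_LEN = 28                            # RFC 7296 fixed IKEv2 header
PAYLOAD_KE, PAYLOAD_NOTIFY = 34, 41         # payload type numbers
INVALID_KE_PAYLOAD = 17                     # notify message type
DH_GROUPS = {0: "NONE (undefined)", 1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536",
             14: "MODP_2048", 19: "ECP_256", 31: "CURVE_25519"}

def iter_payloads(msg):
    """Yield (type, body) for every payload in the IKEv2 payload chain."""
    ptype, off = msg[16], IKE_HDR_LEN       # header byte 16 = first payload type
    while ptype != 0:                       # next-payload 0 ends the chain
        nxt, _crit, length = struct.unpack_from("!BBH", msg, off)
        if length < 4 or off + length > len(msg):
            raise ValueError("truncated or malformed payload at offset %d" % off)
        yield ptype, msg[off + 4:off + length]
        ptype, off = nxt, off + length

def ke_group(msg):
    """DH group number from the KE payload (first 2 bytes of its body), or None."""
    for ptype, body in iter_payloads(msg):
        if ptype == PAYLOAD_KE:
            return struct.unpack_from("!H", body, 0)[0]
    return None

def invalid_ke_requested_group(msg):
    """Group the responder asks for in N(INVALID_KE_PAYLOAD), or None if absent."""
    for ptype, body in iter_payloads(msg):
        if ptype == PAYLOAD_NOTIFY:
            _proto, spi_size, ntype = struct.unpack_from("!BBH", body, 0)
            if ntype == INVALID_KE_PAYLOAD:  # notification data = 2-byte group number
                return struct.unpack_from("!H", body, 4 + spi_size)[0]
    return None

def ike_sa_init(payloads, response=False):
    """Assemble a minimal IKE_SA_INIT message from [(type, body), ...] (constructed)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8 if response else b"\0" * 8,
                      payloads[0][0], 0x20, 34, 0x20 if response else 0x08, 0,
                      IKE_HDR_LEN + len(chain))
    return hdr + chain

# Constructed samples: a request whose KE payload says group 0 (the "undefined" seen in
# the capture), a correct MODP_1024 request, and the N(INVALID_KE_PAYLOAD) reply for it.
BAD_INIT = ike_sa_init([(PAYLOAD_KE, struct.pack("!HH", 0, 0) + b"\x00" * 128)])
GOOD_INIT = ike_sa_init([(PAYLOAD_KE, struct.pack("!HH", 2, 0) + b"\x00" * 128)])
INVAL_KE = ike_sa_init([(PAYLOAD_NOTIFY, struct.pack("!BBHH", 0, 0, INVALID_KE_PAYLOAD, 2))],
                       response=True)
```

Run it against the raw UDP payload of the first IKE_SA_INIT packet from the pcap; a KE group of 0 on the request side confirms the initiator, not the Cisco peer, is at fault.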
