[strongSwan] Strongswan is proposing only PFS enabled proposals as part of quick mode

pothuganti sridhar pothuganti.sridhar at gmail.com
Fri Oct 7 09:48:00 CEST 2016


Hi,

We have configured two proposals, one with PFS enabled and another with PFS
disabled. With this configuration, strongswan is sharing only one PFS
enabled proposal to the peer in quick mode.

Following is our configuration:

conn client
        auto=add
        left=%any
        ike=3des-md5-modp1024!
        esp=aes128-md5-modp1024,aes128-md5!
        right=2.2.2.1
        leftauth=psk
        rightauth=psk
        aggressive=yes
        leftid=keyid:C2S
        rightid=%any
        modeconfig=pull
        leftsourceip=%config
        rightsubnet=0.0.0.0/0
        xauth=client
        leftauth2=xauth
        xauth_identity=user
        dpddelay=40
        dpdtimeout=120
        dpdaction=clear
        ikelifetime=28800s
        lifetime=300s
        rekeymargin=15s

With the above configuration, strongswan is sending only one proposal
"aes128-md5-modp1024" as part of quick mode, instead of sending both.
Is there any way we can send both proposals to the peer in the quick mode?
Any pointers would be helpful.

Regards,
Sridhar