[strongSwan] Error in Setting DH group for strongswan
haris iqbal
haris.phnx at gmail.com
Tue Jun 6 08:38:15 CEST 2017

According to the strongswan page, one can set the allowed ciphers in
the file `ipsec.conf`

    ike = <cipher suites>
    comma-separated list of IKE/ISAKMP SA encryption/authentication
    algorithms to be used, e.g.
    .
    .

I have set up the conf file with my preferred cipher as
`aes128-sha1-modp2048s256!`.

But when I look into the charon log I get this error:

    Jun 6 01:28:12 03[IKE] DH group MODP_1024 inacceptable, requesting MODP_2048_256

Searching, I found [this][1] and [this][2] articles. Going through them
I kinda understood that,

    Since the initiator has to send its public DH value in the KE payload in
    the first IKE_SA_INIT message it has to guess the DH group of the
    proposal the peer will select, in this case it guessed MODP_1024.

and

    charon-cmd is only configurable through its command line interface,
    and that doesn't enable ciphers configuration

So, since charon is the keying daemon for strongswan, it starts by
guessing a cipher and if the peer supports it, and it is allowed by
the conf file then it is used. Else, a new one is chosen.

Is the above statement correct? Or am I missing something?

[1]: https://wiki.strongswan.org/issues/508
[2]: http://users.strongswan.narkive.com/dbTl29C2/charon-says-dh-group-modp-1024-inacceptable-requesting-modp-1536
--
With regards,
Md Haris Iqbal,
Contact: +91 8861996962
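
The exchange the quoted passage describes, modelled as an added Python example that is not part of the original post and is not strongSwan code: the initiator guesses a DH group for its KE payload, and the responder answers INVALID_KE_PAYLOAD naming the group it selected (RFC 7296). The function names and the rule that the responder's preference order wins are assumptions of this example.

```python
# Simplified model of the IKEv2 IKE_SA_INIT key-exchange retry (RFC 7296).
# Added illustration; not strongSwan code. Function names are hypothetical.

# IANA IKEv2 Diffie-Hellman group transform IDs
DH = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "MODP_2048_256": 24}
NAME = {num: name for name, num in DH.items()}


def responder(proposed, ke_group, allowed):
    """Answer one IKE_SA_INIT request.

    proposed: DH groups offered in the initiator's SA payload
    ke_group: group of the public value in the initiator's KE payload
    allowed:  groups the responder's configuration permits, in its own
              preference order (assumption: responder order wins)
    """
    selected = next((g for g in allowed if g in proposed), None)
    if selected is None:
        return "NO_PROPOSAL_CHOSEN", None
    if ke_group != selected:
        # KE payload was computed for a different group: ask for a retry.
        return "INVALID_KE_PAYLOAD", selected
    return "OK", selected


def initiator(proposed, responder_allowed):
    """Guess the first proposed group for the KE payload, retry once if corrected."""
    ke_group = proposed[0]
    trace = []
    for _ in range(2):
        status, group = responder(proposed, ke_group, responder_allowed)
        trace.append((NAME[ke_group], status))
        if status == "INVALID_KE_PAYLOAD" and group in proposed:
            ke_group = group  # same proposal, new KE payload in the requested group
            continue
        break
    return status, NAME.get(group), trace


if __name__ == "__main__":
    # Constructed scenario matching the log line: the responder is strict
    # (modp2048s256 only); the initiator offers three groups, MODP_1024 first.
    offer = [DH["MODP_1024"], DH["MODP_2048"], DH["MODP_2048_256"]]
    print(initiator(offer, [DH["MODP_2048_256"]]))
```

In this model the retry costs one extra round trip and the SA is then established in the responder's group; if the initiator never offered that group, the responder returns NO_PROPOSAL_CHOSEN instead.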