[strongSwan] Error in Setting DH group for strongswan

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jun 7 15:10:44 CEST 2017


Hello,

On 07.06.2017 15:01, haris iqbal wrote:
> On Wed, Jun 7, 2017 at 1:11 AM, Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>> So, since charon is the keying daemon for strongswan, it starts by
>>> guessing a cipher and if the peer supports it, and it is allowed by
>>> the conf file then it is used. Else, a new one is chosen.
>> Charon doesn't guess. It uses the first (EC)DH group in the first configured proposal.
>> If it receives an INVALID_KE error, it searches for the advised DH group in the configured proposal
>> and uses that one instead. If it doesn't find that DH group, it aborts.
> I didn't know about these "first configured proposal" and other
> "configured proposal".
> 
> So there are 2 different configured proposals? Which one corresponds
> to the configuration settings I add in ipsec.conf? And where can I
> change the settings for the other configured proposal?

In your case, no. All the proposals are configured in the corresponding option
for the IKE proposals (in ipsec.conf it's "ike", in swanctl.conf, it's "connections.<conn>.proposals").
You only have one proposal (aes128-sha1-modp2048s256), and that doesn't contain MODP1024, which the other peer wants,
so you can't continue the negotiation.

Kind regards

Noel

PS: Always send to the list, too.
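The selection rule Noel describes (first (EC)DH group of the first configured proposal, then, on INVALID_KE_PAYLOAD, a retry only if the advised group appears in the configured proposals, otherwise abort), as an added example that is not strongSwan code and not from anyone in the thread. It parses proposal strings in the `ike=` / `proposals` syntax and runs haris's proposal against a peer that only offers MODP1024. Assumptions of this model: the peer side is a simplified stand-in that answers INVALID_KE_PAYLOAD with its most preferred group, the table of DH group names is a subset, and the search for the advised group covers every configured proposal.

```python
"""Model of charon's IKEv2 DH group selection as described in the thread.

Added example, not strongSwan code. It reproduces the rule "use the first
(EC)DH group of the first configured proposal; on INVALID_KE_PAYLOAD look for
the advised group in the configured proposals; abort if it is not there".
The peer is a simplified stand-in and the group-name table is an assumption.
"""
from dataclasses import dataclass

# Subset of DH group names strongSwan accepts in an IKE proposal (assumption:
# enough for this example, not the complete list).
DH_GROUPS = frozenset({
    "modp1024", "modp1536", "modp2048", "modp2048s256", "modp3072", "modp4096",
    "ecp256", "ecp384", "ecp521", "curve25519",
})


@dataclass(frozen=True)
class Proposal:
    transforms: tuple[str, ...]   # cipher / integrity / PRF tokens, kept verbatim
    dh: tuple[str, ...]           # DH groups in the order they were written


class NegotiationError(Exception):
    """Raised where charon would abort the IKE_SA_INIT exchange."""


def parse_proposals(spec: str) -> list[Proposal]:
    """Parse an ipsec.conf 'ike=' or swanctl.conf 'proposals' value.

    Proposals are comma-separated; inside one, tokens are joined by '-'.
    A trailing '!' (ipsec.conf strict marker) is accepted and ignored.
    """
    proposals = []
    for raw in spec.rstrip("!").split(","):
        tokens = [t for t in raw.strip().split("-") if t]
        dh = tuple(t for t in tokens if t in DH_GROUPS)
        other = tuple(t for t in tokens if t not in DH_GROUPS)
        if not dh:
            raise ValueError(f"IKE proposal without a DH group: {raw!r}")
        proposals.append(Proposal(other, dh))
    return proposals


def negotiate_dh(spec: str, peer_groups: list[str]) -> tuple[str, list[str]]:
    """Simulate the initiator's KE choice against a peer.

    peer_groups: groups the peer supports, most preferred first. The
    (simplified) peer accepts any group it supports and otherwise answers
    INVALID_KE_PAYLOAD advising its most preferred one.
    Returns (agreed group, message transcript).
    """
    proposals = parse_proposals(spec)
    log = []
    # Rule 1: the KE payload of the first IKE_SA_INIT carries the first DH
    # group of the first proposal.
    first = proposals[0].dh[0]
    log.append(f"-> IKE_SA_INIT SA,KE({first})")
    if first in peer_groups:
        log.append(f"<- IKE_SA_INIT SA,KE({first})")
        return first, log
    # Rule 2: the peer names the group it wants instead.
    advised = peer_groups[0]
    log.append(f"<- IKE_SA_INIT N(INVALID_KE_PAYLOAD, {advised})")
    # Rule 3: retry only if that group is in our own configured proposals.
    # This check is what stops the peer (or anyone on the path) from steering
    # the initiator to a group it never configured.
    configured = {g for p in proposals for g in p.dh}
    if advised not in configured:
        log.append(f"abort: {advised} not in configured proposals "
                   f"{sorted(configured)}")
        raise NegotiationError(log[-1])
    log.append(f"-> IKE_SA_INIT SA,KE({advised})")
    log.append(f"<- IKE_SA_INIT SA,KE({advised})")
    return advised, log


if __name__ == "__main__":
    # The proposal from the thread, then the same with a second proposal
    # that allows the MODP1024 fallback, both against a MODP1024-only peer.
    for spec in ("aes128-sha1-modp2048s256!",
                 "aes128-sha1-modp2048s256,aes128-sha1-modp1024!"):
        try:
            group, transcript = negotiate_dh(spec, ["modp1024"])
            print(spec, "->", group)
        except NegotiationError as err:
            print(spec, "->", err)
        for line in transcript if "transcript" in dir() else []:
            print("   ", line)
```

In ipsec.conf the second case corresponds to `ike=aes128-sha1-modp2048s256,aes128-sha1-modp1024!`, in swanctl.conf to `proposals = aes128-sha1-modp2048s256,aes128-sha1-modp1024` (the `!` is ipsec.conf-only). Before adding that fallback, note that MODP1024 is a 1024-bit group and is widely regarded as too weak for new deployments; where you control the other peer, enabling MODP2048 (or an ECP group) there is the better fix.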
