[strongSwan] disregarded diffie hellmann group
Tobias Brunner
tobias at strongswan.org
Wed Jun 3 15:04:15 CEST 2020
Hi Marco,

> I have patched the configuration like this:
>
> from esp_proposals = aes256-sha512-ecp521
> to esp_proposals = aes256-sha512-ecp521,aes256-sha512

You don't have to change the config as long as both peers agree to use a
DH group when rekeying or creating the SA with a CREATE_CHILD_SA
exchange. You only need that second proposal (or adding modpnone at the
end of the existing proposal) if there is a peer that doesn't use a DH
group in these situations.

Regards,
Tobias
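
Added example, not part of the original message and not strongSwan code: a simplified Python model of ESP proposal matching that shows why a peer without a DH group is accepted during IKE_AUTH but fails at CREATE_CHILD_SA unless a second proposal or modpnone is configured. The function names, the peer's configuration and the matching logic are assumptions made for illustration.

```python
# Added illustration: simplified model of ESP proposal matching, not strongSwan code.
# Assumption: proposals have the form used in the thread, "encr-integ[-dhgroup...]".

def parse(proposal):
    """Split one proposal into (encr, integ, [dh groups]); no DH keyword means 'none'."""
    encr, integ, *groups = proposal.strip().split("-")
    dh = ["none" if g == "modpnone" else g for g in groups] or ["none"]
    return encr, integ, dh

def select(local, peer, exchange):
    """Return the first (encr, integ, dh) acceptable to both configs, or None.

    local and peer are esp_proposals strings (comma-separated).
    exchange is "IKE_AUTH" or "CREATE_CHILD_SA".
    """
    for l_encr, l_integ, l_dh in map(parse, local.split(",")):
        for p_encr, p_integ, p_dh in map(parse, peer.split(",")):
            if (l_encr, l_integ) != (p_encr, p_integ):
                continue
            if exchange == "IKE_AUTH":
                # The first CHILD_SA is keyed from the IKE SA; no separate DH
                # exchange happens, so the configured group is not compared.
                return l_encr, l_integ, None
            common = [g for g in l_dh if g in p_dh]
            if common:
                return l_encr, l_integ, common[0]
    return None

PEER_NO_DH = "aes256-sha512"  # constructed peer config without a DH group

def scenarios():
    """Evaluate the three local configs from the thread against PEER_NO_DH."""
    original = "aes256-sha512-ecp521"
    rows = []
    for local in (original, original + ",aes256-sha512", original + "-modpnone"):
        for exchange in ("IKE_AUTH", "CREATE_CHILD_SA"):
            rows.append((local, exchange, select(local, PEER_NO_DH, exchange)))
    return rows

if __name__ == "__main__":
    for local, exchange, result in scenarios():
        print(f"{local:40} {exchange:16} -> {result}")
```

A result of `None` for CREATE_CHILD_SA means rekeying would fail with no acceptable proposal, even though the initial SA came up.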