[strongSwan] disregarded diffie hellmann group

Tobias Brunner tobias at strongswan.org
Wed Jun 3 15:04:15 CEST 2020

Hi Marco,

> I have patched the configuration like this:
> from esp_proposals = aes256-sha512-ecp521
> to esp_proposals = aes256-sha512-ecp521,aes256-sha512

You don't have to change the config as long as both peers agree to use a
DH group when rekeying or creating the SA with a CREATE_CHILD_SA
exchange.  You only need that second proposal (or adding modpnone at the
end of the existing proposal) if there is a peer that doesn't use a DH
group in these situations.


More information about the Users mailing list