[strongSwan] disregarded diffie hellmann group
Marco Berizzi
pupilla at hotmail.com
Wed Jun 3 15:36:03 CEST 2020
Hi Tobias,
> You don't have to change the config as long as both peers agree to use a
> DH group when rekeying or creating the SA with a CREATE_CHILD_SA
> exchange.
I tried to remove the dh group, but if my ipsec peer running strongswan
is the initiator the proposal will be refused.
> You only need that second proposal (or adding modpnone at the
> end of the existing proposal) if there is a peer that doesn't use a DH
> group in these situations.
It looks like the other peer (which should be a checkpoint), when acting
as a responder, claims the DH group. Instead, when acting as initiator, it is
going to drop the DH group request.
Thanks Tobias. I didn't know the modpnone parameter: I will change the
proposal like this:
esp_proposals = aes256-sha512-ecp521-modpnone
Marco
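
The matching behaviour discussed in this message, as an added example (not part of the original mail and not strongSwan code): a simplified model of IKEv2 proposal selection per RFC 7296 section 3.3. It shows why a proposal without a DH group is refused by a peer that requires one, and how a trailing modpnone lets both cases match. The function names, the small keyword sets and the sample proposals are assumptions made for the illustration, and the initiator's transform order is used as the preference.

```python
# Simplified model of ESP proposal matching in CREATE_CHILD_SA.
# Assumption: a proposal without any DH transform offers only "none".
KNOWN_DH = {"ecp521", "ecp384", "modp2048", "modpnone"}   # subset, for the demo
KNOWN_INTEG = {"sha512", "sha256"}                        # subset, for the demo

# Constructed sample proposals
STRICT = "aes256-sha512-ecp521"            # DH group mandatory
NO_DH = "aes256-sha512"                    # peer that drops the DH group
FLEX = "aes256-sha512-ecp521-modpnone"     # DH preferred, "none" accepted

def parse(proposal):
    """Split one proposal string into transform lists per transform type."""
    out = {"encr": [], "integ": [], "dh": []}
    for token in proposal.strip().split("-"):
        if token in KNOWN_DH:
            out["dh"].append("none" if token == "modpnone" else token)
        elif token in KNOWN_INTEG:
            out["integ"].append(token)
        else:
            out["encr"].append(token)
    if not out["dh"]:
        out["dh"] = ["none"]
    return out

def select(offered, configured):
    """Responder side: return the chosen transforms, or None for
    NO_PROPOSAL_CHOSEN. Both arguments may hold comma-separated proposals."""
    for offer in map(parse, offered.split(",")):
        for local in map(parse, configured.split(",")):
            chosen = {}
            for kind in ("encr", "integ", "dh"):
                # every transform type must have one transform in common
                match = next((t for t in offer[kind] if t in local[kind]), None)
                if match is None:
                    break
                chosen[kind] = match
            else:
                return chosen
    return None

if __name__ == "__main__":
    for init, resp in [(NO_DH, STRICT), (STRICT, NO_DH),
                       (FLEX, NO_DH), (FLEX, STRICT), (NO_DH, FLEX)]:
        print(f"{init:32} -> {resp:32} : {select(init, resp)}")
```

Listing modpnone after ecp521 keeps the DH group preferred, but a rekey negotiated with "none" performs no fresh DH exchange for that CHILD_SA.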