[strongSwan] disregarded diffie hellmann group

Marco Berizzi pupilla at hotmail.com
Wed Jun 3 15:36:03 CEST 2020

Hi Tobias,

> You don't have to change the config as long as both peers agree to use a
> DH group when rekeying or creating the SA with a CREATE_CHILD_SA
> exchange.

I tried to remove the dh group, but if my ipsec peer running strongswan
is the initiator the proposal will be refused.

> You only need that second proposal (or adding modpnone at the
> end of the existing proposal) if there is a peer that doesn't use a DH
> group in these situations.

It looks like the other peer (which should be a checkpoint) when acting
as a responder claim the dhgroup. Instead when acting as initiator is
going to drop the dh group request.

Thanks Tobias. I didn't know the modpnone parameter: I will change the
proposal like this:

esp_proposals = aes256-sha512-ecp521-modpnone


More information about the Users mailing list