[strongSwan] disregarded Diffie-Hellman group
Tobias Brunner
tobias at strongswan.org
Wed Jun 3 15:45:33 CEST 2020
Hi Marco,
> It looks like the other peer (which should be a checkpoint), when acting
> as a responder, claims the dhgroup. Instead, when acting as initiator, it is
> going to drop the dh group request.
You didn't clarify if that happens during a CHILD_SA initiation with
IKE_AUTH or with CREATE_CHILD_SA. During IKE_AUTH, the DH group is
always omitted, so it really shouldn't matter who is initiator (and
removing the DH group from the proposal doesn't make a difference).
However, during CREATE_CHILD_SA DH is optional. But enforcing a DH
group as responder and not proposing one as initiator of the same
CHILD_SA doesn't really make sense. So if that's the case, it sounds
like a bug.
Regards,
Tobias
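
A simplified model of the proposal matching described in the message above, as an added example that is not part of the original post and not strongSwan's code. The function names, the dict layout and the sample proposals are assumptions made up for illustration; it shows why a peer that enforces a DH group as responder but proposes none as initiator only causes a mismatch during CREATE_CHILD_SA.

```python
# Simplified model (added example, not strongSwan internals).
# An ESP proposal is a dict of transforms; the "dh" key is present only with PFS.

WITH_DH = {"encr": "aes256", "integ": "sha256", "dh": "modp2048"}  # constructed sample
NO_DH = {"encr": "aes256", "integ": "sha256"}                      # constructed sample


def strip_dh(proposal):
    """Drop the DH transform: during IKE_AUTH the CHILD_SA keys come from
    the IKE SA, so no DH group is negotiated for the CHILD_SA."""
    return {k: v for k, v in proposal.items() if k != "dh"}


def select(exchange, offered, configured):
    """Return the first configured proposal that matches an offered one,
    or None (a real responder would answer NO_PROPOSAL_CHOSEN)."""
    if exchange == "IKE_AUTH":
        # DH group is always omitted here, on both sides.
        offered = [strip_dh(p) for p in offered]
        configured = [strip_dh(p) for p in configured]
    elif exchange != "CREATE_CHILD_SA":
        raise ValueError(f"unsupported exchange: {exchange}")
    for want in configured:
        for got in offered:
            # In CREATE_CHILD_SA a proposal without "dh" never matches
            # a configured proposal that requires one, and vice versa.
            if want == got:
                return got
    return None


def scenarios():
    """Responder results for the cases discussed in the thread."""
    return {
        # Initiator sends no DH group, responder configured with one.
        "ike_auth": select("IKE_AUTH", [NO_DH], [WITH_DH]),
        "rekey_mismatch": select("CREATE_CHILD_SA", [NO_DH], [WITH_DH]),
        # Both sides agree on PFS.
        "rekey_pfs": select("CREATE_CHILD_SA", [WITH_DH], [WITH_DH]),
        # Responder treats DH as optional by also allowing a DH-less proposal.
        "rekey_optional": select("CREATE_CHILD_SA", [NO_DH], [WITH_DH, NO_DH]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result if result is not None else 'NO_PROPOSAL_CHOSEN'}")
```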