Issue #3200

ECP384 Diffie-Hellman fail in 5.8.1

Added by Jun Hu about 1 month ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.8.1
Resolution: No change required

Description

OS: Linux

With 5.8.1, when using ecp384 as the DH group, strongSwan rejects the proposal even though its config has ecp384, and there is a weird message in the log: "DH group ECP_384 unacceptable, requesting ECP_384".

I repeated the same test with 5.7.1, and the tunnel is created successfully.

The following is the ipsec.conf:

conn %default
    ikelifetime=600m
    rekeymargin=5m
    keyingtries=1
    keyexchange=ikev2
    ike = aes256-sha512-ecp384!
    esp = aes128-sha1-ecp384!
    mobike = no

conn psk
    rightsourceip=192.168.1.100-192.168.10.200
    leftfirewall=yes
    authby=psk
    auto=add
    left=%any
    right=%any

charonlog (40 KB), Jun Hu, 10.10.2019 23:48

History

#1 Updated by Tobias Brunner about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback

You don't have a plugin loaded that provides that DH algorithm. See here for an overview of which algorithms are provided by what plugins; make sure one of them is loaded to use the algorithm.

#2 Updated by Jun Hu about 1 month ago

Tobias Brunner wrote:

You don't have a plugin loaded that provides that DH algorithm. See here for an overview of which algorithms are provided by what plugins; make sure one of them is loaded to use the algorithm.

Thanks, it works now after enabling openssl.
It would be nice if there were an error message indicating the cause.

#3 Updated by Noel Kuntze about 1 month ago

It would be nice if there were an error message indicating the cause.

Seconded.

#4 Updated by Tobias Brunner about 1 month ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

It would be nice if there were an error message indicating the cause.

There will be one once the QSKE stuff comes in.
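An added example, not part of the original thread and not strongSwan code: a log check for the symptom reported above, where the rejected DH group and the requested one are the same group and that group is in the local ike=/esp= proposals. The function names, the subset of DH keywords recognised, and the sample log lines (timestamps and thread ids) are assumptions constructed for illustration; only the message text and the proposals come from the issue.

```python
import re

# Message format as quoted in the issue description.
DH_REJECT = re.compile(r"DH group (\S+) unacceptable, requesting (\S+)")
# ike=/esp= proposal lines in ipsec.conf (whitespace around '=' allowed).
PROPOSAL = re.compile(r"^\s*(ike|esp)\s*=\s*(\S+)", re.M)
# Assumption: only these DH keyword families are recognised by this check.
DH_TOKEN = re.compile(r"^(ecp\d+(bp)?|modp\d+|curve\d+)$")

def norm(name):
    """Map a log name such as ECP_384 to the config keyword form ecp384."""
    return name.replace("_", "").lower()

def configured_dh_groups(conf_text):
    """Collect the DH group keywords used in ike=/esp= proposals."""
    groups = set()
    for _, proposals in PROPOSAL.findall(conf_text):
        for proposal in proposals.rstrip("!").split(","):
            groups.update(t for t in proposal.split("-") if DH_TOKEN.match(t))
    return groups

def find_self_rejections(log_text, conf_text):
    """Return (line_no, group) for log lines where the rejected group equals
    the requested one and that group is in the local configuration."""
    wanted = configured_dh_groups(conf_text)
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = DH_REJECT.search(line)
        if m and m.group(1) == m.group(2) and norm(m.group(1)) in wanted:
            hits.append((no, norm(m.group(1))))
    return hits

# Constructed sample input: proposals from the issue, log lines made up
# around the quoted message.
SAMPLE_CONF = """conn %default
    ike = aes256-sha512-ecp384!
    esp = aes128-sha1-ecp384!
"""
SAMPLE_LOG = """Oct 10 23:40:01 07[IKE] DH group MODP_2048 unacceptable, requesting ECP_384
Oct 10 23:41:12 09[IKE] DH group ECP_384 unacceptable, requesting ECP_384
"""

if __name__ == "__main__":
    for no, group in find_self_rejections(SAMPLE_LOG, SAMPLE_CONF):
        print(f"log line {no}: {group} is configured but was rejected; "
              "check that a loaded plugin provides it")
```

A hit means the next step is the one from comment #1: confirm that a loaded plugin provides the group (in this thread, enabling openssl resolved it).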
