[Swan] Unable to use DH group 19/
Madden, Joe
Joe.Madden at mottmac.com
Tue May 15 14:02:12 UTC 2018
Hi Paul,
Doesn't work with dh19 on the esp line:
conn seutmc-charm
authby= secret
auto= start
type= tunnel
forceencaps= no
rekeymargin= 3m
keyingtries= %forever
salifetime= 8h
ikelifetime= 24h
ikev2= insist
#RTT
left= #######
leftsubnet= 192.168.142.132/32
leftid= #####
leftnexthop= #######
#SAA
right= ######
rightid= #####
rightsubnet= 10.0.28.1/32
ike= aes256-sha2_256;dh19
phase2= esp
phase2alg= aes256-sha2_256;dh19
pfs= yes
sha2_truncbug= no
#Dead Peer Detection
dpdaction= restart
dpddelay= 30
dpdtimeout= 120
May 15 13:59:56 clyde01 pluto[20172]: phase2alg string error: pfsgroup "dh19" not found
Seems to work when you load it via IKE settings
clyde01 pluto[20570]: added connection description "seutmc-charm"
Should I raise a Bugzilla with RHEL on this?
Cheers.
Joe.
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: 15 May 2018 14:47
To: Madden, Joe <Joe.Madden at mottmac.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Unable to use DH group 19/
On Tue, 15 May 2018, Madden, Joe wrote:
> ikev2= insist
> ike= aes256-sha2_256;ecp256
> phase2= esp
> phase2alg= aes256-sha2_256;ecp256
It should work with:
ikev2=insist
ike=aes256-sha2_256;dh19
esp=aes256-sha2_256;dh19
> I have tried dh19 too.
>
> May 15 08:52:56 clyde01 pluto[15875]: phase2alg string error: pfsgroup "dh19" not found
You can try leaving out dh19 on the esp= line. It will use the same group as phase1.
> libreswan-3.20-5.el7_4.x86_64
That might have had a parsing problem for esp in it. Note CentOS 7.5 was just released with libreswan-3.23.
Paul
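The proposal-string format discussed in this thread, as an added example that is not part of the thread and not libreswan's own code: a small Python validator that parses `ike=`/`esp=` values of the form `encr-integ;dh`, resolves DH group aliases (libreswan accepts both `dh19` and `ecp256` for IANA group 19), reports unknown groups with a pluto-style `pfsgroup "..." not found` message, and applies the rule Paul states above, that an `esp=` proposal naming no group reuses the phase-1 group when `pfs=yes`. The alias table (only a few groups, not libreswan's full list), the function names and the sample strings are all assumptions constructed for this example; passing a deliberately reduced alias table to `check_line` reproduces the error text from the thread, which is a model of the symptom, not a claim about why libreswan-3.20 rejected it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed alias table: libreswan accepts both the "dhNN" and the
# "modp*/ecp*" spelling for the same IANA group (dh19 == ecp256).
# Only a handful of groups are listed; this is not libreswan's own table.
DH_ALIASES: Dict[str, int] = {
    "dh2": 2, "modp1024": 2,
    "dh5": 5, "modp1536": 5,
    "dh14": 14, "modp2048": 14,
    "dh19": 19, "ecp256": 19,
    "dh20": 20, "ecp384": 20,
    "dh21": 21, "ecp521": 21,
}


@dataclass
class Proposal:
    """One 'encr-integ;dh' entry of an ike= or esp= line."""
    encr: str
    integ: Optional[str]
    dh: Optional[int]  # IANA group number, or None when no group is given


def parse_proposal(text: str, aliases: Dict[str, int] = DH_ALIASES) -> Proposal:
    """Parse a single proposal such as 'aes256-sha2_256;dh19'.

    Raises ValueError with a pluto-style message when the name after ';'
    is not in the alias table.
    """
    algs, _, group_name = text.strip().partition(";")
    parts = [p for p in algs.split("-") if p]
    if not parts:
        raise ValueError("empty proposal")
    encr = parts[0]
    integ = parts[1] if len(parts) > 1 else None
    if group_name == "":
        return Proposal(encr, integ, None)
    group = aliases.get(group_name.lower())
    if group is None:
        raise ValueError(f'pfsgroup "{group_name}" not found')
    return Proposal(encr, integ, group)


def parse_line(value: str, aliases: Dict[str, int] = DH_ALIASES) -> List[Proposal]:
    """Parse a comma-separated ike=/esp= value into a list of proposals."""
    return [parse_proposal(p, aliases) for p in value.split(",") if p.strip()]


def check_line(value: str, aliases: Dict[str, int] = DH_ALIASES) -> Optional[str]:
    """Return the parse error for a line, or None if it parses cleanly."""
    try:
        parse_line(value, aliases)
    except ValueError as err:
        return str(err)
    return None


def effective_phase2_dh(ike_value: str, esp_value: str, pfs: bool = True) -> Optional[int]:
    """Group used for the Child SA (phase 2) key exchange.

    Models the rule from the thread: an esp= proposal that names a group
    uses it; one that names none reuses the phase-1 group when pfs=yes;
    with pfs=no there is no phase-2 DH exchange at all.
    """
    if not pfs:
        return None
    esp = parse_line(esp_value)
    if esp and esp[0].dh is not None:
        return esp[0].dh
    ike = parse_line(ike_value)
    return ike[0].dh if ike else None


if __name__ == "__main__":
    # Constructed sample values mirroring the configuration in the thread.
    ike = "aes256-sha2_256;dh19"
    print(check_line("aes256-sha2_256;dh19"))              # None: dh19 is known
    print(check_line("aes256-sha2_256;dh99"))              # pfsgroup "dh99" not found
    print(effective_phase2_dh(ike, "aes256-sha2_256"))     # 19, inherited from ike=
    print(effective_phase2_dh(ike, "aes256-sha2_256;dh14"))  # 14, explicit on esp=
    # A table that lacks the alias gives the exact message Joe reported.
    print(check_line("aes256-sha2_256;dh19", {"dh14": 14}))  # pfsgroup "dh19" not found
```

The `effective_phase2_dh` helper is the check worth keeping around when following Paul's workaround of dropping the group from `esp=`: it makes explicit which group the Child SA will actually rekey with, so that leaving the group out does not silently leave phase 2 without PFS when `pfs=` is later changed.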