[Swan] Unable to use DH group 19/

Andrew Cagney andrew.cagney at gmail.com
Tue May 15 16:57:02 UTC 2018


It's a hunch, but try:

        ike=            aes256-sha2_256;dh19
        phase2alg=      aes256-sha2_256;ecp_256

v3.20 and earlier weren't exactly consistent when it came to algorithm names.

(But like Paul pointed out, even better is to omit ecp_256 from the
second line as it will use DH19 anyway.)


On 15 May 2018 at 10:21, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 15 May 2018, Madden, Joe wrote:
>
>> Doesn't work with dh19 on the esp line:
>
>
>> May 15 13:59:56 clyde01 pluto[20172]: phase2alg string error: pfsgroup
>> "dh19" not found
>>
>> Seems to work when you load it via IKE settings
>>
>> clyde01 pluto[20570]: added connection description "seutmc-charm"
>>
>> Should I raise a Bugzilla with RHEL on this?
>
>
> Note you do not have to specify this with the esp= line. Leaving it out
> means you re-use the same group as the first ike= exchange used.
>
> Specifying it works on 3.24, which will be in RHEL-7.6. And 3.24 also
> will have other improvements (re-auth, better rekey support) so this
> change would not be a likely candidate for backporting to RHEL-7.5 or
> earlier.
>
>
> Paul