[Swan] Unable to use DH group 19/

Madden, Joe Joe.Madden at mottmac.com
Thu May 17 07:41:32 UTC 2018


Hi,


I tried this too - it complained about the _ as a special character.

I think I have it working by just omitting the PFS group for it to use the one specified in phase one!


Cheers

Joe.

-----Original Message-----
From: Andrew Cagney [mailto:andrew.cagney at gmail.com] 
Sent: 15 May 2018 17:57
To: Paul Wouters <paul at nohats.ca>
Cc: Madden, Joe <Joe.Madden at mottmac.com>; swan at lists.libreswan.org
Subject: Re: [Swan] Unable to use DH group 19/

It's a hunch, but try:

        ike=            aes256-sha2_256;dh19
        phase2alg=      aes256-sha2_256;ecp_256

v3.20 and earlier weren't exactly consistent when it came to algorithm names.

(But like Paul pointed out, even better is to omit ecp_256 from the second line as it will use DH19 anyway.)


On 15 May 2018 at 10:21, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 15 May 2018, Madden, Joe wrote:
>
>> Doesn't work with dh19 on the esp line:
>
>
>> May 15 13:59:56 clyde01 pluto[20172]: phase2alg string error: 
>> pfsgroup "dh19" not found
>>
>> Seems to work when you load it via IKE settings
>>
>> clyde01 pluto[20570]: added connection description "seutmc-charm"
>>
>> Should I raise a Bugzilla with RHEL on this?
>
>
> Note you do not have to specify this with the esp= line. Leaving it 
> out means you re-use the same group as the first ike= exchange used.
>
> Specifying it works on 3.24, which will be in RHEL-7.6. And 3.24 also 
> will have other improvements (re-auth, better rekey support) so this 
> change would not be a likely candidate for backporting to RHEL-7.5 or 
> earlier.
>
>
> Paul

