Hi Andrew,

This doesn’t work either; it still complains with a syntax error - Leaving it out seems to work though.

I suspect it’s a bug with my version of libreswan - I guess next time RHEL issue a libreswan update that should fix it.

Cheers

Joe.

-----Original Message-----
From: Andrew Cagney [mailto:[email protected]]
Sent: 15 May 2018 17:57
To: Paul Wouters <[email protected]>
Cc: Madden, Joe <[email protected]>; [email protected]
Subject: Re: [Swan] Unable to use DH group 19/

It's a hunch, but try:

ike= aes256-sha2_256;dh19
phase2alg= aes256-sha2_256;ecp_256

v3.20 and earlier weren't exactly consistent when it came to algorithm names (but like Paul pointed out, even better is to omit ecp_256 from the second line as it will use DH19 anyway).

On 15 May 2018 at 10:21, Paul Wouters <[email protected]> wrote:
> On Tue, 15 May 2018, Madden, Joe wrote:
>
>> Doesn't work with dh19 on the esp line:
>>
>> May 15 13:59:56 clyde01 pluto[20172]: phase2alg string error:
>> pfsgroup "dh19" not found
>>
>> Seems to work when you load it via IKE settings
>>
>> clyde01 pluto[20570]: added connection description "seutmc-charm"
>>
>> Should I raise a Bugzilla with RHEL on this?
>
> Note you do not have to specify this with the esp= line. Leaving it
> out means you re-use the same group as the first ike= exchange used.
>
> Specifying it works on 3.24, which will be in RHEL-7.6. And 3.24 also
> will have other improvements (re-auth, better rekey support) so this
> change would not be a likely candidate for backporting to RHEL-7.5 or
> earlier.
>
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
