Martin,

Thanks for the swift reply.

On 1 December 2010 13:11, Martin Willi <mar...@strongswan.org> wrote:
> Hi Graham,
>
> > selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> > DH group MODP_2048 inacceptable, requesting MODP_1024
>
> > The client sends back N(INVAL_KE) to the server and we then get into
> > an endless cycle of trying to renegotiate the tunnel rekey.
>
> The procedure looks correct so far, but the server should retry rekeying
> with the correct group. What does the server show in its log? Does it
> receive the MODP_1024 request, but retries again with MODP_2048?

Unfortunately, I was running with minimal tracing on the server. The tracing on the client would suggest not.

> > is this a bug in strongSwan?
>
> Looks like.

Yikes! Unfortunately, this being a live server and all, I've switched over to using "esp=aes-sha1" on the server. We'll have to wait ~8 hours to see if that works. If I get some time next week, I'll try and set up a separate server and point one of the clients at it.

> > the server a hacked version of strongSwan 4.3.2.
>
> Have you tried a more recent version on the server? Haven't found a
> related changelog, but maybe we have fixed this issue in the last
> one-and-a-half years.

Ah. Unfortunately, our copy of 4.3.2 is heavily hacked and the area that is hacked was completely re-architected by yourselves in 4.3.3 :-)

We are looking to do some new work with the server code in the New Year and as a prerequisite, I shall be moving our "hacks" to the latest release of strongSwan then.

I'll let you know what happens.

Cheers,
Graham.
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
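The rekey loop discussed in the thread comes down to how the initiator handles an INVALID_KE_PAYLOAD notify (IKEv2, RFC 7296): the responder rejects the offered DH group and names the group it wants, and the initiator is expected to retry with that group rather than its own first preference. The following is an added example, not strongSwan code and not part of the original mail: a small Python model of that exchange showing the correct retry (server re-proposes the requested MODP_1024 and the rekey succeeds), the defective behaviour the poster observed (server ignores the request and re-sends MODP_2048 until a retry cap stops it), and the case where the requested group is not configured locally. The peer and helper names, the retry cap, and the configured group lists are assumptions made for the illustration; the notify type number (17) and the IANA group numbers (MODP_1024 = 2, MODP_2048 = 14) are the standard values.

```python
"""Model of IKEv2 DH-group negotiation via INVALID_KE_PAYLOAD.

Added example (not strongSwan code). Group numbers follow the IANA
IKEv2 "Transform Type 4 - Diffie-Hellman Group" registry; the notify
type is from RFC 7296. Everything else is constructed for illustration.
"""
from dataclasses import dataclass

INVALID_KE_PAYLOAD = 17   # IKEv2 notify message type (RFC 7296)
MODP_1024 = 2             # IANA DH group number for 1024-bit MODP
MODP_2048 = 14            # IANA DH group number for 2048-bit MODP

GROUP_NAMES = {MODP_1024: "MODP_1024", MODP_2048: "MODP_2048"}


@dataclass
class Peer:
    """A peer with its configured DH groups, most preferred first (assumed model)."""
    name: str
    groups: list

    def answer_ke(self, offered):
        """Responder side: accept the offered group, or return an
        INVALID_KE_PAYLOAD notify carrying the group we want instead."""
        if offered in self.groups:
            return None
        return (INVALID_KE_PAYLOAD, self.groups[0])


def negotiate(initiator, responder, honour_request=True, max_retries=3):
    """Initiator side of the exchange (assumed model, not strongSwan's code).

    Returns (outcome, offered_groups) where outcome is one of
    'established', 'failed' (requested group not configured locally) or
    'gave_up' (retry cap hit, i.e. the endless loop the thread describes,
    bounded here so a defective peer cannot spin forever).
    """
    offered = []
    group = initiator.groups[0]
    for _ in range(max_retries + 1):
        offered.append(group)
        reply = responder.answer_ke(group)
        if reply is None:
            return "established", offered
        _notify, requested = reply
        if not honour_request:
            # Defective behaviour: ignore the notify and re-send our own
            # first preference, which the responder will reject again.
            group = initiator.groups[0]
            continue
        if requested not in initiator.groups:
            # Correct behaviour when the peers share no group: stop, do not loop.
            return "failed", offered
        # Correct behaviour: retry once with exactly the group the peer asked for.
        group = requested
    return "gave_up", offered


def describe(outcome, offered):
    """Render the offered-group sequence in the style of the log lines quoted above."""
    names = " -> ".join(GROUP_NAMES.get(g, str(g)) for g in offered)
    return f"{outcome}: {names}"


if __name__ == "__main__":
    server = Peer("server", [MODP_2048, MODP_1024])  # constructed config
    client = Peer("client", [MODP_1024])             # constructed config
    print(describe(*negotiate(server, client)))
    print(describe(*negotiate(server, client, honour_request=False)))
    print(describe(*negotiate(Peer("server", [MODP_2048]), client)))
```

Running it prints one line per scenario: the correct initiator offers MODP_2048, receives the notify, re-offers MODP_1024 and establishes; the defective one re-offers MODP_2048 four times and gives up; the server configured only for MODP_2048 fails cleanly on the first rejection. The retry cap is the defensive part worth carrying into any real implementation or monitoring rule: a rekey that is retried with the same rejected group more than once is a bug on the initiator side, not a transient condition.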