pothuganti sridhar
2016-10-07 07:48:00 UTC
Hi,
We have configured two proposals, one with PFS enabled and another with PFS
disabled. With this configuration, strongSwan is sharing only the one
PFS-enabled proposal with the peer in quick mode.
Following is our configuration:
conn client
    auto=add
    left=%any
    ike=3des-md5-modp1024!
    esp=aes128-md5-modp1024,aes128-md5!
    right=2.2.2.1
    leftauth=psk
    rightauth=psk
    aggressive=yes
    leftid=keyid:C2S
    rightid=%any
    modeconfig=pull
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
    xauth=client
    leftauth2=xauth
    xauth_identity=user
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    ikelifetime=28800s
    lifetime=300s
    rekeymargin=15s
With the above configuration, strongSwan is sending only one proposal,
"aes128-md5-modp1024", as part of quick mode, instead of sending both.
Is there any way we can send both proposals to the peer in quick mode?
Any pointers would be helpful.
Regards,
Sridhar