MODP_2048 must not only be supported, it also must be contained in the
configured IKE proposal. As you didn't specify any ike= keyword in
ipsec.conf, it actually should, and I don't see why the responder
doesn't accept it.
Could you increase the log level of cfg to 2 (see [1]) and send us
configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
DH group MODP_2048 inacceptable, requesting MODP_1024
generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Your responder configuration uses the
Been scratching my head over this for a couple of hours now. Time for the
experts to take a look ;-)
Everything was working fine with Ubuntu 10.04 (strongSwan 4.3.2). A colleague
has updated to Ubuntu 10.10 (strongSwan 4.4.0) and now we get:
[IKE] DH group MODP_2048 inacceptable, requesting
Hi Kevin,
[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
So why does the responder reject MODP_2048 when it is a supported algorithm?