On Wed, 7 Feb 2024, Marc wrote:
This is a win10 client. What problem do I have here?
Feb 6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320:
1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
So we received a proposal like: esp=aes_gcm128,aes_gcm256 with DH14
but your esp= line does not seem to allow this. It means you have
a non-default esp= line that doesn't include what Windows wants.
I don't have an esp= configured and I am using Libreswan 4.12 on alpine
Then the above proposal should already be included in the default?
Is this happening on rekeys? Windows did have various bugs related to
rekeying, so if that's the case, try adding ms-dh-downgrade=yes
Is it possible to configure esp with something like
esp={defaults}+aes_gcm256
No. You either use the defaults or specify the entire list.
Paul
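
Added example, not part of the original thread and not Libreswan code: a small Python parser for the proposal string in the pluto log line quoted above, plus a check of which transform types have no overlap with a local policy. Reading the four dash-separated fields as ENCR-INTEG-DH-ESN is an assumption taken from how the reply interprets the line, and both local policies are constructed for illustration.

```python
import re

# Proposal text as it appears in the log line quoted in the thread.
SAMPLE = "1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED"

# Assumed field order for an ESP proposal (not confirmed by the thread).
FIELDS = ("encr", "integ", "dh", "esn")
PROPOSAL_RE = re.compile(r"(\d+):ESP=(\S+)")

def parse_proposal(text):
    """Split 'N:ESP=A+B-C-D-E' into a dict of transform lists per type."""
    m = PROPOSAL_RE.search(text)
    if not m:
        raise ValueError("no ESP proposal found")
    parts = m.group(2).split("-")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    offer = {"number": int(m.group(1))}
    for name, part in zip(FIELDS, parts):
        offer[name] = part.split("+")   # '+' separates alternatives
    return offer

def unmatched_types(offer, policy):
    """Return transform types where the peer's offer and the local policy
    share no value. An IKEv2 proposal is only acceptable when every
    transform type has at least one value both sides allow."""
    return [f for f in FIELDS if not set(offer[f]) & set(policy[f])]

# Constructed local policies, using the same names as the log line.
POLICY_GCM = {"encr": ["AES_GCM_C_256", "AES_GCM_C_128"], "integ": ["NONE"],
              "dh": ["MODP2048"], "esn": ["DISABLED"]}
POLICY_CBC_ONLY = {"encr": ["AES_CBC_256"], "integ": ["NONE"],
                   "dh": ["MODP2048"], "esn": ["DISABLED"]}
POLICY_NO_PFS = dict(POLICY_GCM, dh=["NONE"])

if __name__ == "__main__":
    offer = parse_proposal(SAMPLE)
    print(offer)
    for label, policy in (("gcm", POLICY_GCM), ("cbc-only", POLICY_CBC_ONLY),
                          ("no-pfs", POLICY_NO_PFS)):
        print(label, "unmatched:", unmatched_types(offer, policy))
```
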