On Wed, 7 Feb 2024, Marc wrote:

This is a win10 client. What problem do I have here?

Feb  6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320:
1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED

so we received a proposal like: esp=aes_gcm128,aes_gcm256 with DH14

but your esp= line does not seem to allow this. It means you have
a non-default esp= line that doesn't include what Windows wants.

I don't have an esp= configured and I am using Libreswan 4.12 on alpine

Then the above proposal should already be included in the default?

Is this happening on rekeys? Windows did have various bugs related to
rekeying, so if that's the case, try adding ms-dh-downgrade=yes

Is it possible to configure esp with something like

esp={defaults}+aes_gcm256

No. You either use the defaults or specify the entire list.

Paul

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
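
A small helper for reading the proposal in the pluto log line quoted above and seeing which field a local policy would reject. This is an added example, not code from the thread or from Libreswan. The field order (encryption, integrity, DH, ESN) is an assumption inferred from the reading given in the reply, and the policy dictionaries in the usage are constructed for illustration, not Libreswan's defaults or its esp= syntax.

```python
import re

# Proposal text taken from the log line in the thread (timestamp and peer omitted).
SAMPLE = "1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED"

# Assumed field order for an ESP proposal in this log format.
FIELDS = ("encr", "integ", "dh", "esn")


def parse_proposal(text):
    """Split 'N:PROTO=a+b-c-d-e' into number, protocol and per-field alternatives.

    '-' separates fields and '+' separates alternatives inside a field, so this
    only works for transform names that contain neither character.
    """
    m = re.fullmatch(r"(\d+):([A-Z]+)=(.+)", text.strip())
    if not m:
        raise ValueError(f"not a proposal: {text!r}")
    parts = m.group(3).split("-")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    prop = {"number": int(m.group(1)), "protocol": m.group(2)}
    for name, part in zip(FIELDS, parts):
        prop[name] = part.split("+")
    return prop


def blocking_fields(prop, policy):
    """Return the fields where none of the offered alternatives is allowed locally."""
    return [f for f in FIELDS
            if not any(v in policy.get(f, ()) for v in prop[f])]


if __name__ == "__main__":
    offered = parse_proposal(SAMPLE)
    # Hypothetical local policy that only allows AES-CBC with SHA2 integrity.
    cbc_only = {"encr": {"AES_CBC_256"}, "integ": {"HMAC_SHA2_256_128"},
                "dh": {"MODP2048"}, "esn": {"DISABLED"}}
    print(offered)
    print("blocked by:", blocking_fields(offered, cbc_only))
```
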