IPSec Deprecated Cipher Suites not proposed even though configured via web configurator



  • Hi All,

    I'm setting up a proof of concept / demo VPN connection with some older hardware which doesn't support the higher DH Groups (14 and above).

    In the web configurator the DH Groups 1, 2 and 5 are still valid options. But strongSwan does not list them as configured proposals when IPSec negotiation is occurring.

    So I am wondering if there is a config we can change to enable the weak cipher suites for testing purposes?

    Thanks.


  • Rebel Alliance Developer Netgate

    If you have them configured on a P1 or P2 they should be proposed and used if needed.

    You'll need to show the contents of your /var/etc/ipsec/ipsec.conf and the related IPsec logs to tell anything for sure.

