Tags: networking, config_error; ai_generated: true
IPsec: PFS group mismatch in Quick Mode, proposal rejected by peer 203.0.113.5
ID: networking/ipsec-pfs-mismatch
Fix Rate: 88%
Confidence: 87%
Evidence: 1
First Seen: 2024-06-10
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9.11 | active | — | — | — |
| Libreswan 4.12 | active | — | — | — |
| Linux kernel 6.2 | active | — | — | — |
Root Cause
The IKE peer's Perfect Forward Secrecy (PFS) Diffie-Hellman group in Quick Mode does not match the local configuration, causing the SA negotiation to fail.
Official Documentation
https://docs.strongswan.org/docs/5.9/config/ipsec-conf.html
Workarounds
- 90% success: Align PFS groups in ipsec.conf: set pfs=yes and esp=aes256-sha256-modp2048 on both peers, then reload: ipsec reload
- 85% success: Check peer logs for supported groups and update local config accordingly; e.g., on strongSwan use: swanctl --list-sas | grep 'pfs'
Dead Ends
Common approaches that don't work:
- 95% fail: The configuration mismatch persists after restart; the PFS group setting must be aligned manually.
- 50% fail: While this may work, it reduces security and may be rejected by the peer if it requires PFS.