# IPsec: PFS group mismatch in Quick Mode, proposal rejected by peer 203.0.113.5

- **ID:** `networking/ipsec-pfs-mismatch`
- **Domain:** networking
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The IKE peer's Perfect Forward Secrecy (PFS) Diffie-Hellman group in Quick Mode does not match the local configuration, causing the SA negotiation to fail.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| strongSwan 5.9.11 | active | — | — |
| Libreswan 4.12 | active | — | — |
| Linux kernel 6.2 | active | — | — |

## Workarounds

1. **Align the PFS groups in `ipsec.conf`** (90% success): set `pfs=yes` and `esp=aes256-sha256-modp2048` on both peers, then reload with `ipsec reload`.
   ```
   pfs=yes
   esp=aes256-sha256-modp2048
   ```
2. **Check the peer's logs for the groups it supports and update the local config to match** (85% success); on strongSwan, inspect the established SAs and their PFS groups with:
   ```
   swanctl --list-sas | grep 'pfs'
   ```
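As an added example (not part of the original entry), a strongSwan `ipsec.conf` connection shown twice: first with the mismatched Quick Mode DH group that triggers the rejection, then aligned with the peer. Addresses, subnets and the connection names are constructed; the entry's own peer address 203.0.113.5 is reused, and a pre-shared key in `ipsec.secrets` is assumed.

```conf
# Constructed example (strongSwan legacy ipsec.conf syntax), not from the original entry.
# Local endpoint 192.0.2.10 and the subnets are made up; 203.0.113.5 is the peer from the title.

# BEFORE: the local ESP proposal requests modp1024 for Quick Mode PFS while the peer
# only accepts modp2048. The DH groups differ, so the peer rejects the proposal and
# no IPsec SA is established even though the IKE SA (Phase 1) comes up.
conn site-a-to-b-broken
    keyexchange=ikev1            # Quick Mode only exists in IKEv1
    authby=secret                # PSK assumed in ipsec.secrets
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.5
    rightsubnet=10.2.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp1024!  # <-- PFS group mismatch with the peer
    auto=start

# AFTER: the esp= proposal is identical on both peers. In strongSwan 5.x the DH group
# appended to esp= is what requests PFS for the IPsec SA; the trailing "!" makes the
# proposal strict so no default (non-PFS) proposals are appended. Apply with: ipsec reload
conn site-a-to-b
    keyexchange=ikev1
    authby=secret
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.5
    rightsubnet=10.2.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!  # same group as the peer -> Quick Mode succeeds
    auto=start
```

The peer's `conn` block mirrors this one with `left`/`right` swapped and the same `esp=` line; any difference in the DH group on either side reproduces the rejection.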

## Dead Ends

- **Restarting the IPsec daemon** — The configuration mismatch persists after restart; the PFS group setting must be aligned manually. (95% fail)
- **Disabling PFS locally** — While this may work, it reduces security and may be rejected by the peer if it requires PFS. (50% fail)
