networking
config_error
ai_generated
true
IPsec: PFS group mismatch in Quick Mode, proposal rejected by peer 203.0.113.5
ID: networking/ipsec-pfs-mismatch
Fix rate: 88%
Confidence: 87%
Evidence count: 1
First seen: 2024-06-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9.11 | active | — | — | — |
| Libreswan 4.12 | active | — | — | — |
| Linux kernel 6.2 | active | — | — | — |
Root cause analysis
The IKE peer's Perfect Forward Secrecy (PFS) Diffie-Hellman group in Quick Mode does not match the local configuration, causing the SA negotiation to fail.
Official documentation
https://docs.strongswan.org/docs/5.9/config/ipsec-conf.html
Solution
- Align PFS groups in ipsec.conf: set `pfs=yes` and `esp=aes256-sha256-modp2048` on both peers, then reload: `ipsec reload`
- Check peer logs for supported groups and update the local config accordingly; e.g., on strongSwan use: `swanctl --list-sas | grep 'pfs'`
Ineffective attempts
Common but ineffective approaches:
- 95% failure rate: The configuration mismatch persists after restart; the PFS group setting must be aligned manually.
- 50% failure rate: While this may work, it reduces security and may be rejected by the peer if it requires PFS.