# IPsec: PFS group mismatch in quick mode, proposal rejected by peer 203.0.113.5

- **ID:** `networking/ipsec-pfs-mismatch`
- **Domain:** networking
- **Category:** config_error
- **Verification level:** ai_generated
- **Fix rate:** 88%

## Root cause

The Perfect Forward Secrecy (PFS) Diffie-Hellman group that the IKE peer proposes in quick mode (phase 2) does not match the group in the local configuration, so the IPsec SA negotiation fails.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| strongSwan 5.9.11 | active | — | — |
| Libreswan 4.12 | active | — | — |
| Linux kernel 6.2 | active | — | — |

## Solution

1. Align the PFS groups in `ipsec.conf`: set `pfs=yes` and `esp=aes256-sha256-modp2048` on both peers, then reload the configuration:
   ```
   ipsec reload
   ```
2. Check the peer's logs for the groups it supports and update the local configuration accordingly; on strongSwan, for example:
   ```
   swanctl --list-sas | grep 'pfs'
   ```
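
To make the mismatch in step 1 concrete, here is an added example (not part of the original entry or of strongSwan or Libreswan) that parses the `esp=` and `pfs=` settings of two `conn` blocks and reports whether the peers share a quick-mode DH group. The `conn` texts are constructed samples; the DH group name table is a hand-written subset, and the `pfs=no` handling is a simplified model of the Libreswan keyword.

```python
import re

# DH group names that may appear as the last element of an esp= proposal
# (constructed subset for this example; the daemons accept more)
DH_GROUPS = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072",
             "modp4096", "modp6144", "modp8192",
             "ecp256", "ecp384", "ecp521", "curve25519"}

def parse_conn(text):
    """Parse the key=value lines of one ipsec.conf conn block into a dict.
    Comments and blank lines are skipped; the 'conn NAME' header is ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def parse_proposals(esp):
    """Split 'aes256-sha256-modp2048,aes128-sha1' into a list of
    (encryption, integrity, dh_group) tuples; dh_group is None when absent."""
    result = []
    for proposal in esp.split(","):
        parts = proposal.strip().split("-")
        if parts == [""]:
            continue
        dh = parts[-1] if parts[-1] in DH_GROUPS else None
        algs = parts[:-1] if dh else parts
        enc = algs[0] if algs else None
        integ = algs[1] if len(algs) > 1 else None
        result.append((enc, integ, dh))
    return result

def pfs_groups(conn):
    """Set of DH groups a peer will offer/accept for phase 2 PFS.
    pfs=no means no group at all (represented as None); otherwise the groups
    are whatever the esp= proposals name. A proposal that names no group
    contributes None, i.e. 'no PFS' would also be accepted. (Simplified model.)"""
    if conn.get("pfs", "yes").lower() == "no":
        return {None}
    return {dh for _, _, dh in parse_proposals(conn.get("esp", ""))}

def check_pfs(local_conn_text, peer_conn_text):
    """Compare the PFS groups of two conn blocks.
    Returns (ok, common_groups, message)."""
    local = pfs_groups(parse_conn(local_conn_text))
    peer = pfs_groups(parse_conn(peer_conn_text))
    common = local & peer
    name = lambda groups: sorted(g or "none" for g in groups)
    if common:
        return True, common, f"PFS groups agree: {name(common)}"
    return False, common, (f"PFS mismatch: local offers {name(local)}, "
                           f"peer accepts {name(peer)}; align esp= on both sides")

# Constructed sample conn blocks: the local side and a peer with the wrong group
LOCAL_CONF = """conn site
  esp=aes256-sha256-modp2048
  pfs=yes
"""
PEER_MISMATCH = """conn site
  esp=aes256-sha256-modp1536   # peer still on a weaker group
"""
PEER_ALIGNED = """conn site
  esp=aes256-sha256-modp2048
"""

if __name__ == "__main__":
    for label, peer in (("before", PEER_MISMATCH), ("after", PEER_ALIGNED)):
        ok, _, msg = check_pfs(LOCAL_CONF, peer)
        print(f"{label}: {'OK ' if ok else 'FAIL'} {msg}")
```

Running it prints a failure for the mismatched pair and agreement once both sides carry `modp2048`. One caveat for strongSwan users: since 5.0 the daemon ignores the `pfs=` keyword and enables PFS only when a DH group is present in the `esp=` proposal, which is why the checker keys on the proposal string rather than the flag.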

## Ineffective attempts

- The configuration mismatch persists after a restart; the PFS group setting must be aligned manually. (95% failure rate)
- While this may work, it reduces security and may be rejected by the peer if it requires PFS. (50% failure rate)
