strongSwan installed on Linux and Windows 10 giving "policy mismatch error"

This post was last edited by 角色 on 2022-5-3 12:10

Please read the following messages to resolve the captioned issue:
  The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.

  You have two options:

  1. Configure Windows to use a stronger DH group. This can be done either
     - via the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
     - or via the registry by adding the DWORD key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to 1 to enable (the other algorithms are still proposed), or 2 to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
  2. Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024, which adds it at the end so other clients may use stronger DH groups).

  Option 1 is definitely preferred.
References:

I used the method as follows:
  or via the registry by adding the DWORD key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to 1 to enable (the other algorithms are still proposed), or 2 to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
Please note that you have to use the "local machine" to install the certificate generated by strongSwan.

[1] https://serverfault.com/question ... error/965275#965275
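The following is an added PowerShell example (not from the original post, the quoted answer or strongSwan) that applies the preferred option per connection via Set-VpnConnectionIPsecConfiguration and then checks the machine-wide NegotiateDH2048_AES256 registry switch quoted above. It assumes an existing VPN connection named strongSwan-VPN (placeholder), an elevated shell, and that the IPsecCustomPolicy property of Get-VpnConnection exposes the applied policy.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell.
$ConnectionName = 'strongSwan-VPN'   # placeholder: name of your existing VPN connection

# 1. Per-connection IKEv2/IPsec policy (option 1, cmdlet variant).
#    Values chosen to match the "aes256 ... sha256 ... modp2048" proposal in
#    the quoted server ike= line: AES-256-CBC, SHA-256, DH group 14.
$policy = @{
    ConnectionName                   = $ConnectionName
    EncryptionMethod                 = 'AES256'     # IKE SA cipher (AES-256-CBC)
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity / PRF
    DHGroup                          = 'Group14'    # 2048-bit MODP instead of the 1024-bit default
    CipherTransformConstants         = 'AES256'     # ESP (CHILD_SA) cipher
    AuthenticationTransformConstants = 'SHA256128'  # ESP integrity (HMAC-SHA-256-128)
    PfsGroup                         = 'None'       # only set e.g. PFS2048 if the server's esp= line also lists a DH group
    Force                            = $true        # do not prompt for confirmation
}
Set-VpnConnectionIPsecConfiguration @policy

# 2. Show what the connection will now propose (assumption: IPsecCustomPolicy
#    property on the VpnConnection object).
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy

# 3. Machine-wide switch (option 1, registry variant) from the quoted answer:
#    1 = additionally offer AES-256/MODP-2048, 2 = propose only those.
#    Absent = Windows default, i.e. the weak 1024-bit MODP proposal.
$rasKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$current = Get-ItemProperty -Path $rasKey -Name NegotiateDH2048_AES256 -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Output 'NegotiateDH2048_AES256 is not set; the 1024-bit MODP default applies.'
} else {
    Write-Output "NegotiateDH2048_AES256 = $($current.NegotiateDH2048_AES256)"
}
# To enforce AES-256-CBC + MODP-2048 for every connection on this machine
# instead of per connection, uncomment the next line (requires a reconnect):
# New-ItemProperty -Path $rasKey -Name NegotiateDH2048_AES256 -PropertyType DWord -Value 2 -Force
```

The per-connection policy and the registry value are independent; if both are set, the connection-specific policy is the one that decides what that connection proposes, so verify with step 2 rather than assuming the registry value alone fixed the mismatch.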