IPsec script neither sets a default DH group for IKE nor warns that it should be set
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	dmbaturin
	Jun 1 2018, 2:35 AM

Description

Create an IKE group without DH group:

ike-group Foo {
    proposal 1 {
        encryption aes128
        hash sha1
    }
}

In ipsec.conf you get: ike=aes128-sha1!

And then in logs you get:

Jun  1 02:29:11 vyos-test charon: 14[CFG] a DH group is mandatory in IKE proposals
Jun  1 02:29:11 vyos-test charon: 14[CFG] skipped invalid proposal string: aes128-sha1

We should set the default to whatever it was in 1.1.8 I suppose, for compatibility reasons. I think it was DH group 2.

Details

Version: 1.2.0

Related Objects

Duplicates Merged Here: T374: Different default IKE DH Group behaviour between v1.1.7 and v999 Nightlies

Event Timeline

dmbaturin created this task.Jun 1 2018, 2:35 AM

dmbaturin renamed this task from IPsec script neither sets a default DH group for IKE neither warns that it should be set to IPsec script neither sets a default DH group for IKE nor warns that it should be set.

dmbaturin claimed this task.

dmbaturin triaged this task as High priority.

dmbaturin edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.Jun 3 2018, 3:36 AM

dmbaturin edited a custom field.

dmbaturin moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.

pasik subscribed.Jun 19 2018, 5:05 PM

syncer closed this task as Resolved.Jul 3 2018, 7:19 AM

syncer added a project: VyOS-1.2.0-GA.Oct 15 2018, 10:54 PM

dmbaturin merged a task: T374: Different default IKE DH Group behaviour between v1.1.7 and v999 Nightlies.Nov 11 2018, 10:14 AM

dmbaturin added subscribers: JulesT, syncer, c-po.