Would it be more helpful to enable debug logging? Or is there some other
test that could be done to figure this out?

Regards,

*Brady Johnson*
Principal Software Engineer
Telco Verification Ecosystems Engineering
brady.john...@redhat.com



On Fri, Feb 16, 2024 at 1:45 AM Andrew Cagney <andrew.cag...@gmail.com>
wrote:

> > Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
>
> notice how the client sent a CP payload in the request (CP_REQUEST to be
> exact).
>
> but
>
> > #2: missing v2CP reply, not attempting to setup child SA
> > #1: IKE SA established but initiator rejected Child SA response
>
> the responder never came back with a CP_RESPONSE, which is required to
> create the Child SA.  Hence no child, leaving only the IKE SA.
>
> What I'm not clear on is why the initiator asked for CP, and the
> responder declined its request.
>
> Andrew
>
>
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
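
Added example, not part of the original thread or of libreswan: a small Python check that correlates the pluto messages quoted above, flagging a connection where the IKE_AUTH request carried CP, no CP came back, and the Child SA was not set up. The sample log is constructed; the `client` host name, its PID, and the IKE_AUTH response line (modelled on the quoted request line) are assumptions.

```python
import re

# Constructed sample. Lines 1, 3 and 4 reuse the messages quoted in the thread;
# line 2 (a response without CP) is an assumed format modelled on line 1.
SAMPLE_LOG = '''\
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
Feb 15 06:15:48 client pluto[1234]: "server01.cnf.com" #2: processing decrypted IKE_AUTH response: SK{IDr,CERT,AUTH,SA,TSi,TSr}
Feb 15 06:15:48 client pluto[1234]: "server01.cnf.com" #2: missing v2CP reply, not attempting to setup child SA
Feb 15 06:15:48 client pluto[1234]: "server01.cnf.com" #1: IKE SA established but initiator rejected Child SA response
'''

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
AUTH = re.compile(r'processing decrypted IKE_AUTH (request|response): SK\{([^}]*)\}')
FAILURES = ("missing v2CP reply", "rejected Child SA response")

def cp_findings(log_text):
    """Per connection name: was CP requested, was it answered, did the child fail?"""
    result = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pluto connection message
        info = result.setdefault(m["conn"], {
            "cp_requested": False, "cp_in_response": None, "child_rejected": False})
        auth = AUTH.search(m["msg"])
        if auth:
            has_cp = "CP" in auth.group(2).split(",")  # exact payload name, not a substring
            if auth.group(1) == "request":
                info["cp_requested"] = info["cp_requested"] or has_cp
            else:
                info["cp_in_response"] = has_cp
        elif any(text in m["msg"] for text in FAILURES):
            info["child_rejected"] = True
    return result

def diagnose(info):
    """None for cp_in_response means the response line was not in this log."""
    if info["cp_requested"] and not info["cp_in_response"] and info["child_rejected"]:
        return "CP requested, no CP reply, Child SA not set up"
    return "no CP mismatch seen"

if __name__ == "__main__":
    for conn, info in cp_findings(SAMPLE_LOG).items():
        print(conn, info, diagnose(info))
```
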
