Would it be more helpful to enable debug logging? Or is there some other test that could be done to figure this out?
Regards,

*Brady Johnson*
Principal Software Engineer
Telco Verification Ecosystems Engineering
brady.john...@redhat.com

On Fri, Feb 16, 2024 at 1:45 AM Andrew Cagney <andrew.cag...@gmail.com> wrote:

> > Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
>
> notice how the client sent a CP payload in the request (CP_REQUEST to be exact).
>
> but
>
> > #2: missing v2CP reply, not attempting to setup child SA
> > #1: IKE SA established but initiator rejected Child SA response
>
> the responder never came back with a CP_RESPONSE, which is required to create the Child SA. Hence no child leaving only the IKE SA.
>
> What I'm not clear on is why the initiator asked for CP, and the responder declined its request.
>
> Andrew
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
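A triage sketch for the pattern discussed in the thread above, added here as an example (it is not part of the thread and not libreswan code): it scans pluto log lines for an IKE_AUTH request whose SK{} payload list includes CP, followed by "missing v2CP reply". The sample log reuses the three lines quoted above; the syslog prefix and connection name on the second and third lines are constructed, and the function names are hypothetical.

```python
import re

# Optional "connection name", then "#<state>: <message>" as in the quoted lines.
LINE_RE = re.compile(r'(?:"(?P<conn>[^"]+)"\s+)?#(?P<state>\d+):\s+(?P<msg>.+)')
# Payload list of a decrypted IKE_AUTH request, e.g. SK{IDi,CERT,AUTH,CP,...}
SK_RE = re.compile(r'IKE_AUTH request: SK\{(?P<payloads>[^}]*)\}')

# Constructed sample: message texts are the ones quoted in the thread; the
# prefix on lines 2 and 3 is copied from line 1 (assumption).
PREFIX = 'Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" '
SAMPLE_LOG = "\n".join([
    PREFIX + "#2: processing decrypted IKE_AUTH request: "
             "SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}",
    PREFIX + "#2: missing v2CP reply, not attempting to setup child SA",
    PREFIX + "#1: IKE SA established but initiator rejected Child SA response",
])


def diagnose(log_text):
    """Return {connection: flags} summarising CP handling seen in the log."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-state pluto message
        entry = summary.setdefault(m.group("conn") or "(unnamed)", {
            "cp_requested": False, "cp_reply_missing": False,
            "child_rejected": False, "states": set()})
        entry["states"].add(int(m.group("state")))
        msg = m.group("msg")
        sk = SK_RE.search(msg)
        # Match CP as a whole payload name, not as a substring of another one.
        if sk and "CP" in sk.group("payloads").split(","):
            entry["cp_requested"] = True
        if "missing v2CP reply" in msg:
            entry["cp_reply_missing"] = True
        if "initiator rejected Child SA response" in msg:
            entry["child_rejected"] = True
    return summary


def cp_mismatch(summary):
    """Connections where CP was requested but no CP reply was produced."""
    return sorted(name for name, e in summary.items()
                  if e["cp_requested"] and e["cp_reply_missing"])


if __name__ == "__main__":
    for name in cp_mismatch(diagnose(SAMPLE_LOG)):
        print(f"{name}: CP requested in IKE_AUTH, but no v2CP reply logged")
```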