On Wed, 15 Aug 2018, Reuben Farrelly wrote:
>> You didn't show me what happened next, so I cannot tell. It all looks
>> healthy up to here. You can avoid the extra roundtrip of INVALID_KE
>> by using: ike=aes256-sha2_512;dh19
> Ok here's a complete negotiation run:
> [...]
It seems the Cisco wrongly retransmits the same IKE_INIT, and forgets to
update the KE payload. I've pinged one of my Cisco contacts for some
more information. Is there a chance you can update the firmware on that
Cisco device just in case it's an old fixed bug?
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
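An added example, not from this thread or from libreswan's own code: a small Python check over constructed IKE_SA_INIT messages that walks the IKEv2 payload chain, reads the DH group the responder asks for in its INVALID_KE_PAYLOAD notify, and flags a retransmission whose KE payload still carries the old group, which is the initiator behaviour Paul describes above. Payload layouts follow RFC 7296; the sample messages are constructed and omit the SA and nonce payloads a real exchange carries.

```python
import struct
IKE_SA_INIT, PL_KE, PL_NOTIFY = 34, 34, 41      # exchange / payload type codes, RFC 7296
INVALID_KE_PAYLOAD = 17                          # notify type whose data is the wanted DH group

def build_ike_sa_init(spi_i, payloads, spi_r=0, flags=0x08):
    """Assemble a minimal IKE_SA_INIT from (payload_type, body) pairs (constructed test data)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data   # generic payload header
    hdr = struct.pack("!QQBBBBII", spi_i, spi_r, payloads[0][0], 0x20,
                      IKE_SA_INIT, flags, 0, 28 + len(body))
    return hdr + body

def parse_payloads(msg):
    """Walk the payload chain, yielding (payload_type, body); rejects lengths that overrun."""
    ptype, off, end = msg[16], 28, struct.unpack("!I", msg[24:28])[0]
    while ptype and off + 4 <= end:
        nxt, _, length = struct.unpack("!BBH", msg[off:off + 4])
        if length < 4 or off + length > end:
            raise ValueError("payload overruns message")
        yield ptype, msg[off + 4:off + length]
        ptype, off = nxt, off + length

def ke_group(msg):
    """DH group announced in the KE payload, or None if there is no KE."""
    return next((struct.unpack("!H", b[:2])[0] for t, b in parse_payloads(msg) if t == PL_KE), None)
def invalid_ke_group(msg):
    """DH group the responder asks for via INVALID_KE_PAYLOAD, or None if no such notify."""
    for t, b in parse_payloads(msg):
        if t == PL_NOTIFY:
            _, spi_size, ntype = struct.unpack("!BBH", b[:4])
            if ntype == INVALID_KE_PAYLOAD:
                return struct.unpack("!H", b[4 + spi_size:6 + spi_size])[0]
    return None
def classify_retry(first_init, response, retry):
    """Did the initiator honour INVALID_KE_PAYLOAD on its second IKE_SA_INIT?"""
    wanted = invalid_ke_group(response)
    if wanted is None:
        return "no-invalid-ke"
    if ke_group(retry) == wanted:
        return "ok"                       # fresh KE carrying the requested group
    if ke_group(retry) == ke_group(first_init):
        return "stale-ke-retransmit"      # same KE resent: the failure mode seen in the thread
    return "wrong-group"

# Constructed sample exchange: initiator offers dh14, responder insists on dh19.
ke14, ke19 = (struct.pack("!HH", g, 0) + b"\x11" * 8 for g in (14, 19))   # group, reserved, fake key
notify19 = struct.pack("!BBH", 0, 0, INVALID_KE_PAYLOAD) + struct.pack("!H", 19)
INIT1 = STALE_RETRY = build_ike_sa_init(0x1111, [(PL_KE, ke14)])           # byte-identical resend
RESP = build_ike_sa_init(0x1111, [(PL_NOTIFY, notify19)], spi_r=0x2222, flags=0x20)
FIXED_RETRY = build_ike_sa_init(0x1111, [(PL_KE, ke19)])                    # correct retry
```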