13.05.2019 20:16, Dmitry Melekhov wrote:
13.05.2019 20:10, Paul Wouters wrote:
On Mon, 13 May 2019, Dmitry Melekhov wrote:
Subject: Re: [Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
Well, hit the same problem on EdgeOS which runs strongswan.
Looks like this problem is caused by mobike in all cases.
Disabled.
Odd?
Note that strongswan does not implement the RFC processing of DH group
and KE payload to the letter, unless you set
charon.prefer_configured_proposals
to "no". Meaning if the initiator and strongswan responder share some DH
groups including the initiator's preferred pick for which it builds the KE
payload, strongswan still rejects the valid proposal and insists the
initiator uses the single preferred responder proposal and its matching
KE payload.
Paul
Well, I mean connecting edgeos strongswan to cisco asa.
Looks like it works good, with mobike=no, set this on centos 7
libreswan too, need to wait more.
It works OK for strongswan, but libreswan still has problems with Cisco
ASA ike2...
:-(
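Added example, not part of the thread and not strongSwan or libreswan code: a simplified Python model of the responder behaviour Paul describes, showing how a responder that insists on its own configured DH group order forces an INVALID_KE_PAYLOAD retry even when the initiator's KE group is one both sides share. The function names, the prefer_configured flag (standing in for charon.prefer_configured_proposals) and the sample group lists are constructed for illustration.

```python
# Simplified model of IKE_SA_INIT DH group handling (illustrative only).
# Group numbers are IANA IKEv2 DH group IDs: 14 = modp2048, 19 = ecp256.

INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"
NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"
ACCEPT = "ACCEPT"


def respond(initiator_groups, ke_group, responder_groups, prefer_configured):
    """Return (result, group) for one IKE_SA_INIT request.

    initiator_groups: DH groups offered in the SA payload, in initiator order.
    ke_group: group the initiator's KE payload was computed in.
    responder_groups: responder's configured groups, in preference order.
    prefer_configured: True models the behaviour described in the thread,
        where the responder's own first shared group always wins.
    """
    shared = [g for g in responder_groups if g in initiator_groups]
    if not shared:
        return (NO_PROPOSAL_CHOSEN, None)
    if not prefer_configured and ke_group in shared:
        selected = ke_group      # KE group is acceptable: take it, no retry
    else:
        selected = shared[0]     # responder's configured order decides
    if ke_group != selected:
        # Responder names the group it wants; initiator must resend its KE.
        return (INVALID_KE_PAYLOAD, selected)
    return (ACCEPT, selected)


def negotiate(initiator_groups, responder_groups, prefer_configured, max_tries=3):
    """Run the exchange and return a trace of (ke_group, result, group)."""
    ke_group = initiator_groups[0]   # initiator guesses its first group
    trace = []
    for _ in range(max_tries):
        result, group = respond(initiator_groups, ke_group,
                                responder_groups, prefer_configured)
        trace.append((ke_group, result, group))
        if result != INVALID_KE_PAYLOAD:
            break
        ke_group = group             # retry with the group the responder named
    return trace


if __name__ == "__main__":
    # Constructed sample: both peers share groups 19 and 14, in opposite order.
    for flag in (True, False):
        print(flag, negotiate([19, 14], [14, 19], prefer_configured=flag))
```

An initiator that treats the first INVALID_KE_PAYLOAD as fatal instead of retrying would stop after the first trace entry in the prefer_configured=True case.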