> On Jan 30, 2018, at 10:25 AM, Tobias Brunner <[email protected]> wrote:
>
> Hi Rich,
>
>> I’m not clear on next steps, though — are you saying that this is expected
>> behaviour that can’t be worked around, or that the fix needs to be on the
>> racoon side?
>
> I think this is actually due to a bug in your strongSwan release. Back
> then we sent back the wrong IP address in one of the two NAT-OA
> payloads, which is probably what trips racoon (it seems to compare the
> addresses in the ID payloads with those in the NAT-OA payloads, which
> succeeds for IDci but evidently fails for IDcr). This issue was fixed
> with the patch at [1], which was included in 5.5.2.

Aha, thanks! I’ve confirmed that 5.5.2 fixes the issue. Now to figure out Ubuntu back ports…

Thanks for your help,
-Rich

> Regards,
> Tobias
>
> [1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d8f0d9c2
