[Swan] Cisco IOS XE Interoperability with Libreswan

Paul Wouters paul at nohats.ca
Wed Aug 15 19:38:33 UTC 2018


On Wed, 15 Aug 2018, Reuben Farrelly wrote:

>>  You didn't show me what happened next, so I cannot tell. It all looks
>>  healthy up to here. You can avoid the extra roundtrip of INVALID_KE
>>  by using: ike=aes256-sha2_512;dh19
>
> Ok here's a complete negotiation run:

[...]

It seems the Cisco wrongly retransmits the same IKE_INIT, and forgets to
update the KE payload. I've pinged one of my Cisco contacts for some
more information. Is there a chance you can update the firmware on that
Cisco device just in case it's an old fixed bug?

Paul
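
A check for the behaviour diagnosed above, added here as an example (not part of the original message and not libreswan code): it parses unencrypted IKE_SA_INIT messages per RFC 7296 and tests whether the retried request's KE payload uses the DH group the responder asked for in INVALID_KE_PAYLOAD. The sample messages are constructed, and DH group 14 for the first attempt is an assumption; `build` and the other function names are hypothetical.

```python
import struct
IKE_SA_INIT, KE, NONCE, NOTIFY, INVALID_KE_PAYLOAD = 34, 34, 40, 41, 17

def payloads(msg):
    """Yield (type, body) for each payload of an unencrypted IKE_SA_INIT message."""
    if len(msg) < 28 or msg[18] != IKE_SA_INIT:
        raise ValueError("not an IKE_SA_INIT message")
    next_type, offset = msg[16], 28  # 28 = fixed IKE header length
    while next_type != 0 and offset + 4 <= len(msg):
        following, _, length = struct.unpack_from("!BBH", msg, offset)
        if length < 4 or offset + length > len(msg):
            raise ValueError("bad payload length")
        yield next_type, msg[offset + 4:offset + length]
        next_type, offset = following, offset + length

def ke_group(msg):
    """DH group number carried in the KE payload, or None if there is no KE."""
    for ptype, body in payloads(msg):
        if ptype == KE and len(body) >= 4:
            return struct.unpack_from("!H", body)[0]
    return None

def invalid_ke_group(msg):
    """DH group requested in N(INVALID_KE_PAYLOAD), or None if not present."""
    for ptype, body in payloads(msg):
        if ptype == NOTIFY and len(body) >= 4:
            _, spi_size, ntype = struct.unpack_from("!BBH", body)
            data = body[4 + spi_size:]  # notification data follows the SPI
            if ntype == INVALID_KE_PAYLOAD and len(data) >= 2:
                return struct.unpack_from("!H", data)[0]
    return None

def retry_honours_invalid_ke(reply, retry):
    """True if the retried request switched its KE to the requested group."""
    wanted = invalid_ke_group(reply)
    return wanted is not None and ke_group(retry) == wanted

def build(items, flags):
    """Constructed sample message: zero SPIs, message ID 0, chained payloads."""
    body = b""
    for i, (ptype, data) in enumerate(items):
        nxt = items[i + 1][0] if i + 1 < len(items) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return bytes(16) + struct.pack("!BBBBII", items[0][0], 0x20, IKE_SA_INIT, flags, 0, 28 + len(body)) + body

# Constructed samples (placeholder key/nonce bytes); group 14 is an assumed first offer.
FIRST = build([(KE, struct.pack("!HH", 14, 0) + bytes(8)), (NONCE, bytes(16))], 0x08)
REPLY = build([(NOTIFY, struct.pack("!BBHH", 0, 0, INVALID_KE_PAYLOAD, 19))], 0x20)
BAD_RETRY, GOOD_RETRY = FIRST, build([(KE, struct.pack("!HH", 19, 0) + bytes(8)), (NONCE, bytes(16))], 0x08)
```

`retry_honours_invalid_ke(REPLY, BAD_RETRY)` is false for a retransmit that keeps the old KE payload, and true for `GOOD_RETRY`.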

