[Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
Dmitry Melekhov
dm at belkam.com
Tue May 14 13:17:58 UTC 2019
13.05.2019 20:16, Dmitry Melekhov writes:
>
> 13.05.2019 20:10, Paul Wouters writes:
>> On Mon, 13 May 2019, Dmitry Melekhov wrote:
>>
>>>
>>> Subject: Re: [Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
>>>
>>> Well, hit the same problem on EdgeOS which runs strongswan.
>>>
>>> Looks like this problem is caused by mobike in all cases.
>>> Disabled.
>>
>> Odd?
>>
>> Note that strongswan does not implement the RFC processing of DH group
>> and KE payload to the letter, unless you set
>> charon.prefer_configured_proposals
>> to "no". Meaning if the initiator and strongswan responder share some DH
>> groups including the initiator's preferred pick for which it builds the KE
>> payload, strongswan still rejects the valid proposal and insists the
>> initiator uses the single preferred responder proposal and its matching
>> KE payload.
>>
>> Paul
>>
> Well, I mean connecting edgeos strongswan to cisco asa.
>
> Looks like it works well with mobike=no; set this on CentOS 7
> libreswan too, need to wait more.
It works OK for strongswan, but libreswan still has problems with Cisco
ASA IKEv2...
:-(
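For readers following this thread, the two settings it mentions, written out as configuration fragments. This is a constructed example, not configuration posted by anyone on the list: the connection name, addresses, proposal string and DH group are placeholders and must be replaced with the values that match the ASA side. `charon.prefer_configured_proposals` is a real strongswan.conf option (default yes); `mobike` is a real per-connection option in both strongswan's ipsec.conf and libreswan's ipsec.conf.

```ini
# /etc/strongswan.conf (strongswan responder)
# Default is yes: the responder insists on its own first proposal and its
# matching DH group, even when the initiator's preferred group is also
# configured locally. Setting no makes strongswan accept the initiator's
# KE payload whenever its group is in the shared set, as described upthread.
charon {
    prefer_configured_proposals = no
}

# /etc/ipsec.conf (strongswan side, classic stroke syntax)
conn to-asa
    keyexchange=ikev2
    # MOBIKE is the trigger reported in this thread; disable it toward the ASA.
    mobike=no
    left=%defaultroute
    right=203.0.113.10              # placeholder ASA address (TEST-NET)
    # Pin a single IKE proposal whose DH group matches the ASA's policy so
    # the KE payload cannot be built for a group the peer rejects.
    ike=aes256-sha256-modp2048!     # placeholder: use the ASA's group
    esp=aes256-sha256!
    auto=start

# /etc/ipsec.conf (libreswan side, CentOS 7)
conn to-asa
    ikev2=insist
    mobike=no                       # same setting on the libreswan peer
    left=%defaultroute
    right=203.0.113.10              # placeholder ASA address (TEST-NET)
    ike=aes256-sha2_256;modp2048    # placeholder: use the ASA's group
    esp=aes256-sha2_256
    auto=start
```

The useful check after changing either file is to re-read the IKE_SA_INIT log lines on both peers: the error quoted in the subject ("KE payload contained the wrong DH group") should disappear once the single offered DH group and the peer's configured group agree, while a remaining failure with mobike still on points back at the MOBIKE notify rather than at the proposal.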