[strongSwan-dev] [StrongSwan]: Tunnels establishment in case of IKE version mismatch

Andreas Steffen andreas.steffen at strongswan.org
Fri Nov 23 08:27:38 CET 2012

Hi Jegathesh,

as a principle, an IKEv1 peer cannot talk to an IKEv2 peer at all
and vice versa but a responder could support both IKEv1 and
IKEv2 at the same time. Starting with strongSwan 5.0 this is the
case with the default setting


as shown in the following example scenario:


whereas a responder with


will react to IKEv1 initiators only and with


to IKEv2 initiators only.



On 11/23/2012 08:11 AM, jegathesh malaiyappan wrote:
> Hi All,
> I have observed the tunnels are getting established incase of IKE
> version mismatch.
> Option 1:
> =========
> Initiator : IKEv1
> Responder: IKEv2
> *Result:* Tunnels are not establised
> Option 2:
> =========
> Initiator : IKEv2
> Responder: IKEv1
> *Result:* Tunnels are establised
> Why it's happening? Is this correct behavior or not?
> Thanks.
> - Jegathesh,
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Dev mailing list