[strongSwan] IKEv2 cisco anyconnect app

Martin Willi martin at strongswan.org
Tue Apr 22 10:19:21 CEST 2014


> I notice you mention in your response that strongswan is rejecting an
> unencrypted payload that it expects to be encrypted.

I assume you are referring to the one-and-a-half year old discussion at

> However, this particular attribute is included in Message 1 which can't
> be encrypted. So why is strongswan expecting the payload to be
> encrypted?

While this is true, strongSwan still rejects an unencrypted
configuration payload message. It just does not expect a configuration
payload in IKE_SA_INIT.

So the question is: Why does Anyconnect send a configuration payload in
IKE_SA_INIT? Even if it might not be explicitly disallowed, the
configuration payload is certainly not used here as intended in RFC5996.

As said, working around this issue might be possible, but I don't think
it makes much sense given the mentioned Cisco EULA restrictions.
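
Added example, not part of the original message and not strongSwan's code: a minimal Python walk of the cleartext IKEv2 payload chain that reports payloads, such as the configuration payload discussed above, that do not belong in an IKE_SA_INIT message. The function names are hypothetical, the expected-payload set is an assumption taken from the RFC 5996 description of the exchange, and the sample messages are constructed.

```python
import struct

IKE_SA_INIT = 34  # exchange type
SK, CP = 46, 47   # Encrypted and Configuration payload types
NAMES = {33: "SA", 34: "KE", 38: "CERTREQ", 40: "Nonce", 41: "Notify",
         43: "Vendor ID", SK: "Encrypted", CP: "Configuration"}
# Assumption of this example: the payloads RFC 5996 shows in IKE_SA_INIT.
EXPECTED_IN_INIT = {33, 34, 38, 40, 41, 43}

def walk_payloads(msg):
    """Return (exchange type, cleartext payload types) of an IKEv2 message."""
    if len(msg) < 28:
        raise ValueError("short IKE header")
    nxt, version, exchange, _flags, _mid, length = struct.unpack(
        "!16xBBBBII", msg[:28])
    if version >> 4 != 2 or length != len(msg):
        raise ValueError("not a well-formed IKEv2 message")
    types, off = [], 28
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        types.append(nxt)
        if nxt == SK:  # everything after this header is ciphertext
            break
        nxt, off = following, off + plen
    return exchange, types

def unexpected_in_init(msg):
    """Names of payloads that do not belong in a cleartext IKE_SA_INIT."""
    exchange, types = walk_payloads(msg)
    if exchange != IKE_SA_INIT:
        return []
    return [NAMES.get(t, f"type {t}") for t in types
            if t not in EXPECTED_IN_INIT]

def build(exchange, payloads):
    """Constructed sample message from [(payload type, body bytes), ...]."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return bytes(16) + struct.pack("!BBBBII", payloads[0][0], 0x20, exchange,
                                   0x08, 0, 28 + len(body)) + body

usual = [(33, bytes(8)), (34, bytes(8)), (40, bytes(16))]  # SA, KE, Nonce
with_cp = usual + [(CP, b"\x01\x00\x00\x00")]              # plus CFG_REQUEST
print(unexpected_in_init(build(IKE_SA_INIT, with_cp)))
```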


