[strongSwan] Strongswan as responder only

Tobias Brunner tobias at strongswan.org
Wed Sep 6 09:41:05 CEST 2017


Hi Balaji,

> Attached is the wireshark of the message sent to the strongswan.

Which shows that the peer sends an invalid IKE_SA_INIT message (not even
Wireshark will parse it).  The first payload is an SA payload, which has
33 (0x22) as next payload (KE payload), but the next payload has 44
(0x2c) as next payload, which is TSi.  The IKE_SA_INIT should actually
contain a Nonce payload, whose identifier is 40 (0x28).  The payload
that follows the KE payload has a next payload identifier of 45 (0x2d),
which is a TSr payload.  And from the looks of it these two payloads
following the KE payload do seem to be TS payloads.  So fix your peer.

Regards,
Tobias
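
The payload-chain check described in the reply above, as an added example that is not part of the original message or of strongSwan's code: it walks the next-payload chain of an IKEv2 message and reports which payloads required in an IKE_SA_INIT are missing. Payload type numbers follow RFC 7296; `build` and both sample messages are constructed here and copy only the payload order from the reply, not the actual capture.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2)
NAMES = {33: "SA", 34: "KE", 40: "Nonce", 41: "N", 43: "V", 44: "TSi", 45: "TSr"}
IKE_SA_INIT = 34                      # exchange type
REQUIRED = ("SA", "KE", "Nonce")      # every IKE_SA_INIT must carry these

def walk_payloads(msg: bytes):
    """Return (exchange type, payload names in chain order); ValueError if malformed."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte IKE header")
    next_type, _ver, exchange, _flags, _mid, length = struct.unpack("!BBBBII", msg[16:28])
    if length != len(msg):
        raise ValueError("header length field does not match message size")
    chain, offset = [], 28
    while next_type != 0:             # 0 means "no next payload"
        if offset + 4 > length:
            raise ValueError("payload chain runs past the end of the message")
        following, _crit, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        chain.append(NAMES.get(next_type, f"type {next_type}"))
        next_type, offset = following, offset + plen
    if offset != length:
        raise ValueError("trailing bytes after the last payload")
    return exchange, chain

def check_ike_sa_init(msg: bytes):
    """Return (chain, missing required payloads) for an IKE_SA_INIT message."""
    exchange, chain = walk_payloads(msg)
    if exchange != IKE_SA_INIT:
        raise ValueError(f"exchange type {exchange} is not IKE_SA_INIT")
    return chain, [p for p in REQUIRED if p not in chain]

def build(types):
    """Constructed sample: chain the given payload types with 4-byte dummy bodies."""
    body = b""
    for i in range(len(types)):
        nxt = types[i + 1] if i + 1 < len(types) else 0
        body += struct.pack("!BBH", nxt, 0, 8) + b"\x00" * 4
    hdr = b"\x11" * 8 + b"\x00" * 8   # initiator SPI, zero responder SPI
    hdr += struct.pack("!BBBBII", types[0], 0x20, IKE_SA_INIT, 0x08, 0, 28 + len(body))
    return hdr + body

if __name__ == "__main__":
    for label, types in (("peer", [33, 34, 44, 45]), ("valid", [33, 34, 40])):
        print(label, *check_ike_sa_init(build(types)))
```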


