[strongSwan] StrongSwan/Racoon interop issue: IDcr mismatch

Rich Lafferty rich at lafferty.ca
Tue Jan 30 15:38:58 CET 2018


> On Jan 30, 2018, at 5:34 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Rich,
> 
>> The problem:
>> 
>> When Racoon is the initiator and the connections go through NAT, phase 2
>> negotiation fails with the following error on the Racoon side:
>> 
>>       ERROR: mismatched IDcr was returned.
> 
> With Transport Mode in NAT situations strongSwan will replace the
> received traffic selectors with the actually observed addresses.  It's
> definitely possible this causes a problem with racoon (but the same
> applies to IDci, which apparently is fine)

Hey Tobias,

Thanks for the quick response. I’m not clear on next steps, though — are you saying that this is expected behaviour that can’t be worked around, or that the fix needs to be on the racoon side? Or with more logs is this something that we could try to address on the strongswan side?

> By the way, I pushed a commit to the ikev1-qm-fragments branch that
> fixes the handling of fragments during Quick Mode (avoids the error
> messages and error notify seen below:

Appreciated, thanks.

  -Rich
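To make the "mismatched IDcr" symptom discussed above concrete, here is a small added example (not code from the thread, strongSwan or racoon) that encodes and parses IKEv1 Identification payloads and classifies how a returned IDcr relates to the one the initiator proposed, separating the transport-mode NAT address substitution Tobias describes from an unrelated mismatch; all addresses are constructed sample values.

```python
import ipaddress
import struct

# RFC 2407 section 4.6.2.1: IPsec DOI identification type used below
ID_IPV4_ADDR = 1

def build_id_payload(id_type, proto, port, data, next_payload=0):
    """Encode an ISAKMP Identification payload (RFC 2408 s3.8, RFC 2407 s4.6.2)."""
    body = struct.pack("!BBH", id_type, proto, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_id_payload(raw):
    """Decode the generic header plus ID type / protocol ID / port / ID data."""
    if len(raw) < 8:
        raise ValueError("ID payload truncated")
    _next, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("ID payload length field does not match data")
    id_type, proto, port = struct.unpack("!BBH", raw[4:8])
    return {"type": id_type, "proto": proto, "port": port, "data": raw[8:]}

def id_to_str(pid):
    if pid["type"] == ID_IPV4_ADDR and len(pid["data"]) == 4:
        return str(ipaddress.IPv4Address(pid["data"]))
    return "type%d:%s" % (pid["type"], pid["data"].hex())

def compare_idcr(sent_raw, returned_raw):
    """Classify the responder's IDcr against the one the initiator proposed:
    'match', 'address-rewritten' (same type/proto/port, different IPv4 address,
    i.e. the transport-mode NAT substitution) or 'mismatch' (anything else)."""
    sent, ret = parse_id_payload(sent_raw), parse_id_payload(returned_raw)
    if sent == ret:
        return "match"
    same_shape = all(sent[k] == ret[k] for k in ("type", "proto", "port"))
    if same_shape and sent["type"] == ID_IPV4_ADDR:
        return "address-rewritten"
    return "mismatch"

# Constructed sample (hypothetical addresses): the initiator proposes the
# responder's public NAT address as IDcr; the responder answers with the
# address it actually observes on itself behind the NAT.
SENT_IDCR = build_id_payload(ID_IPV4_ADDR, 0, 0, ipaddress.IPv4Address("203.0.113.5").packed)
RETURNED_IDCR = build_id_payload(ID_IPV4_ADDR, 0, 0, ipaddress.IPv4Address("10.0.0.7").packed)

def diagnose(sent_raw=SENT_IDCR, returned_raw=RETURNED_IDCR):
    """Return (verdict, sent address, returned address) for a Quick Mode IDcr pair."""
    sent, ret = parse_id_payload(sent_raw), parse_id_payload(returned_raw)
    return compare_idcr(sent_raw, returned_raw), id_to_str(sent), id_to_str(ret)

if __name__ == "__main__":
    print(diagnose())
```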
