Openswan's IKEv2-only mode does not work properly when pluto is acting as the responder

Issue

When configuring Openswan with the ikev2=insist option, if an IKEv1 peer initiates the connection, the IKEv1 connection is still allowed. The policy flags displayed in 'ipsec auto --status' indicate that IKEv1 is disabled, and the ipsec.conf man page states that ikev2=insist means we should only propose and accept an IKEv2 negotiation.

Environment

  • Red Hat Enterprise Linux 6
  • openswan-2.6.32-20.el6
