diff -Naur libreswan-3.21-orig/programs/pluto/ikev1.c libreswan-3.21/programs/pluto/ikev1.c
--- libreswan-3.21-orig/programs/pluto/ikev1.c 2017-08-09 13:47:34.000000000 -0700
+++ libreswan-3.21/programs/pluto/ikev1.c 2017-10-16 14:43:10.057639590 -0700
@@ -2273,16 +2273,17 @@
* actual end of phase 1. With modecfg, negotiation ends with
* STATE_MAIN_I4 already.
*/
-#if 0 /* ??? what's this code for? */
if (st->st_connection->spd.this.xauth_client
- && st->hidden_variables.st_xauth_client_done
- && !st->st_connection->spd.this.modecfg_client
- && st->st_state == STATE_XAUTH_I1) {
- DBG(DBG_CONTROL,
- DBG_log("As XAUTH is done and modecfg is not configured, so Phase 1 neogtiation finishes successfully"));
- change_state(st, STATE_MAIN_I4);
+ && st->hidden_variables.st_xauth_client_done
+ && !st->st_connection->spd.this.modecfg_client
+ && st->st_state == STATE_XAUTH_I1)
+ {
+ bool aggrmode = (st->st_connection->policy & POLICY_AGGRESSIVE);
+
+ libreswan_log("XAUTH completed, ModeCFG skipped as per configuration");
+ change_state(st, aggrmode ? STATE_AGGR_I2 : STATE_MAIN_I4);
+ st->st_msgid_phase15 = v1_MAINMODE_MSGID;
}
-#endif
/* Schedule for whatever timeout is specified */
if (!md->event_already_set) {
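Review bot: The re-enabled block moves the state from STATE_XAUTH_I1 straight to an established phase 1 state and resets `st_msgid_phase15`, but the old `what's this code for?` marker is dropped without a comment saying why either step is correct. I would add above the `if`: `/* XAUTH client is done and no ModeCFG is configured: nothing more is expected in phase 1.5, so treat phase 1 as established and clear the phase 1.5 msgid */`. The jump trusts `st_xauth_client_done`, which is set outside this hunk, so it is worth confirming that flag is only set after the server's XAUTH status has been accepted. Separately, `bool aggrmode = (... & POLICY_AGGRESSIVE);` relies on implicit conversion of a policy bit mask; `(st->st_connection->policy & POLICY_AGGRESSIVE) != 0` stays correct however `bool` is defined in this tree. The enclosing function starts and ends outside the hunk.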
@@ -2332,6 +2333,15 @@
bool agreed_time = FALSE;
struct connection *c = st->st_connection;
+ /* fixup in case of state machine jump for xauth without modecfg */
+ if (c->spd.this.xauth_client
+ && st->hidden_variables.st_xauth_client_done
+ && !c->spd.this.modecfg_client
+ && (st->st_state == STATE_MAIN_I4 || st->st_state == STATE_AGGR_I2)) {
+ DBG(DBG_CONTROL, DBG_log("fixup XAUTH without ModeCFG event from EVENT_v1_RETRANSMIT to EVENT_SA_REPLACE"));
+ kind = EVENT_SA_REPLACE;
+ }
+
switch (kind) {
case EVENT_v1_RETRANSMIT: /* Retransmit packet */
delay_ms = c->r_interval;
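Review bot: The fixup before the `switch` overwrites `kind` whatever its current value is, although the debug text says it converts EVENT_v1_RETRANSMIT only. The four conditions presumably stay true for as long as the state sits in STATE_MAIN_I4 or STATE_AGGR_I2, so a different event type chosen for a later transition would be silently turned into EVENT_SA_REPLACE as well. Adding `&& kind == EVENT_v1_RETRANSMIT` to the condition would limit the override to the case the message describes. The first three clauses of the test also repeat the check in the earlier hunk, so a small static helper would keep the two from drifting apart. The declaration of `kind` and the rest of the `switch` lie outside the hunk.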