diff -Naur libreswan-3.27-orig/programs/pluto/ikev2_send.c libreswan-3.27/programs/pluto/ikev2_send.c
--- libreswan-3.27-orig/programs/pluto/ikev2_send.c	2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/pluto/ikev2_send.c	2019-06-03 19:17:39.951046484 -0400
@@ -407,6 +407,17 @@
 				     chunk_t *ndata)
 {
 	passert(md != NULL); /* always a reply */
+
+	/*
+	 * The caller must have computed DH and SKEYSEED; but may not
+	 * have authenticated (i.e., don't assume that the IKE SA has
+	 * "established").
+	 */
+	if (!pst->hidden_variables.st_skeyid_calculated) {
+		loglog(RC_LOG_SERIOUS, "Cannot send an encrypted response without SKEYSEED, dropping packet");
+		return;
+	}
+
 	const char *const notify_name = enum_short_name(&ikev2_notify_names, ntype);
 
 	enum isakmp_xchg_types exchange_type = md->hdr.isa_xchg;