IKEv2 Connectivity

Good afternoon,

I have two points, one Branch and one Home, connected together via IKEv2 and working fine.
I also connect to my Home from my Android phone via a second IKEv2 connection using Strongswan with certificates; that also works fine.
Connecting to my Home with Strongswan via WiFi, LTE or any other WiFi works fine, but when I use the WiFi at the Branch office it fails to connect me and kicks me out.
From what I read in the Strongswan log file, it mentions no valid proposal, yet nothing shows up in the Mikrotik logs.

Branch 192.168.0.0/24
Home 192.168.5.0/24
Strongswan Pool 192.168.6.0/24

Attached are the Branch and Home IPsec settings.

Branch

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=profile1
add name=l2tp passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=0s
add enc-algorithms=aes-128-cbc name=secure-proposal pfs-group=none
/ip ipsec identity
add generate-policy=port-override peer=peer1
add generate-policy=port-override peer=l2tp
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add comment=vpn01 dst-address=192.168.5.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=\
    xx.xx.xx.xx sa-src-address=192.168.1.235 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.6.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xx.xx.xx.xx \
    sa-src-address=192.168.1.235 src-address=192.168.0.0/24 tunnel=yes

Home

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=""
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
add name=ike2
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=profile1
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
add name=l2tp passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=0s pfs-group=none
add enc-algorithms=aes-128-cbc name=secure-proposal pfs-group=none
add name=ike2 pfs-group=none
/ip ipsec identity
add peer=peer1
add generate-policy=port-override peer=l2tp
add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add comment=vpn01 dst-address=192.168.0.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xx.xx.xx.xx sa-src-address=192.168.1.5 src-address=192.168.5.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xx.xx.xx.xx sa-src-address=192.168.1.5 src-address=192.168.6.0/24 tunnel=yes
add dst-address=192.168.6.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

Thanks in advance

Since the log at Home Mikrotik shows nothing whilst the Strongswan did have a chat with some IPsec stack, and since I remember your previous issue, I would expect dst-nat rules at Branch Mikrotik to divert the IPsec connection attempt to the Branch Mikrotik itself.

So as the first thing, check the log at the Branch Mikrotik.

Thanks sindy

Checking the Branch log from my home for the specific date I was there shows nothing either, but the Home point had this in the log section after all:

mar/10 10:39:50 ipsec,info new ike2 SA (R): 192.168.1.5[500]-xx.xx.xx.xx[29237] spi:fbfb6c9be469493c:596f6da83b9db421
mar/10 10:39:51 ipsec,info,account peer authorized: 192.168.1.5[4500]-xx.xx.xx.xx[29234] spi:fbfb6c9be469493c:596f6da83b9db421
mar/10 10:39:51 ipsec,info acquired 192.168.6.120 address for xx.xx.xx.xx, rw-client1
mar/10 10:40:21 ipsec,info killing ike2 SA: 192.168.1.5[4500]-xx.xx.xx.xx[29234] spi:fbfb6c9be469493c:596f6da83b9db421
mar/10 10:40:21 ipsec,info releasing address 192.168.6.120

I can’t do any tests as I will go back to the Branch on Wednesday, but can you give me roughly an idea of how to dst-nat at the Branch Mikrotik?

Thanks in advance

No point in doing so as the whole assumption that it is a dstnat issue was based on a false input.

How many public IPs does the Branch have? Is the traffic to internet from the Android connected to the WiFi passing through the Mikrotik at Branch or not?

One public IP and the phone is passing through the MikroTik at Branch.

I will try a new connection on Wednesday and take a look at the log again.

If so, the IKE initial request from the phone arrives at Home with the same source IP as the site-to-site tunnel from the Branch Mikrotik itself. So normally the one from the phone should also match the first peer, with that xx.xx.xx.xx/32 address, and as the identity row matching the phone’s certificate is attached to the other peer with address=0.0.0.0/0, Phase 1 should fail with “matching identity not found”. It is a mystery to me why it doesn’t, and why even the mode-config is used and an address assigned. The only explanation that comes to my mind is that RouterOS now skips to the next matching peer if no matching identity is found on the first one, but if so, I don’t get why it went wrong later, with the Phase 2 proposal, given that the Phase 2 policy choice depends on identity.

So when testing on Wednesday, run
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"

at the Home Mikrotik before starting the connection attempt from the phone; after it fails, break the /log print …, disable the /system logging row, and look through ipsec-start.txt for hints about what has happened.

Good morning Sindy

09:32:25 ipsec -> ike2 request, exchange: SA_INIT:0 xx.xx.xx.xx[53532] e1b8fea7538e5b29:0000000000000000 
09:32:25 ipsec ike2 respond 
09:32:25 ipsec payload seen: SA (492 bytes) 
09:32:25 ipsec payload seen: KE (72 bytes) 
09:32:25 ipsec payload seen: NONCE (36 bytes) 
09:32:25 ipsec payload seen: NOTIFY (28 bytes) 
09:32:25 ipsec payload seen: NOTIFY (28 bytes) 
09:32:25 ipsec payload seen: NOTIFY (8 bytes) 
09:32:25 ipsec payload seen: NOTIFY (16 bytes) 
09:32:25 ipsec payload seen: NOTIFY (8 bytes) 
09:32:25 ipsec processing payload: NONCE 
09:32:25 ipsec processing payload: SA 
09:32:25 ipsec,debug unknown auth: #5 
09:32:25 ipsec,debug unknown prf: #4 
09:32:25 ipsec,debug unknown DH group: #28 
09:32:25 ipsec,debug unknown DH group: #29 
09:32:25 ipsec,debug unknown DH group: #30 
09:32:25 ipsec,debug unknown DH group: #31 
09:32:25 ipsec,debug unknown enc: #28 
09:32:25 ipsec,debug unknown enc: #19 
09:32:25 ipsec,debug unknown enc: #19 
09:32:25 ipsec,debug unknown enc: #19 
09:32:25 ipsec,debug unknown enc: #18 
09:32:25 ipsec,debug unknown enc: #18 
09:32:25 ipsec,debug unknown enc: #18 
09:32:25 ipsec,debug unknown prf: #4 
09:32:25 ipsec,debug unknown DH group: #28 
09:32:25 ipsec,debug unknown DH group: #29 
09:32:25 ipsec,debug unknown DH group: #30 
09:32:25 ipsec,debug unknown DH group: #31 
09:32:25 ipsec IKE Protocol: IKE 
09:32:25 ipsec  proposal #1 
09:32:25 ipsec   enc: aes128-cbc 
09:32:25 ipsec   enc: aes192-cbc 
09:32:25 ipsec   enc: aes256-cbc 
09:32:25 ipsec   enc: 3des-cbc 
09:32:25 ipsec   prf: hmac-sha256 
09:32:25 ipsec   prf: hmac-sha384 
09:32:25 ipsec   prf: hmac-sha512 
09:32:25 ipsec   prf: unknown 
09:32:25 ipsec   prf: hmac-sha1 
09:32:25 ipsec   auth: sha256 
09:32:25 ipsec   auth: sha384 
09:32:25 ipsec   auth: sha512 
09:32:25 ipsec   auth: sha1 
09:32:25 ipsec   auth: unknown 
09:32:25 ipsec   dh: ecp256 
09:32:25 ipsec   dh: ecp384 
09:32:25 ipsec   dh: ecp521 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: modp3072 
09:32:25 ipsec   dh: modp4096 
09:32:25 ipsec   dh: modp6144 
09:32:25 ipsec   dh: modp8192 
09:32:25 ipsec   dh: modp2048 
09:32:25 ipsec  proposal #2 
09:32:25 ipsec   enc: aes128-gcm 
09:32:25 ipsec   enc: aes192-gcm 
09:32:25 ipsec   enc: aes256-gcm 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   enc: unknown 
09:32:25 ipsec   prf: hmac-sha256 
09:32:25 ipsec   prf: hmac-sha384 
09:32:25 ipsec   prf: hmac-sha512 
09:32:25 ipsec   prf: unknown 
09:32:25 ipsec   prf: hmac-sha1 
09:32:25 ipsec   dh: ecp256 
09:32:25 ipsec   dh: ecp384 
09:32:25 ipsec   dh: ecp521 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: unknown 
09:32:25 ipsec   dh: modp3072 
09:32:25 ipsec   dh: modp4096 
09:32:25 ipsec   dh: modp6144 
09:32:25 ipsec   dh: modp8192 
09:32:25 ipsec   dh: modp2048 
09:32:25 ipsec can't agree on IKE proposal, my config: 
09:32:25 ipsec   enc: aes128-cbc  
09:32:25 ipsec   auth: sha1  
09:32:25 ipsec   dh: modp1024  
09:32:25 ipsec   prf: hmac-sha1  
09:32:25 ipsec adding notify: NO_PROPOSAL_CHOSEN 
09:32:25 ipsec,debug => (size 0x8) 
09:32:25 ipsec,debug 00000008 0000000e

This is what I am getting in the Home log.
The Branch log doesn’t show anything.

The two Phase 1 proposals coming from the phone are indeed incompatible with the Phase 1 proposal (specified on both /ip ipsec profile rows) of RouterOS, hence I have no idea why the same phone connects successfully when it connects using some other uplink than the WiFi at the Branch.

I.e. all the speculation regarding retry on next peer is irrelevant as the “no proposal chosen” is related already to a stage of Phase 1 where identity is not yet looked for. And the log doesn’t indicate which peer has been chosen.

So the problem of the initial IKE packet from the phone coming from the same IP as the IKE connection from the Branch router will pop up, but at a later stage.

Can you repeat the same test (logging IPsec at Home) with WiFi on the phone disabled, so that it connects via LTE? It should show different proposals to come from the phone, or it should fail as well.
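As an added illustration of what the two Home logs above show (this is example code written for this page, not code from the thread, from strongSwan or from RouterOS): the script below parses RouterOS-style "proposal #N / enc: / prf: / auth: / dh:" log lines, models which /ip ipsec peer a given source address would select, and checks whether any of the initiator's proposals overlaps the responder's profile in every transform type, which is what an IKEv2 responder needs before it can answer SA_INIT with anything other than NO_PROPOSAL_CHOSEN. The log excerpt inside it is a constructed, abbreviated copy of the phone's proposals from the 09:32:25 log; 203.0.113.10 stands in for the Branch public IP xx.xx.xx.xx and 198.51.100.7 for an LTE address; the "most specific peer address wins" lookup rule, and the ike2 profile containing modp2048 (taken from the LTE log's "matched proposal"), are assumptions. Worth noticing when reading the logs: the phone offers modp2048 and larger groups plus the ECP groups but never modp1024, so a profile limited to modp1024 cannot match it no matter what the other transforms are.

```python
"""Model of the IKE_SA_INIT proposal matching seen in the two Home logs.

Added example for this page, not code from the thread or from RouterOS.
Assumptions are marked below: the sample log is a constructed, abbreviated
copy of the phone's proposals; 203.0.113.10 stands in for xx.xx.xx.xx;
the 'most specific peer address wins' lookup rule is assumed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: abbreviated from the thread's 09:32:25 / 11:46:20 logs.
PHONE_LOG = """\
09:32:25 ipsec  proposal #1
09:32:25 ipsec   enc: aes128-cbc
09:32:25 ipsec   enc: aes256-cbc
09:32:25 ipsec   prf: hmac-sha256
09:32:25 ipsec   prf: hmac-sha1
09:32:25 ipsec   auth: sha256
09:32:25 ipsec   auth: sha1
09:32:25 ipsec   dh: ecp256
09:32:25 ipsec   dh: unknown
09:32:25 ipsec   dh: modp3072
09:32:25 ipsec   dh: modp2048
09:32:25 ipsec  proposal #2
09:32:25 ipsec   enc: aes128-gcm
09:32:25 ipsec   prf: hmac-sha256
09:32:25 ipsec   dh: ecp256
09:32:25 ipsec   dh: modp2048
"""

LINE_RE = re.compile(r"^\S+ ipsec\s+(?:proposal #(\d+)|(enc|prf|auth|dh): (\S+))")


def parse_proposals(log):
    """Return {proposal_number: {transform_type: set(algorithm)}}.
    'unknown' entries (algorithms RouterOS cannot name) are dropped."""
    proposals, current = {}, None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group(1):
            current = int(m.group(1))
            proposals[current] = defaultdict(set)
        elif current is not None and m.group(3) != "unknown":
            proposals[current][m.group(2)].add(m.group(3))
    return proposals


# Responder profiles as the logs report them: profile1 is the "my config" of the
# failed attempt; the ike2 peer's modp2048 comes from the LTE "matched proposal".
PROFILE1 = {"enc": {"aes128-cbc"}, "prf": {"hmac-sha1"}, "auth": {"sha1"}, "dh": {"modp1024"}}
IKE2_PROFILE = {"enc": {"aes128-cbc"}, "prf": {"hmac-sha1"}, "auth": {"sha1"}, "dh": {"modp2048"}}


def select_proposal(offered, profile):
    """First offered proposal that overlaps the profile in every transform type,
    as (number, chosen transforms), or None. IKEv2 lets the responder pick one
    whole proposal; it may not mix transforms across proposals."""
    for num in sorted(offered):
        choice = {}
        for ttype in ("enc", "prf", "auth", "dh"):
            if ttype == "auth" and "auth" not in offered[num]:
                continue  # AEAD (gcm) proposals carry no separate integrity transform
            common = offered[num].get(ttype, set()) & profile[ttype]
            if not common:
                break
            choice[ttype] = sorted(common)[0]
        else:
            return num, choice
    return None


# Peer table modeled on the Home config: peer1 is pinned to the Branch public
# IP, the ike2 road-warrior peer (address unset = 0.0.0.0/0) accepts any source.
PEERS = [
    {"name": "peer1", "address": "203.0.113.10/32", "profile": PROFILE1},
    {"name": "ike2", "address": "0.0.0.0/0", "profile": IKE2_PROFILE},
]


def select_peer(src_ip, peers=PEERS):
    """Assumed lookup rule: the matching peer with the longest prefix wins."""
    ip = ipaddress.ip_address(src_ip)
    matches = [p for p in peers if ip in ipaddress.ip_network(p["address"])]
    return max(matches, key=lambda p: ipaddress.ip_network(p["address"]).prefixlen)


def negotiate(src_ip, log=PHONE_LOG):
    """Return (peer name, NO_PROPOSAL_CHOSEN or the (number, transforms) picked)."""
    peer = select_peer(src_ip)
    picked = select_proposal(parse_proposals(log), peer["profile"])
    return peer["name"], picked if picked is not None else "NO_PROPOSAL_CHOSEN"


if __name__ == "__main__":
    print(negotiate("203.0.113.10"))  # same source as the Branch tunnel -> peer1
    print(negotiate("198.51.100.7"))  # any other source, e.g. LTE -> ike2 peer
```

Run as-is, the first call lands on peer1 and its profile1 (aes128-cbc / sha1 / modp1024) and returns NO_PROPOSAL_CHOSEN, the outcome of the 09:32:25 log; the second selects the catch-all ike2 peer and picks aes128-cbc / hmac-sha1 / sha1 / modp2048, the same tuple as the 11:46:20 "matched proposal". Swapping in the real peer table and a full log excerpt is enough to see, for any source address, which profile the responder will evaluate the phone's proposals against.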

Log via LTE on Home MikroTik


11:46:20 ipsec,debug ===== received 716 bytes from xx.xx.xx.xx[10057] to 192.168.1.5[500] 
11:46:20 ipsec -> ike2 request, exchange: SA_INIT:0 xx.xx.xx.xx[10057] ced88752023d9ecb:0000000000000000 
11:46:20 ipsec ike2 respond 
11:46:20 ipsec payload seen: SA (492 bytes) 
11:46:20 ipsec payload seen: KE (72 bytes) 
11:46:20 ipsec payload seen: NONCE (36 bytes) 
11:46:20 ipsec payload seen: NOTIFY (28 bytes) 
11:46:20 ipsec payload seen: NOTIFY (28 bytes) 
11:46:20 ipsec payload seen: NOTIFY (8 bytes) 
11:46:20 ipsec payload seen: NOTIFY (16 bytes) 
11:46:20 ipsec payload seen: NOTIFY (8 bytes) 
11:46:20 ipsec processing payload: NONCE 
11:46:20 ipsec processing payload: SA 
11:46:20 ipsec,debug unknown auth: #5 
11:46:20 ipsec,debug unknown prf: #4 
11:46:20 ipsec,debug unknown DH group: #28 
11:46:20 ipsec,debug unknown DH group: #29 
11:46:20 ipsec,debug unknown DH group: #30 
11:46:20 ipsec,debug unknown DH group: #31 
11:46:20 ipsec,debug unknown enc: #28 
11:46:20 ipsec,debug unknown enc: #19 
11:46:20 ipsec,debug unknown enc: #19 
11:46:20 ipsec,debug unknown enc: #19 
11:46:20 ipsec,debug unknown enc: #18 
11:46:20 ipsec,debug unknown enc: #18 
11:46:20 ipsec,debug unknown enc: #18 
11:46:20 ipsec,debug unknown prf: #4 
11:46:20 ipsec,debug unknown DH group: #28 
11:46:20 ipsec,debug unknown DH group: #29 
11:46:20 ipsec,debug unknown DH group: #30 
11:46:20 ipsec,debug unknown DH group: #31 
11:46:20 ipsec IKE Protocol: IKE 
11:46:20 ipsec  proposal #1 
11:46:20 ipsec   enc: aes128-cbc 
11:46:20 ipsec   enc: aes192-cbc 
11:46:20 ipsec   enc: aes256-cbc 
11:46:20 ipsec   enc: 3des-cbc 
11:46:20 ipsec   prf: hmac-sha256 
11:46:20 ipsec   prf: hmac-sha384 
11:46:20 ipsec   prf: hmac-sha512 
11:46:20 ipsec   prf: unknown 
11:46:20 ipsec   prf: hmac-sha1 
11:46:20 ipsec   auth: sha256 
11:46:20 ipsec   auth: sha384 
11:46:20 ipsec   auth: sha512 
11:46:20 ipsec   auth: sha1 
11:46:20 ipsec   auth: unknown 
11:46:20 ipsec   dh: ecp256 
11:46:20 ipsec   dh: ecp384 
11:46:20 ipsec   dh: ecp521 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: modp3072 
11:46:20 ipsec   dh: modp4096 
11:46:20 ipsec   dh: modp6144 
11:46:20 ipsec   dh: modp8192 
11:46:20 ipsec   dh: modp2048 
11:46:20 ipsec  proposal #2 
11:46:20 ipsec   enc: aes128-gcm 
11:46:20 ipsec   enc: aes192-gcm 
11:46:20 ipsec   enc: aes256-gcm 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   prf: hmac-sha256 
11:46:20 ipsec   prf: hmac-sha384 
11:46:20 ipsec   prf: hmac-sha512 
11:46:20 ipsec   prf: unknown 
11:46:20 ipsec   prf: hmac-sha1 
11:46:20 ipsec   dh: ecp256 
11:46:20 ipsec   dh: ecp384 
11:46:20 ipsec   dh: ecp521 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: modp3072 
11:46:20 ipsec   dh: modp4096 
11:46:20 ipsec   dh: modp6144 
11:46:20 ipsec   dh: modp8192 
11:46:20 ipsec   dh: modp2048 
11:46:20 ipsec matched proposal: 
11:46:20 ipsec  proposal #1 
11:46:20 ipsec   enc: aes128-cbc 
11:46:20 ipsec   prf: hmac-sha1 
11:46:20 ipsec   auth: sha1 
11:46:20 ipsec   dh: modp2048 
11:46:20 ipsec processing payload: KE 
11:46:20 ipsec DH group number mismatch: 14 != 19 
11:46:20 ipsec adding notify: INVALID_KE_PAYLOAD 
11:46:20 ipsec,debug => (size 0xa) 
11:46:20 ipsec,debug 0000000a 00000011 000e 
11:46:20 ipsec,debug ===== sending 38 bytes from 192.168.1.5[500] to xx.xx.xx.xx[10057] 
11:46:20 ipsec,debug 1 times of 38 bytes message will be sent to xx.xx.xx.xx[10057] 
11:46:20 ipsec,debug ===== received 908 bytes from xx.xx.xx.xx[10057] to 192.168.1.5[500] 
11:46:20 ipsec -> ike2 request, exchange: SA_INIT:0 xx.xx.xx.xx[10057] ced88752023d9ecb:0000000000000000 
11:46:20 ipsec ike2 respond 
11:46:20 ipsec payload seen: SA (492 bytes) 
11:46:20 ipsec payload seen: KE (264 bytes) 
11:46:20 ipsec payload seen: NONCE (36 bytes) 
11:46:20 ipsec payload seen: NOTIFY (28 bytes) 
11:46:20 ipsec payload seen: NOTIFY (28 bytes) 
11:46:20 ipsec payload seen: NOTIFY (8 bytes) 
11:46:20 ipsec payload seen: NOTIFY (16 bytes) 
11:46:20 ipsec payload seen: NOTIFY (8 bytes) 
11:46:20 ipsec processing payload: NONCE 
11:46:20 ipsec processing payload: SA 
11:46:20 ipsec,debug unknown auth: #5 
11:46:20 ipsec,debug unknown prf: #4 
11:46:20 ipsec,debug unknown DH group: #28 
11:46:20 ipsec,debug unknown DH group: #29 
11:46:20 ipsec,debug unknown DH group: #30 
11:46:20 ipsec,debug unknown DH group: #31 
11:46:20 ipsec,debug unknown enc: #28 
11:46:20 ipsec,debug unknown enc: #19 
11:46:20 ipsec,debug unknown enc: #19 
11:46:20 ipsec,debug unknown enc: #19 
11:46:20 ipsec,debug unknown enc: #18 
11:46:20 ipsec,debug unknown enc: #18 
11:46:20 ipsec,debug unknown enc: #18 
11:46:20 ipsec,debug unknown prf: #4 
11:46:20 ipsec,debug unknown DH group: #28 
11:46:20 ipsec,debug unknown DH group: #29 
11:46:20 ipsec,debug unknown DH group: #30 
11:46:20 ipsec,debug unknown DH group: #31 
11:46:20 ipsec IKE Protocol: IKE 
11:46:20 ipsec  proposal #1 
11:46:20 ipsec   enc: aes128-cbc 
11:46:20 ipsec   enc: aes192-cbc 
11:46:20 ipsec   enc: aes256-cbc 
11:46:20 ipsec   enc: 3des-cbc 
11:46:20 ipsec   prf: hmac-sha256 
11:46:20 ipsec   prf: hmac-sha384 
11:46:20 ipsec   prf: hmac-sha512 
11:46:20 ipsec   prf: unknown 
11:46:20 ipsec   prf: hmac-sha1 
11:46:20 ipsec   auth: sha256 
11:46:20 ipsec   auth: sha384 
11:46:20 ipsec   auth: sha512 
11:46:20 ipsec   auth: sha1 
11:46:20 ipsec   auth: unknown 
11:46:20 ipsec   dh: modp2048 
11:46:20 ipsec   dh: ecp256 
11:46:20 ipsec   dh: ecp384 
11:46:20 ipsec   dh: ecp521 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: modp3072 
11:46:20 ipsec   dh: modp4096 
11:46:20 ipsec   dh: modp6144 
11:46:20 ipsec   dh: modp8192 
11:46:20 ipsec  proposal #2 
11:46:20 ipsec   enc: aes128-gcm 
11:46:20 ipsec   enc: aes192-gcm 
11:46:20 ipsec   enc: aes256-gcm 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   enc: unknown 
11:46:20 ipsec   prf: hmac-sha256 
11:46:20 ipsec   prf: hmac-sha384 
11:46:20 ipsec   prf: hmac-sha512 
11:46:20 ipsec   prf: unknown 
11:46:20 ipsec   prf: hmac-sha1 
11:46:20 ipsec   dh: modp2048 
11:46:20 ipsec   dh: ecp256 
11:46:20 ipsec   dh: ecp384 
11:46:20 ipsec   dh: ecp521 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: unknown 
11:46:20 ipsec   dh: modp3072 
11:46:20 ipsec   dh: modp4096 
11:46:20 ipsec   dh: modp6144 
11:46:20 ipsec   dh: modp8192 
11:46:20 ipsec matched proposal: 
11:46:20 ipsec  proposal #1 
11:46:20 ipsec   enc: aes128-cbc 
11:46:20 ipsec   prf: hmac-sha1 
11:46:20 ipsec   auth: sha1 
11:46:20 ipsec   dh: modp2048 
11:46:20 ipsec processing payload: KE 
11:46:20 ipsec,debug => shared secret (size 0x100) 
11:46:20 ipsec,debug e84b086f efb7c8c6 dcd9f68c affaa3a3 1cf78de0 f9dae339 348e04c6 a1faf372 
11:46:20 ipsec,debug 3b005c25 c66df228 87b25794 f4cb07f9 1dbabd9c a86ce1e0 b8fdb9c3 327d147d 
11:46:20 ipsec,debug 9755874a 5f8ac1da c1e0800e 38d7bcba 524a573e 29fdd245 2be73e1d 9a495851 
11:46:20 ipsec,debug a0d1a794 daeee933 c584e298 2d751786 4c6e43d1 f8f379a0 758e0ae0 1ebb2646 
11:46:20 ipsec,debug 83ca3884 74da59aa a448c394 825fba6e e601758c 849ca4c3 17962f9d bc754301 
11:46:20 ipsec,debug c067c939 2adff12a d8c69434 e2e719fb 69740c8e a0b8c783 f544d944 ae828d56 
11:46:20 ipsec,debug e3da77d6 28a34547 14a012c8 1f7bc4f1 493f4450 68e83169 f3e8b089 970a6e71 
11:46:20 ipsec,debug ef584865 3c43fdf4 32fe49aa 78f0056a f51e23d1 b8d3de42 c2fdb15f 6e27d690 
11:46:20 ipsec adding payload: SA 
11:46:20 ipsec,debug => (size 0x30) 
11:46:20 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002 
11:46:20 ipsec,debug 03000008 03000002 00000008 0400000e 
11:46:20 ipsec adding payload: KE 
11:46:20 ipsec,debug => (first 0x100 of 0x108) 
11:46:20 ipsec,debug 00000108 000e0000 253c2116 578292ed 1a2fad72 447a1310 d1289ac4 bbc650ef 
11:46:20 ipsec,debug 38ef9127 76ce9afe bbe95a62 1b285167 28f24dec bddb6e13 c82c90c2 1fc33c3c 
11:46:20 ipsec,debug def269e4 905e754d c5b0fe21 82017584 268f49c9 079d6201 eae2add6 75d440c6 
11:46:20 ipsec,debug 27d5f28a 0ede3fa9 d8cd86cf 50009cbf 532040e4 20dbb79a da28a5bb 24f88f82 
11:46:20 ipsec,debug e74e6eb6 07065ec0 82bb94e2 320cc971 ac44bcdf 4274d9d4 677c4acd a25ee8f8 
11:46:20 ipsec,debug 9533fe59 7f731e46 6c883a37 7224b7a9 37619625 fea256c4 68dcb1ab aded7b07 
11:46:20 ipsec,debug 09ffdf95 0eee65e2 16ab1809 53f9ea03 0288dabd 320f3817 74d87452 80128f01 
11:46:20 ipsec,debug b593a554 2f785167 6c135f69 ef52bbf5 c3b9f4f7 2ddfd4ad d86db4bc 9e8dcc30 
11:46:20 ipsec adding payload: NONCE 
11:46:20 ipsec,debug => (size 0x1c) 
11:46:20 ipsec,debug 0000001c 9d65553e 6f3b7596 6e8be1eb 612548f8 2d8e00b3 5a01113f 
11:46:20 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
11:46:20 ipsec,debug => (size 0x1c) 
11:46:20 ipsec,debug 0000001c 00004004 b998ccbd 4cdde459 dd3e4477 23de0449 4df058cb 
11:46:20 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
11:46:20 ipsec,debug => (size 0x1c) 
11:46:20 ipsec,debug 0000001c 00004005 63e6ee4a 6a057e64 3c0a9509 a8ff7463 bc3b29f5 
11:46:20 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
11:46:20 ipsec,debug => (size 0x8) 
11:46:20 ipsec,debug 00000008 0000402e 
11:46:20 ipsec adding payload: CERTREQ 
11:46:20 ipsec,debug => (size 0x5) 
11:46:20 ipsec,debug 00000005 04 
11:46:20 ipsec <- ike2 reply, exchange: SA_INIT:0 xx.xx.xx.xx[10057] ced88752023d9ecb:a3a3515834cbe7ca 
11:46:20 ipsec,debug ===== sending 437 bytes from 192.168.1.5[500] to xx.xx.xx.xx[10057] 
11:46:20 ipsec,debug 1 times of 437 bytes message will be sent to xx.xx.xx.xx[10057] 
11:46:20 ipsec,debug => skeyseed (size 0x14) 
11:46:20 ipsec,debug 543c87a3 cb348fbc b927a2f8 4c6870e6 18532d2c 
11:46:20 ipsec,debug => keymat (size 0x14) 
11:46:20 ipsec,debug e2a266f6 46f63091 676f755b 661379ae da1f8399 
11:46:20 ipsec,debug => SK_ai (size 0x14) 
11:46:20 ipsec,debug e17ad546 4ae5fabb bbc541c8 d585833a a55ce2b8 
11:46:20 ipsec,debug => SK_ar (size 0x14) 
11:46:20 ipsec,debug 8bc093af b1163409 de6e3f7f 40166f34 46357aca 
11:46:20 ipsec,debug => SK_ei (size 0x10) 
11:46:20 ipsec,debug 815d0b40 b503a078 e16abd94 ca136128 
11:46:20 ipsec,debug => SK_er (size 0x10) 
11:46:20 ipsec,debug 2f8c636d 663eb1f3 1438d344 0f32925d 
11:46:20 ipsec,debug => SK_pi (size 0x14) 
11:46:20 ipsec,debug 00350fdb 4c11fa29 e474f85b e8dcfe02 1fd97f71 
11:46:20 ipsec,debug => SK_pr (size 0x14) 
11:46:20 ipsec,debug cc7b3511 317d2c60 96e779a7 3f20d6dd 66227bfc 
11:46:20 ipsec,info new ike2 SA (R): 192.168.1.5[500]-xx.xx.xx.xx[10057] spi:a3a3515834cbe7ca:ced88752023d9ecb 
11:46:20 ipsec processing payloads: VID (none found) 
11:46:20 ipsec processing payloads: NOTIFY 
11:46:20 ipsec   notify: NAT_DETECTION_SOURCE_IP 
11:46:20 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
11:46:20 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
11:46:20 ipsec   notify: SIGNATURE_HASH_ALGORITHMS 
11:46:20 ipsec,debug 0002000300040005 
11:46:20 ipsec   notify: REDIRECT_SUPPORTED 
11:46:20 ipsec (NAT-T) REMOTE LOCAL 
11:46:20 ipsec KA list add: 192.168.1.5[4500]->xx.xx.xx.xx[10057] 
11:46:20 ipsec fragmentation negotiated 
11:46:21 ipsec,debug ===== received 1360 bytes from xx.xx.xx.xx[10103] to 192.168.1.5[4500] 
11:46:21 ipsec -> ike2 request, exchange: AUTH:1 xx.xx.xx.xx[10103] ced88752023d9ecb:a3a3515834cbe7ca 
11:46:21 ipsec peer ports changed: 10057 -> 10103 
11:46:21 ipsec KA remove: 192.168.1.5[4500]->xx.xx.xx.xx[10057] 
11:46:21 ipsec,debug KA tree dump: 192.168.1.5[4500]->xx.xx.xx.xx[10057] (in_use=1) 
11:46:21 ipsec,debug KA tree dump: 192.168.1.5[4500]->xx.xx.xx.xx[10057] (in_use=1) 
11:46:21 ipsec,debug KA removing this one... 
11:46:21 ipsec KA list add: 192.168.1.5[4500]->xx.xx.xx.xx[10103] 
11:46:21 ipsec payload seen: SKF (1332 bytes) 
11:46:21 ipsec processing payload: ENC (not found) 
11:46:21 ipsec processing payload: SKF 
11:46:21 ipsec,debug => iv (size 0x10) 
11:46:21 ipsec,debug 91b3165a 3ef38c60 c1ef49ca 58504b42 
11:46:21 ipsec,debug => decrypted and trimmed payload (size 0x50f) 
11:46:21 ipsec,debug 2500001f 09000000 30153113 30110603 5504030c 0a72772d 636c6965 6e743129 
11:46:21 ipsec,debug 00032a04 30820321 30820209 a0030201 02020826 a350bee5 a78f0730 0d06092a 
11:46:21 ipsec,debug 864886f7 0d01010b 0500300d 310b3009 06035504 030c0263 61301e17 0d323130 
11:46:21 ipsec,debug 33303531 31353633 365a170d 32323033 30353131 35363336 5a301531 13301106 
11:46:21 ipsec,debug 03550403 0c0a7277 2d636c69 656e7431 30820122 300d0609 2a864886 f70d0101 
11:46:21 ipsec,debug 01050003 82010f00 3082010a 02820101 00cf96ec 3d659945 be6752bd 75a2d097 
11:46:21 ipsec,debug c2599386 7825cf5c d91f6e09 bf0d6ebc 7991a4a0 5d94538b 332d7aa6 034a2a77 
11:46:21 ipsec,debug ea8bddaa f33ed258 e93d23ba 26fc5520 9d2f2152 4218a60f e3c6dd5b 611427c8 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 596dca56 5ccfe1c3 006fa549 5dcb4f89 a2f97ff5 e7b0c33d ff12aae9 ee3c7abc 
11:46:21 ipsec,debug 550d5075 e2dc3a23 5799b7aa 7203d68c db57de98 d4c90e84 c31483d3 49ed48b4 
11:46:21 ipsec,debug d90c3667 12f94a29 f21b473b ae80baa7 eb970f80 a49cfa32 192611ee 023febc7 
11:46:21 ipsec,debug 77c12b90 8b6e8b39 72f6caa0 bebbb9c2 3c47f2b6 7a0cca84 f1c51d27 134df762 
11:46:21 ipsec,debug e5734042 ea9b403c b1383c8a b5cb5710 e1311eb4 9ade6d06 fe1c53fa 50599bb3 
11:46:21 ipsec,debug 2f994c83 69275ef0 2b2784a6 fe4f1f03 3d020301 0001a37d 307b3013 0603551d 
11:46:21 ipsec,debug 25040c30 0a06082b 06010505 07030230 1d060355 1d0e0416 0414ba8f 0266c4b5 
11:46:21 ipsec,debug 238e1b18 5b60ec1e e69514b8 4013301f 0603551d 23041830 16801474 f23d338b 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 11cde7bd 4486ab5f e9b2389f c8ab4e30 24060960 86480186 f842010d 04171615 
11:46:21 ipsec,debug 47656e65 72617465 64206279 20526f75 7465724f 53300d06 092a8648 86f70d01 
11:46:21 ipsec,debug 010b0500 03820101 00d0f1ba ce494dec 77a6c0a6 4db9f71e 81db1f51 e18045bf 
11:46:21 ipsec,debug ed9fbf88 40b11adb f595c202 2ff1b26a 452940f6 fabbddc6 282383d1 2a3db29f 
11:46:21 ipsec,debug 7a34a427 f54190b0 52e5c77c f9cfd590 33842fb8 0e1cdb3e da033810 26d4da74 
11:46:21 ipsec,debug 2270c7ac 858f8774 3eb572b6 e95c701f a2370c64 ef2039a0 53643150 60bb1e6e 
11:46:21 ipsec,debug 49841e34 7327ffb1 eb9326e8 2e46cf82 85c07024 274ab25c e81a76e1 4f326227 
11:46:21 ipsec,debug 97c9fab2 5b8ee080 1677e5a0 12f38477 fcee2c3c 787e6a7a d87be362 eeea119c 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 81404cbb 0f4dacd6 160050aa b3f81bdc 89b10f8e 41528c39 c438fae5 ff2be66b 
11:46:21 ipsec,debug 050f0ad7 220686ec 46a0c541 865fed0a 4e6f12fc 7f625575 8e9b98b0 b8a7b056 
11:46:21 ipsec,debug 50af98d5 5ef4a6bd 5b260000 08000040 0027000a b904cf58 aa908d58 39761bcf 
11:46:21 ipsec,debug 4eda03bf 818ed1d7 f89b7397 82eab404 166e25d4 823c37db f8a812fb cf2690e2 
11:46:21 ipsec,debug 41c21141 8b95b1a9 e09c3724 7e849fe4 bea18331 7e628542 53d6d778 3190ec91 
11:46:21 ipsec,debug 9056e991 b9e3899b 18f3914d 6c4aaa95 5b18a638 e51ccad4 d400e6ff c394e838 
11:46:21 ipsec,debug 597f51d4 80421976 27cfdb94 8ec61ef9 cf49ac1a b5523a59 166a6105 bd8406cc 
11:46:21 ipsec,debug 96626833 0e613585 21592983 a3c8d2d2 e1406e7a b3c1c45c 9ce6c690 1d48b6d3 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 50ac117d 741fb602 0814f816 513cfd1b 449f2e6b 28a19722 1fb81f51 4e3c6a25 
11:46:21 ipsec,debug 239d6275 cd522169 5c31e989 c4d538b8 c4eac64f a23d0663 84099cce 62e404ac 
11:46:21 ipsec,debug 8d5cb5e9 b61bb71a 8b40df93 d05ce098 03089159 6d61e815 f6fed7c1 47916651 
11:46:21 ipsec,debug beb952ca 11c9903d 8150550f b097138f 7b5d6eda 54ee844c 7c78d47e 3fd02a60 
11:46:21 ipsec,debug d5ff121a 24b7518b f79ce259 7b396d21 438493cc f9433592 761947e2 907b7ac8 
11:46:21 ipsec,debug 80f429bf 2be66c81 511a04c3 a9d011cb 20f7c948 598ced21 a9f2e89b cf113b37 
11:46:21 ipsec,debug c0c5473d fc5b9a0d 015b123b 53ccadb7 54669980 bf7cf450 8ba2d04c e3a186e4 
11:46:21 ipsec,debug f382711e 0cc7ef66 52d46280 e8ca8e37 df491eb1 c9bcfd0a 1c25ed0d c8d62cd3 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 1329d882 fe2dc3fc c510d34d bb14b0 
11:46:21 ipsec,debug decrypted fragment 1 out of 4 
11:46:21 ipsec,debug need more fragments 
11:46:21 ipsec,debug ===== received 1360 bytes from xx.xx.xx.xx[10103] to 192.168.1.5[4500] 
11:46:21 ipsec -> ike2 request, exchange: AUTH:1 xx.xx.xx.xx[10103] ced88752023d9ecb:a3a3515834cbe7ca 
11:46:21 ipsec payload seen: SKF (1332 bytes) 
11:46:21 ipsec processing payload: ENC (not found) 
11:46:21 ipsec processing payload: SKF 
11:46:21 ipsec,debug => iv (size 0x10) 
11:46:21 ipsec,debug d26eb1e0 25034213 f9340d31 3cc899bb 
11:46:21 ipsec,debug => decrypted and trimmed payload (size 0x50f) 
11:46:21 ipsec,debug 819da5df 2416ef0d 7dfe7fe9 2b40d7ef f5448fc5 f32d5254 067ec2b5 c35ce363 
11:46:21 ipsec,debug f44ab0ec 692199a5 9dbf9015 d9f1f5a8 d8c01d14 e6f1d8c4 fe5717e1 a05a9534 
11:46:21 ipsec,debug 7578a7ff 4dcf3252 5df2f82c 1ae1159b 10827a95 032ab26b 73c82f18 c92ecae5 
11:46:21 ipsec,debug 68c208af 4404c241 7e4883db 4e3902ec ec847ae6 cec9a4ef e7122486 fba28408 
11:46:21 ipsec,debug e284b17a 991d0e55 0572f9a5 068a78cf 84bd7432 dd58f965 eb3a55e7 c780dc07 
11:46:21 ipsec,debug 232d4565 87b9d7b1 d97dd1c5 fb65c589 bf929606 2118f572 6a904263 48b15c0d 
11:46:21 ipsec,debug d8899723 31b8f2c0 7a98688d 89fbab05 640c117d aa7d65b8 cacc4eb0 1989e7ef 
11:46:21 ipsec,debug fb4aafcb 148f5846 39762241 50e1ba87 e3bf3224 27c1405d 2736c381 e01d1a71 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug d4a03975 b1bcdddb be95b87a 809cb699 a144d21b 74eb3d5b bf1f744a e051bd61 
11:46:21 ipsec,debug 7b200dbb 74dc268b d13a02ab 7688f4e5 e138c9e9 5017cdcd b31817b3 3e8cf521 
11:46:21 ipsec,debug 0f2c89f7 c4cd5d1b 825e38d6 c6593ba6 9375ae8c cf8c878a 0e9f4ac1 2eebad58 
11:46:21 ipsec,debug d3cb1a6a 66786f05 1c6d0c7c a9b0d9b9 e50a5bc8 f9f5e383 48eb78f0 63ba7c9a 
11:46:21 ipsec,debug 16744a9c db54ec23 cd67298e 7c494dea 670c27c1 609d4b0c 93a2ab6f e2c46715 
11:46:21 ipsec,debug 6bdc70c5 c10d9a9c 7b0d0999 3dddac38 787245f7 e7ca9163 45e65f05 b9539eb2 
11:46:21 ipsec,debug 4e03b140 bbb9a750 6c241387 e85b6353 c623a312 8cb0ffbb f551fe59 800e22d1 
11:46:21 ipsec,debug f95439ed 1916e5f2 89f10950 db39d8d9 5dfb8384 621bd13f ae0bbc27 35ef6cb7 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 49779198 b8b456c6 0befb375 c8f5b99d 34d948c2 9dd537b1 6be4c542 32b616fa 
11:46:21 ipsec,debug 04fdfe5d 4b7ac3fd f74c401d 5a43af28 56843ab6 d54a8ba3 bbae9f8a 7773745e 
11:46:21 ipsec,debug a55ca836 12c239c5 22b91e20 d48e083c be69e11d a827e592 aeef0e89 02ee6d79 
11:46:21 ipsec,debug 68d1a10e 756001fa e4ebfce9 f1a56362 fbf3d351 1211b1ae 9c650394 9ec52287 
11:46:21 ipsec,debug dbd45fb0 928d4e1d f81567e7 f2abafd6 2b6775b5 993343ac a217c508 ba888ca6 
11:46:21 ipsec,debug 927e26b3 0f87a9bc f0908779 da24861d 2b7c49a1 36bd06ef cdffbf0f 15333bc1 
11:46:21 ipsec,debug 55e81a21 95ae971f 84167019 8042287d decf64e0 48b75a65 b28e2f1e 4cf1a888 
11:46:21 ipsec,debug d40cf448 2b591775 e2617bef c720d37a 9cecbe36 9e84e399 9b76540b 4a9c7a35 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug ca8f0f2e aa747a0f aec56e40 8377dd67 5d40870d e22a8905 452875f2 36ded44c 
11:46:21 ipsec,debug 75d48580 62aaa944 9c66151e 6c581305 3a9c72ee dded4df3 b43816cf d7057366 
11:46:21 ipsec,debug 9c242e91 e8331dc8 188f7a06 a99bf579 dd9f8896 afd1d91f 19bc2a55 e481d111 
11:46:21 ipsec,debug 80bed889 b908a331 f9a12409 16b970c5 3021e4c8 4bd1a9e9 dee840ba 6a169f77 
11:46:21 ipsec,debug 928f910f ceb26328 ef466c00 d04e6f09 9ab33e2c 50e5d77f ce500428 019d1f73 
11:46:21 ipsec,debug e68fe186 374111a8 89be9f17 4ab82b5f fb056775 27ad495a 4a5dc422 ccea4e4a 
11:46:21 ipsec,debug 810cdef0 c0900f19 06423135 a2a28dd3 44fd084f c7189da5 bec3a2a5 baf02081 
11:46:21 ipsec,debug ff4f05ed 87438af7 9319efdf c1f520fb ac85552c f2d28f5a b9ca0b3e 51598ba7 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 6f545c77 24c566eb aafb3e2b f3ac4fec 83684146 f9d754a4 43d2327a 769b22e0 
11:46:21 ipsec,debug d5aabab3 037eae36 bcb079d1 dc9426b6 11be21b2 698694ff 9d7f8fb2 95ecabf5 
11:46:21 ipsec,debug 23db9be9 01b598f1 56331230 a4e64fde 768afced 5a908428 3046792c 29157036 
11:46:21 ipsec,debug ccc7d828 e20aea4e 8070dc7f 7711933f 5ebfa765 76a0be70 426df117 f5ed9ce4 
11:46:21 ipsec,debug 6a509329 7476c311 e491d1c9 e4c0eb9a cecf7354 5de1f1a8 303ec367 ec9f902d 
11:46:21 ipsec,debug cd64aefe 7ebccdf8 8c5128f1 932c12bd bea71bab 7157f9e4 75d954d2 b727801a 
11:46:21 ipsec,debug 822682b3 67675afa 621dc17a 6cf4e1b7 bb9460cf 03bf2f22 fe59a2cf 8a284268 
11:46:21 ipsec,debug cfeebd68 44d926ba 2ca83652 2c46fcee 2ea4beb5 f101a39d d216bad8 858eb55e 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 4f538685 dd4f9eca 5fdc0d45 6f7d51 
11:46:21 ipsec,debug decrypted fragment 2 out of 4 
11:46:21 ipsec,debug need more fragments 
11:46:21 ipsec,debug ===== received 1360 bytes from xx.xx.xx.xx[10103] to 192.168.1.5[4500] 
11:46:21 ipsec -> ike2 request, exchange: AUTH:1 xx.xx.xx.xx[10103] ced88752023d9ecb:a3a3515834cbe7ca 
11:46:21 ipsec payload seen: SKF (1332 bytes) 
11:46:21 ipsec processing payload: ENC (not found) 
11:46:21 ipsec processing payload: SKF 
11:46:21 ipsec,debug => iv (size 0x10) 
11:46:21 ipsec,debug e96a7f42 036507b1 df1e40b8 8a788488 
11:46:21 ipsec,debug => decrypted and trimmed payload (size 0x50f) 
11:46:21 ipsec,debug b1dc9b7b ed663135 d31bd4ec a614c429 e319069f 94c12650 a2af240a dae86779 
11:46:21 ipsec,debug c8a850b3 c746eed9 f71b1678 f7f30194 50ba3e69 ec9a50f5 02d13845 cc931372 
11:46:21 ipsec,debug 8626cb1b c554b39f bd6bed63 7fb989a9 80f1f48a 88098f76 06c15808 b8fcf3da 
11:46:21 ipsec,debug d873ae71 34235c0a 33de35ca 82a63615 2944cdf1 c78a055a cc9c1ccd ba42b081 
11:46:21 ipsec,debug 8853881d 8663bd4c c05e08fe ea6ebb77 b181081a 19a4c094 1ffae895 28c124c9 
11:46:21 ipsec,debug 9b34acc7 6ccabd7d b47e94a5 759901b6 a7dfd45d 1c091ccc 6e584e33 75bd57f6 
11:46:21 ipsec,debug d5421b16 01c2d8c0 f53a9f6e bbc23e29 0bb32877 1dad3ea2 4dbdf423 bd06b03d 
11:46:21 ipsec,debug 19813706 c13acc5d 0159405d 5c82d22e f31f3184 3e18e544 f6bd4d77 5028c940 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 3e5c74f5 4cd96029 07daa737 8c513b15 ad74036a 652e2e29 206e21b7 d52e13c1 
11:46:21 ipsec,debug abe349da e8b49594 ef7c3843 606466bd 1916f3cc e47902cb 4fc9807f ed03bec4 
11:46:21 ipsec,debug ac274dbc 5e8c5318 22601d56 71d66aa0 cc64a060 0743d5a8 6e115871 ad6d276f 
11:46:21 ipsec,debug f9ab9330 c247ddf7 404ee47f d3948a4c 62132a19 2eccaf72 8a7d36d7 9a1cdc67 
11:46:21 ipsec,debug c8951368 0197280a 2c55c3fc d390f53a 053bc9fb bdff8d1d 594d832b a7dae387 
11:46:21 ipsec,debug 6e63681c 13dea6c0 148db354 ed9b2f13 087cc38b 4bc15b96 8ac55378 eee59f1e 
11:46:21 ipsec,debug 2aa544c3 cb2543a6 9a5bd46a 25bcbb8e c4527220 a958c06e 9d4bf20b 21123ceb 
11:46:21 ipsec,debug 3a0b6b6f f8f6fa6b 261bcc64 62124630 d1c59915 cd011fcb 95a372ff cd41d7e9 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug fddd3f39 ac270b24 781ed654 3eb748eb 57131db9 02473d5c 8db4381e 1b69f0ef 
11:46:21 ipsec,debug a8e30296 70a68b57 ebecefcc 294e9174 9ad49238 62afb75c 2aa70dad 0d3d8dcf 
11:46:21 ipsec,debug fb109e65 c616c30b c24e4522 d1c32f86 80f74d38 484b74e5 71cd17cf 2260a783 
11:46:21 ipsec,debug 31eea4c8 1165c3b9 da518574 423906c5 c49c127e 4be9e55e f4647726 2cb6d9c9 
11:46:21 ipsec,debug 342b7c38 a7e9c80c 8c4b56d6 37fa9e0d 6c69581d 324e91c0 dd0092e0 168eba57 
11:46:21 ipsec,debug c267d67d 0a0a4e57 b6cbc6c8 3d9f4ee4 171de9cc 8ccb6bee 8403c2cd d7bc0b9f 
11:46:21 ipsec,debug 2704fae0 a632eb18 4b51e4c6 39e13510 6bb5ff61 3a284464 9f20e8b1 05bfe9d7 
11:46:21 ipsec,debug f5663361 51aeeb51 9ca98d00 af740ddd 8180d213 45a58b8f 2e9438d6 ab30d3af 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 4bd8f16b 5869ee45 6929da84 b8739488 e08c9bdb 2549b3f1 7c86d6b2 42870bd0 
11:46:21 ipsec,debug 6ba0d9e4 c43028c5 d3e3080c 10448b2c 77ba2453 9760bbf9 69c427db 59696818 
11:46:21 ipsec,debug 47e25217 0ae0e57f ab9def0f 28a4baee 613e0ab8 15839565 4e4fcc13 c170e3e3 
11:46:21 ipsec,debug fdda14c4 9f30de21 bd1e4239 fcab6323 49e0f184 b386367d bce5f84e e28c1537 
11:46:21 ipsec,debug 81b21df5 3d2c15cd 7b6db8b0 b5e5850d 106151f0 3db0f4ff 408d9ea4 80fca20c 
11:46:21 ipsec,debug 56d95bd9 71c135ed 2460136f 7846a92a 4f9c7d21 799cad0e d8b90c57 9f1a0299 
11:46:21 ipsec,debug e790f387 8df00aad 7c3f4cf3 4275e2ec 19bdf328 e2246922 c5c21f02 fb33f798 
11:46:21 ipsec,debug f080435b 46f4bdae 19bc5b76 2f000108 01000000 27837e47 27a5d23a ce47f2f0 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 6db1bee1 291b4fde 1c939018 c64ca5c4 e1f83190 6c126427 b0dd1424 418f5e57 
11:46:21 ipsec,debug 9aedf39d 73500f03 f0c9bccb cd525040 3ac4c338 87d61270 40c1ef6c 6f44959e 
11:46:21 ipsec,debug 6ec64dcf 94137ad8 32c01568 51a18e0b d4b77ba3 23f50ef7 3c8987e5 bece0700 
11:46:21 ipsec,debug 29e78579 b2d480ae 35c8b8a2 e8a41780 62cb91c5 5cc43d1b d64ad13f cd50547f 
11:46:21 ipsec,debug 3de42d3e d7dcc1b2 4cfd5440 d3c22e44 509332ec 6619ace3 f7aa2526 02c6cdd9 
11:46:21 ipsec,debug a5b4d826 9d8bd190 72ccecf0 4b3e46e2 7e35701e 2c259d22 b24fe0a7 3c1c9d11 
11:46:21 ipsec,debug ebef7361 c9d5d923 8b610b62 5e1688ce 01ce703c 77895db3 95378c57 f6e7bb07 
11:46:21 ipsec,debug b8d8cdf5 43c5b9c9 48776d2f b47abfc7 d7f121a9 29000018 01000000 00010000 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 00080000 00030000 000a0000 210000 
11:46:21 ipsec,debug decrypted fragment 3 out of 4 
11:46:21 ipsec,debug need more fragments 
11:46:21 ipsec,debug ===== received 384 bytes from xx.xx.xx.xx[10103] to 192.168.1.5[4500] 
11:46:21 ipsec -> ike2 request, exchange: AUTH:1 xx.xx.xx.xx[10103] ced88752023d9ecb:a3a3515834cbe7ca 
11:46:21 ipsec payload seen: SKF (356 bytes) 
11:46:21 ipsec processing payload: ENC (not found) 
11:46:21 ipsec processing payload: SKF 
11:46:21 ipsec,debug => iv (size 0x10) 
11:46:21 ipsec,debug e9ccbd67 8d4bc57b ae34465c 09886a0a 
11:46:21 ipsec,debug => decrypted and trimmed payload (size 0x135) 
11:46:21 ipsec,debug 08000040 0a2c0000 90020000 34010304 04e2a1d5 4d030000 0c010000 14800e01 
11:46:21 ipsec,debug 00030000 0c010000 14800e00 80030000 08010000 1c000000 08050000 00000000 
11:46:21 ipsec,debug 58020304 08e2a1d5 4d030000 0c010000 0c800e01 00030000 0c010000 0c800e00 
11:46:21 ipsec,debug c0030000 0c010000 0c800e00 80030000 08030000 0d030000 08030000 0c030000 
11:46:21 ipsec,debug 08030000 0e030000 08030000 02000000 08050000 002d0000 40020000 00070000 
11:46:21 ipsec,debug 100000ff ff000000 00ffffff ff080000 280000ff ff000000 00000000 00000000 
11:46:21 ipsec,debug 00000000 00ffffff ffffffff ffffffff ffffffff ff290000 40020000 00070000 
11:46:21 ipsec,debug 100000ff ff000000 00ffffff ff080000 280000ff ff000000 00000000 00000000 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 00000000 00ffffff ffffffff ffffffff ffffffff ff290000 08000040 0c290000 
11:46:21 ipsec,debug 08000040 0f290000 08000040 21000000 08000040 24 
11:46:21 ipsec,debug decrypted fragment 4 out of 4 
11:46:21 ipsec,debug reassembling fragments 
11:46:21 ipsec payload seen: ID_I (31 bytes) 
11:46:21 ipsec payload seen: CERT (810 bytes) 
11:46:21 ipsec payload seen: NOTIFY (8 bytes) 
11:46:21 ipsec payload seen: CERTREQ (2745 bytes) 
11:46:21 ipsec payload seen: AUTH (264 bytes) 
11:46:21 ipsec payload seen: CONFIG (24 bytes) 
11:46:21 ipsec payload seen: NOTIFY (8 bytes) 
11:46:21 ipsec payload seen: SA (144 bytes) 
11:46:21 ipsec payload seen: TS_I (64 bytes) 
11:46:21 ipsec payload seen: TS_R (64 bytes) 
11:46:21 ipsec payload seen: NOTIFY (8 bytes) 
11:46:21 ipsec payload seen: NOTIFY (8 bytes) 
11:46:21 ipsec payload seen: NOTIFY (8 bytes) 
11:46:21 ipsec payload seen: NOTIFY (8 bytes) 
11:46:21 ipsec processing payloads: NOTIFY 
11:46:21 ipsec   notify: INITIAL_CONTACT 
11:46:21 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
11:46:21 ipsec   notify: MOBIKE_SUPPORTED 
11:46:21 ipsec   notify: NO_ADDITIONAL_ADDRESSES 
11:46:21 ipsec   notify: EAP_ONLY_AUTHENTICATION 
11:46:21 ipsec   notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED 
11:46:21 ipsec ike auth: respond 
11:46:21 ipsec processing payload: ID_I 
11:46:21 ipsec ID_I (DER DN): rw-client1 
11:46:21 ipsec processing payload: ID_R (not found) 
11:46:21 ipsec processing payload: AUTH 
11:46:21 ipsec processing payload: CERT 
11:46:21 ipsec got CERT: rw-client1 
11:46:21 ipsec,debug => (size 0x325) 
11:46:21 ipsec,debug 30820321 30820209 a0030201 02020826 a350bee5 a78f0730 0d06092a 864886f7 
11:46:21 ipsec,debug 0d01010b 0500300d 310b3009 06035504 030c0263 61301e17 0d323130 33303531 
11:46:21 ipsec,debug 31353633 365a170d 32323033 30353131 35363336 5a301531 13301106 03550403 
11:46:21 ipsec,debug 0c0a7277 2d636c69 656e7431 30820122 300d0609 2a864886 f70d0101 01050003 
11:46:21 ipsec,debug 82010f00 3082010a 02820101 00cf96ec 3d659945 be6752bd 75a2d097 c2599386 
11:46:21 ipsec,debug 7825cf5c d91f6e09 bf0d6ebc 7991a4a0 5d94538b 332d7aa6 034a2a77 ea8bddaa 
11:46:21 ipsec,debug f33ed258 e93d23ba 26fc5520 9d2f2152 4218a60f e3c6dd5b 611427c8 596dca56 
11:46:21 ipsec,debug 5ccfe1c3 006fa549 5dcb4f89 a2f97ff5 e7b0c33d ff12aae9 ee3c7abc 550d5075 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug e2dc3a23 5799b7aa 7203d68c db57de98 d4c90e84 c31483d3 49ed48b4 d90c3667 
11:46:21 ipsec,debug 12f94a29 f21b473b ae80baa7 eb970f80 a49cfa32 192611ee 023febc7 77c12b90 
11:46:21 ipsec,debug 8b6e8b39 72f6caa0 bebbb9c2 3c47f2b6 7a0cca84 f1c51d27 134df762 e5734042 
11:46:21 ipsec,debug ea9b403c b1383c8a b5cb5710 e1311eb4 9ade6d06 fe1c53fa 50599bb3 2f994c83 
11:46:21 ipsec,debug 69275ef0 2b2784a6 fe4f1f03 3d020301 0001a37d 307b3013 0603551d 25040c30 
11:46:21 ipsec,debug 0a06082b 06010505 07030230 1d060355 1d0e0416 0414ba8f 0266c4b5 238e1b18 
11:46:21 ipsec,debug 5b60ec1e e69514b8 4013301f 0603551d 23041830 16801474 f23d338b 11cde7bd 
11:46:21 ipsec,debug 4486ab5f e9b2389f c8ab4e30 24060960 86480186 f842010d 04171615 47656e65 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 72617465 64206279 20526f75 7465724f 53300d06 092a8648 86f70d01 010b0500 
11:46:21 ipsec,debug 03820101 00d0f1ba ce494dec 77a6c0a6 4db9f71e 81db1f51 e18045bf ed9fbf88 
11:46:21 ipsec,debug 40b11adb f595c202 2ff1b26a 452940f6 fabbddc6 282383d1 2a3db29f 7a34a427 
11:46:21 ipsec,debug f54190b0 52e5c77c f9cfd590 33842fb8 0e1cdb3e da033810 26d4da74 2270c7ac 
11:46:21 ipsec,debug 858f8774 3eb572b6 e95c701f a2370c64 ef2039a0 53643150 60bb1e6e 49841e34 
11:46:21 ipsec,debug 7327ffb1 eb9326e8 2e46cf82 85c07024 274ab25c e81a76e1 4f326227 97c9fab2 
11:46:21 ipsec,debug 5b8ee080 1677e5a0 12f38477 fcee2c3c 787e6a7a d87be362 eeea119c 81404cbb 
11:46:21 ipsec,debug 0f4dacd6 160050aa b3f81bdc 89b10f8e 41528c39 c438fae5 ff2be66b 050f0ad7 
11:46:21 ipsec,debug 
11:46:21 ipsec,debug 220686ec 46a0c541 865fed0a 4e6f12fc 7f625575 8e9b98b0 b8a7b056 50af98d5 
11:46:21 ipsec,debug 5ef4a6bd 5b 
11:46:21 ipsec processing payloads: NOTIFY 
11:46:21 ipsec   notify: INITIAL_CONTACT 
11:46:21 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
11:46:21 ipsec   notify: MOBIKE_SUPPORTED 
11:46:21 ipsec   notify: NO_ADDITIONAL_ADDRESSES 
11:46:21 ipsec   notify: EAP_ONLY_AUTHENTICATION 
11:46:21 ipsec   notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED 
11:46:21 ipsec processing payload: AUTH 
11:46:21 ipsec requested auth method: RSA 
11:46:21 ipsec,debug => peer's auth (size 0x100) 
11:46:21 ipsec,debug 27837e47 27a5d23a ce47f2f0 6db1bee1 291b4fde 1c939018 c64ca5c4 e1f83190 
11:46:21 ipsec,debug 6c126427 b0dd1424 418f5e57 9aedf39d 73500f03 f0c9bccb cd525040 3ac4c338 
11:46:21 ipsec,debug 87d61270 40c1ef6c 6f44959e 6ec64dcf 94137ad8 32c01568 51a18e0b d4b77ba3 
11:46:21 ipsec,debug 23f50ef7 3c8987e5 bece0700 29e78579 b2d480ae 35c8b8a2 e8a41780 62cb91c5 
11:46:21 ipsec,debug 5cc43d1b d64ad13f cd50547f 3de42d3e d7dcc1b2 4cfd5440 d3c22e44 509332ec 
11:46:21 ipsec,debug 6619ace3 f7aa2526 02c6cdd9 a5b4d826 9d8bd190 72ccecf0 4b3e46e2 7e35701e 
11:46:21 ipsec,debug 2c259d22 b24fe0a7 3c1c9d11 ebef7361 c9d5d923 8b610b62 5e1688ce 01ce703c 
11:46:21 ipsec,debug 77895db3 95378c57 f6e7bb07 b8d8cdf5 43c5b9c9 48776d2f b47abfc7 d7f121a9 
11:46:21 ipsec,debug => auth nonce (size 0x18) 
11:46:21 ipsec,debug 9d65553e 6f3b7596 6e8be1eb 612548f8 2d8e00b3 5a01113f 
11:46:21 ipsec,debug => SK_p (size 0x14) 
11:46:21 ipsec,debug 00350fdb 4c11fa29 e474f85b e8dcfe02 1fd97f71 
11:46:21 ipsec,debug => idhash (size 0x14) 
11:46:21 ipsec,debug 4f9865ce b9231275 37cf7661 28a5df3f bfb2ee39 
11:46:21 ipsec,info,account peer authorized: 192.168.1.5[4500]-xx.xx.xx.xx[10103] spi:a3a3515834cbe7ca:ced88752023d9ecb 
11:46:21 ipsec initial contact 
11:46:21 ipsec processing payloads: NOTIFY 
11:46:21 ipsec   notify: INITIAL_CONTACT 
11:46:21 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
11:46:21 ipsec   notify: MOBIKE_SUPPORTED 
11:46:21 ipsec   notify: NO_ADDITIONAL_ADDRESSES 
11:46:21 ipsec   notify: EAP_ONLY_AUTHENTICATION 
11:46:21 ipsec   notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED 
11:46:21 ipsec peer wants tunnel mode 
11:46:21 ipsec processing payload: CONFIG 
11:46:21 ipsec   attribute: internal IPv4 address 
11:46:21 ipsec   attribute: internal IPv6 address 
11:46:21 ipsec   attribute: internal IPv4 DNS 
11:46:21 ipsec   attribute: internal IPv6 DNS 
11:46:21 ipsec,info acquired 192.168.6.117 address for xx.xx.xx.xx, rw-client1 
11:46:21 ipsec processing payload: SA 
11:46:21 ipsec,debug unknown enc: #28 
11:46:21 ipsec IKE Protocol: ESP 
11:46:21 ipsec  proposal #1 
11:46:21 ipsec   enc: aes256-gcm 
11:46:21 ipsec   enc: aes128-gcm 
11:46:21 ipsec   enc: unknown 
11:46:21 ipsec  proposal #2 
11:46:21 ipsec   enc: aes256-cbc 
11:46:21 ipsec   enc: aes192-cbc 
11:46:21 ipsec   enc: aes128-cbc 
11:46:21 ipsec   auth: sha384 
11:46:21 ipsec   auth: sha256 
11:46:21 ipsec   auth: sha512 
11:46:21 ipsec   auth: sha1 
11:46:21 ipsec processing payload: TS_I 
11:46:21 ipsec 0.0.0.0/0 
11:46:21 ipsec [::/0] 
11:46:21 ipsec processing payload: TS_R 
11:46:21 ipsec 0.0.0.0/0 
11:46:21 ipsec [::/0] 
11:46:21 ipsec TSi in tunnel mode replaced with config address: 192.168.6.117 
11:46:21 ipsec candidate selectors: 0.0.0.0/0 <=> 192.168.6.117 
11:46:21 ipsec candidate selectors: [::/0] <=> [::/0] 
11:46:21 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.6.117 
11:46:21 ipsec generating policy 
11:46:21 ipsec matched proposal: 
11:46:21 ipsec  proposal #2 
11:46:21 ipsec   enc: aes256-cbc 
11:46:21 ipsec   auth: sha1 
11:46:21 ipsec ike auth: finish 
11:46:21 ipsec ID_R (FQDN): 8d1308cded11.sn.mynetname.net 
11:46:21 ipsec,debug => auth nonce (size 0x20) 
11:46:21 ipsec,debug a860f5b1 efe5e3b0 81511ed1 ac7d912f bc084c91 67ef0ede 766c27a0 bc910039 
11:46:21 ipsec,debug => SK_p (size 0x14) 
11:46:21 ipsec,debug cc7b3511 317d2c60 96e779a7 3f20d6dd 66227bfc 
11:46:21 ipsec,debug => idhash (size 0x14) 
11:46:21 ipsec,debug 338069e3 80ce0345 3afdccce 0b174008 d7266eca 
11:46:21 ipsec,debug => my auth (size 0x100) 
11:46:21 ipsec,debug 863cec30 b063b3cd 43df36b5 a5e209d8 1a347fc3 7efc2d60 4a93e1f5 292d8945 
11:46:21 ipsec,debug 70f83553 929f8520 d9f5ebd5 b24a8fcd e2592a55 9e61c6f7 c50851b4 98221a76 
11:46:21 ipsec,debug ccc559b9 a583afad ded1bbc3 22ed09c4 843eb501 c6d7f90a ae26ce91 089735d3 
11:46:21 ipsec,debug 0ce63959 fe48381c 01060885 48d0a091 6f983c0e a53e75ab b1dd8f4e 283c8a1d 
11:46:21 ipsec,debug d245d113 32e6efdc a8ca529c d8812056 fcbe0b51 f7c109ba 0cbb4a4e 856ee159 
11:46:21 ipsec,debug 61caa12d 7b4060bc cd8573f7 b79f6bcc 4f8348c5 64bc2d65 4aab7914 1982f825 
11:46:21 ipsec,debug db26ac14 d3482c86 5d7d31c5 fd1b94e3 878ffc19 2446b9e3 f8873e59 fc15b9b8 
11:46:21 ipsec,debug 651c1ffb 5555c202 06c0c0c5 3ba5b106 eb6b44c1 2aafaa36 43d0ef74 a4dbc424 
11:46:21 ipsec cert: 8d1308cded11.sn.mynetname.net 
11:46:21 ipsec adding payload: CERT 
11:46:21 ipsec,debug => (first 0x100 of 0x369) 
11:46:21 ipsec,debug 00000369 04308203 60308202 48a00302 01020208 4d850a1b 9b6e2464 300d0609 
11:46:21 ipsec,debug 2a864886 f70d0101 0b050030 0d310b30 09060355 04030c02 6361301e 170d3231 
11:46:21 ipsec,debug 30333035 31313536 31305a17 0d323230 33303531 31353631 305a3028 31263024 
11:46:21 ipsec,debug 06035504 030c1d38 64313330 38636465 6431312e 736e2e6d 796e6574 6e616d65 
11:46:21 ipsec,debug 2e6e6574 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 
11:46:21 ipsec,debug 02820101 00b0d8bb 059089e7 8fd28a75 5ec30a7b 557738d4 e4979cc3 249d2da5 
11:46:21 ipsec,debug e0753602 750de74e 39c64cc8 3ee547a3 273c44fe 5fbf0410 021d6254 7f20bea1 
11:46:21 ipsec,debug a7bf2eab 3d07dcf3 c9768bbb a880f983 5991e6d2 e5fd6638 bf233ca0 189b9771 
11:46:21 ipsec adding payload: ID_R 
11:46:21 ipsec,debug => (size 0x25) 
11:46:21 ipsec,debug 00000025 02000000 38643133 30386364 65643131 2e736e2e 6d796e65 746e616d 
11:46:21 ipsec,debug 652e6e65 74 
11:46:21 ipsec adding payload: AUTH 
11:46:21 ipsec,debug => (first 0x100 of 0x108) 
11:46:21 ipsec,debug 00000108 01000000 863cec30 b063b3cd 43df36b5 a5e209d8 1a347fc3 7efc2d60 
11:46:21 ipsec,debug 4a93e1f5 292d8945 70f83553 929f8520 d9f5ebd5 b24a8fcd e2592a55 9e61c6f7 
11:46:21 ipsec,debug c50851b4 98221a76 ccc559b9 a583afad ded1bbc3 22ed09c4 843eb501 c6d7f90a 
11:46:21 ipsec,debug ae26ce91 089735d3 0ce63959 fe48381c 01060885 48d0a091 6f983c0e a53e75ab 
11:46:21 ipsec,debug b1dd8f4e 283c8a1d d245d113 32e6efdc a8ca529c d8812056 fcbe0b51 f7c109ba 
11:46:21 ipsec,debug 0cbb4a4e 856ee159 61caa12d 7b4060bc cd8573f7 b79f6bcc 4f8348c5 64bc2d65 
11:46:21 ipsec,debug 4aab7914 1982f825 db26ac14 d3482c86 5d7d31c5 fd1b94e3 878ffc19 2446b9e3 
11:46:21 ipsec,debug f8873e59 fc15b9b8 651c1ffb 5555c202 06c0c0c5 3ba5b106 eb6b44c1 2aafaa36 
11:46:21 ipsec adding notify: INITIAL_CONTACT 
11:46:21 ipsec,debug => (size 0x8) 
11:46:21 ipsec,debug 00000008 00004000 
11:46:21 ipsec preparing internal IPv4 address 
11:46:21 ipsec preparing internal IPv4 netmask 
11:46:21 ipsec preparing internal IPv4 DNS 
11:46:21 ipsec preparing internal DNS domain 
11:46:21 ipsec adding payload: CONFIG 
11:46:21 ipsec,debug => (size 0x24) 
11:46:21 ipsec,debug 00000024 02000000 00010004 c0a80675 00020004 ffffffff 00030004 01010101 
11:46:21 ipsec,debug 00190000 
11:46:21 ipsec initiator selector: 192.168.6.117  
11:46:21 ipsec adding payload: TS_I 
11:46:21 ipsec,debug => (size 0x18) 
11:46:21 ipsec,debug 00000018 01000000 07000010 0000ffff c0a80675 c0a80675 
11:46:21 ipsec responder selector: 0.0.0.0/0  
11:46:21 ipsec adding payload: TS_R 
11:46:21 ipsec,debug => (size 0x18) 
11:46:21 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff 
11:46:21 ipsec adding payload: SA 
11:46:21 ipsec,debug => (size 0x2c) 
11:46:21 ipsec,debug 0000002c 00000028 02030403 02620958 0300000c 0100000c 800e0100 03000008 
11:46:21 ipsec,debug 03000002 00000008 05000000 
11:46:21 ipsec <- ike2 reply, exchange: AUTH:1 xx.xx.xx.xx[10103] ced88752023d9ecb:a3a3515834cbe7ca 
11:46:21 ipsec fragmenting into 2 chunks 
11:46:21 ipsec adding payload: SKF 
11:46:21 ipsec,debug => (first 0x100 of 0x494) 
11:46:21 ipsec,debug 25000494 00010002 0800d137 7f2a29ac 08807368 8060ff75 9f28b3a2 925f5b48 
11:46:21 ipsec,debug 59ed8904 31157c73 939de675 da1413bc 8f6c484a 110e8ccd 7f6f0439 0ab40b77 
11:46:21 ipsec,debug 030034e5 f02654fb 85282e99 a2af2fc8 2d0f6c2a febdb80d ec8d1a84 ae8be300 
11:46:21 ipsec,debug 68239f06 32584857 26b97ab3 72e3560d 5fcec129 c7757c2e c35d62c3 78c7bd8c 
11:46:21 ipsec,debug 6b16ba10 eeb25a5a 833e1a42 2c8037df 5a5d219a af2ed031 25a0302e 50888b05 
11:46:21 ipsec,debug 2668a144 2bb74e3f 5489746d c7e2fc39 61416dd7 58b59770 9f3e12a8 bce0c0d4 
11:46:21 ipsec,debug 1a037bb3 50826b32 f793ea65 f96a5b81 18b6983c 8126c5cd 242c3090 6d44b6cb 
11:46:21 ipsec,debug cd00a08e 360bdc29 ce6a0fb8 46fefc70 7926cd74 e9fab6bf 002bcbe8 f2a131bd 
11:46:21 ipsec adding payload: SKF 
11:46:21 ipsec,debug => (first 0x100 of 0x1f4) 
11:46:21 ipsec,debug 000001f4 00020002 0800d137 7f2a29ac 08807368 8060ff75 37a3a507 5835c0fc 
11:46:21 ipsec,debug 7f77d151 bfc9c45d 14b429dd 36447b9a d1a57895 4dac60e1 8eeff1f4 cf88b452 
11:46:21 ipsec,debug 5cc86f3c 5e065aab 6956dc70 3227f6bc 86a4e3d8 ec28d0c5 299d9727 68a52aa8 
11:46:21 ipsec,debug 2ec1571a b37e34de 6376a837 08c92393 1991ee79 69c8f8fe 6cbf4d05 38b1cb17 
11:46:21 ipsec,debug cecff98f 50a115ba 5ac306d7 790a476a 1f5a1eb5 40124a6a ce6b76ba 32e9c9d1 
11:46:21 ipsec,debug c21fef2f 366e76e7 9a828c51 762850d9 4c160d34 f4a5cd0d 9527969b 88305e98 
11:46:21 ipsec,debug 0117f8c7 807f7267 e0da4fd7 e5586e36 575567c3 bd3760ca 9053c14b bdb467ef 
11:46:21 ipsec,debug 86831ca9 d72424bc 8bfa0719 226b956e 7323c068 a6ed4fe9 484865a8 40a5a0fd 
11:46:21 ipsec,debug ===== sending 1200 bytes from 192.168.1.5[4500] to xx.xx.xx.xx[10103] 
11:46:21 ipsec,debug 1 times of 1204 bytes message will be sent to xx.xx.xx.xx[10103] 
11:46:21 ipsec,debug ===== sending 528 bytes from 192.168.1.5[4500] to xx.xx.xx.xx[10103] 
11:46:21 ipsec,debug 1 times of 532 bytes message will be sent to xx.xx.xx.xx[10103] 
11:46:21 ipsec,debug => child keymat (size 0x78) 
11:46:21 ipsec,debug 1b231577 6cf556fc f7d8477e 55446ae7 08acf4ac dfe67df0 7e1e3cd6 30b9894b 
11:46:21 ipsec,debug 11eebea0 7dfa889c 9644f252 44d25239 a0b0e55d fe8bdfec 62bd7b95 fad20c8b 
11:46:21 ipsec,debug 3c81afda 1380c219 00da87f9 fcf6a91f 11e4efdf 8200a3e8 0b8d1544 d2e2bed8 
11:46:21 ipsec,debug a8624c37 65c0bf95 a3fa3c3a 8abe05ab 8f01c697 4bfb6de1 
11:46:21 ipsec IPsec-SA established: xx.xx.xx.xx[10103]->192.168.1.5[4500] spi=0x2620958 
11:46:21 ipsec IPsec-SA established: 192.168.1.5[4500]->xx.xx.xx.xx[10103] spi=0xe2a1d54d 
11:46:21 ipsec,debug KA: 192.168.1.5[4500]->xx.xx.xx.xx[4500] 
11:46:21 ipsec,debug 1 times of 1 bytes message will be sent to xx.xx.xx.xx[4500] 
11:46:21 ipsec,debug KA: 192.168.1.5[4500]->xx.xx.xx.xx[10103] 
11:46:21 ipsec,debug 1 times of 1 bytes message will be sent to xx.xx.xx.xx[10103]

OK, so I was blind and hadn’t noticed the profile named ikev2 in your export from Home above, which uses default values of all parameters, so it 1. admits modp2048 and 2. doesn’t show any parameters except the name in the export, as default values of parameters are not shown unless you use the verbose parameter of the export command.

So the root cause is indeed what I’ve said before: as the connection from the phone arrives from the address of the Branch router, it matches by that address on the peer named peer1, and hence the proposal from the phone is not accepted. If it was, it would fail shortly after anyway as the identity representing the phone is not linked to that peer.

But I guess you are not so much interested in an analysis and would prefer a solution, correct?

The key is to make the initial IKE packets coming from the Branch router land on a different peer at Home than those coming from the phone, although both come from the same public IP. As the remote address (from the perspective of the Home router) is the same, and as the listening port of a peer cannot be set, the distinction must be made using the local-address parameter of the two peers, a change of the port to which the Branch router connects, and NAT rules linking these two factors together.

So what I would do is the following:

  • set up another IP address at the Home router, in addition to 192.168.5.1/24. It can be 192.168.5.2/24 on the same interface, or it can be e.g. 10.10.10.10/32 on a dedicated bridge interface with no member ports created just for the purpose of hosting that address, whatever you prefer. It just must not conflict with any subnet you use. We’ll call it a.a.a.a in later steps.
  • also at the Home router, add two NAT rules to the top of their respective chains:
    chain=dstnat in-interface=your-wan-name src-address=public.ip.of.branch protocol=udp dst-port=4501 action=dst-nat to-addresses=a.a.a.a to-ports=4500
    chain=srcnat out-interface=your-wan-name src-address=a.a.a.a src-port=4500 dst-address=public.ip.of.branch action=src-nat to-addresses=192.168.5.1 to-ports=4501
  • the following two steps need to be done in the proper order if the tunnel is your only way to get to the Home router from Branch or vice versa, depending on where you currently are.
  1. set local-address of peer1 at Home to a.a.a.a
  2. set port of peer1 at Branch to 4501
    The thing is that when you add new NAT rules, they don’t affect already existing connections that match them. But when you modify the configuration of a peer, all its connections are dropped and have to be re-established. So you need to make the change first at the remote router, and then at the local one.

Once you implement the changes above, the site-to-site tunnel between the routers will re-establish in the new way (using port 4501 at Home), and the phone will be able to connect to Home even from the Branch WiFi.
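The procedure above written out as RouterOS CLI commands. This is an added example, not configuration from the post; the values are assumptions: 192.168.5.2 stands in for a.a.a.a, ether1 for the Home WAN interface, 203.0.113.10 for the public IP of Branch, and the reply-path rule uses masquerade with to-ports instead of a fixed to-addresses so it does not depend on the Home WAN address. Run the Home part first and the Branch part second if the tunnel is your only way in.

```routeros
# ---- Home router ----

# Second local address, used only as the IKE listener for peer1.
/ip address
add address=192.168.5.2/24 interface=bridge comment="IKE listener for peer1 (a.a.a.a)"

# Traffic from the Branch router to UDP/4501 is steered onto 192.168.5.2:4500,
# so its IKE_SA_INIT matches peer1 (local-address=192.168.5.2), while the phone,
# coming from the same public IP on 500/4500, still lands on the road-warrior
# peer, whose local-address stays unset.
# place-before=0 puts the rule at the top of the chain (needs at least one
# existing rule in the table, e.g. the usual masquerade).
/ip firewall nat
add chain=dstnat place-before=0 in-interface=ether1 protocol=udp \
    src-address=203.0.113.10 dst-port=4501 \
    action=dst-nat to-addresses=192.168.5.2 to-ports=4500 \
    comment="peer1: Branch:any -> a.a.a.a:4500"

# Reverse direction for connections that Home initiates towards Branch:
# packets leaving 192.168.5.2:4500 must appear to come from <Home WAN>:4501,
# otherwise the Branch peer (port=4501) ignores them.
add chain=srcnat place-before=0 out-interface=ether1 protocol=udp \
    src-address=192.168.5.2 src-port=4500 dst-address=203.0.113.10 \
    action=masquerade to-ports=4501 \
    comment="peer1: a.a.a.a:4500 -> WAN:4501"

# Bind peer1 to the new address. Changing a peer drops its connections,
# which is why the remote side is changed first.
/ip ipsec peer
set [ find name=peer1 ] local-address=192.168.5.2

# Assumption to verify: if your peer1 policies at Home carry an explicit
# sa-src-address, it has to follow the peer's local address.
/ip ipsec policy
set [ find peer=peer1 ] sa-src-address=192.168.5.2

# ---- Branch router (after the Home change) ----

# Connect to Home on 4501 instead of 500, so the dstnat rule above applies.
/ip ipsec peer
set [ find name=peer1 ] port=4501

# Check on Home: the site-to-site SA should now terminate on 192.168.5.2
# and the phone's SA on the normal WAN address.
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

The dstnat rule alone covers the case where Branch initiates; the srcnat rule is what keeps the tunnel working when Home happens to initiate the rebuild, which is why the post insists on both.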

Is there any way of doing this but with a dynamic IP? The public IPs on both MikroTiks are not statically assigned.

I can try it with the currently assigned IPs for testing purposes, but once a reboot of the ISP routers occurs I will lose it and have to edit again.

Is there any reason to quote my directly preceding post as a whole? This is no e-mail, I could see what I wrote just above even if you answered a month later.

Sure. One prerequisite to this is that when you set the dynamic DNS FQDN as the peer’s address, RouterOS re-resolves the FQDN to an IP number each time the peer connection is down and a new connection attempt is made.
The other prerequisite is the ability of RouterOS to use an FQDN as the address in an /ip firewall address-list entry. Such entries create dynamic entries with the real IP numbers, and once the TTL of the DNS response expires, a new query is sent and a new dynamic entry is created.

So in the NAT rules above, you’d refer to the (src|dst)-address-list rather than (src|dst)-address.
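The dynamic-DNS variant described above as RouterOS CLI commands: an added example, not the post author's configuration. Assumed names: branch.example.net is the DDNS name of the Branch router, ether1 is the Home WAN interface, and 192.168.5.2 is the second local address (a.a.a.a) used for peer1.

```routeros
# ---- Home router, dynamic-IP variant ----

# The peer address may be an FQDN; RouterOS re-resolves it whenever the peer
# is down and a new connection attempt is made.
/ip ipsec peer
set [ find name=peer1 ] address=branch.example.net

# An address-list entry with an FQDN yields a dynamic entry holding the
# resolved IP, refreshed when the DNS TTL expires.
/ip firewall address-list
add list=branch-public address=branch.example.net comment="DDNS name of Branch"

# Same NAT rules as the static version, but matching on the list instead of
# a fixed address, so they follow the resolved IP automatically.
/ip firewall nat
add chain=dstnat place-before=0 in-interface=ether1 protocol=udp \
    src-address-list=branch-public dst-port=4501 \
    action=dst-nat to-addresses=192.168.5.2 to-ports=4500 \
    comment="peer1: Branch (DDNS) -> a.a.a.a:4500"
add chain=srcnat place-before=0 out-interface=ether1 protocol=udp \
    src-address=192.168.5.2 src-port=4500 dst-address-list=branch-public \
    action=masquerade to-ports=4501 \
    comment="peer1: a.a.a.a:4500 -> WAN:4501 (DDNS)"

# Check: the dynamic entry carries the currently resolved address and its
# remaining TTL; if it is missing, the router's DNS client is the first
# thing to look at.
/ip firewall address-list print where list=branch-public
```

The same trick applies on the Branch side for the address of the Home peer: a DDNS name in the peer's address parameter, with the Home side likewise reachable under its sn.mynetname.net name that already shows up as ID_R in the log.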

Thanks for your answer Sindy.

Adding 192.168.5.2/24 and setting it as the local address of peer1 has resolved my issue without adding the NAT rules.

Everything seems to be working properly; it connects through the Branch WiFi and has access to the Home subnet (i.e. the camera).

Is this acceptable?

If you set the passive parameter of peer1 at Branch to yes, it might be OK even without the NAT rules. If you keep it at no, whenever the site-to-site connection goes down, the Branch router will try to actively connect to Home until the connection attempt in the opposite direction (from Home to Branch) succeeds; the connection attempts initiated by Branch will keep failing, as they will land on the wrong peer, so the identity search will fail.

I prefer to actively control the NAT because I sometimes use multiple initiators behind the same NAT connecting to the same remote responder. In these cases, after an eventual reboot of the NAT device, the pinholes may get created in a different order (so with different source ports on the public side), and then the IPsec sessions never come up properly: the lifetime of the pinholes is longer than the time between re-connection attempts, so the responder’s responses to the requests from the initiators keep hitting the wrong pinholes (leading to another initiator) and resetting their lifetime, and manual intervention is necessary to resolve this. But your simple case should not suffer from this.

Thank you once again for your time and knowledge

But I guess you are not so much interested in an analysis and would prefer a solution, correct?

I don’t mind a detailed analysis of your thoughts.
Always a pleasure reading and trying to understand as much as I can of what you have to say.

I have marked it as solved from your above answer.

Thank you