ikev2 vpn and android phone

Hi all,

I have set up my IKEv2 VPN connection (using certificates) and it works fine on Windows. On the Android phone, however, I can connect to the VPN and LAN resources are accessible, but nothing on the Internet works (connections time out).


can somebody please advise what the problem can be?

thank you

[admin@MikroTik_RB4011] > /export hide-sensitive                                                           
# nov/07/2020 17:29:32 by RouterOS 6.47.7
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
# NOTE(review): this export was taken with hide-sensitive, yet the software id,
# serial number, device inventory and MAC addresses further down are still
# present; redact them before posting a config publicly.
#
# Two bridges: one for the main LAN (VLAN 10) and one for guests (VLAN 20).
# The guest bridge answers ARP only for entries it already holds (arp=reply-only).
/interface bridge
add name=bridge_vlan10_main
add arp=reply-only name=bridge_vlan20_guest
# Port labels only; ether9 is renamed ether9-trunk and carries VLAN 10 and 20.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_PRIMARY_10Gb_LINK
# Both ISP uplinks are tagged VLAN interfaces (VLAN 10 on ether1, VLAN 100 on
# ether10); the two LAN-side VLANs ride on the ether9 trunk.
/interface vlan
add comment=WAN_VLAN_100_VIA_LTE interface=ether10 name=2degress_ISP vlan-id=100
add comment=WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk name=vlan10_main vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk name=vlan20_guest vlan-id=20
# Active-backup bond towards the QNAP: the 10Gb SFP+ link is primary, ether2 is standby.
/interface bonding
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 slaves=sfp-sfpplus1,ether2
# Every switch port is set to default-vlan-id=0.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# WAN and LAN lists are what the firewall rules match on; members are added
# later under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# --- IKEv2 responder, phase 1 ---
/ip ipsec policy group
add name=ikev2-policies
# NOTE(review): no hash, encryption or DH-group values are exported for this
# profile, so it presumably runs on the RouterOS 6.47.7 defaults. Print the
# profile and confirm the effective algorithms meet your baseline.
/ip ipsec profile
add name=IKEv2
# passive=yes: the router only responds to IKEv2 initiators. No peer address is
# exported, so presumably any source address may start an exchange - confirm.
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
# Phase 2 proposal: SHA-256 is preferred but SHA-1 is still offered. Drop sha1
# once every client is known to negotiate sha256. Encryption and PFS settings
# are not exported here (presumably defaults - verify).
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=IKEv2
# Address pools for the two DHCP servers and for IKEv2 mode-config clients.
# NOTE(review): pool_vlan20_guest starts at 10.20.0.1, which is also the
# address configured on bridge_vlan20_guest under /ip address; the main pool
# starts at .30 and leaves the router and static leases out of its range.
/ip pool
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.253
add name=pool_vlan20_guest ranges=10.20.0.1-10.20.0.253
add name=pool_ikev2_vpn ranges=10.90.0.1-10.90.0.253
# One DHCP server per bridge. The guest server uses add-arp=yes, which pairs
# with arp=reply-only on the guest bridge.
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=bridge_vlan10_main lease-time=23h59m59s name=\
    dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=bridge_vlan20_guest lease-time=23h59m59s \
    name=dhcp_vlan20_guest
# Mode-config pushed to VPN clients: a /32 from pool_ikev2_vpn, public
# resolvers (system-dns=no), and split-include=10.10.0.0/24.
# With split-include set, only the listed subnet is offered for the tunnel.
# A client that expects a full tunnel then has no SA for Internet
# destinations, which is the symptom this thread is about. Omit split-include
# when all client traffic should go through the VPN.
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn address-prefix-length=32 name=IKEv2-cfg split-include=10.10.0.0/24 \
    static-dns=1.1.1.1,1.0.0.1 system-dns=no
# Caps the guest subnet at 20M in each direction.
/queue simple
add max-limit=20M/20M name=vlan20_speed_limit target=10.20.0.0/24
# Bridge membership. ether3-ether7, the VLAN 10 trunk interface, the QNAP bond
# and ether10 join the main LAN bridge; ether8 and the VLAN 20 trunk interface
# join the guest bridge.
# NOTE(review): ether10 is labelled WAN_SECONDARY_VIA_LTE and carries the
# 2degress_ISP VLAN interface, yet it is also a port of bridge_vlan10_main, so
# its untagged traffic lands in the trusted LAN. Presumably the LTE device is
# managed over the LAN on that port - confirm this is intended and that the
# device is trusted.
/interface bridge port
add bridge=bridge_vlan10_main interface=ether3
add bridge=bridge_vlan10_main interface=ether4
add bridge=bridge_vlan10_main interface=ether5
add bridge=bridge_vlan10_main interface=ether6
add bridge=bridge_vlan10_main interface=ether7
add bridge=bridge_vlan20_guest interface=ether8
add bridge=bridge_vlan10_main interface=vlan10_main
add bridge=bridge_vlan20_guest interface=vlan20_guest
add bridge=bridge_vlan10_main interface=ether10
add bridge=bridge_vlan10_main interface=qnap_bonding
# Only the main bridge is an active LAN member. The guest bridge entry is
# disabled, so the input-chain rule "drop all not coming from LAN" also applies
# to guest clients.
/interface list member
add interface=Orcon_ISP list=WAN
add interface=bridge_vlan10_main list=LAN
add disabled=yes interface=bridge_vlan20_guest list=LAN
add interface=2degress_ISP list=WAN
# Router addresses on the two bridges (the gateways handed out by DHCP).
/ip address
add address=10.10.0.1/24 interface=bridge_vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=bridge_vlan20_guest network=10.20.0.0
# Both uplinks get their address by DHCP; the LTE uplink's default route has
# distance 2, so it is preferred only when the fibre route is absent.
/ip dhcp-client
add disabled=no interface=Orcon_ISP
add default-route-distance=2 disabled=no interface=2degress_ISP
# Static DHCP leases: each entry pins an address to a MAC address (and to a
# client-id where one is present). Main-LAN entries fall below the start of
# pool_vlan10_main (10.10.0.30); the two guest entries fall inside
# pool_vlan20_guest.
# NOTE(review): this list is a full device inventory with hardware addresses;
# it is not removed by hide-sensitive.
/ip dhcp-server lease
add address=10.10.0.7 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC mac-address=9C:5C:8E:20:B8:C6 server=\
    dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb mac-address=D0:73:D5:24:52:2F server=\
    dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=50:EC:50:3A:F7:C5 server=\
    dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer mac-address=C0:B5:D7:5B:D7:4E server=\
    dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV mac-address=AC:D5:64:94:DB:DD server=\
    dhcp_vlan10_main
add address=10.10.0.11 client-id=1:cc:f9:e4:9c:0:e0 comment=DellXPS_Laptop mac-address=CC:F9:E4:9C:00:E0 \
    server=dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=MikroTik_Audience_VLAN_20 mac-address=\
    76:4D:28:F4:F7:F3 server=dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=MikroTik_Audience_VLAN_10 mac-address=\
    74:4D:28:F4:F7:F2 server=dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir mac-address=38:F9:D3:52:A6:BE server=\
    dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:81 comment=RaspberryPi mac-address=DC:A6:32:0E:48:81 server=\
    dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTVTuner mac-address=00:18:DD:24:1C:FA server=\
    dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader mac-address=00:0A:F5:45:BF:EC server=\
    dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:b1:33:b comment=MikroTik_hap_ac2_VLAN_10 mac-address=\
    C4:AD:34:B1:33:0B server=dhcp_vlan10_main
add address=10.20.0.3 client-id=1:c4:ad:34:b1:33:a comment=MikroTik_hap_ac2_VLAN_20 mac-address=\
    C4:AD:34:B1:33:0A server=dhcp_vlan20_guest
add address=10.10.0.4 client-id=1:b8:69:f4:ba:4f:f1 comment=Mikrotik_LtAP_mini mac-address=B8:69:F4:BA:4F:F1 \
    server=dhcp_vlan10_main
add address=10.10.0.21 comment=VOIP_PHONE mac-address=00:0B:82:EA:D2:C4 server=dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=24:5E:BE:1A:4F:37 server=\
    dhcp_vlan10_main
add address=10.10.0.6 client-id=ff:b5:5e:67:ff:0:2:0:0:ab:11:14:d1:4f:b6:de:77:92:10 comment=Linux_Server \
    mac-address=52:54:00:13:09:91 server=dhcp_vlan10_main
add address=10.10.0.22 client-id=1:2c:26:17:82:8e:2b comment=Oculus_Quest mac-address=2C:26:17:82:8E:2B \
    server=dhcp_vlan10_main
# DHCP options per subnet: clients get public resolvers and the router as gateway.
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.0.1 netmask=24
# --- input chain (traffic to the router itself); rule order is significant ---
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# IKE (UDP 500) and NAT-T (UDP 4500) are admitted from the WAN list.
# NOTE(review): no rule accepts the ipsec-esp protocol, so a client that is not
# behind NAT and sends plain ESP would presumably hit the final input drop -
# confirm if such clients are expected.
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=\
    WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Packets that arrived through an IPsec policy may reach TCP 80 and 8291 on the
# router. Every authenticated VPN client therefore reaches the management
# services; access control then rests on the router's user accounts.
add action=accept chain=input comment="management over VPN" dst-port=80,8291 ipsec-policy=in,ipsec protocol=\
    tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain ---
# The two ipsec-policy accepts sit ahead of the fasttrack rule, so traffic
# matching an IPsec policy is accepted before it can be fasttracked.
# NOTE(review): the first accept has no destination restriction, so decrypted
# VPN client traffic is forwarded to any subnet or uplink as far as this
# export shows.
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Last forward rule: only new, non-dstnat connections entering from WAN are
# dropped. There is no catch-all drop, so the filter itself does not separate
# the main and guest subnets; that separation is left to the /ip route rule
# entries.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT on each uplink; this also covers VPN client traffic leaving
# towards the Internet through the router.
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2degress_ISP
# Certificate-based identity for the IKEv2 responder: the router presents
# VPN_Server, generates policies from the ikev2-policies template group and
# hands out the IKEv2-cfg mode-config.
# NOTE(review): no match-by / remote-certificate setting is exported, so
# presumably any client certificate that validates against a CA trusted by the
# router is accepted. Confirm this, and make sure a lost client certificate
# can be revoked.
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg \
    peer=IKEv2-peer policy-template-group=ikev2-policies
# Policy template: any source towards the VPN pool subnet, using the IKEv2 proposal.
/ip ipsec policy
add dst-address=10.90.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
# Routing-level separation of the main (10.10.0.0/24) and guest (10.20.0.0/24)
# subnets, in both directions.
# NOTE(review): the VPN pool 10.90.0.0/24 appears in neither rule, so VPN
# clients are not kept away from the guest subnet by these entries.
/ip route rule
add action=unreachable dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=unreachable dst-address=10.20.0.0/24 src-address=10.10.0.0/24
# Only these four services are disabled. The remaining services are not shown
# in the export (presumably left at defaults, without an address restriction -
# verify with /ip service print); exposure is limited by the input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
# Periodic reboot at 03:00, every 4w2d.
# NOTE(review): the job only runs "/system reboot" but is granted the full
# policy list (write, password, sensitive, sniff, ...); the reboot policy alone
# looks sufficient for this script - trim to least privilege after testing.
/system scheduler
add interval=4w2d name=monthly_reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/27/2020 start-time=\
    03:00:00
[admin@MikroTik_RB4011] >

Are you using a newer Android whose embedded VPN client can use IKEv2 or do you use StrongSwan?

StrongSwan attempts to establish an SA to 0.0.0.0/0, and once RouterOS restricts it to the first subnet on the split-include list, it doesn’t try again and sends traffic to other destinations outside the tunnel.

I have no idea how the Android embedded client handles that, but it is possible that it tries to send everything down the VPN and as RouterOS rejects its attempts to establish an SA towards other destinations than those listed in the split-include, traffic to other destinations doesn’t get anywhere.

What happens if you remove the split-include from the mode-config row?

Thank you for your reply sindy,
I didn’t know that the implementation varies from client to client when it comes to IKEv2 VPN; I guess OpenVPN is much more practical in this respect


In the standard Android VPN client, if I add a forwarding route to 10.10.0.0/24, the Internet works and I can access my LAN resources, but my public IP doesn’t change to my router’s public IP and remains the ISP’s original IP, so I am not sure how it works or how secure it is (I guess it isn’t)


In StrongSwan it all works without any modifications, but the public IP is not the router’s VPN-tunneled IP, and if I tick the option “block all not destined for vpn traffic” I get the same result: 10.10.0.0 works but nothing else


I just wanted all the traffic to be tunneled; it’s a home network and just an experiment for me :slight_smile:

I removed 10.10.0.0/24 split and everything is working as expected now, thank you!




thank you

Slowly getting the VPN working on all devices across the network; however, I’m having issues getting it working on macOS :frowning:

getting a few errors and a user message "unexpected error occurred "

here are some logs:

default	11:02:24.980781+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Received a start command from SystemUIServer[322]\
default	11:02:24.980880+1300	nesessionmanager	Registering session NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]\
default	11:02:24.983203+1300	nesessionmanager	<NESMServer: 0x7fcbe5d069f0>: Register Enterprise VPN Session: NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]\
default	11:02:24.983261+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Successfully registered\
default	11:02:24.986218+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: status changed to connecting\
default	11:02:24.986854+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)] in state NESMVPNSessionStateIdle: received start message\
default	11:02:24.987202+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Leaving state NESMVPNSessionStateIdle\
default	11:02:24.987323+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Entering state NESMVPNSessionStatePreparingNetwork\
default	11:02:24.988331+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork\
default	11:02:24.988401+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Entering state NESMVPNSessionStateStarting\
default	11:02:24.988490+1300	nesessionmanager	NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Sending start command\
default	11:02:24.988719+1300	nesessionmanager	com.apple.NetworkExtension.IKEv2Provider[inactive]: starting\
default	11:02:25.029251+1300	secinitd	NEIKEv2Provider[2293]: root path for bundle "<private>" of main executable "<private>"\
default	11:02:25.039964+1300	secinitd	NEIKEv2Provider[2293]: AppSandbox request successful\
default	11:02:25.050445+1300	NEIKEv2Provider	Hello, I'm launching as euid = 501, uid = 501, (persona not available)\
error	11:02:25.066473+1300	NEIKEv2Provider	Bootstrapping; external subsystem UIKit_PKSubsystem refused setup\
default	11:02:25.066622+1300	NEIKEv2Provider	Bootstrapping; Bootstrap complete. Ready for handshake from host.\
default	11:02:25.067678+1300	NEIKEv2Provider	[u EAC202AF-7EA3-485E-96CB-48253C2B1F83] [(null)((null))] Prepare received as euid = 501, uid = 501, (persona not available)\
default	11:02:25.068372+1300	NEIKEv2Provider	[u 68A488FF-ED99-4038-B0A6-4BD0C2595360] [<private>(<private>)] Set sole personality.\
default	11:02:25.070024+1300	NEIKEv2Provider	[u 68A488FF-ED99-4038-B0A6-4BD0C2595360] [<private>(<private>)] Begin using received as euid = 501, uid = 501, (persona not available)\
error	11:02:25.076169+1300	NEIKEv2Provider	cannot open file at line 43353 of [378230ae7f]\
error	11:02:25.076205+1300	NEIKEv2Provider	os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory\
default	11:02:25.106926+1300	NEIKEv2Provider	Signature check failed: code failed to satisfy specified code requirement(s)\
default	11:02:25.108123+1300	NEIKEv2Provider	nw_path_evaluator_start [1C4B1A7C-A36D-4C36-B8A4-875DCD0247E0 <NULL> generic, indefinite]\
	path: satisfied (Path is satisfied), interface: en0, ipv4, dns\
default	11:02:25.108695+1300	NEIKEv2Provider	<NEIKEv2Provider:  (ifIndex 0)>: : New scoped interface (null) (0) (SATISFIED: 0)\
default	11:02:25.109389+1300	NEIKEv2Provider	<NEIKEv2Provider:  (ifIndex 0)>: : New scoped interface en0 (6) (SATISFIED: 1)\
default	11:02:25.109550+1300	NEIKEv2Provider	<NEIKEv2Provider:  (ifIndex 6)>: : Starting tunnel on scoped interface UP (6)\
default	11:02:25.121792+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[360]) initialized with Mach-O UUIDs (\
    "3F45C984-0491-3962-BC1E-63E6199E075F"\
)\
default	11:02:25.125962+1300	NEIKEv2Provider	[Extension com.apple.NetworkExtension.IKEv2Provider]: Calling startTunnelWithOptions with options 0x7fc92d434cc0\
default	11:02:25.125607+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[360]) started with PID 2293 error (null)\
default	11:02:25.126015+1300	NEIKEv2Provider	<NEIKEv2Provider:  (ifIndex 6)>: : startTunnelWithOptions Invoked\
default	11:02:25.126105+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : Starting IKEv2 Tunnel on scoped ifindex 6\
default	11:02:25.129652+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : Resolving vpn.domain.me:500 (\
    processUUID = 3F45C984-0491-3962-BC1E-63E6199E075F\
    effectiveProcessUUID = 3F45C984-0491-3962-BC1E-63E6199E075F\
    pid = 2293\
    uid = 501\
    protocolTransforms = (\
    )\
    requiredInterface = \{\
        type = wifi\
        subtype = wifi_infrastructure\
    \})\
default	11:02:25.129818+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : handleDNSResolution (resolvedEndpoints count 0) (query status In progress)\
default	11:02:25.130148+1300	mDNSResponder	[R3602] DNSServiceCreateConnection START PID[2293](NEIKEv2Provider)\
default	11:02:25.130449+1300	mDNSResponder	[R3603] DNSServiceGetAddrInfo(C000D000, 6, 0, <private>) START PID[2293](NEIKEv2Provider)\
default	11:02:25.132509+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : handleDNSResolution (resolvedEndpoints count 1) (query status Complete)\
default	11:02:25.133148+1300	mDNSResponder	[R3602] DNSServiceCreateConnection STOP PID[2293](NEIKEv2Provider)\
default	11:02:25.133183+1300	mDNSResponder	[R3603] DNSServiceGetAddrInfo(<private>) STOP PID[2293](NEIKEv2Provider)\
default	11:02:25.142339+1300	NEIKEv2Provider	NEIKEv2Transport: Adding client IKEv2Session[1, 0000000000000000-0000000000000000] with SPI 963784C57E5DF1D8 on <NEIKEv2Transport> UDP 0.0.0.0:500 -> 121.99.240.12:500\
default	11:02:25.144738+1300	NEIKEv2Provider	[C1 77A2AB57-7B8A-4065-97B0-0D1597D9048E IPv4#068b161b:500 udp, interface: en0, local: IPv4#c0ea65bf:500, prohibit joining] start\
default	11:02:25.148960+1300	NEIKEv2Provider	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing\
default	11:02:25.149430+1300	NEIKEv2Provider	nw_flow_connected [C1 IPv4#068b161b:500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns)] Output protocol connected\
default	11:02:25.149554+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>:  tunnel bringup requested\
default	11:02:25.150288+1300	NEIKEv2Provider	Connect IKEv2Session[1, 963784C57E5DF1D8-0000000000000000]\
default	11:02:25.151355+1300	NEIKEv2Provider	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready\
default	11:02:25.151990+1300	NEIKEv2Provider	IKEv2Session[1, 963784C57E5DF1D8-0000000000000000] Initiating IKEv2 connection\
default	11:02:25.152051+1300	NEIKEv2Provider	IKEv2IKESA[1.1, 963784C57E5DF1D8-0000000000000000] state Disconnected -> Connecting\
default	11:02:25.152107+1300	NEIKEv2Provider	ChildSA[1, (null)-(null)] state Disconnected -> Connecting\
default	11:02:25.218738+1300	NEIKEv2Provider	Adding securityd connection to pool, total now 1\
default	11:02:25.219167+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:25.342973+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:25.472491+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : New scoped interface en0 (6) (SATISFIED: 1)\
error	11:02:25.934324+1300	NEIKEv2Provider	[IKE_SA_INIT R resp0 963784C57E5DF1D8-0000000000000000] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=17 "InvalidKEPayload" UserInfo=\{NSDebugDescription=InvalidKEPayload\}\
default	11:02:25.942507+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:25.946016+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:26.309926+1300	NEIKEv2Provider	Disabling wildcard for client [NEIKEv2TransportClient 963784C57E5DF1D8 IKEv2Session[1, 963784C57E5DF1D8-0B2C22A0ED8DB25C]] on <NEIKEv2Transport> UDP 192.168.43.7:500 -> 121.99.240.12:500\
default	11:02:26.315076+1300	NEIKEv2Provider	[C2 F19FF3A8-6D47-404A-84FF-79BE70E70F58 IPv4#068b161b:4500 udp, interface: en0, local: IPv4#c0ea65bf:4500, prohibit joining] start\
default	11:02:26.315124+1300	NEIKEv2Provider	NEIKEv2Transport: Adding client IKEv2Session[1, 963784C57E5DF1D8-0B2C22A0ED8DB25C] with SPI 963784C57E5DF1D8 on <NEIKEv2Transport> UDP NAT-T 192.168.43.7:4500 -> 121.99.240.12:4500\
default	11:02:26.316508+1300	NEIKEv2Provider	nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state preparing\
default	11:02:26.316608+1300	NEIKEv2Provider	nw_flow_connected [C2 IPv4#068b161b:4500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns)] Transport protocol connected\
default	11:02:26.316752+1300	NEIKEv2Provider	nw_flow_connected [C2 IPv4#068b161b:4500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns)] Output protocol connected\
default	11:02:26.317684+1300	NEIKEv2Provider	nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state ready\
default	11:02:26.321047+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:26.323836+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:26.325252+1300	NEIKEv2Provider	keychain blob version does not support integrity\
default	11:02:26.347991+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
default	11:02:26.351670+1300	secd	NEIKEv2Provider[2293]/1#6 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo=\{NSDescription=query missing class name\}\
error	11:02:26.638991+1300	NEIKEv2Provider	[IKE_AUTH R resp1 963784C57E5DF1D8-0B2C22A0ED8DB25C] Initiator auth received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=24 "AuthenticationFailed" UserInfo=\{NSDebugDescription=AuthenticationFailed\}\
default	11:02:26.639183+1300	NEIKEv2Provider	IKEv2IKESA[1.1, 963784C57E5DF1D8-0B2C22A0ED8DB25C] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=24 "AuthenticationFailed" UserInfo=\{NSDebugDescription=AuthenticationFailed\}\
error	11:02:26.639303+1300	NEIKEv2Provider	IKEv2Session[1, 963784C57E5DF1D8-0B2C22A0ED8DB25C] Failed to process IKE Auth packet (connect)\
default	11:02:26.639512+1300	NEIKEv2Provider	IKEv2IKESA[1.1, 963784C57E5DF1D8-0B2C22A0ED8DB25C] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=24 "AuthenticationFailed" UserInfo=\{NSDebugDescription=AuthenticationFailed\} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE Auth packet (connect)" UserInfo=\{NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE Auth packet (connect)\}\
default	11:02:26.639810+1300	NEIKEv2Provider	ChildSA[1, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=24 "AuthenticationFailed" UserInfo=\{NSDebugDescription=AuthenticationFailed\}\
default	11:02:26.639935+1300	NEIKEv2Provider	Resetting IKEv2Session[1, 963784C57E5DF1D8-0B2C22A0ED8DB25C]\
default	11:02:26.640047+1300	NEIKEv2Provider	Aborting session IKEv2Session[1, 963784C57E5DF1D8-0B2C22A0ED8DB25C]\
default	11:02:26.640181+1300	NEIKEv2Provider	IKEv2Session[1, 963784C57E5DF1D8-0B2C22A0ED8DB25C] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs\
default	11:02:26.646620+1300	NEIKEv2Provider	Invalidating transports for IKEv2IKESA[1.1, 963784C57E5DF1D8-0B2C22A0ED8DB25C]\
default	11:02:26.646708+1300	NEIKEv2Provider	Cancelling client 963784C57E5DF1D8 for <NEIKEv2Transport> UDP 192.168.43.7:500 -> 121.99.240.12:500\
default	11:02:26.646919+1300	NEIKEv2Provider	<NEIKEv2Transport> UDP 192.168.43.7:500 -> 121.99.240.12:500 out of clients, invalidating\
default	11:02:26.647034+1300	NEIKEv2Provider	[C1 77A2AB57-7B8A-4065-97B0-0D1597D9048E IPv4#068b161b:500 udp, interface: en0, local: IPv4#c0ea65bf:500, prohibit joining] cancel\
default	11:02:26.647080+1300	NEIKEv2Provider	Cancelling client 963784C57E5DF1D8 for <NEIKEv2Transport> UDP NAT-T 192.168.43.7:4500 -> 121.99.240.12:4500\
default	11:02:26.647211+1300	NEIKEv2Provider	[C1 77A2AB57-7B8A-4065-97B0-0D1597D9048E IPv4#068b161b:500 udp, interface: en0, local: IPv4#c0ea65bf:500, prohibit joining] cancelled\
	[C1 AFD6CB84-2BF7-4AB4-AA02-193B00371343 192.168.43.7:500<->IPv4#068b161b:500]\
	Connected Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns\
	Duration: 1.502s, , UDP @0.003s took 0.003s\
default	11:02:26.647286+1300	NEIKEv2Provider	<NEIKEv2Transport> UDP NAT-T 192.168.43.7:4500 -> 121.99.240.12:4500 out of clients, invalidating\
default	11:02:26.647290+1300	NEIKEv2Provider	0.000s [C1 AFD6CB84-2BF7-4AB4-AA02-193B00371343 192.168.43.7:500<->IPv4#068b161b:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] path:start\
default	11:02:26.647360+1300	NEIKEv2Provider	0.000s [C1 AFD6CB84-2BF7-4AB4-AA02-193B00371343 192.168.43.7:500<->IPv4#068b161b:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] path:satisfied\
default	11:02:26.647427+1300	NEIKEv2Provider	0.003s [C1 AFD6CB84-2BF7-4AB4-AA02-193B00371343 192.168.43.7:500<->IPv4#068b161b:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:start_connect\
default	11:02:26.647504+1300	NEIKEv2Provider	0.006s [C1 AFD6CB84-2BF7-4AB4-AA02-193B00371343 192.168.43.7:500<->IPv4#068b161b:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:finish_connect\
default	11:02:26.647566+1300	NEIKEv2Provider	0.006s [C1 AFD6CB84-2BF7-4AB4-AA02-193B00371343 192.168.43.7:500<->IPv4#068b161b:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:changed_viability\
default	11:02:26.647731+1300	NEIKEv2Provider	1.502s [C1] path:cancel\
default	11:02:26.648133+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : stopping tunnel since IKE disconnected 14\
default	11:02:26.648379+1300	NEIKEv2Provider	nw_flow_disconnected [C1 IPv4#068b161b:500 cancelled socket-flow ((null))] Output protocol disconnected\
default	11:02:26.648577+1300	NEIKEv2Provider	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state cancelled\
default	11:02:26.648683+1300	NEIKEv2Provider	Invalidating IKEv2Session[1, 317AE356492D828A-0000000000000000]\
default	11:02:26.648861+1300	NEIKEv2Provider	<NEIKEv2Provider: Primary Tunnel (ifIndex 6)>: : Invalidated session (IKEv2Session[1, 317AE356492D828A-0000000000000000])\
default	11:02:26.648963+1300	NEIKEv2Provider	[C2 F19FF3A8-6D47-404A-84FF-79BE70E70F58 IPv4#068b161b:4500 udp, interface: en0, local: IPv4#c0ea65bf:4500, prohibit joining] cancel\
default	11:02:26.649055+1300	NEIKEv2Provider	[Extension com.apple.NetworkExtension.IKEv2Provider]: IPC detached\
default	11:02:26.649437+1300	NEIKEv2Provider	[C2 F19FF3A8-6D47-404A-84FF-79BE70E70F58 IPv4#068b161b:4500 udp, interface: en0, local: IPv4#c0ea65bf:4500, prohibit joining] cancelled\
	[C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500]\
	Connected Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns\
	Duration: 0.334s, , UDP @0.001s took 0.000s\
default	11:02:26.649605+1300	NEIKEv2Provider	0.000s [C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] path:start\
error	11:02:26.649624+1300	NEIKEv2Provider	IKE received error Operation canceled\
default	11:02:26.649779+1300	NEIKEv2Provider	Aborting session IKEv2Session[1, 317AE356492D828A-0000000000000000]\
default	11:02:26.649846+1300	NEIKEv2Provider	Resetting IKEv2Session[1, 317AE356492D828A-0000000000000000]\
default	11:02:26.649899+1300	NEIKEv2Provider	0.000s [C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] path:satisfied\
default	11:02:26.649905+1300	NEIKEv2Provider	Aborting session IKEv2Session[1, 317AE356492D828A-0000000000000000]\
default	11:02:26.650374+1300	NEIKEv2Provider	IKEv2Session[1, 317AE356492D828A-0000000000000000] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs\
default	11:02:26.651026+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[360]) did detach from IPC\
default	11:02:26.650768+1300	NEIKEv2Provider	Invalidating transports for IKEv2IKESA[1.1, 317AE356492D828A-0000000000000000]\
default	11:02:26.649962+1300	NEIKEv2Provider	0.001s [C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:start_connect\
default	11:02:26.651613+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[360]) disconnected with reason Plugin failed\
default	11:02:26.650855+1300	NEIKEv2Provider	0.001s [C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:finish_transport\
default	11:02:26.651156+1300	NEIKEv2Provider	0.002s [C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:finish_connect\
default	11:02:26.650891+1300	NEIKEv2Provider	IKEv2IKESA[1.1, 317AE356492D828A-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=24 "AuthenticationFailed" UserInfo=\{NSDebugDescription=AuthenticationFailed\} -> (null)\
default	11:02:26.651233+1300	NEIKEv2Provider	0.002s [C2 F31B161A-C984-49E7-875E-2925E510B7E5 192.168.43.7:4500<->IPv4#068b161b:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns] flow:changed_viability\
default	11:02:26.651459+1300	NEIKEv2Provider	0.334s [C2] path:cancel\
default	11:02:26.651889+1300	NEIKEv2Provider	<NEIPSecDB 0x7fc92d4124e0 [0x7fff8cd4bcc0]> \{UniqueIndex = 1\} invalidating\
default	11:02:26.652508+1300	NEIKEv2Provider	nw_flow_disconnected [C2 IPv4#068b161b:4500 cancelled socket-flow ((null))] Output protocol disconnected\
default	11:02:26.652699+1300	NEIKEv2Provider	IKEv2Session[1, 317AE356492D828A-0000000000000000] (null) Uninstalling all child SAs\
default	11:02:26.652565+1300	NEIKEv2Provider	nw_flow_disconnected [C2 IPv4#068b161b:4500 cancelled socket-flow ((null))] Output protocol disconnected\
default	11:02:26.652797+1300	NEIKEv2Provider	nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state cancelled\
default	11:02:26.653954+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Leaving state NESMVPNSessionStateStarting\
default	11:02:26.654028+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds\
default	11:02:26.654238+1300	nesessionmanager	<NESMServer: 0x7fcbe5d069f0>: Request to uninstall session: NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]\
default	11:02:26.654299+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: status changed to disconnecting\
default	11:02:26.654387+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)\
default	11:02:26.657829+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Leaving state NESMVPNSessionStateStopping\
default	11:02:26.657901+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds\
default	11:02:26.658032+1300	nesessionmanager	com.apple.NetworkExtension.IKEv2Provider[360]: disposing\
default	11:02:26.668133+1300	nesessionmanager	com.apple.NetworkExtension.IKEv2Provider[360]: Tearing down agent connection\
default	11:02:26.668232+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)] in state NESMVPNSessionStateDisposing: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[360]) dispose complete\
default	11:02:26.668286+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)] in state NESMVPNSessionStateDisposing: all plugins have disposed\
default	11:02:26.668514+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Leaving state NESMVPNSessionStateDisposing\
default	11:02:26.668601+1300	nesessionmanager	com.apple.NetworkExtension.IKEv2Provider[360]: XPC connection went away\
default	11:02:26.668661+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: Entering state NESMVPNSessionStateIdle\
default	11:02:26.668689+1300	nesessionmanager	NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[360]): Tearing down plugin connection\
default	11:02:26.670197+1300	nesessionmanager	NESMIKEv2VPNSession[Primary Tunnel:VPN (IKEv2):2CDEA0E4-353D-413C-AF6D-F34CC92764B1:(null)]: status changed to disconnected, last stop reason Plugin failed\
default	11:02:28.643100+1300	nesessionmanager	-[NESMIKEv2VPNSession setStatus:]_block_invoke: user acknowledged VPN notification\
}