IPSec - duplicate entry and weird log

Hi,

I have a weird “problem” with IPSec lately. The connection works fine but I can see in log that there are timeouts and also in remote peers I can see a second connection for the same tunnel but that one seems to be stuck.
There are two tunnels on this router and one is working fine, the other has this strange behaviour.
Has anyone had the same problem?
Thank you for your help
ipsec.png

It won’t help you, but you’re not alone, I also see this on one router. I also have two tunnels with two different peers and only one does this. I don’t know when it started, but I first saw it happening on older RouterOS that worked fine before. I don’t remember exact version, I think something a little before 6.40, because somewhere around that MikroTik did bigger changes with IPSec and I rather hold back for a while. Now I have 6.44.5 and it’s the same.

It’s probably something on the other end, either bug or misconfiguration. Unfortunately in my case, the other end is not under my control. I don’t even have any idea what’s running there, most likely some big brand device. As long as it doesn’t break down completely, the chance to get any useful info from the other party is very low. And it’s not something I can play with much, it must keep running.

Try to enable more verbose logging, maybe it will show something useful. Or maybe not, the only unusual line I see is “SPI size isn’t zero, but IKE proposal”, but it doesn’t really tell me much.

It can be caused by weird bugs in other router’s NAT implementation.
E.g. when the MikroTik router is behind an AVM FritzBox or a Draytek router operating in NAT mode this kind of behaviour can often be observed.
It can help to take the connection down for at least as long as that router needs to flush its NAT table, or to reboot that router.

It is possible that both sides try to establish a connection simultaneously. You can see in the screenshot that one peer is initiator and one responder. You can use passive=yes on one side to make sure it does not initiate a connection. Having two active sessions between the same devices should not introduce any issues because the peers will negotiate themselves which IPsec SAs to use.

The second (responder) peer does not establish probably because of a strict firewall preventing new UDP/500 connections to establish in router’s input chain. The initiator peer works because the connection is initiated by the router itself and all responses are accepted by router’s “accept established” rule in input chain.

Before OP returns with some more info, I can say that firewall problem is unlikely in my case.

When my router is initiator, it works, so remote peer must accept new connections. The problem occurs when remote peer is initiator, but since the packet arrived to my router and IPSec sees it, my firewall clearly doesn’t block it either. And I also know for sure that I accept udp/500.

I’m wondering if it may have something to do with that “SPI size isn’t zero, but IKE proposal” message. I found what it’s about. With all other tunnels I have, field “SPI size” in incoming proposal is always zero (also for outgoing ones). With this one it’s 8 and then there’s SPI from initiator. When RouterOS responds, it also sets SPI size to 8, but then SPI is all zeroes. I don’t know if it’s correct or not (I looked in RFC, but I didn’t come across any easy to find answer there), but it’s the only difference I see, when compared to other tunnels.
ike-packet1.png
ike-packet2.png
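
Added example (not part of any post in this thread): a small Python decoder for the IKEv1 SA payload body that RouterOS hex-dumps after `total SA len=`, run on the two dumps from the debug log posted further down, to show the SPI-size difference described above. The function names are this example's own, and the attribute tables cover only the values that appear in that log.

```python
import struct

# Sample input: the two hex dumps that follow "total SA len=" in the debug log
# posted in this thread, with the terminal line wraps rejoined.
SA_REMOTE_INITIATES = (  # 14:17:54, received while the remote peer initiates
    "00000001 00000001 00000038 01010801 e317f8b1 857bff4c 00000028 00010000 "
    "80010007 800e0100 80020002 80040005 800b0001 000c0004 00015180 80030001")
SA_REMOTE_RESPONDS = (   # 14:18:01, received as reply to the router's proposal
    "00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 "
    "00015180 80010007 800e0100 80030001 80020002 80040005")

PROTO_ISAKMP = 1
# IKEv1 phase 1 attribute classes and the values seen in this log (RFC 2409).
ATTR_NAMES = {1: "Encryption Algorithm", 2: "Hash Algorithm",
              3: "Authentication Method", 4: "Group Description",
              11: "Life Type", 12: "Life Duration", 14: "Key Length"}
ATTR_VALUES = {1: {7: "AES-CBC"}, 2: {2: "SHA"}, 3: {1: "pre-shared key"},
               4: {5: "1536-bit MODP group"}, 11: {1: "seconds"}}


def sub_payloads(buf, what):
    """Split chained sub-payloads (next, reserved, 16-bit length) into bodies."""
    off, bodies = 0, []
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError(f"truncated {what} header")
        _next, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError(f"{what} length {length} does not fit the buffer")
        bodies.append(buf[off + 4:off + length])
        off += length
    return bodies


def parse_attributes(buf):
    """Decode data attributes: AF bit set = 2-byte value, AF bit clear = TLV."""
    attrs, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute")
        typ, val = struct.unpack_from("!HH", buf, off)
        off += 4
        if not typ & 0x8000:              # variable length: val is a byte count
            if off + val > len(buf):
                raise ValueError("attribute value runs past the transform")
            length = val
            val = int.from_bytes(buf[off:off + length], "big")
            off += length
        cls = typ & 0x7FFF
        name = ATTR_NAMES.get(cls, f"class {cls}")
        attrs[name] = ATTR_VALUES.get(cls, {}).get(val, val)
    return attrs


def parse_sa_body(hexdump):
    """Parse DOI, situation, proposals and transforms from an SA body dump."""
    buf = bytes.fromhex(hexdump)
    if len(buf) < 8:
        raise ValueError("SA body shorter than DOI + situation")
    doi, situation = struct.unpack_from("!II", buf)
    proposals = []
    for body in sub_payloads(buf[8:], "proposal"):
        number, proto, spi_size, n_trans = body[:4]
        if 4 + spi_size > len(body):
            raise ValueError("SPI runs past the proposal")
        transforms = [
            {"number": t[0], "id": t[1], "attrs": parse_attributes(t[4:])}
            for t in sub_payloads(body[4 + spi_size:], "transform")]
        if len(transforms) != n_trans:
            raise ValueError("transform count does not match the header")
        proposals.append({"number": number, "protocol_id": proto,
                          "spi_size": spi_size,
                          "spi": body[4:4 + spi_size].hex(),
                          "transforms": transforms})
    return {"doi": doi, "situation": situation, "proposals": proposals}


def isakmp_proposals_with_spi(sa):
    """List (proposal number, SPI size, SPI) for ISAKMP proposals with an SPI.

    RFC 2408 section 3.5: for Protocol-ID ISAKMP the SPI size may be 0 to 16
    and a non-zero SPI must be ignored, because the header cookies are the SPI.
    """
    return [(p["number"], p["spi_size"], p["spi"]) for p in sa["proposals"]
            if p["protocol_id"] == PROTO_ISAKMP and p["spi_size"]]


def first_attrs(sa):
    """Attributes of the first transform of the first proposal."""
    return sa["proposals"][0]["transforms"][0]["attrs"]


if __name__ == "__main__":
    parsed = {name: parse_sa_body(dump) for name, dump in (
        ("remote initiates", SA_REMOTE_INITIATES),
        ("remote responds", SA_REMOTE_RESPONDS))}
    for name, sa in parsed.items():
        p = sa["proposals"][0]
        print(f"{name}: spi-size={p['spi_size']} spi={p['spi'] or '-'}")
        print("   ", first_attrs(sa))
    a, b = parsed.values()
    print("same transform attributes:", first_attrs(a) == first_attrs(b))
```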

Hi,
thank you all very much for your replies. I have been waiting for a weekend so I can experiment with it a little, since it is unfortunately a prod environment.
The other side is very probably a Cisco device, but I don’t know it for sure, since it is not under my control.
NAT could be a problem, but wouldn’t it also affect the other working tunnel?

I tried setting PASSIVE and also removing the Send INITIAL_CONTACT.
Removing Send INIT… didn’t make any change.
When I set the tunnel to passive I got a new error message and it looks like there is misconfiguration between the two sides?
remote-id-type is set to auto.

Also before I started these changes there were three identical tunnels. Two non-working ones and one working :)
ipsec2.png

For these new error messages, try more verbose logging:

/system logging
add topics=ipsec,!packet

There’s often some useful info that’s not shown by default.

And sorry for hijacking your thread, I thought it could be the same thing, but maybe not.

Here is log with the above logging setting.
I don’t see anything interesting there though. It almost looks like a config mismatch, but in the log the setting is correct on both sides.

14:17:52 ipsec,debug Migrate Ph2
14:17:52 ipsec,info ISAKMP-SA deleted 10.255.255.1[500]-XXX.XXX.XXX.XXX[500] spi:d1535185be9fc0fb:23d22ed5aa4beebe rekey:1
14:17:52 ipsec,debug an undead schedule has been deleted.
14:17:52 ipsec,debug Removing PH1…
14:17:52 ipsec,debug Deleting a Ph2…
14:17:52 ipsec,debug compute IV for phase2
14:17:52 ipsec,debug phase1 last IV:
14:17:52 ipsec,debug 2b435a77 2c14c4fa 23735c64 93bc12fd 8fce989f
14:17:52 ipsec,debug hash(sha1)
14:17:52 ipsec,debug encryption(aes)
14:17:52 ipsec,debug phase2 IV computed:
14:17:52 ipsec,debug ee098b90 cdd12f24 e1f661df 5d9b4d13
14:17:52 ipsec,debug HASH with:
14:17:52 ipsec,debug 8fce989f 00000010 00000001 03040001 03957e8f
14:17:52 ipsec,debug hmac(hmac_sha1)
14:17:52 ipsec,debug HASH computed:
14:17:52 ipsec,debug 1b644661 fb1da4f4 72c60893 4182206f 5bbefd50
14:17:52 ipsec,debug begin encryption.
14:17:52 ipsec,debug encryption(aes)
14:17:52 ipsec,debug pad length = 8
14:17:52 ipsec,debug 0c000018 1b644661 fb1da4f4 72c60893 4182206f 5bbefd50 00000010 00000001
14:17:52 ipsec,debug 03040001 03957e8f b3cb99db a3b5d407
14:17:52 ipsec,debug encryption(aes)
14:17:52 ipsec,debug with key:
14:17:52 ipsec,debug d9027c9e 0befdaec cb1a6bf6 32997fb6 dfd87bdb bd9e77e6 9eeec993 db180821
14:17:52 ipsec,debug encrypted payload by IV:
14:17:52 ipsec,debug ee098b90 cdd12f24 e1f661df 5d9b4d13
14:17:52 ipsec,debug save IV for next:
14:17:52 ipsec,debug c15637b4 e82ba1f8 8b552b6e c568f2a6
14:17:52 ipsec,debug encrypted.
14:17:52 ipsec,debug 76 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:17:52 ipsec,debug 1 times of 76 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:17:52 ipsec,debug sendto Information delete.
14:17:52 ipsec purged IPsec-SA proto_id=ESP spi=0xc982b561
14:17:52 ipsec purged IPsec-SA proto_id=ESP spi=0x3957e8f
14:17:52 ipsec,debug an undead schedule has been deleted.
14:17:52 ipsec,debug compute IV for phase2
14:17:52 ipsec,debug phase1 last IV:
14:17:52 ipsec,debug 2b435a77 2c14c4fa 23735c64 93bc12fd d47859a1
14:17:52 ipsec,debug hash(sha1)
14:17:52 ipsec,debug encryption(aes)
14:17:52 ipsec,debug phase2 IV computed:
14:17:52 ipsec,debug 6732d459 d9369dc6 a645bc9b 0ad0a54c
14:17:52 ipsec,debug HASH with:
14:17:52 ipsec,debug d47859a1 0000001c 00000001 01100001 0020d3b0 bf03db25 d51c1edd 23e173f8
14:17:52 ipsec,debug hmac(hmac_sha1)
14:17:52 ipsec,debug HASH computed:
14:17:52 ipsec,debug 9328386d 214da85f 043bb6de 710a1872 7498de8d
14:17:52 ipsec,debug begin encryption.
14:17:52 ipsec,debug encryption(aes)
14:17:52 ipsec,debug pad length = 12
14:17:52 ipsec,debug 0c000018 9328386d 214da85f 043bb6de 710a1872 7498de8d 0000001c 00000001
14:17:52 ipsec,debug 01100001 0020d3b0 bf03db25 d51c1edd 23e173f8 f8cefcd8 bdf6eec4 fcbf830b
14:17:52 ipsec,debug encryption(aes)
14:17:52 ipsec,debug with key:
14:17:52 ipsec,debug d9027c9e 0befdaec cb1a6bf6 32997fb6 dfd87bdb bd9e77e6 9eeec993 db180821
14:17:52 ipsec,debug encrypted payload by IV:
14:17:52 ipsec,debug 6732d459 d9369dc6 a645bc9b 0ad0a54c
14:17:52 ipsec,debug save IV for next:
14:17:52 ipsec,debug 2995bee7 6b127186 43c2c8de db72ffbd
14:17:52 ipsec,debug encrypted.
14:17:52 ipsec,debug 92 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:17:52 ipsec,debug 1 times of 92 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:17:52 ipsec,debug sendto Information delete.
14:17:52 ipsec,info ISAKMP-SA deleted 10.255.255.1[500]-XXX.XXX.XXX.XXX[500] spi:0020d3b0bf03db25:d51c1edd23e173f8 rekey:1
14:17:52 ipsec,debug an undead schedule has been deleted.
14:17:52 system,info ipsec peer peer2 changed by admin
14:17:54 ipsec,debug ===== received 116 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:17:54 ipsec,debug ===
14:17:54 ipsec,info respond new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:17:54 ipsec,debug begin.
14:17:54 ipsec,debug seen nptype=1(sa) len=68
14:17:54 ipsec,debug seen nptype=13(vid) len=20
14:17:54 ipsec,debug succeed.
14:17:54 ipsec received Vendor ID: DPD
14:17:54 ipsec,debug remote supports DPD
14:17:54 ipsec,debug total SA len=64
14:17:54 ipsec,debug 00000001 00000001 00000038 01010801 e317f8b1 857bff4c 00000028 00010000
14:17:54 ipsec,debug 80010007 800e0100 80020002 80040005 800b0001 000c0004 00015180 80030001
14:17:54 ipsec,debug begin.
14:17:54 ipsec,debug seen nptype=2(prop) len=56
14:17:54 ipsec,debug succeed.
14:17:54 ipsec,debug proposal #1 len=56
14:17:54 ipsec SPI size isn’t zero, but IKE proposal.
14:17:54 ipsec,debug begin.
14:17:54 ipsec,debug seen nptype=3(trns) len=40
14:17:54 ipsec,debug succeed.
14:17:54 ipsec,debug transform #0 len=40
14:17:54 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:17:54 ipsec,debug encryption(aes)
14:17:54 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:17:54 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:17:54 ipsec,debug hash(sha1)
14:17:54 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:17:54 ipsec,debug dh(modp1536)
14:17:54 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:17:54 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:17:54 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:17:54 ipsec,debug pair 1:
14:17:54 ipsec,debug 0x80c1128: next=(nil) tnext=(nil)
14:17:54 ipsec,debug proposal #1: 1 transform
14:17:54 ipsec,debug -checking with pre-shared key auth-
14:17:54 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=8, #trns=1
14:17:54 ipsec,debug trns#=0, trns-id=IKE
14:17:54 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:17:54 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:17:54 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:17:54 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:17:54 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:17:54 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:17:54 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:17:54 ipsec,debug -compare proposal #1: Local:Peer
14:17:54 ipsec,debug (lifetime = 86400:86400)
14:17:54 ipsec,debug (lifebyte = 0:0)
14:17:54 ipsec,debug enctype = AES-CBC:AES-CBC
14:17:54 ipsec,debug (encklen = 256:256)
14:17:54 ipsec,debug hashtype = SHA:SHA
14:17:54 ipsec,debug authmethod = pre-shared key:pre-shared key
14:17:54 ipsec,debug dh_group = 1536-bit MODP group:1536-bit MODP group
14:17:54 ipsec,error no identity suits proposal
14:17:54 ipsec,error XXX.XXX.XXX.XXX failed to get valid proposal.
14:17:54 ipsec,error XXX.XXX.XXX.XXX failed to pre-process ph1 packet (side: 1, status 1).
14:17:54 ipsec,error XXX.XXX.XXX.XXX phase1 negotiation failed.
14:17:54 ipsec acquire for 10.255.255.1 <=> XXX.XXX.XXX.XXX
14:17:54 ipsec suitable policy found: 10.1.0.0/16 <=> 10.160.0.0/16
14:17:54 ipsec no peer config for XXX.XXX.XXX.XXX
14:17:54 ipsec no peer config found
14:17:59 ipsec,debug ===== received 116 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:17:59 ipsec,debug ===
14:17:59 ipsec,info respond new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:17:59 ipsec,debug begin.
14:17:59 ipsec,debug seen nptype=1(sa) len=68
14:17:59 ipsec,debug seen nptype=13(vid) len=20
14:17:59 ipsec,debug succeed.
14:17:59 ipsec received Vendor ID: DPD
14:17:59 ipsec,debug remote supports DPD
14:17:59 ipsec,debug total SA len=64
14:17:59 ipsec,debug 00000001 00000001 00000038 01010801 e317f8b1 857bff4c 00000028 00010000
14:17:59 ipsec,debug 80010007 800e0100 80020002 80040005 800b0001 000c0004 00015180 80030001
14:17:59 ipsec,debug begin.
14:17:59 ipsec,debug seen nptype=2(prop) len=56
14:17:59 ipsec,debug succeed.
14:17:59 ipsec,debug proposal #1 len=56
14:17:59 ipsec SPI size isn’t zero, but IKE proposal.
14:17:59 ipsec,debug begin.
14:17:59 ipsec,debug seen nptype=3(trns) len=40
14:17:59 ipsec,debug succeed.
14:17:59 ipsec,debug transform #0 len=40
14:17:59 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:17:59 ipsec,debug encryption(aes)
14:17:59 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:17:59 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:17:59 ipsec,debug hash(sha1)
14:17:59 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:17:59 ipsec,debug dh(modp1536)
14:17:59 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:17:59 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:17:59 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:17:59 ipsec,debug pair 1:
14:17:59 ipsec,debug 0x8101298: next=(nil) tnext=(nil)
14:17:59 ipsec,debug proposal #1: 1 transform
14:17:59 ipsec,debug -checking with pre-shared key auth-
14:17:59 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=8, #trns=1
14:17:59 ipsec,debug trns#=0, trns-id=IKE
14:17:59 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:17:59 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:17:59 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:17:59 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:17:59 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:17:59 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:17:59 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:17:59 ipsec,debug -compare proposal #1: Local:Peer
14:17:59 ipsec,debug (lifetime = 86400:86400)
14:17:59 ipsec,debug (lifebyte = 0:0)
14:17:59 ipsec,debug enctype = AES-CBC:AES-CBC
14:17:59 ipsec,debug (encklen = 256:256)
14:17:59 ipsec,debug hashtype = SHA:SHA
14:17:59 ipsec,debug authmethod = pre-shared key:pre-shared key
14:17:59 ipsec,debug dh_group = 1536-bit MODP group:1536-bit MODP group
14:17:59 ipsec,error no identity suits proposal
14:17:59 ipsec,error XXX.XXX.XXX.XXX failed to get valid proposal.
14:17:59 ipsec,error XXX.XXX.XXX.XXX failed to pre-process ph1 packet (side: 1, status 1).
14:17:59 ipsec,error XXX.XXX.XXX.XXX phase1 negotiation failed.
14:18:01 system,info ipsec peer peer2 changed by admin
14:18:01 ipsec,debug ===
14:18:01 ipsec,info initiate new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug new cookie:
14:18:01 ipsec,debug 3dadeca0fe173faa\01
14:18:01 ipsec,debug add payload of len 56, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 13
14:18:01 ipsec,debug add payload of len 16, next type 0
14:18:01 ipsec,debug 348 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug 1 times of 348 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec sent phase1 packet 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500] 3dadeca0fe173faa:0000000000000000
14:18:01 ipsec,debug ===== received 108 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=1(sa) len=60
14:18:01 ipsec,debug seen nptype=13(vid) len=20
14:18:01 ipsec,debug succeed.
14:18:01 ipsec received Vendor ID: DPD
14:18:01 ipsec,debug remote supports DPD
14:18:01 ipsec,debug total SA len=56
14:18:01 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
14:18:01 ipsec,debug 00015180 80010007 800e0100 80030001 80020002 80040005
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=2(prop) len=48
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug proposal #1 len=48
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=3(trns) len=40
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug transform #1 len=40
14:18:01 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:18:01 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:18:01 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:01 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:18:01 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:18:01 ipsec,debug hash(sha1)
14:18:01 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug pair 1:
14:18:01 ipsec,debug 0x80fda48: next=(nil) tnext=(nil)
14:18:01 ipsec,debug proposal #1: 1 transform
14:18:01 ipsec,debug -checking with pre-shared key auth-
14:18:01 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
14:18:01 ipsec,debug trns#=1, trns-id=IKE
14:18:01 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:18:01 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:18:01 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:18:01 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:01 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:18:01 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:18:01 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:18:01 ipsec,debug -compare proposal #1: Local:Peer
14:18:01 ipsec,debug (lifetime = 86400:86400)
14:18:01 ipsec,debug (lifebyte = 0:0)
14:18:01 ipsec,debug enctype = AES-CBC:AES-CBC
14:18:01 ipsec,debug (encklen = 256:256)
14:18:01 ipsec,debug hashtype = SHA:SHA
14:18:01 ipsec,debug authmethod = pre-shared key:pre-shared key
14:18:01 ipsec,debug dh_group = 1536-bit MODP group:1536-bit MODP group
14:18:01 ipsec,debug -an acceptable proposal found-
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug -agreed on pre-shared key auth-
14:18:01 ipsec,debug ===
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug compute DH’s private.
14:18:01 ipsec,debug compute DH’s public.
14:18:01 ipsec,debug add payload of len 192, next type 10
14:18:01 ipsec,debug add payload of len 24, next type 0
14:18:01 ipsec,debug 252 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug 1 times of 252 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec sent phase1 packet 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500] 3dadeca0fe173faa:51723d21ecd0a63a
14:18:01 ipsec,debug ===== received 244 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=4(ke) len=196
14:18:01 ipsec,debug seen nptype=10(nonce) len=20
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug ===
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug compute DH’s shared.
14:18:01 ipsec,debug
14:18:01 ipsec,debug nonce 1:
14:18:01 ipsec,debug 98a1ad11 cdb454c9 61310efd 141f1b3d 9b21e575 94c84752
14:18:01 ipsec,debug nonce 2:
14:18:01 ipsec,debug f0128060 cbbb88eb 7bc9ab31 f6207370
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug SKEYID computed:
14:18:01 ipsec,debug 37dea46b 69bb9b28 60396c64 df802ba0 736bdbd2
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug SKEYID_d computed:
14:18:01 ipsec,debug e7a035a5 0a0af354 402f7f51 8bb0dc6b d86ffe6b
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug SKEYID_a computed:
14:18:01 ipsec,debug a60173bb fdcce0b1 158a14bc 0470fd79 3fcc241d
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug SKEYID_e computed:
14:18:01 ipsec,debug b869468d c78c3185 4c6d2489 d1fdec64 2b25d432
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug hash(sha1)
14:18:01 ipsec,debug len(SKEYID_e) < len(Ka) (20 < 32), generating long key (Ka = K1 | K2 | …)
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug compute intermediate encryption key K1
14:18:01 ipsec,debug 00
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug compute intermediate encryption key K2
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803
14:18:01 ipsec,debug db5580cc a39618ec 36d7f6ea 01ce9bba 317b4b88
14:18:01 ipsec,debug final encryption key computed:
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803 db5580cc a39618ec 36d7f6ea
14:18:01 ipsec,debug hash(sha1)
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug IV computed:
14:18:01 ipsec,debug f79fb966 ae53a6fb 24b099a1 54eaba0a
14:18:01 ipsec,debug use ID type of IPv4_address
14:18:01 ipsec,debug HASH with:
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug HASH computed:
14:18:01 ipsec,debug a34d63fb c5893e86 9b128b12 02416aa7 03708474
14:18:01 ipsec,debug add payload of len 8, next type 8
14:18:01 ipsec,debug add payload of len 20, next type 0
14:18:01 ipsec,debug begin encryption.
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug pad length = 12
14:18:01 ipsec,debug 0800000c 011101f4 2ffe9bda 00000018 a34d63fb c5893e86 9b128b12 02416aa7
14:18:01 ipsec,debug 03708474 a9babcf5 b8d397d7 fde3e30b
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug with key:
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803 db5580cc a39618ec 36d7f6ea
14:18:01 ipsec,debug encrypted payload by IV:
14:18:01 ipsec,debug f79fb966 ae53a6fb 24b099a1 54eaba0a
14:18:01 ipsec,debug save IV for next:
14:18:01 ipsec,debug f9e27a33 f69d0de0 f97d96f0 baad9bb4
14:18:01 ipsec,debug encrypted.
14:18:01 ipsec,debug 76 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug 1 times of 76 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec sent phase1 packet 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500] 3dadeca0fe173faa:51723d21ecd0a63a
14:18:01 ipsec,debug ===== received 76 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug IV was saved for next processing:
14:18:01 ipsec,debug 53b42d02 902cbfdb 440000b3 ace0cb25
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug with key:
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803 db5580cc a39618ec 36d7f6ea
14:18:01 ipsec,debug decrypted payload by IV:
14:18:01 ipsec,debug f9e27a33 f69d0de0 f97d96f0 baad9bb4
14:18:01 ipsec,debug decrypted payload, but not trimed.
14:18:01 ipsec,debug 0800000c 01000000 55cd1e8f 00000018 cdd20265 abce1af3 8529ee5c b60bb6bb
14:18:01 ipsec,debug 52c5f27d 00000000 00000000 00000000
14:18:01 ipsec,debug padding len=1
14:18:01 ipsec,debug skip to trim padding.
14:18:01 ipsec,debug decrypted.
14:18:01 ipsec,debug 3dadeca0 fe173faa 51723d21 ecd0a63a 05100201 00000000 0000004c 0800000c
14:18:01 ipsec,debug 01000000 55cd1e8f 00000018 cdd20265 abce1af3 8529ee5c b60bb6bb 52c5f27d
14:18:01 ipsec,debug 00000000 00000000 00000000
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=5(id) len=12
14:18:01 ipsec,debug seen nptype=8(hash) len=24
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug HASH received:
14:18:01 ipsec,debug cdd20265 abce1af3 8529ee5c b60bb6bb 52c5f27d
14:18:01 ipsec,debug HASH with:
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug HASH computed:
14:18:01 ipsec,debug cdd20265 abce1af3 8529ee5c b60bb6bb 52c5f27d
14:18:01 ipsec,debug HASH for PSK validated.
14:18:01 ipsec,debug XXX.XXX.XXX.XXX peer’s ID:
14:18:01 ipsec,debug 01000000 55cd1e8f
14:18:01 ipsec,debug ===
14:18:01 ipsec ph2 possible after ph1 creation
14:18:01 ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
14:18:01 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
14:18:01 ipsec,debug begin QUICK mode.
14:18:01 ipsec,debug ===
14:18:01 ipsec,debug begin QUICK mode.
14:18:01 ipsec initiate new phase 2 negotiation: 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug compute IV for phase2
14:18:01 ipsec,debug phase1 last IV:
14:18:01 ipsec,debug 53b42d02 902cbfdb 440000b3 ace0cb25 c72d5815
14:18:01 ipsec,debug hash(sha1)
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug phase2 IV computed:
14:18:01 ipsec,debug 4efe92fd ac3ecd2b cea2c0ca 959f1f2f
14:18:01 ipsec,debug call pfkey_send_getspi c63
14:18:01 ipsec,debug pfkey GETSPI sent: ESP/Tunnel XXX.XXX.XXX.XXX[500]->10.255.255.1[500]
14:18:01 ipsec,debug pfkey getspi sent.
14:18:01 ipsec,info ISAKMP-SA established 10.255.255.1[500]-XXX.XXX.XXX.XXX[500] spi:3dadeca0fe173faa:51723d21ecd0a63a
14:18:01 ipsec,debug ===
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug compute DH’s private.
14:18:01 ipsec,debug compute DH’s public.
14:18:01 ipsec,debug use local ID type IPv4_subnet
14:18:01 ipsec,debug use remote ID type IPv4_subnet
14:18:01 ipsec,debug IDci:
14:18:01 ipsec,debug 04000000 0a010000 ffff0000
14:18:01 ipsec,debug IDcr:
14:18:01 ipsec,debug 04000000 0aa00000 ffff0000
14:18:01 ipsec,debug add payload of len 52, next type 10
14:18:01 ipsec,debug add payload of len 24, next type 4
14:18:01 ipsec,debug add payload of len 192, next type 5
14:18:01 ipsec,debug add payload of len 12, next type 5
14:18:01 ipsec,debug add payload of len 12, next type 0
14:18:01 ipsec,debug HASH with:
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug HASH computed:
14:18:01 ipsec,debug 1ac7bf3c 51407789 b6c3618a 2b572c10 8cfa21e6
14:18:01 ipsec,debug add payload of len 20, next type 1
14:18:01 ipsec,debug begin encryption.
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug pad length = 16
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug with key:
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803 db5580cc a39618ec 36d7f6ea
14:18:01 ipsec,debug encrypted payload by IV:
14:18:01 ipsec,debug 4efe92fd ac3ecd2b cea2c0ca 959f1f2f
14:18:01 ipsec,debug save IV for next:
14:18:01 ipsec,debug e532d8e8 db1ced4e 60614b7d 92481eb5
14:18:01 ipsec,debug encrypted.
14:18:01 ipsec,debug 380 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug 1 times of 380 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec sent phase2 packet 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500] 3dadeca0fe173faa:51723d21ecd0a63a:0000c72d
14:18:01 ipsec,debug ===== received 364 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug IV was saved for next processing:
14:18:01 ipsec,debug 31f863ca 8d5ff75d 9e493b3e 2ba73916
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug with key:
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803 db5580cc a39618ec 36d7f6ea
14:18:01 ipsec,debug decrypted payload by IV:
14:18:01 ipsec,debug e532d8e8 db1ced4e 60614b7d 92481eb5
14:18:01 ipsec,debug decrypted payload, but not trimed.
14:18:01 ipsec,debug padding len=1
14:18:01 ipsec,debug skip to trim padding.
14:18:01 ipsec,debug decrypted.
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=8(hash) len=24
14:18:01 ipsec,debug seen nptype=1(sa) len=56
14:18:01 ipsec,debug seen nptype=10(nonce) len=20
14:18:01 ipsec,debug seen nptype=4(ke) len=196
14:18:01 ipsec,debug seen nptype=5(id) len=16
14:18:01 ipsec,debug seen nptype=5(id) len=16
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug IDci matches proposal.
14:18:01 ipsec,debug IDcr matches proposal.
14:18:01 ipsec,debug HASH allocated:hbuf->l=360 actual:tlen=328
14:18:01 ipsec,debug HASH(2) received:
14:18:01 ipsec,debug 3f8017b0 e8ca4cc3 daeaca7d c6fb325c a5b58e5e
14:18:01 ipsec,debug HASH with:
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug HASH computed:
14:18:01 ipsec,debug 3f8017b0 e8ca4cc3 daeaca7d c6fb325c a5b58e5e
14:18:01 ipsec,debug total SA len=52
14:18:01 ipsec,debug 00000001 00000001 0000002c 01030401 09e20933 00000020 010c0000 80010001
14:18:01 ipsec,debug 80020708 80040001 80060100 80050002 80030005
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=2(prop) len=44
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug proposal #1 len=44
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=3(trns) len=32
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug transform #1 len=32
14:18:01 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
14:18:01 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800
14:18:01 ipsec,debug life duration was in TLV.
14:18:01 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel
14:18:01 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:01 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
14:18:01 ipsec,debug type=Group Description, flag=0x8000, lorv=5
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug pair 1:
14:18:01 ipsec,debug 0x80f8908: next=(nil) tnext=(nil)
14:18:01 ipsec,debug proposal #1: 1 transform
14:18:01 ipsec,debug total SA len=52
14:18:01 ipsec,debug 00000001 00000001 0000002c 01030401 490b77f0 00000020 010c0000 80010001
14:18:01 ipsec,debug 80020708 80040001 80060100 80050002 80030005
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=2(prop) len=44
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug proposal #1 len=44
14:18:01 ipsec,debug begin.
14:18:01 ipsec,debug seen nptype=3(trns) len=32
14:18:01 ipsec,debug succeed.
14:18:01 ipsec,debug transform #1 len=32
14:18:01 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
14:18:01 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800
14:18:01 ipsec,debug life duration was in TLV.
14:18:01 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel
14:18:01 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:01 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
14:18:01 ipsec,debug type=Group Description, flag=0x8000, lorv=5
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug pair 1:
14:18:01 ipsec,debug 0x80f8410: next=(nil) tnext=(nil)
14:18:01 ipsec,debug proposal #1: 1 transform
14:18:01 ipsec,debug begin compare proposals.
14:18:01 ipsec,debug pair[1]: 0x80f8410
14:18:01 ipsec,debug 0x80f8410: next=(nil) tnext=(nil)
14:18:01 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC
14:18:01 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
14:18:01 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800
14:18:01 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel
14:18:01 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:01 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
14:18:01 ipsec,debug type=Group Description, flag=0x8000, lorv=5
14:18:01 ipsec,debug peer’s single bundle:
14:18:01 ipsec,debug (proto_id=ESP spisize=4 spi=490b77f0 spi_p=00000000 encmode=Tunnel reqid=0:0)
14:18:01 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
14:18:01 ipsec,debug my single bundle:
14:18:01 ipsec,debug (proto_id=ESP spisize=4 spi=09e20933 spi_p=00000000 encmode=Tunnel reqid=0:0)
14:18:01 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
14:18:01 ipsec,debug matched
14:18:01 ipsec,debug ===
14:18:01 ipsec,debug HASH(3) generate
14:18:01 ipsec,debug HASH with:
14:18:01 ipsec,debug 00c72d58 15a762ee 58d635ce 3bcfd95b 74c9258c 0e274a8b 997b6e8c 6a58499f
14:18:01 ipsec,debug d26dc937 a631b3c9 57c5b5f9 66
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug HASH computed:
14:18:01 ipsec,debug ed88563d f1664ec0 8a9efdd7 34802fbf cbbabf49
14:18:01 ipsec,debug add payload of len 20, next type 0
14:18:01 ipsec,debug begin encryption.
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug pad length = 8
14:18:01 ipsec,debug 00000018 ed88563d f1664ec0 8a9efdd7 34802fbf cbbabf49 86bd91c3 e797e707
14:18:01 ipsec,debug encryption(aes)
14:18:01 ipsec,debug with key:
14:18:01 ipsec,debug c87efe7b d3513ce9 2199603e 74e55622 70c0b803 db5580cc a39618ec 36d7f6ea
14:18:01 ipsec,debug encrypted payload by IV:
14:18:01 ipsec,debug 31f863ca 8d5ff75d 9e493b3e 2ba73916
14:18:01 ipsec,debug save IV for next:
14:18:01 ipsec,debug 28314c74 905ef5e2 c49d25ba f7fa771f
14:18:01 ipsec,debug encrypted.
14:18:01 ipsec,debug 60 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug 1 times of 60 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:01 ipsec,debug dh(modp1536)
14:18:01 ipsec,debug compute DH’s shared.
14:18:01 ipsec,debug KEYMAT compute with
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug encryption(aes-cbc)
14:18:01 ipsec,debug hmac(sha1)
14:18:01 ipsec,debug encklen=256 authklen=160
14:18:01 ipsec,debug generating 640 bits of key (dupkeymat=4)
14:18:01 ipsec,debug generating K1…K4 for KEYMAT.
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug 20fe9ea6 c0ead563 b36b96c0 4d2416b4 9fc856e7 f124d62a 8e62e9e1 84224a17
14:18:01 ipsec,debug 5d63978a 9c7c843e d9184543 d80431ba 7de912dc 18fcc436 8b85555b b2136972
14:18:01 ipsec,debug de6a334d c4aeac46 bef582c3 cf588a88
14:18:01 ipsec,debug KEYMAT compute with
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug encryption(aes-cbc)
14:18:01 ipsec,debug hmac(sha1)
14:18:01 ipsec,debug encklen=256 authklen=160
14:18:01 ipsec,debug generating 640 bits of key (dupkeymat=4)
14:18:01 ipsec,debug generating K1…K4 for KEYMAT.
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug hmac(hmac_sha1)
14:18:01 ipsec,debug 6aa296c8 676019d6 bf5cbe90 6c95ee65 6340f123 eb9ba531 570dca3c 8b0919e3
14:18:01 ipsec,debug b3050d87 9da3c482 1b2839c6 144060b1 58e5af24 d46de11b 47b31b72 0375cd7e
14:18:01 ipsec,debug 9b99dcca cc5bc6ca 787986fa 628c5a5b
14:18:01 ipsec,debug KEYMAT computed.
14:18:01 ipsec,debug call pk_sendupdate
14:18:01 ipsec,debug encryption(aes-cbc)
14:18:01 ipsec,debug hmac(sha1)
14:18:01 ipsec,debug call pfkey_send_update_nat
14:18:01 ipsec IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[500]->10.255.255.1[500] spi=0x9e20933
14:18:01 ipsec,debug pfkey update sent.
14:18:01 ipsec,debug encryption(aes-cbc)
14:18:01 ipsec,debug hmac(sha1)
14:18:01 ipsec,debug call pfkey_send_add_nat
14:18:01 ipsec IPsec-SA established: ESP/Tunnel 10.255.255.1[500]->XXX.XXX.XXX.XXX[500] spi=0x490b77f0
14:18:01 ipsec,debug pfkey add sent.
14:18:03 ipsec,debug ===== received 196 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:18:03 ipsec,debug ===
14:18:03 ipsec,info respond new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:18:03 ipsec,debug begin.
14:18:03 ipsec,debug seen nptype=1(sa) len=68
14:18:03 ipsec,debug seen nptype=13(vid) len=20
14:18:03 ipsec,debug seen nptype=13(vid) len=20
14:18:03 ipsec,debug seen nptype=13(vid) len=20
14:18:03 ipsec,debug seen nptype=13(vid) len=20
14:18:03 ipsec,debug seen nptype=13(vid) len=20
14:18:03 ipsec,debug succeed.
14:18:03 ipsec received Vendor ID: DPD
14:18:03 ipsec,debug remote supports DPD
14:18:03 ipsec received Vendor ID: RFC 3947
14:18:03 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
14:18:03 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
14:18:03 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:18:03 ipsec XXX.XXX.XXX.XXX Selected NAT-T version: RFC 3947
14:18:03 ipsec,debug total SA len=64
14:18:03 ipsec,debug 00000001 00000001 00000038 01010801 4ac6b43e 02996e01 00000028 00010000
14:18:03 ipsec,debug 80010007 800e0100 80020002 80040005 800b0001 000c0004 00015180 80030001
14:18:03 ipsec,debug begin.
14:18:03 ipsec,debug seen nptype=2(prop) len=56
14:18:03 ipsec,debug succeed.
14:18:03 ipsec,debug proposal #1 len=56
14:18:03 ipsec SPI size isn’t zero, but IKE proposal.
14:18:03 ipsec,debug begin.
14:18:03 ipsec,debug seen nptype=3(trns) len=40
14:18:03 ipsec,debug succeed.
14:18:03 ipsec,debug transform #0 len=40
14:18:03 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:18:03 ipsec,debug encryption(aes)
14:18:03 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:03 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:18:03 ipsec,debug hash(sha1)
14:18:03 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:18:03 ipsec,debug dh(modp1536)
14:18:03 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:18:03 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:18:03 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:18:03 ipsec,debug pair 1:
14:18:03 ipsec,debug 0x81003b8: next=(nil) tnext=(nil)
14:18:03 ipsec,debug proposal #1: 1 transform
14:18:03 ipsec,debug -checking with pre-shared key auth-
14:18:03 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=8, #trns=1
14:18:03 ipsec,debug trns#=0, trns-id=IKE
14:18:03 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
14:18:03 ipsec,debug type=Key Length, flag=0x8000, lorv=256
14:18:03 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
14:18:03 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
14:18:03 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
14:18:03 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
14:18:03 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
14:18:03 ipsec,debug -compare proposal #1: Local:Peer
14:18:03 ipsec,debug (lifetime = 86400:86400)
14:18:03 ipsec,debug (lifebyte = 0:0)
14:18:03 ipsec,debug enctype = AES-CBC:AES-CBC
14:18:03 ipsec,debug (encklen = 256:256)
14:18:03 ipsec,debug hashtype = SHA:SHA
14:18:03 ipsec,debug authmethod = pre-shared key:pre-shared key
14:18:03 ipsec,debug dh_group = 1536-bit MODP group:1536-bit MODP group
14:18:03 ipsec,debug -an acceptable proposal found-
14:18:03 ipsec,debug dh(modp1536)
14:18:03 ipsec,debug -agreed on pre-shared key auth-
14:18:03 ipsec,debug ===
14:18:03 ipsec,debug new cookie:
14:18:03 ipsec,debug 760e373210bd18be\01
14:18:03 ipsec,debug add payload of len 64, next type 13
14:18:03 ipsec,debug add payload of len 16, next type 13
14:18:03 ipsec,debug add payload of len 16, next type 0
14:18:03 ipsec,debug 136 bytes from 10.255.255.1[500] to XXX.XXX.XXX.XXX[500]
14:18:03 ipsec,debug 1 times of 136 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:03 ipsec sent phase1 packet 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500] 4ac6b43e02996e01:760e373210bd18be
14:18:03 ipsec,debug KA: 10.255.255.1[4500]->YYY.YYY.YYY.YYY[4500]
14:18:03 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.YYY.YYY[4500]
14:18:08 ipsec,debug ===== received 196 bytes from XXX.XXX.XXX.XXX[500] to 10.255.255.1[500]
14:18:08 ipsec,debug 1 times of 136 bytes message will be sent to XXX.XXX.XXX.XXX[500]
14:18:08 ipsec,info the packet is retransmitted by XXX.XXX.XXX.XXX[500].

Is this all from one peer? I see four parts (by starting time):

14:17:54 - incoming phase 1, fails with “no identity suits proposal”
14:17:59 - same as previous
14:18:01 - outgoing phase 1 & 2, succeeds
14:18:03 - incoming phase 1, authentication succeeds, router sends response, but peer resends the request, as if it didn’t get the response

An interesting difference between #1 and #4 is that the former has only DPD, while the latter has more vendor IDs. I’m no IPSec expert, so I don’t know if it’s possible that the same peer would sometimes send more or less of them, or if you have logs from two peers mixed together.

If I take only #4, then it’s the same as what I’m seeing, both peers seem to agree on proposal, but it’s like the remote one doesn’t receive the response. But since there’s no reason why it wouldn’t receive it (if it’s initiator, then the response must be allowed by its “accept established” in firewall), maybe it does receive it, but doesn’t like it for some reason?

I guess it could be the difference between the peer acting as an initiator and acting as a responder. As I wrote, I have sometimes seen that peers did not meet because of the NAT in between, causing the traffic in one direction not to meet the traffic in the other direction, and those “the packet is retransmitted” messages to occur.
But maybe in this case it is completely different…
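The breakdown by start time and the “the packet is retransmitted” symptom discussed in the two replies above can be automated. This is an added example, not part of any post in the thread. The sample log is constructed in the format shown here (peer address masked as in the original), and the `initiate new phase 1` wording, the `Exchange` class and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the log format shown in this thread. The
# "initiate new phase 1" line is an assumption modelled on the
# "respond new phase 1" line; the topics on the failure line are assumed too.
SAMPLE_LOG = """\
14:17:54 ipsec,info respond new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:17:54 ipsec received Vendor ID: DPD
14:17:54 ipsec,error no identity suits proposal
14:18:01 ipsec,info initiate new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:18:01 ipsec IPsec-SA established: ESP/Tunnel 10.255.255.1[500]->XXX.XXX.XXX.XXX[500] spi=0x490b77f0
14:18:03 ipsec,info respond new phase 1 (Identity Protection): 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500]
14:18:03 ipsec received Vendor ID: DPD
14:18:03 ipsec received Vendor ID: RFC 3947
14:18:03 ipsec sent phase1 packet 10.255.255.1[500]<=>XXX.XXX.XXX.XXX[500] 4ac6b43e02996e01:760e373210bd18be
14:18:08 ipsec,info the packet is retransmitted by XXX.XXX.XXX.XXX[500].
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (ipsec\S*) (.*)$")
START = re.compile(r"^(respond|initiate) new phase 1 \([^)]*\): (\S+)<=>(\S+)$")


@dataclass
class Exchange:
    start: str
    role: str  # "responder" = the peer initiated, "initiator" = this router did
    peer: str
    vendor_ids: list = field(default_factory=list)
    packets_sent: int = 0
    retransmits: int = 0
    outcome: str = "pending"


def parse(log_text):
    """Group log lines into exchanges, each opened by a 'new phase 1' line.

    Later lines are attributed to the most recent exchange, which is a
    heuristic: logs from several peers interleaved need splitting first.
    """
    exchanges, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped hex-dump remainder or blank line
        stamp, _topics, msg = m.groups()
        s = START.match(msg)
        if s:
            role = "responder" if s.group(1) == "respond" else "initiator"
            current = Exchange(stamp, role, s.group(3))
            exchanges.append(current)
        elif current is None:
            continue
        elif msg.startswith("received Vendor ID: "):
            current.vendor_ids.append(msg[len("received Vendor ID: "):])
        elif msg.startswith("sent phase1 packet"):
            current.packets_sent += 1
        elif "the packet is retransmitted by" in msg:
            current.retransmits += 1
        elif "no identity suits proposal" in msg:
            current.outcome = "failed"
        elif msg.startswith("IPsec-SA established"):
            current.outcome = "established"
    return exchanges


def stalled(exchanges):
    """Incoming exchanges that were answered but the peer kept retransmitting."""
    return [e for e in exchanges if e.role == "responder" and e.packets_sent
            and e.retransmits and e.outcome == "pending"]


if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(e.start, e.role, e.peer, e.vendor_ids, e.outcome, e.retransmits)
    print("stalled:", [e.start for e in stalled(parse(SAMPLE_LOG))])
```

Comparing `vendor_ids` between exchanges from the same address is a quick way to check whether two different devices are hidden behind one masked peer.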