IPSec established but no ping

dear techies, hi.
my goal is to have a GRE over IPsec scenario between these two: an ISR4331 as the hub and an RB951Ui-2HnD as the spoke. first i decided to have a simple direct physical connection between the two. the GRE tunnel between them went ok; i could ping and it never failed. the ipsec tunnel is also established. but the problem is that i lost connectivity after ipsec was established and the ping didn’t come back! i tried a couple of suggestions from the forum but with no success! here is the mikrotik config:

# may/28/2022 09:37:56 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
# model = 951Ui-2HnD
# serial number = B8570BE4F3C7
# RouterOS export of the spoke router: a GRE tunnel to 192.168.222.2 plus the
# IPsec peer, profile, proposal, identity and policy intended to protect it.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
# Keepalive is disabled (!keepalive), so the interface state alone does not
# show whether GRE packets are actually reaching the peer.
add !keepalive local-address=192.168.222.3 name=gre-tunnel1 remote-address=\
    192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] src-address-list=0
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.3 name=MYSET
/ip ipsec profile
# Phase 1 parameters: 3DES, MD5 and DH group modp1024 (group 2). They match the
# Cisco "crypto isakmp policy 10" posted further down, which is consistent with
# the ISAKMP-SA being established in the log. All three are legacy algorithms;
# once the tunnel works, both ends are better moved to AES, SHA-256 and a
# larger DH group.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
    md5 nat-traversal=no
/ip ipsec proposal
# Phase 2 parameters: integrity is MD5 here, while the Cisco transform-set
# posted further down uses esp-sha-hmac. The two ends must offer the same
# integrity algorithm for phase 2 to complete.
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d
/ip address
# 192.168.222.3 is the broadcast address of 192.168.222.0/30 (usable hosts are
# .1 and .2), as a later reply in the thread also points out.
add address=192.168.222.3/30 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip firewall address-list
add address=0.0.0.0/0 disabled=yes list=0
/ip firewall filter
# Both rules below are disabled, so this export contains no active filter rule:
# nothing restricts traffic to the router itself or through it.
add action=accept chain=input disabled=yes dst-address=192.168.222.3 \
    src-address=192.168.222.2
add action=accept chain=output disabled=yes dst-address=192.168.222.2 \
    src-address=192.168.222.3
/ip firewall nat
# No out-interface or ipsec-policy matcher: every packet leaving any interface
# is source-NATed, including LAN traffic sent into gre-tunnel1. srcnat is
# applied before IPsec policy matching, so a rewritten source address can stop
# a packet from matching the intended policy.
add action=masquerade chain=srcnat
/ip ipsec identity
# The pre-shared key is exported in cleartext and is short; the same value is
# visible in the Cisco config below. Replace it with a placeholder before
# sharing an export, and treat a key that has been posted as disclosed.
# NOTE(review): mode-config=request-only is normally a road-warrior client
# setting; it is probably not needed for a static site-to-site peer - confirm.
add mode-config=request-only peer=MYSET secret=1234@qwer
/ip ipsec policy
# "set 0" disables the first policy entry (0.0.0.0/0 to 0.0.0.0/0).
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# NOTE(review): this policy selects protocol=gre but also sets src-port and
# dst-port to 500. GRE has no ports and 500 is the IKE UDP port, so the port
# selectors look unintended - confirm.
add dst-address=192.168.222.2/32 dst-port=500 protocol=gre sa-dst-address=\
    192.168.222.2 sa-src-address=192.168.222.3 src-address=192.168.222.3/32 \
    src-port=500 tunnel=yes
/ip route
# Default route via 192.168.222.1, which is neither of the two routers shown
# in the post (the Cisco is 192.168.222.2).
add distance=1 gateway=192.168.222.1
/system clock
set time-zone-name=Asia/Tehran
/system clock manual
set dst-delta=+03:30 time-zone=+03:30

and here is my cisco config:

!
! IKEv1 phase 1 policy: 3DES, MD5, pre-shared key, DH group 2. This matches the
! MikroTik profile above (3des / md5 / modp1024). All three algorithms are
! legacy choices; move both ends to AES, SHA-256 and a larger DH group once the
! tunnel works.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!

!
! Pre-shared key for peer 192.168.222.3, stored and posted in cleartext; it is
! the same value as the MikroTik identity secret. Treat a key that has been
! posted as disclosed.
crypto isakmp key 1234@qwer address 192.168.222.3
!


!
! Phase 2 transform: ESP with 3DES and HMAC-SHA. The MikroTik default proposal
! above uses auth-algorithms=md5, so the integrity algorithms differ.
! NOTE(review): the transform-set is defined as "myset" but the crypto map
! below references "MYSET" - confirm both names resolve to the same set.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode tunnel
! 

!
! Crypto map entry for peer 192.168.222.3 with PFS group 2; the traffic to
! protect is selected by ACL GREIPSEC. The excerpt does not show which
! interface the crypto map is applied to.
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.222.3
 set transform-set MYSET
 set pfs group2
 match address GREIPSEC
!

!
! GRE tunnel towards the MikroTik (192.168.222.3).
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1.2
 tunnel destination 192.168.222.3
!

!
! Traffic selectors for the crypto map. The first entry covers all IP traffic
! within 192.168.222.0/24, not only GRE; the %IPSEC-3-RECVD_PKT_NOT_IPSEC
! messages in the Cisco log (prot= 1, i.e. ICMP) report cleartext packets from
! 192.168.222.3 arriving unencrypted.
! NOTE(review): the GRE entry lists the MikroTik (.3) as source and this router
! (.2) as destination; a crypto ACL is normally written from the local side
! outwards, so the entry looks reversed - confirm.
ip access-list extended GREIPSEC
 permit ip 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
 permit gre host 192.168.222.3 host 192.168.222.2
!

hints:
i see some errors in mikrotik and cisco logs which i think is key to my problem but i can’t figure it out. here the log files:
mikrotik logs:

# may/28/2022  9: 1:14 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
08:10:31 system,error,critical router was rebooted without proper shutdown 
08:10:37 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:10:37 ipsec,error phase1 negotiation failed due to send error. 192.168.222.3[500]<=>192.168.222.2[500] ed6c73386871c010:0000000000000000 
08:10:40 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:10:40 ipsec,error phase1 negotiation failed due to send error. 192.168.222.3[500]<=>192.168.222.2[500] 709e266823f644a4:0000000000000000 
08:10:40 interface,info ether1_toCisco link up (speed 100M, full duplex) 
08:10:40 interface,info ether4_toLaptop link up (speed 100M, full duplex) 
08:10:41 interface,info gre-tunnel1 link up 
08:10:42 system,info,account user admin logged in from 20:89:84:2E:FD:D8 via winbox 
08:10:45 system,info,account user admin logged in via local 
08:10:50 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:10:50 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:4e12103f105cc117:300e7acb589299c4 
08:11:15 system,info,account user admin logged in via local 
08:18:25 system,info,account user admin logged out via local 
08:35:15 system,info nat rule changed by admin 
08:43:20 system,info ipsec policy changed by admin 
08:44:52 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:44:52 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=4e12103f105cc117:300e7acb589299c4. 
08:44:52 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:4e12103f105cc117:300e7acb589299c4 rekey:1 
08:44:53 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:44:53 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:cd4c63688f52b9f2:300e7acb5dbb27f4 
08:45:22 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:45:22 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=cd4c63688f52b9f2:300e7acb5dbb27f4. 
08:45:22 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:cd4c63688f52b9f2:300e7acb5dbb27f4 rekey:1 
08:45:23 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:45:23 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:c56d6d2efdf9be5a:300e7acb38d772c1 
08:47:05 system,info,account user admin logged out via local 
08:50:55 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:50:55 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=c56d6d2efdf9be5a:300e7acb38d772c1. 
08:50:55 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:c56d6d2efdf9be5a:300e7acb38d772c1 rekey:1 
08:50:55 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:50:55 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:91ccaa08d3df319f:300e7acb7d48d3e3 
08:51:25 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:51:25 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=91ccaa08d3df319f:300e7acb7d48d3e3. 
08:51:25 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:91ccaa08d3df319f:300e7acb7d48d3e3 rekey:1 
08:51:25 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:51:25 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:a61437570093ed56:300e7acb7734e634 
09:01:01 system,info,account user admin logged in via local

cisco logs:

RM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00000616818854580331 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.168.222.2, src_addr= 192.168.222.3, prot= 1
*May 30 08:26:44.169: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00000616878950376727 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.168.222.2, src_addr= 192.168.222.3, prot= 1
*May 30 08:27:28.304: ISAKMP (13634): received packet from 192.168.222.3 dport 500 sport 500 Global (R) QM_IDLE
*May 30 08:27:28.304: ISAKMP:(13634):DPD/R_U_THERE received from peer 192.168.222.3, sequence 0x592
*May 30 08:27:28.305: ISAKMP:(13634): sending packet to 192.168.222.3 my_port 500 peer_port 500 (R) QM_IDLE
*May 30 08:27:44.781: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00000616939562219425 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.168.222.2, src_addr= 192.168.222.3, prot= 1

===================================================================================================
guys please help me this is a given project that means a life to me!

knoc knoc! any body in this town?? somebody’s in danger here!

At first look I do not see a rule for snat exception and there are no routing rules for the LANs in routerboard!

To understand what exactly the Mikrotik doesn’t like about the Phase 2 offer from the Cisco, you have to activate a more detailed logging:

/system logging add topics=ipsec,!packet

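Once you do that, disable the peer or identity, run /log print follow-only file=ipsec-start where topics~"ipsec", re-enable the peer or identity, wait 10 seconds and stop the /log print …, download file ipsec-start.txt and read it. Keep in mind that at this logging level the file contains key material (the DH private values, SKEYID and the computed encryption keys are all printed), so treat it as sensitive.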

A clear mistake I can see in the exported configuration is the local address 192.168.222.3/30 on the Mikrotik - it is a broadcast address. In a /30 network, .1 and .2 are host addresses, .3 is a broadcast one. But apparently neither the Cisco nor the Mikrotik care, i.e. it is not the cause of the Phase 2 failure.

thank you JohnTRIVOLTA. yes you are right but do i need them in this scenario? the two routers are connected directly using IPs in the same subnet. i’m not sure how routing rules would help while these two are in fact adjacent to each other. or am i wrong?

dear sindy, thanks. i will do this as soon as possible and will post the results.

dear sindy, hi.
here is the output to the ipsec-start.txt file:

# may/28/2022 11: 8:49 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
11:09:18 ipsec,debug === 
11:09:18 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
11:09:18 ipsec,debug new cookie: 
11:09:18 ipsec,debug 5968d1f7b726f016 
11:09:18 ipsec,debug add payload of len 52, next type 13 
11:09:18 ipsec,debug add payload of len 16, next type 13 
11:09:18 ipsec,debug add payload of len 16, next type 0 
11:09:18 ipsec,debug 124 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:18 ipsec,debug 1 times of 124 bytes message will be sent to 192.168.222.2[500] 
11:09:18 ipsec sent phase1 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:0000000000000000 
11:09:18 ipsec,debug ===== received 84 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=1(sa) len=56 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug total SA len=52 
11:09:18 ipsec,debug 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020001 
11:09:18 ipsec,debug 80040002 80030001 800b0001 000c0004 00015180 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=2(prop) len=44 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug proposal #1 len=44 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=3(trns) len=36 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug transform #1 len=36 
11:09:18 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
11:09:18 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
11:09:18 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
11:09:18 ipsec,debug pair 1: 
11:09:18 ipsec,debug  0x497798: next=(nil) tnext=(nil) 
11:09:18 ipsec,debug proposal #1: 1 transform 
11:09:18 ipsec,debug -checking with pre-shared key auth- 
11:09:18 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
11:09:18 ipsec,debug trns#=1, trns-id=IKE 
11:09:18 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
11:09:18 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
11:09:18 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
11:09:18 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
11:09:18 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
11:09:18 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
11:09:18 ipsec,debug -compare proposal #1: Local:Peer 
11:09:18 ipsec,debug (lifetime = 86400:86400) 
11:09:18 ipsec,debug (lifebyte = 0:0) 
11:09:18 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
11:09:18 ipsec,debug (encklen = 0:0) 
11:09:18 ipsec,debug hashtype = MD5:MD5 
11:09:18 ipsec,debug authmethod = pre-shared key:pre-shared key 
11:09:18 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
11:09:18 ipsec,debug -an acceptable proposal found- 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug -agreed on pre-shared key auth- 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug compute DH's private. 
11:09:18 ipsec,debug 7ef4912d d8630b7a 98213303 7e84060d 19e25a8c 15b572b8 895bdeaf 77fbc647 
11:09:18 ipsec,debug 61261bed 52903819 3034d2cf 9d64470d 1a7a4eb5 fc0b1367 55b7dde5 d01b8582 
11:09:18 ipsec,debug 802a843c 6ccd14e5 df544735 1fb81568 d231f55d a9d7b3d0 f9494fb1 af529f43 
11:09:18 ipsec,debug ce6c1628 56530940 7372992a a6e729cc 30b5adb1 13b0dcc7 f813e56f 353aa338 
11:09:18 ipsec,debug compute DH's public. 
11:09:18 ipsec,debug e988acde d306f989 4ecaae35 c18c100a ecce6202 5a0d4e80 36b7c280 b69ebf7a 
11:09:18 ipsec,debug 15e17ed9 34c344e7 18e8e63d 043b853e 47fd4e5a 95efe861 f8cf75dd 50d3c756 
11:09:18 ipsec,debug 8ee26714 abbd6283 0d2558d6 e087b5c5 3daad5cc d54e7487 d3226052 2d9acfb2 
11:09:18 ipsec,debug 7d7b70fc 3f318fa3 dd4b52fe 64af5641 f1f6b79a a0d4040a 8d6d21bf 05cff167 
11:09:18 ipsec,debug add payload of len 128, next type 10 
11:09:18 ipsec,debug add payload of len 24, next type 0 
11:09:18 ipsec,debug 188 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:18 ipsec,debug 1 times of 188 bytes message will be sent to 192.168.222.2[500] 
11:09:18 ipsec sent phase1 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb 
11:09:18 ipsec,debug ===== received 256 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=4(ke) len=132 
11:09:18 ipsec,debug seen nptype=10(nonce) len=24 
11:09:18 ipsec,debug seen nptype=13(vid) len=20 
11:09:18 ipsec,debug seen nptype=13(vid) len=20 
11:09:18 ipsec,debug seen nptype=13(vid) len=20 
11:09:18 ipsec,debug seen nptype=13(vid) len=12 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec received Vendor ID: CISCO-UNITY 
11:09:18 ipsec received Vendor ID: DPD 
11:09:18 ipsec,debug remote supports DPD 
11:09:18 ipsec,debug received unknown Vendor ID 
11:09:18 ipsec,debug c5c9ddd6 a22b38fb 6860cd6d 7e94dc65 
11:09:18 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug compute DH's shared. 
11:09:18 ipsec,debug 
11:09:18 ipsec,debug 3ff2376c d39da761 a018a082 97ad0fa7 04c469e2 285bfa93 560a2bb5 70b7151b 
11:09:18 ipsec,debug bf5bf3a5 a9728f86 00b2b890 2a24a466 833ae09b 51b2c655 f3ec6ee2 23cb255e 
11:09:18 ipsec,debug d2144e62 4eb2dede 3ed5f104 e968a272 2ab5e178 d9942ca2 0baa0d2a 3f73f536 
11:09:18 ipsec,debug 9f39626d 40884e02 0ceed870 b34e0758 fece2ec7 c3a3539f ab525228 cddbffad 
11:09:18 ipsec,debug nonce 1:  
11:09:18 ipsec,debug f87d3648 a3d22df2 4735d6af 89f709dc 23c709d6 9c40404d 
11:09:18 ipsec,debug nonce 2:  
11:09:18 ipsec,debug 46a5053a 70e02b12 784d8c69 0cb06495 bace2099 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID computed: 
11:09:18 ipsec,debug f8a8425b efc2d3a0 9bd0d9fa 3a3ce87c 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID_d computed: 
11:09:18 ipsec,debug 5e171706 eec3b3c0 f8283445 1890ab09 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID_a computed: 
11:09:18 ipsec,debug a9717edf 3f9c173c 4b33a116 d2a7e0cd 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID_e computed: 
11:09:18 ipsec,debug cac0c1c1 785ed85e b90707ef ef3cb480 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug len(SKEYID_e) < len(Ka) (16 < 24), generating long key (Ka = K1 | K2 | ...) 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug compute intermediate encryption key K1 
11:09:18 ipsec,debug 00 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug compute intermediate encryption key K2 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 
11:09:18 ipsec,debug c5e919c1 86ba1879 b89c2c0e ca513f89 
11:09:18 ipsec,debug final encryption key computed: 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug IV computed: 
11:09:18 ipsec,debug 2351072a 33ec5143 
11:09:18 ipsec,debug use ID type of IPv4_address 
11:09:18 ipsec,debug HASH with: 
11:09:18 ipsec,debug e988acde d306f989 4ecaae35 c18c100a ecce6202 5a0d4e80 36b7c280 b69ebf7a 
11:09:18 ipsec,debug 15e17ed9 34c344e7 18e8e63d 043b853e 47fd4e5a 95efe861 f8cf75dd 50d3c756 
11:09:18 ipsec,debug 8ee26714 abbd6283 0d2558d6 e087b5c5 3daad5cc d54e7487 d3226052 2d9acfb2 
11:09:18 ipsec,debug 7d7b70fc 3f318fa3 dd4b52fe 64af5641 f1f6b79a a0d4040a 8d6d21bf 05cff167 
11:09:18 ipsec,debug e93aada8 2112c47e e17ee091 9dc778ab 78bf3801 69fd1c37 dbcddfaf 85c4fd88 
11:09:18 ipsec,debug f236d234 8750132b b6a89e8c 07426a50 393de29c f74bd896 1e9491f9 e3ef9cbc 
11:09:18 ipsec,debug 227cc686 3d0a8080 483c2c61 6dd7f2e5 8123713b 468c9b36 621474df b4462280 
11:09:18 ipsec,debug 311f5144 8a5d4824 20de5c28 2f6e42c9 af198c41 9991e68a 0cb1c02f ead6d62d 
11:09:18 ipsec,debug 5968d1f7 b726f016 300e7acb a22a38fb 00000001 00000001 0000002c 01010001 
11:09:18 ipsec,debug 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020001 
11:09:18 ipsec,debug 80040002 011101f4 c0a8de03 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug HASH computed: 
11:09:18 ipsec,debug 2e99a6d6 af92d3c6 68515997 6aafee4d 
11:09:18 ipsec,debug add payload of len 8, next type 8 
11:09:18 ipsec,debug add payload of len 16, next type 0 
11:09:18 ipsec,debug begin encryption. 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug pad length = 8 
11:09:18 ipsec,debug 0800000c 011101f4 c0a8de03 00000014 2e99a6d6 af92d3c6 68515997 6aafee4d 
11:09:18 ipsec,debug 8ea38a9f cc757407 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug with key: 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:18 ipsec,debug encrypted payload by IV: 
11:09:18 ipsec,debug 2351072a 33ec5143 
11:09:18 ipsec,debug save IV for next: 
11:09:18 ipsec,debug 13d02418 39a93f59 
11:09:18 ipsec,debug encrypted. 
11:09:18 ipsec,debug 68 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:18 ipsec,debug 1 times of 68 bytes message will be sent to 192.168.222.2[500] 
11:09:18 ipsec sent phase1 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb 
11:09:18 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug IV was saved for next processing: 
11:09:18 ipsec,debug 1ccc9d5f b7c3a957 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug with key: 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:18 ipsec,debug decrypted payload by IV: 
11:09:18 ipsec,debug 13d02418 39a93f59 
11:09:18 ipsec,debug decrypted payload, but not trimed. 
11:09:18 ipsec,debug 0800000c 011101f4 c0a8de02 0b000014 16ae1ac6 0781cd33 703a3c01 8cbacca2 
11:09:18 ipsec,debug 00000028 00000001 01106000 5968d1f7 b726f016 300e7acb a22a38fb 800b0001 
11:09:18 ipsec,debug 000c0004 00015180 00000000 00000000 
11:09:18 ipsec,debug padding len=1 
11:09:18 ipsec,debug skip to trim padding. 
11:09:18 ipsec,debug decrypted. 
11:09:18 ipsec,debug 5968d1f7 b726f016 300e7acb a22a38fb 05100201 00000000 0000006c 0800000c 
11:09:18 ipsec,debug 011101f4 c0a8de02 0b000014 16ae1ac6 0781cd33 703a3c01 8cbacca2 00000028 
11:09:18 ipsec,debug 00000001 01106000 5968d1f7 b726f016 300e7acb a22a38fb 800b0001 000c0004 
11:09:18 ipsec,debug 00015180 00000000 00000000 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=5(id) len=12 
11:09:18 ipsec,debug seen nptype=8(hash) len=20 
11:09:18 ipsec,debug seen nptype=11(notify) len=40 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug 192.168.222.2 Notify Message received 
11:09:18 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
11:09:18 ipsec,debug HASH received: 
11:09:18 ipsec,debug 16ae1ac6 0781cd33 703a3c01 8cbacca2 
11:09:18 ipsec,debug HASH with: 
11:09:18 ipsec,debug e93aada8 2112c47e e17ee091 9dc778ab 78bf3801 69fd1c37 dbcddfaf 85c4fd88 
11:09:18 ipsec,debug f236d234 8750132b b6a89e8c 07426a50 393de29c f74bd896 1e9491f9 e3ef9cbc 
11:09:18 ipsec,debug 227cc686 3d0a8080 483c2c61 6dd7f2e5 8123713b 468c9b36 621474df b4462280 
11:09:18 ipsec,debug 311f5144 8a5d4824 20de5c28 2f6e42c9 af198c41 9991e68a 0cb1c02f ead6d62d 
11:09:18 ipsec,debug e988acde d306f989 4ecaae35 c18c100a ecce6202 5a0d4e80 36b7c280 b69ebf7a 
11:09:18 ipsec,debug 15e17ed9 34c344e7 18e8e63d 043b853e 47fd4e5a 95efe861 f8cf75dd 50d3c756 
11:09:18 ipsec,debug 8ee26714 abbd6283 0d2558d6 e087b5c5 3daad5cc d54e7487 d3226052 2d9acfb2 
11:09:18 ipsec,debug 7d7b70fc 3f318fa3 dd4b52fe 64af5641 f1f6b79a a0d4040a 8d6d21bf 05cff167 
11:09:18 ipsec,debug 300e7acb a22a38fb 5968d1f7 b726f016 00000001 00000001 0000002c 01010001 
11:09:18 ipsec,debug 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020001 
11:09:18 ipsec,debug 80040002 011101f4 c0a8de02 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug HASH computed: 
11:09:18 ipsec,debug 16ae1ac6 0781cd33 703a3c01 8cbacca2 
11:09:18 ipsec,debug HASH for PSK validated. 
11:09:18 ipsec,debug 192.168.222.2 peer's ID: 
11:09:18 ipsec,debug 011101f4 c0a8de02 
11:09:18 ipsec,debug === 
11:09:18 ipsec ph2 possible after ph1 creation 
11:09:18 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
11:09:18 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
11:09:18 ipsec,debug begin QUICK mode. 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug begin QUICK mode. 
11:09:18 ipsec initiate new phase 2 negotiation: 192.168.222.3[500]<=>192.168.222.2[500] 
11:09:18 ipsec,debug compute IV for phase2 
11:09:18 ipsec,debug phase1 last IV: 
11:09:18 ipsec,debug 1ccc9d5f b7c3a957 98c5c145 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug phase2 IV computed: 
11:09:18 ipsec,debug 748bf612 f81d4c7c 
11:09:18 ipsec,debug call pfkey_send_getspi 5 
11:09:18 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.3[500]  
11:09:18 ipsec,debug pfkey getspi sent. 
11:09:18 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:5968d1f7b726f016:300e7acba22a38fb 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug dh(modp1024) 
11:09:19 ipsec,debug compute DH's private. 
11:09:19 ipsec,debug 4031f515 b8ce70cf 3a668bf2 7859dcff 5611ea74 05a95cd2 128a39c5 e7b3d8e5 
11:09:19 ipsec,debug 4467a02d a291bf5c d08d13f6 10972181 f496b1ac 46473ec2 a04be575 e43e4cf6 
11:09:19 ipsec,debug e84bebdd 9489d576 a2637843 38ec3763 bddff2c4 52c88502 a60ea5d3 59df3774 
11:09:19 ipsec,debug 1646e58b 5ec8173c f69f767c 88018eeb b7aadcc8 9db60371 d70e2780 24658572 
11:09:19 ipsec,debug compute DH's public. 
11:09:19 ipsec,debug 53da0eaf c2184fdd 8fb125ae c36ca04c 375ac7e9 5bc9ee86 aa0700ff c7a66a4e 
11:09:19 ipsec,debug 57152dfe be347f36 4b892748 823cc2a6 17dc95f2 c0f698d8 e900acc1 0beb7aa9 
11:09:19 ipsec,debug 9a481e1b 6d08aa25 44f99979 ed19db36 e65def27 53ae5c67 6214a1cc 561796cb 
11:09:19 ipsec,debug 77363671 85964f16 656a5c6b 22aaf39c 5fc3caf9 2a8f77cc 21ff84fd b9725e43 
11:09:19 ipsec,debug use local ID type IPv4_subnet 
11:09:19 ipsec,debug use remote ID type IPv4_subnet 
11:09:19 ipsec,debug IDci: 
11:09:19 ipsec,debug 04000000 ac100200 ffffff00 
11:09:19 ipsec,debug IDcr: 
11:09:19 ipsec,debug 04000000 01010100 ffffff00 
11:09:19 ipsec,debug add payload of len 52, next type 10 
11:09:19 ipsec,debug add payload of len 24, next type 4 
11:09:19 ipsec,debug add payload of len 128, next type 5 
11:09:19 ipsec,debug add payload of len 12, next type 5 
11:09:19 ipsec,debug add payload of len 12, next type 0 
11:09:19 ipsec,debug HASH with: 
11:09:19 ipsec,debug 98c5c145 0a000038 00000001 00000001 0000002c 01030401 0bde7ef8 00000020 
11:09:19 ipsec,debug 01030000 80010001 00020004 00015180 80040001 80050001 80030002 0400001c 
11:09:19 ipsec,debug cf038d2c 5b9354cd f29f9e81 324fb845 34e7f69c 53c03468 05000084 53da0eaf 
11:09:19 ipsec,debug c2184fdd 8fb125ae c36ca04c 375ac7e9 5bc9ee86 aa0700ff c7a66a4e 57152dfe 
11:09:19 ipsec,debug be347f36 4b892748 823cc2a6 17dc95f2 c0f698d8 e900acc1 0beb7aa9 9a481e1b 
11:09:19 ipsec,debug 6d08aa25 44f99979 ed19db36 e65def27 53ae5c67 6214a1cc 561796cb 77363671 
11:09:19 ipsec,debug 85964f16 656a5c6b 22aaf39c 5fc3caf9 2a8f77cc 21ff84fd b9725e43 05000010 
11:09:19 ipsec,debug 04000000 ac100200 ffffff00 00000010 04000000 01010100 ffffff00 
11:09:19 ipsec,debug hmac(hmac_md5) 
11:09:19 ipsec,debug HASH computed: 
11:09:19 ipsec,debug 0abdcc3c 631ff1bd 153a0842 8ab8bd2c 
11:09:19 ipsec,debug add payload of len 16, next type 1 
11:09:19 ipsec,debug begin encryption. 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug pad length = 4 
11:09:19 ipsec,debug 01000014 0abdcc3c 631ff1bd 153a0842 8ab8bd2c 0a000038 00000001 00000001 
11:09:19 ipsec,debug 0000002c 01030401 0bde7ef8 00000020 01030000 80010001 00020004 00015180 
11:09:19 ipsec,debug 80040001 80050001 80030002 0400001c cf038d2c 5b9354cd f29f9e81 324fb845 
11:09:19 ipsec,debug 34e7f69c 53c03468 05000084 53da0eaf c2184fdd 8fb125ae c36ca04c 375ac7e9 
11:09:19 ipsec,debug 5bc9ee86 aa0700ff c7a66a4e 57152dfe be347f36 4b892748 823cc2a6 17dc95f2 
11:09:19 ipsec,debug c0f698d8 e900acc1 0beb7aa9 9a481e1b 6d08aa25 44f99979 ed19db36 e65def27 
11:09:19 ipsec,debug 53ae5c67 6214a1cc 561796cb 77363671 85964f16 656a5c6b 22aaf39c 5fc3caf9 
11:09:19 ipsec,debug 2a8f77cc 21ff84fd b9725e43 05000010 04000000 ac100200 ffffff00 00000010 
11:09:19 ipsec,debug 04000000 01010100 ffffff00 a5b81303 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug with key: 
11:09:19 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:19 ipsec,debug encrypted payload by IV: 
11:09:19 ipsec,debug 748bf612 f81d4c7c 
11:09:19 ipsec,debug save IV for next: 
11:09:19 ipsec,debug 107892cb 02d99be7 
11:09:19 ipsec,debug encrypted. 
11:09:19 ipsec,debug 300 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:19 ipsec,debug 1 times of 300 bytes message will be sent to 192.168.222.2[500] 
11:09:19 ipsec sent phase2 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb:98c5c145 
11:09:19 ipsec,debug ===== received 84 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:19 ipsec,debug receive Information. 
11:09:19 ipsec,debug compute IV for phase2 
11:09:19 ipsec,debug phase1 last IV: 
11:09:19 ipsec,debug 1ccc9d5f b7c3a957 b18c73a2 
11:09:19 ipsec,debug hash(md5) 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug phase2 IV computed: 
11:09:19 ipsec,debug 1a60920e e6e20093 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug IV was saved for next processing: 
11:09:19 ipsec,debug 5f6b8b8d a7e0b3bc 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug with key: 
11:09:19 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:19 ipsec,debug decrypted payload by IV: 
11:09:19 ipsec,debug 1a60920e e6e20093 
11:09:19 ipsec,debug decrypted payload, but not trimed. 
11:09:19 ipsec,debug 0b000014 d9023c31 4e15c9f8 66189d43 61c9c334 0000001c 00000001 0304000e 
11:09:19 ipsec,debug 0bde7ef8 0a000038 00000001 00000001 00000000 00000000 
11:09:19 ipsec,debug padding len=1 
11:09:19 ipsec,debug skip to trim padding. 
11:09:19 ipsec,debug decrypted. 
11:09:19 ipsec,debug 5968d1f7 b726f016 300e7acb a22a38fb 08100501 b18c73a2 00000054 0b000014 
11:09:19 ipsec,debug d9023c31 4e15c9f8 66189d43 61c9c334 0000001c 00000001 0304000e 0bde7ef8 
11:09:19 ipsec,debug 0a000038 00000001 00000001 00000000 00000000 
11:09:19 ipsec,debug HASH with: 
11:09:19 ipsec,debug b18c73a2 0000001c 00000001 0304000e 0bde7ef8 0a000038 00000001 00000001 
11:09:19 ipsec,debug hmac(hmac_md5) 
11:09:19 ipsec,debug HASH computed: 
11:09:19 ipsec,debug d9023c31 4e15c9f8 66189d43 61c9c334 
11:09:19 ipsec,debug hash validated. 
11:09:19 ipsec,debug begin. 
11:09:19 ipsec,debug seen nptype=8(hash) len=20 
11:09:19 ipsec,debug seen nptype=11(notify) len=28 
11:09:19 ipsec,debug succeed. 
11:09:19 ipsec,debug 192.168.222.2 notify: NO-PROPOSAL-CHOSEN 
11:09:19 ipsec 192.168.222.2 fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. 
11:09:19 ipsec,debug 192.168.222.2 notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0bde7ef8(size=4). 
11:09:19 ipsec 192.168.222.2 Message: '8 '. 
11:09:29 ipsec,debug 300 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:29 ipsec,debug 1 times of 300 bytes message will be sent to 192.168.222.2[500] 
11:09:29 ipsec resent phase2 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb:98c5c145

regards.

the interesting point is that as soon as i shut down ipsec on both sides, the gre tunnel comes back, and since no keepalive is set, gre seems not to go down. i thought this feedback might catch your eyes.

i think this part of the captured log is key:

11:09:19 ipsec,debug 192.168.222.2 notify: NO-PROPOSAL-CHOSEN
11:09:19 ipsec 192.168.222.2 fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
11:09:19 ipsec,debug 192.168.222.2 notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0bde7ef8(size=4).

i googled this “NO-PROPOSAL-CHOSEN” exception and some people say it relates to wrong or bad encryption/hash/authentication algorithm selection. any ideas?
regards.

I recommend that you use the default firewall rules for the traffic to work properly. The two rules that are visible in your configuration are not enough.
Or use this suggestion - forum.mikrotik.com/viewtopic.php?t=180838

# Default-style ("defconf") filter and NAT rules suggested in this reply.
# They reference interface lists named LAN and WAN; the export posted earlier
# in the thread has no /interface list section, so those lists and their
# members would have to be created before the rules can work as intended.
/ip firewall filter
# input chain: accepts established/related/untracked, drops invalid, accepts
# ICMP, then drops everything that did not arrive from the LAN list.
# NOTE(review): new IKE (UDP 500), ESP or GRE packets initiated by the peer on
# a non-LAN interface would reach the final drop unless explicit accept rules
# are added above it - confirm for the GRE over IPsec setup in this thread.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain: traffic matching an IPsec policy is accepted before the
# fasttrack rule, so it is not handed to fasttrack.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade only on the WAN list and only for packets that match no IPsec
# policy (ipsec-policy=out,none), unlike the unrestricted
# "add action=masquerade chain=srcnat" rule in the original export.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

thank you johnson73 for your reply, but i’m wondering how default firewall rules could affect this scenario, in which the routers are physically connected directly using IPs in the same subnet? let me clarify that as soon as i shut down IPSec, GRE works perfectly without even a blink. after all, i’m not sure if i’m on the right track.
regards.

I have had a similar case where IPsec worked very unstably between devices. Until the firewall on the MikroTik router was changed to the default one (of course, with its own required rules added) there was no stable operation. That’s why I always use the MikroTik “default rules” as a basis on the router, supplementing them with the ones I need. This is from my personal experience.

OK, so two points.

First, NO_PROPOSAL_CHOSEN is indeed an indication that none of encryption and/or authentication algorithm combinations proposed by the peer receiving this message is supported or enabled at the peer sending this message.

And indeed, that is your case.
Cisco: crypto ipsec transform-set myset esp-3des esp-sha-hmac
Mikrotik: /ip ipsec proposal set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d

So align the auth-algorithms (at Mikrotik side, it would be /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1), and you should be good.

Second, the GRE being up when IPsec policy is disabled - that sounds strange to me, but I don’t pretend I know everything. The GRE tunnel is indicated as being up in two cases

  • always if keepalive is disabled
  • as long as at least one transport packet from the GRE peer has been received during past keepalive interval

So with keepalive enabled, and IPsec policy disabled, the GRE packets are exchanged between the routers in plaintext and the interface is shown as up; once you configure the policy, the plaintext packets stop being delivered as the policy intercepts them even if no security association is currently available for it (this is by design and works in both directions). I don’t know about any mechanism making the tunnel be reported as down when keepalive is disabled and an IPsec policy matching the transport packets is enabled, but it does not mean such mechanism does not exist.

hey mates, sorry for the long absence.
i am clearly disappointed on this topic! ain’t know where the hell is the mismatch?? meanwhile i just followed what dear Sindy said but this time using a different IP plan having an internal LAN on both ends. so here is the output of the “ipsec-start.txt” file:

# jun/ 4/2022 22:25:46 by RouterOS 6.49.6
# software id = 0G7Y-54W3
#
22:25:53 ipsec,debug 192.168.222.2 DPD monitoring.... 
22:25:53 ipsec,debug hash(sha1) 
22:25:53 ipsec,debug 92 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:25:53 ipsec,debug 1 times of 92 bytes message will be sent to 192.168.222.2[500] 
22:25:53 ipsec,debug sendto Information notify. 
22:25:53 ipsec,debug 192.168.222.2 DPD R-U-There sent (0) 
22:25:53 ipsec,debug 192.168.222.2 rescheduling send_r_u (5). 
22:25:53 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:25:53 ipsec,debug receive Information. 
22:25:53 ipsec,debug hash(sha1) 
22:25:53 ipsec,debug hash validated. 
22:25:53 ipsec,debug begin. 
22:25:53 ipsec,debug seen nptype=8(hash) len=24 
22:25:53 ipsec,debug seen nptype=11(notify) len=32 
22:25:53 ipsec,debug succeed. 
22:25:53 ipsec,debug 192.168.222.2 notify: R_U_THERE_ACK 
22:25:53 ipsec,debug 192.168.222.2 DPD R-U-There-Ack received 
22:25:53 ipsec,debug received an R-U-THERE-ACK 
22:25:54 ipsec,debug Removing PH1... 
22:25:54 ipsec,debug Deleting a Ph2... 
22:25:54 ipsec,debug hash(sha1) 
22:25:54 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:25:54 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
22:25:54 ipsec,debug sendto Information delete. 
22:25:54 ipsec purged IPsec-SA proto_id=ESP spi=0xdc2d768c 
22:25:54 ipsec purged IPsec-SA proto_id=ESP spi=0xfb7798a 
22:25:54 ipsec,debug hash(sha1) 
22:25:54 ipsec,debug 92 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:25:54 ipsec,debug 1 times of 92 bytes message will be sent to 192.168.222.2[500] 
22:25:54 ipsec,debug sendto Information delete. 
22:25:54 ipsec,info ISAKMP-SA deleted 192.168.222.5[500]-192.168.222.2[500] spi:b183c73d2d5f5853:fb8793123892143f rekey:1 
22:25:54 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:25:54 ipsec 192.168.222.2 unknown Informational exchange received. 
22:26:24 ipsec,debug === 
22:26:24 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
22:26:24 ipsec,debug new cookie: 
22:26:24 ipsec,debug 593ad1bfbb7ee768 
22:26:24 ipsec,debug add payload of len 56, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 0 
22:26:24 ipsec,debug 348 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:24 ipsec,debug 1 times of 348 bytes message will be sent to 192.168.222.2[500] 
22:26:24 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:0000000000000000 
22:26:24 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:24 ipsec,debug begin. 
22:26:24 ipsec,debug seen nptype=1(sa) len=60 
22:26:24 ipsec,debug seen nptype=13(vid) len=20 
22:26:24 ipsec,debug succeed. 
22:26:24 ipsec received Vendor ID: RFC 3947 
22:26:24 ipsec 192.168.222.2 Selected NAT-T version: RFC 3947 
22:26:24 ipsec,debug total SA len=56 
22:26:24 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
22:26:24 ipsec,debug 80020002 80040002 80030001 800b0001 000c0004 00015180 
22:26:24 ipsec,debug begin. 
22:26:24 ipsec,debug seen nptype=2(prop) len=48 
22:26:24 ipsec,debug succeed. 
22:26:24 ipsec,debug proposal #1 len=48 
22:26:24 ipsec,debug begin. 
22:26:24 ipsec,debug seen nptype=3(trns) len=40 
22:26:24 ipsec,debug succeed. 
22:26:24 ipsec,debug transform #1 len=40 
22:26:24 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
22:26:24 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:24 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
22:26:24 ipsec,debug hash(sha1) 
22:26:24 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
22:26:24 ipsec,debug dh(modp1024) 
22:26:24 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
22:26:24 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
22:26:24 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
22:26:24 ipsec,debug pair 1: 
22:26:24 ipsec,debug  0x4a7218: next=(nil) tnext=(nil) 
22:26:24 ipsec,debug proposal #1: 1 transform 
22:26:24 ipsec,debug -checking with pre-shared key auth- 
22:26:24 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
22:26:24 ipsec,debug trns#=1, trns-id=IKE 
22:26:24 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
22:26:24 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:24 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
22:26:24 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
22:26:24 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
22:26:24 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
22:26:24 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
22:26:24 ipsec,debug -compare proposal #1: Local:Peer 
22:26:24 ipsec,debug (lifetime = 86400:86400) 
22:26:24 ipsec,debug (lifebyte = 0:0) 
22:26:24 ipsec,debug enctype = AES-CBC:AES-CBC 
22:26:24 ipsec,debug (encklen = 128:128) 
22:26:24 ipsec,debug hashtype = SHA:SHA 
22:26:24 ipsec,debug authmethod = pre-shared key:pre-shared key 
22:26:24 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
22:26:24 ipsec,debug -an acceptable proposal found- 
22:26:24 ipsec,debug dh(modp1024) 
22:26:24 ipsec,debug -agreed on pre-shared key auth- 
22:26:24 ipsec,debug === 
22:26:24 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec Adding remote and local NAT-D payloads. 
22:26:25 ipsec,debug add payload of len 128, next type 10 
22:26:25 ipsec,debug add payload of len 24, next type 20 
22:26:25 ipsec,debug add payload of len 20, next type 20 
22:26:25 ipsec,debug add payload of len 20, next type 0 
22:26:25 ipsec,debug 236 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:fb8793125114c415 
22:26:25 ipsec,debug ===== received 304 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=4(ke) len=132 
22:26:25 ipsec,debug seen nptype=10(nonce) len=24 
22:26:25 ipsec,debug seen nptype=13(vid) len=20 
22:26:25 ipsec,debug seen nptype=13(vid) len=20 
22:26:25 ipsec,debug seen nptype=13(vid) len=20 
22:26:25 ipsec,debug seen nptype=13(vid) len=12 
22:26:25 ipsec,debug seen nptype=20(nat-d) len=24 
22:26:25 ipsec,debug seen nptype=20(nat-d) len=24 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec received Vendor ID: CISCO-UNITY 
22:26:25 ipsec received Vendor ID: DPD 
22:26:25 ipsec,debug remote supports DPD 
22:26:25 ipsec,debug received unknown Vendor ID 
22:26:25 ipsec,debug 0e40340f 5115c415 a2ce731f 31013ee8 
22:26:25 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
22:26:25 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug NAT-D payload #0 verified 
22:26:25 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug NAT-D payload #1 verified 
22:26:25 ipsec NAT not detected  
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug nonce 1:  
22:26:25 ipsec,debug f33353c0 3f35baa7 1ae1d3de 577d2fac 3a2b8ade 66e40211 
22:26:25 ipsec,debug nonce 2:  
22:26:25 ipsec,debug f9be140f a8e0e7c1 612cd196 11b64e7f 748af59b 
22:26:25 ipsec,debug SKEYID computed: 
22:26:25 ipsec,debug ec947c52 41ff8a59 2ebb4116 39193bac 7e9dd962 
22:26:25 ipsec,debug SKEYID_d computed: 
22:26:25 ipsec,debug 5a00703d 1f283b5c 9c644034 273b45e9 23efc46f 
22:26:25 ipsec,debug SKEYID_a computed: 
22:26:25 ipsec,debug cc87fcde 3681a5a2 d6f4b349 79b327eb e46b84f0 
22:26:25 ipsec,debug SKEYID_e computed: 
22:26:25 ipsec,debug 0c8c5868 3ebd40c4 f245499b 0b223ded 94cebe36 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug final encryption key computed: 
22:26:25 ipsec,debug 0c8c5868 3ebd40c4 f245499b 0b223ded 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug IV computed: 
22:26:25 ipsec,debug f012e9fb 407b5435 09ebf537 05a3f510 
22:26:25 ipsec,debug use ID type of IPv4_address 
22:26:25 ipsec,debug add payload of len 8, next type 8 
22:26:25 ipsec,debug add payload of len 20, next type 0 
22:26:25 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:fb8793125114c415 
22:26:25 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=5(id) len=12 
22:26:25 ipsec,debug seen nptype=8(hash) len=24 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug HASH received: 
22:26:25 ipsec,debug 795155f9 6ece4e95 a3735aea 0d29f7ed 5282da13 
22:26:25 ipsec,debug HASH for PSK validated. 
22:26:25 ipsec,debug 192.168.222.2 peer's ID: 
22:26:25 ipsec,debug 011101f4 c0a8de02 
22:26:25 ipsec,debug === 
22:26:25 ipsec ph2 possible after ph1 creation 
22:26:25 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
22:26:25 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
22:26:25 ipsec,debug begin QUICK mode. 
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug begin QUICK mode. 
22:26:25 ipsec initiate new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug call pfkey_send_getspi 35 
22:26:25 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
22:26:25 ipsec,debug pfkey getspi sent. 
22:26:25 ipsec,info ISAKMP-SA established 192.168.222.5[500]-192.168.222.2[500] spi:593ad1bfbb7ee768:fb8793125114c415 
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug receive Information. 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug hash validated. 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=8(hash) len=24 
22:26:25 ipsec,debug seen nptype=11(notify) len=40 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug 192.168.222.2 notify: RESPONDER-LIFETIME 
22:26:25 ipsec,debug 192.168.222.2 notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=1 spi=593ad1bfbb7ee768fb8793125114c415(size=16). 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug use local ID type IPv4_subnet 
22:26:25 ipsec,debug use remote ID type IPv4_subnet 
22:26:25 ipsec,debug IDci: 
22:26:25 ipsec,debug 042f0000 ac100200 ffffff00 
22:26:25 ipsec,debug IDcr: 
22:26:25 ipsec,debug 042f0000 01010100 ffffff00 
22:26:25 ipsec,debug add payload of len 56, next type 10 
22:26:25 ipsec,debug add payload of len 24, next type 4 
22:26:25 ipsec,debug add payload of len 128, next type 5 
22:26:25 ipsec,debug add payload of len 12, next type 5 
22:26:25 ipsec,debug add payload of len 12, next type 0 
22:26:25 ipsec,debug add payload of len 20, next type 1 
22:26:25 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:fb8793125114c415:c6b628b5 
22:26:25 ipsec,debug ===== received 348 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=8(hash) len=24 
22:26:25 ipsec,debug seen nptype=1(sa) len=60 
22:26:25 ipsec,debug seen nptype=10(nonce) len=24 
22:26:25 ipsec,debug seen nptype=4(ke) len=132 
22:26:25 ipsec,debug seen nptype=5(id) len=16 
22:26:25 ipsec,debug seen nptype=5(id) len=16 
22:26:25 ipsec,debug seen nptype=11(notify) len=40 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug 192.168.222.2 Notify Message received 
22:26:25 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
22:26:25 ipsec,debug IDci matches proposal. 
22:26:25 ipsec,debug IDcr matches proposal. 
22:26:25 ipsec,debug HASH allocated:hbuf->l=344 actual:tlen=312 
22:26:25 ipsec,debug HASH(2) received: 
22:26:25 ipsec,debug 0e5d89c5 478b57bc e635942c 81b45a6c fa806184 
22:26:25 ipsec,debug total SA len=56 
22:26:25 ipsec,debug 00000001 00000001 00000030 01030401 06459dd2 00000024 010c0000 80010001 
22:26:25 ipsec,debug 00020004 00015180 80040001 80060080 80050002 80030002 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=2(prop) len=48 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug proposal #1 len=48 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=3(trns) len=36 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug transform #1 len=36 
22:26:25 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
22:26:25 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
22:26:25 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
22:26:25 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:25 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
22:26:25 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug pair 1: 
22:26:25 ipsec,debug  0x4a94f8: next=(nil) tnext=(nil) 
22:26:25 ipsec,debug proposal #1: 1 transform 
22:26:25 ipsec,debug total SA len=56 
22:26:25 ipsec,debug 00000001 00000001 00000030 01030401 2b3637c0 00000024 010c0000 80040001 
22:26:25 ipsec,debug 80010001 00020004 00015180 80050002 80060080 80030002 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=2(prop) len=48 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug proposal #1 len=48 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=3(trns) len=36 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug transform #1 len=36 
22:26:25 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
22:26:25 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
22:26:25 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
22:26:25 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
22:26:25 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:25 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug pair 1: 
22:26:25 ipsec,debug  0x4a9510: next=(nil) tnext=(nil) 
22:26:25 ipsec,debug proposal #1: 1 transform 
22:26:25 ipsec attribute has been modified. 
22:26:25 ipsec,debug begin compare proposals. 
22:26:25 ipsec,debug pair[1]: 0x4a9510 
22:26:25 ipsec,debug  0x4a9510: next=(nil) tnext=(nil) 
22:26:25 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
22:26:25 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
22:26:25 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
22:26:25 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
22:26:25 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
22:26:25 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:25 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
22:26:25 ipsec,debug peer's single bundle: 
22:26:25 ipsec,debug  (proto_id=ESP spisize=4 spi=2b3637c0 spi_p=00000000 encmode=Tunnel reqid=0:0) 
22:26:25 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
22:26:25 ipsec,debug my single bundle: 
22:26:25 ipsec,debug  (proto_id=ESP spisize=4 spi=06459dd2 spi_p=00000000 encmode=Tunnel reqid=0:0) 
22:26:25 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
22:26:25 ipsec,debug matched 
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug HASH(3) generate 
22:26:25 ipsec,debug add payload of len 20, next type 0 
22:26:25 ipsec,debug 60 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 60 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug encklen=128 authklen=160 
22:26:25 ipsec,debug generating 480 bits of key (dupkeymat=3) 
22:26:25 ipsec,debug generating K1...K3 for KEYMAT. 
22:26:25 ipsec,debug 6de7b605 f30b640d 369a0dd7 a1ee0404 865d452c 835ccf0b 90b0ff4d 0012716e 
22:26:25 ipsec,debug 20d880e9 c2bafe54 57637907 2a2faa1f aba42202 e2a58929 b6f037cc 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug encklen=128 authklen=160 
22:26:25 ipsec,debug generating 480 bits of key (dupkeymat=3) 
22:26:25 ipsec,debug generating K1...K3 for KEYMAT. 
22:26:25 ipsec,debug bc85d41f 31ca82ab 96048ac9 8e4ab705 8ba5fd70 d9278c28 e0ed4b9f 1e6f56d4 
22:26:25 ipsec,debug 51c440aa 14428599 4f32e146 81fe46e7 14660aa6 2e3d38ef f614388e 
22:26:25 ipsec,debug KEYMAT computed. 
22:26:25 ipsec,debug call pk_sendupdate 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug call pfkey_send_update_nat 
22:26:25 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x6459dd2 
22:26:25 ipsec,debug pfkey update sent. 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug call pfkey_send_add_nat 
22:26:25 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x2b3637c0 
22:26:25 ipsec,debug pfkey add sent.

let me post the new configs so perhaps you guys can see the mismatch:
cisco config:

Building configuration...


Current configuration : 1955 bytes
!
! Last configuration change at 18:20:37 UTC Sat Jun 4 2022
! Global settings of the Cisco end as posted (hostname TunnelRouter, IOS 15.1).
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 obfuscation of stored passwords is switched off.
no service password-encryption
!
hostname TunnelRouter
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9_ivs-mz.151-4.M.bin
boot-end-marker
!
!
! NOTE(review): the type 5 (MD5-based) enable-secret hash is disclosed by this post;
! set a new enable secret if the device stays in use.
enable secret 5 $1$BYTG$gM4Dh523JfjHCtbiU..T60
!
! AAA (new-model) is not enabled.
no aaa new-model
!
!
dot11 syslog
! IP source routing is enabled. NOTE(review): hardening guides commonly turn this off
! (no ip source-route) unless it is specifically needed.
ip source-route

!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1413F35T
! Configuration change logging; "hidekeys" keeps password/key values out of that log.
archive
 log config
  hidekeys
!
redundancy
!
!
!
!
! IKE phase 1 policy: AES, pre-shared key, DH group 2. No hash line is shown here; the MikroTik
! log on this page reports the negotiated set as AES-CBC 128 / SHA / 1024-bit MODP.
! NOTE(review): group 2 is 1024-bit MODP, which current guidance treats as too weak;
! prefer a larger group once the tunnel works, if both ends support it.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! NOTE(review): the pre-shared key is stored in clear text and is disclosed by this post;
! replace it on both peers.
crypto isakmp key Test1234 address 192.168.222.5 no-xauth
!
!
! Phase 2 transform: ESP with AES and HMAC-SHA1.
crypto ipsec transform-set myset1 esp-aes esp-sha-hmac
!
! NOTE(review): entry 1 has no "set transform-set" line and matches the same ACL as entry 10.
! The Cisco log on this page shows "%CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default
! transforms", which is consistent with entry 1 being the one in use - confirm, and drop the
! entry if it is a leftover.
crypto map gremap 1 ipsec-isakmp
 set peer 192.168.222.5
 set pfs group2
 match address gretraffic
! Entry 10: peer 192.168.222.5, transform-set myset1, PFS group 2, traffic selected by ACL gretraffic.
crypto map gremap 10 ipsec-isakmp
 set peer 192.168.222.5
 set transform-set myset1
 set pfs group2
 match address gretraffic
! 
! Loopback0 (1.1.1.1/24) is the address the poster pings as the Cisco-side network.
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Tunnel towards the MikroTik (192.168.222.5), sourced from FastEthernet0/0. No "tunnel mode"
! line is shown, so the platform default applies (presumably GRE over IP - confirm).
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.222.5
!
! Physical link to the MikroTik; the crypto map is applied here, i.e. on the tunnel source interface.
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.248
 duplex auto
 speed auto
 crypto map gremap
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
! The plain-HTTP management server is enabled and the HTTPS server is disabled.
! NOTE(review): disable the HTTP server, or use HTTPS with access restrictions, outside a lab.
ip http server
no ip http secure-server
!
!
! Remote LAN 172.16.2.0/24 is reached via 192.168.0.2, the MikroTik address on the tunnel subnet.
ip route 172.16.2.0 255.255.255.0 192.168.0.2
!
! Crypto ACL referenced by both gremap entries.
! NOTE(review): the "permit ip" line names 172.16.2.0/24 as source and 1.1.1.0/24 as destination;
! the later Cisco config in this thread lists the two subnets the other way round.
! NOTE(review): "permit gre any any" selects every GRE packet leaving the interface; it could
! presumably be narrowed to the two tunnel endpoints - verify against the peer's policy.
ip access-list extended gretraffic
 permit ip 172.16.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit gre any any
!
logging esm config
!
!
!
!
!
!
control-plane

mikrotik config:

# jun/04/2022 22:30:26 by RouterOS 6.49.6
# software id = **********
#
# model = 951Ui-2HnD
# serial number = **********
# Interface naming, GRE tunnel, IPsec phase 1/2 parameters and addressing of the MikroTik end.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
# NOTE(review): only the SSID and supplicant-identity are exported for wireless; confirm that
# wlan1 is either disabled or protected by a security profile.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
# GRE tunnel between 192.168.222.5 (local) and 192.168.222.2 (Cisco). "!keepalive" unsets
# keepalive, so, as explained earlier in this thread, the interface is reported as up
# regardless of whether GRE packets from the peer actually arrive.
/interface gre
add allow-fast-path=no !keepalive local-address=192.168.222.5 name=\
    gre-tunnel1 remote-address=192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# No profile= is exported for the peer, so presumably the default profile below is the one used.
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.5 name=myset1
# Default profile: DH modp1024 with AES-128; the log on this page shows SHA negotiated as hash.
# profile1 (3DES / MD5, NAT-T off) is defined but not referenced by the peer in this export.
# NOTE(review): modp1024, 3DES and MD5 are legacy choices; remove profile1 if unused and move
# to stronger settings once the tunnel works, if both ends support them.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 \
    nat-traversal=no
# Phase 2 proposal: AES-128-CBC with a lifetime of one day.
# NOTE(review): the Cisco log on this page reports an SA lifetime of 3600 s, and the MikroTik
# log shows the RESPONDER-LIFETIME notification being ignored - consider aligning the lifetimes.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d
# DHCP pool for the LAN; 172.16.2.2 is left out because it is the router's own LAN address.
/ip pool
add name=dhcp_pool0 ranges=172.16.2.1,172.16.2.3-172.16.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2_toLAN name=dhcp1
# Addresses: link to the Cisco, GRE tunnel subnet, and local LAN.
/ip address
add address=192.168.222.5/29 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip dhcp-server network
add address=172.16.2.0/24 gateway=172.16.2.2
# Filter rules. The list holds accept rules and two "drop invalid" rules but no final drop in
# the input or forward chain; as pointed out later in this thread, a chain accepts whatever no
# rule matched, so the accept rules here do not restrict anything.
# NOTE(review): add explicit final drop rules (after the accepts that are really needed) if
# this router is meant to filter traffic.
/ip firewall filter
# Router-to-router traffic between the two directly connected addresses.
add action=accept chain=input dst-address=192.168.222.5 src-address=\
    192.168.222.2
add action=accept chain=output dst-address=192.168.222.2 src-address=\
    192.168.222.5
# IPsec-policy accepts are placed ahead of the fasttrack rule further down.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
# LAN-to-1.1.1.0/24 traffic is exempted from NAT so that its source address stays in 172.16.2.0/24.
add action=accept chain=srcnat dst-address=1.1.1.0/24 src-address=\
    172.16.2.0/24
# Masquerade has no out-interface or ipsec-policy matcher, so it applies to all remaining
# srcnat traffic. NOTE(review): the defconf rule quoted earlier on this page limits it with
# ipsec-policy=out,none and out-interface-list=WAN - consider the same restriction here.
add action=masquerade chain=srcnat
# NOTE(review): the pre-shared key is exported in clear text and is disclosed by this post;
# replace it on both peers.
/ip ipsec identity
add peer=myset1 secret=Test1234
# Both the default policy template (item 0) and the manual policy are exported as disabled,
# so in this state no traffic is selected for encryption on the MikroTik side.
# NOTE(review): the manual policy matches protocol=gre between 172.16.2.0/24 and 1.1.1.0/24,
# while the GRE packets of gre-tunnel1 carry 192.168.222.5 -> 192.168.222.2 as outer addresses
# (see /interface gre), so this selector would presumably not match them - verify against the
# intended design and the Cisco crypto ACL.
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=\
    172.16.2.0/24 tunnel=yes
# 1.1.1.0/24 is routed into the GRE tunnel; 192.168.0.0/24 is routed via the Cisco tunnel address.
/ip route
add distance=1 dst-address=1.1.1.0/24 gateway=gre-tunnel1
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
/system clock
set time-zone-name=Asia/Tehran
# IPsec logging without the packet topic. NOTE(review): the ipsec,debug output posted on this
# page includes nonces, SKEYID values and KEYMAT; treat such logs as sensitive and remove this
# logging rule once troubleshooting is finished.
/system logging
add topics=ipsec,!packet

right now, all pings go timeout after ipsec phase2 is established; without ipsec all pings are ok.

on cisco side the following logs are shown at the same time as mikrotik creating its log file:

*Jun  4 18:24:51.118: IPSEC(validate_proposal_request): proposal part #1
*Jun  4 18:24:51.118: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.222.2:0, remote= 192.168.222.5:0,
    local_proxy= 1.1.1.0/255.255.255.0/47/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/47/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun  4 18:24:51.118: Crypto mapdb : proxy_match
        src addr     : 1.1.1.0
        dst addr     : 172.16.2.0
        protocol     : 47
        src port     : 0
        dst port     : 0
*Jun  4 18:24:51.118: %CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default transforms
*Jun  4 18:24:51.210: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun  4 18:24:51.210: Crypto mapdb : proxy_match
        src addr     : 1.1.1.0
        dst addr     : 172.16.2.0
        protocol     : 47
        src port     : 0
        dst port     : 0
*Jun  4 18:24:51.210: IPSEC(create_sibling_entry): Transport mode requested, but tunnel mode negotiated
*Jun  4 18:24:51.210: IPSEC(policy_db_add_ident): src 1.1.1.0, dest 172.16.2.0, dest_port 0

*Jun  4 18:24:51.210: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.222.2, sa_proto= 50,
    sa_spi= 0x2B3637C0(724973504),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2025
    sa_lifetime(k/sec)= (4544998/3600)
*Jun  4 18:24:51.210: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.222.5, sa_proto= 50,
    sa_spi= 0x6459DD2(105225682),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2026
    sa_lifetime(k/sec)= (4544998/3600)
*Jun  4 18:24:51.218: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun  4 18:24:51.218: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jun  4 18:24:51.218: IPSEC(key_engine_enable_outbound): enable SA with spi 105225682/50
*Jun  4 18:24:51.218: IPSEC(update_current_outbound_sa): get enable SA peer 192.168.222.5 current outbound sa to SPI 6459DD2
*Jun  4 18:24:51.218: IPSEC(update_current_outbound_sa): updated peer 192.168.222.5 current outbound sa to SPI 6459DD2
*Jun  4 18:25:23.730: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.222.2, src_addr= 192.168.222.5, prot= 47
*Jun  4 18:25:32.682: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun  4 18:25:32.686: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun  4 18:25:32.686: IPSEC(key_engine_delete_sas): delete SA with spi 0x6459DD2 proto 50 for 192.168.222.5
*Jun  4 18:25:32.686: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.222.2, sa_proto= 50,
    sa_spi= 0x2B3637C0(724973504),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2025
    sa_lifetime(k/sec)= (4544998/3600),
  (identity) local= 192.168.222.2:0, remote= 192.168.222.5:0,
    local_proxy= 1.1.1.0/255.255.255.0/47/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/47/0 (type=4)
*Jun  4 18:25:32.686: IPSEC(update_current_outbound_sa): updated peer 192.168.222.5 current outbound sa to SPI 0
*Jun  4 18:25:32.686: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.222.5, sa_proto= 50,
    sa_spi= 0x6459DD2(105225682),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2026
    sa_lifetime(k/sec)= (4544998/3600),
  (identity) local= 192.168.222.2:0, remote= 192.168.222.5:0,
    local_proxy= 1.1.1.0/255.255.255.0/47/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/47/0 (type=4)

all in all, no ping yet.

At IPsec level, the log shows that Phase 1 and Phase 2 establish properly.

However, the export of the Mikrotik configuration doesn’t match the one of the Cisco - on Mikrotik, both the default policy template and the single policy configured manually are shown as disabled, and the policy has protocol=gre whereas on Cisco, the extended access-list gretraffic matches on ip for the addresses matching the policy at Mikrotik. As you have clearly exported a different configuration than the one which was in place while you took the log, it is hard to say what exactly was wrong.

You also haven’t written from where you ping and to which address; e.g. if you ping 1.1.1.x from the Mikrotik itself, the policy won’t match on the pings because the gateway of the route to 1.1.1.0/24 is set to gre-tunnel1, so the pings to 1.1.1.x get a source address 192.168.0.2 (which is attached to gre-tunnel1), so they do not match the src-address of the policy.

So provide a consistent and complete set of information - log and exports matching together and details of the ping.

Off topic, the default behaviour of Mikrotik firewall chains is accept, so most of the firewall rules are effectively useless, as whatever is not accepted explicitly by one of them is accepted anyway by default.

thank you Sindy so much for your attention. YES you’re right, this was a fault of mine. here is a more consistent cisco config with less clutter:

!
! IKE phase 1: AES, pre-shared key, DH group 2 (1024-bit MODP).
! NOTE(review): group 2 is a legacy choice; move to a larger group once the tunnel works,
! if both ends support it.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! NOTE(review): the pre-shared key is stored in clear text and is disclosed by this post;
! replace it on both peers.
crypto isakmp key Test1234 address 192.168.222.5 no-xauth
!
!
! Phase 2 transform: ESP with AES and HMAC-SHA1.
crypto ipsec transform-set myset1 esp-aes esp-sha-hmac
!
! Single crypto map entry: peer 192.168.222.5, transform-set myset1, PFS group 2,
! traffic selected by ACL gretraffic.
crypto map gremap 10 ipsec-isakmp
 set peer 192.168.222.5
 set transform-set myset1
 set pfs group2
 match address gretraffic
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Tunnel towards 192.168.222.5, sourced from the interface that also carries the crypto map.
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.222.5
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.248
 duplex auto
 speed auto
 crypto map gremap
!
!
! Remote LAN 172.16.2.0/24 is routed via 192.168.0.2, i.e. into Tunnel0.
ip route 172.16.2.0 255.255.255.0 192.168.0.2
!
! Crypto ACL. Traffic routed into Tunnel0 leaves FastEthernet0/0 encapsulated between
! 192.168.222.2 and 192.168.222.5, so presumably "permit gre any any" is the line that selects it.
! NOTE(review): that line could presumably be narrowed to
! "permit gre host 192.168.222.2 host 192.168.222.5"; whichever selector is used, the IPsec
! policy on the peer has to mirror it - verify.
ip access-list extended gretraffic
 permit gre any any
 permit ip 1.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!

about pinging, with this configuration i can ping the two ends of the tunnel from inside the two routers and also the two LAN IPs from other LAN sides. i mean i can ping 192.168.0.2 from inside cisco and 192.168.0.1 from inside mikrotik. then i can ping 1.1.1.1 from laptop connected to LAN of mikrotik and as well, ping 172.16.2.1 from 1.1.1.1 which is cisco’s loopback0.
i hope it would be ok this time.
thanks,

and sequential to cisco config, here is better config of my routerboard:

...
# Interface naming: ether1 faces the Cisco, ether2 the LAN, ether4 a laptop.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
# GRE tunnel from 192.168.222.5 (local) to 192.168.222.2 (Cisco); keepalive is
# unset (!keepalive) and fast path is disabled for the tunnel.
/interface gre
add allow-fast-path=no !keepalive local-address=192.168.222.5 mtu=1576 name=\
    gre-tunnel1 remote-address=192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec peer: the Cisco at 192.168.222.2, reached from local address 192.168.222.5.
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.5 name=myset1
# Phase 1 parameters (default profile): DH modp1024, AES-128.
# NOTE(review): modp1024 is a 1024-bit group and is generally considered too
# weak for new deployments - prefer a larger group that both ends support.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
# Phase 2 proposal (default): AES-128-CBC, lifetime 1 day. Auth algorithm and
# PFS group are not listed in this export.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d
# DHCP pool for the LAN; 172.16.2.2 (the router's own LAN address) is left out.
/ip pool
add name=dhcp_pool0 ranges=172.16.2.1,172.16.2.3-172.16.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2_toLAN name=dhcp1
# Addresses: /29 link to the Cisco, /30 on the GRE tunnel, /24 on the LAN.
/ip address
add address=192.168.222.5/29 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip dhcp-server network
add address=172.16.2.0/24 gateway=172.16.2.2
# NOTE(review): every filter rule below carries disabled=yes, so none of them
# is in effect. With the chains' default action being accept (as pointed out
# in the thread), the router is unfiltered in this state - acceptable only on
# an isolated lab link.
/ip firewall filter
add action=accept chain=input disabled=yes dst-address=192.168.222.5 \
    src-address=192.168.222.2
add action=accept chain=output disabled=yes dst-address=192.168.222.2 \
    src-address=192.168.222.5
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
# srcnat: traffic leaving via gre-tunnel1 is exempted from NAT; the masquerade
# rule has no out-interface restriction, so it applies to everything else.
/ip firewall nat
add action=accept chain=srcnat out-interface=gre-tunnel1
add action=masquerade chain=srcnat
# NOTE(review): the pre-shared secret is shown in clear text. A secret that has
# been posted publicly should be treated as disclosed and replaced on both peers.
/ip ipsec identity
add peer=myset1 secret=Test1234
# Entry 0 (the default policy template, per the discussion in the thread) is
# disabled. The added policy selects protocol GRE between 172.16.2.0/24 and
# 1.1.1.0/24 in tunnel mode, i.e. it matches on the LAN subnets, not on the
# GRE endpoints 192.168.222.5 / 192.168.222.2.
# NOTE(review): the debug log in this thread shows the Cisco proposing
# 0.0.0.0/0 <=> 0.0.0.0/0 ip-proto 47, which no policy here matches
# ("policy not found").
/ip ipsec policy
set 0 disabled=yes
add dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=172.16.2.0/24 \
    tunnel=yes
# Static routes: 1.1.1.0/24 via the GRE interface; 192.168.0.0/24 via the
# Cisco's tunnel address (the tunnel itself is addressed as a /30).
/ip route
add distance=1 dst-address=1.1.1.0/24 gateway=gre-tunnel1
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
...

dear Sindy, i was reading this reply of yours in a similar thread:
http://forum.mikrotik.com/t/ipsec-over-gre-sa-installed-but-gre-interface-is-down/144165/1

is it possible that the problem in my scenario lies within my firewall rules? however, as i said earlier the pings of GRE two ends, i.e 192.168.0.1 & 192.168.0.2, as well as pings of the LAN sides, i.e 1.1.1.1 & 172.16.2.1, come back right after i disable ipsec peers on both devices.

Even the “correct” export contains an inconsistence between the log contents and the configuration:

/ip ipsec policy

add dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=172.16.2.0/24 tunnel=yes

but

22:26:25 ipsec,debug use local ID type IPv4_subnet
22:26:25 ipsec,debug use remote ID type IPv4_subnet
22:26:25 ipsec,debug IDci:
22:26:25 ipsec,debug 042f0000 ac100200 ffffff00
22:26:25 ipsec,debug IDcr:
22:26:25 ipsec,debug 042f0000 01010100 ffffff00

You also ask whether the firewall may be an issue but the export shows all firewall rules to be disabled, which means everything is accepted.

So it is hard to be sure what is the actual configuration when you encounter the ping failures. For a proper analysis, I need a snapshot of both configurations taken in the state when the pings fail.

In general, you can use the IPsec

  • either to encrypt the GRE transport packets (which would require a tunnel mode policy with src-address equal to interface gre’s local-address and dst-address equal to interface gre’s remote-address (or it may even be a transport mode policy if the peers’ addresses are the same as the GRE tunnel’s ones)),
  • or to directly encrypt the payload between 172.16.2.0/24 and 1.1.1.0/24 where the GRE tunnel is bypassed

The fact that enabling the peers causes the pings to fail suggests that you use the second way. When you disable a policy, or the peer it uses, the policy does nothing. If both the policy and its relevant peer are enabled, the policy intercepts matching packets no matter whether a corresponding security association exists or not, and also drops incoming packets that reverse-match it but did not arrive via the corresponding security association. This is by design of the overall security model associated to the IPsec protocol.

So when you enable the peer (at least at Mikrotik side), the pings stop being sent via the GRE tunnel because they get intercepted by the policy just before reaching the tunnel. This suggests that the policy actually doesn’t contain the protocol=gre part, otherwise it would ignore other packets than GRE transport ones.

Now two possible scenarios exist - either Phase 2 failed, so the packets intercepted by the policy are effectively dropped, or Phase 2 succeeded but something is wrong about the encryption, so the pings get encrypted and sent to the peer but the peer cannot decrypt them (or doesn’t receive them, hard to say).

At Cisco side, the access list used by the crypto map says “anything between local 1.1.1.0/24 and remote 172.16.2.0/24 or GRE between any addresses”, so I guess once you enable the crypto map, all GRE transport traffic gets intercepted and therefore stops getting through (at least because there is no matching policy at Mikrotik side), so even pings between the payload addresses attached to the endpoints of the GRE tunnel cannot pass through as the GRE transport packets carrying them cannot.

So let me cite (well, I’m afraid it is actually a paraphrase as I’ve never read that particular book in the English original) Sir Terry Pratchett: “whenever I see the poster saying ‘Dead or Alive’, it seems to me they f-ing cannot make their mind”. Choose one way (encrypted GRE) or the other (direct encryption of the payload), clean up the configuration to match only the chosen way, and let’s debug that.

dear sindy, the configs that i posted in the previous reply are exactly the configs at the time of ping fail. therefore, looking at the last posted configs, if and only if i halt ipsec on both ends (ex. by disabling peers) pings will come back. i guess this is a sign for a working gre tunnel between the two, as i see counting packets in mikrotik gre interface while pinging. am i right?
about the gre types … yes i am exactly trying “encrypted gre” which i guess is known as “gre over ipsec”. i think the other method where the gre is in transport mode is called “ipsec over gre”. anyway, i loved your explanations, i highly appreciate the distinction you made; great for a beginner like me :slight_smile:
about the inconsistence of logs, yes you’re right. so i tried to re-enable logging at the time when ping fails that is, when ipsec is applied to gre tunnel. here is the content of “ipsec-start.txt” file:

# jan/ 2/1970  0:16:11 by RouterOS 6.49.6
# software id = 0G7Y-54W3
#
00:17:01 ipsec,debug 192.168.222.2 DPD monitoring.... 
00:17:01 ipsec,debug hash(sha1) 
00:17:01 ipsec,debug 92 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:01 ipsec,debug 1 times of 92 bytes message will be sent to 192.168.222.2[500] 
00:17:01 ipsec,debug sendto Information notify. 
00:17:01 ipsec,debug 192.168.222.2 DPD R-U-There sent (0) 
00:17:01 ipsec,debug 192.168.222.2 rescheduling send_r_u (5). 
00:17:01 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:01 ipsec,debug receive Information. 
00:17:01 ipsec,debug hash(sha1) 
00:17:01 ipsec,debug hash validated. 
00:17:01 ipsec,debug begin. 
00:17:01 ipsec,debug seen nptype=8(hash) len=24 
00:17:01 ipsec,debug seen nptype=11(notify) len=32 
00:17:01 ipsec,debug succeed. 
00:17:01 ipsec,debug 192.168.222.2 notify: R_U_THERE_ACK 
00:17:01 ipsec,debug 192.168.222.2 DPD R-U-There-Ack received 
00:17:01 ipsec,debug received an R-U-THERE-ACK 
00:17:07 ipsec,debug ===== received 316 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:07 ipsec,debug hash(sha1) 
00:17:07 ipsec,debug === 
00:17:07 ipsec respond new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=8(hash) len=24 
00:17:07 ipsec,debug seen nptype=1(sa) len=68 
00:17:07 ipsec,debug seen nptype=10(nonce) len=24 
00:17:07 ipsec,debug seen nptype=4(ke) len=132 
00:17:07 ipsec,debug seen nptype=5(id) len=16 
00:17:07 ipsec,debug seen nptype=5(id) len=16 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug received IDci2: 
00:17:07 ipsec,debug 042f0000 00000000 00000000 
00:17:07 ipsec,debug received IDcr2: 
00:17:07 ipsec,debug 042f0000 00000000 00000000 
00:17:07 ipsec,debug HASH(1) validate: 
00:17:07 ipsec,debug 3c3cdbdf c0ad8564 8da891a6 1b66b3af b1c01759 
00:17:07 ipsec,debug total SA len=64 
00:17:07 ipsec,debug 00000001 00000001 00000038 01030401 a8a09e6d 0000002c 010c0000 80040001 
00:17:07 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=2(prop) len=56 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug proposal #1 len=56 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=3(trns) len=44 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug transform #1 len=44 
00:17:07 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:07 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:07 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:17:07 ipsec,debug life duration was in TLV. 
00:17:07 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:17:07 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:07 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:07 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:07 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:07 ipsec,debug dh(modp1024) 
00:17:07 ipsec,debug pair 1: 
00:17:07 ipsec,debug  0x4a3808: next=(nil) tnext=(nil) 
00:17:07 ipsec,debug proposal #1: 1 transform 
00:17:07 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:07 ipsec,debug got the peer address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:07 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47 
00:17:07 ipsec policy not found 
00:17:07 ipsec failed to get proposal for responder. 
00:17:07 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
00:17:07 ipsec,debug hash(sha1) 
00:17:07 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:07 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:07 ipsec,debug sendto Information notify. 
00:17:07 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:07 ipsec,debug receive Information. 
00:17:07 ipsec,debug hash(sha1) 
00:17:07 ipsec,debug hash validated. 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=8(hash) len=24 
00:17:07 ipsec,debug seen nptype=12(delete) len=28 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug 192.168.222.2 delete payload for protocol ISAKMP 
00:17:07 ipsec,info purging ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=9d29a0e1abfb7d44:3fc807dfdf888ad4. 
00:17:07 ipsec purged IPsec-SA proto_id=ESP spi=0xfc67a2c2 
00:17:07 ipsec purged IPsec-SA proto_id=ESP spi=0x13b403c 
00:17:07 ipsec purged ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=9d29a0e1abfb7d44:3fc807dfdf888ad4. 
00:17:07 ipsec,debug purged SAs. 
00:17:07 ipsec,info ISAKMP-SA deleted 192.168.222.5[500]-192.168.222.2[500] spi:9d29a0e1abfb7d44:3fc807dfdf888ad4 rekey:1 
00:17:11 ipsec,debug === 
00:17:11 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:11 ipsec,debug new cookie: 
00:17:11 ipsec,debug 71ffcbce1a50cb0e 
00:17:11 ipsec,debug add payload of len 56, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 0 
00:17:11 ipsec,debug 348 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 348 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:0000000000000000 
00:17:11 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=1(sa) len=60 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec received Vendor ID: RFC 3947 
00:17:11 ipsec 192.168.222.2 Selected NAT-T version: RFC 3947 
00:17:11 ipsec,debug total SA len=56 
00:17:11 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
00:17:11 ipsec,debug 80020002 80040002 80030001 800b0001 000c0004 00015180 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=2(prop) len=48 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug proposal #1 len=48 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=3(trns) len=40 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug transform #1 len=40 
00:17:11 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:11 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug pair 1: 
00:17:11 ipsec,debug  0x4a9908: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug proposal #1: 1 transform 
00:17:11 ipsec,debug -checking with pre-shared key auth- 
00:17:11 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
00:17:11 ipsec,debug trns#=1, trns-id=IKE 
00:17:11 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:11 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:11 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug -compare proposal #1: Local:Peer 
00:17:11 ipsec,debug (lifetime = 86400:86400) 
00:17:11 ipsec,debug (lifebyte = 0:0) 
00:17:11 ipsec,debug enctype = AES-CBC:AES-CBC 
00:17:11 ipsec,debug (encklen = 128:128) 
00:17:11 ipsec,debug hashtype = SHA:SHA 
00:17:11 ipsec,debug authmethod = pre-shared key:pre-shared key 
00:17:11 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
00:17:11 ipsec,debug -an acceptable proposal found- 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug -agreed on pre-shared key auth- 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec Adding remote and local NAT-D payloads. 
00:17:11 ipsec,debug add payload of len 128, next type 10 
00:17:11 ipsec,debug add payload of len 24, next type 20 
00:17:11 ipsec,debug add payload of len 20, next type 20 
00:17:11 ipsec,debug add payload of len 20, next type 0 
00:17:11 ipsec,debug 236 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:3fc807df1dc73e73 
00:17:11 ipsec,debug ===== received 304 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=4(ke) len=132 
00:17:11 ipsec,debug seen nptype=10(nonce) len=24 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug seen nptype=13(vid) len=12 
00:17:11 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:11 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec received Vendor ID: CISCO-UNITY 
00:17:11 ipsec received Vendor ID: DPD 
00:17:11 ipsec,debug remote supports DPD 
00:17:11 ipsec,debug received unknown Vendor ID 
00:17:11 ipsec,debug ca0fa0c2 1dc63e73 78abcb9a f94a523b 
00:17:11 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
00:17:11 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug NAT-D payload #0 verified 
00:17:11 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug NAT-D payload #1 verified 
00:17:11 ipsec NAT not detected  
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug nonce 1:  
00:17:11 ipsec,debug 9daa4075 f5892b90 99e02a51 7fd37b46 19722727 5c81e14c 
00:17:11 ipsec,debug nonce 2:  
00:17:11 ipsec,debug 666bc150 1bb004a6 9f5795b4 f919cf63 5684108e 
00:17:11 ipsec,debug SKEYID computed: 
00:17:11 ipsec,debug 8d80fc4c 87d45b59 f8279d33 4c37100f b491e060 
00:17:11 ipsec,debug SKEYID_d computed: 
00:17:11 ipsec,debug 5c929e91 ca102cc2 b59a2b0b ea16e0ad 8cb06001 
00:17:11 ipsec,debug SKEYID_a computed: 
00:17:11 ipsec,debug bda8c1d3 2d599ed9 d98317c6 362a55a1 c39eea7b 
00:17:11 ipsec,debug SKEYID_e computed: 
00:17:11 ipsec,debug b7b0fd46 13f18fcb bd614fea 29b30877 e105d7ff 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug final encryption key computed: 
00:17:11 ipsec,debug b7b0fd46 13f18fcb bd614fea 29b30877 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug IV computed: 
00:17:11 ipsec,debug aa4ef65c 0ed7ab01 55a9d3d2 7707dacd 
00:17:11 ipsec,debug use ID type of IPv4_address 
00:17:11 ipsec,debug add payload of len 8, next type 8 
00:17:11 ipsec,debug add payload of len 20, next type 0 
00:17:11 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:3fc807df1dc73e73 
00:17:11 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=5(id) len=12 
00:17:11 ipsec,debug seen nptype=8(hash) len=24 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug HASH received: 
00:17:11 ipsec,debug d20117da e9dc5bcb fd5bfe45 869a2978 10063dec 
00:17:11 ipsec,debug HASH for PSK validated. 
00:17:11 ipsec,debug 192.168.222.2 peer's ID: 
00:17:11 ipsec,debug 011101f4 c0a8de02 
00:17:11 ipsec,debug === 
00:17:11 ipsec ph2 possible after ph1 creation 
00:17:11 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:11 ipsec,debug begin QUICK mode. 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug begin QUICK mode. 
00:17:11 ipsec initiate new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug call pfkey_send_getspi 6 
00:17:11 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
00:17:11 ipsec,debug pfkey getspi sent. 
00:17:11 ipsec,info ISAKMP-SA established 192.168.222.5[500]-192.168.222.2[500] spi:71ffcbce1a50cb0e:3fc807df1dc73e73 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug receive Information. 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug hash validated. 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=8(hash) len=24 
00:17:11 ipsec,debug seen nptype=11(notify) len=40 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug 192.168.222.2 notify: RESPONDER-LIFETIME 
00:17:11 ipsec,debug 192.168.222.2 notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=1 spi=71ffcbce1a50cb0e3fc807df1dc73e73(size=16). 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug use local ID type IPv4_subnet 
00:17:11 ipsec,debug use remote ID type IPv4_subnet 
00:17:11 ipsec,debug IDci: 
00:17:11 ipsec,debug 042f0000 ac100200 ffffff00 
00:17:11 ipsec,debug IDcr: 
00:17:11 ipsec,debug 042f0000 01010100 ffffff00 
00:17:11 ipsec,debug add payload of len 56, next type 10 
00:17:11 ipsec,debug add payload of len 24, next type 4 
00:17:11 ipsec,debug add payload of len 128, next type 5 
00:17:11 ipsec,debug add payload of len 12, next type 5 
00:17:11 ipsec,debug add payload of len 12, next type 0 
00:17:11 ipsec,debug add payload of len 20, next type 1 
00:17:11 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:3fc807df1dc73e73:b2a57df5 
00:17:11 ipsec,debug ===== received 348 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=8(hash) len=24 
00:17:11 ipsec,debug seen nptype=1(sa) len=60 
00:17:11 ipsec,debug seen nptype=10(nonce) len=24 
00:17:11 ipsec,debug seen nptype=4(ke) len=132 
00:17:11 ipsec,debug seen nptype=5(id) len=16 
00:17:11 ipsec,debug seen nptype=5(id) len=16 
00:17:11 ipsec,debug seen nptype=11(notify) len=40 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug 192.168.222.2 Notify Message received 
00:17:11 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
00:17:11 ipsec,debug IDci matches proposal. 
00:17:11 ipsec,debug IDcr matches proposal. 
00:17:11 ipsec,debug HASH allocated:hbuf->l=344 actual:tlen=312 
00:17:11 ipsec,debug HASH(2) received: 
00:17:11 ipsec,debug 8d0ecf44 0a115c6a 57b520a4 195c8409 c9928c46 
00:17:11 ipsec,debug total SA len=56 
00:17:11 ipsec,debug 00000001 00000001 00000030 01030401 0d41992d 00000024 010c0000 80010001 
00:17:11 ipsec,debug 00020004 00015180 80040001 80060080 80050002 80030002 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=2(prop) len=48 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug proposal #1 len=48 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=3(trns) len=36 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug transform #1 len=36 
00:17:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug pair 1: 
00:17:11 ipsec,debug  0x4aa290: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug proposal #1: 1 transform 
00:17:11 ipsec,debug total SA len=56 
00:17:11 ipsec,debug 00000001 00000001 00000030 01030401 16e169e8 00000024 010c0000 80040001 
00:17:11 ipsec,debug 80010001 00020004 00015180 80050002 80060080 80030002 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=2(prop) len=48 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug proposal #1 len=48 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=3(trns) len=36 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug transform #1 len=36 
00:17:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug pair 1: 
00:17:11 ipsec,debug  0x4aa4b8: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug proposal #1: 1 transform 
00:17:11 ipsec attribute has been modified. 
00:17:11 ipsec,debug begin compare proposals. 
00:17:11 ipsec,debug pair[1]: 0x4aa4b8 
00:17:11 ipsec,debug  0x4aa4b8: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
00:17:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:11 ipsec,debug peer's single bundle: 
00:17:11 ipsec,debug  (proto_id=ESP spisize=4 spi=16e169e8 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:11 ipsec,debug my single bundle: 
00:17:11 ipsec,debug  (proto_id=ESP spisize=4 spi=0d41992d spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:11 ipsec,debug matched 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug HASH(3) generate 
00:17:11 ipsec,debug add payload of len 20, next type 0 
00:17:11 ipsec,debug 60 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 60 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug encklen=128 authklen=160 
00:17:11 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:11 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:11 ipsec,debug 9f14e177 32f04649 cb7fd47a 10723391 d8bea395 3ccc465c cef04c88 7122db55 
00:17:11 ipsec,debug 192a0736 0cac4512 5257853d 5890b327 4dbb74ba 3a9a2cc3 ad38954e 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug encklen=128 authklen=160 
00:17:11 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:11 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:11 ipsec,debug 51b1da8f 4bc1ced0 6f3256e5 adb8dab4 f43b40ae 212cb2eb 2f1c4080 71a7244d 
00:17:11 ipsec,debug 931476a6 f36af815 25fddfba 743e4454 02a2ba1c f42f4ec2 de1446ee 
00:17:11 ipsec,debug KEYMAT computed. 
00:17:11 ipsec,debug call pk_sendupdate 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug call pfkey_send_update_nat 
00:17:11 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0xd41992d 
00:17:11 ipsec,debug pfkey update sent. 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug call pfkey_send_add_nat 
00:17:11 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x16e169e8 
00:17:11 ipsec,debug pfkey add sent. 
00:17:37 ipsec,debug ===== received 316 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:37 ipsec,debug hash(sha1) 
00:17:37 ipsec,debug === 
00:17:37 ipsec respond new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=8(hash) len=24 
00:17:37 ipsec,debug seen nptype=1(sa) len=68 
00:17:37 ipsec,debug seen nptype=10(nonce) len=24 
00:17:37 ipsec,debug seen nptype=4(ke) len=132 
00:17:37 ipsec,debug seen nptype=5(id) len=16 
00:17:37 ipsec,debug seen nptype=5(id) len=16 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug received IDci2: 
00:17:37 ipsec,debug 042f0000 00000000 00000000 
00:17:37 ipsec,debug received IDcr2: 
00:17:37 ipsec,debug 042f0000 00000000 00000000 
00:17:37 ipsec,debug HASH(1) validate: 
00:17:37 ipsec,debug 1e86a402 22ffbd5c 8036935d 402734be 5063aa8a 
00:17:37 ipsec,debug total SA len=64 
00:17:37 ipsec,debug 00000001 00000001 00000038 01030401 ef8079ea 0000002c 010c0000 80040001 
00:17:37 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=2(prop) len=56 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug proposal #1 len=56 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=3(trns) len=44 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug transform #1 len=44 
00:17:37 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:37 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:37 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:17:37 ipsec,debug life duration was in TLV. 
00:17:37 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:17:37 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:37 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:37 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:37 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:37 ipsec,debug dh(modp1024) 
00:17:37 ipsec,debug pair 1: 
00:17:37 ipsec,debug  0x4aab08: next=(nil) tnext=(nil) 
00:17:37 ipsec,debug proposal #1: 1 transform 
00:17:37 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:37 ipsec,debug got the peer address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:37 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47 
00:17:37 ipsec policy not found 
00:17:37 ipsec failed to get proposal for responder. 
00:17:37 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
00:17:37 ipsec,debug hash(sha1) 
00:17:37 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:37 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:37 ipsec,debug sendto Information notify. 
00:17:37 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:37 ipsec,debug receive Information. 
00:17:37 ipsec,debug hash(sha1) 
00:17:37 ipsec,debug hash validated. 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=8(hash) len=24 
00:17:37 ipsec,debug seen nptype=12(delete) len=28 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug 192.168.222.2 delete payload for protocol ISAKMP 
00:17:37 ipsec,info purging ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=71ffcbce1a50cb0e:3fc807df1dc73e73. 
00:17:37 ipsec purged IPsec-SA proto_id=ESP spi=0x16e169e8 
00:17:37 ipsec purged IPsec-SA proto_id=ESP spi=0xd41992d 
00:17:37 ipsec purged ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=71ffcbce1a50cb0e:3fc807df1dc73e73. 
00:17:37 ipsec,debug purged SAs. 
00:17:37 ipsec,info ISAKMP-SA deleted 192.168.222.5[500]-192.168.222.2[500] spi:71ffcbce1a50cb0e:3fc807df1dc73e73 rekey:1 
00:17:41 ipsec,debug === 
00:17:41 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:41 ipsec,debug new cookie: 
00:17:41 ipsec,debug 0e8ff9c25a73fec3 
00:17:41 ipsec,debug add payload of len 56, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 0 
00:17:41 ipsec,debug 348 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 348 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:0000000000000000 
00:17:41 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=1(sa) len=60 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec received Vendor ID: RFC 3947 
00:17:41 ipsec 192.168.222.2 Selected NAT-T version: RFC 3947 
00:17:41 ipsec,debug total SA len=56 
00:17:41 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
00:17:41 ipsec,debug 80020002 80040002 80030001 800b0001 000c0004 00015180 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=2(prop) len=48 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug proposal #1 len=48 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=3(trns) len=40 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug transform #1 len=40 
00:17:41 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:41 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug pair 1: 
00:17:41 ipsec,debug  0x4a4188: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug proposal #1: 1 transform 
00:17:41 ipsec,debug -checking with pre-shared key auth- 
00:17:41 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
00:17:41 ipsec,debug trns#=1, trns-id=IKE 
00:17:41 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:41 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:41 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug -compare proposal #1: Local:Peer 
00:17:41 ipsec,debug (lifetime = 86400:86400) 
00:17:41 ipsec,debug (lifebyte = 0:0) 
00:17:41 ipsec,debug enctype = AES-CBC:AES-CBC 
00:17:41 ipsec,debug (encklen = 128:128) 
00:17:41 ipsec,debug hashtype = SHA:SHA 
00:17:41 ipsec,debug authmethod = pre-shared key:pre-shared key 
00:17:41 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
00:17:41 ipsec,debug -an acceptable proposal found- 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug -agreed on pre-shared key auth- 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec Adding remote and local NAT-D payloads. 
00:17:41 ipsec,debug add payload of len 128, next type 10 
00:17:41 ipsec,debug add payload of len 24, next type 20 
00:17:41 ipsec,debug add payload of len 20, next type 20 
00:17:41 ipsec,debug add payload of len 20, next type 0 
00:17:41 ipsec,debug 236 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86 
00:17:41 ipsec,debug ===== received 304 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=4(ke) len=132 
00:17:41 ipsec,debug seen nptype=10(nonce) len=24 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug seen nptype=13(vid) len=12 
00:17:41 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:41 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec received Vendor ID: CISCO-UNITY 
00:17:41 ipsec received Vendor ID: DPD 
00:17:41 ipsec,debug remote supports DPD 
00:17:41 ipsec,debug received unknown Vendor ID 
00:17:41 ipsec,debug ca0fa0c2 e1ca3d86 47ec367c 0004b25d 
00:17:41 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
00:17:41 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug NAT-D payload #0 verified 
00:17:41 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug NAT-D payload #1 verified 
00:17:41 ipsec NAT not detected  
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug nonce 1:  
00:17:41 ipsec,debug a4a83f35 bff57990 18a9563c c623a779 da3d10b7 138b49b7 
00:17:41 ipsec,debug nonce 2:  
00:17:41 ipsec,debug bd64b1ef b16656df c0a53228 a176986e 1d3b302a 
00:17:41 ipsec,debug SKEYID computed: 
00:17:41 ipsec,debug 6a78919f a968d9d0 822d8cdc b9791b94 66b45345 
00:17:41 ipsec,debug SKEYID_d computed: 
00:17:41 ipsec,debug f55fe712 4c677562 485a55d2 d92a599e 0f4b9576 
00:17:41 ipsec,debug SKEYID_a computed: 
00:17:41 ipsec,debug 57f6c670 f2d49fc7 1451ed00 c0feac9f af10a06f 
00:17:41 ipsec,debug SKEYID_e computed: 
00:17:41 ipsec,debug 94d6e246 493672e5 69286eef 59fdc3b9 ac8ee21f 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug final encryption key computed: 
00:17:41 ipsec,debug 94d6e246 493672e5 69286eef 59fdc3b9 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug IV computed: 
00:17:41 ipsec,debug a7c3b93f f16e6177 2831fae1 7489ab4f 
00:17:41 ipsec,debug use ID type of IPv4_address 
00:17:41 ipsec,debug add payload of len 8, next type 8 
00:17:41 ipsec,debug add payload of len 20, next type 0 
00:17:41 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86 
00:17:41 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=5(id) len=12 
00:17:41 ipsec,debug seen nptype=8(hash) len=24 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug HASH received: 
00:17:41 ipsec,debug dfc5e2b3 5495722f c3d2e6de d23af136 05cdb95e 
00:17:41 ipsec,debug HASH for PSK validated. 
00:17:41 ipsec,debug 192.168.222.2 peer's ID: 
00:17:41 ipsec,debug 011101f4 c0a8de02 
00:17:41 ipsec,debug === 
00:17:41 ipsec ph2 possible after ph1 creation 
00:17:41 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:41 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:41 ipsec,debug begin QUICK mode. 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug begin QUICK mode. 
00:17:41 ipsec initiate new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug call pfkey_send_getspi 9 
00:17:41 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
00:17:41 ipsec,debug pfkey getspi sent. 
00:17:41 ipsec,info ISAKMP-SA established 192.168.222.5[500]-192.168.222.2[500] spi:0e8ff9c25a73fec3:3fc807dfe1cb3d86 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug receive Information. 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug hash validated. 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=8(hash) len=24 
00:17:41 ipsec,debug seen nptype=11(notify) len=40 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug 192.168.222.2 notify: RESPONDER-LIFETIME 
00:17:41 ipsec,debug 192.168.222.2 notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=1 spi=0e8ff9c25a73fec33fc807dfe1cb3d86(size=16). 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug use local ID type IPv4_subnet 
00:17:41 ipsec,debug use remote ID type IPv4_subnet 
00:17:41 ipsec,debug IDci: 
00:17:41 ipsec,debug 042f0000 ac100200 ffffff00 
00:17:41 ipsec,debug IDcr: 
00:17:41 ipsec,debug 042f0000 01010100 ffffff00 
00:17:41 ipsec,debug add payload of len 56, next type 10 
00:17:41 ipsec,debug add payload of len 24, next type 4 
00:17:41 ipsec,debug add payload of len 128, next type 5 
00:17:41 ipsec,debug add payload of len 12, next type 5 
00:17:41 ipsec,debug add payload of len 12, next type 0 
00:17:41 ipsec,debug add payload of len 20, next type 1 
00:17:41 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86:bb09d946 
00:17:41 ipsec,debug ===== received 348 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=8(hash) len=24 
00:17:41 ipsec,debug seen nptype=1(sa) len=60 
00:17:41 ipsec,debug seen nptype=10(nonce) len=24 
00:17:41 ipsec,debug seen nptype=4(ke) len=132 
00:17:41 ipsec,debug seen nptype=5(id) len=16 
00:17:41 ipsec,debug seen nptype=5(id) len=16 
00:17:41 ipsec,debug seen nptype=11(notify) len=40 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug 192.168.222.2 Notify Message received 
00:17:41 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
00:17:41 ipsec,debug IDci matches proposal. 
00:17:41 ipsec,debug IDcr matches proposal. 
00:17:41 ipsec,debug HASH allocated:hbuf->l=344 actual:tlen=312 
00:17:41 ipsec,debug HASH(2) received: 
00:17:41 ipsec,debug cd647641 bd1a5995 6c331634 502fe38c b59fa1c8 
00:17:41 ipsec,debug total SA len=56 
00:17:41 ipsec,debug 00000001 00000001 00000030 01030401 04022cc5 00000024 010c0000 80010001 
00:17:41 ipsec,debug 00020004 00015180 80040001 80060080 80050002 80030002 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=2(prop) len=48 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug proposal #1 len=48 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=3(trns) len=36 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug transform #1 len=36 
00:17:41 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug pair 1: 
00:17:41 ipsec,debug  0x4a9a10: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug proposal #1: 1 transform 
00:17:41 ipsec,debug total SA len=56 
00:17:41 ipsec,debug 00000001 00000001 00000030 01030401 50fc8dd1 00000024 010c0000 80040001 
00:17:41 ipsec,debug 80010001 00020004 00015180 80050002 80060080 80030002 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=2(prop) len=48 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug proposal #1 len=48 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=3(trns) len=36 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug transform #1 len=36 
00:17:41 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:41 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug pair 1: 
00:17:41 ipsec,debug  0x4aae88: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug proposal #1: 1 transform 
00:17:41 ipsec attribute has been modified. 
00:17:41 ipsec,debug begin compare proposals. 
00:17:41 ipsec,debug pair[1]: 0x4aae88 
00:17:41 ipsec,debug  0x4aae88: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
00:17:41 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:41 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:41 ipsec,debug peer's single bundle: 
00:17:41 ipsec,debug  (proto_id=ESP spisize=4 spi=50fc8dd1 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:41 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:41 ipsec,debug my single bundle: 
00:17:41 ipsec,debug  (proto_id=ESP spisize=4 spi=04022cc5 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:41 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:41 ipsec,debug matched 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug HASH(3) generate 
00:17:41 ipsec,debug add payload of len 20, next type 0 
00:17:41 ipsec,debug 60 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 60 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug encklen=128 authklen=160 
00:17:41 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:41 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:41 ipsec,debug feea0b12 f2ec21d0 59028591 0a17a902 62bf1099 f25b4723 cd84a39c 809f495a 
00:17:41 ipsec,debug b773dc67 2b79f19d 2e2c9477 eb615496 0f86d989 37581cd5 ed37ceef 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug encklen=128 authklen=160 
00:17:41 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:41 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:41 ipsec,debug fe719e9d cbe9e275 c1679ba4 8708e008 7eefb819 d8f755c6 1748b7b7 eeba0945 
00:17:41 ipsec,debug 301d9e1e 426b509b 6ca47e22 7ad1c123 c4ab805c 64b28270 9d9d770a 
00:17:41 ipsec,debug KEYMAT computed. 
00:17:41 ipsec,debug call pk_sendupdate 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug call pfkey_send_update_nat 
00:17:41 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x4022cc5 
00:17:41 ipsec,debug pfkey update sent. 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug call pfkey_send_add_nat 
00:17:41 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x50fc8dd1 
00:17:41 ipsec,debug pfkey add sent. 
00:18:06 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:06 ipsec,debug receive Information. 
00:18:06 ipsec,debug hash(sha1) 
00:18:06 ipsec,debug hash validated. 
00:18:06 ipsec,debug begin. 
00:18:06 ipsec,debug seen nptype=8(hash) len=24 
00:18:06 ipsec,debug seen nptype=12(delete) len=16 
00:18:06 ipsec,debug succeed. 
00:18:06 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:06 ipsec,debug purged SAs. 
00:18:06 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:06 ipsec,debug receive Information. 
00:18:06 ipsec,debug hash(sha1) 
00:18:06 ipsec,debug hash validated. 
00:18:06 ipsec,debug begin. 
00:18:06 ipsec,debug seen nptype=8(hash) len=24 
00:18:06 ipsec,debug seen nptype=12(delete) len=16 
00:18:06 ipsec,debug succeed. 
00:18:06 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:06 ipsec,debug purged SAs. 
00:18:11 ipsec,debug ===== received 316 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug hash(sha1) 
00:18:11 ipsec,debug === 
00:18:11 ipsec respond new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug seen nptype=1(sa) len=68 
00:18:11 ipsec,debug seen nptype=10(nonce) len=24 
00:18:11 ipsec,debug seen nptype=4(ke) len=132 
00:18:11 ipsec,debug seen nptype=5(id) len=16 
00:18:11 ipsec,debug seen nptype=5(id) len=16 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug received IDci2: 
00:18:11 ipsec,debug 042f0000 01010100 ffffff00 
00:18:11 ipsec,debug received IDcr2: 
00:18:11 ipsec,debug 042f0000 ac100200 ffffff00 
00:18:11 ipsec,debug HASH(1) validate: 
00:18:11 ipsec,debug 2f4b408c 00cce621 8c00155c 3d04680d 0d8e1063 
00:18:11 ipsec,debug total SA len=64 
00:18:11 ipsec,debug 00000001 00000001 00000038 01030401 07ff298f 0000002c 010c0000 80040001 
00:18:11 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=2(prop) len=56 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug proposal #1 len=56 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=3(trns) len=44 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug transform #1 len=44 
00:18:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:18:11 ipsec,debug life duration was in TLV. 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:18:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:18:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:18:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:18:11 ipsec,debug dh(modp1024) 
00:18:11 ipsec,debug pair 1: 
00:18:11 ipsec,debug  0x4ab7d8: next=(nil) tnext=(nil) 
00:18:11 ipsec,debug proposal #1: 1 transform 
00:18:11 ipsec,debug got the local address from ID payload 172.16.2.0[0] prefixlen=24 ul_proto=47 
00:18:11 ipsec,debug got the peer address from ID payload 1.1.1.0[0] prefixlen=24 ul_proto=47 
00:18:11 ipsec searching for policy for selector: 172.16.2.0/24 ip-proto:47 <=> 1.1.1.0/24 ip-proto:47 
00:18:11 ipsec using strict match: 172.16.2.0/24 <=> 1.1.1.0/24 ip-proto:47 
00:18:11 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:18:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:18:11 ipsec,debug begin compare proposals. 
00:18:11 ipsec,debug pair[1]: 0x4ab7d8 
00:18:11 ipsec,debug  0x4ab7d8: next=(nil) tnext=(nil) 
00:18:11 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
00:18:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:18:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:18:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:18:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:18:11 ipsec,debug peer's single bundle: 
00:18:11 ipsec,debug  (proto_id=ESP spisize=4 spi=07ff298f spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:18:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:18:11 ipsec,debug my single bundle: 
00:18:11 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:18:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:18:11 ipsec,debug matched 
00:18:11 ipsec,debug === 
00:18:11 ipsec,debug call pfkey_send_getspi a 
00:18:11 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
00:18:11 ipsec,debug pfkey getspi sent. 
00:18:11 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug receive Information. 
00:18:11 ipsec,debug hash(sha1) 
00:18:11 ipsec,debug hash validated. 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug seen nptype=12(delete) len=16 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:11 ipsec,debug purged SAs. 
00:18:11 ipsec,debug total SA len=64 
00:18:11 ipsec,debug 00000001 00000001 00000038 01030401 00000000 0000002c 010c0000 80040001 
00:18:11 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=2(prop) len=56 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug proposal #1 len=56 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=3(trns) len=44 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug transform #1 len=44 
00:18:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:18:11 ipsec,debug life duration was in TLV. 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:18:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:18:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:18:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:18:11 ipsec,debug dh(modp1024) 
00:18:11 ipsec,debug pair 1: 
00:18:11 ipsec,debug  0x4ab808: next=(nil) tnext=(nil) 
00:18:11 ipsec,debug proposal #1: 1 transform 
00:18:11 ipsec,debug dh(modp1024) 
00:18:11 ipsec,debug add payload of len 64, next type 10 
00:18:11 ipsec,debug add payload of len 24, next type 4 
00:18:11 ipsec,debug add payload of len 128, next type 5 
00:18:11 ipsec,debug add payload of len 12, next type 5 
00:18:11 ipsec,debug add payload of len 12, next type 0 
00:18:11 ipsec,debug add payload of len 20, next type 1 
00:18:11 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:18:11 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
00:18:11 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86:606f293d 
00:18:11 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug receive Information. 
00:18:11 ipsec,debug hash(sha1) 
00:18:11 ipsec,debug hash validated. 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug seen nptype=12(delete) len=16 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:11 ipsec purged IPsec-SA proto_id=ESP spi=0x50fc8dd1 
00:18:11 ipsec purged IPsec-SA proto_id=ESP spi=0x4022cc5 
00:18:11 ipsec,debug purged SAs. 
00:18:11 ipsec,debug ===== received 60 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug HASH(3) validate: 
00:18:11 ipsec,debug a0cf7e31 11a4a211 aa4b3876 d4382240 f0e601d7 
00:18:11 ipsec,debug === 
00:18:11 ipsec,debug dh(modp1024) 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug encklen=128 authklen=160 
00:18:12 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:18:12 ipsec,debug generating K1...K3 for KEYMAT. 
00:18:12 ipsec,debug d5e37685 5851e424 db1d218d 39b67298 630880af 83b64055 3b592daf cbcc28be 
00:18:12 ipsec,debug d046c5c0 0106ef44 f04625d8 47209c43 5420cbf2 6bfacd2c 7302f32a 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug encklen=128 authklen=160 
00:18:12 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:18:12 ipsec,debug generating K1...K3 for KEYMAT. 
00:18:12 ipsec,debug 986d244e 11974aac 6ddc1217 6a980409 329f6f2c b953f9a0 9ca3a045 461b9c25 
00:18:12 ipsec,debug 367ca0fa be92017f db3eec22 e3375b62 aaca1161 c7c31376 7b632dac 
00:18:12 ipsec,debug KEYMAT computed. 
00:18:12 ipsec,debug call pk_sendupdate 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug call pfkey_send_update_nat 
00:18:12 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x889d24a 
00:18:12 ipsec,debug pfkey update sent. 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug call pfkey_send_add_nat 
00:18:12 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x7ff298f 
00:18:12 ipsec,debug pfkey add sent.

please let me know if there is still any ambiguity or inconsistency.