Hellow!
Dear colleagues, please help me debug IPSEC IKE2 connection: WIN10(ISP1,natted)->CRS328-24P-4S+(IPS2,Public IP), this is typical road warrior setup with RSA.
My config:
# apr/11/2020 17:53:02 by RouterOS 6.46.5
# software id = HS7D-L3T2
#
# model = CRS328-24P-4S+
# serial number = A1A10AE98CF6
/interface bridge
add name=Bridge_IKE2 protocol-mode=none
add admin-mac=74:4D:28:B9:60:EF auto-mac=no comment=defconf fast-forward=no \
name=bridge_LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full name=ether1_WAN poe-out=off \
speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] poe-out=off rx-flow-control=auto speed=\
100Mbps tx-flow-control=auto
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] rx-flow-control=auto speed=100Mbps \
tx-flow-control=auto
set [ find default-name=ether21 ] poe-out=off rx-flow-control=auto speed=\
100Mbps tx-flow-control=auto
set [ find default-name=ether22 ] mac-address=74:4D:28:B9:61:03 poe-out=off \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether23 ] poe-out=off speed=100Mbps
set [ find default-name=ether24 ] poe-out=off speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] disabled=yes speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] disabled=yes speed=10Gbps
set [ find default-name=sfp-sfpplus3 ] disabled=yes speed=10Gbps
set [ find default-name=sfp-sfpplus4 ] disabled=yes speed=10Gbps
/interface sstp-server
add name=sstp-Emin user=ruser5
add name=sstp-arcady user=arcady
/interface bonding
add link-monitoring=none mode=802.3ad name=bonding_QNAP slaves=\
ether21,ether22
/interface list
add name=WAN
add name=LAN
/ip dhcp-server option
add code=1 name=option1
/ip ipsec policy group
add name=group_IKE2_DynemicUsers
add name=group_T
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128 name=Site_to_site_IKE2
add enc-algorithm=aes-256,aes-128,3des name=VPNUsers
/ip ipsec peer
add address=qp451.myqnapcloud.com exchange-mode=ike2 local-address=\
W_IP.W_IP.W_IP.W_IP name=peer_QP port=500 profile=Site_to_site_IKE2
add address=IP1.IP1.IP1.IP1/32 exchange-mode=ike2 local-address=W_IP.W_IP.W_IP.W_IP \
name=SK10_CloudSL port=500 profile=Site_to_site_IKE2 \
send-initial-contact=no
add address=IP2.IP2.IP2.IP2/32 exchange-mode=ike2 local-address=W_IP.W_IP.W_IP.W_IP \
name=SK10_HQ port=500 profile=Site_to_site_IKE2
add exchange-mode=ike2 local-address=W_IP.W_IP.W_IP.W_IP name=peer_Dynemic \
passive=yes profile=VPNUsers
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=\
aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-256-cbc,aes-128-cbc name=Site_to_site_IPSec pfs-group=\
modp2048
add enc-algorithms=aes-256-cbc,aes-128-cbc name=VPNUsers
/ip pool
add name=dhcp ranges=10.100.100.50-10.100.100.150
add name=VPN_Clients ranges=10.250.250.2-10.250.250.50
add name=pool_IKE2 ranges=10.255.255.2-10.255.255.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge_LAN name=dhcp1
/ip ipsec mode-config
add address-pool=pool_IKE2 address-prefix-length=32 name=IKE2_vpn \
split-include=10.100.100.0/24 system-dns=no
/ppp profile
add change-tcp-mss=yes local-address=10.250.250.1 name=SSTP remote-address=\
VPN_Clients use-encryption=required use-mpls=no
add address-list=EXTVPN change-tcp-mss=yes local-address=10.250.250.1 name=\
SSTP_EXTVPN remote-address=VPN_Clients use-encryption=required use-mpls=\
no
set *FFFFFFFE use-encryption=required
/queue simple
add disabled=yes max-limit=45M/45M name=Other packet-marks=no-mark queue=\
pcq-upload-default/pcq-download-default target=bridge_LAN
add disabled=yes max-limit=2M/2M name=VoIP packet-marks=VoIP priority=2/2 \
queue=pcq-upload-default/pcq-download-default target=bridge_LAN
/queue tree
add name=VoIP_Download packet-mark=VoIP_pReceive parent=global priority=2 \
queue=pcq-download-default
add name=VoIP_Upload packet-mark=VoIP_pSend parent=global priority=2 queue=\
pcq-upload-default
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/certificate settings
set crl-download=no crl-store=system
/interface bridge port
add bridge=bridge_LAN comment=defconf interface=ether2
add bridge=bridge_LAN comment=defconf interface=ether3
add bridge=bridge_LAN comment=defconf interface=ether4
add bridge=bridge_LAN comment=defconf interface=ether5
add bridge=bridge_LAN comment=defconf interface=ether6
add bridge=bridge_LAN comment=defconf interface=ether7
add bridge=bridge_LAN comment=defconf interface=ether8
add bridge=bridge_LAN comment=defconf interface=ether9
add bridge=bridge_LAN comment=defconf interface=ether10
add bridge=bridge_LAN comment=defconf interface=ether11
add bridge=bridge_LAN comment=defconf interface=ether12
add bridge=bridge_LAN comment=defconf interface=ether13
add bridge=bridge_LAN comment=defconf interface=ether14
add bridge=bridge_LAN comment=defconf interface=ether15
add bridge=bridge_LAN comment=defconf interface=ether16
add bridge=bridge_LAN comment=defconf interface=ether17
add bridge=bridge_LAN comment=defconf interface=ether18
add bridge=bridge_LAN comment=defconf interface=ether19
add bridge=bridge_LAN comment=defconf interface=ether20
add bridge=bridge_LAN comment=defconf interface=ether23
add bridge=bridge_LAN comment=defconf interface=ether24
add bridge=bridge_LAN comment=defconf interface=sfp-sfpplus1
add bridge=bridge_LAN comment=defconf interface=sfp-sfpplus2
add bridge=bridge_LAN comment=defconf interface=sfp-sfpplus3
add bridge=bridge_LAN comment=defconf interface=sfp-sfpplus4
add bridge=bridge_LAN interface=bonding_QNAP
/ip firewall connection tracking
set generic-timeout=0ms icmp-timeout=0ms loose-tcp-tracking=no \
tcp-close-timeout=0ms tcp-close-wait-timeout=0ms tcp-established-timeout=\
0ms tcp-fin-wait-timeout=0ms tcp-last-ack-timeout=0ms \
tcp-max-retrans-timeout=0ms tcp-syn-received-timeout=0ms \
tcp-syn-sent-timeout=0ms tcp-time-wait-timeout=0ms tcp-unacked-timeout=\
0ms udp-stream-timeout=0ms udp-timeout=0ms
/interface l2tp-server server
set authentication=mschap2 use-ipsec=required
/interface list member
add interface=bridge_LAN list=LAN
add interface=ether1_WAN list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=VPNDNS default-profile=\
default-encryption enabled=yes force-aes=yes
/ip address
add address=10.100.100.1/24 comment=defconf interface=bridge_LAN network=\
10.100.100.0
add address=W_IP.W_IP.W_IP.W_IP/30 interface=ether1_WAN network=W_NET.W_NET.W_NET.W_NET
add address=10.255.255.1/24 interface=Bridge_IKE2 network=10.255.255.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server network
add address=10.100.100.0/24 dns-server=10.100.100.1 domain=tm.local gateway=\
10.100.100.1 netmask=24 wins-server=10.100.100.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.100.100.31 regexp="host[0-9]|[0-9]{2}.test"
add address=W_IP.W_IP.W_IP.W_IP name=server.techno-mir.net
/ip firewall address-list
add address=10.100.100.11-10.100.100.20 list="VoIP Phones"
add address=10.0.14.0/23 list="VPN lans"
add address=192.168.0.0/24 list="VPN lans"
add address=10.0.12.0/24 list="VPN lans"
add address=10.250.250.254 list=EXTVPN
add address=10.255.255.0/24 list="VPN lans"
add address=172.16.250.0/24 list="VPN lans"
add address=192.168.88.0/24 list="VPN lans"
/ip firewall filter
add action=accept chain=forward comment="Accept est/ and related conn" \
connection-state=established,related,untracked
add action=accept chain=input comment="Accept est/ and related conn" \
connection-state=established,related,untracked
add action=accept chain=input connection-state="" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPsec in" connection-state="" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPsec out" connection-state="" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="Winbox & HTTPS from WAN" dst-port=\
8291,443,80 protocol=tcp
add action=accept chain=input comment="" dst-port=\
500,4500,1701 in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="" in-interface=\
ether1_WAN protocol=ipsec-esp
add action=accept chain=input comment="Accept est/ and related conn" \
protocol=icmp
add action=drop chain=forward dst-address=!10.100.100.31 src-address-list=\
EXTVPN
add action=fasttrack-connection chain=forward comment="Accept fasttrack" \
connection-state=established,related disabled=yes
add action=drop chain=input comment="Drop all from WAN" in-interface-list=\
!LAN log-prefix="Drop from input"
add action=drop chain=forward comment="Drop inalid" connection-state=invalid
add action=drop chain=input comment="Drop all from WAN" connection-state=\
invalid log-prefix="Drop from input"
add action=drop chain=forward comment="Drop WAN -> LAN" connection-nat-state=\
!dstnat in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1360 \
passthrough=yes protocol=tcp src-address-list="VPN lans" tcp-flags=syn \
tcp-mss=!0-1360
add action=change-mss chain=forward dst-address-list="VPN lans" ipsec-policy=\
out,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address-list="" \
tcp-flags=syn tcp-mss=!0-1360
add action=mark-connection chain=prerouting new-connection-mark=VoIP_send \
passthrough=yes src-address-list="VoIP Phones" tcp-flags=""
add action=mark-connection chain=forward dst-address-list="VoIP Phones" \
new-connection-mark=VoIP_Receve passthrough=yes
add action=mark-packet chain=prerouting connection-mark=VoIP_send \
new-packet-mark=VoIP_pSend passthrough=no
add action=mark-packet chain=forward connection-mark=VoIP_Receve \
new-packet-mark=VoIP_pReceive passthrough=no
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address-list="VPN lans"
add action=dst-nat chain=dstnat dst-port=4080 in-interface-list=WAN protocol=\
tcp to-addresses=10.100.100.31 to-ports=80
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN src-address=10.100.100.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=SK10_MT_IKE2.crt_0 match-by=\
certificate peer=SK10_HQ remote-certificate=cert_export_SSTP_Server.crt_0
add peer=peer_QP
add auth-method=digital-signature certificate=Server generate-policy=\
port-strict match-by=certificate mode-config=IKE2_vpn notrack-chain=\
prerouting peer=peer_Dynemic policy-template-group=\
group_IKE2_DynemicUsers remote-certificate=RUser
add generate-policy=port-strict my-id=fqdn:server.techno-mir.net peer=\
peer_Dynemic policy-template-group=group_T remote-id=\
user-fqdn:alex32c@tm.net
add generate-policy=port-strict notrack-chain=prerouting peer=peer_Dynemic \
policy-template-group=group_T
add peer=SK10_CloudSL
/ip ipsec policy
add dst-address=10.0.12.0/24 peer=SK10_CloudSL proposal=Site_to_site_IPSec \
sa-dst-address=92.246.148.41 sa-src-address=W_IP.W_IP.W_IP.W_IP src-address=\
10.100.100.0/24 tunnel=yes
add dst-address=10.0.14.0/23 peer=SK10_HQ proposal=Site_to_site_IPSec \
sa-dst-address=87.117.9.31 sa-src-address=W_IP.W_IP.W_IP.W_IP src-address=\
10.100.100.0/24 tunnel=yes
add dst-address=172.16.91.0/24 peer=SK10_HQ proposal=Site_to_site_IPSec \
sa-dst-address=87.117.9.31 sa-src-address=W_IP.W_IP.W_IP.W_IP src-address=\
10.100.100.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=peer_QP proposal=Site_to_site_IPSec \
sa-dst-address=5.167.50.85 sa-src-address=W_IP.W_IP.W_IP.W_IP src-address=\
10.100.100.0/24 tunnel=yes
add dst-address=10.255.255.0/24 group=group_IKE2_DynemicUsers proposal=\
VPNUsers src-address=0.0.0.0/0 template=yes
add comment="IKE2 Site2Site dynemic" dst-address=192.168.0.0/16 group=group_T \
proposal=VPNUsers src-address=10.100.100.0/24 template=yes
add comment="IKE2 Site2Site dynemic" dst-address=172.16.0.0/12 group=group_T \
proposal=VPNUsers src-address=10.100.100.0/24 template=yes
/ip route
add distance=1 gateway==W_GW.W_GW.W_GW.W_GW
add distance=1 dst-address=10.0.12.0/24 gateway=bridge_LAN pref-src=\
10.100.100.1
add distance=1 dst-address=172.16.200.0/24 gateway=sstp-Emin
add distance=1 dst-address=192.168.11.0/24 gateway=sstp-arcady
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set interfaces=bridge_LAN
/ppp secret
add name=ruser profile=default-encryption
add name=alik profile=SSTP service=sstp
add name=arcady profile=SSTP service=sstp
add name=olgan profile=SSTP service=sstp
add name=komar61 profile=SSTP service=sstp
add name=ruser1 profile=SSTP service=sstp
add name=ruser2 profile=SSTP service=sstp
add name=ruser3 profile=SSTP service=sstp
add name=ruser4 profile=SSTP service=sstp
add name=ruser5 profile=SSTP service=sstp
add name=ruser6 profile=SSTP_EXTVPN service=sstp
add name=ruser7 profile=SSTP_EXTVPN service=sstp
add name=ruser8 profile=SSTP_EXTVPN service=sstp
add name=ruser9 profile=SSTP_EXTVPN service=sstp
add name=ruser10 profile=SSTP_EXTVPN service=sstp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=CRS328.tm.local
/system logging
add topics=ipsec,!packet
add disabled=yes topics=sstp
add disabled=yes topics=l2tp
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes boot-os=router-os
/tool sniffer
set filter-interface=ether8
/tool traffic-monitor
add interface=ether8 name=tmon1 threshold=0
Debug:
# apr/11/2020 17:07:24 by RouterOS 6.46.5
# software id = HS7D-L3T2
#
# model = CRS328-24P-4S+
# serial number = *********
/ip ipsec mode-config
add address-pool=pool_IKE2 address-prefix-length=32 name=IKE2_vpn split-include=10.100.100.0/24 system-dns=no
/ip ipsec policy group
add name=group_IKE2_DynemicUsers
add name=group_T
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=VPNUsers
/ip ipsec peer
add exchange-mode=ike2 local-address=xxx.xxx.xxx.xxx name=peer_Dynemic passive=yes profile=VPNUsers
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-256-cbc,aes-128-cbc name=VPNUsers
/ip ipsec identity
add auth-method=digital-signature certificate=Server generate-policy=port-strict match-by=certificate mode-config=IKE2_vpn notrack-chain=prerouting peer=peer_Dynemic policy-template-group=group_IKE2_DynemicUsers remote-certificate=RUser
/ip ipsec policy
add dst-address=10.255.255.0/24 group=group_IKE2_DynemicUsers proposal=VPNUsers src-address=0.0.0.0/0 template=yes
Debug
16:55:11 ipsec -> ike2 request, exchange: SA_INIT:0 109.172.70.44[223] 6d3d606cb0e19562:0000000000000000
16:55:11 ipsec ike2 respond
16:55:11 ipsec payload seen: SA (256 bytes)
16:55:11 ipsec payload seen: KE (136 bytes)
16:55:11 ipsec payload seen: NONCE (52 bytes)
16:55:11 ipsec payload seen: NOTIFY (8 bytes)
16:55:11 ipsec payload seen: NOTIFY (28 bytes)
16:55:11 ipsec payload seen: NOTIFY (28 bytes)
16:55:11 ipsec payload seen: VID (24 bytes)
16:55:11 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
16:55:11 ipsec payload seen: VID (20 bytes)
16:55:11 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
16:55:11 ipsec payload seen: VID (20 bytes)
16:55:11 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
16:55:11 ipsec payload seen: VID (24 bytes)
16:55:11 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
16:55:11 ipsec processing payload: NONCE
16:55:11 ipsec processing payload: SA
16:55:11 ipsec,debug unknown auth: #13
16:55:11 ipsec,debug unknown prf: #6
16:55:11 ipsec,debug unknown auth: #13
16:55:11 ipsec,debug unknown prf: #6
16:55:11 ipsec IKE Protocol: IKE
16:55:11 ipsec proposal #1
16:55:11 ipsec enc: 3des-cbc
16:55:11 ipsec prf: hmac-sha1
16:55:11 ipsec auth: sha1
16:55:11 ipsec dh: modp1024
16:55:11 ipsec proposal #2
16:55:11 ipsec enc: aes256-cbc
16:55:11 ipsec prf: hmac-sha1
16:55:11 ipsec auth: sha1
16:55:11 ipsec dh: modp1024
16:55:11 ipsec proposal #3
16:55:11 ipsec enc: 3des-cbc
16:55:11 ipsec prf: hmac-sha256
16:55:11 ipsec auth: sha256
16:55:11 ipsec dh: modp1024
16:55:11 ipsec proposal #4
16:55:11 ipsec enc: aes256-cbc
16:55:11 ipsec prf: hmac-sha256
16:55:11 ipsec auth: sha256
16:55:11 ipsec dh: modp1024
16:55:11 ipsec proposal #5
16:55:11 ipsec enc: 3des-cbc
16:55:11 ipsec prf: unknown
16:55:11 ipsec auth: unknown
16:55:11 ipsec dh: modp1024
16:55:11 ipsec proposal #6
16:55:11 ipsec enc: aes256-cbc
16:55:11 ipsec prf: unknown
16:55:11 ipsec auth: unknown
16:55:11 ipsec dh: modp1024
16:55:11 ipsec matched proposal:
16:55:11 ipsec proposal #2
16:55:11 ipsec enc: aes256-cbc
16:55:11 ipsec prf: hmac-sha1
16:55:11 ipsec auth: sha1
16:55:11 ipsec dh: modp1024
16:55:11 ipsec processing payload: KE
16:55:11 ipsec,debug => shared secret (size 0x80)
16:55:11 ipsec,debug 4dc86b54 541c1a68 4486fbd1 315042fb ce923ecc 2f63f201 f2e3f2a0 40f0af05
16:55:11 ipsec,debug 35ff351b 9731dad8 5baed6df 9f4939e0 56f4c3f1 e858979e 1af3a08c afe446aa
16:55:11 ipsec,debug f13ac102 88f8d6e3 e216f630 25838738 407ab192 7d4c3d64 df950033 abf4373c
16:55:11 ipsec,debug a3283322 52328fd0 18ddbc30 019294e1 2fd6b70b 21b77d87 c2a1a1c8 d30f590e
16:55:11 ipsec adding payload: SA
16:55:11 ipsec,debug => (size 0x30)
16:55:11 ipsec,debug 00000030 0000002c 02010004 0300000c 0100000c 800e0100 03000008 02000002
16:55:11 ipsec,debug 03000008 03000002 00000008 04000002
16:55:11 ipsec adding payload: KE
16:55:11 ipsec,debug => (size 0x88)
16:55:11 ipsec,debug 00000088 00020000 6a390a71 1c9c6b69 5a8ceab0 763a7fe7 135f8adb 8860e38d
16:55:11 ipsec,debug e99ce94e c1629671 a2bca42a 179244a9 d5611256 c54703a2 cbdffd01 ac06ca0c
16:55:11 ipsec,debug b7ca6633 7db9901e 1d217c62 c87fa085 893149c7 68f0ed32 c3a835fa 806118e6
16:55:11 ipsec,debug 6e29d69f 1988c6b2 9b47ecb8 3a1d8cb7 fd162eda b63869f7 b0e6659e 4e78b89f
16:55:11 ipsec,debug 529b2ad8 4d06b367
16:55:11 ipsec adding payload: NONCE
16:55:11 ipsec,debug => (size 0x1c)
16:55:11 ipsec,debug 0000001c 7eb5bf4a f4999c3f d3f42a88 bc383193 19071fc1 65104f47
16:55:11 ipsec adding notify: NAT_DETECTION_SOURCE_IP
16:55:11 ipsec,debug => (size 0x1c)
16:55:11 ipsec,debug 0000001c 00004004 21d45705 d076eb89 bc6bdd0a 3cbcf014 cd1a319f
16:55:11 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
16:55:11 ipsec,debug => (size 0x1c)
16:55:11 ipsec,debug 0000001c 00004005 57956165 87fb93b7 4e7dc4ae 94209352 a2d11879
16:55:11 ipsec adding payload: CERTREQ
16:55:11 ipsec,debug => (size 0x5)
16:55:11 ipsec,debug 00000005 04
16:55:11 ipsec <- ike2 reply, exchange: SA_INIT:0 109.172.70.44[223] 6d3d606cb0e19562:ef2f19c1c765fc1a
16:55:11 ipsec,debug ===== sending 301 bytes from W_IP.W_IP.W_IP.W_IP[500] to 109.172.70.44[223]
16:55:11 ipsec,debug 1 times of 301 bytes message will be sent to 109.172.70.44[223]
16:55:11 ipsec,debug => skeyseed (size 0x14)
16:55:11 ipsec,debug 61c574cc 680657c7 c1894032 732798a7 a4a0561d
16:55:11 ipsec,debug => keymat (size 0x14)
16:55:11 ipsec,debug a2babe96 fc96a1db c21c45e0 4e628260 d8d15d6a
16:55:11 ipsec,debug => SK_ai (size 0x14)
16:55:11 ipsec,debug 1be94ac4 42844d68 e3d30c9e 4b442d2b 0174abb5
16:55:11 ipsec,debug => SK_ar (size 0x14)
16:55:11 ipsec,debug 8b3a80b6 26b44196 a7211d2c 29f77418 f71b7d5b
16:55:11 ipsec,debug => SK_ei (size 0x20)
16:55:11 ipsec,debug 63a8a29a 8d5cd850 263edd6b 02bff7c7 6ff4855d dbad8165 aee839ec 7329b9c5
16:55:11 ipsec,debug => SK_er (size 0x20)
16:55:11 ipsec,debug 8378d215 ea6f780b d1e34665 1e68b0ad f855ba1f 35b4d024 4af8b82b a7bb84be
16:55:11 ipsec,debug => SK_pi (size 0x14)
16:55:11 ipsec,debug 45adac7f 37fc54a5 87474d8f d64ee499 b2b7470a
16:55:11 ipsec,debug => SK_pr (size 0x14)
16:55:11 ipsec,debug 5234960c 78aa54d6 f498f32d 0d1d4d65 b842376f
16:55:11 ipsec,info new ike2 SA (R): W_IP.W_IP.W_IP.W_IP[500]-109.172.70.44[223] spi:ef2f19c1c765fc1a:6d3d606cb0e19562
16:55:11 ipsec processing payloads: VID
16:55:11 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
16:55:11 ipsec processing payloads: NOTIFY
16:55:11 ipsec notify: IKEV2_FRAGMENTATION_SUPPORTED
16:55:11 ipsec notify: NAT_DETECTION_SOURCE_IP
16:55:11 ipsec notify: NAT_DETECTION_DESTINATION_IP
16:55:11 ipsec (NAT-T) REMOTE
16:55:11 ipsec KA list add: W_IP.W_IP.W_IP.W_IP[4500]->109.172.70.44[223]
16:55:20 ipsec,debug KA: W_IP.W_IP.W_IP.W_IP[4500]->109.172.70.44[223]
16:55:20 ipsec,debug 1 times of 1 bytes message will be sent to 109.172.70.44[223]
16:55:40 ipsec,debug KA: W_IP.W_IP.W_IP.W_IP[4500]->109.172.70.44[223]
16:55:40 ipsec,debug 1 times of 1 bytes message will be sent to 109.172.70.44[223]
16:55:41 ipsec child negitiation timeout in state 0
16:55:41 ipsec,info killing ike2 SA: W_IP.W_IP.W_IP.W_IP[4500]-109.172.70.44[223] spi:ef2f19c1c765fc1a:6d3d606cb0e19562
16:55:41 ipsec KA remove: W_IP.W_IP.W_IP.W_IP[4500]->109.172.70.44[223]
16:55:41 ipsec,debug KA tree dump: W_IP.W_IP.W_IP.W_IP[4500]->109.172.70.44[223] (in_use=1)
16:55:41 ipsec,debug KA removing this one...
WIN10 get error 809. I try connect to two another different Mikrotik routers use IKE2 RSA from my WIN10. All connection was successful.
Please ask if need additional information to debug…
