IPsec tunnel digital signature max retransmit failures reached

Up until a week ago I had an IPsec tunnel between a Mikrotik RB760iGS 6.46.4 (initiator 2.2.2.2 on the logs) and strongswan (responder 1.1.1.1 on the logs).

At the beginning of the week my ISP changed my IP (I have a cable connection where I can be >6 months with the same IP), which was one of the identifiers for the connection, so the VPN connection was lost. I changed it, and it didn’t come back up. I rebooted everything and still nothing.

In the past week I have been tweaking every option, and I don’t know what to pursue anymore.
On the strongswan side I have backups of the configuration, and it’s unchanged apart from the IP identifying my connection.

These are my configs (I changed the destination IP and domain names).

/ip ipsec profile
add dh-group=modp4096,modp3072,modp2048 dpd-interval=29s enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=secure

/ip ipsec peer
add address=domain.eu exchange-mode=ike2 name=cpartilha profile=secure

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048

/ip ipsec identity
add auth-method=digital-signature certificate=mikro.p12_0 generate-policy=port-strict mode-config=request-only my-id=user-fqdn:kronos@domain.eu notrack-chain=\
    prerouting peer=cpartilha remote-certificate=mikro.p12_1 remote-id=fqdn:domain.eu

/ip ipsec policy
add dst-address=10.44.0.0/24 level=unique peer=cpartilha sa-dst-address=1.1.1.1 sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes

/ip ipsec settings
set accounting=no

strongswan receives the first packets and responds

tcpdump:

23:37:14.802947 IP 2.2.2.2.4500 > 1.1.1.1.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
23:37:14.805163 IP 1.1.1.1.4500 > 2.2.2.2.4500: NONESP-encap: isakmp: parent_sa ikev2_init[R]
23:37:15.227067 IP 2.2.2.2.4500 > 1.1.1.1.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
23:37:15.246830 IP 1.1.1.1.4500 > 2.2.2.2.4500: NONESP-encap: isakmp: parent_sa ikev2_init[R]

On strongswan I have this:

..snip..
12[ CFG] <7316> selecting proposal:
12[ CFG] <7316>   no acceptable DIFFIE_HELLMAN_GROUP found
12[ CFG] <7316> selecting proposal:
12[ CFG] <7316>   no acceptable INTEGRITY_ALGORITHM found
12[ CFG] <7316> selecting proposal:
12[ CFG] <7316>   proposal matches
12[ CFG] <7316> received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
12[ CFG] <7316> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[ CFG] <7316> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
12[ LIB] <7316> size of DH secret exponent: 2047 bits
12[ IKE] <7316> sending cert request for "C=FR, O=VPN, CN=VPN Root CA"
12[ ENC] <7316> generating IKE_SA_INIT response 0 [ SA KE No CERTREQ N(CHDLESS_SUP) N(MULT_AUTH) ]
12[ NET] <7316> sending packet: from 1.1.1.1[4500 ] to 2.2.2.2[4500 ] (417 bytes)
12[ MGR] <7316> checkin IKE_SA (unnamed)[7316 ]
04[ NET] sending packet: from 1.1.1.1[4500 ] to 2.2.2.2[4500 ]
01[ JOB] next event in 29s 999ms, waiting
12[ MGR] <7316> checkin of IKE_SA successful

After this I get a timeout on the response, and on the Mikrotik I get "max retransmit failures reached":

Mar/28/2020 00:33:09 ipsec acquire for policy: 192.168.0.0/24 <=> 10.44.0.0/24
Mar/28/2020 00:33:09 ipsec peer is IKEv2
Mar/28/2020 00:33:09 ipsec ike2 starting for: 1.1.1.1
Mar/28/2020 00:33:12 ipsec adding payload: NONCE
Mar/28/2020 00:33:12 ipsec,debug => (size 0x1c)
Mar/28/2020 00:33:12 ipsec,debug 0000001c 601e37f1 fa56a46c 561c24de b68900f3 b868ce6c dbf9d11d
Mar/28/2020 00:33:12 ipsec adding payload: KE
Mar/28/2020 00:33:12 ipsec,debug => (first 0x100 of 0x208)
Mar/28/2020 00:33:12 ipsec adding payload: SA
Mar/28/2020 00:33:12 ipsec,debug => (size 0x50)
Mar/28/2020 00:33:12 ipsec,debug 00000050 0000004c 01010007 0300000c 0100000c 800e0100 0300000c 0100000c
Mar/28/2020 00:33:12 ipsec,debug 800e00c0 0300000c 0100000c 800e0080 03000008 02000005 03000008 0300000c
Mar/28/2020 00:33:12 ipsec,debug 03000008 04000010 00000008 0400000e
Mar/28/2020 00:33:12 ipsec <- ike2 request, exchange: SA_INIT:0 1.1.1.1[4500] f8fd514c2c5349f4:0000000000000000
Mar/28/2020 00:33:12 ipsec,debug ===== sending 656 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec,debug 1 times of 660 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec,debug ===== received 38 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
Mar/28/2020 00:33:12 ipsec -> ike2 reply, exchange: SA_INIT:0 1.1.1.1[4500] f8fd514c2c5349f4:0000000000000000
Mar/28/2020 00:33:12 ipsec payload seen: NOTIFY (10 bytes)
Mar/28/2020 00:33:12 ipsec first payload is NOTIFY
Mar/28/2020 00:33:12 ipsec processing payloads: NOTIFY
Mar/28/2020 00:33:12 ipsec   notify: INVALID_KE_PAYLOAD
Mar/28/2020 00:33:12 ipsec   requested DH group: 14
Mar/28/2020 00:33:12 ipsec retrying with different KE value
Mar/28/2020 00:33:12 ipsec adding payload: NONCE
Mar/28/2020 00:33:12 ipsec,debug => (size 0x1c)
Mar/28/2020 00:33:12 ipsec,debug 0000001c 601e37f1 fa56a46c 561c24de b68900f3 b868ce6c dbf9d11d
Mar/28/2020 00:33:12 ipsec adding payload: KE
Mar/28/2020 00:33:12 ipsec,debug => (first 0x100 of 0x108)
Mar/28/2020 00:33:12 ipsec adding payload: SA
Mar/28/2020 00:33:12 ipsec,debug => (size 0x48)
Mar/28/2020 00:33:12 ipsec,debug 00000048 00000044 01010006 0300000c 0100000c 800e0100 0300000c 0100000c
Mar/28/2020 00:33:12 ipsec,debug 800e00c0 0300000c 0100000c 800e0080 03000008 02000005 03000008 0300000c
Mar/28/2020 00:33:12 ipsec,debug 00000008 0400000e
Mar/28/2020 00:33:12 ipsec,debug ===== sending 392 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec,debug 1 times of 396 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec,debug ===== received 417 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
Mar/28/2020 00:33:12 ipsec -> ike2 reply, exchange: SA_INIT:0 1.1.1.1[4500] f8fd514c2c5349f4:45ef09244d7b0675
Mar/28/2020 00:33:12 ipsec ike2 initialize recv
Mar/28/2020 00:33:12 ipsec payload seen: SA (48 bytes)
Mar/28/2020 00:33:12 ipsec payload seen: KE (264 bytes)
Mar/28/2020 00:33:12 ipsec payload seen: NONCE (36 bytes)
Mar/28/2020 00:33:12 ipsec payload seen: CERTREQ (25 bytes)
Mar/28/2020 00:33:12 ipsec payload seen: NOTIFY (8 bytes)
Mar/28/2020 00:33:12 ipsec payload seen: NOTIFY (8 bytes)
Mar/28/2020 00:33:12 ipsec processing payload: NONCE
Mar/28/2020 00:33:12 ipsec processing payload: SA
Mar/28/2020 00:33:12 ipsec IKE Protocol: IKE
Mar/28/2020 00:33:12 ipsec  proposal #1
Mar/28/2020 00:33:12 ipsec   enc: aes128-cbc
Mar/28/2020 00:33:12 ipsec   prf: hmac-sha256
Mar/28/2020 00:33:12 ipsec   auth: sha256
Mar/28/2020 00:33:12 ipsec   dh: modp2048
Mar/28/2020 00:33:12 ipsec matched proposal:
Mar/28/2020 00:33:12 ipsec  proposal #1
Mar/28/2020 00:33:12 ipsec   enc: aes128-cbc
Mar/28/2020 00:33:12 ipsec   prf: hmac-sha256
Mar/28/2020 00:33:12 ipsec   auth: sha256
Mar/28/2020 00:33:12 ipsec   dh: modp2048
Mar/28/2020 00:33:12 ipsec processing payload: KE
Mar/28/2020 00:33:12 ipsec,debug => shared secret (size 0x100)
Mar/28/2020 00:33:12 ipsec,debug => skeyseed (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug 1753da06 09b2d1a8 b452a1c9 622f1d75 3485737a 4d6f2574 9021657c 2674c809
Mar/28/2020 00:33:12 ipsec,debug => keymat (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug dfe32795 56cba743 26bc6b3b 930ff9fb 2e1563c4 e827952b 5a46db15 9d36fdd2
Mar/28/2020 00:33:12 ipsec,debug => SK_ai (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug efe7d9f0 7351228c 9aaa011e 1a3feca8 0eec825f 172beb0c aab6d970 d163adfa
Mar/28/2020 00:33:12 ipsec,debug => SK_ar (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug 5876bd91 481b44b7 98d29a55 29b50fc5 f8dc7f1c 62bb3060 4577948c ab57f9ba
Mar/28/2020 00:33:12 ipsec,debug => SK_ei (size 0x10)
Mar/28/2020 00:33:12 ipsec,debug 53c33bb6 7b8eabc3 cbcf79f5 2f632d0d
Mar/28/2020 00:33:12 ipsec,debug => SK_er (size 0x10)
Mar/28/2020 00:33:12 ipsec,debug a97bcccd 7c40d91d e80a3212 97dd6b18
Mar/28/2020 00:33:12 ipsec,debug => SK_pi (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug 2304e0e2 1446e8a1 58d028ff 44641e7c 4aab3da5 1403ab8e eb11d81c e5c67fee
Mar/28/2020 00:33:12 ipsec,debug => SK_pr (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug b93e39b2 57c6e8a4 6ee2725d ebf5fec0 68c64b3f 34a84b1a 963c3c4e 9241b7aa
Mar/28/2020 00:33:12 ipsec,info new ike2 SA (I): 2.2.2.2[4500]-1.1.1.1[4500] spi:f8fd514c2c5349f4:45ef09244d7b0675
Mar/28/2020 00:33:12 ipsec processing payloads: NOTIFY
Mar/28/2020 00:33:12 ipsec   notify: CHILDLESS_IKEV2_SUPPORTED
Mar/28/2020 00:33:12 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Mar/28/2020 00:33:12 ipsec init child for policy: 192.168.0.0/24 <=> 10.44.0.0/24
Mar/28/2020 00:33:12 ipsec init child continue
Mar/28/2020 00:33:12 ipsec offering proto: 3
Mar/28/2020 00:33:12 ipsec  proposal #1
Mar/28/2020 00:33:12 ipsec   enc: aes256-cbc
Mar/28/2020 00:33:12 ipsec   auth: sha256
Mar/28/2020 00:33:12 ipsec ID_I (RFC822): kronos@domain.eu
Mar/28/2020 00:33:12 ipsec adding payload: ID_I
Mar/28/2020 00:33:12 ipsec,debug => (size 0x1b)
Mar/28/2020 00:33:12 ipsec,debug 0000001b 03000000 6368726f 6e6f7340 63737472 61747573 2e6575
Mar/28/2020 00:33:12 ipsec processing payload: NONCE
Mar/28/2020 00:33:12 ipsec,debug => auth nonce (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug 29126977 9ae8d19a e0d30733 b24634ca 7512c1b3 8b6b0fea 16638827 5fcffd14
Mar/28/2020 00:33:12 ipsec,debug => SK_p (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug 2304e0e2 1446e8a1 58d028ff 44641e7c 4aab3da5 1403ab8e eb11d81c e5c67fee
Mar/28/2020 00:33:12 ipsec,debug => idhash (size 0x20)
Mar/28/2020 00:33:12 ipsec,debug 97fb1fe4 199c8ffa 677ccf48 b6d87cff 9013c824 285b4f42 3b268893 6dd46829
Mar/28/2020 00:33:13 ipsec,debug => my auth (first 0x100 of 0x200)
Mar/28/2020 00:33:13 ipsec adding payload: AUTH
Mar/28/2020 00:33:13 ipsec,debug => (first 0x100 of 0x208)
Mar/28/2020 00:33:13 ipsec cert: CN=kronos@domain.eu,C=FR,ST=,L=,O=VPN,OU=,SN=
Mar/28/2020 00:33:13 ipsec adding payload: CERT
Mar/28/2020 00:33:13 ipsec,debug => (first 0x100 of 0x54e)
Mar/28/2020 00:33:13 ipsec adding payload: CERTREQ
Mar/28/2020 00:33:13 ipsec,debug => (size 0x5)
Mar/28/2020 00:33:13 ipsec,debug 00000005 04
Mar/28/2020 00:33:13 ipsec ID_R (FQDN): domain.eu
Mar/28/2020 00:33:13 ipsec adding payload: ID_R
Mar/28/2020 00:33:13 ipsec,debug => (size 0x1d)
Mar/28/2020 00:33:13 ipsec,debug 0000001d 02000000 63706172 74696c68 612e6373 74726174 75732e65 75
Mar/28/2020 00:33:13 ipsec adding notify: INITIAL_CONTACT
Mar/28/2020 00:33:13 ipsec,debug => (size 0x8)
Mar/28/2020 00:33:13 ipsec,debug 00000008 00004000
Mar/28/2020 00:33:13 ipsec adding payload: SA
Mar/28/2020 00:33:13 ipsec,debug => (size 0x2c)
Mar/28/2020 00:33:13 ipsec,debug 0000002c 00000028 01030403 04a778b1 0300000c 0100000c 800e0100 03000008
Mar/28/2020 00:33:13 ipsec,debug 0300000c 00000008 05000000
Mar/28/2020 00:33:13 ipsec initiator selector: 192.168.0.0/24
Mar/28/2020 00:33:13 ipsec adding payload: TS_I
Mar/28/2020 00:33:13 ipsec,debug => (size 0x18)
Mar/28/2020 00:33:13 ipsec,debug 00000018 01000000 07000010 0000ffff c0a80000 c0a800ff
Mar/28/2020 00:33:13 ipsec responder selector: 10.44.0.0/24
Mar/28/2020 00:33:13 ipsec adding payload: TS_R
Mar/28/2020 00:33:13 ipsec,debug => (size 0x18)
Mar/28/2020 00:33:13 ipsec,debug 00000018 01000000 07000010 0000ffff 0a2c0000 0a2c00ff
Mar/28/2020 00:33:13 ipsec prepearing internal IPv4 address
Mar/28/2020 00:33:13 ipsec prepearing internal IPv4 netmask
Mar/28/2020 00:33:13 ipsec prepearing internal IPv6 subnet
Mar/28/2020 00:33:13 ipsec prepearing internal IPv4 DNS
Mar/28/2020 00:33:13 ipsec adding payload: CONFIG
Mar/28/2020 00:33:13 ipsec,debug => (size 0x2c)
Mar/28/2020 00:33:13 ipsec,debug 0000002c 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
Mar/28/2020 00:33:13 ipsec,debug 00000000 00030004 00000000
Mar/28/2020 00:33:13 ipsec <- ike2 request, exchange: AUTH:1 1.1.1.1[4500] f8fd514c2c5349f4:45ef09244d7b0675
Mar/28/2020 00:33:13 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:13 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:18 ipsec retransmit
Mar/28/2020 00:33:18 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:18 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:23 ipsec retransmit
Mar/28/2020 00:33:23 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:23 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:28 ipsec retransmit
Mar/28/2020 00:33:28 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:28 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:33 ipsec retransmit
Mar/28/2020 00:33:33 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Mar/28/2020 00:33:33 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:38 ipsec max retransmit failures reached
Mar/28/2020 00:33:38 ipsec,info killing ike2 SA: 2.2.2.2[4500]-1.1.1.1[4500] spi:f8fd514c2c5349f4:45ef09244d7b0675

I have the VPN working from Android and PCs on the same network, but I can’t get RouterOS to do it. On the certs, which are generated on the strongswan side, I have added the IP, which they previously didn’t have. I’m not sure what to look at anymore.

So after some more analysis of the packets on both ends, I saw that the ESP packets originating from the Mikrotik (or with a source port of 4500) were not getting to the responder but were leaving the router.
ESP packets were passing through the Mikrotik and arriving at the server, but the ones from RouterOS weren’t. I changed the MTU, thinking it could be a problem with the fragmentation/size of the packets, but without success. I rebooted the ISP modem, which is in bridge mode, and after that the packets started to be delivered.

What I can’t understand is why/how this could be happening. If anyone has any insight into this I would appreciate it.
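
An added example, not part of the original post: a small Python triage of the RouterOS log format quoted above that reports which IKEv2 exchange went unanswered and how many IPv4 fragments its datagram needs. The sample lines are trimmed from the log in the post; the 1500-byte MTU default and all function names are assumptions.

```python
import math
import re

# Constructed sample: trimmed lines in the RouterOS log format quoted in the post.
SAMPLE_LOG = """\
Mar/28/2020 00:33:12 ipsec <- ike2 request, exchange: SA_INIT:0 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec,debug 1 times of 660 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec -> ike2 reply, exchange: SA_INIT:0 1.1.1.1[4500]
Mar/28/2020 00:33:12 ipsec,debug 1 times of 396 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:13 ipsec <- ike2 request, exchange: AUTH:1 1.1.1.1[4500]
Mar/28/2020 00:33:13 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
Mar/28/2020 00:33:18 ipsec retransmit
Mar/28/2020 00:33:23 ipsec retransmit
Mar/28/2020 00:33:28 ipsec retransmit
Mar/28/2020 00:33:33 ipsec retransmit
Mar/28/2020 00:33:38 ipsec max retransmit failures reached
"""

REQ = re.compile(r"<- ike2 request, exchange: (\w+):(\d+)")
REP = re.compile(r"-> ike2 reply, exchange: (\w+):(\d+)")
SIZE = re.compile(r"times of (\d+) bytes message will be sent")


def ipv4_fragments(udp_payload, mtu=1500):
    """IPv4 fragments needed for one UDP datagram (20-byte IP header, no options)."""
    ip_payload = udp_payload + 8            # add the UDP header
    per_fragment = (mtu - 20) // 8 * 8      # fragment data is a multiple of 8 bytes
    return math.ceil(ip_payload / per_fragment)


def triage(log, mtu=1500):
    """Return per-exchange stats keyed by (exchange name, message id)."""
    stats, current = {}, None
    for line in log.splitlines():
        if m := REQ.search(line):
            current = (m.group(1), int(m.group(2)))
            stats.setdefault(current, {"bytes": 0, "retransmits": 0,
                                       "replied": False, "gave_up": False})
        elif m := REP.search(line):
            key = (m.group(1), int(m.group(2)))
            if key in stats:
                stats[key]["replied"] = True
        elif current is None:
            continue
        elif m := SIZE.search(line):
            stats[current]["bytes"] = max(stats[current]["bytes"], int(m.group(1)))
        elif line.endswith("ipsec retransmit"):
            stats[current]["retransmits"] += 1
        elif "max retransmit failures reached" in line:
            stats[current]["gave_up"] = True
    for s in stats.values():
        s["fragments"] = ipv4_fragments(s["bytes"], mtu)
        # Unanswered and fragmented: verify on the responder that all fragments arrive.
        s["suspect_fragment_loss"] = s["gave_up"] and not s["replied"] and s["fragments"] > 1
    return stats


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, SA_INIT fits in one packet and is answered, while the 2244-byte AUTH request needs two fragments and is never answered; comparing a capture on the responder against the initiator's log shows whether those fragments are delivered.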