IPsec tunnel CentOS to MikroTik

lambert · April 13, 2018, 9:46am

I’ve been trying to get CentOS 7 to connect to RouterOS 6.40.7 for a couple of days now.

Phase 1 works. Phase 2 never links up. If I intentionally change the DH Group or the lifetime, the centos box complains about them not matching. I don’t see what is not matching up. Maybe it’s an actual bug in CentOS or RouterOS? Maybe I’m just blind.

CentOS: x.x.x.x
RouterOS: y.y.y.y

CentOS log:

Apr 13 04:11:50 localhost racoon: [y.y.y.y] ERROR: unknown Informational exchange received.
Apr 13 04:11:50 localhost racoon: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Apr 13 04:11:50 localhost racoon: ERROR: not matched
Apr 13 04:11:50 localhost racoon: ERROR: no suitable policy found.
Apr 13 04:11:50 localhost racoon: [y.y.y.y] ERROR: no proposal chosen.
Apr 13 04:11:50 localhost racoon: [y.y.y.y] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Apr 13 04:12:00 localhost racoon: [y.y.y.y] ERROR: unknown Informational exchange received.
Apr 13 04:12:00 localhost racoon: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Apr 13 04:12:00 localhost racoon: ERROR: not matched
Apr 13 04:12:00 localhost racoon: ERROR: no suitable policy found.
Apr 13 04:12:00 localhost racoon: [y.y.y.y] ERROR: no proposal chosen.
Apr 13 04:12:00 localhost racoon: [y.y.y.y] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Apr 13 04:12:10 localhost racoon: INFO: IPsec-SA expired: ESP/Transport x.x.x.x[500]->y.y.y.y[500]
Apr 13 04:12:10 localhost racoon: INFO: IPsec-SA expired: ESP/Transport x.x.x.x[500]->y.y.y.y[500]
Apr 13 04:12:10 localhost racoon: INFO: IPsec-SA expired: AH/Transport y.y.y.y[500]->x.x.x.x[500] spi=143541837(0x88e464d)
Apr 13 04:12:10 localhost racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Apr 13 04:12:10 localhost racoon: ERROR: y.y.y.y give up to get IPsec-SA due to time up to wait.

RouterOS log:

04:39:27 ipsec,error no suitable proposal found.
04:39:27 ipsec,error y.y.y.y failed to pre-process ph2 packet.
04:39:37 ipsec,error y.y.y.y peer sent packet for dead phase2  
04:39:47 ipsec,error y.y.y.y peer sent packet for dead phase2  
04:39:57 ipsec,error no suitable proposal found. 
04:39:57 ipsec,error y.y.y.y failed to pre-process ph2 packet. 
04:40:07 ipsec,error y.y.y.y peer sent packet for dead phase2

I did look at the debug log on the mikrotik. I couldn’t see anything yelling at me. I re-enable the debug logs tomorrow, if needed. It’s too late to put that much thought into it tonight, sorry.

# more racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";04:39:27 ipsec,error no suitable proposal found.
04:39:27 ipsec,error y.y.y.y failed to pre-process ph2 packet.
04:39:37 ipsec,error y.y.y.y peer sent packet for dead phase2  
04:39:47 ipsec,error y.y.y.y peer sent packet for dead phase2  
04:39:57 ipsec,error no suitable proposal found. 
04:39:57 ipsec,error y.y.y.y failed to pre-process ph2 packet. 
04:40:07 ipsec,error y.y.y.y peer sent packet for dead phase2  

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

include "/etc/racoon/y.y.y.y.conf";

# more y.y.y.y.conf 
remote y.y.y.y
{

        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

MikroTik:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc lifetime=1h name=sha1-aes128-dh2
add enc-algorithms=aes-128-cbc,3des lifetime=1h name=sha1-3des
/ip ipsec peer
add address=x.x.x.x/32 dh-group=modp1024 enc-algorithm=\
    aes-128,3des,blowfish generate-policy=port-strict secret=\
    SeCrEt send-initial-contact=no
/ip ipsec policy
add dst-address=x.x.x.x/32 proposal=sha1-3des sa-dst-address=x.x.x.x \
    sa-src-address=y.y.y.y src-address=y.y.y.y/32 tunnel=yes

lambert · April 19, 2018, 11:31pm

Here is the MikroTIk’s debug log. I’ve manipulated everything I can think of on the 'Tik. It just doesn’t change the result. I am obviously missing something. A clue by four to the head would be appreciated.

18:16:12 ipsec,debug proposal #1: 8 transform 
18:16:12 ipsec,debug got the local address from ID payload y.y.y.y[0] prefixlen=32 ul_proto=255 
18:16:12 ipsec,debug got the peer address from ID payload x.x.x.x[0] prefixlen=32 ul_proto=255 
18:16:12 ipsec searching for policy for selector: y.y.y.y <=> x.x.x.x 
18:16:12 ipsec generating policy 
18:16:12 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=1127:1127) 
18:16:12 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
18:16:12 ipsec,debug begin compare proposals. 
18:16:12 ipsec,debug pair[1]: 0x4a9bd0 
18:16:12 ipsec,debug  0x4a9bd0: next=0x48bef8 tnext=0x4940a0 
18:16:12 ipsec,debug   0x48bef8: next=(nil) tnext=0x4a6b00 
18:16:12 ipsec,debug    0x4a6b00: next=(nil) tnext=0x4ad6d0 
18:16:12 ipsec,debug     0x4ad6d0: next=(nil) tnext=0x4ae548 
18:16:12 ipsec,debug      0x4ae548: next=(nil) tnext=0x49b928 
18:16:12 ipsec,debug       0x49b928: next=(nil) tnext=0x4a85c8 
18:16:12 ipsec,debug        0x4a85c8: next=(nil) tnext=(nil) 
18:16:12 ipsec,debug   0x4940a0: next=(nil) tnext=(nil) 
18:16:12 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=1 trns-id=SHA 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=2 trns-id=MD5 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=3DES 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=3DES 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=BLOWFISH 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=BLOWFISH 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=AES-CBC 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=AES-CBC 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug peer's single bundle: 
18:16:12 ipsec,debug  (proto_id=AH spisize=4 spi=055ae66d spi_p=00000000 encmode=Transport reqid=0:0) 
18:16:12 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
18:16:12 ipsec,debug  (proto_id=ESP spisize=4 spi=06635116 spi_p=00000000 encmode=Transport reqid=0:0) 
18:16:12 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
18:16:12 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
18:16:12 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
18:16:12 ipsec,debug my single bundle: 
18:16:12 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=1127:1127) 
18:16:12 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
18:16:12 ipsec,debug not matched 
18:16:12 ipsec,error no suitable proposal found. 
18:16:12 ipsec failed to get proposal for responder. 
18:16:12 ipsec,error x.x.x.x failed to pre-process ph2 packet.

sindy · April 20, 2018, 1:37pm

Your configurations from the first post do not match what I can see in the log in the second post.

In the log, I can see that CentOS offers AH or ESP/Transport mode, while Mikrotik only accepts AH mode. Although the AH proposal at Mikrotik side as if matches one of the CentOS’s proposals (trns_id=SHA authtype=hmac-sha1), I don’t like the ****

spi=00000000

at Mikrotik side (but it’s just a feeling).

So do not change anything at CentOS side, and at Mikrotik side, choose ESP rather than AH, and Transport mode (i.e. ****

tunnel=no

) and post the debug for that case along with a corresponding

/ip ipsec export

.

lambert · April 21, 2018, 6:54am

My policy was set to encrypt/require/esp/tunnel. I have now changed that to encrypt/require/ah/no tunnel. The logs look very similar to me. I don’t get it.

 
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add auth-algorithms=sha1,md5 enc-algorithms=aes-128-cbc,3des,blowfish lifetime=1h name=centos
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=3des exchange-mode=main-l2tp \
    generate-policy=port-override lifetime=8h
add address=x.x.x.x/32 dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-128,3des,blowfish generate-policy=port-strict send-initial-contact=no
/ip ipsec policy
add dst-address=x.x.x.x/32 ipsec-protocols=ah proposal=centos src-address=\
    y.y.y.y/32

BTW, I also ran it with generate-policy=port-override and got the same results. I then ran it with ipsec-protocols=esp. The only difference was the MD5 part of “my single bundle” went missing with esp.

01:34:34 ipsec,debug ===== received 100 bytes from x.x.x.x[500] to y.y.y.y[500] 
01:34:34 ipsec,debug === 
01:34:34 ipsec,info respond new phase 1 (Identity Protection): y.y.y.y[500]<=>x.x.x.x[500] 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=1(sa) len=52 
01:34:34 ipsec,debug seen nptype=13(vid) len=20 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec received Vendor ID: DPD 
01:34:34 ipsec,debug remote supports DPD 
01:34:34 ipsec,debug total SA len=48 
01:34:34 ipsec,debug 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 
01:34:34 ipsec,debug 80010005 80030001 80020002 80040002 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=2(prop) len=40 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug proposal #1 len=40 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug transform #1 len=32 
01:34:34 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
01:34:34 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
01:34:34 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
01:34:34 ipsec,debug hash(sha1) 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug pair 1: 
01:34:34 ipsec,debug  0x48c058: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug proposal #1: 1 transform 
01:34:34 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
01:34:34 ipsec,debug trns#=1, trns-id=IKE 
01:34:34 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
01:34:34 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
01:34:34 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
01:34:34 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = AES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 128:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = AES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 128:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1536-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = AES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 128:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 0:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 0:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1536-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 0:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug an acceptable proposal found. 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug agreed on pre-shared key auth. 
01:34:34 ipsec,debug === 
01:34:34 ipsec,debug new cookie: 
01:34:34 ipsec,debug 962ab4613d613c6f  
01:34:34 ipsec,debug add payload of len 48, next type 13 
01:34:34 ipsec,debug add payload of len 16, next type 0 
01:34:34 ipsec,debug 100 bytes from y.y.y.y[500] to x.x.x.x[500] 
01:34:34 ipsec,debug 1 times of 100 bytes message will be sent to x.x.x.x[500] 
01:34:34 ipsec sent phase1 packet y.y.y.y[500]<=>x.x.x.x[500] 77b96f864966876c:962ab4613d613c6f 
01:34:34 ipsec,debug ===== received 508 bytes from x.x.x.x[500] to y.y.y.y[500] 
01:34:34 ipsec,debug compute IV for phase2 
01:34:34 ipsec,debug phase1 last IV: 
01:34:34 ipsec,debug 228697a1 06403767 ac306ed1 
01:34:34 ipsec,debug hash(sha1) 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug phase2 IV computed: 
01:34:34 ipsec,debug 76669a1c 0cf3bdb7 
01:34:34 ipsec,debug === 
01:34:34 ipsec respond new phase 2 negotiation: y.y.y.y[500]<=>x.x.x.x[500] 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug IV was saved for next processing: 
01:34:34 ipsec,debug b756eb70 a056decb 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug with key: 
01:34:34 ipsec,debug 4745fffc 6ff98373 4793adf6 51dbf5ad ba578763 33413823 
01:34:34 ipsec,debug decrypted payload by IV: 
01:34:34 ipsec,debug 76669a1c 0cf3bdb7 
01:34:34 ipsec,debug decrypted payload, but not trimed. 
01:34:34 ipsec,debug 01000018 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 0a000114 00000001 
01:34:34 ipsec,debug 00000001 02000044 01020402 093f95f5 0300001c 01030000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050002 80030002 0000001c 02020000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80050001 80030002 000000c4 01030406 08ba7628 0300001c 01030000 80010001 
01:34:34 ipsec,debug 80020e10 80040002 80050002 80030002 0300001c 02030000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050001 80030002 03000020 03070000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 800601c0 80050002 80030002 03000020 04070000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 800601c0 80050001 80030002 03000020 050c0000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80060080 80050002 80030002 00000020 060c0000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80060080 80050001 80030002 04000014 938f89c8 eff781b5 168ef74d 92dc1fde 
01:34:34 ipsec,debug 05000084 2fc726a6 e0db00be a2d87850 cd304bd8 44a52b0b bb114871 88a8cfed 
01:34:34 ipsec,debug 5d0d901f 3963d6d7 20fcdcde bc2eed15 5a69b154 24a2dfd5 dde3b755 d78cc7ee 
01:34:34 ipsec,debug 4d3db56a 7f0c6ab5 83528ae8 9e2d117f 2ae17ede fa74551a 4a7b1237 c74e6eac 
01:34:34 ipsec,debug 6d88c2d0 fac32bab 9bbcca57 a2fa9906 060e84d9 7bcec839 d075fced bb0a32d0 
01:34:34 ipsec,debug 3c715018 0500000c 01000000 d8e6e7e2 0000000c 01000000 40fa290d 9db59603 
01:34:34 ipsec,debug padding len=4 
01:34:34 ipsec,debug skip to trim padding. 
01:34:34 ipsec,debug decrypted. 
01:34:34 ipsec,debug 5a9fd6f1 3261a995 11721b76 3786bf24 08102001 ac306ed1 000001fc 01000018 
01:34:34 ipsec,debug 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 0a000114 00000001 00000001 
01:34:34 ipsec,debug 02000044 01020402 093f95f5 0300001c 01030000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80050002 80030002 0000001c 02020000 80010001 80020e10 80040002 80050001 
01:34:34 ipsec,debug 80030002 000000c4 01030406 08ba7628 0300001c 01030000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050002 80030002 0300001c 02030000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80050001 80030002 03000020 03070000 80010001 80020e10 80040002 800601c0 
01:34:34 ipsec,debug 80050002 80030002 03000020 04070000 80010001 80020e10 80040002 800601c0 
01:34:34 ipsec,debug 80050001 80030002 03000020 050c0000 80010001 80020e10 80040002 80060080 
01:34:34 ipsec,debug 80050002 80030002 00000020 060c0000 80010001 80020e10 80040002 80060080 
01:34:34 ipsec,debug 80050001 80030002 04000014 938f89c8 eff781b5 168ef74d 92dc1fde 05000084 
01:34:34 ipsec,debug 2fc726a6 e0db00be a2d87850 cd304bd8 44a52b0b bb114871 88a8cfed 5d0d901f 
01:34:34 ipsec,debug 3963d6d7 20fcdcde bc2eed15 5a69b154 24a2dfd5 dde3b755 d78cc7ee 4d3db56a 
01:34:34 ipsec,debug 7f0c6ab5 83528ae8 9e2d117f 2ae17ede fa74551a 4a7b1237 c74e6eac 6d88c2d0 
01:34:34 ipsec,debug fac32bab 9bbcca57 a2fa9906 060e84d9 7bcec839 d075fced bb0a32d0 3c715018 
01:34:34 ipsec,debug 0500000c 01000000 d8e6e7e2 0000000c 01000000 40fa290d 9db59603 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=8(hash) len=24 
01:34:34 ipsec,debug seen nptype=1(sa) len=276 
01:34:34 ipsec,debug seen nptype=10(nonce) len=20 
01:34:34 ipsec,debug seen nptype=4(ke) len=132 
01:34:34 ipsec,debug seen nptype=5(id) len=12 
01:34:34 ipsec,debug seen nptype=5(id) len=12 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug received IDci2: 
01:34:34 ipsec,debug 01000000 d8e6e7e2 
01:34:34 ipsec,debug received IDcr2: 
01:34:34 ipsec,debug 01000000 40fa290d 
01:34:34 ipsec,debug HASH(1) validate: 
01:34:34 ipsec,debug 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 
01:34:34 ipsec,debug HASH with: 
01:34:34 ipsec,debug ac306ed1 0a000114 00000001 00000001 02000044 01020402 093f95f5 0300001c 
01:34:34 ipsec,debug 01030000 80010001 80020e10 80040002 80050002 80030002 0000001c 02020000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80050001 80030002 000000c4 01030406 08ba7628 
01:34:34 ipsec,debug 0300001c 01030000 80010001 80020e10 80040002 80050002 80030002 0300001c 
01:34:34 ipsec,debug 02030000 80010001 80020e10 80040002 80050001 80030002 03000020 03070000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 800601c0 80050002 80030002 03000020 04070000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 800601c0 80050001 80030002 03000020 050c0000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80060080 80050002 80030002 00000020 060c0000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80060080 80050001 80030002 04000014 938f89c8 
01:34:34 ipsec,debug eff781b5 168ef74d 92dc1fde 05000084 2fc726a6 e0db00be a2d87850 cd304bd8 
01:34:34 ipsec,debug 44a52b0b bb114871 88a8cfed 5d0d901f 3963d6d7 20fcdcde bc2eed15 5a69b154 
01:34:34 ipsec,debug 24a2dfd5 dde3b755 d78cc7ee 4d3db56a 7f0c6ab5 83528ae8 9e2d117f 2ae17ede 
01:34:34 ipsec,debug fa74551a 4a7b1237 c74e6eac 6d88c2d0 fac32bab 9bbcca57 a2fa9906 060e84d9 
01:34:34 ipsec,debug 7bcec839 d075fced bb0a32d0 3c715018 0500000c 01000000 d8e6e7e2 0000000c 
01:34:34 ipsec,debug 01000000 40fa290d 
01:34:34 ipsec,debug hmac(hmac_sha1) 
01:34:34 ipsec,debug HASH computed: 
01:34:34 ipsec,debug 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 
01:34:34 ipsec,debug total SA len=272 
01:34:34 ipsec,debug 00000001 00000001 02000044 01020402 093f95f5 0300001c 01030000 80010001 
01:34:34 ipsec,debug 80020e10 80040002 80050002 80030002 0000001c 02020000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050001 80030002 000000c4 01030406 08ba7628 0300001c 01030000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80050002 80030002 0300001c 02030000 80010001 
01:34:34 ipsec,debug 80020e10 80040002 80050001 80030002 03000020 03070000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 800601c0 80050002 80030002 03000020 04070000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 800601c0 80050001 80030002 03000020 050c0000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80060080 80050002 80030002 00000020 060c0000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80060080 80050001 80030002 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=2(prop) len=68 
01:34:34 ipsec,debug seen nptype=2(prop) len=196 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug proposal #1 len=68 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug transform #1 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #2 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug proposal #1 len=196 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug transform #1 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #2 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #3 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #4 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #5 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #6 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug pair 1: 
01:34:34 ipsec,debug  0x4ac460: next=0x49cc18 tnext=0x48ce50 
01:34:34 ipsec,debug   0x49cc18: next=(nil) tnext=0x49cff8 
01:34:34 ipsec,debug    0x49cff8: next=(nil) tnext=0x493e18 
01:34:34 ipsec,debug     0x493e18: next=(nil) tnext=0x48b8a8 
01:34:34 ipsec,debug      0x48b8a8: next=(nil) tnext=0x4b1150 
01:34:34 ipsec,debug       0x4b1150: next=(nil) tnext=0x4a2b58 
01:34:34 ipsec,debug        0x4a2b58: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug   0x48ce50: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug proposal #1: 8 transform 
01:34:34 ipsec,debug got the local address from ID payload y.y.y.y[0] prefixlen=32 ul_proto=255 
01:34:34 ipsec,debug got the peer address from ID payload x.x.x.x[0] prefixlen=32 ul_proto=255 
01:34:34 ipsec searching for policy for selector: y.y.y.y <=> x.x.x.x 
01:34:34 ipsec using strict match: y.y.y.y <=> x.x.x.x 
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:34:34 ipsec,debug begin compare proposals. 
01:34:34 ipsec,debug pair[1]: 0x4ac460 
01:34:34 ipsec,debug  0x4ac460: next=0x49cc18 tnext=0x48ce50 
01:34:34 ipsec,debug   0x49cc18: next=(nil) tnext=0x49cff8 
01:34:34 ipsec,debug    0x49cff8: next=(nil) tnext=0x493e18 
01:34:34 ipsec,debug     0x493e18: next=(nil) tnext=0x48b8a8 
01:34:34 ipsec,debug      0x48b8a8: next=(nil) tnext=0x4b1150 
01:34:34 ipsec,debug       0x4b1150: next=(nil) tnext=0x4a2b58 
01:34:34 ipsec,debug        0x4a2b58: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug   0x48ce50: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=1 trns-id=SHA 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=2 trns-id=MD5 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=3DES 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=3DES 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=BLOWFISH 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=BLOWFISH 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=AES-CBC 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=AES-CBC 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug peer's single bundle: 
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=093f95f5 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:34:34 ipsec,debug  (proto_id=ESP spisize=4 spi=08ba7628 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
01:34:34 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
01:34:34 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
01:34:34 ipsec,debug my single bundle: 
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:34:34 ipsec,debug not matched 
01:34:34 ipsec,error no suitable proposal found. 
01:34:34 ipsec failed to get proposal for responder. 
01:34:34 ipsec,error x.x.x.x failed to pre-process ph2 packet.

port-override:
01:44:54 ipsec,debug peer's single bundle: 
01:44:54 ipsec,debug  (proto_id=AH spisize=4 spi=0010a686 spi_p=00000000 encmode=Transport reqid=0:0) 
01:44:54 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:44:54 ipsec,debug  (proto_id=ESP spisize=4 spi=0eee26e7 spi_p=00000000 encmode=Transport reqid=0:0) 
01:44:54 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
01:44:54 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
01:44:54 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
01:44:54 ipsec,debug my single bundle: 
01:44:54 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
01:44:54 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:44:54 ipsec,debug not matched 
01:44:54 ipsec,error no suitable proposal found. 
01:44:54 ipsec failed to get proposal for responder. 
01:44:54 ipsec,error 216.230.231.226 failed to pre-process ph2 packet. 

ipsec-protocols=esp:
01:48:31 ipsec,debug peer's single bundle: 
01:48:31 ipsec,debug  (proto_id=AH spisize=4 spi=0e245677 spi_p=00000000 encmode=Transport reqid=0:0) 
01:48:31 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:48:31 ipsec,debug  (proto_id=ESP spisize=4 spi=099a2d97 spi_p=00000000 encmode=Transport reqid=0:0) 
01:48:31 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
01:48:31 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
01:48:31 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
01:48:31 ipsec,debug my single bundle: 
01:48:31 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=4711:4711) 
01:48:31 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:48:31 ipsec,debug not matched 
01:48:31 ipsec,error no suitable proposal found. 
01:48:31 ipsec failed to get proposal for responder. 
01:48:31 ipsec,error 216.230.231.226 failed to pre-process ph2 packet.

sindy · April 21, 2018, 7:15am

In both cases the 'Tik is reporting to the log to be ready only for AH. I’m not sure what happens when you ask for ESP/Tunnel mode for a policy which has ****

src-address

equal to

sa-src-address

and

dst-address

equal to

sa-dst-address

, because it is an unusual configuration. Normally, ESP/Transport or AH mode suit for this, as encapsulation of the original source and destination addresses along with the payload, which is what tunnel mode does, is a useless waste of packet space in this case.

So one explanation could be that Mikrotik chooses AH mode instead of ESP/Tunnel mode in this case (which would be a bug itself but would pop up under unusual circumstances), another explanation is a completely broken IPsec in the RouterOS version you currently use. Which one is it? I remember some issues reported and later fixed in 6.41.x and/or 6.42rc.y. I have currently 6.41.3 on one box and 6.42 on another and both are running fine with IPsec.

CZFan · April 21, 2018, 10:39am

Since the OP is on 6.40.7, it might very well be that IPSec is broken, I read in the below topic that Mikrotik rewrote the IPSec stack completely in 6.40.x, so maybe a good point to upgrade to 6.41.3 and test

lambert · April 23, 2018, 6:51am

Tried 6.42. Same results.

sindy · April 23, 2018, 7:21am

Try ESP/transport (= no tunnel) and post the log, please. Is there no other IPsec configuration (including any dynamically created one from l2tp, eoip or some other tunnelling protocol secured using ipsec (by ticking ****

use-ipsec=yes

) on the Mikrotik? Please attach the output of

/ip ipsec peer print

and

/ip ipsec policy print

, after editing eventual public addresses you don’t want to reveal.