IPSec VPN to Cisco 1841 help

Hi there.

I have a new RB493G running ROS 5.16. I need to set up an IPSec tunnel to a Cisco 1841.

I have watched the Greg Sowell video on the subject, and done many Google searches, but can’t for the life of me get this tunnel to come up.

This is the Cisco config: (I have removed non-related config)

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Site-Site-Vpn esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set Site-Site-Vpn
 match address VPN-ACL
!
!
!
crypto ctcp port 10000
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 dsl bitswap both
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
!
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended VPN-ACL
 remark Site to Site VPN ACL:
 remark CCP_ACL Category=4
 permit ip 192.168.5.0 0.0.0.255 192.168.16.0 0.0.0.255
!
ip radius source-interface FastEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit

Mikrotik IPSec config:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=***CISCO-IP***/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=test send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.16.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=***CISCO-IP*** sa-src-address=0.0.0.0 src-address=\
    192.168.5.0/24 src-port=any tunnel=yes




Now this is the log from the Mikrotik. I really don’t know what to make of this, but you can see the “NO-PROPOSAL-CHOSEN” toward the end…


May/26/2012 10:29:39 ipsec,debug suitable outbound SP found: 192.168.5.0/24[0] 192.168.16.0/24[0] proto=any dir=out
May/26/2012 10:29:39 ipsec,debug suitable inbound SP found: 192.168.16.0/24[0] 192.168.5.0/24[0] proto=any dir=in
May/26/2012 10:29:39 ipsec,debug new acquire 192.168.5.0/24[0] 192.168.16.0/24[0] proto=any dir=out
May/26/2012 10:29:39 ipsec,debug,packet  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
May/26/2012 10:29:39 ipsec,debug,packet   (trns_id=3DES encklen=0 authtype=hmac-sha)
May/26/2012 10:29:39 ipsec,debug IPsec-SA request for ***CISCO-IP*** queued due to no phase1 found.
May/26/2012 10:29:39 ipsec,debug,packet ===
May/26/2012 10:29:39 ipsec,debug initiate new phase 1 negotiation: ***MIKROTIK-IP***[500]<=>***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug begin Identity Protection mode.
May/26/2012 10:29:39 ipsec,debug,packet new cookie:
May/26/2012 10:29:39 ipsec,debug,packet ed22523cda60675f 
May/26/2012 10:29:39 ipsec,debug,packet add payload of len 52, next type 13
May/26/2012 10:29:39 ipsec,debug,packet add payload of len 16, next type 0
May/26/2012 10:29:39 ipsec,debug,packet 104 bytes from ***MIKROTIK-IP***[500] to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet sockname ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet send packet from ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet send packet to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet src4 ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet dst4 ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet 1 times of 104 bytes message will be sent to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 00000000 00000000 01100200 00000000 00000068 0d000038
May/26/2012 10:29:39 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
May/26/2012 10:29:39 ipsec,debug,packet 00015180 80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9
May/26/2012 10:29:39 ipsec,debug,packet 6b8696fc 77570100
May/26/2012 10:29:39 ipsec,debug,packet resend phase1 packet ed22523cda60675f:0000000000000000
May/26/2012 10:29:39 ipsec,debug,packet ==========
May/26/2012 10:29:39 ipsec,debug,packet 84 bytes message received from ***CISCO-IP***[500] to ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 01100200 00000000 00000054 00000038
May/26/2012 10:29:39 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002
May/26/2012 10:29:39 ipsec,debug,packet 80040002 80030001 800b0001 000c0004 00015180
May/26/2012 10:29:39 ipsec,debug,packet begin.
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=1(sa)
May/26/2012 10:29:39 ipsec,debug,packet succeed.
May/26/2012 10:29:39 ipsec,debug,packet total SA len=52
May/26/2012 10:29:39 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002
May/26/2012 10:29:39 ipsec,debug,packet 80040002 80030001 800b0001 000c0004 00015180
May/26/2012 10:29:39 ipsec,debug,packet begin.
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=2(prop)
May/26/2012 10:29:39 ipsec,debug,packet succeed.
May/26/2012 10:29:39 ipsec,debug,packet proposal #1 len=44
May/26/2012 10:29:39 ipsec,debug,packet begin.
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=3(trns)
May/26/2012 10:29:39 ipsec,debug,packet succeed.
May/26/2012 10:29:39 ipsec,debug,packet transform #1 len=36
May/26/2012 10:29:39 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
May/26/2012 10:29:39 ipsec,debug,packet hash(sha1)
May/26/2012 10:29:39 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/26/2012 10:29:39 ipsec,debug,packet hmac(modp1024)
May/26/2012 10:29:39 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/26/2012 10:29:39 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
May/26/2012 10:29:39 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
May/26/2012 10:29:39 ipsec,debug,packet pair 1:
May/26/2012 10:29:39 ipsec,debug,packet  0x493038: next=(nil) tnext=(nil)
May/26/2012 10:29:39 ipsec,debug,packet proposal #1: 1 transform
May/26/2012 10:29:39 ipsec,debug,packet prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
May/26/2012 10:29:39 ipsec,debug,packet trns#=1, trns-id=IKE
May/26/2012 10:29:39 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/26/2012 10:29:39 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
May/26/2012 10:29:39 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/26/2012 10:29:39 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/26/2012 10:29:39 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
May/26/2012 10:29:39 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
May/26/2012 10:29:39 ipsec,debug,packet Compared: DB:Peer
May/26/2012 10:29:39 ipsec,debug,packet (lifetime = 86400:86400)
May/26/2012 10:29:39 ipsec,debug,packet (lifebyte = 0:0)
May/26/2012 10:29:39 ipsec,debug,packet enctype = 3DES-CBC:3DES-CBC
May/26/2012 10:29:39 ipsec,debug,packet (encklen = 0:0)
May/26/2012 10:29:39 ipsec,debug,packet hashtype = SHA:SHA
May/26/2012 10:29:39 ipsec,debug,packet authmethod = pre-shared key:pre-shared key
May/26/2012 10:29:39 ipsec,debug,packet dh_group = 1024-bit MODP group:1024-bit MODP group
May/26/2012 10:29:39 ipsec,debug,packet an acceptable proposal found.
May/26/2012 10:29:39 ipsec,debug,packet hmac(modp1024)
May/26/2012 10:29:39 ipsec,debug,packet agreed on pre-shared key auth.
May/26/2012 10:29:39 ipsec,debug,packet ===
May/26/2012 10:29:39 ipsec,debug,packet compute DH's private.
May/26/2012 10:29:39 ipsec,debug,packet 5c28ec28 c9ae7d77 e1a778c6 274a33b0 3cb6395f 2b8817ba e859d9d4 56c8dbdb
May/26/2012 10:29:39 ipsec,debug,packet 4ed4f0c1 8368a73d 5e15baea d69e5164 1abc5b2e 08a5f884 d75a8b01 669583bd
May/26/2012 10:29:39 ipsec,debug,packet 7e2dc6a0 9c50e63b 862f4a12 826b16ea 1c37374b 4850fdd9 74c894df 27e3d5d2
May/26/2012 10:29:39 ipsec,debug,packet d5c03412 4b4710c8 dad508ae 849a43f4 985ece73 3a23b0b8 5c70427f 3e6c2f07
May/26/2012 10:29:39 ipsec,debug,packet compute DH's public.
May/26/2012 10:29:39 ipsec,debug,packet 54f05cb6 a60e5c15 a574bb09 80abca74 cbf2edba f5a36b9f 24bb6021 3681c642
May/26/2012 10:29:39 ipsec,debug,packet b642d041 8c694b17 3d5ef750 b742ce19 819ece56 8fce0017 da5539dd f48e32c8
May/26/2012 10:29:39 ipsec,debug,packet f8faf037 e38ae9d6 95fd7910 d9bb4dfb 73281555 aa886a6e 47ff3f0e dd24c6ef
May/26/2012 10:29:39 ipsec,debug,packet 5136bd9f bf5aa9c5 9f5ec9a5 675a76da 035827c1 971ed99c 0bacbd2f e497414f
May/26/2012 10:29:39 ipsec,debug,packet add payload of len 128, next type 10
May/26/2012 10:29:39 ipsec,debug,packet add payload of len 24, next type 0
May/26/2012 10:29:39 ipsec,debug,packet 188 bytes from ***MIKROTIK-IP***[500] to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet sockname ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet send packet from ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet send packet to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet src4 ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet dst4 ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet 1 times of 188 bytes message will be sent to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 04100200 00000000 000000bc 0a000084
May/26/2012 10:29:39 ipsec,debug,packet 54f05cb6 a60e5c15 a574bb09 80abca74 cbf2edba f5a36b9f 24bb6021 3681c642
May/26/2012 10:29:39 ipsec,debug,packet b642d041 8c694b17 3d5ef750 b742ce19 819ece56 8fce0017 da5539dd f48e32c8
May/26/2012 10:29:39 ipsec,debug,packet f8faf037 e38ae9d6 95fd7910 d9bb4dfb 73281555 aa886a6e 47ff3f0e dd24c6ef
May/26/2012 10:29:39 ipsec,debug,packet 5136bd9f bf5aa9c5 9f5ec9a5 675a76da 035827c1 971ed99c 0bacbd2f e497414f
May/26/2012 10:29:39 ipsec,debug,packet 0000001c bf066d4a e68c781b 23126541 4e1a2a59 c31fec52 e7e07752
May/26/2012 10:29:39 ipsec,debug,packet resend phase1 packet ed22523cda60675f:6b0cf7eb9ae2aaf1
May/26/2012 10:29:39 ipsec,debug,packet ==========
May/26/2012 10:29:39 ipsec,debug,packet 256 bytes message received from ***CISCO-IP***[500] to ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 04100200 00000000 00000100 0a000084
May/26/2012 10:29:39 ipsec,debug,packet 8d5be53d f1e4c34a 13cef041 8f5e7d64 e0e364bc a89f25c6 9bbdcb28 0506675d
May/26/2012 10:29:39 ipsec,debug,packet 3c73b5af b6b1cd95 8de899b2 6571c870 54e4fa24 de50936f 7417368f 08b2ea68
May/26/2012 10:29:39 ipsec,debug,packet 0e741d23 e1183da5 2b959c3e e93c96f1 db785c4d 32bd6d97 44400342 0fa513d3
May/26/2012 10:29:39 ipsec,debug,packet 77781559 7acca6e9 9504d377 73eb3678 c76885a0 d8523b47 2c4d7e99 196e005a
May/26/2012 10:29:39 ipsec,debug,packet 0d000018 4eec78c6 a6b80050 ddb3019d 1c3b31cd 1e9ebf33 0d000014 12f5f28c
May/26/2012 10:29:39 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 6b8696fc 77570100
May/26/2012 10:29:39 ipsec,debug,packet 0d000014 9ecb50f6 9ae3aaf1 4bd041a4 cc89e66b 0000000c 09002689 dfd6b712
May/26/2012 10:29:39 ipsec,debug,packet begin.
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=4(ke)
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=10(nonce)
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=13(vid)
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=13(vid)
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=13(vid)
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=13(vid)
May/26/2012 10:29:39 ipsec,debug,packet succeed.
May/26/2012 10:29:39 ipsec,debug received Vendor ID: CISCO-UNITY
May/26/2012 10:29:39 ipsec,debug received Vendor ID: DPD
May/26/2012 10:29:39 ipsec,debug,packet received unknown Vendor ID
May/26/2012 10:29:39 ipsec,debug received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May/26/2012 10:29:39 ipsec,debug,packet ===
May/26/2012 10:29:39 ipsec,debug,packet compute DH's shared.
May/26/2012 10:29:39 ipsec,debug,packet 
May/26/2012 10:29:39 ipsec,debug,packet 7abd3347 a7adc56a cd7867de b5be9f7a 94c614a0 2c7b6ffe 74ab5056 4247f05e
May/26/2012 10:29:39 ipsec,debug,packet bae26951 eb3e06f1 979b3437 156ee1d1 27c28e6c cf0c5646 545ff6c4 f3d83b02
May/26/2012 10:29:39 ipsec,debug,packet 260825e3 8844d644 7c68e96c 2ed3c856 e60b7793 68026b75 3c3de17b c0b8c765
May/26/2012 10:29:39 ipsec,debug,packet 0ed5b488 02615e81 e85875e8 38c79449 c6f21f63 fc2aef1b 552aa350 da20aced
May/26/2012 10:29:39 ipsec,debug,packet the psk found.
May/26/2012 10:29:39 ipsec,debug,packet nonce 1: 
May/26/2012 10:29:39 ipsec,debug,packet bf066d4a e68c781b 23126541 4e1a2a59 c31fec52 e7e07752
May/26/2012 10:29:39 ipsec,debug,packet nonce 2: 
May/26/2012 10:29:39 ipsec,debug,packet 4eec78c6 a6b80050 ddb3019d 1c3b31cd 1e9ebf33
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet SKEYID computed:
May/26/2012 10:29:39 ipsec,debug,packet 0ff755e8 f991b330 0f0c2433 d11a26bd d444ead2
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet SKEYID_d computed:
May/26/2012 10:29:39 ipsec,debug,packet 238df012 9468c204 d10d800b e1f727ec 98f182a6
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet SKEYID_a computed:
May/26/2012 10:29:39 ipsec,debug,packet 4a888cca 883e2dad cd7a1af5 713e4b81 a96425d8
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet SKEYID_e computed:
May/26/2012 10:29:39 ipsec,debug,packet cc5f5bc5 9cfa1c98 05262d86 94817c74 7f7e36eb
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet hash(sha1)
May/26/2012 10:29:39 ipsec,debug,packet len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet compute intermediate encryption key K1
May/26/2012 10:29:39 ipsec,debug,packet 00
May/26/2012 10:29:39 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet compute intermediate encryption key K2
May/26/2012 10:29:39 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715
May/26/2012 10:29:39 ipsec,debug,packet 216f0525 f35877d8 68b5f8d8 1666228b bf28e371
May/26/2012 10:29:39 ipsec,debug,packet final encryption key computed:
May/26/2012 10:29:39 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715 216f0525
May/26/2012 10:29:39 ipsec,debug,packet hash(sha1)
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet IV computed:
May/26/2012 10:29:39 ipsec,debug,packet e62bf928 b458494a
May/26/2012 10:29:39 ipsec,debug,packet use ID type of IPv4_address
May/26/2012 10:29:39 ipsec,debug,packet HASH with:
May/26/2012 10:29:39 ipsec,debug,packet 54f05cb6 a60e5c15 a574bb09 80abca74 cbf2edba f5a36b9f 24bb6021 3681c642
May/26/2012 10:29:39 ipsec,debug,packet b642d041 8c694b17 3d5ef750 b742ce19 819ece56 8fce0017 da5539dd f48e32c8
May/26/2012 10:29:39 ipsec,debug,packet f8faf037 e38ae9d6 95fd7910 d9bb4dfb 73281555 aa886a6e 47ff3f0e dd24c6ef
May/26/2012 10:29:39 ipsec,debug,packet 5136bd9f bf5aa9c5 9f5ec9a5 675a76da 035827c1 971ed99c 0bacbd2f e497414f
May/26/2012 10:29:39 ipsec,debug,packet 8d5be53d f1e4c34a 13cef041 8f5e7d64 e0e364bc a89f25c6 9bbdcb28 0506675d
May/26/2012 10:29:39 ipsec,debug,packet 3c73b5af b6b1cd95 8de899b2 6571c870 54e4fa24 de50936f 7417368f 08b2ea68
May/26/2012 10:29:39 ipsec,debug,packet 0e741d23 e1183da5 2b959c3e e93c96f1 db785c4d 32bd6d97 44400342 0fa513d3
May/26/2012 10:29:39 ipsec,debug,packet 77781559 7acca6e9 9504d377 73eb3678 c76885a0 d8523b47 2c4d7e99 196e005a
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 00000001 00000001 0000002c 01010001
May/26/2012 10:29:39 ipsec,debug,packet 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020002
May/26/2012 10:29:39 ipsec,debug,packet 80040002 011101f4 792c7161
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet HASH computed:
May/26/2012 10:29:39 ipsec,debug,packet 89941932 5584b44f ec38d6e1 518416b0 14e5a65d
May/26/2012 10:29:39 ipsec,debug,packet add payload of len 8, next type 8
May/26/2012 10:29:39 ipsec,debug,packet add payload of len 20, next type 0
May/26/2012 10:29:39 ipsec,debug,packet begin encryption.
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet pad length = 4
May/26/2012 10:29:39 ipsec,debug,packet 0800000c 011101f4 792c7161 00000018 89941932 5584b44f ec38d6e1 518416b0
May/26/2012 10:29:39 ipsec,debug,packet 14e5a65d 5fc62403
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet with key:
May/26/2012 10:29:39 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715 216f0525
May/26/2012 10:29:39 ipsec,debug,packet encrypted payload by IV:
May/26/2012 10:29:39 ipsec,debug,packet e62bf928 b458494a
May/26/2012 10:29:39 ipsec,debug,packet save IV for next:
May/26/2012 10:29:39 ipsec,debug,packet 2463c1e4 032880e3
May/26/2012 10:29:39 ipsec,debug,packet encrypted.
May/26/2012 10:29:39 ipsec,debug,packet 68 bytes from ***MIKROTIK-IP***[500] to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet sockname ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet send packet from ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet send packet to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet src4 ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet dst4 ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet 1 times of 68 bytes message will be sent to ***CISCO-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 05100201 00000000 00000044 26f086c9
May/26/2012 10:29:39 ipsec,debug,packet 50e202e3 7aa627b7 fd9ad502 a473ebdb f1136f07 9fc7bcbd 0f78aa85 2463c1e4
May/26/2012 10:29:39 ipsec,debug,packet 032880e3
May/26/2012 10:29:39 ipsec,debug,packet resend phase1 packet ed22523cda60675f:6b0cf7eb9ae2aaf1
May/26/2012 10:29:39 ipsec,debug,packet ==========
May/26/2012 10:29:39 ipsec,debug,packet 68 bytes message received from ***CISCO-IP***[500] to ***MIKROTIK-IP***[500]
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 05100201 00000000 00000044 1f4a9090
May/26/2012 10:29:39 ipsec,debug,packet a7ff60da 1c78fc9a dc5ddfa3 901e83a5 00e64e48 aee551f7 1bb5bcdb fb73364d
May/26/2012 10:29:39 ipsec,debug,packet c8cf97c1
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet IV was saved for next processing:
May/26/2012 10:29:39 ipsec,debug,packet fb73364d c8cf97c1
May/26/2012 10:29:39 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:39 ipsec,debug,packet with key:
May/26/2012 10:29:39 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715 216f0525
May/26/2012 10:29:39 ipsec,debug,packet decrypted payload by IV:
May/26/2012 10:29:39 ipsec,debug,packet 2463c1e4 032880e3
May/26/2012 10:29:39 ipsec,debug,packet decrypted payload, but not trimed.
May/26/2012 10:29:39 ipsec,debug,packet 0800000c 011101f4 3ba7f595 00000018 eb5f0ce4 8d44c001 3d0d502e 835eec71
May/26/2012 10:29:39 ipsec,debug,packet 8be68ae5 00000000
May/26/2012 10:29:39 ipsec,debug,packet padding len=1
May/26/2012 10:29:39 ipsec,debug,packet skip to trim padding.
May/26/2012 10:29:39 ipsec,debug,packet decrypted.
May/26/2012 10:29:39 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 05100201 00000000 00000044 0800000c
May/26/2012 10:29:39 ipsec,debug,packet 011101f4 3ba7f595 00000018 eb5f0ce4 8d44c001 3d0d502e 835eec71 8be68ae5
May/26/2012 10:29:39 ipsec,debug,packet 00000000
May/26/2012 10:29:39 ipsec,debug,packet begin.
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=5(id)
May/26/2012 10:29:39 ipsec,debug,packet seen nptype=8(hash)
May/26/2012 10:29:39 ipsec,debug,packet succeed.
May/26/2012 10:29:39 ipsec,debug,packet HASH received:
May/26/2012 10:29:39 ipsec,debug,packet eb5f0ce4 8d44c001 3d0d502e 835eec71 8be68ae5
May/26/2012 10:29:39 ipsec,debug,packet HASH with:
May/26/2012 10:29:39 ipsec,debug,packet 8d5be53d f1e4c34a 13cef041 8f5e7d64 e0e364bc a89f25c6 9bbdcb28 0506675d
May/26/2012 10:29:39 ipsec,debug,packet 3c73b5af b6b1cd95 8de899b2 6571c870 54e4fa24 de50936f 7417368f 08b2ea68
May/26/2012 10:29:39 ipsec,debug,packet 0e741d23 e1183da5 2b959c3e e93c96f1 db785c4d 32bd6d97 44400342 0fa513d3
May/26/2012 10:29:39 ipsec,debug,packet 77781559 7acca6e9 9504d377 73eb3678 c76885a0 d8523b47 2c4d7e99 196e005a
May/26/2012 10:29:39 ipsec,debug,packet 54f05cb6 a60e5c15 a574bb09 80abca74 cbf2edba f5a36b9f 24bb6021 3681c642
May/26/2012 10:29:39 ipsec,debug,packet b642d041 8c694b17 3d5ef750 b742ce19 819ece56 8fce0017 da5539dd f48e32c8
May/26/2012 10:29:39 ipsec,debug,packet f8faf037 e38ae9d6 95fd7910 d9bb4dfb 73281555 aa886a6e 47ff3f0e dd24c6ef
May/26/2012 10:29:39 ipsec,debug,packet 5136bd9f bf5aa9c5 9f5ec9a5 675a76da 035827c1 971ed99c 0bacbd2f e497414f
May/26/2012 10:29:39 ipsec,debug,packet 6b0cf7eb 9ae2aaf1 ed22523c da60675f 00000001 00000001 0000002c 01010001
May/26/2012 10:29:39 ipsec,debug,packet 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020002
May/26/2012 10:29:39 ipsec,debug,packet 80040002 011101f4 3ba7f595
May/26/2012 10:29:39 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:39 ipsec,debug,packet HASH computed:
May/26/2012 10:29:39 ipsec,debug,packet eb5f0ce4 8d44c001 3d0d502e 835eec71 8be68ae5
May/26/2012 10:29:39 ipsec,debug,packet HASH for PSK validated.
May/26/2012 10:29:39 ipsec,debug,packet peer's ID:
May/26/2012 10:29:39 ipsec,debug,packet 011101f4 3ba7f595
May/26/2012 10:29:39 ipsec,debug,packet ===
May/26/2012 10:29:39 ipsec,debug ISAKMP-SA established ***MIKROTIK-IP***[500]-***CISCO-IP***[500] spi:ed22523cda60675f:6b0cf7eb9ae2aaf1
May/26/2012 10:29:39 ipsec,debug,packet ===
May/26/2012 10:29:40 ipsec,debug,packet ===
May/26/2012 10:29:40 ipsec,debug,packet begin QUICK mode.
May/26/2012 10:29:40 ipsec,debug initiate new phase 2 negotiation: ***MIKROTIK-IP***[500]<=>***CISCO-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet compute IV for phase2
May/26/2012 10:29:40 ipsec,debug,packet phase1 last IV:
May/26/2012 10:29:40 ipsec,debug,packet fb73364d c8cf97c1 b7a485be
May/26/2012 10:29:40 ipsec,debug,packet hash(sha1)
May/26/2012 10:29:40 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:40 ipsec,debug,packet phase2 IV computed:
May/26/2012 10:29:40 ipsec,debug,packet 77416aab b6930f74
May/26/2012 10:29:40 ipsec,debug,packet call pfkey_send_getspi
May/26/2012 10:29:40 ipsec,debug,packet pfkey GETSPI sent: ESP/Tunnel ***CISCO-IP***[500]->***MIKROTIK-IP***[500] 
May/26/2012 10:29:40 ipsec,debug,packet pfkey getspi sent.
May/26/2012 10:29:40 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel ***CISCO-IP***[500]->***MIKROTIK-IP***[500] spi=34555750(0x20f4766)
May/26/2012 10:29:40 ipsec,debug,packet hmac(modp1024)
May/26/2012 10:29:40 ipsec,debug,packet hmac(modp1024)
May/26/2012 10:29:40 ipsec,debug,packet hmac(modp1024)
May/26/2012 10:29:40 ipsec,debug,packet compute DH's private.
May/26/2012 10:29:40 ipsec,debug,packet 61297489 6afb8408 09bd11d3 5b191a31 84cc2164 925836d0 feb76156 7d315891
May/26/2012 10:29:40 ipsec,debug,packet e31944d0 2e573a5f a91cda8f c1b5177a 3cd584d5 6e3fdf44 31dc4f6b 7d4e1730
May/26/2012 10:29:40 ipsec,debug,packet 95c7bae9 96e5e8c7 d3048ff5 9179b2a7 6c73fe68 97a8365c d67e63e7 ad25fad6
May/26/2012 10:29:40 ipsec,debug,packet b1d7ffd8 64207c77 d8e139d0 1a2f82c7 27ad844b 0b460df6 5e624aed c61bb793
May/26/2012 10:29:40 ipsec,debug,packet compute DH's public.
May/26/2012 10:29:40 ipsec,debug,packet 30b395ff e7ec8dfd 8cffc655 ce94a01b b835f06a 48bbd6d3 bde3cadc 407d149d
May/26/2012 10:29:40 ipsec,debug,packet f52b017c c4a34ae8 ad89e881 6235a5a4 16e62842 1e833cfb dbe8b8ae f4cab79e
May/26/2012 10:29:40 ipsec,debug,packet 6baeea47 59f1df8d e514d9f9 75e313a6 a2c9de8c 476ca193 6e7bfe0b a5d85e21
May/26/2012 10:29:40 ipsec,debug,packet 222181ce 58fde2c3 9da80b87 effe40af bb2c9583 4bbcdde6 1d633fd2 4853f55f
May/26/2012 10:29:40 ipsec,debug,packet use local ID type IPv4_subnet
May/26/2012 10:29:40 ipsec,debug,packet use remote ID type IPv4_subnet
May/26/2012 10:29:40 ipsec,debug,packet IDci:
May/26/2012 10:29:40 ipsec,debug,packet 04000000 c0a80500 ffffff00
May/26/2012 10:29:40 ipsec,debug,packet IDcr:
May/26/2012 10:29:40 ipsec,debug,packet 04000000 c0a81000 ffffff00
May/26/2012 10:29:40 ipsec,debug,packet add payload of len 48, next type 10
May/26/2012 10:29:40 ipsec,debug,packet add payload of len 24, next type 4
May/26/2012 10:29:40 ipsec,debug,packet add payload of len 128, next type 5
May/26/2012 10:29:40 ipsec,debug,packet add payload of len 12, next type 5
May/26/2012 10:29:40 ipsec,debug,packet add payload of len 12, next type 0
May/26/2012 10:29:40 ipsec,debug,packet HASH with:
May/26/2012 10:29:40 ipsec,debug,packet b7a485be 0a000034 00000001 00000001 00000028 01030401 020f4766 0000001c
May/26/2012 10:29:40 ipsec,debug,packet 01030000 80010001 80020708 80040001 80050002 80030002 0400001c edfb951e
May/26/2012 10:29:40 ipsec,debug,packet 0f983a70 f62adeb6 3cc7182f da89dbfd 751b8c18 05000084 30b395ff e7ec8dfd
May/26/2012 10:29:40 ipsec,debug,packet 8cffc655 ce94a01b b835f06a 48bbd6d3 bde3cadc 407d149d f52b017c c4a34ae8
May/26/2012 10:29:40 ipsec,debug,packet ad89e881 6235a5a4 16e62842 1e833cfb dbe8b8ae f4cab79e 6baeea47 59f1df8d
May/26/2012 10:29:40 ipsec,debug,packet e514d9f9 75e313a6 a2c9de8c 476ca193 6e7bfe0b a5d85e21 222181ce 58fde2c3
May/26/2012 10:29:40 ipsec,debug,packet 9da80b87 effe40af bb2c9583 4bbcdde6 1d633fd2 4853f55f 05000010 04000000
May/26/2012 10:29:40 ipsec,debug,packet c0a80500 ffffff00 00000010 04000000 c0a81000 ffffff00
May/26/2012 10:29:40 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:40 ipsec,debug,packet HASH computed:
May/26/2012 10:29:40 ipsec,debug,packet 1ef8dee0 53ee5a25 376ea1ad 51aa0275 1aa63c70
May/26/2012 10:29:40 ipsec,debug,packet add payload of len 20, next type 1
May/26/2012 10:29:40 ipsec,debug,packet begin encryption.
May/26/2012 10:29:40 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:40 ipsec,debug,packet pad length = 4
May/26/2012 10:29:40 ipsec,debug,packet 01000018 1ef8dee0 53ee5a25 376ea1ad 51aa0275 1aa63c70 0a000034 00000001
May/26/2012 10:29:40 ipsec,debug,packet 00000001 00000028 01030401 020f4766 0000001c 01030000 80010001 80020708
May/26/2012 10:29:40 ipsec,debug,packet 80040001 80050002 80030002 0400001c edfb951e 0f983a70 f62adeb6 3cc7182f
May/26/2012 10:29:40 ipsec,debug,packet da89dbfd 751b8c18 05000084 30b395ff e7ec8dfd 8cffc655 ce94a01b b835f06a
May/26/2012 10:29:40 ipsec,debug,packet 48bbd6d3 bde3cadc 407d149d f52b017c c4a34ae8 ad89e881 6235a5a4 16e62842
May/26/2012 10:29:40 ipsec,debug,packet 1e833cfb dbe8b8ae f4cab79e 6baeea47 59f1df8d e514d9f9 75e313a6 a2c9de8c
May/26/2012 10:29:40 ipsec,debug,packet 476ca193 6e7bfe0b a5d85e21 222181ce 58fde2c3 9da80b87 effe40af bb2c9583
May/26/2012 10:29:40 ipsec,debug,packet 4bbcdde6 1d633fd2 4853f55f 05000010 04000000 c0a80500 ffffff00 00000010
May/26/2012 10:29:40 ipsec,debug,packet 04000000 c0a81000 ffffff00 1bfc1903
May/26/2012 10:29:40 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:40 ipsec,debug,packet with key:
May/26/2012 10:29:40 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715 216f0525
May/26/2012 10:29:40 ipsec,debug,packet encrypted payload by IV:
May/26/2012 10:29:40 ipsec,debug,packet 77416aab b6930f74
May/26/2012 10:29:40 ipsec,debug,packet save IV for next:
May/26/2012 10:29:40 ipsec,debug,packet 2047c58b e0a6e001
May/26/2012 10:29:40 ipsec,debug,packet encrypted.
May/26/2012 10:29:40 ipsec,debug,packet 300 bytes from ***MIKROTIK-IP***[500] to ***CISCO-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet sockname ***MIKROTIK-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet send packet from ***MIKROTIK-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet send packet to ***CISCO-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet src4 ***MIKROTIK-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet dst4 ***CISCO-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet 1 times of 300 bytes message will be sent to ***CISCO-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 08102001 b7a485be 0000012c f6bf13c7
May/26/2012 10:29:40 ipsec,debug,packet f0998fdc 4362f974 69f96868 66e5020a 863ab482 121271ac b7fc3e87 6440e813
May/26/2012 10:29:40 ipsec,debug,packet 812ac249 05dd1a35 4c6722ad 80f39af3 109bed3e 9a1c73f0 7e66d13c 51830fd1
May/26/2012 10:29:40 ipsec,debug,packet 6dee046b 868afa1a 01f5cf6b bd46b23a b43e24ea e918a5c2 534a300e 0f2a5fce
May/26/2012 10:29:40 ipsec,debug,packet 08c241ce 1541a1e7 1c7f1e42 f9d42334 f9c0a178 a1f84e39 751d400c 4c35040d
May/26/2012 10:29:40 ipsec,debug,packet 93883c92 9622d03e df2c8b04 4178025f f3d2011c 01f7498d f4b62a5c 3733d07c
May/26/2012 10:29:40 ipsec,debug,packet 13298a4f 7b5bfedf 3c7400e1 0f63cc7b ed1c8370 ec8941f6 73d546f4 1a2223c4
May/26/2012 10:29:40 ipsec,debug,packet 9444eb41 87a807aa 5a337151 58c02819 b6812e29 ffda4fe3 f59fe5df d9e4a1b0
May/26/2012 10:29:40 ipsec,debug,packet 891df783 b08528f0 cace8ace 72c4327d f9b6b28e 8f67f83c 0eb6e060 4bf55bd4
May/26/2012 10:29:40 ipsec,debug,packet bb636560 2047c58b e0a6e001
May/26/2012 10:29:40 ipsec,debug,packet resend phase2 packet ed22523cda60675f:6b0cf7eb9ae2aaf1:b7a485be
May/26/2012 10:29:40 ipsec,debug,packet ==========
May/26/2012 10:29:40 ipsec,debug,packet 84 bytes message received from ***CISCO-IP***[500] to ***MIKROTIK-IP***[500]
May/26/2012 10:29:40 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 08100501 44bed0e7 00000054 f25286bd
May/26/2012 10:29:40 ipsec,debug,packet 94cb90f9 8581a75c 84db1e28 b37e078f 195996a1 d102b75c 214c36f7 1fb0b05d
May/26/2012 10:29:40 ipsec,debug,packet 9aff8d00 310a4e1a fa615f95 153b57b4 e4f8ff09
May/26/2012 10:29:40 ipsec,debug,packet receive Information.
May/26/2012 10:29:40 ipsec,debug,packet compute IV for phase2
May/26/2012 10:29:40 ipsec,debug,packet phase1 last IV:
May/26/2012 10:29:40 ipsec,debug,packet fb73364d c8cf97c1 44bed0e7
May/26/2012 10:29:40 ipsec,debug,packet hash(sha1)
May/26/2012 10:29:40 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:40 ipsec,debug,packet phase2 IV computed:
May/26/2012 10:29:40 ipsec,debug,packet c790b9df b5945663
May/26/2012 10:29:40 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:40 ipsec,debug,packet IV was saved for next processing:
May/26/2012 10:29:40 ipsec,debug,packet 153b57b4 e4f8ff09
May/26/2012 10:29:40 ipsec,debug,packet encryption(3des)
May/26/2012 10:29:40 ipsec,debug,packet with key:
May/26/2012 10:29:40 ipsec,debug,packet dd620bf0 01d5ea09 e9418fd5 f681975f 4454a715 216f0525
May/26/2012 10:29:40 ipsec,debug,packet decrypted payload by IV:
May/26/2012 10:29:40 ipsec,debug,packet c790b9df b5945663
May/26/2012 10:29:40 ipsec,debug,packet decrypted payload, but not trimed.
May/26/2012 10:29:40 ipsec,debug,packet 0b000018 11f19af1 360b16bc 240e5385 4a45c31e 07450eda 0000001c 00000001
May/26/2012 10:29:40 ipsec,debug,packet 0304000e 020f4766 0a000034 00000001 00000001 00000000
May/26/2012 10:29:40 ipsec,debug,packet padding len=1
May/26/2012 10:29:40 ipsec,debug,packet skip to trim padding.
May/26/2012 10:29:40 ipsec,debug,packet decrypted.
May/26/2012 10:29:40 ipsec,debug,packet ed22523c da60675f 6b0cf7eb 9ae2aaf1 08100501 44bed0e7 00000054 0b000018
May/26/2012 10:29:40 ipsec,debug,packet 11f19af1 360b16bc 240e5385 4a45c31e 07450eda 0000001c 00000001 0304000e
May/26/2012 10:29:40 ipsec,debug,packet 020f4766 0a000034 00000001 00000001 00000000
May/26/2012 10:29:40 ipsec,debug,packet HASH with:
May/26/2012 10:29:40 ipsec,debug,packet 44bed0e7 0000001c 00000001 0304000e 020f4766 0a000034 00000001 00000001
May/26/2012 10:29:40 ipsec,debug,packet hmac(hmac_sha1)
May/26/2012 10:29:40 ipsec,debug,packet HASH computed:
May/26/2012 10:29:40 ipsec,debug,packet 11f19af1 360b16bc 240e5385 4a45c31e 07450eda
May/26/2012 10:29:40 ipsec,debug,packet hash validated.
May/26/2012 10:29:40 ipsec,debug,packet begin.
May/26/2012 10:29:40 ipsec,debug,packet seen nptype=8(hash)
May/26/2012 10:29:40 ipsec,debug,packet seen nptype=11(notify)
May/26/2012 10:29:40 ipsec,debug,packet succeed.
May/26/2012 10:29:40 ipsec,debug fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
May/26/2012 10:29:40 ipsec,debug,packet notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=020f4766(size=4).
May/26/2012 10:29:40 ipsec,debug Message: '4 '.
May/26/2012 10:29:50 ipsec,debug,packet 300 bytes from ***MIKROTIK-IP***[500] to ***CISCO-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet sockname ***MIKROTIK-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet send packet from ***MIKROTIK-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet send packet to ***CISCO-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet src4 ***MIKROTIK-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet dst4 ***CISCO-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet 1 times of 300 bytes message will be sent to ***CISCO-IP***[500]
May/26/2012 10:29:50 ipsec,debug,packet resend phase2 packet ed22523cda60675f:6b0cf7eb9ae2aaf1:b7a485be
May/26/2012 10:30:00 ipsec,debug,packet 300 bytes from ***MIKROTIK-IP***[500] to ***CISCO-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet sockname ***MIKROTIK-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet send packet from ***MIKROTIK-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet send packet to ***CISCO-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet src4 ***MIKROTIK-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet dst4 ***CISCO-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet 1 times of 300 bytes message will be sent to ***CISCO-IP***[500]
May/26/2012 10:30:00 ipsec,debug,packet resend phase2 packet ed22523cda60675f:6b0cf7eb9ae2aaf1:b7a485be
May/26/2012 10:30:10 ipsec,debug ***CISCO-IP*** give up to get IPsec-SA due to time up to wait.
May/26/2012 10:30:10 ipsec,debug,packet an undead schedule has been deleted.
May/26/2012 10:30:10 ipsec IPsec-SA expired: ESP/Tunnel ***CISCO-IP***[0]->***MIKROTIK-IP***[0] spi=34555750(0x20f4766)

I would be very appreciative of any help.

Cheers,
Jason

Well, as it turns out, it seems that the Cisco doesn’t like talking to the MikroTik when using a dynamic crypto-map. When setting it to the public IP instead of 0.0.0.0 (which Cisco’s documentation says to do when using a dynamic IP on the other end), the tunnel is established.

The issue I’m having now is that no traffic is being passed over the tunnel. A ping from either side brings up the tunnel, but there is no response on either side.
Any suggestions?

Cheers,
Jason

Hi there! I have the same problem. Did you find any way to make it work?

Unfortunately not… I put this project on the back burner for a bit :(

The most common problem (on the MikroTik end) would be the lack of an exception in /ip firewall nat to accept the VPN traffic before it hits the general masquerading rule.

For the configuration in the posted example it would be something like this:

/ip firewall nat add place-before=0 action=accept chain=srcnat disabled=no dst-address=192.168.16.0/24

I don’t see a NAT exemption on the Cisco config either. Normally, in the ACL for the ip nat inside, you add deny statements from the internal network to the far-end internal network. Also, if you put an ACL on the outside interface, you’d need to allow UDP 500, 4500 & ESP via appropriate permit statements.
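
The two NAT exemptions suggested in the last two replies, checked with first-match rule evaluation. This is an added example, not code from the thread or from either vendor. Assumptions: the sample host addresses are constructed, the MikroTik masquerade rule and the 192.168.5.0/24 MikroTik LAN are inferred from the posted VPN-ACL, and the extended ACL is a hypothetical replacement for the posted access-list 1.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def _net(tokens):
    """Consume one Cisco address spec: any | host A | A WILDCARD | bare A."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ip_network(tokens.pop(0) + "/32")
    if tokens and tokens[0][0].isdigit():
        return ip_network(f"{head}/{tokens.pop(0)}")  # wildcard read as a hostmask
    return ip_network(head + "/32")                   # bare host in a standard ACL

def parse_ace(line):
    """ACE text -> (action, src_net, dst_net); a standard ACE matches any destination."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] == "ip":                             # extended: permit|deny ip SRC DST
        tokens.pop(0)
        return action, _net(tokens), _net(tokens)
    return action, _net(tokens), ANY

def first_match(rules, src, dst):
    """Action of the first rule that matches the flow, or None (no NAT applied)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return None

def is_translated(rules, src, dst):
    """True when source NAT rewrites the flow, so it no longer matches the IPsec selectors."""
    return first_match(rules, src, dst) in ("permit", "masquerade")

# access-list 1 as posted: a standard ACL, so it cannot exempt by destination.
CISCO_POSTED = [parse_ace(ace) for ace in (
    "permit 10.0.0.2", "permit 192.168.16.0 0.0.0.255",
    "permit 192.168.10.0 0.0.0.255", "permit 192.168.5.0 0.0.0.255")]
# Hypothetical extended ACL with the deny-first exemption described in the reply.
CISCO_EXEMPT = [parse_ace(ace) for ace in (
    "deny ip 192.168.16.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "permit ip 192.168.16.0 0.0.0.255 any")]
# MikroTik srcnat chain: the masquerade rule is assumed, the accept rule is from the reply.
MASQUERADE = ("masquerade", ANY, ANY)
ACCEPT_VPN = ("accept", ANY, ip_network("192.168.16.0/24"))

if __name__ == "__main__":
    vpn_out = ("192.168.16.10", "192.168.5.10")       # constructed hosts, Cisco LAN -> MikroTik LAN
    print("Cisco ACL 1 NATs the VPN flow:", is_translated(CISCO_POSTED, *vpn_out))
    print("Cisco exempt ACL NATs it:     ", is_translated(CISCO_EXEMPT, *vpn_out))
```

With the posted access-list 1 the LAN-to-LAN flow is translated, which matches the symptom of a tunnel that comes up but passes no traffic; the deny-first ACL and the accept-before-masquerade rule both leave it untouched.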