Issues Connecting to a given IPsec Server

Hi there,
First of all, I have to apologize if my question is in the wrong category, or worse, if my question is just dumb.
There is a telephony provider which provides IPsec VPN tunnels to its customers. Many features are only available if the user/client has an active tunnel.
The provider is Swyx; there are a few “supported routers” howtos and configuration samples available.

https://service.swyx.net/hc/de/articles/360000466159-SwyxON-Anschluss-eines-Lancom-Gateway-an-SwyxON-mit-IKEv2
https://service.swyx.net/hc/de/articles/360000575725-IPsec-VPN-Parameter-für-VPN-Clients
and https://service.swyx.net/hc/de/article_attachments/360004330299/Swyx_AudioCodes_VPN_TemplateSha256.txt

If I try to get a clue out of this and rebuild all those settings on the RouterBOARD which I have running, I fail at combining /ip/ipsec/peer/ exchange mode “main” and ./Identities “my ID type” set to “fqdn”.
MikroTik seems to require having “my ID Type” set to Address or Auto.
I've started a long trial & error session looking for an exchange mode combination which fires up that tunnel, but none of those settings got me to a Phase 1. Most likely the connections were rejected with the message “NO-PROPOSAL-CHOSEN”.

Is the answer to that problem a quick “MT can't do that, it's impossible”, or could there be a solution, some sort of magical settings which bring up that tunnel?
If you spent your time digging through those Swyx examples, trying to figure out a way,
thanks for that.
Manuel

The first link you’ve provided talks about IKEv2, and you describe problems to set my-id with exchange-mode=main chosen. But to use IKEv2, you need to set exchange-mode=ike2 on your peer representing the SWYX. What’s the outcome if you do it this way?

Hello. I changed the peer key exchange to IKEv2 (which sounds great).
I even managed to get authentication granted, but it keeps failing at initializing phase 2.
Please have a look at my screenshot of the IP/IPsec settings.
The given structure of the VPN server:


Customer Network Address [1]: 192.168.42.0
Customer Network Subnet [1]: 255.255.255.0
Customer Network Wildcard Subnet [1]: 0.0.0.255
Datacenter Network Address: 100.70.2.18
Datacenter Network Subnet: 255.255.255.255
Datacenter Network Wildcard Subnet: 0.0.0.0
Datacenter VPN Peer IP Address: 89.31.7.243
Identity of local VPN Gateway: email@address.de
Preshared key of local VPN Gateway: secretkey
Identity of remote VPN Concentrator: vpn@swyxon.com
Preshared key of remote VPN Concentrator: secretkey


logfile output:
14:05:26 ipsec,info new ike2 SA (I): 192.168.42.1[500]-89.31.7.243[500] spi:440410c588b0907c:d8f8204f1927dc52
14:05:26 ipsec,info IPSEC: : new ike2 SA (I): 192.168.42.1[500]-89.31.7.243[500] spi:440410c588b0907c:d8f8204f1927dc52
14:05:26 ipsec IPSEC: : processing payloads: NOTIFY
14:05:26 ipsec IPSEC: : notify: NAT_DETECTION_SOURCE_IP
14:05:26 ipsec IPSEC: : notify: NAT_DETECTION_DESTINATION_IP
14:05:26 ipsec IPSEC: : init child for policy: 192.168.42.0/24 <=> 100.70.2.18
14:05:26 ipsec IPSEC: : init child continue
14:05:26 ipsec IPSEC: : offering proto: 3
14:05:26 ipsec IPSEC: : proposal #1
14:05:26 ipsec IPSEC: : enc: aes256-cbc
14:05:26 ipsec IPSEC: : auth: sha1
14:05:26 ipsec IPSEC: : ID_I (RFC822): office9596@scouter.de
14:05:26 ipsec IPSEC: : adding payload: ID_I
14:05:26 ipsec,debug IPSEC: : => (size 0x1d)
14:05:26 ipsec,debug IPSEC: : 0000001d 03000000 6f666669 63653935 39364073 636f7574 65722e64 65
14:05:26 ipsec IPSEC: : processing payload: NONCE
14:05:26 ipsec,debug IPSEC: : => auth nonce (size 0x20)
14:05:26 ipsec,debug IPSEC: : f5b5cb31 0963a143 783666bd d1340601 2e2d3c17 8bb95081 64e19f10 f84477ba
14:05:26 ipsec,debug IPSEC: : => SK_p (size 0x20)
14:05:26 ipsec,debug IPSEC: : c317c055 c48f033c 7d2969f4 ee119617 7ca1b288 27c1069c 1e5652e1 2a05ce94
14:05:26 ipsec,debug IPSEC: : => idhash (size 0x20)
14:05:26 ipsec,debug IPSEC: : bfe3c518 d4018e72 47479dc5 49c8d6b8 f836643e ff646552 6df1d503 417e5525
14:05:26 ipsec,debug IPSEC: : => my auth (size 0x20)
14:05:26 ipsec,debug IPSEC: : 28193aec c5d5aa33 82d49654 bc965eee 19322c26 ef8b135e 73e18cf5 862761ab
14:05:26 ipsec IPSEC: : adding payload: AUTH
14:05:26 ipsec,debug IPSEC: : => (size 0x28)
14:05:26 ipsec,debug IPSEC: : 00000028 02000000 28193aec c5d5aa33 82d49654 bc965eee 19322c26 ef8b135e
14:05:26 ipsec,debug IPSEC: : 73e18cf5 862761ab
14:05:26 ipsec IPSEC: : ID_R (RFC822): vpn@swyxon.com
14:05:26 ipsec IPSEC: : adding payload: ID_R
14:05:26 ipsec,debug IPSEC: : => (size 0x16)
14:05:26 ipsec,debug IPSEC: : 00000016 03000000 76706e40 73777978 6f6e2e63 6f6d
14:05:26 ipsec IPSEC: : adding notify: INITIAL_CONTACT
14:05:26 ipsec,debug IPSEC: : => (size 0x8)
14:05:26 ipsec,debug IPSEC: : 00000008 00004000
14:05:26 ipsec IPSEC: : adding payload: SA
14:05:26 ipsec,debug IPSEC: : => (size 0x2c)
14:05:26 ipsec,debug IPSEC: : 0000002c 00000028 01030403 03c818f0 0300000c 0100000c 800e0100 03000008
14:05:26 ipsec,debug IPSEC: : 03000002 00000008 05000000
14:05:26 ipsec IPSEC: : initiator selector: 192.168.42.0/24
14:05:26 ipsec IPSEC: : adding payload: TS_I
14:05:26 ipsec,debug IPSEC: : => (size 0x18)
14:05:26 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff
14:05:26 ipsec IPSEC: : responder selector: 100.70.2.18
14:05:26 ipsec IPSEC: : adding payload: TS_R
14:05:26 ipsec,debug IPSEC: : => (size 0x18)
14:05:26 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212
14:05:26 ipsec IPSEC: : prepearing internal IPv4 address
14:05:26 ipsec IPSEC: : prepearing internal IPv4 netmask
14:05:26 ipsec IPSEC: : prepearing internal IPv6 subnet
14:05:26 ipsec IPSEC: : prepearing internal IPv4 DNS
14:05:26 ipsec IPSEC: : adding payload: CONFIG
14:05:26 ipsec,debug IPSEC: : => (size 0x2c)
14:05:26 ipsec,debug IPSEC: : 0000002c 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
14:05:26 ipsec,debug IPSEC: : 00000000 00030004 00000000
14:05:26 ipsec IPSEC: : ← ike2 request, exchange: AUTH:1 89.31.7.243[500]
14:05:26 ipsec,debug IPSEC: : ===== sending 336 bytes from 192.168.42.1[500] to 89.31.7.243[500]
14:05:26 ipsec,debug IPSEC: : 1 times of 336 bytes message will be sent to 89.31.7.243[500]
14:05:31 ipsec IPSEC: : retransmit
14:05:31 ipsec,debug IPSEC: : ===== sending 336 bytes from 192.168.42.1[500] to 89.31.7.243[500]
14:05:31 ipsec,debug IPSEC: : 1 times of 336 bytes message will be sent to 89.31.7.243[500]
14:05:36 ipsec IPSEC: : retransmit
14:05:36 ipsec,debug IPSEC: : ===== sending 336 bytes from 192.168.42.1[500] to 89.31.7.243[500]
14:05:36 ipsec,debug IPSEC: : 1 times of 336 bytes message will be sent to 89.31.7.243[500]
14:05:41 ipsec IPSEC: : retransmit
14:05:41 ipsec,debug IPSEC: : ===== sending 336 bytes from 192.168.42.1[500] to 89.31.7.243[500]
14:05:41 ipsec,debug IPSEC: : 1 times of 336 bytes message will be sent to 89.31.7.243[500]
14:05:46 ipsec IPSEC: : retransmit
14:05:46 ipsec,debug IPSEC: : ===== sending 336 bytes from 192.168.42.1[500] to 89.31.7.243[500]
14:05:46 ipsec,debug IPSEC: : 1 times of 336 bytes message will be sent to 89.31.7.243[500]


/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=input action=drop protocol=udp in-interface=TCom_pppoe dst-port=53 log=no log-prefix=""
2 chain=input action=drop protocol=udp in-interface=ether2 dst-port=53 log=no log-prefix=""
3 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
4 chain=output action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
5 chain=input action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
6 chain=input action=passthrough protocol=udp in-interface=TCom_pppoe dst-port=500,4500 log=yes log-prefix=""
7 chain=input action=passthrough protocol=ipsec-esp in-interface=TCom_pppoe log=no log-prefix=""
8 chain=input action=accept protocol=ipsec-esp in-interface=ether2 log=no log-prefix=""
9 chain=input action=accept protocol=ipsec-ah in-interface=TCom_pppoe log=no log-prefix=""
10 chain=input action=passthrough protocol=udp in-interface=ether2 dst-port=500,4500 log=no log-prefix=""
11 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
12 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
13 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""


/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=TCom_pppoe log=no log-prefix="" ipsec-policy=out,none
1 chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix="" ipsec-policy=out,none


I tried a lot of trial & error combinations, but unfortunately I am not able to get that tunnel up.
If someone could give me a hint what I am missing, that would be great.
Thanks folks
Manuel
Screenshot_2020-04-12_13-57-06.png

Please post your configuration in text format, your screenshots do not contain the complete configuration and are hard to handle. See the hint in my automatic signature. Press the [Terminal] button on the GUI to get a command line window.

You have mode-config set to request-only in /ip ipsec identity, and if I read the log and their web documents right, the remote party seems not to support mode-config. So set it to none and try again. If I understand right the configuration sheet on the first link, they have assigned you a local subnet on your side, supposing that you will use it only for phones so there is no need to care about the address plan of your internal network. So the /ip ipsec policy item in Mikrotik’s configuration should have the “customer network” (with the appropriate mask size) as src-address (the items in the policy are named from the perspective of local sending), and the “datacenter network address” as dst-address, and refer to the right /ip ipsec proposal item and to the right /ip ipsec peer item. Maybe you’ve done it but you haven’t shown it.

In any case, if it still doesn’t work after you change the identity’s mode-config to none, take a new log and post it along with the configuration export. And when posting, use [code] and [/code] tags around each of the two.

Thanks for being so polite, teaching me how to use this forum correctly. I'll try to take your advice seriously, using quotes and code snippets.


First of all, wow, this setting immediately brought up the tunnel.
If I try to ping 100.70.2.18, it times out.

# apr/12/2020 15:38:42 by RouterOS 6.45.8
# software id = AUPH-Q0VU
#
# model = RB4011iGS+5HacQ2HnD
# serial number = XXXX
/interface bridge
add admin-mac=C4:AD:34:5F:46:4D auto-mac=no comment="Interne Bridge" name=bridge-int
/interface ethernet
set [ find default-name=ether1 ] comment="VDSL uplink Port"
set [ find default-name=ether2 ] comment="Unitymendia uplink Port"
/interface wireless
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(17dBm)+5210/80/P(20dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=\
    auto ssid=MikroTik-5F4657 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-BE98CD \
    wireless-protocol=802.11
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=5 name=TCom_pppoe password=XXX user=XXX0001@t-online.de
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=SSID passphrase=XXX
/caps-man configuration
add country=germany mode=ap name=SSID security=SSID ssid=SSID
/caps-man interface
add configuration=SSID datapath.bridge=bridge-int disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EE master-interface=none name=cap1 radio-mac=C4:AD:34:12:B3:EE \
    radio-name=C4AD3412B3EE
add configuration=SSID datapath.bridge=bridge-int disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EF master-interface=none name=cap2 radio-mac=C4:AD:34:12:B3:EF \
    radio-name=C4AD3412B3EF
add configuration=SSID datapath.bridge=bridge-int disabled=no l2mtu=1600 mac-address=C4:AD:34:5F:46:57 master-interface=none name=cap3 radio-mac=C4:AD:34:5F:46:57 \
    radio-name=C4AD345F4657
add configuration=SSID datapath.bridge=bridge-int disabled=no l2mtu=1600 mac-address=74:4D:28:BE:98:CD master-interface=none name=cap4 radio-mac=74:4D:28:BE:98:CD \
    radio-name=744D28BE98CD
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec peer
add address=89.31.7.243/32 exchange-mode=ike2 local-address=192.168.42.1 name=swyx port=500
/ip ipsec policy group
set [ find default=yes ] name=1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.42.10-192.168.42.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-int lease-time=2w name="Intern_DHCPD  "
/ppp profile
set *0 on-up=":delay 180s\r\
    \n/system script run ddserver"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-int comment=defconf interface=ether5
add bridge=bridge-int comment=defconf interface=ether6
add bridge=bridge-int comment=defconf interface=ether7
add bridge=bridge-int comment=defconf interface=ether8
add bridge=bridge-int comment=defconf interface=ether9
add bridge=bridge-int comment=defconf interface=ether10
add bridge=bridge-int comment=defconf interface=sfp-sfpplus1
add bridge=bridge-int interface=ether3
add bridge=bridge-int interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge-int list=LAN
add interface=ether2 list=WAN
add interface=TCom_pppoe list=WAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=130.180.X.X/29 interface=ether2 network=130.180.X.X
add address=192.168.42.1/24 interface=bridge-int network=192.168.42.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge-int
/ip dhcp-server lease
add address=192.168.42.42 mac-address=00:01:2E:48:CB:30 server="Intern_DHCPD  "
/ip dhcp-server network
add address=192.168.42.0/24 comment=LAN gateway=192.168.42.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=149.112.112.112,2620:fe::fe,9.9.9.9,2620:fe::9
/ip dns static
add address=192.168.42.1 name=router.lan
add address=100.70.2.18 name=swyx.local
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=output dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=passthrough chain=input dst-port=500,4500 in-interface=TCom_pppoe log=yes protocol=udp
add action=accept chain=input in-interface=TCom_pppoe protocol=ipsec-esp
add action=accept chain=input in-interface=ether2 protocol=ipsec-esp
add action=accept chain=input in-interface=TCom_pppoe protocol=ipsec-ah
add action=passthrough chain=input dst-port=500,4500 in-interface=ether2 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment=" Mark IPsec" disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment=" Mark IPsec" disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=TCom_pppoe
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip ipsec identity
add generate-policy=port-override my-id=user-fqdn:user@address.de notrack-chain=output peer=swyx remote-id=user-fqdn:vpn@swyxon.com secret=\
    
/ip ipsec policy
add dst-address=100.70.2.18/32 peer=swyx sa-dst-address=89.31.7.243 sa-src-address=192.168.42.1 src-address=192.168.42.0/24 tunnel=yes
add disabled=yes dst-address=192.168.42.0/24 peer=swyx sa-dst-address=89.31.7.243 sa-src-address=192.168.42.1 src-address=100.70.2.18/32 tunnel=yes
/ip ipsec settings
set accounting=no
/ip route
add check-gateway=ping distance=1 gateway=130.180.X.X
add check-gateway=ping distance=2 gateway=TCom_pppoe
add check-gateway=ping distance=1 dst-address=79.133.X.X/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=1 dst-address=89.31.7.227/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=2 dst-address=89.31.7.227/32 gateway=ether2
add check-gateway=ping comment="swyx VPN Endpunkt" distance=1 dst-address=89.31.7.243/32 gateway=TCom_pppoe
add check-gateway=ping comment="swyx VPN Endpunkt" distance=2 dst-address=89.31.7.243/32 gateway=ether2
/ipv6 address
add from-pool=TComIPv6 interface=bridge-int
/ipv6 dhcp-client
add add-default-route=yes interface=TCom_pppoe pool-name=TComIPv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="incoming  dns  block" dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=XXXr_router
/system logging
add prefix="IPSEC: " topics=ipsec,!packet
add prefix=FIREWALL: topics=firewall
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=TCom_pppoe only-headers=yes

The output of active-peers after the tunnel came up:

/ip ipsec active-peers> print 
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                                                       DYNAMIC-ADDRESS                             
 0    vpn@swyxon.com       established        4m55s                   1 89.31.7.243

Logfile

16:05:44 system,info ipsec policy changed by admin 
16:05:47 ipsec IPSEC: : ph2 possible after ph1 creation 
16:05:47 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:05:47 ipsec IPSEC: : init child continue 
16:05:47 ipsec IPSEC: : offering proto: 3 
16:05:47 ipsec IPSEC: :  proposal #1 
16:05:47 ipsec IPSEC: :   enc: aes256-cbc 
16:05:47 ipsec IPSEC: :   auth: sha1 
16:05:47 ipsec IPSEC: :   dh: modp1536 
16:05:47 ipsec IPSEC: : adding payload: NONCE 
16:05:47 ipsec,debug IPSEC: : => (size 0x1c) 
16:05:47 ipsec,debug IPSEC: : 0000001c b0a0d7e5 6b2a1451 bdff7a14 66d97474 92a447bb 172ce0e5 
16:05:47 ipsec IPSEC: : adding payload: KE 
16:05:47 ipsec,debug IPSEC: : => (size 0xc8) 
16:05:47 ipsec,debug IPSEC: : 000000c8 00050000 eb20e1e0 9a4e140c c322bd29 c4f69bcc 42c9c25f 33b707b6 
16:05:47 ipsec,debug IPSEC: : e8ea992b c238308f c2749c99 714d0b8d b63d62f2 4b8f5419 6c2ca92c b69370be 
16:05:47 ipsec,debug IPSEC: : 96622dd5 ffca10e3 3eef6936 53abaccc 035a807b 1dae7db5 cc736dae 67b07b0a 
16:05:47 ipsec,debug IPSEC: : 38aedef6 0b4f66c4 6c61deee 500de734 1b414739 b4740586 a95ae4fd 9716709a 
16:05:47 ipsec,debug IPSEC: : 8c7dba46 173a65ac 31e79e79 01f071db 539b82fd 26932d11 90025461 f9c15ce6 
16:05:47 ipsec,debug IPSEC: : 05506c43 b96129db d8aca88f 8aa843a4 2b9fdc10 937cd4bc eb8d8cc9 6a6c6d75 
16:05:47 ipsec,debug IPSEC: : ffce250d 7d76dada 
16:05:47 ipsec IPSEC: : adding payload: SA 
16:05:47 ipsec,debug IPSEC: : => (size 0x34) 
16:05:47 ipsec,debug IPSEC: : 00000034 00000030 01030404 089c38c0 0300000c 0100000c 800e0100 03000008 
16:05:47 ipsec,debug IPSEC: : 03000002 03000008 04000005 00000008 05000000 
16:05:47 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:05:47 ipsec IPSEC: : adding payload: TS_I 
16:05:47 ipsec,debug IPSEC: : => (size 0x18) 
16:05:47 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212 
16:05:47 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:05:47 ipsec IPSEC: : adding payload: TS_R 
16:05:47 ipsec,debug IPSEC: : => (size 0x18) 
16:05:47 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff 
16:05:47 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:6 89.31.7.243[500] 
16:05:47 ipsec,debug IPSEC: : ===== sending 544 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:05:47 ipsec,debug IPSEC: : 1 times of 544 bytes message will be sent to 89.31.7.243[500] 
16:05:47 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:05:47 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:6 89.31.7.243[500] 
16:05:47 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:05:47 ipsec IPSEC: : processing payload: ENC 
16:05:47 ipsec,debug IPSEC: : => iv (size 0x10) 
16:05:47 ipsec,debug IPSEC: : 94c07aac ae47ee11 9803f651 b26859fa 
16:05:47 ipsec,debug IPSEC: : => plain payload (trimmed) (size 0x8) 
16:05:47 ipsec,debug IPSEC: : 00000008 00000026 
16:05:47 ipsec,debug IPSEC: : decrypted 
16:05:47 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:05:47 ipsec IPSEC: : create child: initiator finish 
16:05:47 ipsec IPSEC: : processing payloads: NOTIFY 
16:05:47 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:05:47 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:05:52 ipsec IPSEC: : ph2 possible after ph1 creation 
16:05:52 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:05:52 ipsec IPSEC: : init child continue 
16:05:52 ipsec IPSEC: : offering proto: 3 
16:05:52 ipsec IPSEC: :  proposal #1 
16:05:52 ipsec IPSEC: :   enc: aes256-cbc 
16:05:52 ipsec IPSEC: :   auth: sha1 
16:05:52 ipsec IPSEC: :   dh: modp1536 
16:05:52 ipsec IPSEC: : adding payload: NONCE 
16:05:52 ipsec,debug IPSEC: : => (size 0x1c) 
16:05:52 ipsec,debug IPSEC: : 0000001c 0b319176 dcb01f3a 316bd362 7e319278 02ff4d0d 9aeb4a6b 
16:05:52 ipsec IPSEC: : adding payload: KE 
16:05:52 ipsec,debug IPSEC: : => (size 0xc8) 
16:05:52 ipsec,debug IPSEC: : 000000c8 00050000 78968127 68d00da8 87ca2e46 31b7c975 9711565c e56529e3 
16:05:52 ipsec,debug IPSEC: : 0f5868a7 b215f61c 2765bf8f f1170ec1 6e378b73 c5fbc94d 1c3e8b25 631da3c4 
16:05:52 ipsec,debug IPSEC: : 9945b0fc a127f2fa aeb3fc76 880f48a3 0cf872d9 2740bb37 b26cf645 f17520ec 
16:05:52 ipsec,debug IPSEC: : 3f6f449b f5176ce8 179c2fe9 68377f66 b10f57ea a91d0780 635f5992 c8bd494b 
16:05:52 ipsec,debug IPSEC: : 152e4572 12d8cfd5 7596968c 1032d51c 46e0b6c6 325682aa a1bdd13e 389ad3a3 
16:05:52 ipsec,debug IPSEC: : 48c0e191 d070022e 237561ff 204e14af b27043b9 bd5a904c 505b5261 354a0ac5 
16:05:52 ipsec,debug IPSEC: : 2832715d a8cefc6f 
16:05:52 ipsec IPSEC: : adding payload: SA 
16:05:52 ipsec,debug IPSEC: : => (size 0x34) 
16:05:52 ipsec,debug IPSEC: : 00000034 00000030 01030404 01bb3033 0300000c 0100000c 800e0100 03000008 
16:05:52 ipsec,debug IPSEC: : 03000002 03000008 04000005 00000008 05000000 
16:05:52 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:05:52 ipsec IPSEC: : adding payload: TS_I 
16:05:52 ipsec,debug IPSEC: : => (size 0x18) 
16:05:52 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212 
16:05:52 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:05:52 ipsec IPSEC: : adding payload: TS_R 
16:05:52 ipsec,debug IPSEC: : => (size 0x18) 
16:05:52 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff 
16:05:52 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:7 89.31.7.243[500] 
16:05:52 ipsec,debug IPSEC: : ===== sending 528 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:05:52 ipsec,debug IPSEC: : 1 times of 528 bytes message will be sent to 89.31.7.243[500] 
16:05:52 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:05:52 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:7 89.31.7.243[500] 
16:05:52 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:05:52 ipsec IPSEC: : processing payload: ENC 
16:05:52 ipsec,debug IPSEC: : => iv (size 0x10) 
16:05:52 ipsec,debug IPSEC: : 9db54c7f 821432af f28fdc0d c02be2ab 
16:05:52 ipsec,debug IPSEC: : => plain payload (trimmed) (size 0x8) 
16:05:52 ipsec,debug IPSEC: : 00000008 00000026 
16:05:52 ipsec,debug IPSEC: : decrypted 
16:05:52 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:05:52 ipsec IPSEC: : create child: initiator finish 
16:05:52 ipsec IPSEC: : processing payloads: NOTIFY 
16:05:52 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:05:52 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:05:57 ipsec IPSEC: : ph2 possible after ph1 creation 
16:05:57 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:05:57 ipsec IPSEC: : init child continue 
16:05:57 ipsec IPSEC: : offering proto: 3 
16:05:57 ipsec IPSEC: :  proposal #1 
16:05:57 ipsec IPSEC: :   enc: aes256-cbc 
16:05:57 ipsec IPSEC: :   auth: sha1 
16:05:57 ipsec IPSEC: :   dh: modp1536 
16:05:57 ipsec IPSEC: : adding payload: NONCE 
16:05:57 ipsec,debug IPSEC: : => (size 0x1c) 
16:05:57 ipsec,debug IPSEC: : 0000001c 47234f65 446352cf f4f35f6c 0196567e f349f401 a2ce6ddd 
16:05:57 ipsec IPSEC: : adding payload: KE 
16:05:57 ipsec,debug IPSEC: : => (size 0xc8) 
16:05:57 ipsec,debug IPSEC: : 000000c8 00050000 ffd29717 0b704c96 f3d3b0b6 4025466c 5629a935 b8962baf 
16:05:57 ipsec,debug IPSEC: : 0f9f4b22 72a42b17 9b8f2d5e a11452f9 e915c129 360645de f38ca589 c380fef0 
16:05:57 ipsec,debug IPSEC: : f641295a 65a590bb 6747762a db08e2b9 3efd50d9 5a18b72b 724f5028 7edd2bf3 
16:05:57 ipsec,debug IPSEC: : 3e506a4a e1ac2aaf 0c6c41ef 39885daa 3d757662 fbbd9faa 082fd7ce 13c065c6 
16:05:57 ipsec,debug IPSEC: : ca967cd6 e263f050 f3155ae9 8c9a8132 3f6834a3 029b016e b0d979c1 ac6b7ddf 
16:05:57 ipsec,debug IPSEC: : 1b130816 a3c44bae 52abf7ec a46b0e72 a1b9b0f4 1d0f99e8 1cb5965c 02592693 
16:05:57 ipsec,debug IPSEC: : 8076aac6 d4b8d8f1 
16:05:57 ipsec IPSEC: : adding payload: SA 
16:05:57 ipsec,debug IPSEC: : => (size 0x34) 
16:05:57 ipsec,debug IPSEC: : 00000034 00000030 01030404 0583d1a7 0300000c 0100000c 800e0100 03000008 
16:05:57 ipsec,debug IPSEC: : 03000002 03000008 04000005 00000008 05000000 
16:05:57 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:05:57 ipsec IPSEC: : adding payload: TS_I 
16:05:57 ipsec,debug IPSEC: : => (size 0x18) 
16:05:57 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212 
16:05:57 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:05:57 ipsec IPSEC: : adding payload: TS_R 
16:05:57 ipsec,debug IPSEC: : => (size 0x18) 
16:05:57 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff 
16:05:57 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:8 89.31.7.243[500] 
16:05:57 ipsec,debug IPSEC: : ===== sending 512 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:05:57 ipsec,debug IPSEC: : 1 times of 512 bytes message will be sent to 89.31.7.243[500] 
16:05:57 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:05:57 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:8 89.31.7.243[500] 
16:05:57 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:05:57 ipsec IPSEC: : processing payload: ENC 
16:05:57 ipsec,debug IPSEC: : decrypted 
16:05:57 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:05:57 ipsec IPSEC: : create child: initiator finish 
16:05:57 ipsec IPSEC: : processing payloads: NOTIFY 
16:05:57 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:05:57 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:02 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:02 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:02 ipsec IPSEC: : init child continue 
16:06:02 ipsec IPSEC: : offering proto: 3 
16:06:02 ipsec IPSEC: :  proposal #1 
16:06:02 ipsec IPSEC: :   enc: aes256-cbc 
16:06:02 ipsec IPSEC: :   auth: sha1 
16:06:02 ipsec IPSEC: :   dh: modp1536 
16:06:02 ipsec IPSEC: : adding payload: NONCE 
16:06:02 ipsec IPSEC: : adding payload: KE 
16:06:02 ipsec IPSEC: : adding payload: SA 
16:06:02 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:02 ipsec IPSEC: : adding payload: TS_I 
16:06:02 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:02 ipsec IPSEC: : adding payload: TS_R 
16:06:02 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:9 89.31.7.243[500] 
16:06:02 ipsec,debug IPSEC: : ===== sending 480 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:06:02 ipsec,debug IPSEC: : 1 times of 480 bytes message will be sent to 89.31.7.243[500] 
16:06:02 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:06:02 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:9 89.31.7.243[500] 
16:06:02 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:02 ipsec IPSEC: : processing payload: ENC 
16:06:02 ipsec,debug IPSEC: : decrypted 
16:06:02 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:02 ipsec IPSEC: : create child: initiator finish 
16:06:02 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:02 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:02 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:07 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:07 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:07 ipsec IPSEC: : init child continue 
16:06:07 ipsec IPSEC: : offering proto: 3 
16:06:07 ipsec IPSEC: :  proposal #1 
16:06:07 ipsec IPSEC: :   enc: aes256-cbc 
16:06:07 ipsec IPSEC: :   auth: sha1 
16:06:07 ipsec IPSEC: :   dh: modp1536 
16:06:07 ipsec IPSEC: : adding payload: NONCE 
16:06:07 ipsec IPSEC: : adding payload: KE 
16:06:07 ipsec IPSEC: : adding payload: SA 
16:06:07 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:07 ipsec IPSEC: : adding payload: TS_I 
16:06:07 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:07 ipsec IPSEC: : adding payload: TS_R 
16:06:07 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:10 89.31.7.243[500] 
16:06:07 ipsec,debug IPSEC: : ===== sending 544 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:06:07 ipsec,debug IPSEC: : 1 times of 544 bytes message will be sent to 89.31.7.243[500] 
16:06:07 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:06:07 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:10 89.31.7.243[500] 
16:06:07 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:07 ipsec IPSEC: : processing payload: ENC 
16:06:07 ipsec,debug IPSEC: : decrypted 
16:06:07 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:07 ipsec IPSEC: : create child: initiator finish 
16:06:07 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:07 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:07 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:12 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:12 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:12 ipsec IPSEC: : init child continue 
16:06:12 ipsec IPSEC: : offering proto: 3 
16:06:12 ipsec IPSEC: :  proposal #1 
16:06:12 ipsec IPSEC: :   enc: aes256-cbc 
16:06:12 ipsec IPSEC: :   auth: sha1 
16:06:12 ipsec IPSEC: :   dh: modp1536 
16:06:12 ipsec IPSEC: : adding payload: NONCE 
16:06:12 ipsec IPSEC: : adding payload: KE 
16:06:12 ipsec IPSEC: : adding payload: SA 
16:06:12 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:12 ipsec IPSEC: : adding payload: TS_I 
16:06:12 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:12 ipsec IPSEC: : adding payload: TS_R 
16:06:12 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:11 89.31.7.243[500] 
16:06:12 ipsec,debug IPSEC: : ===== sending 480 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:06:12 ipsec,debug IPSEC: : 1 times of 480 bytes message will be sent to 89.31.7.243[500] 
16:06:12 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:06:12 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:11 89.31.7.243[500] 
16:06:12 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:12 ipsec IPSEC: : processing payload: ENC 
16:06:12 ipsec,debug IPSEC: : decrypted 
16:06:12 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:12 ipsec IPSEC: : create child: initiator finish 
16:06:12 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:12 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:12 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:17 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:17 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:17 ipsec IPSEC: : init child continue 
16:06:17 ipsec IPSEC: : offering proto: 3 
16:06:17 ipsec IPSEC: :  proposal #1 
16:06:17 ipsec IPSEC: :   enc: aes256-cbc 
16:06:17 ipsec IPSEC: :   auth: sha1 
16:06:17 ipsec IPSEC: :   dh: modp1536 
16:06:17 ipsec IPSEC: : adding payload: NONCE 
16:06:17 ipsec IPSEC: : adding payload: KE 
16:06:17 ipsec IPSEC: : adding payload: SA 
16:06:17 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:17 ipsec IPSEC: : adding payload: TS_I 
16:06:17 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:17 ipsec IPSEC: : adding payload: TS_R 
16:06:17 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:12 89.31.7.243[500] 
16:06:17 ipsec,debug IPSEC: : ===== sending 544 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:06:17 ipsec,debug IPSEC: : 1 times of 544 bytes message will be sent to 89.31.7.243[500] 
16:06:17 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:06:17 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:12 89.31.7.243[500] 
16:06:17 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:17 ipsec IPSEC: : processing payload: ENC 
16:06:17 ipsec,debug IPSEC: : decrypted 
16:06:17 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:17 ipsec IPSEC: : create child: initiator finish 
16:06:17 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:17 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:17 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:22 ipsec,info killing ike2 SA: 84.134.88.235[500]-89.31.7.243[500] spi:0ae41558038ac834:891190d5eacc1173 
16:06:22 ipsec,info IPSEC: : killing ike2 SA: 84.134.88.235[500]-89.31.7.243[500] spi:0ae41558038ac834:891190d5eacc1173 
16:06:22 ipsec IPSEC: : IPsec-SA killing: 89.31.7.243[500]->84.134.88.235[500] spi=0x409fbe5 
16:06:22 ipsec IPSEC: : IPsec-SA killing: 84.134.88.235[500]->89.31.7.243[500] spi=0xc9baffa1 
16:06:22 ipsec IPSEC: : adding payload: DELETE 
16:06:22 ipsec IPSEC: : <- ike2 request, exchange: INFORMATIONAL:13 89.31.7.243[500] 
16:06:22 ipsec,debug IPSEC: : ===== sending 272 bytes from 84.134.88.235[500] to 89.31.7.243[500] 
16:06:22 ipsec,debug IPSEC: : 1 times of 272 bytes message will be sent to 89.31.7.243[500] 
16:06:22 system,info ipsec peer swyx changed by admin 
16:06:22 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.134.88.235[500] 
16:06:22 ipsec IPSEC: : -> ike2 reply, exchange: INFORMATIONAL:13 89.31.7.243[500] 
16:06:22 ipsec IPSEC: : SPI 34c88a035815e40a not registered for 89.31.7.243[500] 
16:06:24 ipsec IPSEC: : ike2 starting for: 89.31.7.243 
16:06:24 ipsec IPSEC: : adding payload: NONCE 
16:06:24 ipsec IPSEC: : adding payload: KE 
16:06:24 ipsec IPSEC: : adding payload: SA 
16:06:24 ipsec IPSEC: : <- ike2 request, exchange: SA_INIT:0 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : ===== sending 304 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : 1 times of 304 bytes message will be sent to 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : ===== received 398 bytes from 89.31.7.243[500] to 192.168.42.1[500] 
16:06:24 ipsec IPSEC: : -> ike2 reply, exchange: SA_INIT:0 89.31.7.243[500] 
16:06:24 ipsec IPSEC: : ike2 initialize recv 
16:06:24 ipsec IPSEC: : payload seen: SA (48 bytes) 
16:06:24 ipsec IPSEC: : payload seen: KE (200 bytes) 
16:06:24 ipsec IPSEC: : payload seen: NONCE (36 bytes) 
16:06:24 ipsec IPSEC: : payload seen: VID (23 bytes) 
16:06:24 ipsec,debug IPSEC: : 434953434f2d44454c4554452d524541534f4e 
16:06:24 ipsec IPSEC: : payload seen: VID (19 bytes) 
16:06:24 ipsec,debug IPSEC: : 434953434f56504e2d5245562d3032 
16:06:24 ipsec IPSEC: : payload seen: VID (23 bytes) 
16:06:24 ipsec,debug IPSEC: : 434953434f2d44594e414d49432d524f555445 
16:06:24 ipsec IPSEC: : payload seen: VID (21 bytes) 
16:06:24 ipsec,debug IPSEC: : 464c455856504e2d535550504f52544544 
16:06:24 ipsec IPSEC: : processing payload: NONCE 
16:06:24 ipsec IPSEC: : processing payload: SA 
16:06:24 ipsec IPSEC: : IKE Protocol: IKE 
16:06:24 ipsec IPSEC: :  proposal #1 
16:06:24 ipsec IPSEC: :   enc: aes256-cbc 
16:06:24 ipsec IPSEC: :   prf: hmac-sha256 
16:06:24 ipsec IPSEC: :   auth: sha256 
16:06:24 ipsec IPSEC: :   dh: modp1536 
16:06:24 ipsec IPSEC: : matched proposal: 
16:06:24 ipsec IPSEC: :  proposal #1 
16:06:24 ipsec IPSEC: :   enc: aes256-cbc 
16:06:24 ipsec IPSEC: :   prf: hmac-sha256 
16:06:24 ipsec IPSEC: :   auth: sha256 
16:06:24 ipsec IPSEC: :   dh: modp1536 
16:06:24 ipsec IPSEC: : processing payload: KE 
16:06:24 ipsec,info new ike2 SA (I): 192.168.42.1[500]-89.31.7.243[500] spi:3db88fe22e534ad2:46e0fa4582b98060 
16:06:24 ipsec,info IPSEC: : new ike2 SA (I): 192.168.42.1[500]-89.31.7.243[500] spi:3db88fe22e534ad2:46e0fa4582b98060 
16:06:24 ipsec IPSEC: : processing payloads: NOTIFY (none found) 
16:06:24 ipsec IPSEC: : init child for policy: 192.168.42.0/24 <=> 100.70.2.18 
16:06:24 ipsec IPSEC: : init child continue 
16:06:24 ipsec IPSEC: : offering proto: 3 
16:06:24 ipsec IPSEC: :  proposal #1 
16:06:24 ipsec IPSEC: :   enc: aes256-cbc 
16:06:24 ipsec IPSEC: :   auth: sha1 
16:06:24 ipsec IPSEC: : ID_I (RFC822): office9596@scouter.de 
16:06:24 ipsec IPSEC: : adding payload: ID_I 
16:06:24 ipsec IPSEC: : processing payload: NONCE 
16:06:24 ipsec IPSEC: : adding payload: AUTH 
16:06:24 ipsec IPSEC: : ID_R (RFC822): vpn@swyxon.com 
16:06:24 ipsec IPSEC: : adding payload: ID_R 
16:06:24 ipsec IPSEC: : adding notify: INITIAL_CONTACT 
16:06:24 ipsec IPSEC: : adding payload: SA 
16:06:24 ipsec IPSEC: : initiator selector: 192.168.42.0/24 
16:06:24 ipsec IPSEC: : adding payload: TS_I 
16:06:24 ipsec IPSEC: : responder selector: 100.70.2.18 
16:06:24 ipsec IPSEC: : adding payload: TS_R 
16:06:24 ipsec IPSEC: : <- ike2 request, exchange: AUTH:1 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : ===== sending 336 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : 1 times of 336 bytes message will be sent to 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : ===== received 272 bytes from 89.31.7.243[500] to 192.168.42.1[500] 
16:06:24 ipsec IPSEC: : -> ike2 reply, exchange: AUTH:1 89.31.7.243[500] 
16:06:24 ipsec IPSEC: : payload seen: ENC (244 bytes) 
16:06:24 ipsec IPSEC: : processing payload: ENC 
16:06:24 ipsec,debug IPSEC: : decrypted 
16:06:24 ipsec IPSEC: : payload seen: VID (20 bytes) 
16:06:24 ipsec,debug IPSEC: : 47e0fb45918e73276a5d95eb3d058e3b 
16:06:24 ipsec IPSEC: : payload seen: ID_R (22 bytes) 
16:06:24 ipsec IPSEC: : payload seen: AUTH (40 bytes) 
16:06:24 ipsec IPSEC: : payload seen: SA (44 bytes) 
16:06:24 ipsec IPSEC: : payload seen: TS_I (24 bytes) 
16:06:24 ipsec IPSEC: : payload seen: TS_R (24 bytes) 
16:06:24 ipsec IPSEC: : payload seen: NOTIFY (12 bytes) 
16:06:24 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:24 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:24 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:24 ipsec IPSEC: :   notify: SET_WINDOW_SIZE 
16:06:24 ipsec,debug IPSEC: : 00000005 
16:06:24 ipsec IPSEC: :   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
16:06:24 ipsec IPSEC: :   notify: NON_FIRST_FRAGMENTS_ALSO 
16:06:24 ipsec IPSEC: : ike auth: initiator finish 
16:06:24 ipsec IPSEC: : processing payload: ID_R 
16:06:24 ipsec IPSEC: : ID_R (RFC822): vpn@swyxon.com 
16:06:24 ipsec IPSEC: : processing payload: AUTH 
16:06:24 ipsec IPSEC: : requested auth method: SKEY 
16:06:24 ipsec,info,account peer authorized: 192.168.42.1[500]-89.31.7.243[500] spi:3db88fe22e534ad2:46e0fa4582b98060 
16:06:24 ipsec,info,account IPSEC: : peer authorized: 192.168.42.1[500]-89.31.7.243[500] spi:3db88fe22e534ad2:46e0fa4582b98060 
16:06:24 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:24 ipsec IPSEC: :   notify: SET_WINDOW_SIZE 
16:06:24 ipsec,debug IPSEC: : 00000005 
16:06:24 ipsec IPSEC: :   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
16:06:24 ipsec IPSEC: :   notify: NON_FIRST_FRAGMENTS_ALSO 
16:06:24 ipsec IPSEC: : peer selected tunnel mode 
16:06:24 ipsec IPSEC: : processing payload: TS_I 
16:06:24 ipsec IPSEC: : 192.168.42.0/24 
16:06:24 ipsec IPSEC: : processing payload: TS_R 
16:06:24 ipsec IPSEC: : 100.70.2.18 
16:06:24 ipsec IPSEC: : my vs peer's selectors: 
16:06:24 ipsec IPSEC: : 192.168.42.0/24 vs 192.168.42.0/24 
16:06:24 ipsec IPSEC: : 100.70.2.18 vs 100.70.2.18 
16:06:24 ipsec IPSEC: : processing payload: SA 
16:06:24 ipsec IPSEC: : IKE Protocol: ESP 
16:06:24 ipsec IPSEC: :  proposal #1 
16:06:24 ipsec IPSEC: :   enc: aes256-cbc 
16:06:24 ipsec IPSEC: :   auth: sha1 
16:06:24 ipsec IPSEC: : matched proposal: 
16:06:24 ipsec IPSEC: :  proposal #1 
16:06:24 ipsec IPSEC: :   enc: aes256-cbc 
16:06:24 ipsec IPSEC: :   auth: sha1 
16:06:24 ipsec IPSEC: : IPsec-SA established: 89.31.7.243[500]->192.168.42.1[500] spi=0x3f22b36 
16:06:24 ipsec IPSEC: : IPsec-SA established: 192.168.42.1[500]->89.31.7.243[500] spi=0xf61c99fc 
16:06:24 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:24 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:24 ipsec IPSEC: : init child continue 
16:06:24 ipsec IPSEC: : offering proto: 3 
16:06:24 ipsec IPSEC: :  proposal #1 
16:06:24 ipsec IPSEC: :   enc: aes256-cbc 
16:06:24 ipsec IPSEC: :   auth: sha1 
16:06:24 ipsec IPSEC: :   dh: modp1536 
16:06:24 ipsec IPSEC: : adding payload: NONCE 
16:06:24 ipsec IPSEC: : adding payload: KE 
16:06:24 ipsec IPSEC: : adding payload: SA 
16:06:24 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:24 ipsec IPSEC: : adding payload: TS_I 
16:06:24 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:24 ipsec IPSEC: : adding payload: TS_R 
16:06:24 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:2 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : ===== sending 544 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : 1 times of 544 bytes message will be sent to 89.31.7.243[500] 
16:06:29 ipsec IPSEC: : retransmit 
16:06:29 ipsec,debug IPSEC: : ===== sending 544 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
16:06:29 ipsec,debug IPSEC: : 1 times of 544 bytes message will be sent to 89.31.7.243[500] 
16:06:29 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 192.168.42.1[500] 
16:06:29 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:2 89.31.7.243[500] 
16:06:29 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:29 ipsec IPSEC: : processing payload: ENC 
16:06:29 ipsec,debug IPSEC: : decrypted 
16:06:29 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:29 ipsec IPSEC: : create child: initiator finish 
16:06:29 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:29 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:29 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:34 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:34 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:34 ipsec IPSEC: : init child continue 
16:06:34 ipsec IPSEC: : offering proto: 3 
16:06:34 ipsec IPSEC: :  proposal #1 
16:06:34 ipsec IPSEC: :   enc: aes256-cbc 
16:06:34 ipsec IPSEC: :   auth: sha1 
16:06:34 ipsec IPSEC: :   dh: modp1536 
16:06:34 ipsec IPSEC: : adding payload: NONCE 
16:06:34 ipsec IPSEC: : adding payload: KE 
16:06:34 ipsec IPSEC: : adding payload: SA 
16:06:34 ipsec,debug IPSEC: : => (size 0x34) 
16:06:34 ipsec,debug IPSEC: : 00000034 00000030 01030404 05698ae4 0300000c 0100000c 800e0100 03000008 
16:06:34 ipsec,debug IPSEC: : 03000002 03000008 04000005 00000008 05000000 
16:06:34 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:34 ipsec IPSEC: : adding payload: TS_I 
16:06:34 ipsec,debug IPSEC: : => (size 0x18) 
16:06:34 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212 
16:06:34 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:34 ipsec IPSEC: : adding payload: TS_R 
16:06:34 ipsec,debug IPSEC: : => (size 0x18) 
16:06:34 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff 
16:06:34 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:3 89.31.7.243[500] 
16:06:34 ipsec,debug IPSEC: : ===== sending 496 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
16:06:34 ipsec,debug IPSEC: : 1 times of 496 bytes message will be sent to 89.31.7.243[500] 
16:06:34 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 192.168.42.1[500] 
16:06:34 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:3 89.31.7.243[500] 
16:06:34 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:34 ipsec IPSEC: : processing payload: ENC 
16:06:34 ipsec,debug IPSEC: : => iv (size 0x10) 
16:06:34 ipsec,debug IPSEC: : 5a2499b6 3dfd505a d027c447 7c09c175 
16:06:34 ipsec,debug IPSEC: : => plain payload (trimmed) (size 0x8) 
16:06:34 ipsec,debug IPSEC: : 00000008 00000026 
16:06:34 ipsec,debug IPSEC: : decrypted 
16:06:34 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:34 ipsec IPSEC: : create child: initiator finish 
16:06:34 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:34 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:34 ipsec IPSEC: : got error: TS_UNACCEPTABLE 
16:06:39 ipsec IPSEC: : ph2 possible after ph1 creation 
16:06:39 ipsec IPSEC: : init child for policy: 100.70.2.18 <=> 192.168.42.0/24 
16:06:39 ipsec IPSEC: : init child continue 
16:06:39 ipsec IPSEC: : offering proto: 3 
16:06:39 ipsec IPSEC: :  proposal #1 
16:06:39 ipsec IPSEC: :   enc: aes256-cbc 
16:06:39 ipsec IPSEC: :   auth: sha1 
16:06:39 ipsec IPSEC: :   dh: modp1536 
16:06:39 ipsec IPSEC: : adding payload: NONCE 
16:06:39 ipsec,debug IPSEC: : => (size 0x1c) 
16:06:39 ipsec,debug IPSEC: : 0000001c 8c93519e 1ffa6eb9 b4ef7ed2 bd48b7b7 2c3e1a68 55c35437 
16:06:39 ipsec IPSEC: : adding payload: KE 
16:06:39 ipsec,debug IPSEC: : => (size 0xc8) 
16:06:39 ipsec,debug IPSEC: : 000000c8 00050000 8f40e715 c022b26f e20614b2 f79a4a4d 16493260 a186a8cc 
16:06:39 ipsec,debug IPSEC: : cd4c5b6c c963fde9 bc29d98e 92c5d0a5 559a5120 3c33cebf a7234271 31182e68 
16:06:39 ipsec,debug IPSEC: : 6a842b57 04332003 dfbb0969 c3e17ba7 088d00bd 314ffef0 c24026de e29972f4 
16:06:39 ipsec,debug IPSEC: : b507f1c0 41bec591 c0fd9f4e e08fbf36 13506cbf 6fc1c5a7 1fd74a04 97cea660 
16:06:39 ipsec,debug IPSEC: : ccb0a96a fe7ea170 b57bab15 0fd62a07 b0639323 087edd2f fb009ac9 fc41f765 
16:06:39 ipsec,debug IPSEC: : 3b44bc4e e5d41a74 bad22aff 1fc556b8 91817eda 3c431f1f 40bb93b7 20b4276a 
16:06:39 ipsec,debug IPSEC: : a19939bf 6bf8a9d8 
16:06:39 ipsec IPSEC: : adding payload: SA 
16:06:39 ipsec,debug IPSEC: : => (size 0x34) 
16:06:39 ipsec,debug IPSEC: : 00000034 00000030 01030404 0d6113df 0300000c 0100000c 800e0100 03000008 
16:06:39 ipsec,debug IPSEC: : 03000002 03000008 04000005 00000008 05000000 
16:06:39 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:39 ipsec IPSEC: : adding payload: TS_I 
16:06:39 ipsec,debug IPSEC: : => (size 0x18) 
16:06:39 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212 
16:06:39 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:39 ipsec IPSEC: : adding payload: TS_R 
16:06:39 ipsec,debug IPSEC: : => (size 0x18) 
16:06:39 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff 
16:06:39 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:4 89.31.7.243[500] 
16:06:39 ipsec,debug IPSEC: : ===== sending 528 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
16:06:39 ipsec,debug IPSEC: : 1 times of 528 bytes message will be sent to 89.31.7.243[500] 
16:06:39 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 192.168.42.1[500] 
16:06:39 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:4 89.31.7.243[500] 
16:06:39 ipsec IPSEC: : payload seen: ENC (52 bytes) 
16:06:39 ipsec IPSEC: : processing payload: ENC 
16:06:39 ipsec,debug IPSEC: : => iv (size 0x10) 
16:06:39 ipsec,debug IPSEC: : 0012e34e d9730565 d8c71b4e 9540c719 
16:06:39 ipsec,debug IPSEC: : => plain payload (trimmed) (size 0x8) 
16:06:39 ipsec,debug IPSEC: : 00000008 00000026 
16:06:39 ipsec,debug IPSEC: : decrypted 
16:06:39 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:39 ipsec IPSEC: : create child: initiator finish 
16:06:39 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:39 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:39 ipsec IPSEC: : got error: TS_UNACCEPTABLE

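To make the hex dumps in the log above readable, here is an added example (not code from the original post, from MikroTik or from Swyx) that decodes the SA, TS_I, TS_R and NOTIFY payloads RouterOS prints under the ipsec,debug topic, using the layouts from RFC 7296 (generic header 3.2, SA/proposal/transform 3.3, Notify 3.10, Traffic Selector 3.13). The hex strings are copied from the log as sample input (the IKE_SA_INIT proposal comes from a later post in the thread); the code-point tables are a subset covering only the values that occur here, not the full IANA registries.

```python
"""
Decode IKEv2 payload hex dumps from RouterOS ipsec,debug logs.
Added example for this thread; not code from the original post, MikroTik or Swyx.
Layouts per RFC 7296. Dumps below are copied from the thread's log (sample input).
"""
import struct
from ipaddress import IPv4Address, summarize_address_range

# CREATE_CHILD_SA:3 request and reply, copied from the log above.
SA_DUMP = ("00000034 00000030 01030404 05698ae4 0300000c 0100000c 800e0100 03000008 "
           "03000002 03000008 04000005 00000008 05000000")
TS_I_DUMP = "00000018 01000000 07000010 0000ffff 64460212 64460212"
TS_R_DUMP = "00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff"
NOTIFY_DUMP = "00000008 00000026"
# IKE_SA_INIT proposal, copied from the later debug log in this thread.
IKE_SA_DUMP = ("00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 "
               "03000008 0300000c 00000008 04000005")

# Subset of the RFC 7296 / IANA code points that occur in this log.
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE"}
PROTOCOL_IDS = {0: "none", 1: "IKE", 2: "AH", 3: "ESP"}
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
TRANSFORM_IDS = {
    1: {12: "AES_CBC"},
    2: {5: "HMAC_SHA2_256"},
    3: {2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128"},
    4: {5: "MODP_1536", 14: "MODP_2048"},
    5: {0: "NO_ESN", 1: "ESN"},
}
TS_IPV4_ADDR_RANGE = 7
ATTR_KEY_LENGTH = 0x800E  # TV-format "Key Length" transform attribute


def from_dump(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def check_header(data: bytes) -> int:
    """Generic payload header: next payload, critical bit, length. Returns the length."""
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} dumped bytes")
    return length


def decode_notify(dump: str) -> dict:
    """Notify payload: protocol ID, SPI size, notify message type."""
    data = from_dump(dump)
    check_header(data)
    proto, spi_size, ntype = struct.unpack("!BBH", data[4:8])
    return {"protocol": PROTOCOL_IDS.get(proto, proto), "spi_size": spi_size,
            "type": ntype, "name": NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})")}


def decode_ts(dump: str) -> list:
    """Traffic Selector payload -> list of {proto, ports, cidr} for each selector."""
    data = from_dump(dump)
    check_header(data)
    count, off, selectors = data[4], 8, []
    for _ in range(count):
        ts_type, proto, length, sport, eport = struct.unpack("!BBHHH", data[off:off + 8])
        if ts_type != TS_IPV4_ADDR_RANGE:
            raise ValueError(f"TS type {ts_type} not handled by this example")
        start, end = IPv4Address(data[off + 8:off + 12]), IPv4Address(data[off + 12:off + 16])
        selectors.append({"proto": proto, "ports": (sport, eport),
                          "cidr": [str(n) for n in summarize_address_range(start, end)]})
        off += length
    return selectors


def decode_sa(dump: str) -> list:
    """SA payload -> proposals, each with transforms rendered like 'ENCR=AES_CBC-256'."""
    data = from_dump(dump)
    check_header(data)
    off, proposals = 4, []
    while off < len(data):
        _more, _r, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        spi = data[off + 8:off + 8 + spi_size].hex()
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _more, _r, tlen, ttype, _r2, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            name = TRANSFORM_IDS.get(ttype, {}).get(tid, f"id{tid}")
            if tlen > 8:  # only the key-length attribute is expected in this log
                atype, avalue = struct.unpack("!HH", data[toff + 8:toff + 12])
                if atype == ATTR_KEY_LENGTH:
                    name += f"-{avalue}"
            transforms.append(f"{TRANSFORM_TYPES.get(ttype, ttype)}={name}")
            toff += tlen
        proposals.append({"num": num, "protocol": PROTOCOL_IDS.get(proto, proto),
                          "spi": spi, "transforms": transforms})
        off += plen
    return proposals


def explain_create_child() -> dict:
    """What the router offered in CREATE_CHILD_SA:3 and what the peer answered."""
    return {"sa": decode_sa(SA_DUMP), "ts_i": decode_ts(TS_I_DUMP),
            "ts_r": decode_ts(TS_R_DUMP), "reply": decode_notify(NOTIFY_DUMP)}


if __name__ == "__main__":
    for key, value in explain_create_child().items():
        print(f"{key}: {value}")
    print("ike_sa_init:", decode_sa(IKE_SA_DUMP))
```

Run as a script to print the decoded payloads. For a TS_UNACCEPTABLE reply the useful thing to compare is the TS_I/TS_R pair (here 100.70.2.18/32 and 192.168.42.0/24, any protocol, any port) against whatever selectors the peer's policy is configured with; the decoder makes that pair explicit instead of leaving it as hex, and also confirms the ESP proposal (AES-CBC-256, HMAC-SHA1-96, MODP-1536, no ESN) that the plain-text log lines summarise.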
The hide-sensitive is there on purpose - you’ve edited out the pppoe username and password but forgot to edit the IPsec secret from the identity. Edit the post quickly or even better ask swyx for a new secret.

I’ll come back, I just wanted to let you know about the leaked secret quickly.

Shame on me, thanks for the note. I will follow your suggestion.

The log confuses me - on one hand, it says that the traffic selectors are the same:

16:06:24 ipsec IPSEC: : processing payload: TS_I 
16:06:24 ipsec IPSEC: : 192.168.42.0/24 
16:06:24 ipsec IPSEC: : processing payload: TS_R 
16:06:24 ipsec IPSEC: : 100.70.2.18 
16:06:24 ipsec IPSEC: : my vs peer's selectors: 
16:06:24 ipsec IPSEC: : 192.168.42.0/24 vs 192.168.42.0/24 
16:06:24 ipsec IPSEC: : 100.70.2.18 vs 100.70.2.18

On the other hand, it says that the swyx side rejects our traffic selector:

16:06:24 ipsec IPSEC: : initiator selector: 100.70.2.18 
16:06:24 ipsec IPSEC: : adding payload: TS_I 
16:06:24 ipsec,debug IPSEC: : => (size 0x18) 
16:06:24 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff 64460212 64460212 
16:06:24 ipsec IPSEC: : responder selector: 192.168.42.0/24 
16:06:24 ipsec IPSEC: : adding payload: TS_R 
16:06:24 ipsec,debug IPSEC: : => (size 0x18) 
16:06:24 ipsec,debug IPSEC: : 00000018 01000000 07000010 0000ffff c0a82a00 c0a82aff 
16:06:24 ipsec IPSEC: : <- ike2 request, exchange: CREATE_CHILD_SA:2 89.31.7.243[500] 
16:06:24 ipsec,debug IPSEC: : ===== sending 544 bytes from 192.168.42.1[500] to 89.31.7.243[500] 
...
16:06:29 ipsec IPSEC: : -> ike2 reply, exchange: CREATE_CHILD_SA:2 89.31.7.243[500] 
...
16:06:29 ipsec IPSEC: : payload seen: NOTIFY (8 bytes) 
16:06:29 ipsec IPSEC: : create child: initiator finish 
16:06:29 ipsec IPSEC: : processing payloads: NOTIFY 
16:06:29 ipsec IPSEC: :   notify: TS_UNACCEPTABLE 
16:06:29 ipsec IPSEC: : got error: TS_UNACCEPTABLE

Could it be that while you were taking the logs, you still had both the correct policy (src-address=192.168.42.0/24) and the wrong policy (dst-address=192.168.42.0/24) enabled simultaneously?

I also do not like that you have a manually configured policy and at the same time generate-policy in /ip ipsec identity is set to port-override; there is a point in having both a static policy and an open possibility that the peer can add another one, but it’s not the case here so set the generate-policy to no.

Once you clean that up, what does /ip ipsec installed-sa show while /ip ipsec active-peers print says the tunnel is up? In the output of this installed-sa command, you normally don't need to filter out the keys as they are only used for an hour or so and there is a replay attack protection, but if there is almost no traffic like in your case, better do filter them out before posting.

I currently cannot see any reason at your side why the ping should not get through except for the possible rejection of the policy at the remote end. Some security-oriented people tend to ignore incoming ping requests, so if your phones register with them, the fact that ping doesn’t get through is not relevant; if they don’t, I’ll have to read your configuration again.

I cleaned up the policy creation (auto to none).

[admin@CMPN_router] /ip ipsec> /export hide-sensitive
# apr/12/2020 16:49:52 by RouterOS 6.45.8
# software id = AUPH-Q0VU
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E00BB49C2C
/interface bridge
add admin-mac=C4:AD:34:5F:46:4D auto-mac=no comment="CMPN Interne Bridge" name=bridge-CMPN
/interface ethernet
set [ find default-name=ether1 ] comment="VDSL uplink Port"
set [ find default-name=ether2 ] comment="Unitymendia uplink Port"
/interface wireless
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(17dBm)+5210/80/P(20dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=\
    auto ssid=MikroTik-5F4657 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-BE98CD \
    wireless-protocol=802.11
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=5 name=TCom_pppoe user=XXXX@t-online.de
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=SSID
/caps-man configuration
add country=germany mode=ap name=SSID security=SSID ssid=SSID
/caps-man interface
add configuration=SSID datapath.bridge=bridge-CMPN disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EE master-interface=none name=cap1 radio-mac=C4:AD:34:12:B3:EE \
    radio-name=C4AD3412B3EE
add configuration=SSID datapath.bridge=bridge-CMPN disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EF master-interface=none name=cap2 radio-mac=C4:AD:34:12:B3:EF \
    radio-name=C4AD3412B3EF
add configuration=SSID datapath.bridge=bridge-CMPN disabled=no l2mtu=1600 mac-address=C4:AD:34:5F:46:57 master-interface=none name=cap3 radio-mac=C4:AD:34:5F:46:57 \
    radio-name=C4AD345F4657
add configuration=SSID datapath.bridge=bridge-CMPN disabled=no l2mtu=1600 mac-address=74:4D:28:BE:98:CD master-interface=none name=cap4 radio-mac=74:4D:28:BE:98:CD \
    radio-name=744D28BE98CD
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec peer
add address=89.31.7.243/32 exchange-mode=ike2 name=swyx port=500
/ip ipsec policy group
set [ find default=yes ] name=1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.42.10-192.168.42.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-CMPN lease-time=2w name="CMPN-Intern_DHCPD  "
/ppp profile
set *0 on-up=":delay 180s\r\
    \n/system script run ddserver"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-CMPN comment=defconf interface=ether5
add bridge=bridge-CMPN comment=defconf interface=ether6
add bridge=bridge-CMPN comment=defconf interface=ether7
add bridge=bridge-CMPN comment=defconf interface=ether8
add bridge=bridge-CMPN comment=defconf interface=ether9
add bridge=bridge-CMPN comment=defconf interface=ether10
add bridge=bridge-CMPN comment=defconf interface=sfp-sfpplus1
add bridge=bridge-CMPN interface=ether3
add bridge=bridge-CMPN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge-CMPN list=LAN
add interface=ether2 list=WAN
add interface=TCom_pppoe list=WAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=130.180.XX.XX/29 interface=ether2 network=130.180.118.112
add address=192.168.42.1/24 interface=bridge-CMPN network=192.168.42.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge-CMPN
/ip dhcp-server lease
add address=192.168.42.42 mac-address=00:01:2E:48:CB:30 server="CMPN-Intern_DHCPD  "
/ip dhcp-server network
add address=192.168.42.0/24 comment=CMPNLAN gateway=192.168.42.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=149.112.112.112,2620:fe::fe,9.9.9.9,2620:fe::9
/ip dns static
add address=192.168.42.1 name=router.lan
add address=100.70.2.18 name=swyx.CMPN.local
/ip firewall address-list
add address=100.70.2.18 list=SWYX
/ip firewall filter
add action=accept chain=forward comment="accept in ipsec policy" in-interface=TCom_pppoe ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec out-interface=TCom_pppoe
add action=drop chain=input dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=output dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=passthrough chain=input dst-port=500,4500 in-interface=TCom_pppoe log=yes protocol=udp
add action=accept chain=input in-interface=TCom_pppoe protocol=ipsec-esp
add action=accept chain=input in-interface=ether2 protocol=ipsec-esp
add action=passthrough chain=input dst-port=500,4500 in-interface=ether2 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=TCom_pppoe
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip ipsec identity
add my-id=user-fqdn:email@CMPN.de notrack-chain=output peer=swyx remote-id=user-fqdn:vpn@swyxon.com
/ip ipsec policy
set 0 disabled=yes
add dst-address=100.70.2.18/32 peer=swyx sa-dst-address=89.31.7.243 sa-src-address=0.0.0.0 src-address=192.168.42.0/24 tunnel=yes
add disabled=yes dst-address=89.31.7.243/32 peer=swyx src-address=0.0.0.0/0
/ip ipsec settings
set accounting=no
/ip route
add check-gateway=ping distance=1 gateway=130.180.X.X
add check-gateway=ping distance=2 gateway=TCom_pppoe
add check-gateway=ping distance=1 dst-address=79.133.49.101/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=1 dst-address=89.31.7.227/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=2 dst-address=89.31.7.227/32 gateway=ether2
add check-gateway=ping comment="swyx VPN Endpunkt" distance=1 dst-address=89.31.7.243/32 gateway=TCom_pppoe
add check-gateway=ping comment="swyx VPN Endpunkt" distance=2 dst-address=89.31.7.243/32 gateway=ether2
/ipv6 address
add from-pool=TComIPv6 interface=bridge-CMPN
/ipv6 dhcp-client
add add-default-route=yes interface=TCom_pppoe pool-name=TComIPv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="incoming  dns  block" dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CMPN_router
/system logging
add prefix="IPSEC: " topics=ipsec,!packet
add prefix=FIREWALL: topics=firewall
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=TCom_pppoe only-headers=yes

/ip ipsec installed-sa> print

Flags: H - hw-aead, A - AH, E - ESP 
 0 HE spi=0x5AFE65C src-address=89.31.7.243 dst-address=84.134.88.235 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="2b2fb98dc4f48890f3089aefdec370f09c39371a" enc-key="6de16e32eaa3eb01c9a8f462afeec11ee21736cc0c8b71f40087d58610285a64" addtime=apr/12/2020 16:48:13 expires-in=51m41s 
      add-lifetime=48m10s/1h13s current-bytes=6745 current-packets=12 replay=128 

 1 HE spi=0xC3C50D7E src-address=84.134.88.235 dst-address=89.31.7.243 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="2fe5cad63771abfffbd2e7787e73a06b284d42c8" enc-key="057a27b71244fd435b314e0a7669ef88b197ae2a7a14a5b6bc1e2954016b4a8a" addtime=apr/12/2020 16:48:13 expires-in=51m41s 
      add-lifetime=48m10s/1h13s 
 current-bytes=30649 current-packets=519 replay=128

/ip ipsec active-peers print

Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                                                       DYNAMIC-ADDRESS                             
 0    vpn@swyxon.com       established        9m50s                   1 89.31.7.243

If I remember right, the swyx-datacenter IP has been pingable before the router got replaced by a MikroTik.
If I traceroute that IP from a client in the LAN, I just get 1 hop, to the MT router, but not any further.

The installed-sa show traffic in both directions, and I still cannot see anything wrong with the firewall.

So run a forever ping to 100.70.2.18 on the external machine from which you did the traceroute (not on the MikroTik itself), and show me the output of
/ip firewall connection print detail where protocol~"icmp"
while the ping is running.

Show me also /ip ipsec policy print detail.

/ip firewall connection print detail where protocol~"icmp"

 Flags: H - hw-aead, A - AH, E - ESP 
 0 HE spi=0x5AFE65C src-address=89.31.7.243 dst-address=84.134.88.235 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="2b2fb98dc4f48890f3089aefdec370f09c39371a" enc-key="6de16e32eaa3eb01c9a8f462afeec11ee21736cc0c8b71f40087d58610285a64" addtime=apr/12/2020 16:48:13 expires-in=49m13s 
      add-lifetime=48m10s/1h13s current-bytes=8990 current-packets=16 replay=128 

 1 HE spi=0xC3C50D7E src-address=84.134.88.235 dst-address=89.31.7.243 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="2fe5cad63771abfffbd2e7787e73a06b284d42c8" enc-key="057a27b71244fd435b314e0a7669ef88b197ae2a7a14a5b6bc1e2954016b4a8a" addtime=apr/12/2020 16:48:13 expires-in=49m13s 
      add-lifetime=48m10s/1h13s current-bytes=40098 current-packets=676 replay=128 
[admin@scouter_router] /ip ipsec installed-sa> /ip firewall connection print detail where protocol~"icmp"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  S C     protocol=icmp src-address=130.180.118.XX dst-address=130.180.118.113 reply-src-address=130.180.118.113 reply-dst-address=130.180.118.114 icmp-type=8 icmp-code=0 
            icmp-id=55062 timeout=5s orig-packets=1 orig-bytes=56 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=1 repl-bytes=56 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

 1    C  s  protocol=icmp src-address=192.168.42.42 dst-address=100.70.2.18 reply-src-address=100.70.2.18 reply-dst-address=130.180.118.114 icmp-type=8 icmp-code=0 icmp-id=29042 
            timeout=9s orig-packets=3 798 orig-bytes=319 032 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=42.3kbps repl-rate=0bps

There is something wrong: the reply-dst-address=130.180.118.114 is not the one equal to the outgoing interface. I have a dual-WAN setup. All IPv4 traffic should be routed to ether2/130.180.118.114,
but the VPN endpoint should be preferred via TCom_pppoe.
If I disable the PPPoE uplink, all data flows through ether2 and the reply-dst-address is correct in that case, but changing to the "fallback" provider does not re-establish the tunnel.
The debug log says:

19:28:04 ipsec IPSEC: : ike2 starting for: 89.31.7.243 
19:28:04 ipsec IPSEC: : adding payload: NONCE 
19:28:04 ipsec,debug IPSEC: : => (size 0x1c) 
19:28:04 ipsec,debug IPSEC: : 0000001c fff04674 0edca8d2 5983ebd1 8ab3053f 8ba78ea1 e52d3fb1 
19:28:04 ipsec IPSEC: : adding payload: KE 
19:28:04 ipsec,debug IPSEC: : => (size 0xc8) 
19:28:04 ipsec,debug IPSEC: : 000000c8 00050000 c7166867 65d5ed43 1fe4b7fd 11392a80 aeeabb5a d39e5b7f 
19:28:04 ipsec,debug IPSEC: : 4ddf07e3 2a06fac2 3deb595e ed02a094 44764185 0e9474b0 6a5a30ed 6c0ac43c 
19:28:04 ipsec,debug IPSEC: : 276b1df6 efc95c48 640de335 c172bf1b 5abff772 d3826694 5fd340ce c64a3056 
19:28:04 ipsec,debug IPSEC: : 280e943f 39ae15ea 92776520 7c018d8d 755877c7 bf10fc5d f455c222 1a9fc2d9 
19:28:04 ipsec,debug IPSEC: : 21e925d8 f8e70963 a2f8b11b e714b3ad caab4b09 264b6984 aa40a470 bb8a164f 
19:28:04 ipsec,debug IPSEC: : 9f2fd700 c0d041ad 4f1a2c9e dbc22eff 593ed19c 5c1d0ba5 e0c852ff 279a4a37 
19:28:04 ipsec,debug IPSEC: : d99456c6 e4b10336 
19:28:04 ipsec IPSEC: : adding payload: SA 
19:28:04 ipsec,debug IPSEC: : => (size 0x30) 
19:28:04 ipsec,debug IPSEC: : 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
19:28:04 ipsec,debug IPSEC: : 03000008 0300000c 00000008 04000005 
19:28:04 ipsec IPSEC: : <- ike2 request, exchange: SA_INIT:0 89.31.7.243[500] 
19:28:04 ipsec,debug IPSEC: : ===== sending 304 bytes from 130.180.118.114[500] to 89.31.7.243[500] 
19:28:04 ipsec,debug IPSEC: : 1 times of 304 bytes message will be sent to 89.31.7.243[500]

/ip ipsec policy print detail

Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 TX* group=1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  peer=swyx tunnel=yes src-address=192.168.42.0/24 src-port=any dst-address=100.70.2.18/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
       sa-src-address=0.0.0.0 sa-dst-address=89.31.7.243 proposal=default ph2-count=1

If the VPN tunnel is only working on the PPPoE connection, it would be fine. I could live with that solution. So I'll need a way to replace the reply-dst-address for those outgoing packets with the sa-dst-address=89.31.7.243.
Could you please give me a hint on that?
Thanks

Exactly. My reason to ask you for the /ip firewall connection output was to find out whether the firewall blocks the connection (which it doesn't) or whether it src-nats it although it should not, which it does.

Normally, the two action=masquerade rules in the srcnat chain of /ip firewall nat should ignore any packets handled by IPsec, as they contain the ipsec-policy=out,none matcher so they should only match on packets which do not match any active IPsec policy. One possibility is that the setting notrack-chain=output in the /ip ipsec identity somehow affects that (although it should not), another possibility is that it is simply broken for some other reason. So first break the ping, neutralize that setting (which should cause a re-negotiation of the tunnel; if it doesn't, disable and re-enable the identity), check that /ip firewall connection print detail interval=1 where dst-address~"100.70.2.18" shows nothing (the icmp connection lifetime should be just 10 seconds), and then start pinging again. If the reply-dst-address is still wrong, break the ping, add a rule action=accept chain=srcnat src-address=192.168.42.0/24 dst-address=100.70.2.18 before (above) the two action=masquerade ones, let the existing icmp connection disappear if it hasn't yet, and try pinging one more time.


This is weird. I don’t understand why one action=masquerade rule should behave different from the other one.

That's also strange to me. If you used action=srcnat, or no srcnat rule at all, for the outgoing traffic via the PPPoE interface, I would say that it happens because the connection tracking keeps the IPsec control connection and thus src-nats the outgoing packets to the now-dead source address, but since you use action=masquerade, the tracked connections via that interface should be flushed immediately as it goes down. But the question is, do you disable the PPPoE interface itself, or do you disable the Ethernet port to which it is attached (ether1)? This may theoretically make a difference (although it should not). So again, run /ip firewall connection print detail interval=1s where dst-address~":4500" while the VPN connection runs through the PPPoE, you should see exactly one connection there. Then, in another window, disable the Ethernet interface and see whether the connection disappears, or at least changes the src-address and reply-dst-address and packet count. It may be that the IPsec process doesn't notice the disappearance of the address as the PPPoE goes down, and keeps trying to send from it until it finds out that the peer stopped responding, or something alike, so it may just need time to notice the problem and start from scratch.

In the meantime I configured load balancing with the PCC method, to make sure every packet gets sorted depending on the outgoing interface. It seems to work fine.
If I traceroute 89.31.7.243 from the MikroTik, it shows that it is using WAN1; IPsec SAs seem to be installed.
After establishing the tunnel, a traceroute from the MT device to 100.70.2.18 shows it tries to send it via WAN2 instead of towards the IPsec tunnel.
Below is the output while having a ping running from a network client to 100.70.2.18:
/ip firewall connection print detail interval=1 where dst-address="100.70.2.18"

Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 1    C     protocol=icmp src-address=192.168.42.42 dst-address=100.70.2.18 reply-src-address=100.70.2.18 reply-dst-address=192.168.42.42 icmp-type=8 icmp-code=0 icmp-id=18064 
            timeout=9s connection-mark="WAN2" orig-packets=2 532 orig-bytes=212 688 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 
            repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=42.3kbps repl-rate=0bps

Complete config including load balancing:

/interface bridge
add admin-mac=C4:AD:34:5F:46:4D auto-mac=no comment="XXX Interne Bridge" name=bridge-XXX
/interface ethernet
set [ find default-name=ether1 ] comment="VDSL uplink Port"
set [ find default-name=ether2 ] comment="Unitymendia uplink Port"
/interface wireless
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(17dBm)+5210/80/P(20dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=\
    auto ssid=MikroTik-5F4657 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-BE98CD \
    wireless-protocol=802.11
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=5 name=TCom_pppoe user=XX@t-online.de
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=SSID
/caps-man configuration
add country=germany mode=ap name=SSID security=SSID ssid=SSID
/caps-man interface
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EE master-interface=none name=cap1 radio-mac=C4:AD:34:12:B3:EE \
    radio-name=C4AD3412B3EE
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EF master-interface=none name=cap2 radio-mac=C4:AD:34:12:B3:EF \
    radio-name=C4AD3412B3EF
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=C4:AD:34:5F:46:57 master-interface=none name=cap3 radio-mac=C4:AD:34:5F:46:57 \
    radio-name=C4AD345F4657
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=74:4D:28:BE:98:CD master-interface=none name=cap4 radio-mac=74:4D:28:BE:98:CD \
    radio-name=744D28BE98CD
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec peer
add address=89.31.7.243/32 exchange-mode=ike2 name=swyx port=500
/ip ipsec policy group
set [ find default=yes ] name=1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.42.10-192.168.42.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-XXX lease-time=2w name="XXX-Intern_DHCPD  "
/ppp profile
set *0 on-up=":delay 180s\r\
    \n/system script run ddserver"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-XXX comment=defconf interface=ether5
add bridge=bridge-XXX comment=defconf interface=ether6
add bridge=bridge-XXX comment=defconf interface=ether7
add bridge=bridge-XXX comment=defconf interface=ether8
add bridge=bridge-XXX comment=defconf interface=ether9
add bridge=bridge-XXX comment=defconf interface=ether10
add bridge=bridge-XXX comment=defconf interface=sfp-sfpplus1
add bridge=bridge-XXX interface=ether3
add bridge=bridge-XXX interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge-XXX list=LAN
add interface=ether2 list=WAN
add interface=TCom_pppoe list=WAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=130.180.118.114/29 interface=ether2 network=130.180.118.112
add address=192.168.42.1/24 interface=bridge-XXX network=192.168.42.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge-XXX
/ip dhcp-server lease
add address=192.168.42.42 mac-address=00:01:2E:48:CB:30 server="XXX-Intern_DHCPD  "
/ip dhcp-server network
add address=192.168.42.0/24 comment=XXXLAN gateway=192.168.42.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=149.112.112.112,2620:fe::fe,9.9.9.9,2620:fe::9
/ip dns static
add address=192.168.42.1 name=router.lan
add address=100.70.2.18 name=swyx.XXX.local
/ip firewall address-list
add address=100.70.2.18 list=SWYX
/ip firewall filter
add action=accept chain=forward comment="accept in ipsec policy" in-interface=TCom_pppoe ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec out-interface=TCom_pppoe
add action=drop chain=input dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=output dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=passthrough chain=input dst-port=500,4500 in-interface=TCom_pppoe log=yes protocol=udp
add action=accept chain=input in-interface=TCom_pppoe protocol=ipsec-esp
add action=accept chain=input in-interface=ether2 protocol=ipsec-esp
add action=passthrough chain=input dst-port=500,4500 in-interface=ether2 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=TCom_pppoe new-connection-mark=WAN1 passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=WAN1 out-interface=TCom_pppoe passthrough=no
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=WAN2 out-interface=ether2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-XXX new-connection-mark=WAN1 per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-XXX new-connection-mark=WAN2 per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=bridge-XXX new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=bridge-XXX new-routing-mark=WAN2 passthrough=no
/ip firewall nat
add action=accept chain=srcnat dst-address=100.70.2.18 src-address=192.168.42.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=TCom_pppoe
add action=masquerade chain=srcnat out-interface=TCom_pppoe packet-mark=no-mark
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip ipsec identity
add my-id=user-fqdn:email@XXX.de notrack-chain=prerouting peer=swyx remote-id=user-fqdn:vpn@swyxon.com
/ip ipsec policy
set 0 disabled=yes
add dst-address=100.70.2.18/32 peer=swyx sa-dst-address=89.31.7.243 sa-src-address=0.0.0.0 src-address=192.168.42.0/24 tunnel=yes
/ip ipsec settings
set accounting=no
/ip route
add check-gateway=ping distance=1 gateway=TCom_pppoe routing-mark=WAN1
add check-gateway=ping distance=1 gateway=130.180.118.113 routing-mark=WAN2
add check-gateway=arp distance=1 gateway=TCom_pppoe
add check-gateway=ping distance=2 gateway=130.180.118.113
add check-gateway=ping distance=1 dst-address=79.133.49.101/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=1 dst-address=89.31.7.227/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=2 dst-address=89.31.7.227/32 gateway=ether2
add check-gateway=ping comment="swyx VPN Endpunkt" distance=1 dst-address=89.31.7.243/32 gateway=TCom_pppoe
add check-gateway=ping comment="swyx VPN Endpunkt" distance=2 dst-address=89.31.7.243/32 gateway=ether2
/ipv6 address
add from-pool=TComIPv6 interface=bridge-XXX
/ipv6 dhcp-client
add add-default-route=yes interface=TCom_pppoe pool-name=TComIPv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input comment="incoming  dns  block" dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=XXX_router
/system logging
add prefix="IPSEC: " topics=ipsec,!packet
add prefix=FIREWALL: topics=firewall
/system package update
set channel=long-term
/system script
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=TCom_pppoe only-headers=yes

Unless something has dramatically changed, IPsec policies ignore any connection-marks, routing-marks and other stuff, they just steal packets they like. So the mere fact that the connection shows a connection mark WAN2 should not mean that it is actually routed through there. Only /tool sniffer quick ip-address=100.70.2.18 while pinging will show you which interfaces the ping actually traverses. As you have a public IP on your machine, the SAs use plain ESP, so there is a good chance that the PCC sends the ESP via another interface than the control traffic of the IPsec, so the remote peer ignores the ESP as it comes to it from a wrong address, which explains why the pings remain unresponded even though the reply-dst-address (which is actually the src-nated-src-address) is not changed any more so they should be handled by the SA.

So it would be good to finish one task first, i.e. set up the IPsec session completely via one WAN with the other one disabled, test that it completely works, and only then return to the load distribution, taking the specifics of IPsec into account. I’m not really sure whether the ESP connection inherits connection-mark from the control connection; if it does, choice of WAN according to connection-mark (by means of translating connection-mark to routing-mark in mangle) would save the show; assigning routing-mark directly using PCC with no specific treatment for the IPsec is definitely not the right way to go.

I did disable the second uplink. Yesterday I disabled the pppoe-device to trigger a fallback, now I disabled ether2 to completely depend on the pppoe connection.
So, there is just one possible way for packets to reach the outer world. The ipsec tunnel seems to come up fine, but…
If I try to ping/traceroute 100.70.2.18 from the MT device, I'll get an answer from my pppoe gateway: "network unreachable".

/tool sniffer quick ip-address=100.70.2.18

INTERFACE                      TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP 
ether9                       17.292      5 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
bridge-scouter               17.292      6 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
ether9                       18.316      7 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
bridge-scouter               18.316      8 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
ether6                         18.5      9 <-  7C:2F:80:77:8D:EC C4:AD:34:5F:46:4D        192.168.42.26:6013                  100.70.2.18:5060 (sip)              ip:udp       60   1 no 
bridge-scouter                 18.5     10 <-  7C:2F:80:77:8D:EC C4:AD:34:5F:46:4D        192.168.42.26:6013                  100.70.2.18:5060 (sip)              ip:udp       60   1 no 
ether6                        18.61     11 <-  7C:2F:80:77:8E:A9 C4:AD:34:5F:46:4D        192.168.42.7:6008                   100.70.2.18:5060 (sip)              ip:udp       60   0 no 
bridge-scouter                18.61     12 <-  7C:2F:80:77:8E:A9 C4:AD:34:5F:46:4D        192.168.42.7:6008                   100.70.2.18:5060 (sip)              ip:udp       60   0 no 
ether9                        19.34     13 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
bridge-scouter                19.34     14 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
ether9                       20.364     15 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
bridge-scouter               20.364     16 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18                         ip:icmp      98   2 no 
ether9                       21.388     17 <-  00:01:2E:48:CB:30 C4:AD:34:5F:46:4D        192.168.42.42                       100.70.2.18

If i lookup
/ip firewall connection> print

Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 7  S C     ipsec... 84.138.232.226        89.31.7.243                       9m59s         1216bps      0bps       10 267        1 078       1 806 568         680 048
12  SAC     udp      84.138.232.226:500    89.31.7.243:500                   2m39s            0bps      0bps          870          870         156 088         105 808

It seems to have a connection established, and there are packets going in each direction.
While having a ping from a client running, I again checked
/ip firewall connection print detail where protocol~"icmp"

Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0    C     protocol=icmp src-address=192.168.42.42 dst-address=100.70.2.18 reply-src-address=100.70.2.18 reply-dst-address=192.168.42.42 icmp-type=8 icmp-code=0 icmp-id=27977 
            timeout=9s connection-mark="WAN2" orig-packets=922 orig-bytes=77 448 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=672bps repl-rate=0bps

Apart from the fact that it gets the connection-mark WAN2 (whose interface is disabled), it looks right to me.
With the /tool sniffer there are connections from sip2dect devices popping up, but they have the same problem: no reachable route.
I must still have something essential missing, or I am not able to see it.
With ipsec debug enabled there are “reply ignored” showing in the logfile. Is this about right?

11:35:28 ipsec,debug IPSEC: : reply ignored 
11:36:28 ipsec IPSEC: : sending dpd packet 
11:36:28 ipsec IPSEC: : <- ike2 request, exchange: INFORMATIONAL:50 89.31.7.243[500] 
11:36:28 ipsec,debug IPSEC: : ===== sending 160 bytes from 84.138.232.226[500] to 89.31.7.243[500] 
11:36:28 ipsec,debug IPSEC: : 1 times of 160 bytes message will be sent to 89.31.7.243[500] 
11:36:28 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.138.232.226[500] 
11:36:28 ipsec IPSEC: : -> ike2 reply, exchange: INFORMATIONAL:50 89.31.7.243[500] 
11:36:28 ipsec IPSEC: : payload seen: ENC (52 bytes) 
11:36:28 ipsec IPSEC: : processing payload: ENC 
11:36:28 ipsec,debug IPSEC: : => iv (size 0x10) 
11:36:28 ipsec,debug IPSEC: : 5a49879d ed76b1a9 354738d9 c19dd265 
11:36:28 ipsec,debug IPSEC: : => plain payload (trimmed) (size 0x0) 
11:36:28 ipsec,debug IPSEC: : decrypted 
11:36:28 ipsec IPSEC: : respond: info 
11:36:28 ipsec,debug IPSEC: : reply ignored 
11:37:28 ipsec IPSEC: : sending dpd packet 
11:37:28 ipsec IPSEC: : <- ike2 request, exchange: INFORMATIONAL:51 89.31.7.243[500] 
11:37:28 ipsec,debug IPSEC: : ===== sending 144 bytes from 84.138.232.226[500] to 89.31.7.243[500] 
11:37:28 ipsec,debug IPSEC: : 1 times of 144 bytes message will be sent to 89.31.7.243[500] 
11:37:28 ipsec,debug IPSEC: : ===== received 80 bytes from 89.31.7.243[500] to 84.138.232.226[500] 
11:37:28 ipsec IPSEC: : -> ike2 reply, exchange: INFORMATIONAL:51 89.31.7.243[500] 
11:37:28 ipsec IPSEC: : payload seen: ENC (52 bytes) 
11:37:28 ipsec IPSEC: : processing payload: ENC 
11:37:28 ipsec,debug IPSEC: : => iv (size 0x10) 
11:37:28 ipsec,debug IPSEC: : 02baed13 c06c6551 660a6edb 0ae9fbb1 
11:37:28 ipsec,debug IPSEC: : => plain payload (trimmed) (size 0x0) 
11:37:28 ipsec,debug IPSEC: : decrypted 
11:37:28 ipsec IPSEC: : respond: info 
11:37:28 ipsec,debug IPSEC: : reply ignored

It’s really weird… what do /ip ipsec policy print detail and /ip ipsec installed-sa print detail show in the state you’ve described above?

BTW, and running ahead of the events, the firewall does not recognize the ESP flow related to an IPsec control connection as connection-state=related, so it doesn’t inherit the connection-mark from the control connection, hence you’ll have to assign the same connection-mark to both (or, better to say, all three possible as the ESP connection can be initiated from any side) connections “by hand” in order to make them always take the same WAN.
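One way to do that marking "by hand", as an added example that is not part of the thread or of sindy's reply: the IKE control connection (UDP 500/4500) and the ESP flows in both directions get the same connection-mark before the PCC rules see them, and the mark is then translated into the routing-mark. It assumes the peer address 89.31.7.243, the marks WAN1/WAN2 and the PCC rules from the config posted above; the new rules must sit above the PCC mark-connection rules in the mangle table.

```routeros
# Added example (not from the thread): pin IKE and ESP for the SWYX peer to WAN1
# with one explicit connection-mark so PCC never splits them across uplinks.
# Assumes peer 89.31.7.243 and the connection/routing mark WAN1 used in this thread.
/ip firewall mangle
# Router-originated IKE (UDP 500/4500) towards the peer
add chain=output dst-address=89.31.7.243 protocol=udp dst-port=500,4500 \
    connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
# Router-originated ESP towards the peer (plain ESP, no NAT-T, as in this setup)
add chain=output dst-address=89.31.7.243 protocol=ipsec-esp \
    connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
# Peer-initiated IKE and ESP: ESP has no ports, so conntrack keeps one entry per
# direction; mark the inbound one too so its replies leave via the same WAN
add chain=input src-address=89.31.7.243 protocol=udp dst-port=500,4500 \
    connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=input src-address=89.31.7.243 protocol=ipsec-esp \
    connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
# Translate the connection-mark into the routing-mark for router-originated packets
add chain=output connection-mark=WAN1 action=mark-routing new-routing-mark=WAN1 passthrough=no
```

Check the result with /tool sniffer quick ip-address=89.31.7.243: both the UDP 500 packets and the ESP packets must show the same uplink interface.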

Well thanks sindy, you really helped me out. It seems to be just like you suspected yesterday, the swyx-internal-ip just does not ping back. If I use a client to telnet 100.70.2.18 5060 I do get a response. So I assume now that it is working already. It probably was working yesterday already, but I have been too focused on getting a ping reply from inside the IPsec tunnel that I was not able to think about that.
Sorry for that but thanks a lot for your time, helping me out to get my configs straight.

Hello everyone,

I'm having trouble establishing a connection to a partner's IPsec VPN server after they updated their system. The VPN tunnel used to work, but after the update, I received new configuration requirements and can't seem to make it work anymore. I'm using a RB4011iGS+5HacQ2HnD running RouterOS 7.19.4.

My current configuration (sanitized):

/ip ipsec profile
add name=swyx2025 dh-group=ecp521,modp3072 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256

/ip ipsec peer
add address=89.184.160.252/32 exchange-mode=ike2 name=swyx port=500 profile=swyx2025

/ip ipsec identity
add my-id=user-fqdn:office9596@fqdn.de peer=swyx remote-id=user-fqdn:vpn@swyxon.com notrack-chain=prerouting

/ip ipsec proposal
add name=swyx-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 lifetime=1h pfs-group=ecp521

/ip ipsec policy
add dst-address=100.70.2.18/32 src-address=192.168.42.0/24 peer=swyx tunnel=yes proposal=swyx-proposal

The remote side now requires aes-256-gcm and modern DH groups (ECP521 or MODP3072), and this is where I'm stuck.

Problem:

Whenever I try to change the proposal to use aes-256-gcm, I get this error:

/ip/ipsec/proposal> set swyx-proposal enc-algorithms=aes-256-gcm pfs-group=ecp521 lifetime=1h
failure: AEAD already provides authentication

I also tried:

add name=swyx-proposal enc-algorithms=aes-256-gcm auth-algorithms=none pfs-group=ecp521 lifetime=1h

And even:

auth-algorithms=null

None of these worked — I always get the same "AEAD already provides authentication" error.

Remote Site Requirements:

  • IKE version: IKEv2
  • Gateway: DNS-based (FQDN)
  • DPD: 60 seconds
  • NAT Traversal: Automatic / Enabled
  • IKE Exchange: Main Mode
  • Short Hold Time: 9999

Phase 1 (IKE):

  • DH Groups: 21 (ecp521), 15 (modp3072)
  • IKE Proposal List:
    • AES256GCM-PRFSHA256
    • AES256GCM-PRFSHA384
  • Authentication: Pre-Shared Key
  • Lifetime: 86400 seconds

Phase 2 (ESP):

  • Encryption: AES-GCM-256
  • PFS Group: 21 or 15
  • Authentication (ESP): HMAC-SHA256
  • AH: None
  • IPCOMP: None
  • Lifetime: 3600 seconds

My Questions:

  1. How do I properly configure a proposal using aes-256-gcm without hitting the AEAD/authentication conflict?
  2. Is there a known workaround in RouterOS 7.19.4 for using GCM without conflicting auth-algorithms?
  3. Am I missing a key setting or workaround to make this compatible with the new server setup?

Simply remove the proposal and make a new one where you do not provide the auth-algorithms parameter.

Well, it does not allow me to :frowning:
/ip/ipsec/proposal> set swyx-proposal enc-algorithms=aes-256-gcm pfs-group=ecp521 lifetime=1h
failure: AEAD already provides authentication