L2TP VPN error

okriso · December 6, 2020, 10:24pm

Hello,

I am very new to networking in general and i have been attempting to set up a VPN between my iPhone7 and iPad back to my MikroTik router so i can access my home network.

To date i have reviewed the following to ‘teach’ me how to correctly set up my VPN and used the forum to assist however i still cannot achieve a connection:

Manual - Road Warrior set up https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Forum - similar problem i think but solution did not appear to work for me http://forum.mikrotik.com/t/problem-with-l2pt-vpn/115524/1
Forum - my first form post looking for assistance http://forum.mikrotik.com/t/setting-up-vpn-on-mt-router-for-iphone-client/143405/1

as of today, i have reviewed debug logs and i note the following:
`

19:34:53 ipsec no template matches 
19:34:53 ipsec failed to get proposal for responder. 
19:34:53 ipsec,error 192.168.88.186 failed to pre-process ph2 packet.

`

192.168.88.186 is my iPhone.

When i look at my configuration i note the following problem is flagged:

/ip ipsec peer print 
Flags: X - disabled, D - dynamic, R - responder 
 0  DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes 
 1   R ;;; This entry is unreachable
 name="peer1" passive=yes profile=default exchange-mode=main send-initial-contact=yes

The unreachable entry was configured in response to the suggestion from my original form post which you can see in the links above. On my iPhone i am using the correct server address, Account = vpn and passwords match.

I’m not sure what the next steps are to fix this issue.

Thanks in advance for you time and assistance.

sindy · December 7, 2020, 1:54pm

First, if you look at the two peers, they are identical except the name. It’s because the use-ipsec setting of /interface l2tp-server server should actually read create-ipsec-part-dynamically. So you should either set it to yes (as you did) and not create the peer and identity manually, or set it to no and manually configure the peer and identity; the former approach is simpler, the latter allows you to use an other than default /ip ipsec profile row for the peer, and other than default policy-template-group for the /ip ipsec identity (and the policy template in that other group may use a different row of /ip ipsec proposal). Using own profiles and proposals makes sense in more complex setups; for a single L2TP/IPsec server, it is way easier to use the automatically created settings and modify the default profile and proposal.

Your log says that Phase 2 has failed. It is not crystal clear what exactly has failed, as it claims both no template matches and failed to get proposal for responder, but let’s assume that the default policy template of “any address to any address with proposal default” exists; if so, the proposal default doesn’t match any of the supported algorithm tuples proposed for Phase 2 by the Apple devices.

So activate IPsec logging:
/system logging add topics=ipsec,!packet
Then, run
/log print follow-only file=ipsec-start where topics~“ipsec”
Next, press [Connect] on the Apple device
Once it fails, stop the /log print … command, download the file ipsec-start.txt, and start reading it. It will show you what algorithm tuples (“transforms”) the Apple device offers for Phase 2.

okriso · December 7, 2020, 10:30pm

@sindy, Thank you for your response, much appreciated…

Please find the output from the process you have outlined. Am i right in thinking “IKE” is what the Apple device is offering for phase 2, currently i have L2TP as the vpn “Type” on my iPhone?

# dec/ 8/2020  9:12:39 by RouterOS 6.47.6
# software id = KVPC-4MCK
#
dec/08 09:12:49 ipsec received Vendor ID: RFC 3947 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
dec/08 09:12:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
dec/08 09:12:49 ipsec received Vendor ID: FRAGMENTATION 
dec/08 09:12:49 ipsec Fragmentation enabled 
dec/08 09:12:49 ipsec received Vendor ID: DPD 
dec/08 09:12:49 ipsec 192.168.88.186 Selected NAT-T version: RFC 3947 
dec/08 09:12:50 ipsec sent phase1 packet 124.186.209.234[500]<=>192.168.88.186[500] 848e0a9d7d8ada16:c7a5cb03a0d6564c 
dec/08 09:12:50 ipsec NAT not detected  
dec/08 09:12:50 ipsec Adding remote and local NAT-D payloads. 
dec/08 09:12:50 ipsec sent phase1 packet XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] 848e0a9d7d8ada16:c7a5cb03a0d6564c 
dec/08 09:12:50 ipsec 192.168.88.186 ignore INITIAL-CONTACT notification, because it is only accepted after phase1. 
dec/08 09:12:51 ipsec respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] 
dec/08 09:12:51 ipsec searching for policy for selector: XXX.XXX.XXX.XXX:XXXX ip-proto:17 <=> 192.168.88.186:53098 ip-proto:17 
dec/08 09:12:51 ipsec no template matches 
dec/08 09:12:51 ipsec failed to get proposal for responder. 
dec/08 09:13:21 ipsec purged ISAKMP-SA XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] spi=848e0a9d7d8ada16:c7a5cb03a0d6564c.

sindy · December 8, 2020, 7:10am

I wonder how exactly you have filtered the log? It doesn’t show the ipsec,debug lines, so the information we actually need is not visible. Could it be that you’ve confused the ~ (regexp match) and = (literal match) symbols?

Also, show me the output of /ip ipsec policy export verbose.

Not really. L2TP/IPsec is literally that, L2TP over IPsec. L2TP’s optional embedded security mechanisms are weak, which means that it is almost never used alone, so even though you choose just “L2TP” on the Apple, it actually means “L2TP/IPsec”.

So an IPsec transport security association is created first and then used to transport bare L2TP’s transport packets. L2TP itself is a flavor of PPP using UDP as transport.

IPsec works in steps - in Phase 1, the peers agree on encryption and authentication to be used during that Phase and authentify to each other, and then they negotiate encryption, authentication, and traffic selectors for the security association(s) to be used for actual transport of data - this is Phase 2. IKE(v1) is the protocol used to control these negotiations; ISAKMP is used to manage the encryption keys during Phase 1.

In your case, either the template used to create the actual policy for Phase 2 is completely unavailable or doesn’t fit for the traffic selector required by the initiator (the Apple device), which is public.ip.of.mikrotik:1701 ip-proto:17(UDP) <=> 192.168.88.186:53098 ip-proto:17(UDP), or the template cannot be used because its associated proposal contains none of the transforms suggested by the initiator.

okriso · December 8, 2020, 7:40am

HI @sindy,

Apologies for not getting this the first time, the full file now added:

# dec/ 8/2020 18:28:50 by RouterOS 6.47.6
# software id = KVPC-4MCK
#
18:28:57 ipsec,debug ===== received 788 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:28:57 ipsec,debug === 
18:28:57 ipsec,info respond new phase 1 (Identity Protection): XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] 
18:28:57 ipsec,debug begin. 
18:28:57 ipsec,debug seen nptype=1(sa) len=516 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug seen nptype=13(vid) len=24 
18:28:57 ipsec,debug seen nptype=13(vid) len=20 
18:28:57 ipsec,debug succeed. 
18:28:57 ipsec received Vendor ID: RFC 3947 
18:28:57 ipsec,debug received unknown Vendor ID 
18:28:57 ipsec,debug 4df37928 e9fc4fd1 b3262170 d515c662 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
18:28:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
18:28:57 ipsec received Vendor ID: FRAGMENTATION 
18:28:57 ipsec Fragmentation enabled 
18:28:57 ipsec received Vendor ID: DPD 
18:28:57 ipsec,debug remote supports DPD 
18:28:57 ipsec 192.168.88.186 Selected NAT-T version: RFC 3947 
18:28:57 ipsec,debug total SA len=512 
18:28:57 ipsec,debug 00000001 00000001 000001f8 0101000e 03000024 01010000 800b0001 800c0e10 
18:28:57 ipsec,debug 80010007 800e0100 80030001 80020004 8004000e 03000024 02010000 800b0001 
18:28:57 ipsec,debug 800c0e10 80010007 800e0100 80030001 80020002 8004000e 03000024 03010000 
18:28:57 ipsec,debug 800b0001 800c0e10 80010007 800e0100 80030001 80020001 8004000e 03000024 
18:28:57 ipsec,debug 04010000 800b0001 800c0e10 80010007 800e0100 80030001 80020006 8004000e 
18:28:57 ipsec,debug 03000024 05010000 800b0001 800c0e10 80010007 800e0100 80030001 80020004 
18:28:57 ipsec,debug 80040005 03000024 06010000 800b0001 800c0e10 80010007 800e0100 80030001 
18:28:57 ipsec,debug 80020002 80040005 03000024 07010000 800b0001 800c0e10 80010007 800e0100 
18:28:57 ipsec,debug 80030001 80020001 80040005 03000024 08010000 800b0001 800c0e10 80010007 
18:28:57 ipsec,debug 800e0100 80030001 80020004 80040002 03000024 09010000 800b0001 800c0e10 
18:28:57 ipsec,debug 80010007 800e0100 80030001 80020002 80040002 03000024 0a010000 800b0001 
18:28:57 ipsec,debug 800c0e10 80010007 800e0100 80030001 80020001 80040002 03000024 0b010000 
18:28:57 ipsec,debug 800b0001 800c0e10 80010007 800e0080 80030001 80020002 80040002 03000024 
18:28:57 ipsec,debug 0c010000 800b0001 800c0e10 80010007 800e0080 80030001 80020001 80040002 
18:28:57 ipsec,debug 03000020 0d010000 800b0001 800c0e10 80010005 80030001 80020002 80040002 
18:28:57 ipsec,debug 00000020 0e010000 800b0001 800c0e10 80010005 80030001 80020001 80040002 
18:28:57 ipsec,debug begin. 
18:28:57 ipsec,debug seen nptype=2(prop) len=504 
18:28:57 ipsec,debug succeed. 
18:28:57 ipsec,debug proposal #1 len=504 
18:28:57 ipsec,debug begin. 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=36 
18:28:57 ipsec,debug seen nptype=3(trns) len=32 
18:28:57 ipsec,debug seen nptype=3(trns) len=32 
18:28:57 ipsec,debug succeed. 
18:28:57 ipsec,debug transform #1 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
18:28:57 ipsec,debug hash(sha2_256) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
å18:28:57 ipsec,debug dh(modp2048) 
18:28:57 ipsec,debug transform #2 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug hash(sha1) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug dh(modp2048) 
18:28:57 ipsec,debug transform #3 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug hash(md5) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug dh(modp2048) 
18:28:57 ipsec,debug transform #4 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=6 
18:28:57 ipsec,debug hash(sha2_512) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug dh(modp2048) 
18:28:57 ipsec,debug transform #5 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
18:28:57 ipsec,debug hash(sha2_256) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group 
18:28:57 ipsec,debug dh(modp1536) 
18:28:57 ipsec,debug transform #6 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug hash(sha1) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group 
18:28:57 ipsec,debug dh(modp1536) 
18:28:57 ipsec,debug transform #7 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug hash(md5) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group 
18:28:57 ipsec,debug dh(modp1536) 
18:28:57 ipsec,debug transform #8 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
18:28:57 ipsec,debug hash(sha2_256) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug transform #9 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug hash(sha1) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug transform #10 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug hash(md5) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug transform #11 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug hash(sha1) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug transform #12 len=36 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug hash(md5) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug transform #13 len=32 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug hash(sha1) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug transform #14 len=32 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug hash(md5) 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug pair 1: 
18:28:57 ipsec,debug  0x4a5868: next=(nil) tnext=0x4a0d00 
18:28:57 ipsec,debug   0x4a0d00: next=(nil) tnext=0x4a6da8 
18:28:57 ipsec,debug    0x4a6da8: next=(nil) tnext=0x4a5b38 
18:28:57 ipsec,debug     0x4a5b38: next=(nil) tnext=0x4a5b50 
18:28:57 ipsec,debug      0x4a5b50: next=(nil) tnext=0x4a5698 
18:28:57 ipsec,debug       0x4a5698: next=(nil) tnext=0x4a56b0 
18:28:57 ipsec,debug        0x4a56b0: next=(nil) tnext=0x4a66a8 
18:28:57 ipsec,debug         0x4a66a8: next=(nil) tnext=0x4a66c0 
18:28:57 ipsec,debug          0x4a66c0: next=(nil) tnext=0x4a62b8 
18:28:57 ipsec,debug           0x4a62b8: next=(nil) tnext=0x4a62d0 
18:28:57 ipsec,debug            0x4a62d0: next=(nil) tnext=0x4a6a28 
18:28:57 ipsec,debug             0x4a6a28: next=(nil) tnext=0x4a6a40 
18:28:57 ipsec,debug              0x4a6a40: next=(nil) tnext=0x4a67a0 
18:28:57 ipsec,debug               0x4a67a0: next=(nil) tnext=(nil) 
18:28:57 ipsec,debug proposal #1: 14 transform 
18:28:57 ipsec,debug -checking with pre-shared key auth- 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=1, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=2, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=3, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=4, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=6 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:6 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:6 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:6 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:6 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:6 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:6 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=5, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=6, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=7, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1536-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=8, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:4 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=9, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=10, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #5: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #6: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = 3DES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 0:256) 
18:28:57 ipsec,debug hashtype = SHA:MD5 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=14 
18:28:57 ipsec,debug trns#=11, trns-id=IKE 
18:28:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
18:28:57 ipsec,debug type=Life Duration, flag=0x8000, lorv=3600 
18:28:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
18:28:57 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:28:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
18:28:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
18:28:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #1: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:128) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #2: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 192:128) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #3: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:128) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -compare proposal #4: Local:Peer 
18:28:57 ipsec,debug (lifetime = 86400:3600) 
18:28:57 ipsec,debug (lifebyte = 0:0) 
18:28:57 ipsec,debug enctype = AES-CBC:AES-CBC 
18:28:57 ipsec,debug (encklen = 128:128) 
18:28:57 ipsec,debug hashtype = SHA:SHA 
18:28:57 ipsec,debug authmethod = pre-shared key:pre-shared key 
18:28:57 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
18:28:57 ipsec,debug -an acceptable proposal found- 
18:28:57 ipsec,debug dh(modp1024) 
18:28:57 ipsec,debug -agreed on pre-shared key auth- 
18:28:57 ipsec,debug === 
18:28:57 ipsec,debug new cookie: 
18:28:57 ipsec,debug 2dabecf291d347ed 
18:28:57 ipsec,debug add payload of len 52, next type 13 
18:28:57 ipsec,debug add payload of len 16, next type 13 
18:28:57 ipsec,debug add payload of len 16, next type 13 
18:28:57 ipsec,debug add payload of len 20, next type 0 
18:28:57 ipsec,debug 148 bytes from XXX.XXX.XXX.XXX[500] to 192.168.88.186[500] 
18:28:57 ipsec,debug 1 times of 148 bytes message will be sent to 192.168.88.186[500] 
18:28:57 ipsec sent phase1 packet XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] 6b262a833ec543b8:2dabecf291d347ed 
18:28:58 ipsec,debug ===== received 228 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:28:58 ipsec,debug begin. 
18:28:58 ipsec,debug seen nptype=4(ke) len=132 
18:28:58 ipsec,debug seen nptype=10(nonce) len=20 
18:28:58 ipsec,debug seen nptype=20(nat-d) len=24 
18:28:58 ipsec,debug seen nptype=20(nat-d) len=24 
18:28:58 ipsec,debug succeed. 
18:28:58 ipsec,debug XXX.XXX.XXX.XXX Hashing XXX.XXX.XXX.XXX[500] with algo #2  
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug NAT-D payload #0 verified 
18:28:58 ipsec,debug 192.168.88.186 Hashing 192.168.88.186[500] with algo #2  
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug NAT-D payload #1 verified 
18:28:58 ipsec NAT not detected  
18:28:58 ipsec,debug === 
18:28:58 ipsec,debug dh(modp1024) 
18:28:58 ipsec,debug 192.168.88.186 Hashing 192.168.88.186[500] with algo #2  
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug XXX.XXX.XXX.XXX Hashing XXX.XXX.XXX.XXX[500] with algo #2  
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec Adding remote and local NAT-D payloads. 
18:28:58 ipsec,debug add payload of len 128, next type 10 
18:28:58 ipsec,debug add payload of len 24, next type 20 
18:28:58 ipsec,debug add payload of len 20, next type 20 
18:28:58 ipsec,debug add payload of len 20, next type 0 
18:28:58 ipsec,debug 236 bytes from XXX.XXX.XXX.XXX[500] to 192.168.88.186[500] 
18:28:58 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.88.186[500] 
18:28:58 ipsec sent phase1 packet XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] 6b262a833ec543b8:2dabecf291d347ed 
18:28:58 ipsec,debug dh(modp1024) 
18:28:58 ipsec,debug nonce 1:  
18:28:58 ipsec,debug a334c3c9 4472b389 d91fa873 c76b4ef9 
18:28:58 ipsec,debug nonce 2:  
18:28:58 ipsec,debug 9ff9704e d3957f2c f11f48d7 0184bc82 7a4ba0ab f2551caa 
18:28:58 ipsec,debug SKEYID computed: 
18:28:58 ipsec,debug 417a6e83 26bc417c 125652c3 16fe972c 5572673c 
18:28:58 ipsec,debug SKEYID_d computed: 
18:28:58 ipsec,debug 09d655cb 21d52dbc 0dd133f2 b2e059fa 8fa3e906 
18:28:58 ipsec,debug SKEYID_a computed: 
18:28:58 ipsec,debug f9c041fa 8059a83f e7bd8970 7dd8aa8e 0998fd9e 
18:28:58 ipsec,debug SKEYID_e computed: 
18:28:58 ipsec,debug d6abdfc9 34068014 b4eeb6db 1b340c34 91352cd8 
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug final encryption key computed: 
18:28:58 ipsec,debug d6abdfc9 34068014 b4eeb6db 1b340c34 
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug IV computed: 
18:28:58 ipsec,debug 62d5d7da d6004bfd ca5d9d77 8d85e4aa 
18:28:58 ipsec,debug ===== received 108 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:28:58 ipsec,debug begin. 
18:28:58 ipsec,debug seen nptype=5(id) len=12 
18:28:58 ipsec,debug seen nptype=8(hash) len=24 
18:28:58 ipsec,debug seen nptype=11(notify) len=28 
18:28:58 ipsec,debug succeed. 
18:28:58 ipsec,debug 192.168.88.186 Notify Message received 
18:28:58 ipsec 192.168.88.186 ignore INITIAL-CONTACT notification, because it is only accepted after phase1. 
18:28:58 ipsec,debug HASH received: 
18:28:58 ipsec,debug 267754a5 fd03936f d60449be dec86f41 49020144 
18:28:58 ipsec,debug HASH for PSK validated. 
18:28:58 ipsec,debug 192.168.88.186 peer's ID 
18:28:58 ipsec,debug 011101f4 c0a858ba 
18:28:58 ipsec,debug === 
18:28:58 ipsec,debug use ID type of IPv4_address 
18:28:58 ipsec,debug generate HASH_R 
18:28:58 ipsec,debug add payload of len 8, next type 8 
18:28:58 ipsec,debug add payload of len 20, next type 0 
18:28:58 ipsec,debug 76 bytes from XXX.XXX.XXX.XXX[500] to 192.168.88.186[500] 
18:28:58 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.88.186[500] 
18:28:58 ipsec,info ISAKMP-SA established XXX.XXX.XXX.XXX[500]-192.168.88.186[500] spi:6b262a833ec543b8:2dabecf291d347ed 
18:28:58 ipsec,debug === 
18:28:58 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug === 
18:28:58 ipsec respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] 
18:28:58 ipsec,debug begin. 
18:28:58 ipsec,debug seen nptype=8(hash) len=24 
18:28:58 ipsec,debug seen nptype=1(sa) len=264 
18:28:58 ipsec,debug seen nptype=10(nonce) len=20 
18:28:58 ipsec,debug seen nptype=5(id) len=12 
18:28:58 ipsec,debug seen nptype=5(id) len=12 
18:28:58 ipsec,debug succeed. 
18:28:58 ipsec,debug received IDci2: 
18:28:58 ipsec,debug 0111c002 c0a858ba 
18:28:58 ipsec,debug received IDcr2: 
18:28:58 ipsec,debug 011106a5 7cbad1ea 
18:28:58 ipsec,debug HASH(1) validate: 
18:28:58 ipsec,debug 9899854b c76aa6c7 8337b77d 55470fe4 16f91a22 
18:28:58 ipsec,debug total SA len=260 
18:28:58 ipsec,debug 00000001 00000001 000000fc 01030409 05268cfd 0300001c 010c0000 80010001 
18:28:58 ipsec,debug 80020e10 80040002 80060100 80050005 0300001c 020c0000 80010001 80020e10 
18:28:58 ipsec,debug 80040002 80060100 80050002 0300001c 030c0000 80010001 80020e10 80040002 
18:28:58 ipsec,debug 80060100 80050001 0300001c 040c0000 80010001 80020e10 80040002 80060080 
18:28:58 ipsec,debug 80050005 0300001c 050c0000 80010001 80020e10 80040002 80060080 80050002 
18:28:58 ipsec,debug 0300001c 060c0000 80010001 80020e10 80040002 80060080 80050001 03000018 
18:28:58 ipsec,debug 07030000 80010001 80020e10 80040002 80050005 03000018 08030000 80010001 
18:28:58 ipsec,debug 80020e10 80040002 80050002 00000018 09030000 80010001 80020e10 80040002 
18:28:58 ipsec,debug 80050001 
18:28:58 ipsec,debug begin. 
18:28:58 ipsec,debug seen nptype=2(prop) len=252 
18:28:58 ipsec,debug succeed. 
18:28:58 ipsec,debug proposal #1 len=252 
18:28:58 ipsec,debug begin. 
18:28:58 ipsec,debug seen nptype=3(trns) len=28 
18:28:58 ipsec,debug seen nptype=3(trns) len=28 
18:28:58 ipsec,debug seen nptype=3(trns) len=28 
18:28:58 ipsec,debug seen nptype=3(trns) len=28 
18:28:58 ipsec,debug seen nptype=3(trns) len=28 
18:28:58 ipsec,debug seen nptype=3(trns) len=28 
18:28:58 ipsec,debug seen nptype=3(trns) len=24 
18:28:58 ipsec,debug seen nptype=3(trns) len=24 
18:28:58 ipsec,debug seen nptype=3(trns) len=24 
18:28:58 ipsec,debug succeed. 
18:28:58 ipsec,debug transform #1 len=28 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha256 
18:28:58 ipsec,debug transform #2 len=28 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:28:58 ipsec,debug transform #3 len=28 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Key Length, flag=0x8000, lorv=256 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:28:58 ipsec,debug transform #4 len=28 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha256 
18:28:58 ipsec,debug transform #5 len=28 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:28:58 ipsec,debug transform #6 len=28 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:28:58 ipsec,debug transform #7 len=24 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha256 
18:28:58 ipsec,debug transform #8 len=24 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:28:58 ipsec,debug transform #9 len=24 
18:28:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:28:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:28:58 ipsec,debug life duration was in TLV. 
18:28:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:28:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:28:58 ipsec,debug pair 1: 
18:28:58 ipsec,debug  0x4a7c08: next=(nil) tnext=0x4a6cb8 
18:28:58 ipsec,debug   0x4a6cb8: next=(nil) tnext=0x4a75c8 
18:28:58 ipsec,debug    0x4a75c8: next=(nil) tnext=0x4a75e0 
18:28:58 ipsec,debug     0x4a75e0: next=(nil) tnext=0x4a75f8 
18:28:58 ipsec,debug      0x4a75f8: next=(nil) tnext=0x4a7610 
18:28:58 ipsec,debug       0x4a7610: next=(nil) tnext=0x4a7648 
18:28:58 ipsec,debug        0x4a7648: next=(nil) tnext=0x4a7660 
18:28:58 ipsec,debug         0x4a7660: next=(nil) tnext=0x4a7678 
18:28:58 ipsec,debug          0x4a7678: next=(nil) tnext=(nil) 
18:28:58 ipsec,debug proposal #1: 9 transform 
18:28:58 ipsec,debug got the local address from ID payload XXX.XXX.XXX.XXX[1701] prefixlen=32 ul_proto=17 
18:28:58 ipsec,debug got the peer address from ID payload 192.168.88.186[49154] prefixlen=32 ul_proto=17 
18:28:58 ipsec searching for policy for selector: XXX.XXX.XXX.XXX:1701 ip-proto:17 <=> 192.168.88.186:49154 ip-proto:17 
18:28:58 ipsec no template matches 
18:28:58 ipsec failed to get proposal for responder. 
18:28:58 ipsec,error 192.168.88.186 failed to pre-process ph2 paket. 
18:28:58 ipsec,debug hash(sha1) 
18:28:58 ipsec,debug 76 bytes from XXX.XXX.XXX.XXX[500] to 192.168.88.186[500] 
18:28:58 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.88.186[500] 
18:28:58 ipsec,debug sendto Information notify. 
18:29:02 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:02 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:05 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:05 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:08 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:08 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:11 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:11 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:14 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:14 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:17 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:17 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:21 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:21 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:24 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:24 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:27 ipsec,debug ===== received 364 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:27 ipsec,error 192.168.88.186 peer sent packet for dead phase2 
18:29:28 ipsec,debug ===== received 92 bytes from 192.168.88.186[500] to XXX.XXX.XXX.XXX[500] 
18:29:28 ipsec,debug receive Information. 
18:29:28 ipsec,debug hash(sha1) 
18:29:28 ipsec,debug hash validated. 
18:29:28 ipsec,debug begin. 
18:29:28 ipsec,debug seen nptype=8(hash) len=24 
18:29:28 ipsec,debug seen nptype=12(delete) len=28 
18:29:28 ipsec,debug succeed. 
18:29:28 ipsec,debug 192.168.88.186 delete payload for protocol ISAKMP 
18:29:28 ipsec,info purging ISAKMP-SA XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] spi=6b262a833ec543b8:2dabecf291d347ed. 
18:29:28 ipsec purged ISAKMP-SA XXX.XXX.XXX.XXX[500]<=>192.168.88.186[500] spi=6b262a833ec543b8:2dabecf291d347ed. 
18:29:28 ipsec,debug purged SAs. 
18:29:28 ipsec,info ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-192.168.88.186[500] spi:6b262a833ec543b8:2dabecf291d347ed rekey:1

And policy:
`

/ip ipsec policy group
set [ find default=yes ] name=default

/ip ipsec policy
set 0 disabled=no dst-address=::/0 protocol=all src-address=::/0 template=yes

`

sindy · December 8, 2020, 8:24am

That’s strange, as the policy template is neither restricted nor disabled so it should match the selector suggested by the peer. So it looks like some other conflict between the dynamically generated and static IPsec configurations. Post the output of /ip ipsec peer print detail, /ip ipsec policy print detail, /ip ipsec identity print detail.

okriso · December 8, 2020, 9:04am

HI,

per request:

/ip ipsec peer print detail 

Flags: X - disabled, D - dynamic, R - responder 
0  DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes 

1   R ;;; This entry is unreachable
name="peer1" passive=yes profile=default exchange-mode=main send-initial-contact=yes

/ip ipsec policy print detail 

Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T  * group=*3 src-address=::/0 dst-address=::/0 protocol=all proposal=*1 template=yes
 
 /ip ipsec identity print detail 

Flags: D - dynamic, X - disabled 
 0 D  ;;; l2tp-in-server
peer=l2tp-in-server auth-method=pre-shared-key remote-id=ignore secret="XXXXXXXXXX" generate-policy=port-strict

sindy · December 8, 2020, 9:31am

Hm, so the /ip ipsec policy export didn’t show the issue, whereas /ip ipsec policy print detail does. The only policy template has been moved to a policy group which has been deleted since, and linked to a proposal which has also been deleted since, whereas the (dynamically generated) identity says that policy group default should be used. Hence the template cannot be found because it is not in group default.

To fix that, use /ip ipsec policy set [find default] group=default proposal=default.

okriso · December 8, 2020, 10:37am

OMG… i have sat and read hundreds of posts, watched hours of youtube… and there it is… the magical VPN icon on my iPhone…

@sindy i have read allot of your posts and can see your prolific at helping people, you have helped me and thank you.

One other thing this has showed me is that i need to do a little more formalized networking training/learning.