Site-To-Site VPN AWS problem

Sob · January 9, 2022, 12:27pm

You missed a bit:

So:

/ip ipsec peer
add ... exchange-mode=ike2

sindy · January 9, 2022, 12:30pm

Out of all your policies, you need to enable all the ones in green, and disable all the ones in red. The order is correct (here, it only matters that the last one was last).

/ip ipsec policy
add action=none disabled=yes dst-address=172.16.96.0/19 src-address=0.0.0.0/0
add action=none disabled=yes dst-address=164.52.192.253/32 src-address=0.0.0.0/0
add action=none disabled=yes dst-address=0.0.0.0/0 src-address=164.52.192.253/32
add action=none disabled=yes dst-address=0.0.0.0/0 src-address=172.16.96.0/19
add dst-address=169.254.128.216/30 peer=AWS src-address=169.254.128.218/32 tunnel=yes
add dst-address=172.31.0.0/16 peer=AWS proposal=awsproposal src-address=172.16.96.0/19 tunnel=yes
add disabled=yes dst-address=0.0.0.0/0 peer=AWS proposal=awsproposal src-address=0.0.0.0/0 tunnel=yes

mankomal · January 9, 2022, 1:29pm

Using IKEv1, IKEv2 is not working out don’t know why will be testing once this setup works

mankomal · January 9, 2022, 1:38pm

This does not work
But this works:

/ip ipsec policy
add dst-address=169.254.128.216/30 peer=AWS src-address=169.254.128.218/32 tunnel=yes
add dst-address=172.31.0.0/16 peer=AWS proposal=awsproposal src-address=172.16.96.0/19 tunnel=yes


LOG of fail:
Jan/09/2022 13:09:08 ipsec,debug ===
Jan/09/2022 13:09:08 ipsec,info initiate new phase 1 (Identity Protection): 164.52.192.253[500]<=>3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug new cookie:
Jan/09/2022 13:09:08 ipsec,debug 9d7e4e14c9051c95
Jan/09/2022 13:09:08 ipsec,debug add payload of len 52, next type 13
Jan/09/2022 13:09:08 ipsec,debug add payload of len 16, next type 13
Jan/09/2022 13:09:08 ipsec,debug add payload of len 16, next type 0
Jan/09/2022 13:09:08 ipsec,debug 124 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug 1 times of 124 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 00000000 00000000 01100200 00000000 0000007c 0d000038
Jan/09/2022 13:09:08 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080
Jan/09/2022 13:09:08 ipsec,debug,packet 80010007 800e0080 80030001 80020002 80040002 0d000014 12f5f28c 457168a9
Jan/09/2022 13:09:08 ipsec,debug,packet 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan/09/2022 13:09:08 ipsec sent phase1 packet 164.52.192.253[500]<=>3.226.95.68[500] 9d7e4e14c9051c95:0000000000000000
Jan/09/2022 13:09:08 ipsec,debug ===== received 104 bytes from 3.226.95.68[500] to 164.52.192.253[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 01100200 00000000 00000068 0d000038
Jan/09/2022 13:09:08 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 80010007 800e0080
Jan/09/2022 13:09:08 ipsec,debug,packet 80020002 80040002 80030001 800b0001 800c7080 00000014 afcad713 68a1f1c9
Jan/09/2022 13:09:08 ipsec,debug,packet 6b8696fc 77570100
Jan/09/2022 13:09:08 ipsec,debug begin.
Jan/09/2022 13:09:08 ipsec,debug seen nptype=1(sa) len=56
Jan/09/2022 13:09:08 ipsec,debug seen nptype=13(vid) len=20
Jan/09/2022 13:09:08 ipsec,debug succeed.
Jan/09/2022 13:09:08 ipsec received Vendor ID: DPD
Jan/09/2022 13:09:08 ipsec,debug remote supports DPD
Jan/09/2022 13:09:08 ipsec,debug total SA len=52
Jan/09/2022 13:09:08 ipsec,debug 00000001 00000001 0000002c 01010001 00000024 01010000 80010007 800e0080
Jan/09/2022 13:09:08 ipsec,debug 80020002 80040002 80030001 800b0001 800c7080
Jan/09/2022 13:09:08 ipsec,debug begin.
Jan/09/2022 13:09:08 ipsec,debug seen nptype=2(prop) len=44
Jan/09/2022 13:09:08 ipsec,debug succeed.
Jan/09/2022 13:09:08 ipsec,debug proposal #1 len=44
Jan/09/2022 13:09:08 ipsec,debug begin.
Jan/09/2022 13:09:08 ipsec,debug seen nptype=3(trns) len=36
Jan/09/2022 13:09:08 ipsec,debug succeed.
Jan/09/2022 13:09:08 ipsec,debug transform #1 len=36
Jan/09/2022 13:09:08 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug type=Key Length, flag=0x8000, lorv=128
Jan/09/2022 13:09:08 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
Jan/09/2022 13:09:08 ipsec,debug hash(sha1)
Jan/09/2022 13:09:08 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
Jan/09/2022 13:09:08 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
Jan/09/2022 13:09:08 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800
Jan/09/2022 13:09:08 ipsec,debug pair 1:
Jan/09/2022 13:09:08 ipsec,debug  0x80cf280: next=(nil) tnext=(nil)
Jan/09/2022 13:09:08 ipsec,debug proposal #1: 1 transform
Jan/09/2022 13:09:08 ipsec,debug -checking with pre-shared key auth-
Jan/09/2022 13:09:08 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
Jan/09/2022 13:09:08 ipsec,debug trns#=1, trns-id=IKE
Jan/09/2022 13:09:08 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
Jan/09/2022 13:09:08 ipsec,debug type=Key Length, flag=0x8000, lorv=128
Jan/09/2022 13:09:08 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
Jan/09/2022 13:09:08 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Jan/09/2022 13:09:08 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
Jan/09/2022 13:09:08 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
Jan/09/2022 13:09:08 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800
Jan/09/2022 13:09:08 ipsec,debug -compare proposal #1: Local:Peer
Jan/09/2022 13:09:08 ipsec,debug (lifetime = 28800:28800)
Jan/09/2022 13:09:08 ipsec,debug (lifebyte = 0:0)
Jan/09/2022 13:09:08 ipsec,debug enctype = AES-CBC:AES-CBC
Jan/09/2022 13:09:08 ipsec,debug (encklen = 128:128)
Jan/09/2022 13:09:08 ipsec,debug hashtype = SHA:SHA
Jan/09/2022 13:09:08 ipsec,debug authmethod = pre-shared key:pre-shared key
Jan/09/2022 13:09:08 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group
Jan/09/2022 13:09:08 ipsec,debug -an acceptable proposal found-
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug -agreed on pre-shared key auth-
Jan/09/2022 13:09:08 ipsec,debug ===
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug,packet compute DH's private.
Jan/09/2022 13:09:08 ipsec,debug,packet 763827db c634dd91 3d9d1312 44e1e83a 22c1d85f 024edcb0 c1a25f00 0f2499cf
Jan/09/2022 13:09:08 ipsec,debug,packet 753d58ef 8a27dc7c 7a98f4b0 9b0e387f 6a3560f4 8381597d a026600d c728443a
Jan/09/2022 13:09:08 ipsec,debug,packet d2afe292 3c67abc5 43178bb6 d69abcc1 bb3282e4 fe937334 977168fd ce1fec16
Jan/09/2022 13:09:08 ipsec,debug,packet ed8f3868 0e5d71cb 3b7114b8 5784b9c0 7afaedd6 0d26d6c7 3b66f7bd 59d9f60e
Jan/09/2022 13:09:08 ipsec,debug,packet compute DH's public.
Jan/09/2022 13:09:08 ipsec,debug,packet 63e1a48c 4b7fc966 ce83c5f8 69d2ffdd a58dd39f db050094 80a54f0f 98ef39f2
Jan/09/2022 13:09:08 ipsec,debug,packet b6485613 060fd712 f9d4b263 51a70e73 d056985e c2589766 05f62c3a 41ed8e77
Jan/09/2022 13:09:08 ipsec,debug,packet b68ec562 ad786919 26280450 153b2393 fe3b7325 d49f8693 7d7b4298 87689f81
Jan/09/2022 13:09:08 ipsec,debug,packet 44f934f5 ec47f3ea 70edbfa7 b44927e9 e7fb5d2a 0d9a70b5 ac1a58a7 fb6dd8ae
Jan/09/2022 13:09:08 ipsec,debug add payload of len 128, next type 10
Jan/09/2022 13:09:08 ipsec,debug add payload of len 24, next type 0
Jan/09/2022 13:09:08 ipsec,debug 188 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug 1 times of 188 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 04100200 00000000 000000bc 0a000084
Jan/09/2022 13:09:08 ipsec,debug,packet 63e1a48c 4b7fc966 ce83c5f8 69d2ffdd a58dd39f db050094 80a54f0f 98ef39f2
Jan/09/2022 13:09:08 ipsec,debug,packet b6485613 060fd712 f9d4b263 51a70e73 d056985e c2589766 05f62c3a 41ed8e77
Jan/09/2022 13:09:08 ipsec,debug,packet b68ec562 ad786919 26280450 153b2393 fe3b7325 d49f8693 7d7b4298 87689f81
Jan/09/2022 13:09:08 ipsec,debug,packet 44f934f5 ec47f3ea 70edbfa7 b44927e9 e7fb5d2a 0d9a70b5 ac1a58a7 fb6dd8ae
Jan/09/2022 13:09:08 ipsec,debug,packet 0000001c 8f194492 e24a3f75 3ed3661a 92cf8373 877bfcb9 ed9e3d48
Jan/09/2022 13:09:08 ipsec sent phase1 packet 164.52.192.253[500]<=>3.226.95.68[500] 9d7e4e14c9051c95:8e3100d954d41224
Jan/09/2022 13:09:08 ipsec,debug ===== received 196 bytes from 3.226.95.68[500] to 164.52.192.253[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 04100200 00000000 000000c4 0a000084
Jan/09/2022 13:09:08 ipsec,debug,packet 772793c1 244d0a8d 30b8c0ef 8a607f26 5738de82 2766e147 60927140 2d8b5fd4
Jan/09/2022 13:09:08 ipsec,debug,packet ab4015b5 7d8e54c9 60803c60 ddaeea47 c4d00a99 b76048b7 664a7e15 4c49c16c
Jan/09/2022 13:09:08 ipsec,debug,packet 2a39d808 3b3bded8 7bc797ca 964af05c 1c82060a e5c5b447 f402ee24 01f13078
Jan/09/2022 13:09:08 ipsec,debug,packet 1da95824 730f2ea5 25643b2d 5f197c06 d6ba2c07 0caeecd8 cbfaefee ade2d526
Jan/09/2022 13:09:08 ipsec,debug,packet 00000024 b8f5f0cb 85bed21b f767d913 c6ae5e5a beb6a5df a8ae8bc7 48b70168
Jan/09/2022 13:09:08 ipsec,debug,packet 2ea6d561
Jan/09/2022 13:09:08 ipsec,debug begin.
Jan/09/2022 13:09:08 ipsec,debug seen nptype=4(ke) len=132
Jan/09/2022 13:09:08 ipsec,debug seen nptype=10(nonce) len=36
Jan/09/2022 13:09:08 ipsec,debug succeed.
Jan/09/2022 13:09:08 ipsec,debug ===
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug,packet compute DH's shared.
Jan/09/2022 13:09:08 ipsec,debug,packet 
Jan/09/2022 13:09:08 ipsec,debug,packet cf6afb1e 869a381a ecb845c0 ad97da9f e16fe630 6c1f97d6 2cc25889 7a972c9a
Jan/09/2022 13:09:08 ipsec,debug,packet f8f9e5b0 66c9b225 87b17558 f938c181 92f44b3a 518aacc2 a5a946f0 aab04689
Jan/09/2022 13:09:08 ipsec,debug,packet 7574e3fd 1c395eaf dd5a93e2 afbbeef3 3e4e1b81 983e994c f39ed619 6a677fc2
Jan/09/2022 13:09:08 ipsec,debug,packet 617efdec 6e21c158 6d129b47 cd2ad397 309065c6 d069a930 36555e01 d16edca8
Jan/09/2022 13:09:08 ipsec,debug nonce 1: 
Jan/09/2022 13:09:08 ipsec,debug 8f194492 e24a3f75 3ed3661a 92cf8373 877bfcb9 ed9e3d48
Jan/09/2022 13:09:08 ipsec,debug nonce 2: 
Jan/09/2022 13:09:08 ipsec,debug b8f5f0cb 85bed21b f767d913 c6ae5e5a beb6a5df a8ae8bc7 48b70168 2ea6d561
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug SKEYID computed:
Jan/09/2022 13:09:08 ipsec,debug 94647f6f 9decbb82 c6f81081 40633c9a 40c3241b
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug SKEYID_d computed:
Jan/09/2022 13:09:08 ipsec,debug 6663e350 c35cde6a f67e822b 8e7e167c 6f1205ec
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug SKEYID_a computed:
Jan/09/2022 13:09:08 ipsec,debug 7584ab38 65400458 5b15dedb 424528bd b0810e07
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug SKEYID_e computed:
Jan/09/2022 13:09:08 ipsec,debug 11c4a816 d5022947 74324bed 77d64f8a 95d32075
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug hash(sha1)
Jan/09/2022 13:09:08 ipsec,debug final encryption key computed:
Jan/09/2022 13:09:08 ipsec,debug 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:08 ipsec,debug hash(sha1)
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug IV computed:
Jan/09/2022 13:09:08 ipsec,debug 711289c7 00585446 e6bbf3ec 4f7676a4
Jan/09/2022 13:09:08 ipsec,debug use ID type of IPv4_address
Jan/09/2022 13:09:08 ipsec,debug,packet HASH with:
Jan/09/2022 13:09:08 ipsec,debug,packet 63e1a48c 4b7fc966 ce83c5f8 69d2ffdd a58dd39f db050094 80a54f0f 98ef39f2
Jan/09/2022 13:09:08 ipsec,debug,packet b6485613 060fd712 f9d4b263 51a70e73 d056985e c2589766 05f62c3a 41ed8e77
Jan/09/2022 13:09:08 ipsec,debug,packet b68ec562 ad786919 26280450 153b2393 fe3b7325 d49f8693 7d7b4298 87689f81
Jan/09/2022 13:09:08 ipsec,debug,packet 44f934f5 ec47f3ea 70edbfa7 b44927e9 e7fb5d2a 0d9a70b5 ac1a58a7 fb6dd8ae
Jan/09/2022 13:09:08 ipsec,debug,packet 772793c1 244d0a8d 30b8c0ef 8a607f26 5738de82 2766e147 60927140 2d8b5fd4
Jan/09/2022 13:09:08 ipsec,debug,packet ab4015b5 7d8e54c9 60803c60 ddaeea47 c4d00a99 b76048b7 664a7e15 4c49c16c
Jan/09/2022 13:09:08 ipsec,debug,packet 2a39d808 3b3bded8 7bc797ca 964af05c 1c82060a e5c5b447 f402ee24 01f13078
Jan/09/2022 13:09:08 ipsec,debug,packet 1da95824 730f2ea5 25643b2d 5f197c06 d6ba2c07 0caeecd8 cbfaefee ade2d526
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 00000001 00000001 0000002c 01010001
Jan/09/2022 13:09:08 ipsec,debug,packet 00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
Jan/09/2022 13:09:08 ipsec,debug,packet 80040002 011101f4 a434c0fd
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug,packet HASH computed:
Jan/09/2022 13:09:08 ipsec,debug,packet 18803786 fc6884b3 61fe7c6b 9c475c95 a3dfa0e4
Jan/09/2022 13:09:08 ipsec,debug add payload of len 8, next type 8
Jan/09/2022 13:09:08 ipsec,debug add payload of len 20, next type 0
Jan/09/2022 13:09:08 ipsec,debug,packet begin encryption.
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet pad length = 12
Jan/09/2022 13:09:08 ipsec,debug,packet 0800000c 011101f4 a434c0fd 00000018 18803786 fc6884b3 61fe7c6b 9c475c95
Jan/09/2022 13:09:08 ipsec,debug,packet a3dfa0e4 a8aec6b7 e2dc8dac ebdcf50b
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet with key:
Jan/09/2022 13:09:08 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:08 ipsec,debug,packet encrypted payload by IV:
Jan/09/2022 13:09:08 ipsec,debug,packet 711289c7 00585446 e6bbf3ec 4f7676a4
Jan/09/2022 13:09:08 ipsec,debug,packet save IV for next:
Jan/09/2022 13:09:08 ipsec,debug,packet 6fb0b4e0 d4169565 a5effea7 b3b46584
Jan/09/2022 13:09:08 ipsec,debug,packet encrypted.
Jan/09/2022 13:09:08 ipsec,debug 76 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug 1 times of 76 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 05100201 00000000 0000004c eec8831d
Jan/09/2022 13:09:08 ipsec,debug,packet 20c4d703 f0b9cd73 85d7acbe c3acb61f 46d1d4dc d205e41b d4356040 6fb0b4e0
Jan/09/2022 13:09:08 ipsec,debug,packet d4169565 a5effea7 b3b46584
Jan/09/2022 13:09:08 ipsec sent phase1 packet 164.52.192.253[500]<=>3.226.95.68[500] 9d7e4e14c9051c95:8e3100d954d41224
Jan/09/2022 13:09:08 ipsec,debug ===== received 76 bytes from 3.226.95.68[500] to 164.52.192.253[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 05100201 00000000 0000004c 51f406e8
Jan/09/2022 13:09:08 ipsec,debug,packet fbbec8e4 5e965d9e ac49832c d2c29b24 19a55431 0c19221e 698da9e5 e815c820
Jan/09/2022 13:09:08 ipsec,debug,packet c7a8e91c 6b1df911 ef083099
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet IV was saved for next processing:
Jan/09/2022 13:09:08 ipsec,debug,packet e815c820 c7a8e91c 6b1df911 ef083099
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet with key:
Jan/09/2022 13:09:08 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:08 ipsec,debug,packet decrypted payload by IV:
Jan/09/2022 13:09:08 ipsec,debug,packet 6fb0b4e0 d4169565 a5effea7 b3b46584
Jan/09/2022 13:09:08 ipsec,debug,packet decrypted payload, but not trimed.
Jan/09/2022 13:09:08 ipsec,debug,packet 0800000c 01000000 03e25f44 00000018 38db8d9d cbffb108 b68fbefc af790fcd
Jan/09/2022 13:09:08 ipsec,debug,packet aab5a8cc 00000000 00000000 00000000
Jan/09/2022 13:09:08 ipsec,debug,packet padding len=1
Jan/09/2022 13:09:08 ipsec,debug,packet skip to trim padding.
Jan/09/2022 13:09:08 ipsec,debug,packet decrypted.
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 05100201 00000000 0000004c 0800000c
Jan/09/2022 13:09:08 ipsec,debug,packet 01000000 03e25f44 00000018 38db8d9d cbffb108 b68fbefc af790fcd aab5a8cc
Jan/09/2022 13:09:08 ipsec,debug,packet 00000000 00000000 00000000
Jan/09/2022 13:09:08 ipsec,debug begin.
Jan/09/2022 13:09:08 ipsec,debug seen nptype=5(id) len=12
Jan/09/2022 13:09:08 ipsec,debug seen nptype=8(hash) len=24
Jan/09/2022 13:09:08 ipsec,debug succeed.
Jan/09/2022 13:09:08 ipsec,debug HASH received:
Jan/09/2022 13:09:08 ipsec,debug 38db8d9d cbffb108 b68fbefc af790fcd aab5a8cc
Jan/09/2022 13:09:08 ipsec,debug,packet HASH with:
Jan/09/2022 13:09:08 ipsec,debug,packet 772793c1 244d0a8d 30b8c0ef 8a607f26 5738de82 2766e147 60927140 2d8b5fd4
Jan/09/2022 13:09:08 ipsec,debug,packet ab4015b5 7d8e54c9 60803c60 ddaeea47 c4d00a99 b76048b7 664a7e15 4c49c16c
Jan/09/2022 13:09:08 ipsec,debug,packet 2a39d808 3b3bded8 7bc797ca 964af05c 1c82060a e5c5b447 f402ee24 01f13078
Jan/09/2022 13:09:08 ipsec,debug,packet 1da95824 730f2ea5 25643b2d 5f197c06 d6ba2c07 0caeecd8 cbfaefee ade2d526
Jan/09/2022 13:09:08 ipsec,debug,packet 63e1a48c 4b7fc966 ce83c5f8 69d2ffdd a58dd39f db050094 80a54f0f 98ef39f2
Jan/09/2022 13:09:08 ipsec,debug,packet b6485613 060fd712 f9d4b263 51a70e73 d056985e c2589766 05f62c3a 41ed8e77
Jan/09/2022 13:09:08 ipsec,debug,packet b68ec562 ad786919 26280450 153b2393 fe3b7325 d49f8693 7d7b4298 87689f81
Jan/09/2022 13:09:08 ipsec,debug,packet 44f934f5 ec47f3ea 70edbfa7 b44927e9 e7fb5d2a 0d9a70b5 ac1a58a7 fb6dd8ae
Jan/09/2022 13:09:08 ipsec,debug,packet 8e3100d9 54d41224 9d7e4e14 c9051c95 00000001 00000001 0000002c 01010001
Jan/09/2022 13:09:08 ipsec,debug,packet 00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
Jan/09/2022 13:09:08 ipsec,debug,packet 80040002 01000000 03e25f44
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug,packet HASH computed:
Jan/09/2022 13:09:08 ipsec,debug,packet 38db8d9d cbffb108 b68fbefc af790fcd aab5a8cc
Jan/09/2022 13:09:08 ipsec,debug HASH for PSK validated.
Jan/09/2022 13:09:08 ipsec,debug 3.226.95.68 peer's ID:
Jan/09/2022 13:09:08 ipsec,debug 01000000 03e25f44
Jan/09/2022 13:09:08 ipsec,debug ===
Jan/09/2022 13:09:08 ipsec ph2 possible after ph1 creation
Jan/09/2022 13:09:08 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Jan/09/2022 13:09:08 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
Jan/09/2022 13:09:08 ipsec,debug begin QUICK mode.
Jan/09/2022 13:09:08 ipsec,debug ===
Jan/09/2022 13:09:08 ipsec,debug begin QUICK mode.
Jan/09/2022 13:09:08 ipsec initiate new phase 2 negotiation: 164.52.192.253[500]<=>3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug,packet compute IV for phase2
Jan/09/2022 13:09:08 ipsec,debug,packet phase1 last IV:
Jan/09/2022 13:09:08 ipsec,debug,packet e815c820 c7a8e91c 6b1df911 ef083099 a73e8dbb
Jan/09/2022 13:09:08 ipsec,debug hash(sha1)
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet phase2 IV computed:
Jan/09/2022 13:09:08 ipsec,debug,packet c2c0ae93 0785d025 d9b14351 571e1397
Jan/09/2022 13:09:08 ipsec,debug call pfkey_send_getspi 8
Jan/09/2022 13:09:08 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 3.226.95.68[500]->164.52.192.253[500] 
Jan/09/2022 13:09:08 ipsec,debug pfkey getspi sent.
Jan/09/2022 13:09:08 ipsec,info ISAKMP-SA established 164.52.192.253[500]-3.226.95.68[500] spi:9d7e4e14c9051c95:8e3100d954d41224
Jan/09/2022 13:09:08 ipsec,debug ===
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:08 ipsec,debug,packet compute DH's private.
Jan/09/2022 13:09:08 ipsec,debug,packet 5ccf9c24 58d8a8e5 0e7a90e2 037cafcb 416e291b 47fb0838 1e346cb5 e03326f3
Jan/09/2022 13:09:08 ipsec,debug,packet 7343b32b e73954c3 dea1dfa2 49329ff9 ef3d46f4 0667a3dd 0ed1aace 43da3b25
Jan/09/2022 13:09:08 ipsec,debug,packet 3768a7cc c6e42c75 36e54198 be203d36 5255485d 3b27b65d f5e15ef9 dd08d93b
Jan/09/2022 13:09:08 ipsec,debug,packet 439e73b6 4fcfd57e 471e8458 cf0b8b46 2176a8dc a786b5dd 9650f93a 9254d6ac
Jan/09/2022 13:09:08 ipsec,debug,packet compute DH's public.
Jan/09/2022 13:09:08 ipsec,debug,packet 517664ad 8e04fcda 1f68d46a 0738e8cc 594c7ac8 24c45a37 83daaac5 f2dee427
Jan/09/2022 13:09:08 ipsec,debug,packet 6fc49268 1ec5bb08 c8d4d1f4 9f155944 04e063fe 89db5a9d 1b6fbb2a 70820de3
Jan/09/2022 13:09:08 ipsec,debug,packet 237ace42 abe35ea8 049fbf1e dcac56ec 72608216 114f8128 cc3371eb 5cbe2241
Jan/09/2022 13:09:08 ipsec,debug,packet a3611bd3 d8eaa491 f4af8ae1 de8b8b7d 7c769c7e d82a80b4 039a8b3b 95967403
Jan/09/2022 13:09:08 ipsec,debug use local ID type IPv4_subnet
Jan/09/2022 13:09:08 ipsec,debug use remote ID type IPv4_subnet
Jan/09/2022 13:09:08 ipsec,debug IDci:
Jan/09/2022 13:09:08 ipsec,debug 04000000 00000000 00000000
Jan/09/2022 13:09:08 ipsec,debug IDcr:
Jan/09/2022 13:09:08 ipsec,debug 04000000 00000000 00000000
Jan/09/2022 13:09:08 ipsec,debug add payload of len 52, next type 10
Jan/09/2022 13:09:08 ipsec,debug add payload of len 24, next type 4
Jan/09/2022 13:09:08 ipsec,debug add payload of len 128, next type 5
Jan/09/2022 13:09:08 ipsec,debug add payload of len 12, next type 5
Jan/09/2022 13:09:08 ipsec,debug add payload of len 12, next type 0
Jan/09/2022 13:09:08 ipsec,debug,packet HASH with:
Jan/09/2022 13:09:08 ipsec,debug,packet a73e8dbb 0a000038 00000001 00000001 0000002c 01030401 036004f5 00000020
Jan/09/2022 13:09:08 ipsec,debug,packet 010c0000 80010001 80020e10 80040001 80060080 80050002 80030002 0400001c
Jan/09/2022 13:09:08 ipsec,debug,packet aca951c7 fdac4329 9fc16c7f 1ae59bf4 9bf97e12 e4979573 05000084 517664ad
Jan/09/2022 13:09:08 ipsec,debug,packet 8e04fcda 1f68d46a 0738e8cc 594c7ac8 24c45a37 83daaac5 f2dee427 6fc49268
Jan/09/2022 13:09:08 ipsec,debug,packet 1ec5bb08 c8d4d1f4 9f155944 04e063fe 89db5a9d 1b6fbb2a 70820de3 237ace42
Jan/09/2022 13:09:08 ipsec,debug,packet abe35ea8 049fbf1e dcac56ec 72608216 114f8128 cc3371eb 5cbe2241 a3611bd3
Jan/09/2022 13:09:08 ipsec,debug,packet d8eaa491 f4af8ae1 de8b8b7d 7c769c7e d82a80b4 039a8b3b 95967403 05000010
Jan/09/2022 13:09:08 ipsec,debug,packet 04000000 00000000 00000000 00000010 04000000 00000000 00000000
Jan/09/2022 13:09:08 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:08 ipsec,debug,packet HASH computed:
Jan/09/2022 13:09:08 ipsec,debug,packet 1aca0b7a 987783c4 5637eae5 0a8f5595 80b90fdf
Jan/09/2022 13:09:08 ipsec,debug add payload of len 20, next type 1
Jan/09/2022 13:09:08 ipsec,debug,packet begin encryption.
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet pad length = 16
Jan/09/2022 13:09:08 ipsec,debug,packet 01000018 1aca0b7a 987783c4 5637eae5 0a8f5595 80b90fdf 0a000038 00000001
Jan/09/2022 13:09:08 ipsec,debug,packet 00000001 0000002c 01030401 036004f5 00000020 010c0000 80010001 80020e10
Jan/09/2022 13:09:08 ipsec,debug,packet 80040001 80060080 80050002 80030002 0400001c aca951c7 fdac4329 9fc16c7f
Jan/09/2022 13:09:08 ipsec,debug,packet 1ae59bf4 9bf97e12 e4979573 05000084 517664ad 8e04fcda 1f68d46a 0738e8cc
Jan/09/2022 13:09:08 ipsec,debug,packet 594c7ac8 24c45a37 83daaac5 f2dee427 6fc49268 1ec5bb08 c8d4d1f4 9f155944
Jan/09/2022 13:09:08 ipsec,debug,packet 04e063fe 89db5a9d 1b6fbb2a 70820de3 237ace42 abe35ea8 049fbf1e dcac56ec
Jan/09/2022 13:09:08 ipsec,debug,packet 72608216 114f8128 cc3371eb 5cbe2241 a3611bd3 d8eaa491 f4af8ae1 de8b8b7d
Jan/09/2022 13:09:08 ipsec,debug,packet 7c769c7e d82a80b4 039a8b3b 95967403 05000010 04000000 00000000 00000000
Jan/09/2022 13:09:08 ipsec,debug,packet 00000010 04000000 00000000 00000000 eac0f2c9 8197e29c c4fe8bad b6dba80f
Jan/09/2022 13:09:08 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:08 ipsec,debug,packet with key:
Jan/09/2022 13:09:08 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:08 ipsec,debug,packet encrypted payload by IV:
Jan/09/2022 13:09:08 ipsec,debug,packet c2c0ae93 0785d025 d9b14351 571e1397
Jan/09/2022 13:09:08 ipsec,debug,packet save IV for next:
Jan/09/2022 13:09:08 ipsec,debug,packet fcfa34e6 13ec1a5e 1852212d 33a8b0a4
Jan/09/2022 13:09:08 ipsec,debug,packet encrypted.
Jan/09/2022 13:09:08 ipsec,debug 316 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug 1 times of 316 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:08 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08102001 a73e8dbb 0000013c 2f88a7d4
Jan/09/2022 13:09:08 ipsec,debug,packet 0c4b3e5e 0b05a0ab c0712ea5 c688d94a ae0e4ca0 96b492cb 0680644f 54edd0bf
Jan/09/2022 13:09:08 ipsec,debug,packet 0d9758ca 587485b5 a7dfdd51 e878ca75 325f9a30 770a0fd3 62a25cdf 2c60ef48
Jan/09/2022 13:09:08 ipsec,debug,packet ac7c4010 d8698c1e f6b665e8 184e65f3 69885b60 aa8459bb cf2b9cf9 67638e3b
Jan/09/2022 13:09:08 ipsec,debug,packet cef17809 343f32ea 38159e19 4907e378 0b2d905c 78aa354a 03869fd7 0d5a83ac
Jan/09/2022 13:09:08 ipsec,debug,packet 0f2a002b 746e135e b5038345 8a7c73a2 c8b2d393 c67b851e 24e70647 69565460
Jan/09/2022 13:09:08 ipsec,debug,packet e4a8a731 5803d896 0129927f 3a1fd147 997d766e 704565ac 4e938e00 99d4f78b
Jan/09/2022 13:09:08 ipsec,debug,packet 7a5cbc11 63e93c39 49cc4dcc 6d0d30d7 3e8bf018 434ed715 99e335ff 6473cae5
Jan/09/2022 13:09:08 ipsec,debug,packet a729a17e 7c297a8c 49593a8d 29b56681 6615e8e8 78a11aed 0210e83b 0b4e61c2
Jan/09/2022 13:09:08 ipsec,debug,packet ddab7614 cabf1503 6ca8ec02 fcfa34e6 13ec1a5e 1852212d 33a8b0a4
Jan/09/2022 13:09:08 ipsec sent phase2 packet 164.52.192.253[500]<=>3.226.95.68[500] 9d7e4e14c9051c95:8e3100d954d41224:0000a73e
Jan/09/2022 13:09:09 ipsec,debug ===== received 316 bytes from 3.226.95.68[500] to 164.52.192.253[500]
Jan/09/2022 13:09:09 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08102001 a73e8dbb 0000013c 72b5763d
Jan/09/2022 13:09:09 ipsec,debug,packet bb3f2c37 c67707f7 c7697888 ede45945 cf1d13bc e382bd1d 61d1afeb 4c129b82
Jan/09/2022 13:09:09 ipsec,debug,packet 7ea1b382 d1361a81 fd25553e 51441e68 f58f7364 0da43296 28ecee8e 9a1a27b5
Jan/09/2022 13:09:09 ipsec,debug,packet 57b70068 bebc41e4 405c6cf5 3d4f415e 6eca804e a9da356b 2e5f828d 9ac2044e
Jan/09/2022 13:09:09 ipsec,debug,packet fefd0a8a d51e70c1 8e088f7a ea359393 0445c6fe c4c68e4a a953e70a 71a4e3c0
Jan/09/2022 13:09:09 ipsec,debug,packet 2d50fa1b 56b5b1aa 0fd86529 e8578d83 c1be6563 95baabe1 f779a2a1 291fcf58
Jan/09/2022 13:09:09 ipsec,debug,packet 84413dfa 9164c43f 74898c9d d1cd59c0 2568f504 08bf9346 7792fe51 e6c1f548
Jan/09/2022 13:09:09 ipsec,debug,packet 191ca7e4 51d9e5b5 20ba44a3 06b3320c 29ebe6f6 f14e8f9d abb2305e 2979d521
Jan/09/2022 13:09:09 ipsec,debug,packet 08a95c41 45c068e7 0774d40a a8659102 9571b624 e768051a cc70e242 199f195c
Jan/09/2022 13:09:09 ipsec,debug,packet 3c09d5dd c08ab018 99936678 e58d553e 0b536535 0d329a88 06e0570d
Jan/09/2022 13:09:09 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:09 ipsec,debug,packet IV was saved for next processing:
Jan/09/2022 13:09:09 ipsec,debug,packet e58d553e 0b536535 0d329a88 06e0570d
Jan/09/2022 13:09:09 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:09 ipsec,debug,packet with key:
Jan/09/2022 13:09:09 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:09 ipsec,debug,packet decrypted payload by IV:
Jan/09/2022 13:09:09 ipsec,debug,packet fcfa34e6 13ec1a5e 1852212d 33a8b0a4
Jan/09/2022 13:09:09 ipsec,debug,packet decrypted payload, but not trimed.
Jan/09/2022 13:09:09 ipsec,debug,packet 01000018 d1a3236e 1b1d6819 3f6eb30d be86a61c fa9a46c2 0a000038 00000001
Jan/09/2022 13:09:09 ipsec,debug,packet 00000001 0000002c 01030401 c9aa34e8 00000020 010c0000 80060080 80050002
Jan/09/2022 13:09:09 ipsec,debug,packet 80030002 80040001 80010001 80020e10 04000024 17545989 e56715b7 4ec60630
Jan/09/2022 13:09:09 ipsec,debug,packet 7b72c5b1 b040f4f7 036feaae 3bb8ba15 9961528d 05000084 11f73033 8c460b52
Jan/09/2022 13:09:09 ipsec,debug,packet a83a5f9d b533164f 14c901b3 938d5197 5b3c9f11 100b6c23 cd610784 8f1f4de0
Jan/09/2022 13:09:09 ipsec,debug,packet 8cfb9ce8 5cd21fad 67142722 3adf903f f125b0da 3b71a3ad 5beea7be f7f60e9b
Jan/09/2022 13:09:09 ipsec,debug,packet 054d5f4e 1c5a6628 94de1427 d723ed75 24b8c6d3 6e66eb0e cddf0f38 4dadd386
Jan/09/2022 13:09:09 ipsec,debug,packet fd727c85 f19272bc 6dda9430 95aa227e d4a0def1 6bbabd6b 05000010 04000000
Jan/09/2022 13:09:09 ipsec,debug,packet ac106000 ffffe000 00000010 04000000 ac1f0000 ffff0000 00000000 00000000
Jan/09/2022 13:09:09 ipsec,debug,packet padding len=1
Jan/09/2022 13:09:09 ipsec,debug,packet skip to trim padding.
Jan/09/2022 13:09:09 ipsec,debug,packet decrypted.
Jan/09/2022 13:09:09 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08102001 a73e8dbb 0000013c 01000018
Jan/09/2022 13:09:09 ipsec,debug,packet d1a3236e 1b1d6819 3f6eb30d be86a61c fa9a46c2 0a000038 00000001 00000001
Jan/09/2022 13:09:09 ipsec,debug,packet 0000002c 01030401 c9aa34e8 00000020 010c0000 80060080 80050002 80030002
Jan/09/2022 13:09:09 ipsec,debug,packet 80040001 80010001 80020e10 04000024 17545989 e56715b7 4ec60630 7b72c5b1
Jan/09/2022 13:09:09 ipsec,debug,packet b040f4f7 036feaae 3bb8ba15 9961528d 05000084 11f73033 8c460b52 a83a5f9d
Jan/09/2022 13:09:09 ipsec,debug,packet b533164f 14c901b3 938d5197 5b3c9f11 100b6c23 cd610784 8f1f4de0 8cfb9ce8
Jan/09/2022 13:09:09 ipsec,debug,packet 5cd21fad 67142722 3adf903f f125b0da 3b71a3ad 5beea7be f7f60e9b 054d5f4e
Jan/09/2022 13:09:09 ipsec,debug,packet 1c5a6628 94de1427 d723ed75 24b8c6d3 6e66eb0e cddf0f38 4dadd386 fd727c85
Jan/09/2022 13:09:09 ipsec,debug,packet f19272bc 6dda9430 95aa227e d4a0def1 6bbabd6b 05000010 04000000 ac106000
Jan/09/2022 13:09:09 ipsec,debug,packet ffffe000 00000010 04000000 ac1f0000 ffff0000 00000000 00000000
Jan/09/2022 13:09:09 ipsec,debug begin.
Jan/09/2022 13:09:09 ipsec,debug seen nptype=8(hash) len=24
Jan/09/2022 13:09:09 ipsec,debug seen nptype=1(sa) len=56
Jan/09/2022 13:09:09 ipsec,debug seen nptype=10(nonce) len=36
Jan/09/2022 13:09:09 ipsec,debug seen nptype=4(ke) len=132
Jan/09/2022 13:09:09 ipsec,debug seen nptype=5(id) len=16
Jan/09/2022 13:09:09 ipsec,debug seen nptype=5(id) len=16
Jan/09/2022 13:09:09 ipsec,debug succeed.
Jan/09/2022 13:09:09 ipsec,debug IDci prefix: 19/ulproto: 255 does not match proposal.
Jan/09/2022 13:09:09 ipsec,error 3.226.95.68 failed to pre-process ph2 packet.
Jan/09/2022 13:09:09 ipsec,debug,packet compute IV for phase2
Jan/09/2022 13:09:09 ipsec,debug,packet phase1 last IV:
Jan/09/2022 13:09:09 ipsec,debug,packet e815c820 c7a8e91c 6b1df911 ef083099 e0384469
Jan/09/2022 13:09:09 ipsec,debug hash(sha1)
Jan/09/2022 13:09:09 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:09 ipsec,debug,packet phase2 IV computed:
Jan/09/2022 13:09:09 ipsec,debug,packet f3bd8b64 09db7dd5 2cca78ad 3d94519d
Jan/09/2022 13:09:09 ipsec,debug,packet HASH with:
Jan/09/2022 13:09:09 ipsec,debug,packet e0384469 0000000c 00000001 0100000d
Jan/09/2022 13:09:09 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:09 ipsec,debug,packet HASH computed:
Jan/09/2022 13:09:09 ipsec,debug,packet 383b494b 15245169 46d1c692 2f08e9af 1a65068e
Jan/09/2022 13:09:09 ipsec,debug,packet begin encryption.
Jan/09/2022 13:09:09 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:09 ipsec,debug,packet pad length = 12
Jan/09/2022 13:09:09 ipsec,debug,packet 0b000018 383b494b 15245169 46d1c692 2f08e9af 1a65068e 0000000c 00000001
Jan/09/2022 13:09:09 ipsec,debug,packet 0100000d f2f9a8c9 f2f6ed9e eacddd0b
Jan/09/2022 13:09:09 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:09 ipsec,debug,packet with key:
Jan/09/2022 13:09:09 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:09 ipsec,debug,packet encrypted payload by IV:
Jan/09/2022 13:09:09 ipsec,debug,packet f3bd8b64 09db7dd5 2cca78ad 3d94519d
Jan/09/2022 13:09:09 ipsec,debug,packet save IV for next:
Jan/09/2022 13:09:09 ipsec,debug,packet ce45a4e5 33a4b231 495351d9 f5bb33d1
Jan/09/2022 13:09:09 ipsec,debug,packet encrypted.
Jan/09/2022 13:09:09 ipsec,debug 76 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:09 ipsec,debug 1 times of 76 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:09 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08100501 e0384469 0000004c 05eb678b
Jan/09/2022 13:09:09 ipsec,debug,packet c0a09548 4b3ca9c8 bfe9ad23 01560415 1e220e17 da460e10 18c2920a ce45a4e5
Jan/09/2022 13:09:09 ipsec,debug,packet 33a4b231 495351d9 f5bb33d1
Jan/09/2022 13:09:09 ipsec,debug sendto Information notify.
Jan/09/2022 13:09:09 ipsec 3.226.95.68 phase2 negotiation failed.
Jan/09/2022 13:09:14 ipsec IPsec-SA expired: ESP/Tunnel 3.226.95.68[500]->164.52.192.253[500] spi=0x42bd358
Jan/09/2022 13:09:15 ipsec acquire for policy: 0.0.0.0/0 <=> 0.0.0.0/0
Jan/09/2022 13:09:15 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Jan/09/2022 13:09:15 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
Jan/09/2022 13:09:15 ipsec,debug begin QUICK mode.
Jan/09/2022 13:09:15 ipsec,debug ===
Jan/09/2022 13:09:15 ipsec,debug begin QUICK mode.
Jan/09/2022 13:09:15 ipsec initiate new phase 2 negotiation: 164.52.192.253[500]<=>3.226.95.68[500]
Jan/09/2022 13:09:15 ipsec,debug,packet compute IV for phase2
Jan/09/2022 13:09:15 ipsec,debug,packet phase1 last IV:
Jan/09/2022 13:09:15 ipsec,debug,packet e815c820 c7a8e91c 6b1df911 ef083099 cdf3d2e6
Jan/09/2022 13:09:15 ipsec,debug hash(sha1)
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet phase2 IV computed:
Jan/09/2022 13:09:15 ipsec,debug,packet ad9fd59b 9ac7f3d1 85202fe4 b86de12a
Jan/09/2022 13:09:15 ipsec,debug call pfkey_send_getspi 9
Jan/09/2022 13:09:15 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 3.226.95.68[500]->164.52.192.253[500] 
Jan/09/2022 13:09:15 ipsec,debug pfkey getspi sent.
Jan/09/2022 13:09:15 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:15 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:15 ipsec,debug dh(modp1024)
Jan/09/2022 13:09:15 ipsec,debug,packet compute DH's private.
Jan/09/2022 13:09:15 ipsec,debug,packet 5462cc77 cef51f6f f50cf0a0 4e663d4b 6ad24d50 3f867adf 6831dc5b ad0c6a02
Jan/09/2022 13:09:15 ipsec,debug,packet 11517af2 3bac6286 6c42e257 30c22a6d a0921ed6 2630ff73 3e98226d 81b006c0
Jan/09/2022 13:09:15 ipsec,debug,packet 8d847350 0a7d2f6c 4ab19d48 96739815 3fb3c8ea e04bbc78 ecd3837d f5655bdc
Jan/09/2022 13:09:15 ipsec,debug,packet 27a3f2d0 ebfeccb9 17947d5b c76b0e70 1a2b484a c4cf2cd2 0b73cdd4 04daf666
Jan/09/2022 13:09:15 ipsec,debug,packet compute DH's public.
Jan/09/2022 13:09:15 ipsec,debug,packet 31780de9 1150fdd5 fd1a80aa 46d1f65b f1ad3cfd 40409139 314cc9f2 40cb6e88
Jan/09/2022 13:09:15 ipsec,debug,packet e0e0d2f3 24cfe663 f730a220 34dee4cc c5a9d5d4 464e0717 960d820e afbc1147
Jan/09/2022 13:09:15 ipsec,debug,packet 134aa5ba d6fbd48f 2d47638e 038a575c 2afaa3e8 9771cf68 bef0ec79 33c304f8
Jan/09/2022 13:09:15 ipsec,debug,packet 92648793 32864966 451b40f6 7a4ba2a6 7a7e6b08 2e4d5cd3 0a7bb52d f4cd53b9
Jan/09/2022 13:09:15 ipsec,debug use local ID type IPv4_subnet
Jan/09/2022 13:09:15 ipsec,debug use remote ID type IPv4_subnet
Jan/09/2022 13:09:15 ipsec,debug IDci:
Jan/09/2022 13:09:15 ipsec,debug 04000000 00000000 00000000
Jan/09/2022 13:09:15 ipsec,debug IDcr:
Jan/09/2022 13:09:15 ipsec,debug 04000000 00000000 00000000
Jan/09/2022 13:09:15 ipsec,debug add payload of len 52, next type 10
Jan/09/2022 13:09:15 ipsec,debug add payload of len 24, next type 4
Jan/09/2022 13:09:15 ipsec,debug add payload of len 128, next type 5
Jan/09/2022 13:09:15 ipsec,debug add payload of len 12, next type 5
Jan/09/2022 13:09:15 ipsec,debug add payload of len 12, next type 0
Jan/09/2022 13:09:15 ipsec,debug,packet HASH with:
Jan/09/2022 13:09:15 ipsec,debug,packet cdf3d2e6 0a000038 00000001 00000001 0000002c 01030401 01c365e9 00000020
Jan/09/2022 13:09:15 ipsec,debug,packet 010c0000 80010001 80020e10 80040001 80060080 80050002 80030002 0400001c
Jan/09/2022 13:09:15 ipsec,debug,packet aa9d94aa d4799713 e7493dd3 29895b86 cff9a860 7d05f546 05000084 31780de9
Jan/09/2022 13:09:15 ipsec,debug,packet 1150fdd5 fd1a80aa 46d1f65b f1ad3cfd 40409139 314cc9f2 40cb6e88 e0e0d2f3
Jan/09/2022 13:09:15 ipsec,debug,packet 24cfe663 f730a220 34dee4cc c5a9d5d4 464e0717 960d820e afbc1147 134aa5ba
Jan/09/2022 13:09:15 ipsec,debug,packet d6fbd48f 2d47638e 038a575c 2afaa3e8 9771cf68 bef0ec79 33c304f8 92648793
Jan/09/2022 13:09:15 ipsec,debug,packet 32864966 451b40f6 7a4ba2a6 7a7e6b08 2e4d5cd3 0a7bb52d f4cd53b9 05000010
Jan/09/2022 13:09:15 ipsec,debug,packet 04000000 00000000 00000000 00000010 04000000 00000000 00000000
Jan/09/2022 13:09:15 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:15 ipsec,debug,packet HASH computed:
Jan/09/2022 13:09:15 ipsec,debug,packet 15df3e2c 6ef46454 5a333294 89253eee e7e797f4
Jan/09/2022 13:09:15 ipsec,debug add payload of len 20, next type 1
Jan/09/2022 13:09:15 ipsec,debug,packet begin encryption.
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet pad length = 16
Jan/09/2022 13:09:15 ipsec,debug,packet 01000018 15df3e2c 6ef46454 5a333294 89253eee e7e797f4 0a000038 00000001
Jan/09/2022 13:09:15 ipsec,debug,packet 00000001 0000002c 01030401 01c365e9 00000020 010c0000 80010001 80020e10
Jan/09/2022 13:09:15 ipsec,debug,packet 80040001 80060080 80050002 80030002 0400001c aa9d94aa d4799713 e7493dd3
Jan/09/2022 13:09:15 ipsec,debug,packet 29895b86 cff9a860 7d05f546 05000084 31780de9 1150fdd5 fd1a80aa 46d1f65b
Jan/09/2022 13:09:15 ipsec,debug,packet f1ad3cfd 40409139 314cc9f2 40cb6e88 e0e0d2f3 24cfe663 f730a220 34dee4cc
Jan/09/2022 13:09:15 ipsec,debug,packet c5a9d5d4 464e0717 960d820e afbc1147 134aa5ba d6fbd48f 2d47638e 038a575c
Jan/09/2022 13:09:15 ipsec,debug,packet 2afaa3e8 9771cf68 bef0ec79 33c304f8 92648793 32864966 451b40f6 7a4ba2a6
Jan/09/2022 13:09:15 ipsec,debug,packet 7a7e6b08 2e4d5cd3 0a7bb52d f4cd53b9 05000010 04000000 00000000 00000000
Jan/09/2022 13:09:15 ipsec,debug,packet 00000010 04000000 00000000 00000000 9da4c687 ae93dcc7 c0f4eae3 fef4c80f
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet with key:
Jan/09/2022 13:09:15 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:15 ipsec,debug,packet encrypted payload by IV:
Jan/09/2022 13:09:15 ipsec,debug,packet ad9fd59b 9ac7f3d1 85202fe4 b86de12a
Jan/09/2022 13:09:15 ipsec,debug,packet save IV for next:
Jan/09/2022 13:09:15 ipsec,debug,packet 621171d0 ba3385db 736d6835 bc1240d7
Jan/09/2022 13:09:15 ipsec,debug,packet encrypted.
Jan/09/2022 13:09:15 ipsec,debug 316 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:15 ipsec,debug 1 times of 316 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:15 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08102001 cdf3d2e6 0000013c 56530745
Jan/09/2022 13:09:15 ipsec,debug,packet 75967807 1f9fbbaf 0ff0443f 796ac141 a8a4696d c0fc93e7 e6ca7fef 3c06796a
Jan/09/2022 13:09:15 ipsec,debug,packet 99495603 319e02ce 36a19ae2 e8e6c3f6 4f892317 b1dc82bf 5dcf15b2 90a388c4
Jan/09/2022 13:09:15 ipsec,debug,packet 132eb84e 7bf0c7b8 01ed2c19 c0b4d6d9 66fd8264 475a903e 34c4fdec fa7bb93a
Jan/09/2022 13:09:15 ipsec,debug,packet f422ba3a 1bb5d679 11244193 6f67c7af 91a13681 eda9fb03 bf5263a8 01e160e1
Jan/09/2022 13:09:15 ipsec,debug,packet 0d0da12c 07b7c44a 0aadeb7d 5fab7cb5 2feceaff d7dd4b64 89a4150e 24427284
Jan/09/2022 13:09:15 ipsec,debug,packet 256966f2 343f0728 e6b92e7b 7ca0b079 08886355 713df2fc 69456453 8be30729
Jan/09/2022 13:09:15 ipsec,debug,packet 3ca7e642 ca93d272 bf22901b 406b8fd2 4b1b02a0 0f24d174 4e35ba47 d046a0d2
Jan/09/2022 13:09:15 ipsec,debug,packet cb135086 87590e0e 9cbf1465 bf77f2e1 18be5e46 4f822f95 cb7a85eb 5743ab40
Jan/09/2022 13:09:15 ipsec,debug,packet 41774907 76379117 8907338c 621171d0 ba3385db 736d6835 bc1240d7
Jan/09/2022 13:09:15 ipsec sent phase2 packet 164.52.192.253[500]<=>3.226.95.68[500] 9d7e4e14c9051c95:8e3100d954d41224:0000cdf3
Jan/09/2022 13:09:15 ipsec,debug ===== received 316 bytes from 3.226.95.68[500] to 164.52.192.253[500]
Jan/09/2022 13:09:15 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08102001 cdf3d2e6 0000013c 99dcfc88
Jan/09/2022 13:09:15 ipsec,debug,packet 32468b24 37883958 9c750da0 52de8db2 d08e1d9a 8f674e67 9fe75917 3308efbf
Jan/09/2022 13:09:15 ipsec,debug,packet 09140686 34ad51bb aa98f4e5 1c4ad19a 212bc0ca a064505e 706c1b73 9aa98976
Jan/09/2022 13:09:15 ipsec,debug,packet 43610df7 4d64d9d5 e495e8db 99b53e98 f84ddb8c 0556f842 2e5c7659 fddb71bd
Jan/09/2022 13:09:15 ipsec,debug,packet 975c1069 20583fab 18dbdc63 58bd7f43 316af5d5 a26e33b0 c6014002 7ed6e8c4
Jan/09/2022 13:09:15 ipsec,debug,packet 563c7674 b36a84f8 598ec42f d5c95736 f607bae8 53bc88a9 19fb6d33 1594d068
Jan/09/2022 13:09:15 ipsec,debug,packet 9c6cf56c 54771c56 37b0a73c da477995 af03db45 20aa80ee da0ad329 89e6cda6
Jan/09/2022 13:09:15 ipsec,debug,packet 761364e7 35d89b99 a8d137f8 9e1945ac 91bccbfb 91061758 8ee66402 d4ada503
Jan/09/2022 13:09:15 ipsec,debug,packet a625d906 825cabe8 cf12be8c e4cf8c63 62e388dd 9941cee8 90271e63 49736190
Jan/09/2022 13:09:15 ipsec,debug,packet 22896897 4389fa6a 5fccaed8 548e186f 0ae96ad3 e14655b7 f2603bb2
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet IV was saved for next processing:
Jan/09/2022 13:09:15 ipsec,debug,packet 548e186f 0ae96ad3 e14655b7 f2603bb2
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet with key:
Jan/09/2022 13:09:15 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:15 ipsec,debug,packet decrypted payload by IV:
Jan/09/2022 13:09:15 ipsec,debug,packet 621171d0 ba3385db 736d6835 bc1240d7
Jan/09/2022 13:09:15 ipsec,debug,packet decrypted payload, but not trimed.
Jan/09/2022 13:09:15 ipsec,debug,packet 01000018 05e6a178 7b36bb18 6549c01b 92e6975a 80741dd0 0a000038 00000001
Jan/09/2022 13:09:15 ipsec,debug,packet 00000001 0000002c 01030401 c737b72d 00000020 010c0000 80060080 80050002
Jan/09/2022 13:09:15 ipsec,debug,packet 80030002 80040001 80010001 80020e10 04000024 9d0c35b4 dd95f598 5f8fb75a
Jan/09/2022 13:09:15 ipsec,debug,packet 50d7d17c 40397b66 77bb6c09 403a9e3e 9c2f1f54 05000084 5fc96969 e6617ed1
Jan/09/2022 13:09:15 ipsec,debug,packet 047f809a bb754ec5 d93a3d25 6a96b899 de3aab28 1ab43a65 40dc478e 56fd4ad2
Jan/09/2022 13:09:15 ipsec,debug,packet fcf1f459 115a2057 dc6f654f 261a1a66 f5172f7f cbc14817 aec022dc 4ce1fb66
Jan/09/2022 13:09:15 ipsec,debug,packet e92e9cb5 702ff0cc b23d658a d562d8a1 e3c725cc 366deb94 2dcba0b6 5510b763
Jan/09/2022 13:09:15 ipsec,debug,packet 8710341b c321c913 71c33790 e20e7791 913ae5d9 943323b9 05000010 04000000
Jan/09/2022 13:09:15 ipsec,debug,packet ac106000 ffffe000 00000010 04000000 ac1f0000 ffff0000 00000000 00000000
Jan/09/2022 13:09:15 ipsec,debug,packet padding len=1
Jan/09/2022 13:09:15 ipsec,debug,packet skip to trim padding.
Jan/09/2022 13:09:15 ipsec,debug,packet decrypted.
Jan/09/2022 13:09:15 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08102001 cdf3d2e6 0000013c 01000018
Jan/09/2022 13:09:15 ipsec,debug,packet 05e6a178 7b36bb18 6549c01b 92e6975a 80741dd0 0a000038 00000001 00000001
Jan/09/2022 13:09:15 ipsec,debug,packet 0000002c 01030401 c737b72d 00000020 010c0000 80060080 80050002 80030002
Jan/09/2022 13:09:15 ipsec,debug,packet 80040001 80010001 80020e10 04000024 9d0c35b4 dd95f598 5f8fb75a 50d7d17c
Jan/09/2022 13:09:15 ipsec,debug,packet 40397b66 77bb6c09 403a9e3e 9c2f1f54 05000084 5fc96969 e6617ed1 047f809a
Jan/09/2022 13:09:15 ipsec,debug,packet bb754ec5 d93a3d25 6a96b899 de3aab28 1ab43a65 40dc478e 56fd4ad2 fcf1f459
Jan/09/2022 13:09:15 ipsec,debug,packet 115a2057 dc6f654f 261a1a66 f5172f7f cbc14817 aec022dc 4ce1fb66 e92e9cb5
Jan/09/2022 13:09:15 ipsec,debug,packet 702ff0cc b23d658a d562d8a1 e3c725cc 366deb94 2dcba0b6 5510b763 8710341b
Jan/09/2022 13:09:15 ipsec,debug,packet c321c913 71c33790 e20e7791 913ae5d9 943323b9 05000010 04000000 ac106000
Jan/09/2022 13:09:15 ipsec,debug,packet ffffe000 00000010 04000000 ac1f0000 ffff0000 00000000 00000000
Jan/09/2022 13:09:15 ipsec,debug begin.
Jan/09/2022 13:09:15 ipsec,debug seen nptype=8(hash) len=24
Jan/09/2022 13:09:15 ipsec,debug seen nptype=1(sa) len=56
Jan/09/2022 13:09:15 ipsec,debug seen nptype=10(nonce) len=36
Jan/09/2022 13:09:15 ipsec,debug seen nptype=4(ke) len=132
Jan/09/2022 13:09:15 ipsec,debug seen nptype=5(id) len=16
Jan/09/2022 13:09:15 ipsec,debug seen nptype=5(id) len=16
Jan/09/2022 13:09:15 ipsec,debug succeed.
Jan/09/2022 13:09:15 ipsec,debug IDci prefix: 19/ulproto: 255 does not match proposal.
Jan/09/2022 13:09:15 ipsec,error 3.226.95.68 failed to pre-process ph2 packet.
Jan/09/2022 13:09:15 ipsec,debug,packet compute IV for phase2
Jan/09/2022 13:09:15 ipsec,debug,packet phase1 last IV:
Jan/09/2022 13:09:15 ipsec,debug,packet e815c820 c7a8e91c 6b1df911 ef083099 b1eed516
Jan/09/2022 13:09:15 ipsec,debug hash(sha1)
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet phase2 IV computed:
Jan/09/2022 13:09:15 ipsec,debug,packet 4b7f01f0 90e4c047 9178808b 2be3b9a5
Jan/09/2022 13:09:15 ipsec,debug,packet HASH with:
Jan/09/2022 13:09:15 ipsec,debug,packet b1eed516 0000000c 00000001 0100000d
Jan/09/2022 13:09:15 ipsec,debug,packet hmac(hmac_sha1)
Jan/09/2022 13:09:15 ipsec,debug,packet HASH computed:
Jan/09/2022 13:09:15 ipsec,debug,packet 411b3b2c fca22b03 4d47d458 6463890c 47667482
Jan/09/2022 13:09:15 ipsec,debug,packet begin encryption.
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet pad length = 12
Jan/09/2022 13:09:15 ipsec,debug,packet 0b000018 411b3b2c fca22b03 4d47d458 6463890c 47667482 0000000c 00000001
Jan/09/2022 13:09:15 ipsec,debug,packet 0100000d d2f7cbac d5d2a7f5 fbb1b70b
Jan/09/2022 13:09:15 ipsec,debug,packet encryption(aes)
Jan/09/2022 13:09:15 ipsec,debug,packet with key:
Jan/09/2022 13:09:15 ipsec,debug,packet 11c4a816 d5022947 74324bed 77d64f8a
Jan/09/2022 13:09:15 ipsec,debug,packet encrypted payload by IV:
Jan/09/2022 13:09:15 ipsec,debug,packet 4b7f01f0 90e4c047 9178808b 2be3b9a5
Jan/09/2022 13:09:15 ipsec,debug,packet save IV for next:
Jan/09/2022 13:09:15 ipsec,debug,packet 5db5d693 1862487d 7c020860 62b74dd6
Jan/09/2022 13:09:15 ipsec,debug,packet encrypted.
Jan/09/2022 13:09:15 ipsec,debug 76 bytes from 164.52.192.253[500] to 3.226.95.68[500]
Jan/09/2022 13:09:15 ipsec,debug 1 times of 76 bytes message will be sent to 3.226.95.68[500]
Jan/09/2022 13:09:15 ipsec,debug,packet 9d7e4e14 c9051c95 8e3100d9 54d41224 08100501 b1eed516 0000004c d0b85f2f
Jan/09/2022 13:09:15 ipsec,debug,packet 38cf68a8 8beeaf7a 20cba499 0458d44a 141a8647 41d077b4 b192ab16 5db5d693
Jan/09/2022 13:09:15 ipsec,debug,packet 1862487d 7c020860 62b74dd6
Jan/09/2022 13:09:15 ipsec,debug sendto Information notify.
Jan/09/2022 13:09:15 ipsec 3.226.95.68 phase2 negotiation failed.

mankomal · January 9, 2022, 1:51pm

sindy · January 9, 2022, 1:53pm

If so, their instruction does not match their actual requirements. Or maybe you should indeed use exchange-mode=ike2 as the instruction refers to that, so the handling of Phase 2 may differ at their side depending on what IKE type is used.

sindy · January 9, 2022, 1:54pm

Also, your sceenshot shows that only one policy has succeeded, the other one states “no phase 2” which means it has failed to establish.

mankomal · January 9, 2022, 1:58pm

So That failed policy actually allows the ping to go thru (beats my thought process also)
Also, if the “established” policy is not on then the ping doesn’t goes thru (again beats my thought process)

mankomal · January 9, 2022, 1:59pm

I made new tunnel with IKEv1 as IKEv2 was failing and I read something about IKEv2 compatibility issue with MikroTik and AWS

mankomal · January 9, 2022, 2:25pm

WOOT WOOT! GOT IT!
AWS side VPG needed to be attached to VPC
and Route propagation was needed to be added.
Thanks a lot Sindy and Sob for providing all the inputs.

Will be posting a write up anyone else also doing this don’t face this issue with the new version.

sindy · January 9, 2022, 2:38pm

Congratulations.

Any chance you could dig the link? Uncle Google doesn’t show anything related to me…

mankomal · February 10, 2022, 7:07am

Hey Sindy,

Sorry for the late reply I have been working on you r suggestions and this is the result

I got one of the IPSECs to work with what you guided me

But at the same time I did one more config and the result was that there was an error

The log stated it was looking for prefix entered in the Site-to-Site VPN setup

sindy · February 10, 2022, 11:32am

A lot of infomation is missing - that “one more config” is at the same Mikrotik device like the working one? And is it a tunnel to another AWS instance, to some completely other IPsec peer, or a modification of the existing one?

mankomal · February 10, 2022, 11:49am

My Bad so that is a parallel setup I have created
Just over the top can different regions have different VPN endpoints (make) and that could cause the problem?
The working setup is In India region o AWS and the non-working has N America(Virginia)

sindy · February 10, 2022, 12:00pm

To me, “parallel” to me may still mean either, i.e. another AWS peer on the same Mikrotik or another Mikrotik.

That’s a question for AWS forum, not for a Mikrotik one

As for the actual issue, I’d have to see the detailed log (/system logging add topics=ipsec,!packet) and a configuration export.

mankomal · February 10, 2022, 12:14pm

Completely separate setup

I will share logs with you in next 2~3 hours setting up the stuff now

mankomal · February 14, 2022, 9:10am

Feb/14/2022 09:09:44 ipsec,debug ===== received 348 bytes from 43.254.32.5[500] to 103.54.222.93[500]
Feb/14/2022 09:09:44 ipsec no IKEv1 peer config for 43.254.32.5
Feb/14/2022 09:09:46 ipsec ike2 starting for: 34.204.157.120
Feb/14/2022 09:09:46 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/14/2022 09:09:46 ipsec,debug => (size 0x8)
Feb/14/2022 09:09:46 ipsec,debug 00000008 0000402e
Feb/14/2022 09:09:46 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Feb/14/2022 09:09:46 ipsec,debug => (size 0x1c)
Feb/14/2022 09:09:46 ipsec,debug 0000001c 00004005 f57de113 6527d407 037aefd4 c6399037 ceb4a7dc
Feb/14/2022 09:09:46 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Feb/14/2022 09:09:46 ipsec,debug => (size 0x1c)
Feb/14/2022 09:09:46 ipsec,debug 0000001c 00004004 bc6f0d9f 72e72f35 e75cc8df 8880c54c 71383df2
Feb/14/2022 09:09:46 ipsec adding payload: NONCE
Feb/14/2022 09:09:46 ipsec,debug => (size 0x1c)
Feb/14/2022 09:09:46 ipsec,debug 0000001c 35fece10 3b48054c ebe1f48b 81bd083d bafd9907 3995f2b3
Feb/14/2022 09:09:46 ipsec adding payload: KE
Feb/14/2022 09:09:46 ipsec,debug => (size 0x88)
Feb/14/2022 09:09:46 ipsec,debug 00000088 00020000 5339a21d 7319ec3c bcb67aa7 d22c5031 970b5d7c e26e7e1c
Feb/14/2022 09:09:46 ipsec,debug 14438282 93f91017 6961eb11 02674a20 22c875d4 336e60f0 f25d1a0d e15bca6b
Feb/14/2022 09:09:46 ipsec,debug 44634286 aec7e77e be15f14a cb5ffe80 c8e28cbf e8029dec 0b3d09f4 4811a10b
Feb/14/2022 09:09:46 ipsec,debug ea45b606 d013ef41 aff4f7c7 5ed25f9e 0b66bff4 0a879f2a 17f1d5a5 ac13055d
Feb/14/2022 09:09:46 ipsec,debug aec5295d 54c76477
Feb/14/2022 09:09:46 ipsec adding payload: SA
Feb/14/2022 09:09:46 ipsec,debug => (size 0x30)
Feb/14/2022 09:09:46 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002
Feb/14/2022 09:09:46 ipsec,debug 03000008 03000002 00000008 04000002
Feb/14/2022 09:09:46 ipsec <- ike2 request, exchange: SA_INIT:0 34.204.157.120[4500] b9e62bbc9dd576a1:0000000000000000
Feb/14/2022 09:09:46 ipsec,debug ===== sending 304 bytes from 103.54.222.93[4500] to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug 1 times of 308 bytes message will be sent to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug ===== received 320 bytes from 34.204.157.120[4500] to 103.54.222.93[4500]
Feb/14/2022 09:09:46 ipsec -> ike2 reply, exchange: SA_INIT:0 34.204.157.120[4500] b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec ike2 initialize recv
Feb/14/2022 09:09:46 ipsec payload seen: SA (48 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: KE (136 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: NONCE (36 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: NOTIFY (28 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: NOTIFY (28 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: NOTIFY (8 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: NOTIFY (8 bytes)
Feb/14/2022 09:09:46 ipsec processing payload: NONCE
Feb/14/2022 09:09:46 ipsec processing payload: SA
Feb/14/2022 09:09:46 ipsec IKE Protocol: IKE
Feb/14/2022 09:09:46 ipsec  proposal #1
Feb/14/2022 09:09:46 ipsec   enc: aes128-cbc
Feb/14/2022 09:09:46 ipsec   prf: hmac-sha1
Feb/14/2022 09:09:46 ipsec   auth: sha1
Feb/14/2022 09:09:46 ipsec   dh: modp1024
Feb/14/2022 09:09:46 ipsec matched proposal:
Feb/14/2022 09:09:46 ipsec  proposal #1
Feb/14/2022 09:09:46 ipsec   enc: aes128-cbc
Feb/14/2022 09:09:46 ipsec   prf: hmac-sha1
Feb/14/2022 09:09:46 ipsec   auth: sha1
Feb/14/2022 09:09:46 ipsec   dh: modp1024
Feb/14/2022 09:09:46 ipsec processing payload: KE
Feb/14/2022 09:09:46 ipsec,debug => shared secret (size 0x80)
Feb/14/2022 09:09:46 ipsec,debug b6ec8440 89e76276 c43e9882 afe5c0f0 c2cdfa4f 31b25660 4dd8c031 982ab742
Feb/14/2022 09:09:46 ipsec,debug 2dc9db75 259cdc61 5ae2f816 9eaa916f bba3f025 0eb770ac 0c539922 d087c785
Feb/14/2022 09:09:46 ipsec,debug ef5e1f37 4f2e82da 3d6b0585 18298749 c4e8e5e1 38f4772a 30b7b832 c938112e
Feb/14/2022 09:09:46 ipsec,debug c1d368e9 527c9b03 c25634c5 eb9d185d 66ba1493 c5a0c6c5 b3256802 8c763849
Feb/14/2022 09:09:46 ipsec,debug => skeyseed (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug bf2b66d5 554d10d7 1e8a792c 438306ef 17890821
Feb/14/2022 09:09:46 ipsec,debug => keymat (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 14f16141 30ea31e1 c6da097f f3c4d4c4 2d37e534
Feb/14/2022 09:09:46 ipsec,debug => SK_ai (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 5d1a9d78 af12be30 21796531 4e45a692 005b2589
Feb/14/2022 09:09:46 ipsec,debug => SK_ar (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 16917181 e73d3e7f f076eafc f2088de9 ee53a592
Feb/14/2022 09:09:46 ipsec,debug => SK_ei (size 0x10)
Feb/14/2022 09:09:46 ipsec,debug dfc63d47 6384f218 52a07701 53a4d665
Feb/14/2022 09:09:46 ipsec,debug => SK_er (size 0x10)
Feb/14/2022 09:09:46 ipsec,debug 06ec4a4d a2f38bd3 62639367 89f3a6fe
Feb/14/2022 09:09:46 ipsec,debug => SK_pi (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 3f45eb6e db6c9e11 5565e17e b13e287f 88b38069
Feb/14/2022 09:09:46 ipsec,debug => SK_pr (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 5a4dee74 14644482 662e5902 03d9bd6a 9903cf6a
Feb/14/2022 09:09:46 ipsec,info new ike2 SA (I): AWS 103.54.222.93[4500]-34.204.157.120[4500] spi:b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec processing payloads: NOTIFY
Feb/14/2022 09:09:46 ipsec   notify: NAT_DETECTION_SOURCE_IP
Feb/14/2022 09:09:46 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Feb/14/2022 09:09:46 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/14/2022 09:09:46 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Feb/14/2022 09:09:46 ipsec (NAT-T) REMOTE 
Feb/14/2022 09:09:46 ipsec KA list add: 103.54.222.93[4500]->34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec fragmentation negotiated
Feb/14/2022 09:09:46 ipsec init child for policy: 0.0.0.0/0 <=> 0.0.0.0/0
Feb/14/2022 09:09:46 ipsec init child continue
Feb/14/2022 09:09:46 ipsec offering proto: 3
Feb/14/2022 09:09:46 ipsec  proposal #1
Feb/14/2022 09:09:46 ipsec   enc: aes128-cbc
Feb/14/2022 09:09:46 ipsec   auth: sha1
Feb/14/2022 09:09:46 ipsec ID_I (ADDR4): 103.54.222.93
Feb/14/2022 09:09:46 ipsec adding payload: ID_I
Feb/14/2022 09:09:46 ipsec,debug => (size 0xc)
Feb/14/2022 09:09:46 ipsec,debug 0000000c 01000000 6736de5d
Feb/14/2022 09:09:46 ipsec,debug => auth nonce (size 0x20)
Feb/14/2022 09:09:46 ipsec,debug 029ea58b 95893c01 2dac83f1 654c9e6c 71112961 84c933f1 c8820e62 8dd68b26
Feb/14/2022 09:09:46 ipsec,debug => SK_p (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 3f45eb6e db6c9e11 5565e17e b13e287f 88b38069
Feb/14/2022 09:09:46 ipsec,debug => idhash (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug f4a2ac3f 172d294c ce5c4e34 78205e93 22a7fe98
Feb/14/2022 09:09:46 ipsec,debug => my auth (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 9f2f7bc2 2b3fd909 be13403f 9269b4ed ed709119
Feb/14/2022 09:09:46 ipsec adding payload: AUTH
Feb/14/2022 09:09:46 ipsec,debug => (size 0x1c)
Feb/14/2022 09:09:46 ipsec,debug 0000001c 02000000 9f2f7bc2 2b3fd909 be13403f 9269b4ed ed709119
Feb/14/2022 09:09:46 ipsec adding notify: INITIAL_CONTACT
Feb/14/2022 09:09:46 ipsec,debug => (size 0x8)
Feb/14/2022 09:09:46 ipsec,debug 00000008 00004000
Feb/14/2022 09:09:46 ipsec adding payload: SA
Feb/14/2022 09:09:46 ipsec,debug => (size 0x2c)
Feb/14/2022 09:09:46 ipsec,debug 0000002c 00000028 01030403 030b0247 0300000c 0100000c 800e0080 03000008
Feb/14/2022 09:09:46 ipsec,debug 03000002 00000008 05000000
Feb/14/2022 09:09:46 ipsec initiator selector: 0.0.0.0/0 
Feb/14/2022 09:09:46 ipsec adding payload: TS_I
Feb/14/2022 09:09:46 ipsec,debug => (size 0x18)
Feb/14/2022 09:09:46 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Feb/14/2022 09:09:46 ipsec responder selector: 0.0.0.0/0 
Feb/14/2022 09:09:46 ipsec adding payload: TS_R
Feb/14/2022 09:09:46 ipsec,debug => (size 0x18)
Feb/14/2022 09:09:46 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Feb/14/2022 09:09:46 ipsec <- ike2 request, exchange: AUTH:1 34.204.157.120[4500] b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec,debug ===== sending 332 bytes from 103.54.222.93[4500] to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug 1 times of 336 bytes message will be sent to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug ===== received 204 bytes from 34.204.157.120[4500] to 103.54.222.93[4500]
Feb/14/2022 09:09:46 ipsec -> ike2 reply, exchange: AUTH:1 34.204.157.120[4500] b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec payload seen: ENC (176 bytes)
Feb/14/2022 09:09:46 ipsec processing payload: ENC
Feb/14/2022 09:09:46 ipsec,debug => iv (size 0x10)
Feb/14/2022 09:09:46 ipsec,debug 2672b2d3 239604ee cded176b 5efa18e8
Feb/14/2022 09:09:46 ipsec,debug => decrypted and trimmed payload (size 0x84)
Feb/14/2022 09:09:46 ipsec,debug 2700000c 01000000 22cc9d78 2100001c 02000000 51e2ea8b d5aa1377 bb59ccb2
Feb/14/2022 09:09:46 ipsec,debug 7493f41f b1690508 2c00002c 00000028 01030403 c9848272 0300000c 0100000c
Feb/14/2022 09:09:46 ipsec,debug 800e0080 03000008 03000002 00000008 05000000 2d000018 01000000 07000010
Feb/14/2022 09:09:46 ipsec,debug 0000ffff ac1f0000 ac1fffff 00000018 01000000 07000010 0000ffff 0a0a0a00
Feb/14/2022 09:09:46 ipsec,debug 0a0a0aff
Feb/14/2022 09:09:46 ipsec,debug decrypted packet
Feb/14/2022 09:09:46 ipsec payload seen: ID_R (12 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: AUTH (28 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: SA (44 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: TS_I (24 bytes)
Feb/14/2022 09:09:46 ipsec payload seen: TS_R (24 bytes)
Feb/14/2022 09:09:46 ipsec processing payloads: NOTIFY (none found)
Feb/14/2022 09:09:46 ipsec ike auth: initiator finish
Feb/14/2022 09:09:46 ipsec processing payload: ID_R
Feb/14/2022 09:09:46 ipsec ID_R (ADDR4): 34.204.157.120
Feb/14/2022 09:09:46 ipsec processing payload: AUTH
Feb/14/2022 09:09:46 ipsec requested auth method: SKEY
Feb/14/2022 09:09:46 ipsec,debug => peer's auth (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 51e2ea8b d5aa1377 bb59ccb2 7493f41f b1690508
Feb/14/2022 09:09:46 ipsec,debug => auth nonce (size 0x18)
Feb/14/2022 09:09:46 ipsec,debug 35fece10 3b48054c ebe1f48b 81bd083d bafd9907 3995f2b3
Feb/14/2022 09:09:46 ipsec,debug => SK_p (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 5a4dee74 14644482 662e5902 03d9bd6a 9903cf6a
Feb/14/2022 09:09:46 ipsec,debug => idhash (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 9a8541ce b50ece12 fe80e457 aee7060d b695d1de
Feb/14/2022 09:09:46 ipsec,debug => calculated peer's AUTH (size 0x14)
Feb/14/2022 09:09:46 ipsec,debug 51e2ea8b d5aa1377 bb59ccb2 7493f41f b1690508
Feb/14/2022 09:09:46 ipsec,info,account peer authorized: AWS 103.54.222.93[4500]-34.204.157.120[4500] spi:b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec processing payloads: NOTIFY (none found)
Feb/14/2022 09:09:46 ipsec peer selected tunnel mode
Feb/14/2022 09:09:46 ipsec processing payload: SA
Feb/14/2022 09:09:46 ipsec IKE Protocol: ESP
Feb/14/2022 09:09:46 ipsec  proposal #1
Feb/14/2022 09:09:46 ipsec   enc: aes128-cbc
Feb/14/2022 09:09:46 ipsec   auth: sha1
Feb/14/2022 09:09:46 ipsec matched proposal:
Feb/14/2022 09:09:46 ipsec  proposal #1
Feb/14/2022 09:09:46 ipsec   enc: aes128-cbc
Feb/14/2022 09:09:46 ipsec   auth: sha1
Feb/14/2022 09:09:46 ipsec processing payload: TS_I
Feb/14/2022 09:09:46 ipsec 172.31.0.0/16
Feb/14/2022 09:09:46 ipsec processing payload: TS_R
Feb/14/2022 09:09:46 ipsec 10.10.10.0/24
Feb/14/2022 09:09:46 ipsec my vs peer's selectors:
Feb/14/2022 09:09:46 ipsec 0.0.0.0/0 vs 172.31.0.0/16
Feb/14/2022 09:09:46 ipsec 0.0.0.0/0 vs 10.10.10.0/24
Feb/14/2022 09:09:46 ipsec,error responder selectors does not match my policy
Feb/14/2022 09:09:46 ipsec send notify: TS_UNACCEPTABLE
Feb/14/2022 09:09:46 ipsec adding notify: TS_UNACCEPTABLE
Feb/14/2022 09:09:46 ipsec,debug => (size 0x8)
Feb/14/2022 09:09:46 ipsec,debug 00000008 00000026
Feb/14/2022 09:09:46 ipsec <- ike2 request, exchange: INFORMATIONAL:2 34.204.157.120[4500] b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec,debug ===== sending 268 bytes from 103.54.222.93[4500] to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug 1 times of 272 bytes message will be sent to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,info killing ike2 SA: AWS 103.54.222.93[4500]-34.204.157.120[4500] spi:b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec adding payload: DELETE
Feb/14/2022 09:09:46 ipsec,debug => (size 0x8)
Feb/14/2022 09:09:46 ipsec,debug 00000008 01000000
Feb/14/2022 09:09:46 ipsec <- ike2 request, exchange: INFORMATIONAL:3 34.204.157.120[4500] b9e62bbc9dd576a1:122292e0bde85c72
Feb/14/2022 09:09:46 ipsec,debug ===== sending 284 bytes from 103.54.222.93[4500] to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug 1 times of 288 bytes message will be sent to 34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec KA remove: 103.54.222.93[4500]->34.204.157.120[4500]
Feb/14/2022 09:09:46 ipsec,debug KA tree dump: 103.54.222.93[4500]->34.204.157.120[4500] (in_use=1)
Feb/14/2022 09:09:46 ipsec,debug KA removing this one...

This is the debug
My policy is:

 1      peer="" src-address=0.0.0.0/0 src-port=any dst-address=10.10.10.0/24 dst-port=any protocol=all action=none 

 2      peer="" src-address=103.54.222.93/32 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=none 

 3   I  peer=AWS tunnel=yes src-address=0.0.0.0/0 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=103.54.222.93 sa-dst-address=:: proposal=AWS-proposal ph2-count=0

sindy · February 14, 2022, 10:00am

The answer is in this part:

Feb/14/2022 09:09:46 ipsec processing payload: TS_I
Feb/14/2022 09:09:46 ipsec 172.31.0.0/16
Feb/14/2022 09:09:46 ipsec processing payload: TS_R
Feb/14/2022 09:09:46 ipsec 10.10.10.0/24
Feb/14/2022 09:09:46 ipsec my vs peer’s selectors:
Feb/14/2022 09:09:46 ipsec 0.0.0.0/0 vs 172.31.0.0/16
Feb/14/2022 09:09:46 ipsec 0.0.0.0/0 vs 10.10.10.0/24
Feb/14/2022 09:09:46 ipsec,error responder selectors does not match my policy
Feb/14/2022 09:09:46 ipsec send notify: TS_UNACCEPTABLE

Your policy is a static one, not a template:
peer=AWS tunnel=yes src-address=0.0.0.0/0 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=103.54.222.93 sa-dst-address=:: proposal=AWS-proposal

So even though IKEv2 is used, the policy at your side cannot accommodate to the one suggested by the AWS side.

If the suggestion by AWG is what you actually need, i.e. of these are the subnets you actually want to link, just accommodate your policy to that, set src-address=10.10.10.0/24 dst-address=172.31.0.0/16 in your policy, and you should be good.

mankomal · February 14, 2022, 11:13am

The answer is in this part:

Feb/14/2022 09:09:46 ipsec processing payload: TS_I
Feb/14/2022 09:09:46 ipsec 172.31.0.0/16
Feb/14/2022 09:09:46 ipsec processing payload: TS_R
Feb/14/2022 09:09:46 ipsec 10.10.10.0/24
Feb/14/2022 09:09:46 ipsec my vs peer’s selectors:
Feb/14/2022 09:09:46 ipsec 0.0.0.0/0 vs 172.31.0.0/16
Feb/14/2022 09:09:46 ipsec 0.0.0.0/0 vs 10.10.10.0/24
Feb/14/2022 09:09:46 ipsec,error responder selectors does not match my policy
Feb/14/2022 09:09:46 ipsec send notify: TS_UNACCEPTABLE

Your policy is a static one, not a template:
peer=AWS tunnel=yes src-address=0.0.0.0/0 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=103.54.222.93 sa-dst-address=:: proposal=AWS-proposal

So even though IKEv2 is used, the policy at your side cannot accommodate to the one suggested by the AWS side.

If the suggestion by AWG is what you actually need, i.e. of these are the subnets you actually want to link, just accommodate your policy to that, set src-address=10.10.10.0/24 dst-address=172.31.0.0/16 in your policy, and you should be good.

That does not work, below is a log for reference

Feb/14/2022 16:44:45 ipsec ph2 possible after ph1 creation
Feb/14/2022 16:44:45 ipsec init child for policy: 10.10.10.0/24 <=> 172.31.0.0/16
Feb/14/2022 16:44:45 ipsec init child continue
Feb/14/2022 16:44:45 ipsec offering proto: 3
Feb/14/2022 16:44:45 ipsec  proposal #1
Feb/14/2022 16:44:45 ipsec   enc: aes128-cbc
Feb/14/2022 16:44:45 ipsec   auth: sha1
Feb/14/2022 16:44:45 ipsec   dh: modp1024
Feb/14/2022 16:44:45 ipsec adding payload: NONCE
Feb/14/2022 16:44:45 ipsec,debug => (size 0x1c)
Feb/14/2022 16:44:45 ipsec,debug 0000001c 922d8c11 fa262c85 3765ede7 3784624f 221a33c0 64bb1f88
Feb/14/2022 16:44:45 ipsec adding payload: KE
Feb/14/2022 16:44:45 ipsec,debug => (size 0x88)
Feb/14/2022 16:44:45 ipsec,debug 00000088 00020000 9c97bb83 37140c79 6b965092 7b830ee8 68cd3f87 9f7bf3c6
Feb/14/2022 16:44:45 ipsec,debug c3c56d85 b47eee77 0b7561d3 1a3f6ae7 4ae5781e 814e68eb 88aa9d7f e0e04adc
Feb/14/2022 16:44:45 ipsec,debug 962e6756 e3728f19 d30d7cae 34b0fe3b 00549ae3 87c27e06 12b9df01 274745a2
Feb/14/2022 16:44:45 ipsec,debug a4800655 0951b273 4751e537 65d1055f 0e22e9d0 330009d9 687ed13a 03f5d776
Feb/14/2022 16:44:45 ipsec,debug 874ba04b 686a6d09
Feb/14/2022 16:44:45 ipsec adding payload: SA
Feb/14/2022 16:44:45 ipsec,debug => (size 0x34)
Feb/14/2022 16:44:45 ipsec,debug 00000034 00000030 01030404 01a7ec14 0300000c 0100000c 800e0080 03000008
Feb/14/2022 16:44:45 ipsec,debug 03000002 03000008 04000002 00000008 05000000
Feb/14/2022 16:44:45 ipsec initiator selector: 10.10.10.0/24 
Feb/14/2022 16:44:45 ipsec adding payload: TS_I
Feb/14/2022 16:44:45 ipsec,debug => (size 0x18)
Feb/14/2022 16:44:45 ipsec,debug 00000018 01000000 07000010 0000ffff 0a0a0a00 0a0a0aff
Feb/14/2022 16:44:45 ipsec responder selector: 172.31.0.0/16 
Feb/14/2022 16:44:45 ipsec adding payload: TS_R
Feb/14/2022 16:44:45 ipsec,debug => (size 0x18)
Feb/14/2022 16:44:45 ipsec,debug 00000018 01000000 07000010 0000ffff ac1f0000 ac1fffff
Feb/14/2022 16:44:45 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:2 3.219.43.131[4500] 68ff03252a9d997d:08d4613eceee417c
Feb/14/2022 16:44:45 ipsec,debug ===== sending 476 bytes from 103.54.222.93[4500] to 3.219.43.131[4500]
Feb/14/2022 16:44:45 ipsec,debug 1 times of 480 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 16:44:45 ipsec,debug ===== received 76 bytes from 3.219.43.131[4500] to 103.54.222.93[4500]
Feb/14/2022 16:44:45 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:2 3.219.43.131[4500] 68ff03252a9d997d:08d4613eceee417c
Feb/14/2022 16:44:45 ipsec payload seen: ENC (48 bytes)
Feb/14/2022 16:44:45 ipsec processing payload: ENC
Feb/14/2022 16:44:45 ipsec,debug => iv (size 0x10)
Feb/14/2022 16:44:45 ipsec,debug 38432b8d a2aefa40 888db897 e6a4be33
Feb/14/2022 16:44:45 ipsec,debug decrypted packet
Feb/14/2022 16:44:45 ipsec payload seen: NOTIFY (8 bytes)
Feb/14/2022 16:44:45 ipsec create child: initiator finish
Feb/14/2022 16:44:45 ipsec processing payloads: NOTIFY
Feb/14/2022 16:44:45 ipsec   notify: TS_UNACCEPTABLE
Feb/14/2022 16:44:45 ipsec got error: TS_UNACCEPTABLE

sindy · February 14, 2022, 11:47am

Strange, so try the following:

/ip ipsec policy disable [find peer=AWS]
/ip ipsec policy group add name=AWS
/ip ipsec policy add template=yes group=AWS proposal=AWS-proposal
/ip ipsec identity set [find peer=AWS] policy-template-group=AWS generate-policy=port-strict

and see what happens. Because in your previous log, the TS offer came from the AWS side; in the last one, it was sent from the Mikrotik side. By using the template, the Mikrotik won’t actively attempt to establish the SA. If it turns out to work this way, you’ll be able to restrict the template policy to what you want to actually permit.