VPN (IPSec, L2TP) - error 810 when using certificates

Hi all

I’m trying to set up a simple test VPN connection between my PC and a MikroTik router using certificates. I keep getting an 810 error while trying to connect, though. So here’s the full story:

First I created a VPN using IPSec + L2TP + PSK. Everything went smoothly and in 10 minutes it was working. I used this manual: http://blog.f1mikrotik.com/2014/08/18/l2tp-ipsec-vpn/

Then I created certificates (CA + user certificate) for myself using this manual: http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_on_RouterOS. I exported them and installed them on my computer. Then I changed the VPN settings (both on the Windows and router sides) to use certificates rather than PSK. I tried to connect, but all I got was a 766 error. So I went into Windows MMC as an admin and reinstalled the certificates for the local computer rather than the local user account - now when trying to connect, I keep getting an 810 error.

I tried to solve this by recreating certificates on Debian (https://wiki.debian.org/Self-Signed_Certificate), but no change.

Here are my logs:

10:02:17 ipsec,debug,packet IPSEC —: 384 bytes message received from 192.168.88.11[500] to 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: ===
10:02:17 ipsec IPSEC —: respond new phase 1 negotiation: 192.168.88.1[500]<=>192.168.88.11[500]
10:02:17 ipsec IPSEC —: begin Identity Protection mode.
10:02:17 ipsec,debug,packet IPSEC —: begin.
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=1(sa)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=13(vid)
10:02:17 ipsec,debug,packet IPSEC —: succeed.
10:02:17 ipsec,debug IPSEC —: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
10:02:17 ipsec,debug IPSEC —: received Vendor ID: RFC 3947
10:02:17 ipsec,debug IPSEC —: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
10:02:17 ipsec,debug IPSEC —:
10:02:17 ipsec,debug IPSEC —: received Vendor ID: FRAGMENTATION
10:02:17 ipsec,debug,packet IPSEC —: received unknown Vendor ID
10:02:17 ipsec,debug,packet IPSEC —: received unknown Vendor ID
10:02:17 ipsec,debug,packet IPSEC —: received unknown Vendor ID
10:02:17 ipsec,debug IPSEC —: Selected NAT-T version: RFC 3947
10:02:17 ipsec,debug,packet IPSEC —: total SA len=208
10:02:17 ipsec,debug,packet IPSEC —: begin.
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=2(prop)
10:02:17 ipsec,debug,packet IPSEC —: succeed.
10:02:17 ipsec,debug,packet IPSEC —: proposal #1 len=200
10:02:17 ipsec,debug,packet IPSEC —: begin.
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=3(trns)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=3(trns)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=3(trns)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=3(trns)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=3(trns)
10:02:17 ipsec,debug,packet IPSEC —: succeed.
10:02:17 ipsec,debug,packet IPSEC —: transform #1 len=40
10:02:17 ipsec,debug,packet IPSEC —: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: type=Key Length, flag=0x8000, lorv=256
10:02:17 ipsec,debug,packet IPSEC —: type=Hash Algorithm, flag=0x8000, lorv=SHA
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: type=Group Description, flag=0x8000, lorv=20
10:02:17 ipsec,debug IPSEC —: invalid DH group 20.
10:02:17 ipsec,debug,packet IPSEC —: transform #2 len=40
10:02:17 ipsec,debug,packet IPSEC —: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: type=Key Length, flag=0x8000, lorv=128
10:02:17 ipsec,debug,packet IPSEC —: type=Hash Algorithm, flag=0x8000, lorv=SHA
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: type=Group Description, flag=0x8000, lorv=19
10:02:17 ipsec,debug IPSEC —: invalid DH group 19.
10:02:17 ipsec,debug,packet IPSEC —: transform #3 len=40
10:02:17 ipsec,debug,packet IPSEC —: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: type=Key Length, flag=0x8000, lorv=256
10:02:17 ipsec,debug,packet IPSEC —: type=Hash Algorithm, flag=0x8000, lorv=SHA
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
10:02:17 ipsec,debug,packet IPSEC —: dh(modp2048)
10:02:17 ipsec,debug,packet IPSEC —: type=Authentication Method, flag=0x8000, lorv=RSA signatures
10:02:17 ipsec,debug,packet IPSEC —: type=Life Type, flag=0x8000, lorv=seconds
10:02:17 ipsec,debug,packet IPSEC —: type=Life Duration, flag=0x0000, lorv=4
10:02:17 ipsec,debug,packet IPSEC —: transform #4 len=36
10:02:17 ipsec,debug,packet IPSEC —: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
10:02:17 ipsec,debug,packet IPSEC —: encryption(3des)
10:02:17 ipsec,debug,packet IPSEC —: type=Hash Algorithm, flag=0x8000, lorv=SHA
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
10:02:17 ipsec,debug,packet IPSEC —: dh(modp2048)
10:02:17 ipsec,debug,packet IPSEC —: type=Authentication Method, flag=0x8000, lorv=RSA signatures
10:02:17 ipsec,debug,packet IPSEC —: type=Life Type, flag=0x8000, lorv=seconds
10:02:17 ipsec,debug,packet IPSEC —: type=Life Duration, flag=0x0000, lorv=4
10:02:17 ipsec,debug,packet IPSEC —: transform #5 len=36
10:02:17 ipsec,debug,packet IPSEC —: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
10:02:17 ipsec,debug,packet IPSEC —: encryption(3des)
10:02:17 ipsec,debug,packet IPSEC —: type=Hash Algorithm, flag=0x8000, lorv=SHA
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
10:02:17 ipsec,debug,packet IPSEC —: dh(modp1024)
10:02:17 ipsec,debug,packet IPSEC —: type=Authentication Method, flag=0x8000, lorv=RSA signatures
10:02:17 ipsec,debug,packet IPSEC —: type=Life Type, flag=0x8000, lorv=seconds
10:02:17 ipsec,debug,packet IPSEC —: type=Life Duration, flag=0x0000, lorv=4
10:02:17 ipsec,debug,packet IPSEC —: pair 1:
10:02:17 ipsec,debug,packet IPSEC —: 0xc9db8: next=(nil) tnext=0xc8c90
10:02:17 ipsec,debug,packet IPSEC —: 0xc8c90: next=(nil) tnext=0xc8500
10:02:17 ipsec,debug,packet IPSEC —: 0xc8500: next=(nil) tnext=(nil)
10:02:17 ipsec,debug,packet IPSEC —: proposal #1: 3 transform
10:02:17 ipsec,debug,packet IPSEC —: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
10:02:17 ipsec,debug,packet IPSEC —: trns#=3, trns-id=IKE
10:02:17 ipsec,debug,packet IPSEC —: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
10:02:17 ipsec,debug,packet IPSEC —: type=Key Length, flag=0x8000, lorv=256
10:02:17 ipsec,debug,packet IPSEC —: type=Hash Algorithm, flag=0x8000, lorv=SHA
10:02:17 ipsec,debug,packet IPSEC —: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
10:02:17 ipsec,debug,packet IPSEC —: type=Authentication Method, flag=0x8000, lorv=RSA signatures
10:02:17 ipsec,debug,packet IPSEC —: type=Life Type, flag=0x8000, lorv=seconds
10:02:17 ipsec,debug,packet IPSEC —: type=Life Duration, flag=0x0000, lorv=4
10:02:17 ipsec,debug,packet IPSEC —: Compared: Local:Peer
10:02:17 ipsec,debug,packet IPSEC —: (lifetime = 86400:28800)
10:02:17 ipsec,debug,packet IPSEC —: (lifebyte = 0:0)
10:02:17 ipsec,debug,packet IPSEC —: enctype = AES-CBC:AES-CBC
10:02:17 ipsec,debug,packet IPSEC —: (encklen = 256:256)
10:02:17 ipsec,debug,packet IPSEC —: hashtype = SHA:SHA
10:02:17 ipsec,debug,packet IPSEC —: authmethod = RSA signatures:RSA signatures
10:02:17 ipsec,debug,packet IPSEC —: dh_group = 2048-bit MODP group:2048-bit MODP group
10:02:17 ipsec,debug,packet IPSEC —: an acceptable proposal found.
10:02:17 ipsec,debug,packet IPSEC —: dh(modp2048)
10:02:17 ipsec,debug,packet IPSEC —: agreed on RSA signatures auth.
10:02:17 ipsec,debug,packet IPSEC —: ===
10:02:17 ipsec,debug,packet IPSEC —: new cookie:
10:02:17 ipsec,debug,packet IPSEC —: 0c158f41f8f78948
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 56, next type 13
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 16, next type 13
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 16, next type 0
10:02:17 ipsec,debug,packet IPSEC —: 128 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:02:17 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:02:17 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:02:17 ipsec,debug,packet IPSEC —: 1 times of 128 bytes message will be sent to 192.168.88.11[500]
10:02:17 ipsec,debug IPSEC —: sent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:02:17 ipsec,debug,packet IPSEC —: ==========
10:02:17 ipsec,debug,packet IPSEC —: 388 bytes message received from 192.168.88.11[500] to 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: begin.
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=4(ke)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=10(nonce)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=20(nat-d)
10:02:17 ipsec,debug,packet IPSEC —: seen nptype=20(nat-d)
10:02:17 ipsec,debug,packet IPSEC —: succeed.
10:02:17 ipsec,debug IPSEC —: Hashing 192.168.88.1[500] with algo #2
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug IPSEC —: NAT-D payload #0 verified
10:02:17 ipsec,debug IPSEC —: Hashing 192.168.88.11[500] with algo #2
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug IPSEC —: NAT-D payload #1 verified
10:02:17 ipsec,debug IPSEC —: NAT not detected
10:02:17 ipsec,debug,packet IPSEC —: ===
10:02:17 ipsec,debug,packet IPSEC —: compute DH’s private.
10:02:17 ipsec,debug,packet IPSEC —: compute DH’s public.
10:02:17 ipsec,debug IPSEC —: Hashing 192.168.88.11[500] with algo #2
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug IPSEC —: Hashing 192.168.88.1[500] with algo #2
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug IPSEC —: Adding remote and local NAT-D payloads.
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 256, next type 10
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 24, next type 20
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 20, next type 20
10:02:17 ipsec,debug,packet IPSEC —: add payload of len 20, next type 0
10:02:17 ipsec,debug,packet IPSEC —: 364 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:02:17 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:02:17 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:02:17 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:02:17 ipsec,debug IPSEC —: sent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:02:17 ipsec,debug,packet IPSEC —: compute DH’s shared.
10:02:17 ipsec,debug,packet IPSEC —:
10:02:17 ipsec,debug,packet IPSEC —: nonce1:
10:02:17 ipsec,debug,packet IPSEC —: fa96906f 8eba715f 59c78906 c307d07d b5617348 a7b6196d 6a9ce2ee f1c0799a
10:02:17 ipsec,debug,packet IPSEC —: 73036953 d27f0c77 c8588d96 8ae729c6
10:02:17 ipsec,debug,packet IPSEC —: nonce2:
10:02:17 ipsec,debug,packet IPSEC —: 8a7811f8 f5b1b9ec bc8d3e4b cfb925f4 6afcb91a 0f164e77
10:02:17 ipsec,debug,packet IPSEC —: hmac(hmac_sha1)
10:02:17 ipsec,debug,packet IPSEC —: SKEYID computed:
10:02:17 ipsec,debug,packet IPSEC —: 10842cd1 e1834384 48a9217c 24c704c2 71ee53c7
10:02:17 ipsec,debug,packet IPSEC —: hmac(hmac_sha1)
10:02:17 ipsec,debug,packet IPSEC —: SKEYID_d computed:
10:02:17 ipsec,debug,packet IPSEC —: 6a423ca4 4f720f71 7b14ac10 bdd4fda9 12d427d8
10:02:17 ipsec,debug,packet IPSEC —: hmac(hmac_sha1)
10:02:17 ipsec,debug,packet IPSEC —: SKEYID_a computed:
10:02:17 ipsec,debug,packet IPSEC —: 55d39617 7086b81b b86a6944 c63084e3 5af595f7
10:02:17 ipsec,debug,packet IPSEC —: hmac(hmac_sha1)
10:02:17 ipsec,debug,packet IPSEC —: SKEYID_e computed:
10:02:17 ipsec,debug,packet IPSEC —: f4b8c3a4 495c47fe cc6f1800 80b8b43d efb150af
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: len(SKEYID_e) < len(Ka) (20 < 32), generating long key (Ka = K1 | K2 | …)
10:02:17 ipsec,debug,packet IPSEC —: hmac(hmac_sha1)
10:02:17 ipsec,debug,packet IPSEC —: compute intermediate encryption key K1
10:02:17 ipsec,debug,packet IPSEC —: 00
10:02:17 ipsec,debug,packet IPSEC —: f17d3dba c043d9b1 2369502d c562a57e c6eddaa4
10:02:17 ipsec,debug,packet IPSEC —: hmac(hmac_sha1)
10:02:17 ipsec,debug,packet IPSEC —: compute intermediate encryption key K2
10:02:17 ipsec,debug,packet IPSEC —: f17d3dba c043d9b1 2369502d c562a57e c6eddaa4
10:02:17 ipsec,debug,packet IPSEC —: 34548bc0 c2951924 d071988e 57caee07 6c5dec44
10:02:17 ipsec,debug,packet IPSEC —: final encryption key computed:
10:02:17 ipsec,debug,packet IPSEC —: f17d3dba c043d9b1 2369502d c562a57e c6eddaa4 34548bc0 c2951924 d071988e
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: IV computed:
10:02:17 ipsec,debug,packet IPSEC —: 6bae100c cc15adaa 272e2a57 9ff6ded7
10:02:17 ipsec,debug,packet IPSEC —: ==========
10:02:17 ipsec,debug,packet IPSEC —: 92 bytes message received from 192.168.88.11[500] to 192.168.88.1[500]
10:02:17 ipsec,debug,packet IPSEC —: fd1dbe6c 1442d417 0c158f41 f8f78948 08100501 804c18a4 0000005c e1694dbe
10:02:17 ipsec,debug,packet IPSEC —: ef39c231 746047be 0ec6558a 537904c3 bce015a8 470f8996 b66a40cb 57f400f7
10:02:17 ipsec,debug,packet IPSEC —: 199b2d48 7245aeeb b9132d38 a8837934 841c94a6 fd543489 43386ce5
10:02:17 ipsec,debug,packet IPSEC —: receive Information.
10:02:17 ipsec,debug,packet IPSEC —: compute IV for phase2
10:02:17 ipsec,debug,packet IPSEC —: phase1 last IV:
10:02:17 ipsec,debug,packet IPSEC —: 6bae100c cc15adaa 272e2a57 9ff6ded7 804c18a4
10:02:17 ipsec,debug,packet IPSEC —: hash(sha1)
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: phase2 IV computed:
10:02:17 ipsec,debug,packet IPSEC —: c2c6a0c4 8499a236 8d8a6c1d 948a5524
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: IV was saved for next processing:
10:02:17 ipsec,debug,packet IPSEC —: a8837934 841c94a6 fd543489 43386ce5
10:02:17 ipsec,debug,packet IPSEC —: encryption(aes)
10:02:17 ipsec,debug,packet IPSEC —: with key:
10:02:17 ipsec,debug,packet IPSEC —: f17d3dba c043d9b1 2369502d c562a57e c6eddaa4 34548bc0 c2951924 d071988e
10:02:17 ipsec,debug,packet IPSEC —: decrypted payload by IV:
10:02:17 ipsec,debug,packet IPSEC —: c2c6a0c4 8499a236 8d8a6c1d 948a5524
10:02:17 ipsec,debug,packet IPSEC —: decrypted payload, but not trimed.
10:02:17 ipsec,debug,packet IPSEC —: 0b000018 1b7228e7 9375861f f8c09c45 8ad20c62 f25424ff 0000001c 00000001
10:02:17 ipsec,debug,packet IPSEC —: 0110001c fd1dbe6c 1442d417 0c158f41 f8f78948 00000000 00000000 00000000
10:02:17 ipsec,debug,packet IPSEC —: padding len=1
10:02:17 ipsec,debug,packet IPSEC —: skip to trim padding.
10:02:17 ipsec,debug,packet IPSEC —: decrypted.
10:02:17 ipsec,debug,packet IPSEC —: fd1dbe6c 1442d417 0c158f41 f8f78948 08100501 804c18a4 0000005c 0b000018
10:02:17 ipsec,debug,packet IPSEC —: 1b7228e7 9375861f f8c09c45 8ad20c62 f25424ff 0000001c 00000001 0110001c
10:02:17 ipsec,debug,packet IPSEC —: fd1dbe6c 1442d417 0c158f41 f8f78948 00000000 00000000 00000000
10:02:17 ipsec,debug IPSEC —: ignore information because ISAKMP-SA has not been established yet.
10:02:24 system,info,account user admin logged in from 192.168.88.11 via telnet
10:02:27 ipsec,debug,packet IPSEC —: 364 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:02:27 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:02:27 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:02:27 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:02:27 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:02:27 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:02:27 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:02:27 ipsec,debug IPSEC —: resent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:02:37 ipsec,debug,packet IPSEC —: 364 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:02:37 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:02:37 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:02:37 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:02:37 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:02:37 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:02:37 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:02:37 ipsec,debug IPSEC —: resent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:02:47 ipsec,debug,packet IPSEC —: 364 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:02:47 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:02:47 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:02:47 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:02:47 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:02:47 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:02:47 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:02:47 ipsec,debug IPSEC —: resent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:02:57 ipsec,debug,packet IPSEC —: 364 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:02:57 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:02:57 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:02:57 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:02:57 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:02:57 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:02:57 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:02:57 ipsec,debug IPSEC —: resent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:03:07 ipsec,debug,packet IPSEC —: 364 bytes from 192.168.88.1[500] to 192.168.88.11[500]
10:03:07 ipsec,debug,packet IPSEC —: sockname 192.168.88.1[500]
10:03:07 ipsec,debug,packet IPSEC —: send packet from 192.168.88.1[500]
10:03:07 ipsec,debug,packet IPSEC —: send packet to 192.168.88.11[500]
10:03:07 ipsec,debug,packet IPSEC —: src4 192.168.88.1[500]
10:03:07 ipsec,debug,packet IPSEC —: dst4 192.168.88.11[500]
10:03:07 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:03:07 ipsec,debug IPSEC —: resent phase1 packet 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:03:17 ipsec,error phase1 negotiation failed due to time up 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:03:17 ipsec,error IPSEC —: phase1 negotiation failed due to time up 192.168.88.1[500]<=>192.168.88.11[500] fd1dbe6c1442d417:0c158f41f8f78948
10:04:05 system,info,account user admin logged out from 192.168.88.11 via telnet
10:04:25 system,info,account user admin logged in from 192.168.88.11 via telnet

Will post additional screenshots / logs if needed.

Do any of you know what I could be doing wrong? I think it’s something trivial, but so far it’s been two days and I can’t find it. It surely has to be related to certificates, because when using exactly the same config, only going back to PSK (VPN settings in Windows + IPSec / Peers / Authentication Method in Mikrotik), VPN works perfectly.

Anyway, many thanks in advance! :)
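
Added example (not part of the original post): a small Python triage for logs in the format above, grouping phase 1 resends and timeouts by cookie pair so a stalled negotiation stands out from the packet noise. The sample lines are constructed, the cookie values are placeholders, and the `local`/`remote` labels assume the first address is the logging router's own.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the RouterOS ipsec debug log above;
# the two cookie pairs are placeholder values, not taken from the post.
PEERS = "192.168.88.1[500]<=>192.168.88.11[500]"
A, B = "aaaa000000000001:bbbb000000000001", "aaaa000000000002:bbbb000000000002"
SAMPLE_LOG = f"""\
10:02:47 ipsec,debug IPSEC —: resent phase1 packet {PEERS} {A}
10:02:57 ipsec,debug,packet IPSEC —: 1 times of 364 bytes message will be sent to 192.168.88.11[500]
10:02:57 ipsec,debug IPSEC —: resent phase1 packet {PEERS} {A}
10:03:07 ipsec,debug IPSEC —: resent phase1 packet {PEERS} {A}
10:03:17 ipsec,error phase1 negotiation failed due to time up {PEERS} {A}
10:03:17 ipsec,error IPSEC —: phase1 negotiation failed due to time up {PEERS} {A}
10:04:05 system,info,account user admin logged out from 192.168.88.11 via telnet
10:05:00 ipsec,debug IPSEC —: resent phase1 packet {PEERS} {B}
"""

# Timestamp, ipsec topics, optional "IPSEC <sep>:" prefix, event, peers, cookie pair.
EVENT = re.compile(
    r"^(\d\d:\d\d:\d\d) ipsec,\S+ (?:IPSEC \S+ )?"
    r"(resent phase1 packet|phase1 negotiation failed due to time up) "
    r"(\S+)<=>(\S+) ([0-9a-f]{16}:[0-9a-f]{16})$")

def summarize(text):
    """Group phase 1 resend/timeout events by ISAKMP cookie pair."""
    sessions = {}
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # packet dumps, login events and other topics
        ts, kind, local, remote, cookies = m.groups()
        s = sessions.setdefault(cookies, {"cookies": cookies, "local": local,
                                          "remote": remote, "resent_at": [],
                                          "timed_out": False})
        if kind.startswith("resent"):
            s["resent_at"].append(datetime.strptime(ts, "%H:%M:%S"))
        else:
            s["timed_out"] = True  # the error is logged twice; a flag dedupes it
    for s in sessions.values():
        t = s.pop("resent_at")
        s["resends"] = len(t)
        s["resend_gaps_s"] = [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
        # Resends followed by "time up" mean the peer never answered that message.
        s["peer_went_silent"] = s["timed_out"] and s["resends"] > 0
    return list(sessions.values())

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```

A session flagged `peer_went_silent` points the investigation at the side that stopped answering, so the next place to look is that peer's own log for the same time window.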

I am confirming that I’ve seen a very similar problem to what you described, and I even went through many of the steps you outlined. Everything works fine with PSK for the IPsec tunnel, but I cannot find any way to get IPsec working with certificates with L2TP/IPsec clients. Note, I’ve successfully created IPsec tunnels using certificates in the past, but without L2TP.

I believe that a part of the problem is just incomplete documentation. The L2TP setup only supports an IPsec peer setting using PSK. There is probably a way to override this IPsec peer configuration, but I have not found the trick, yet. I ran out of time to work on this, but I hope to get back to investigating this soon.

If anyone has an example of L2TP/IPsec working with certificates and widely-supported client implementations, please share.

Thanks for your input, Cwade. Yesterday I talked to a colleague of mine, who claims to have successfully set up IPSec / L2TP VPN in the past. So it seems to be possible. The question remains: how? The mentioned coworker does not remember the setup steps.

Maybe Mikrotik can start a separate forum category for VPN stuff, lots of posts with unanswered questions.

Still trying to run certificates. Recently I’ve been trying to follow a different procedure. There’s an unexpected obstacle, however.

I am trying to run this command:

/certificate sign template=self-signed-certificate ca-crl-host=192.168.0.101 name=common-name ca-on-smart-card=no;

But it seems there is not even such an option on my router (it’s running RouterOS 6.28, so it’s up to date):

[admin@MikroTik] > /certificate sign template=self-signed-certificate ca-crl-host=192.168.0.101 name=common-name ca-on-smart-card=no;
expected end of command (line 1 column 27)
[admin@MikroTik] > /certificate sign 

<numbers> -- List of item numbers
ca -- issuer CA
ca-crl-host -- adds CRL URL to issued CA
ca-on-smart-card -- stores CA's private key on smart card
name --

I was following these two manuals / topics:
http://wiki.mikrotik.com/wiki/Manual:Create_Certificates
http://forum.mikrotik.com/t/certificates-how-to-create-ca-or-import-ca/78153/1
Do you know what’s wrong?