What is breaking my IPSec ?

Technetium · April 9, 2020, 10:14am

I have a router with 2 WAN: WAN1 and WAN2. Usually, all is using WAN2 because it’s faster.
On this router i’ve set a VPN IPSec to a database service.
Now I want add an IPSec Ikev2 to use the database service remotely but it not work.
Something is braking the IPSec.
I have to connect to the router in the same net of the lan, so IP of VPN are 192.168.1.XXX.

Client of IPSec Ike2 can connect correctly, but no traffic flow from router to client. After 2 min, the session expires because the token is not renewed.
I don’t figure out why. Firewall seems ok.

This is the settings of the router:

/interface bridge
add admin-mac=B8:69:XX:XX:XX:XX arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] comment="ROUTER FAST ISP" name=WAN2
set [ find default-name=ether9 ] arp=proxy-arp name=ether9-AP
/interface ovpn-server
add name=ovpn-ADMIN user=sysAdmin
/interface vlan
add interface=ether9-AP name=vlan-guest vlan-id=20
add interface=ether9-AP name=vlan-staff vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name="group vpn.XXXXXXXX.com"
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=DB_SERVICE-IPSEC
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name="profile vpn.XXXXXXXX.com"
/ip ipsec peer
add address=185.XX.XX.XX/32 local-address=10.0.2.10 name=Peer-DB_SERVICE \
    profile=DB_SERVICE-IPSEC
add exchange-mode=ike2 local-address=10.0.2.10 name="peer vpn ikev2" passive=\
    yes profile="profile vpn.XXXXXXXX.com"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=2h10m name=\
    DB_SERVICE-proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name="proposal vpn.XXXXXXXX.com" pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=Pool-OVPN ranges=10.255.255.2-10.255.255.254
add name=pool-guest ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge \
    lease-time=30m name=dhcp_server_local
add add-arp=yes address-pool=pool-guest disabled=no interface=vlan-guest \
    lease-time=30m name=dhcp-guest
/ip ipsec mode-config
add address-pool=dhcp_pool1 address-prefix-length=32 name=\
    "modeconf vpn.XXXXXXXX.com" split-include=\
    192.168.1.0/24,10.0.1.0/24,10.0.2.0/24 static-dns=192.168.1.1 system-dns=\
    no
/ppp profile
add interface-list=LAN local-address=dhcp_pool1 name=ProfileOVPN \
    remote-address=dhcp_pool1
/queue tree
add disabled=yes max-limit=3700k name=uploadWAN2 parent=WAN2
add limit-at=1M max-limit=3700k name=Voip_upload_WAN2 packet-mark=fromVoip \
    parent=uploadWAN2 priority=3
add bucket-size=0.2 limit-at=1M max-limit=3700k name=otherClientWAN2 \
    packet-mark=no-mark parent=uploadWAN2
/queue type
add kind=pfifo name=queue-OVPN_250 pfifo-limit=250
/queue interface
set ovpn-ADMIN queue=queue-OVPN_250
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9-AP
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan-staff \
    pvid=10
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=vlan-guest list=WAN
add interface=ether9-AP list=LAN
add interface=vlan-staff list=LAN
add interface=vlan-guest list=LAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=ProfileOVPN \
    enabled=yes port=1200 require-client-certificate=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.1/24 interface=vlan-guest network=192.168.2.0
/ip arp
add address=192.168.1.246 interface=bridge mac-address=9C:75:14:20:89:90
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf default-route-distance=2 disabled=no interface=WAN1
add dhcp-options=hostname disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    8.8.8.8,8.8.4.4,10.0.1.1,10.0.2.1 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=10.0.1.1,10.0.2.1 gateway=192.168.2.1
add address=192.168.11.0/24 dns-server=8.8.8.8,10.0.1.1,10.0.2.1 gateway=\
    192.168.11.1
add address=192.168.178.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="OVPN Server Accept" connection-state=\
    new dst-port=1200 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Accept input form VPN IPSEC IKEv2" \
    ipsec-policy=in,ipsec src-address=192.168.1.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow UDP 500,4500 IPSec for 10.0.2.10" dst-address=10.0.2.10 dst-port=\
    500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp for 10.0.2.10" \
    dst-address=10.0.2.10 protocol=ipsec-esp
add action=drop chain=input comment="BLOCK UDP DNS request da WAN1" \
    disabled=yes dst-port=53 in-interface=WAN1 protocol=udp
add action=drop chain=input comment="BLOCK UDP DNS request da WAN2 - FTTH" \
    disabled=yes dst-port=53 in-interface=WAN2 protocol=udp
add action=drop chain=input comment="BLOCK TCP DNS request da WAN1" \
    disabled=yes dst-port=53 in-interface=WAN1 protocol=tcp
add action=drop chain=input comment="BLOCK TCP DNS request da WAN2 - FTTH" \
    disabled=yes dst-port=53 in-interface=WAN2 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="Not coming LAN"
add action=drop chain=forward comment=\
    "DROP FROM DB_SERVICE a LAN interna" connection-state=new \
    dst-address=192.168.1.0/24 src-address=192.168.27.48/29
add action=drop chain=forward comment=\
    "DROP FROM LAN ad AP-guest" connection-state=new \
    dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment=\
    "DROP FROM AP-guest a LAN" connection-state=new \
    dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=accept chain=forward in-interface=vlan-guest src-address=\
    192.168.2.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="IntercomunicationPOOL VPN OpenVPN" \
    dst-address=10.255.255.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="IntercomunicationPOOL VPN OpenVPN" \
    dst-address=192.168.1.0/24 src-address=10.255.255.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
    10.0.1.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-bridge-port=vlan-staff in-interface=bridge \
    new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=vlan-guest new-connection-mark=WAN1 passthrough=yes \
    tcp-flags=""
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    vlan-guest new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-connection chain=forward in-interface=vlan-guest \
    new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=forward in-interface=WAN1 \
    new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=forward in-interface=WAN2 \
    new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.27.48/29 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=WAN1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=WAN2
add action=dst-nat chain=dstnat comment="Server on WAN1 tcp" \
    dst-port=25184 in-interface=WAN1 ipsec-policy=in,none protocol=tcp \
    to-addresses=192.168.1.253 to-ports=443
add action=dst-nat chain=dstnat comment="Server on WAN2  tcp" \
    dst-port=25184 in-interface=WAN2 ipsec-policy=in,none protocol=tcp \
    src-port="" to-addresses=192.168.1.253 to-ports=443
add action=dst-nat chain=dstnat comment="443 TCP" dst-port=443 \
    in-interface-list=WAN ipsec-policy=in,none protocol=tcp to-addresses=\
    192.168.1.5 to-ports=443
add action=dst-nat chain=dstnat comment="5060 TCP" dst-port=5060 \
    in-interface-list=WAN ipsec-policy=in,none protocol=tcp to-addresses=\
    192.168.1.5 to-ports=5060
add action=dst-nat chain=dstnat comment="5060 UDP" dst-port=5060 \
    in-interface-list=WAN ipsec-policy=in,none protocol=udp to-addresses=\
    192.168.1.5 to-ports=5060
add action=dst-nat chain=dstnat comment="5061 TCP" dst-port=5061 \
    in-interface-list=WAN ipsec-policy=in,none protocol=tcp to-addresses=\
    192.168.1.5 to-ports=5061
add action=dst-nat chain=dstnat comment="Range 10000-15000 UDP" \
    dst-port=10000-15000 in-interface-list=WAN ipsec-policy=in,none protocol=\
    udp to-addresses=192.168.1.5 to-ports=10000-15000
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Peer-DB_SERVICE
add auth-method=digital-signature certificate=vpn.XXXXXXXX.com \
    generate-policy=port-strict match-by=certificate mode-config=\
    "modeconf vpn.XXXXXXXX.com" peer="peer vpn ikev2" policy-template-group=\
    "group vpn.XXXXXXXX.com" remote-certificate=tech@vpn.XXXXXXXX.com \
    remote-id=user-fqdn:tech@vpn.XXXXXXXX.com
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.27.48/29 peer=Peer-DB_SERVICE proposal=DB_SERVICE-proposal \
    sa-dst-address=185.XX.XX.XX sa-src-address=10.0.2.10 src-address=\
    192.168.1.0/24 tunnel=yes
add dst-address=192.168.1.0/24 group="group vpn.XXXXXXXX.com" proposal=\
    "proposal vpn.XXXXXXXX.com" src-address=0.0.0.0/0 template=yes
/ip route
add check-gateway=ping comment="WAN 1 marked route" distance=2 gateway=\
    10.0.1.1 routing-mark=WAN1-mark
add check-gateway=ping comment="WAN 2 marked route" distance=1 gateway=\
    10.0.2.1 routing-mark=WAN2-mark
add comment="Defult route WAN 2" distance=1 gateway=10.0.2.1
add comment="Defult route WAN 2" distance=1 gateway=10.0.2.1
add comment="Default route WAN 1" distance=2 gateway=10.0.1.1
add comment="Default route WAN 1" distance=2 gateway=10.0.1.1
/ip ssh
set forwarding-enabled=remote
/ppp secret
add name=sysAdmin profile=ProfileOVPN service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec,!packet
/system ntp client
set enabled=yes server-dns-names=ntp1.inrim.it,time.inrim.it,pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=192.168.1.253/32

sindy · April 9, 2020, 1:02pm

I’d say that the remote subnet where the database is located (192.168.27.48/29) is missing in the split-include list in the /ip ipsec mode-config item for the IKEv2 client. On the other hand, unless you really need that client to connect to something in your WAN subnets, you’d better remove 10.0.1.0/24 and 10.0.2.0/24 from the split-include list - if the client implementation is eventually stupid enough, it may override the route to 10.0.2.10 by the installed policy.

Technetium · April 9, 2020, 1:49pm

The problem is not that i can’t reach the database service. I know that is not included in the split-include list.
I can’t reach 192.168.1.1 that is the router itself! And that’s the fist step..
There is no packet flow from LAN to my IPSec client and vice-versa after the first connection negotiation that is fully succesful.. the session expire after 2 minutes because the router doesn’t receive any renew message back.

I think that IPSec packet are not processed correctly for something in the firewall or mangle.

andriys · April 9, 2020, 2:21pm

Have you checked what’s in the logs? Mind sharing it here?

sindy · April 9, 2020, 2:30pm

In that case remove the 10.0.2.0/24 from the split-include and try to disconnect the client and connect it again. What comes in question is chain=input in /ip firewall filter and the /ip firewall mangle rules, and none of these appears to prevent IPsec traffic (UDP 4500 nor ESP) from working.

If that does not help, your best friend now is /tool sniffer quick ip-address=the.ip.of.client - run it in a terminal window as wide as your screen permits, and then activate the VPN connection at the client. You should see whether UDP or ESP is used for transport at each side, what is the source IP of Mikrotik’s IKEv2 responses, and whether the packets sent to the client are sent to LAN or something forces them via WAN instead.

Technetium · April 9, 2020, 2:43pm

Yes. I have a log of the whole session.
From authentication to the removal of the peer.

16:29:48 ipsec,debug ===== received 528 bytes from MY_IP_XXXXX[500] to 10.0.2.10[500] 
16:29:48 ipsec -> ike2 request, exchange: SA_INIT:0 MY_IP_XXXXX[500] 8b3eda775a92de39:0000000000000000 
16:29:48 ipsec ike2 respond 
16:29:48 ipsec payload seen: SA (256 bytes) 
16:29:48 ipsec payload seen: KE (136 bytes) 
16:29:48 ipsec payload seen: NONCE (52 bytes) 
16:29:48 ipsec payload seen: NOTIFY (28 bytes) 
16:29:48 ipsec payload seen: NOTIFY (28 bytes) 
16:29:48 ipsec processing payload: NONCE 
16:29:48 ipsec processing payload: SA 
16:29:48 ipsec,debug unknown auth: #13 
16:29:48 ipsec,debug unknown prf: #6 
16:29:48 ipsec,debug unknown auth: #13 
16:29:48 ipsec,debug unknown prf: #6 
16:29:48 ipsec IKE Protocol: IKE 
16:29:48 ipsec  proposal #1 
16:29:48 ipsec   enc: 3des-cbc 
16:29:48 ipsec   prf: hmac-sha1 
16:29:48 ipsec   auth: sha1 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec  proposal #2 
16:29:48 ipsec   enc: aes256-cbc 
16:29:48 ipsec   prf: hmac-sha1 
16:29:48 ipsec   auth: sha1 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec  proposal #3 
16:29:48 ipsec   enc: 3des-cbc 
16:29:48 ipsec   prf: hmac-sha256 
16:29:48 ipsec   auth: sha256 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec  proposal #4 
16:29:48 ipsec   enc: aes256-cbc 
16:29:48 ipsec   prf: hmac-sha256 
16:29:48 ipsec   auth: sha256 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec  proposal #5 
16:29:48 ipsec   enc: 3des-cbc 
16:29:48 ipsec   prf: unknown 
16:29:48 ipsec   auth: unknown 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec  proposal #6 
16:29:48 ipsec   enc: aes256-cbc 
16:29:48 ipsec   prf: unknown 
16:29:48 ipsec   auth: unknown 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec matched proposal: 
16:29:48 ipsec  proposal #4 
16:29:48 ipsec   enc: aes256-cbc 
16:29:48 ipsec   prf: hmac-sha256 
16:29:48 ipsec   auth: sha256 
16:29:48 ipsec   dh: modp1024 
16:29:48 ipsec processing payload: KE 
16:29:48 ipsec,debug => shared secret (size 0x80) 
16:29:48 ipsec,debug a2ec7ab5 7f824e7c 73177d93 b7d4151f 232298ee 8bdc3e94 29377c64 f50cf13f 
16:29:48 ipsec,debug a49b3c70 78e39a06 544ef149 632f0db0 f2fa5a2b aef6c86a a30e2dd1 94f125f1 
16:29:48 ipsec,debug e335ec26 390d3390 9156ec59 83d4d087 3b5c51d1 0b968b83 eb62c7dd e0f48cab 
16:29:48 ipsec,debug 0c602177 619d7e4c 110f66ba e5f2b845 ba7658b1 08bb14dd 4ed0a174 a4f34fff 
16:29:48 ipsec adding payload: SA 
16:29:48 ipsec,debug => (size 0x30) 
16:29:48 ipsec,debug 00000030 0000002c 04010004 0300000c 0100000c 800e0100 03000008 02000005 
16:29:48 ipsec,debug 03000008 0300000c 00000008 04000002 
16:29:48 ipsec adding payload: KE 
16:29:48 ipsec,debug => (size 0x88) 
16:29:48 ipsec,debug 00000088 00020000 fcf0f10f e2719333 d1b88d28 9b537d89 6266886b dd3a6ed2 
16:29:48 ipsec,debug b91171e3 cc310c74 3909a919 8d952823 38c5ab60 f893f5cc 4918ea6a 99b96d8d 
16:29:48 ipsec,debug d3b85163 eac3ff29 a7992ced 9bc9ba80 44aaab9c 7447f024 1d806410 0cf37b30 
16:29:48 ipsec,debug bcbdbcd4 30a5ec3e ec774950 252a7089 dfbdf970 a30abcf8 642c4311 5c5824a9 
16:29:48 ipsec,debug b6bbf1eb 38b72cc6 
16:29:48 ipsec adding payload: NONCE 
16:29:48 ipsec,debug => (size 0x1c) 
16:29:48 ipsec,debug 0000001c 52a55141 7ad307f2 7d27051f 676fca51 0d7287d4 6553a87b 
16:29:48 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
16:29:48 ipsec,debug => (size 0x1c) 
16:29:48 ipsec,debug 0000001c 00004004 405d5f7e 5559f554 50c235e0 764e26be 1c0b2593 
16:29:48 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
16:29:48 ipsec,debug => (size 0x1c) 
16:29:48 ipsec,debug 0000001c 00004005 25e67802 98fa4d11 eb579015 3b27b12b c5f6d302 
16:29:48 ipsec adding payload: CERTREQ 
16:29:48 ipsec,debug => (size 0x5) 
16:29:48 ipsec,debug 00000005 04 
16:29:48 ipsec <- ike2 reply, exchange: SA_INIT:0 MY_IP_XXXXX[500] 8b3eda775a92de39:51405ab83f84e917 
16:29:48 ipsec,debug ===== sending 301 bytes from 10.0.2.10[500] to MY_IP_XXXXX[500] 
16:29:48 ipsec,debug 1 times of 301 bytes message will be sent to MY_IP_XXXXX[500] 
16:29:48 ipsec,debug => skeyseed (size 0x20) 
16:29:48 ipsec,debug bee14c44 9b3cf895 96b36e7c 57739af1 ad114e9c a7c548a5 379b91d3 73f08376 
16:29:48 ipsec,debug => keymat (size 0x20) 
16:29:48 ipsec,debug 882ec6b8 64814b71 a0a42e39 e8760a87 694d8f21 9456b1fe e42324db 64341778 
16:29:48 ipsec,debug => SK_ai (size 0x20) 
16:29:48 ipsec,debug 9b46f8be e821eba1 59ecba87 0b3037a8 875e9640 68169b15 027d5c86 4867ea7c 
16:29:48 ipsec,debug => SK_ar (size 0x20) 
16:29:48 ipsec,debug 08b97860 38c10b59 073e7e20 a9801fd2 2380cf6f 85b11aaa d927648e fe31e7ab 
16:29:48 ipsec,debug => SK_ei (size 0x20) 
16:29:48 ipsec,debug 30b76b6a cb28f26d eb88d7dc de48170f 6dfa18f3 446355da 12fe73ed d095eb2a 
16:29:48 ipsec,debug => SK_er (size 0x20) 
16:29:48 ipsec,debug a2682b02 eadec370 608b73b4 49bcc294 83e8eb12 dfe78408 19fdfaeb 66a23eeb 
16:29:48 ipsec,debug => SK_pi (size 0x20) 
16:29:48 ipsec,debug c26e4945 c7e6e644 b178c2ec 36abc4e3 ba881623 8b8c68f3 49175b92 2accc5fc 
16:29:48 ipsec,debug => SK_pr (size 0x20) 
16:29:48 ipsec,debug d44510c7 fe83bbeb 9c76dee0 fb284f86 1153eca8 37dd05c2 3afa7b9c 683073bf 
16:29:48 ipsec,info new ike2 SA (R): 10.0.2.10[500]-MY_IP_XXXXX[500] spi:51405ab83f84e917:8b3eda775a92de39 
16:29:48 ipsec processing payloads: VID (none found) 
16:29:48 ipsec processing payloads: NOTIFY 
16:29:48 ipsec   notify: NAT_DETECTION_SOURCE_IP 
16:29:48 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
16:29:48 ipsec (NAT-T) REMOTE LOCAL 
16:29:48 ipsec KA list add: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:29:48 ipsec,debug ===== received 2800 bytes from MY_IP_XXXXX[4500] to 10.0.2.10[4500] 
16:29:48 ipsec -> ike2 request, exchange: AUTH:1 MY_IP_XXXXX[4500] 8b3eda775a92de39:51405ab83f84e917 
16:29:48 ipsec payload seen: ENC (2772 bytes) 
16:29:48 ipsec processing payload: ENC 
16:29:48 ipsec,debug => iv (size 0x10) 
16:29:48 ipsec,debug 4f0e413c 1fb78699 ac5e6c9b 8da9f464 
16:29:48 ipsec,debug => plain payload (trimmed) (first 0x100 of 0xaa3) 
16:29:48 ipsec,debug 25000076 09000000 306c310b 30090603 55040613 02495431 0f300d06 03550408 
16:29:48 ipsec,debug 0c064974 616c6961 310f300d 06035504 070c064d 696c616e 6f311630 14060355 
16:29:48 ipsec,debug 040a0c0d 73756d6d 65657473 726c2e69 74312330 21060355 04030c1a 67616272 
16:29:48 ipsec,debug 69656c65 4076706e 2e73756d 6d656574 73726c2e 69742600 040c0430 82040330 
16:29:48 ipsec,debug 8202eba0 03020102 02083a5e ebdfdc54 bbcb300d 06092a86 4886f70d 01010b05 
16:29:48 ipsec,debug 00306f31 0b300906 03550406 13024954 310f300d 06035504 080c0649 74616c69 
16:29:48 ipsec,debug 61310f30 0d060355 04070c06 4d696c61 6e6f3116 30140603 55040a0c 0d73756d 
16:29:48 ipsec,debug 6d656574 73726c2e 69743126 30240603 5504030c 1d393638 61303961 34643436 
16:29:48 ipsec,debug decrypted 
16:29:48 ipsec payload seen: ID_I (118 bytes) 
16:29:48 ipsec payload seen: CERT (1036 bytes) 
16:29:48 ipsec payload seen: CERTREQ (1145 bytes) 
16:29:48 ipsec payload seen: AUTH (264 bytes) 
16:29:48 ipsec payload seen: NOTIFY (8 bytes) 
16:29:48 ipsec payload seen: CONFIG (24 bytes) 
16:29:48 ipsec payload seen: SA (80 bytes) 
16:29:48 ipsec payload seen: TS_I (24 bytes) 
16:29:48 ipsec payload seen: TS_R (24 bytes) 
16:29:48 ipsec processing payloads: NOTIFY 
16:29:48 ipsec   notify: MOBIKE_SUPPORTED 
16:29:48 ipsec ike auth: respond 
16:29:48 ipsec processing payload: ID_I 
16:29:48 ipsec ID_I (DER DN): CN=tech@vpn.XXXXXXXX.com,C=IT,ST=COUNTRY,L=LOCATION,O=XXXXXXXX.com,OU=,SN= 
16:29:48 ipsec processing payload: ID_R (not found) 
16:29:48 ipsec processing payload: AUTH 
16:29:48 ipsec processing payload: CERT 
16:29:48 ipsec got CERT: CN=tech@vpn.XXXXXXXX.com,C=IT,ST=COUNTRY,L=LOCATION,O=XXXXXXXX.com,OU=,SN= 
16:29:48 ipsec,debug => (size 0x407) 
16:29:48 ipsec,debug 30820403 308202eb a0030201 0202083a 5eebdfdc 54bbcb30 0d06092a 864886f7 
16:29:48 ipsec,debug 0d01010b 0500306f 310b3009 06035504 06130249 54310f30 0d060355 04080c06 
16:29:48 ipsec,debug 4974616c 6961310f 300d0603 5504070c 064d696c 616e6f31 16301406 0355040a 
16:29:48 ipsec,debug 0c0d7375 6d6d6565 7473726c 2e697431 26302406 03550403 0c1d3936 38613039 
16:29:48 ipsec,debug 61346434 36332e73 6e2e6d79 6e65746e 616d652e 6e657430 1e170d32 30303430 
16:29:48 ipsec,debug 34313531 3235325a 170d3330 30343032 31353132 35325a30 6c310b30 09060355 
16:29:48 ipsec,debug 04061302 4954310f 300d0603 5504080c 06497461 6c696131 0f300d06 03550407 
16:29:48 ipsec,debug 0c064d69 6c616e6f 31163014 06035504 0a0c0d73 756d6d65 65747372 6c2e6974 
16:29:48 ipsec,debug 
16:29:48 ipsec,debug 31233021 06035504 030c1a67 61627269 656c6540 76706e2e 73756d6d 65657473 
16:29:48 ipsec,debug 726c2e69 74308201 22300d06 092a8648 86f70d01 01010500 0382010f 00308201 
16:29:48 ipsec,debug 0a028201 0100a73e 078de3f7 1165640d 46c4a833 b5621a02 36b636f9 3272cb30 
16:29:48 ipsec,debug c308de41 ed3c0ef3 634b89d5 52d00839 09c6201e 77209574 20d868c3 1b86718b 
16:29:48 ipsec,debug e507384b 7a2d0aa2 b4ca3b6b 0e5579ea caab86a5 a9bbb825 1baf86a0 86a919d3 
16:29:48 ipsec,debug 9ddc6fb4 9e8ba814 e52e1101 ff540e9d c40e2265 10f43c36 cca9af38 a7a52c12 
16:29:48 ipsec,debug 43090484 10b580ce 79d913a9 da75b864 57553625 e5619571 4130efe0 8f70d4e8 
16:29:48 ipsec,debug 7cafb763 c1dc3b5d 5cb4a7ba dfb51c52 b3bbecab 6bb4ee52 a8061cdb f46f42d7 
16:29:48 ipsec,debug 
16:29:48 ipsec,debug 577d7c6b be33127e 3059511e 64739a2b e37571dc 6758153e 426fdcf2 f2ae85c1 
16:29:48 ipsec,debug f8475ae6 d2306126 b82765d6 8ae60b09 c040bb50 9c62c4d3 0c2f3acd 895a2934 
16:29:48 ipsec,debug 6b25b524 c0d90203 010001a3 81a53081 a2301306 03551d25 040c300a 06082b06 
16:29:48 ipsec,debug 01050507 0302301d 0603551d 0e041604 14a0d3b8 37b53d11 7b2bee74 6c4c2b57 
16:29:48 ipsec,debug fe995929 23301f06 03551d23 04183016 80143811 71a97214 2da79f85 4ad6f9da 
16:29:48 ipsec,debug 54a72549 40c03025 0603551d 11041e30 1c811a67 61627269 656c6540 76706e2e 
16:29:48 ipsec,debug 73756d6d 65657473 726c2e69 74302406 09608648 0186f842 010d0417 16154765 
16:29:48 ipsec,debug 6e657261 74656420 62792052 6f757465 724f5330 0d06092a 864886f7 0d01010b 
16:29:48 ipsec,debug 
16:29:48 ipsec,debug 05000382 01010052 233e9f97 97dbc73f bf3ad612 04090590 7a9a89eb 68c17275 
16:29:48 ipsec,debug 17504428 6aa55a81 ac671b12 4321fa2a 372e0c5d 98e90897 56ef9d10 95d87d15 
16:29:48 ipsec,debug ef6510a0 8227e1cc 25942047 3788d0be 63aba0a9 5da6bc49 36a0f247 d6c2272e 
16:29:48 ipsec,debug 9184e0a4 e4e85d53 051ad34f 4a6ba66c d311913d 1dd90885 8c638a50 74af1774 
16:29:48 ipsec,debug acf5ecab 324b0fa7 63c2d258 20353fdb 6670713a 24f2b031 1e7b8349 fe942cbe 
16:29:48 ipsec,debug e84db41e 360b9632 eed77bcd 87feb803 7b2a34b4 e663ae6d f6b8c7ba 7a03d939 
16:29:48 ipsec,debug 143e11a9 97b7d38b b57bef02 9931965f f710deb0 03a42cb9 db5273f7 2beea1cc 
16:29:48 ipsec,debug 41fdd446 4613e6fa 15d5f4c0 4ee142d6 18da3901 f7e3fc05 2540f796 b73f38ca 
16:29:48 ipsec,debug 
16:29:48 ipsec,debug b0a491a0 733234 
16:29:48 ipsec processing payloads: NOTIFY 
16:29:48 ipsec   notify: MOBIKE_SUPPORTED 
16:29:48 ipsec processing payload: AUTH 
16:29:48 ipsec requested auth method: RSA 
16:29:48 ipsec,debug => peer's auth (size 0x100) 
16:29:48 ipsec,debug 377a0384 d592a4df 19edfbc4 53394aaf 66703c7b a3547131 d477b2e5 8e92348c 
16:29:48 ipsec,debug b9e25f87 f914c77f 168c74a7 76b5bd8d c373f4c2 9ea6de8c c24fdd90 dbbbfa58 
16:29:48 ipsec,debug 9a0ab1a3 4d266495 05890292 38dede4c bf809ffd 24af0ed1 9124b2e8 347a6a4c 
16:29:48 ipsec,debug b7ed313b d1cdefd4 3f18225d 15e3bb92 ba5a4f8d 1601c4f6 067c2119 a7593cb2 
16:29:48 ipsec,debug b6c644bd 455c1b11 e2cacb4f 0887c23b 9533530e 9f542598 913ae2ed 3126dd78 
16:29:48 ipsec,debug 280937a7 7b1b65c0 63e75689 bf1e227b 68826e86 ec9106ad df3a5ce9 b72b60dd 
16:29:48 ipsec,debug 97ee0d95 358b08a3 7854525c 4ce429bf 32617b2a 7362191e 8573b416 9151303c 
16:29:48 ipsec,debug 3b84325b 5879b1db 38554578 4c18614f 1787a234 b28250cd 953ee92d eb128b99 
16:29:48 ipsec,debug => auth nonce (size 0x18) 
16:29:48 ipsec,debug 52a55141 7ad307f2 7d27051f 676fca51 0d7287d4 6553a87b 
16:29:48 ipsec,debug => SK_p (size 0x20) 
16:29:48 ipsec,debug c26e4945 c7e6e644 b178c2ec 36abc4e3 ba881623 8b8c68f3 49175b92 2accc5fc 
16:29:48 ipsec,debug => idhash (size 0x20) 
16:29:48 ipsec,debug 1afc3d1f 1f30bdcf 3ddba051 4add581d a5b945ac 691bb0e5 c8022e06 6128dd79 
16:29:48 ipsec,info,account peer authorized: 10.0.2.10[4500]-MY_IP_XXXXX[4500] spi:51405ab83f84e917:8b3eda775a92de39 
16:29:48 ipsec processing payloads: NOTIFY 
16:29:48 ipsec   notify: MOBIKE_SUPPORTED 
16:29:48 ipsec peer wants tunnel mode 
16:29:48 ipsec processing payload: CONFIG 
16:29:48 ipsec   attribute: internal IPv4 address 
16:29:48 ipsec   attribute: internal IPv4 DNS 
16:29:48 ipsec   attribute: internal IPv4 NBNS 
16:29:48 ipsec   attribute: MS internal IPv4 server 
16:29:48 ipsec,info acquired 192.168.1.82 address for MY_IP_XXXXX, CN=tech@vpn.XXXXXXXX.com,C=IT,ST=COUNTRY,L=LOCATION,O=XXXXXXXX.com,OU=,SN= 
16:29:48 ipsec processing payload: TS_I 
16:29:48 ipsec 0.0.0.0/0 
16:29:48 ipsec processing payload: TS_R 
16:29:48 ipsec 0.0.0.0/0 
16:29:48 ipsec TSi in tunnel mode replaced with config address: 192.168.1.82 
16:29:48 ipsec TSr in tunnel mode replaced with split subnet: 192.168.1.0/24 
16:29:48 ipsec canditate selectors: 192.168.1.0/24 <=> 192.168.1.82 
16:29:48 ipsec processing payload: SA 
16:29:48 ipsec IKE Protocol: ESP 
16:29:48 ipsec  proposal #1 
16:29:48 ipsec   enc: aes256-cbc 
16:29:48 ipsec   auth: sha1 
16:29:48 ipsec  proposal #2 
16:29:48 ipsec   enc: 3des-cbc 
16:29:48 ipsec   auth: sha1 
16:29:48 ipsec searching for policy for selector: 192.168.1.0/24 <=> 192.168.1.82 
16:29:48 ipsec generating policy 
16:29:48 ipsec matched proposal: 
16:29:48 ipsec  proposal #1 
16:29:48 ipsec   enc: aes256-cbc 
16:29:48 ipsec   auth: sha1 
16:29:48 ipsec ike auth: finish 
16:29:48 ipsec ID_R (FQDN): XXXXXXXXXXX.sn.mynetname.net 
16:29:48 ipsec processing payload: NONCE 
16:29:48 ipsec,debug => auth nonce (size 0x30) 
16:29:48 ipsec,debug 6a527cca 7acc9979 ed34d66b b3b1fd1e 35ef90c9 84dbf54d 4b9798c1 ef7b0643 
16:29:48 ipsec,debug 7594ee42 cd9560a2 9f624e1f 8008fadc 
16:29:48 ipsec,debug => SK_p (size 0x20) 
16:29:48 ipsec,debug d44510c7 fe83bbeb 9c76dee0 fb284f86 1153eca8 37dd05c2 3afa7b9c 683073bf 
16:29:48 ipsec,debug => idhash (size 0x20) 
16:29:48 ipsec,debug 4452ab92 e959546f 9bc08c59 2ca723a5 e3daf819 0b61a272 109f860d b5667c8d 
16:29:48 ipsec,debug => my auth (size 0x100) 
16:29:48 ipsec,debug 318d656b 26716a47 c6faf4d5 74477721 cbc400df bc8e6c81 51359d5e 68938e76 
16:29:48 ipsec,debug 8da84412 d6ae4790 63cbe2ff 1a2d9e3a 8ea1df46 be7cb369 8c30487b b8784e06 
16:29:48 ipsec,debug 8e9edb4a b52feab4 9992060c 66f749a8 0162df96 6d50a136 bca05c3c 91375dcf 
16:29:48 ipsec,debug 24a20bdc 4a8977f6 47fbafa0 765cef23 1ee5449e e4b99b00 3430479f 17a637c4 
16:29:48 ipsec,debug cbc37ee7 2e85cc85 f4fb7fee 175f614e 5179a5f6 766db314 6d55d481 dee884ee 
16:29:48 ipsec,debug a129148d 654d63d5 71989f0a 29ea6bcc c8352afa 1be5817d 1400a9a3 0cc1840b 
16:29:48 ipsec,debug 7adc9254 f5961593 ea6c97c0 02cffa69 ce532420 02906c6f d60aa251 a853a294 
16:29:48 ipsec,debug f4a9a1c0 d1d28c8e d0742a24 9edf945c f8414944 ada8c903 7a68d455 308526c1 
16:29:48 ipsec cert: CN=XXXXXXXXXXX.sn.mynetname.net,C=IT,ST=COUNTRY,L=LOCATION,O=XXXXXXXX.com,OU=VPN,SN= 
16:29:48 ipsec adding payload: CERT 
16:29:48 ipsec,debug => (first 0x100 of 0x420) 
16:29:48 ipsec,debug 00000420 04308204 17308202 ffa00302 01020208 36795940 0914cf81 300d0609 
16:29:48 ipsec,debug 2a864886 f70d0101 0b050030 6f310b30 09060355 04061302 4954310f 300d0603 
16:29:48 ipsec,debug 5504080c 06497461 6c696131 0f300d06 03550407 0c064d69 6c616e6f 31163014 
16:29:48 ipsec,debug 06035504 0a0c0d73 756d6d65 65747372 6c2e6974 31263024 06035504 030c1d39 
16:29:48 ipsec,debug 36386130 39613464 3436332e 736e2e6d 796e6574 6e616d65 2e6e6574 301e170d 
16:29:48 ipsec,debug 32303034 30343135 31313532 5a170d33 30303430 32313531 3135325a 307d310b 
16:29:48 ipsec,debug 30090603 55040613 02495431 0f300d06 03550408 0c064974 616c6961 310f300d 
16:29:48 ipsec,debug 06035504 070c064d 696c616e 6f311630 14060355 040a0c0d 73756d6d 65657473 
16:29:48 ipsec adding payload: ID_R 
16:29:48 ipsec,debug => (size 0x25) 
16:29:48 ipsec,debug 00000025 02000000 39363861 30396134 64343633 2e736e2e 6d796e65 746e616d 
16:29:48 ipsec,debug 652e6e65 74 
16:29:48 ipsec adding payload: AUTH 
16:29:48 ipsec,debug => (first 0x100 of 0x108) 
16:29:48 ipsec,debug 00000108 01000000 318d656b 26716a47 c6faf4d5 74477721 cbc400df bc8e6c81 
16:29:48 ipsec,debug 51359d5e 68938e76 8da84412 d6ae4790 63cbe2ff 1a2d9e3a 8ea1df46 be7cb369 
16:29:48 ipsec,debug 8c30487b b8784e06 8e9edb4a b52feab4 9992060c 66f749a8 0162df96 6d50a136 
16:29:48 ipsec,debug bca05c3c 91375dcf 24a20bdc 4a8977f6 47fbafa0 765cef23 1ee5449e e4b99b00 
16:29:48 ipsec,debug 3430479f 17a637c4 cbc37ee7 2e85cc85 f4fb7fee 175f614e 5179a5f6 766db314 
16:29:48 ipsec,debug 6d55d481 dee884ee a129148d 654d63d5 71989f0a 29ea6bcc c8352afa 1be5817d 
16:29:48 ipsec,debug 1400a9a3 0cc1840b 7adc9254 f5961593 ea6c97c0 02cffa69 ce532420 02906c6f 
16:29:48 ipsec,debug d60aa251 a853a294 f4a9a1c0 d1d28c8e d0742a24 9edf945c f8414944 ada8c903 
16:29:48 ipsec prepearing internal IPv4 address 
16:29:48 ipsec prepearing internal IPv4 netmask 
16:29:48 ipsec prepearing internal IPv6 subnet 
16:29:48 ipsec prepearing internal IPv4 DNS 
16:29:48 ipsec adding payload: CONFIG 
16:29:48 ipsec,debug => (size 0x2c) 
16:29:48 ipsec,debug 0000002c 02000000 00010004 c0a80152 00020004 ffffffff 000d0008 c0a80100 
16:29:48 ipsec,debug ffffff00 00030004 c0a80101 
16:29:48 ipsec initiator selector: 192.168.1.82 
16:29:48 ipsec adding payload: TS_I 
16:29:48 ipsec,debug => (size 0x18) 
16:29:48 ipsec,debug 00000018 01000000 07000010 0000ffff c0a80152 c0a80152 
16:29:48 ipsec responder selector: 192.168.1.0/24 
16:29:48 ipsec adding payload: TS_R 
16:29:48 ipsec,debug => (size 0x18) 
16:29:48 ipsec,debug 00000018 01000000 07000010 0000ffff c0a80100 c0a801ff 
16:29:48 ipsec adding payload: SA 
16:29:48 ipsec,debug => (size 0x2c) 
16:29:48 ipsec,debug 0000002c 00000028 01030403 020f0783 0300000c 0100000c 800e0100 03000008 
16:29:48 ipsec,debug 03000002 00000008 05000000 
16:29:48 ipsec <- ike2 reply, exchange: AUTH:1 MY_IP_XXXXX[4500] 8b3eda775a92de39:51405ab83f84e917 
16:29:48 ipsec,debug ===== sending 1776 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:29:48 ipsec,debug 1 times of 1780 bytes message will be sent to MY_IP_XXXXX[4500] 
16:29:48 ipsec,debug => child keymat (size 0x80) 
16:29:48 ipsec,debug ad32037b ba9e87ea 97d5d59a 0572f306 e0968bb2 26b1d9e9 1277272e c28c78a1 
16:29:48 ipsec,debug 869124ad 984c3365 15d2842c 35bea144 fdc41212 993325b8 3913c4a7 ae502dc6 
16:29:48 ipsec,debug d09a08fc 4a93145c 40dab38b 3a697652 3ca4efcb 8f144e03 38b98dad cc685c19 
16:29:48 ipsec,debug 5ee78460 856d6f25 0a61fe3c f23aa660 df97b7db 5015b792 20625d37 66ddfcc6 
16:29:48 ipsec IPsec-SA established: MY_IP_XXXXX[4500]->10.0.2.10[4500] spi=0x20f0783 
16:29:48 ipsec IPsec-SA established: 10.0.2.10[4500]->MY_IP_XXXXX[4500] spi=0xd0758ae6 
16:30:03 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:30:03 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:30:23 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:30:23 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:30:43 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:30:43 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:31:03 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:31:03 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:31:23 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:31:23 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:31:43 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:31:43 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:31:48 ipsec sending dpd packet 
16:31:48 ipsec <- ike2 request, exchange: INFORMATIONAL:0 MY_IP_XXXXX[4500] 8b3eda775a92de39:51405ab83f84e917 
16:31:48 ipsec,debug ===== sending 112 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:31:48 ipsec,debug 1 times of 116 bytes message will be sent to MY_IP_XXXXX[4500] 
16:31:53 ipsec dpd: retransmit 
16:31:53 ipsec,debug ===== sending 112 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:31:53 ipsec,debug 1 times of 116 bytes message will be sent to MY_IP_XXXXX[4500] 
16:31:58 ipsec dpd: retransmit 
16:31:58 ipsec,debug ===== sending 112 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:31:58 ipsec,debug 1 times of 116 bytes message will be sent to MY_IP_XXXXX[4500] 
16:32:03 ipsec,debug KA: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:32:03 ipsec,debug 1 times of 1 bytes message will be sent to MY_IP_XXXXX[4500] 
16:32:03 ipsec dpd: retransmit 
16:32:03 ipsec,debug ===== sending 112 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:32:03 ipsec,debug 1 times of 116 bytes message will be sent to MY_IP_XXXXX[4500] 
16:32:08 ipsec dpd: retransmit 
16:32:08 ipsec,debug ===== sending 112 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:32:08 ipsec,debug 1 times of 116 bytes message will be sent to MY_IP_XXXXX[4500] 
16:32:13 ipsec dpd: max retransmit failures reached 
16:32:13 ipsec,info killing ike2 SA: 10.0.2.10[4500]-MY_IP_XXXXX[4500] spi:51405ab83f84e917:8b3eda775a92de39 
16:32:13 ipsec IPsec-SA killing: MY_IP_XXXXX[4500]->10.0.2.10[4500] spi=0x20f0783 
16:32:13 ipsec IPsec-SA killing: 10.0.2.10[4500]->MY_IP_XXXXX[4500] spi=0xd0758ae6 
16:32:13 ipsec removing generated policy 
16:32:13 ipsec adding payload: DELETE 
16:32:13 ipsec,debug => (size 0x8) 
16:32:13 ipsec,debug 00000008 01000000 
16:32:13 ipsec <- ike2 request, exchange: INFORMATIONAL:1 MY_IP_XXXXX[4500] 8b3eda775a92de39:51405ab83f84e917 
16:32:13 ipsec,debug ===== sending 240 bytes from 10.0.2.10[4500] to MY_IP_XXXXX[4500] 
16:32:13 ipsec,debug 1 times of 244 bytes message will be sent to MY_IP_XXXXX[4500] 
16:32:13 ipsec KA remove: 10.0.2.10[4500]->MY_IP_XXXXX[4500] 
16:32:13 ipsec,debug KA tree dump: 10.0.2.10[4500]->MY_IP_XXXXX[4500] (in_use=1) 
16:32:13 ipsec,debug KA removing this one... 
16:32:13 ipsec,info releasing address 192.168.1.82

sindy · April 9, 2020, 2:52pm

Sorry, from your description I had a feeling that you have the client on the LAN. The log shows that I was wrong, hence my theory about split-include is irrelevant.

If /tool sniffer shows you the transport packets carrying the DPD ones to be leaving via WAN towards the client’s public IP, the issue is at the client side.

Technetium · April 9, 2020, 3:04pm

The client is remote.. The IP assigned by the VPN is in the same pool of the LAN because are the only that can access the remote database service.
After connection to the VPN i can’t ping the router.. the ruter can’t ping the VPN client.

I exclude problem on the client side. I’m testing this setup and i have no problem with other IPSec Ikev2 with similar setup.

sindy · April 9, 2020, 3:45pm

This point is clear.

Again… I cannot see anything strange in the mangle rules, static routes or dhcp client configuration which could divert the outgoing packets from UDP 4500 to UDP 4500 via the wrong WAN, but please do use the sniffer and check that the commnication at port 4500 uses the same WAN2 like the incoming IKE traffic and like the outgoing traffic at port 500. The log shows that the communication at 500 was bi-directional (as the response to a packet sent by the router from 500 o 500 has caused a subsequent packet to come from 4500 to 4500), but after the router has received the first packet from the client’s port 4500 on its own port 4500, none of the further packets the router has sent from 4500 has ever been responded by the client. So the only explanation is that either already the router has sent it out via WAN1 (and thus the packet has arrived to the client with an unexpected source IP), or the ISP to which you are connected using WAN2 is handling port forwarding in some weird way.

sindy · April 11, 2020, 10:23am

So there is this topic where we’ve tracked a similar issue down to packet size and issues in handling packet fragments on an intermediate router/firewall. As you also use certificate-based authentication on the IKEv2 connection, maybe you can try the same solution? It’s not the size of the DPD packets that makes problems of course but the size of the last AUTH packet.

Technetium · April 14, 2020, 8:05pm

I’ve red the topic you linked.
If i generate all certificates with “key-size=secp384r1” when i install all certificates on windows i receive an error when try connecting to the VPN: Error 13806: IKEV2: no machine certificate found.

/certificate add name=CA.XXXXX.com country=COUNTRY state=STATE locality=LOC organization=XXXXX.com common-name=XXXXXXX.sn.mynetname.net subject-alt-name=DNS:XXXXXX.sn.mynetname.net key-size=secp384r1 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign

sindy · April 14, 2020, 8:44pm

What versions of Windows do you run? And have you had any errors when importing the certifcate to Windows?

sindy · April 15, 2020, 6:35am

And one more, have you uninstalled the previous certificate from the Windows, or used this method to tell explicitly the VPN connection which certificate to use (you have to indicate the CA certificate for some reason, not the client one itself)?

Technetium · April 15, 2020, 8:43am

I have mostly Windows 10 clients.

sindy · April 15, 2020, 9:10am

OK, so what about the second question (telling the VPN interface configuration which certificate to use, or keeping just one CA cert and one client cert in the machine cert store)?

Older Windows than 10 may have a trouble with ECDSA certificates, though.

sindy · April 15, 2020, 9:15am

this article may also be relevant, although the other user who had the similar issue didn’t report any trouble after switching to ECDSA certificates. The last solution explains it in detail, I could not find a way to send a link pointing directly to that item.