nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

new user manager for ipsec vpn

Mon Aug 23, 2021 2:43 pm

Hi everyone,

Today for the first time I upgraded to ROS 7.1 rc1 and decided to use the new User Manager with IPsec VPN (currently I use certificates).

I installed the new User Manager, but I think I am missing some options. Do I go to the RADIUS section as well and enable it?

My old VPN section:

/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=no
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes



New section:


/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=no
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate="" generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes



/user-manager user
add name=test_user
/user-manager
set enabled=yes

The test user cannot log in; I think I am missing some configuration steps.

Please advise, thank you.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: new user manager for ipsec vpn

Mon Aug 23, 2021 3:25 pm

You need certificate configuration with eap-radius as well. You can use the newly added Let's Encrypt support (/certificate/enable-ssl-certificate) if your device has TCP/80 port access from the Internet. When the certificate is generated, simply set it under the user manager and IPsec configuration. In most cases (depending on the client side) you will not need to install any certificates on the client side.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 6:05 am

> You need certificate configuration with eap-radius as well. You can use the newly added Let's Encrypt support (/certificate/enable-ssl-certificate) if your device has TCP/80 port access from the Internet. When the certificate is generated, simply set it under the user manager and IPsec configuration. In most cases (depending on the client side) you will not need to install any certificates on the client side.

Thank you emils, however I was not able to get it to work. I did generate a Let's Encrypt cert on the device but still have error messages in the logs:

Aug 24 18:18:48 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 12 - SPB4.210715.011/2021-08-05, Pixel 5 - google/redfin/Google, Linux 4.19.191-g04974, aarch64)
Aug 24 18:18:48 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Aug 24 18:18:48 00[JOB] spawning 16 worker threads
Aug 24 18:18:48 00[LIB] all OCSP validation disabled
Aug 24 18:18:48 00[LIB] all CRL validation disabled
Aug 24 18:18:49 07[IKE] initiating IKE_SA android[95] to 121.99.xxx.xxx
Aug 24 18:18:49 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 18:18:49 07[NET] sending packet: from 100.84.xx.xx[45134] to 121.99.xxx.xxx[500] (716 bytes)
Aug 24 18:18:49 09[NET] received packet: from 121.99.xxx.xxx[500] to 100.84.xx.xx[45134] (38 bytes)
Aug 24 18:18:49 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 24 18:18:49 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Aug 24 18:18:49 09[IKE] initiating IKE_SA android[95] to 121.99.xxx.xxx
Aug 24 18:18:49 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 18:18:49 09[NET] sending packet: from 100.84.xx.xx[45134] to 121.99.xxx.xxx[500] (1036 bytes)
Aug 24 18:18:49 10[NET] received packet: from 121.99.xxx.xxx[500] to 100.84.xx.xx[45134] (565 bytes)
Aug 24 18:18:49 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
Aug 24 18:18:49 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug 24 18:18:49 10[IKE] local host is behind NAT, sending keep alives
Aug 24 18:18:49 10[IKE] establishing CHILD_SA android{93}
Aug 24 18:18:49 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 24 18:18:49 10[NET] sending packet: from 100.84.xx.xx[38956] to 121.99.xxx.xxx[4500] (432 bytes)
Aug 24 18:18:50 12[NET] received packet: from 121.99.xxx.xxx[4500] to 100.84.xx.xx[38956] (1252 bytes)
Aug 24 18:18:50 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Aug 24 18:18:50 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Aug 24 18:18:50 11[NET] received packet: from 121.99.xxx.xxx[4500] to 100.84.xx.xx[38956] (804 bytes)
Aug 24 18:18:50 11[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Aug 24 18:18:50 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1744 bytes)
Aug 24 18:18:50 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 24 18:18:50 11[IKE] received end entity cert "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG]   using certificate "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG] no issuer certificate found for "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG]   issuer is "C=US, O=Let's Encrypt, CN=R3"
Aug 24 18:18:50 11[IKE] no trusted RSA public key found for 'd126xx.xx.sn.mynetname.net'
Aug 24 18:18:50 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Aug 24 18:18:50 11[NET] sending packet: from 100.84.xx.xx[38956] to 121.99.xxx.xxx[4500] (80 bytes)
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 11:00 am

Looks like the client implementation (I suspect you use strongSwan on Android) does not trust Let's Encrypt certificates by default. You need to import both Root and Intermediate CAs on your device for it to trust the server's certificate.
https://letsencrypt.org/certificates/
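
The reading of the client log given in this reply can be reproduced mechanically. The following is an added example, not code from the thread or from strongSwan: a Python triage over the charon lines copied from the log posted above, which reports which side sent AUTH_FAILED and which issuer the client could not find. The function names and verdict strings are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Lines copied from the strongSwan Android log posted in this thread
# (addresses and host name were already redacted by the poster).
SAMPLE_LOG = """\
Aug 24 18:18:49 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 24 18:18:49 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Aug 24 18:18:49 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug 24 18:18:50 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 24 18:18:50 11[IKE] received end entity cert "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG]   using certificate "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG] no issuer certificate found for "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG]   issuer is "C=US, O=Let's Encrypt, CN=R3"
Aug 24 18:18:50 11[IKE] no trusted RSA public key found for 'd126xx.xx.sn.mynetname.net'
Aug 24 18:18:50 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# "<Mon> <day> <hh:mm:ss> <thread>[<SUB>] <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \d+\[(?P<sub>[A-Z]{3})\]\s+(?P<msg>.*)$")


@dataclass
class Triage:
    dh_retry: Optional[Tuple[str, str]] = None  # (offered, requested) after INVAL_KE
    proposal: Optional[str] = None              # negotiated IKE proposal
    server_cert: Optional[str] = None           # subject the server presented
    missing_issuer: Optional[str] = None        # issuer DN absent from the client trust store
    eap_requested: bool = False                 # server reached the EAP identity request
    rejected_by: Optional[str] = None           # "client" or "server"
    verdict: str = "no-failure-seen"


def triage(log_text: str) -> Triage:
    """Walk a strongSwan client log and classify why IKE_AUTH ended."""
    t = Triage()
    awaiting_issuer = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon log line
        msg = m["msg"]
        if d := re.search(r"didn't accept DH group (\S+), it requested (\S+)", msg):
            t.dh_retry = (d[1], d[2])  # normal renegotiation, not an error
        elif p := re.match(r"selected proposal: (\S+)", msg):
            t.proposal = p[1]
        elif c := re.match(r'received end entity cert "([^"]+)"', msg):
            t.server_cert = c[1]
        elif msg.startswith("no issuer certificate found"):
            awaiting_issuer = True  # the issuer DN is on a following line
        elif awaiting_issuer and (i := re.match(r'issuer is "([^"]+)"', msg)):
            t.missing_issuer, awaiting_issuer = i[1], False
        elif "N(AUTH_FAILED)" in msg:
            # "generating" = this client sent the notify; "parsed" = the server did.
            t.rejected_by = "client" if msg.startswith("generating") else "server"
        elif msg.startswith("parsed IKE_AUTH") and "EAP/REQ/ID" in msg:
            t.eap_requested = True

    if t.rejected_by == "client" and t.missing_issuer:
        t.verdict = "client-does-not-trust-server-cert"
    elif t.rejected_by == "client":
        t.verdict = "client-rejected-server"
    elif t.rejected_by == "server":
        t.verdict = "server-rejected-client"
    return t


def advice(t: Triage) -> str:
    """One-line summary for the operator."""
    if t.verdict == "client-does-not-trust-server-cert":
        return (f"Client rejected {t.server_cert}: import the CA chain for issuer "
                f'"{t.missing_issuer}" on the client. The client aborted before '
                "answering the EAP identity request, so user credentials were not tested.")
    if t.verdict == "server-rejected-client":
        return "Server sent AUTH_FAILED: check the identity and credentials on the server side."
    if t.verdict == "client-rejected-server":
        return "Client sent AUTH_FAILED: check the server's AUTH payload and certificate."
    return "No AUTH_FAILED notify in this log."


if __name__ == "__main__":
    print(advice(triage(SAMPLE_LOG)))
```
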
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 11:31 am

> Looks like the client implementation (I suspect you use strongSwan on Android) does not trust Let's Encrypt certificates by default. You need to import both Root and Intermediate CAs on your device for it to trust the server's certificate.
> https://letsencrypt.org/certificates/

Thank you emils, I did try using a different client (native on Android) and in Windows 10.

In Win 10 I get "IKE authentication credentials are unacceptable".

There are barely any logs on it and no errors.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 11:38 am

You can enable extended debug logging under the System Logging menu.
/system logging add topics=ipsec,!packet
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 12:36 pm

> You can enable extended debug logging under the System Logging menu.
> /system logging add topics=ipsec,!packet

Thanks again emils, yes I was looking at the debug logs before, I just cannot find any obvious errors :(
21:28:37 ipsec,debug ===== received 1104 bytes from 10.10.0.33[500] to 121.99.xx.xxx[500] 
21:28:37 ipsec -> ike2 request, exchange: SA_INIT:0 10.10.0.33[500] a6d9603db2c2c8d9:0000000000000000 
21:28:37 ipsec ike2 respond 
21:28:37 ipsec payload seen: SA (736 bytes) 
21:28:37 ipsec payload seen: KE (136 bytes) 
21:28:37 ipsec payload seen: NONCE (52 bytes) 
21:28:37 ipsec payload seen: NOTIFY (8 bytes) 
21:28:37 ipsec payload seen: NOTIFY (28 bytes) 
21:28:37 ipsec payload seen: NOTIFY (28 bytes) 
21:28:37 ipsec payload seen: VID (24 bytes) 
21:28:37 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009 
21:28:37 ipsec payload seen: VID (20 bytes) 
21:28:37 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120 
21:28:37 ipsec payload seen: VID (20 bytes) 
21:28:37 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819 
21:28:37 ipsec payload seen: VID (24 bytes) 
21:28:37 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002 
21:28:37 ipsec processing payload: SA 
21:28:37 ipsec IKE Protocol: IKE 
21:28:37 ipsec  proposal #1 
21:28:37 ipsec   enc: 3des-cbc 
21:28:37 ipsec   prf: hmac-sha1 
21:28:37 ipsec   auth: sha1 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #2 
21:28:37 ipsec   enc: 3des-cbc 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   auth: sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #3 
21:28:37 ipsec   enc: 3des-cbc 
21:28:37 ipsec   prf: hmac-sha384 
21:28:37 ipsec   auth: sha384 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #4 
21:28:37 ipsec   enc: aes128-cbc 
21:28:37 ipsec   prf: hmac-sha1 
21:28:37 ipsec   auth: sha1 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #5 
21:28:37 ipsec   enc: aes128-cbc 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   auth: sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #6 
21:28:37 ipsec   enc: aes128-cbc 
21:28:37 ipsec   prf: hmac-sha384 
21:28:37 ipsec   auth: sha384 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #7 
21:28:37 ipsec   enc: aes192-cbc 
21:28:37 ipsec   prf: hmac-sha1 
21:28:37 ipsec   auth: sha1 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #8 
21:28:37 ipsec   enc: aes192-cbc 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   auth: sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #9 
21:28:37 ipsec   enc: aes192-cbc 
21:28:37 ipsec   prf: hmac-sha384 
21:28:37 ipsec   auth: sha384 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #10 
21:28:37 ipsec   enc: aes256-cbc 
21:28:37 ipsec   prf: hmac-sha1 
21:28:37 ipsec   auth: sha1 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #11 
21:28:37 ipsec   enc: aes256-cbc 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   auth: sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #12 
21:28:37 ipsec   enc: aes256-cbc 
21:28:37 ipsec   prf: hmac-sha384 
21:28:37 ipsec   auth: sha384 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #13 
21:28:37 ipsec   enc: aes128-gcm 
21:28:37 ipsec   prf: hmac-sha1 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #14 
21:28:37 ipsec   enc: aes128-gcm 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #15 
21:28:37 ipsec   enc: aes128-gcm 
21:28:37 ipsec   prf: hmac-sha384 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #16 
21:28:37 ipsec   enc: aes256-gcm 
21:28:37 ipsec   prf: hmac-sha1 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #17 
21:28:37 ipsec   enc: aes256-gcm 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec  proposal #18 
21:28:37 ipsec   enc: aes256-gcm 
21:28:37 ipsec   prf: hmac-sha384 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec matched proposal: 
21:28:37 ipsec  proposal #11 
21:28:37 ipsec   enc: aes256-cbc 
21:28:37 ipsec   prf: hmac-sha256 
21:28:37 ipsec   auth: sha256 
21:28:37 ipsec   dh: modp1024 
21:28:37 ipsec processing payload: KE 
21:28:37 ipsec ike2 respond finish: request, exchange: SA_INIT:0 10.10.0.33[500] a6d9603db2c2c8d9:0000000000000000 
21:28:37 ipsec processing payload: NONCE 
21:28:37 ipsec adding payload: SA 
21:28:37 ipsec,debug => (size 0x30) 
21:28:37 ipsec,debug 00000030 0000002c 0b010004 0300000c 0100000c 800e0100 03000008 02000005 
21:28:37 ipsec,debug 03000008 0300000c 00000008 04000002 
21:28:37 ipsec adding payload: KE 
21:28:37 ipsec adding payload: NONCE 
21:28:37 ipsec,debug => (size 0x1c) 
21:28:37 ipsec,debug 0000001c 4dbbe646 2d72a4be d4622522 5296414d 5b959728 45136512 
21:28:37 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
21:28:37 ipsec,debug => (size 0x1c) 
21:28:37 ipsec,debug 0000001c 00004004 8570692a b8129e38 1a8e9e15 7ce5e4f4 1e236fa0 
21:28:37 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
21:28:37 ipsec,debug => (size 0x1c) 
21:28:37 ipsec,debug 0000001c 00004005 92f085d5 6e27ca8e 8c3cdb36 84171360 55bf3c19 
21:28:37 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
21:28:37 ipsec,debug => (size 0x8) 
21:28:37 ipsec,debug 00000008 0000402e 
21:28:37 ipsec adding payload: CERTREQ 
21:28:37 ipsec,debug => (size 0x5) 
21:28:37 ipsec,debug 00000005 04 
21:28:37 ipsec <- ike2 reply, exchange: SA_INIT:0 10.10.0.33[500] a6d9603db2c2c8d9:35c6584adb83f5c0 
21:28:37 ipsec,debug ===== sending 309 bytes from 121.99.xx.xxx[500] to 10.10.0.33[500] 
21:28:37 ipsec,debug 1 times of 309 bytes message will be sent to 10.10.0.33[500] 
21:28:37 ipsec,info new ike2 SA (R): IKEv2-peer 121.99.xx.xxx[500]-10.10.0.33[500] spi:35c6584adb83f5c0:a6d9603db2c2c8d9 
21:28:37 ipsec processing payloads: VID 
21:28:37 ipsec peer is MS Windows (ISAKMPOAKLEY 9) 
21:28:37 ipsec processing payloads: NOTIFY 
21:28:37 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
21:28:37 ipsec   notify: NAT_DETECTION_SOURCE_IP 
21:28:37 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
21:28:37 ipsec (NAT-T) REMOTE  
21:28:37 ipsec KA list add: 121.99.xx.xxx[4500]->10.10.0.33[4500] 
21:28:37 ipsec fragmentation negotiated 
21:28:38 ipsec,debug ===== received 580 bytes from 10.10.0.33[4500] to 121.99.xx.xxx[4500] 
21:28:38 ipsec -> ike2 request, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0 
21:28:38 ipsec payload seen: SKF (552 bytes) 
21:28:38 ipsec processing payload: ENC (not found) 
21:28:38 ipsec processing payload: SKF 
21:28:38 ipsec,debug => iv (size 0x10) 
21:28:38 ipsec,debug 21aae5f5 41c72445 978dc798 69a00a7d 
21:28:38 ipsec,debug decrypted fragment 1 out of 4 
21:28:38 ipsec,debug need more fragments 
21:28:38 ipsec,debug ===== received 580 bytes from 10.10.0.33[4500] to 121.99.xx.xxx[4500] 
21:28:38 ipsec -> ike2 request, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0 
21:28:38 ipsec payload seen: SKF (552 bytes) 
21:28:38 ipsec processing payload: ENC (not found) 
21:28:38 ipsec processing payload: SKF 
21:28:38 ipsec,debug => iv (size 0x10) 
21:28:38 ipsec,debug 89560327 88a2e779 f21f35d8 edc36da1 
21:28:38 ipsec,debug decrypted fragment 2 out of 4 
21:28:38 ipsec,debug need more fragments 
21:28:38 ipsec,debug ===== received 580 bytes from 10.10.0.33[4500] to 121.99.xx.xxx[4500] 
21:28:38 ipsec -> ike2 request, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0 
21:28:38 ipsec payload seen: SKF (552 bytes) 
21:28:38 ipsec processing payload: ENC (not found) 
21:28:38 ipsec processing payload: SKF 
21:28:38 ipsec,debug => iv (size 0x10) 
21:28:38 ipsec,debug 1cfa41f9 d03a5e1e 2ba55e70 f69b3f3a 
21:28:38 ipsec,debug decrypted fragment 3 out of 4 
21:28:38 ipsec,debug need more fragments 
21:28:38 ipsec,debug ===== received 148 bytes from 10.10.0.33[4500] to 121.99.xx.xxx[4500] 
21:28:38 ipsec -> ike2 request, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0 
21:28:38 ipsec payload seen: SKF (120 bytes) 
21:28:38 ipsec processing payload: ENC (not found) 
21:28:38 ipsec processing payload: SKF 
21:28:38 ipsec,debug => iv (size 0x10) 
21:28:38 ipsec,debug 7940a32b 4ee80b06 e0956b89 c7d387d1 
21:28:38 ipsec,debug decrypted fragment 4 out of 4 
21:28:38 ipsec,debug,packet => plain fragment (size 0x49) 
21:28:38 ipsec,debug,packet ffffffff ffffffff ff000000 40020000 00070000 100000ff ff000000 00ffffff 
21:28:38 ipsec,debug,packet ff080000 280000ff ff000000 00000000 00000000 00000000 00ffffff ffffffff 
21:28:38 ipsec,debug,packet ffffffff ffffffff ff 
21:28:38 ipsec,debug reassembling fragments 
21:28:38 ipsec,debug,packet => decrypted packet (size 0x635) 
21:28:38 ipsec payload seen: ID_I (12 bytes) 
21:28:38 ipsec payload seen: CERTREQ (1185 bytes) 
21:28:38 ipsec payload seen: NOTIFY (8 bytes) 
21:28:38 ipsec payload seen: CONFIG (36 bytes) 
21:28:38 ipsec payload seen: SA (192 bytes) 
21:28:38 ipsec payload seen: TS_I (64 bytes) 
21:28:38 ipsec payload seen: TS_R (64 bytes) 
21:28:38 ipsec processing payloads: NOTIFY 
21:28:38 ipsec   notify: MOBIKE_SUPPORTED 
21:28:38 ipsec ike auth: respond 
21:28:38 ipsec processing payload: ID_I 
21:28:38 ipsec ID_I (ADDR4): 192.168.93.236 
21:28:38 ipsec processing payload: ID_R (not found) 
21:28:38 ipsec processing payload: AUTH (not found) 
21:28:38 ipsec processing payloads: NOTIFY 
21:28:38 ipsec   notify: MOBIKE_SUPPORTED 
21:28:38 ipsec ID_R (FQDN): d1xxxxxxxx.sn.mynetname.net 
21:28:38 ipsec adding payload: ID_R 
21:28:38 ipsec,debug => (size 0x25) 
21:28:38 ipsec,debug 00000025 02000000 64313236 30626631 39653464 2e736e2e 6d796e65 746e616d 
21:28:38 ipsec,debug 652e6e65 74 
21:28:38 ipsec cert: d1xxxxxxxx.sn.mynetname.net 
21:28:38 ipsec adding payload: CERT 
21:28:38 ipsec,debug => (first 0x100 of 0x548) 
21:28:38 ipsec,debug => auth nonce (size 0x30) 
21:28:38 ipsec,debug ecb51812 6baf0164 fa8482fd 39e7210e 8512ac69 189ac609 07a962ef c21bcde3 
21:28:38 ipsec,debug 6f130989 12c7b5f7 756e6060 ec4be626 
21:28:38 ipsec,debug => SK_p (size 0x20) 
21:28:38 ipsec,debug 2bf5190b 147d56d2 5d78f6f6 9bb26211 2ee100e7 b24b291c 3d38c835 107a58ef 
21:28:38 ipsec,debug => idhash (size 0x20) 
21:28:38 ipsec,debug 504fe8a8 6080a638 8f248c9f b2105fe9 cc9e34aa dd098a89 d680a37f e1b341cb 
21:28:38 ipsec,debug => my auth (size 0x100) 
21:28:38 ipsec adding payload: AUTH 
21:28:38 ipsec,debug => (first 0x100 of 0x108) 
21:28:38 ipsec adding payload: EAP 
21:28:38 ipsec,debug => (size 0x9) 
21:28:38 ipsec,debug 00000009 01000005 01 
21:28:38 ipsec <- ike2 reply, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0 
21:28:38 ipsec,debug,packet => outgoing plain packet (size 0x69a) 
21:28:38 ipsec fragmenting into 2 chunks 
21:28:38 ipsec adding payload: SKF 
21:28:38 ipsec,debug => (first 0x100 of 0x488) 
21:28:38 ipsec adding payload: SKF 
21:28:38 ipsec,debug => (first 0x100 of 0x318) 
21:28:38 ipsec,debug ===== sending 1188 bytes from 121.99.xx.xxx[4500] to 10.10.0.33[4500] 
21:28:38 ipsec,debug 1 times of 1192 bytes message will be sent to 10.10.0.33[4500] 
 time=21:28:38 topics=ipsec,debug message====== sending 820 bytes from 121.99.xx.xxx[4500] to 10.10.0.33[4500]
 time=21:28:38 topics=ipsec,debug message=1 times of 824 bytes message will be sent to 10.10.0.33[4500]
 time=21:28:53 topics=ipsec,debug message=KA: 121.99.xx.xxx[4500]->10.10.0.33[4500]
 time=21:28:53 topics=ipsec,debug message=1 times of 1 bytes message will be sent to 10.10.0.33[4500]
 time=21:28:53 topics=ipsec,debug,packet message=ff
 time=21:29:08 topics=ipsec message=child negitiation timeout in state 2
 time=21:29:08 topics=ipsec,info message=killing ike2 SA: IKEv2-peer 121.99.xx.xxx[4500]-10.10.0.33[4500] spi:35c6584adb83f5c0:a6d9603db2c2c8d9
 time=21:29:08 topics=ipsec message=KA remove: 121.99.xx.xxx[4500]->10.10.0.33[4500]
 time=21:29:08 topics=ipsec,debug message=KA tree dump: 121.99.xx.xxx[4500]->10.10.0.33[4500] (in_use=1)
 time=21:29:08 topics=ipsec,debug message=KA removing this one...
 time=21:30:13 topics=system,info,account message=user admin logged in from 10.10.0.4 via telnet
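
Added example (not part of the thread and not MikroTik code): a Python script that reduces a RouterOS IPsec debug log like the one above to its IKE_AUTH timeline, skipping the hex dumps and decoding the EAP payload the router sent. The sample lines are copied from the post with the dumps left out; all function names are hypothetical.

```python
import re
import struct

# Constructed sample: key lines from the log in the post above, hex packet
# dumps omitted. Both RouterOS log layouts that appear in the post are present.
SAMPLE_LOG = """\
21:28:38 ipsec -> ike2 request, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0
21:28:38 ipsec,debug decrypted fragment 4 out of 4
21:28:38 ipsec,debug,packet ffffffff ffffffff ff000000 40020000
21:28:38 ipsec payload seen: CERTREQ (1185 bytes)
21:28:38 ipsec adding payload: CERT
21:28:38 ipsec adding payload: AUTH
21:28:38 ipsec adding payload: EAP
21:28:38 ipsec,debug => (size 0x9)
21:28:38 ipsec,debug 00000009 01000005 01
21:28:38 ipsec <- ike2 reply, exchange: AUTH:1 10.10.0.33[4500] a6d9603db2c2c8d9:35c6584adb83f5c0
 time=21:28:38 topics=ipsec,debug message====== sending 820 bytes from 121.99.xx.xxx[4500] to 10.10.0.33[4500]
 time=21:28:53 topics=ipsec,debug message=KA: 121.99.xx.xxx[4500]->10.10.0.33[4500]
 time=21:29:08 topics=ipsec message=child negitiation timeout in state 2
 time=21:29:08 topics=ipsec,info message=killing ike2 SA: IKEv2-peer 121.99.xx.xxx[4500]-10.10.0.33[4500] spi:35c6584adb83f5c0:a6d9603db2c2c8d9
"""

# Matches "21:28:38 ipsec,debug text" and "time=21:28:38 topics=ipsec,debug message=text".
LINE = re.compile(
    r"^\s*(?:time=)?(\d\d:\d\d:\d\d) (?:topics=)?([a-z0-9,]+)(?: message=| ?)(.*)$"
)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPES = {1: "Identity"}  # only the type that occurs in this log


def parse_log(text):
    """Return (time, topics, message) tuples for every recognised log line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            events.append((m.group(1), m.group(2).split(","), m.group(3).strip()))
    return events


def is_hex_dump(msg):
    """True when the message consists only of hex words (a packet/key dump)."""
    words = msg.split()
    return bool(words) and all(re.fullmatch(r"[0-9a-f]{2,8}", w) for w in words)


def decode_eap_payload(hex_words):
    """Decode an IKEv2 EAP payload dump: 4-byte generic header, then EAP."""
    body = bytes.fromhex(hex_words.replace(" ", ""))[4:]
    if len(body) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", body[:4])
    eap_type = body[4] if length > 4 and len(body) > 4 else None
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "type": EAP_TYPES.get(eap_type, eap_type)}


def summarize(text):
    """Summarise what the responder sent and whether the peer ever answered."""
    sent, eap, hex_lines = [], None, 0
    reply_seen = timed_out = want_eap = False
    requests_after_reply = 0
    for _time, _topics, msg in parse_log(text):
        if is_hex_dump(msg):
            if want_eap:            # first dump after "adding payload: EAP"
                eap, want_eap = decode_eap_payload(msg), False
            else:
                hex_lines += 1      # counted, otherwise ignored
            continue
        if msg.startswith("adding payload: "):
            name = msg.split(": ", 1)[1]
            if name != "SKF":       # SKF only wraps fragments of the reply
                sent.append(name)
            want_eap = name == "EAP"
        elif msg.startswith("<- ike2 reply"):
            reply_seen, requests_after_reply = True, 0
        elif msg.startswith("-> ike2 request"):
            requests_after_reply += 1
        elif "timeout" in msg:
            timed_out = True
    silent = (reply_seen and timed_out and requests_after_reply == 0
              and eap is not None and eap["code"] == "Request")
    return {"sent_payloads": sent, "eap": eap, "hex_lines_skipped": hex_lines,
            "timed_out": timed_out, "client_silent_after_eap_request": silent}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For this log the summary shows the router sending CERT, AUTH and an EAP Identity request, with no further IKE_AUTH request arriving before the timeout; that is consistent with the client-side error 13801 reported later in the thread.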
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 12:45 pm

Check what is reported in logs (Event Viewer) on Windows side. Look for messages from RasClient.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 1:07 pm

"Check what is reported in logs (Event Viewer) on Windows side. Look for messages from RasClient."

Found them:


CoId={341526BE-9736-0002-F63E-1C343697D701}: The user SYSTEM dialed a connection named testvpn which has failed. The error code returned on failure is 13801.

from the Internet

VPN Error 13801 on Windows 10
Error 13801 expresses the message – IKE authentication credentials are unacceptable.

These Internet Key Exchange version 2 (IKEv2) errors are related to problems with the server authentication certificate. Basically, the machine certificate required for authentication is either invalid or doesn't exist on your client computer, on the server, or both.

====

Does it mean that the Let's Encrypt certificate just cannot be used for IPsec VPN on Windows/Android?

thank you
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 1:27 pm

Now that you mention it, Windows requires the Chain of trust to be installed separately for VPN as well. Try installing the certificates I linked before. Simply download the .der files on your Windows machine, open them and click next, next, next.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: new user manager for ipsec vpn

Tue Aug 24, 2021 1:49 pm

Deleted this post, as I made some progress with the certificate import.
Last edited by nevolex on Wed Aug 25, 2021 12:25 pm, edited 1 time in total.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: new user manager for ipsec vpn

Wed Aug 25, 2021 12:08 pm

Hi everyone,


I have managed to get the certificate from another place, not from MikroTik itself (directly via Let's Encrypt), and exported it to Android as well (.crt part). On Android I now get a different message, "radius timeout". What am I doing wrong?

I have attached 3 files:
config for ipsec
ipsec debug from mikrotik server
ipsec debug from vpn client (android strongswan)


My IPsec configuration (it works fine with standard certificates, but not with the new User Manager ver 7 via RADIUS EAP):

/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=no
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=vpn.example.com.crt_0 generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes


/user-manager user
add name=test
/user-manager
set certificate=vpn.example.com.crt_0 enabled=yes
[admin@MikroTik_RB4011] /user-manager> 

=============================================


/ip firewall address-list
add address=10.10.0.0/24 list=main_network
add address=10.20.0.0/24 list=guest_network
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Block guest network from accessing main gateway address" dst-address=10.10.0.1 src-address-list=guest_network
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow acess emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp src-address-list=\
    guest_network
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address-list=guest_network protocol=tcp src-address=10.10.0.5 \
    src-port=8096
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule  for guest network" connection-state=established,related dst-address-list=guest_network
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related hw-offload=yes \
    src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=guest_network
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=1_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2_ISP

ipsec server debug
 
20:52:06 ipsec,debug ===== received 716 bytes from 118.149.xxx.xxx[43722] to 121.99.xxx.xxx[500] 
20:52:06 ipsec -> ike2 request, exchange: SA_INIT:0 118.149.xxx.xxx[43722] 7b1891c3b3daf457:0000000000000000 
20:52:06 ipsec ike2 respond 
20:52:06 ipsec payload seen: SA (492 bytes) 
20:52:06 ipsec payload seen: KE (72 bytes) 
20:52:06 ipsec payload seen: NONCE (36 bytes) 
20:52:06 ipsec payload seen: NOTIFY (28 bytes) 
20:52:06 ipsec payload seen: NOTIFY (28 bytes) 
20:52:06 ipsec payload seen: NOTIFY (8 bytes) 
20:52:06 ipsec payload seen: NOTIFY (16 bytes) 
20:52:06 ipsec payload seen: NOTIFY (8 bytes) 
20:52:06 ipsec processing payload: SA 
20:52:06 ipsec,debug unknown auth: #5 
20:52:06 ipsec,debug unknown prf: #4 
20:52:06 ipsec,debug unknown DH group: #28 
20:52:06 ipsec,debug unknown DH group: #29 
20:52:06 ipsec,debug unknown DH group: #30 
20:52:06 ipsec,debug unknown DH group: #31 
20:52:06 ipsec,debug unknown enc: #28 
20:52:06 ipsec,debug unknown enc: #19 
20:52:06 ipsec,debug unknown enc: #19 
20:52:06 ipsec,debug unknown enc: #19 
20:52:06 ipsec,debug unknown enc: #18 
20:52:06 ipsec,debug unknown enc: #18 
20:52:06 ipsec,debug unknown enc: #18 
20:52:06 ipsec,debug unknown prf: #4 
20:52:06 ipsec,debug unknown DH group: #28 
20:52:06 ipsec,debug unknown DH group: #29 
20:52:06 ipsec,debug unknown DH group: #30 
20:52:06 ipsec,debug unknown DH group: #31 
20:52:06 ipsec IKE Protocol: IKE 
20:52:06 ipsec  proposal #1 
20:52:06 ipsec   enc: aes128-cbc 
20:52:06 ipsec   enc: aes192-cbc 
20:52:06 ipsec   enc: aes256-cbc 
20:52:06 ipsec   enc: 3des-cbc 
20:52:06 ipsec   prf: hmac-sha256 
20:52:06 ipsec   prf: hmac-sha384 
20:52:06 ipsec   prf: hmac-sha512 
20:52:06 ipsec   prf: unknown 
20:52:06 ipsec   prf: hmac-sha1 
20:52:06 ipsec   auth: sha256 
20:52:06 ipsec   auth: sha384 
20:52:06 ipsec   auth: sha512 
20:52:06 ipsec   auth: sha1 
20:52:06 ipsec   auth: unknown 
20:52:06 ipsec   dh: ecp256 
20:52:06 ipsec   dh: ecp384 
20:52:06 ipsec   dh: ecp521 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: modp3072 
20:52:06 ipsec   dh: modp4096 
20:52:06 ipsec   dh: modp6144 
20:52:06 ipsec   dh: modp8192 
20:52:06 ipsec   dh: modp2048 
20:52:06 ipsec  proposal #2 
20:52:06 ipsec   enc: aes128-gcm 
20:52:06 ipsec   enc: aes192-gcm 
20:52:06 ipsec   enc: aes256-gcm 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   prf: hmac-sha256 
20:52:06 ipsec   prf: hmac-sha384 
20:52:06 ipsec   prf: hmac-sha512 
20:52:06 ipsec   prf: unknown 
20:52:06 ipsec   prf: hmac-sha1 
20:52:06 ipsec   dh: ecp256 
20:52:06 ipsec   dh: ecp384 
20:52:06 ipsec   dh: ecp521 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: modp3072 
20:52:06 ipsec   dh: modp4096 
20:52:06 ipsec   dh: modp6144 
20:52:06 ipsec   dh: modp8192 
20:52:06 ipsec   dh: modp2048 
20:52:06 ipsec matched proposal: 
20:52:06 ipsec  proposal #1 
20:52:06 ipsec   enc: aes256-cbc 
20:52:06 ipsec   prf: hmac-sha256 
20:52:06 ipsec   auth: sha256 
20:52:06 ipsec   dh: modp3072 
20:52:06 ipsec processing payload: KE 
20:52:06 ipsec DH group number mismatch: 15 != 19 
20:52:06 ipsec adding notify: INVALID_KE_PAYLOAD 
20:52:06 ipsec,debug => (size 0xa) 
20:52:06 ipsec,debug 0000000a 00000011 000f 
20:52:06 ipsec,debug ===== sending 38 bytes from 121.99.xxx.xxx[500] to 118.149.xxx.xxx[43722] 
20:52:06 ipsec,debug 1 times of 38 bytes message will be sent to 118.149.xxx.xxx[43722] 
20:52:06 ipsec,debug ===== received 1036 bytes from 118.149.xxx.xxx[43722] to 121.99.xxx.xxx[500] 
20:52:06 ipsec -> ike2 request, exchange: SA_INIT:0 118.149.xxx.xxx[43722] 7b1891c3b3daf457:0000000000000000 
20:52:06 ipsec ike2 respond 
20:52:06 ipsec payload seen: SA (492 bytes) 
20:52:06 ipsec payload seen: KE (392 bytes) 
20:52:06 ipsec payload seen: NONCE (36 bytes) 
20:52:06 ipsec payload seen: NOTIFY (28 bytes) 
20:52:06 ipsec payload seen: NOTIFY (28 bytes) 
20:52:06 ipsec payload seen: NOTIFY (8 bytes) 
20:52:06 ipsec payload seen: NOTIFY (16 bytes) 
20:52:06 ipsec payload seen: NOTIFY (8 bytes) 
20:52:06 ipsec processing payload: SA 
20:52:06 ipsec,debug unknown auth: #5 
20:52:06 ipsec,debug unknown prf: #4 
20:52:06 ipsec,debug unknown DH group: #28 
20:52:06 ipsec,debug unknown DH group: #29 
20:52:06 ipsec,debug unknown DH group: #30 
20:52:06 ipsec,debug unknown DH group: #31 
20:52:06 ipsec,debug unknown enc: #28 
20:52:06 ipsec,debug unknown enc: #19 
20:52:06 ipsec,debug unknown enc: #19 
20:52:06 ipsec,debug unknown enc: #19 
20:52:06 ipsec,debug unknown enc: #18 
20:52:06 ipsec,debug unknown enc: #18 
20:52:06 ipsec,debug unknown enc: #18 
20:52:06 ipsec,debug unknown prf: #4 
20:52:06 ipsec,debug unknown DH group: #28 
20:52:06 ipsec,debug unknown DH group: #29 
20:52:06 ipsec,debug unknown DH group: #30 
20:52:06 ipsec,debug unknown DH group: #31 
20:52:06 ipsec IKE Protocol: IKE 
20:52:06 ipsec  proposal #1 
20:52:06 ipsec   enc: aes128-cbc 
20:52:06 ipsec   enc: aes192-cbc 
20:52:06 ipsec   enc: aes256-cbc 
20:52:06 ipsec   enc: 3des-cbc 
20:52:06 ipsec   prf: hmac-sha256 
20:52:06 ipsec   prf: hmac-sha384 
20:52:06 ipsec   prf: hmac-sha512 
20:52:06 ipsec   prf: unknown 
20:52:06 ipsec   prf: hmac-sha1 
20:52:06 ipsec   auth: sha256 
20:52:06 ipsec   auth: sha384 
20:52:06 ipsec   auth: sha512 
20:52:06 ipsec   auth: sha1 
20:52:06 ipsec   auth: unknown 
20:52:06 ipsec   dh: modp3072 
20:52:06 ipsec   dh: ecp256 
20:52:06 ipsec   dh: ecp384 
20:52:06 ipsec   dh: ecp521 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: modp4096 
20:52:06 ipsec   dh: modp6144 
20:52:06 ipsec   dh: modp8192 
20:52:06 ipsec   dh: modp2048 
20:52:06 ipsec  proposal #2 
20:52:06 ipsec   enc: aes128-gcm 
20:52:06 ipsec   enc: aes192-gcm 
20:52:06 ipsec   enc: aes256-gcm 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   enc: unknown 
20:52:06 ipsec   prf: hmac-sha256 
20:52:06 ipsec   prf: hmac-sha384 
20:52:06 ipsec   prf: hmac-sha512 
20:52:06 ipsec   prf: unknown 
20:52:06 ipsec   prf: hmac-sha1 
20:52:06 ipsec   dh: modp3072 
20:52:06 ipsec   dh: ecp256 
20:52:06 ipsec   dh: ecp384 
20:52:06 ipsec   dh: ecp521 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: unknown 
20:52:06 ipsec   dh: modp4096 
20:52:06 ipsec   dh: modp6144 
20:52:06 ipsec   dh: modp8192 
20:52:06 ipsec   dh: modp2048 
20:52:06 ipsec matched proposal: 
20:52:06 ipsec  proposal #1 
20:52:06 ipsec   enc: aes256-cbc 
20:52:06 ipsec   prf: hmac-sha256 
20:52:06 ipsec   auth: sha256 
20:52:06 ipsec   dh: modp3072 
20:52:06 ipsec processing payload: KE 
20:52:06 ipsec,debug => shared secret (first 0x100 of 0x180) 
20:52:06 ipsec ike2 respond finish: request, exchange: SA_INIT:0 118.149.xxx.xxx[43722] 7b1891c3b3daf457:0000000000000000 
20:52:06 ipsec processing payload: NONCE 
20:52:06 ipsec adding payload: SA 
20:52:06 ipsec,debug => (size 0x30) 
20:52:06 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
20:52:06 ipsec,debug 03000008 0300000c 00000008 0400000f 
20:52:06 ipsec adding payload: KE 
20:52:06 ipsec,debug => (first 0x100 of 0x188) 
20:52:06 ipsec adding payload: NONCE 
20:52:06 ipsec,debug => (size 0x1c) 
 time=20:52:06 topics=ipsec,debug message=0000001c e2c54cbb 2bc350c3 cd3fd9f3 098631fd 1447da4b 8e9db102
 time=20:52:06 topics=ipsec message=adding notify: NAT_DETECTION_SOURCE_IP
 time=20:52:06 topics=ipsec,debug message==> (size 0x1c)
 time=20:52:06 topics=ipsec,debug message=0000001c 00004004 7c59fee8 03c45703 113fe7dd 73f698c3 0b99f47c
 time=20:52:06 topics=ipsec message=adding notify: NAT_DETECTION_DESTINATION_IP
 time=20:52:06 topics=ipsec,debug message==> (size 0x1c)
 time=20:52:06 topics=ipsec,debug message=0000001c 00004005 c3229efa bb1e1052 44ea8fe9 af8973d8 03e20de1
 time=20:52:06 topics=ipsec message=adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 time=20:52:06 topics=ipsec,debug message==> (size 0x8)
 time=20:52:06 topics=ipsec,debug message=00000008 0000402e
 time=20:52:06 topics=ipsec message=adding payload: CERTREQ
 time=20:52:06 topics=ipsec,debug message==> (size 0x5)
 time=20:52:06 topics=ipsec,debug message=00000005 04
 time=20:52:06 topics=ipsec message=<- ike2 reply, exchange: SA_INIT:0 118.149.xxx.xxx[43722] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:06 topics=ipsec,debug message====== sending 565 bytes from 121.99.xxx.xxx[500] to 118.149.xxx.xxx[43722]
 time=20:52:06 topics=ipsec,debug message=1 times of 565 bytes message will be sent to 118.149.xxx.xxx[43722]
 time=20:52:06 topics=ipsec,debug message==> skeyseed (size 0x20)
 time=20:52:06 topics=ipsec,debug message=83b24e8c 880d7d2d e0cb9851 82b216c3 a3521e73 c7d878fb 9e2a9afd 3684f436
 time=20:52:06 topics=ipsec,debug message==> keymat (size 0x20)
 time=20:52:06 topics=ipsec,debug message=87a35618 584ce1cc b9f2d874 5df68b25 5f8613a4 4c0af557 e3988598 d5c8f00c
 time=20:52:06 topics=ipsec,debug message==> SK_ai (size 0x20)
 time=20:52:06 topics=ipsec,debug message=34687c0b 34858afc ee79cfa5 e9e07a3e ce5e424e 7d1ad8e1 218fc8d5 288658d0
 time=20:52:06 topics=ipsec,debug message==> SK_ar (size 0x20)
 time=20:52:06 topics=ipsec,debug message=fabcb2ad e9849292 c2bee93a 57b2230c 61654929 087712f9 92e8a031 2ce62320
 time=20:52:06 topics=ipsec,debug message==> SK_ei (size 0x20)
 time=20:52:06 topics=ipsec,debug message=518a8a92 b0144dbf 97b48658 18f39fe9 e497b060 cb85164a 43a9a701 cdc52aa4
 time=20:52:06 topics=ipsec,debug message==> SK_er (size 0x20)
 time=20:52:06 topics=ipsec,debug message=152995ad a2f64a5b 633ab339 ad22e9f0 6665c080 6eaceab3 d6e2f94f 96435300
 time=20:52:06 topics=ipsec,debug message==> SK_pi (size 0x20)
 time=20:52:06 topics=ipsec,debug message=bb48059d 66312dd8 4a5f1f33 60e0bffb 1d805d0f d64212f9 d55fc1c0 3d5bb9fc
 time=20:52:06 topics=ipsec,debug message==> SK_pr (size 0x20)
 time=20:52:06 topics=ipsec,debug message=a96d5dd6 848d0e52 34f1e3b9 3e804b4e cd864841 926c52dc 78d7135f 62f29ce8
 time=20:52:06 topics=ipsec,info message=new ike2 SA (R): IKEv2-peer 121.99.xxx.xxx[500]-118.149.xxx.xxx[43722] spi:9d7febaaf931cc71:7b1891c3b3daf457
 time=20:52:06 topics=ipsec message=processing payloads: VID (none found)
 time=20:52:06 topics=ipsec message=processing payloads: NOTIFY
 time=20:52:06 topics=ipsec message=  notify: NAT_DETECTION_SOURCE_IP
 time=20:52:06 topics=ipsec message=  notify: NAT_DETECTION_DESTINATION_IP
 time=20:52:06 topics=ipsec message=  notify: IKEV2_FRAGMENTATION_SUPPORTED
 time=20:52:06 topics=ipsec message=  notify: SIGNATURE_HASH_ALGORITHMS
 time=20:52:06 topics=ipsec,debug message=0002000300040005
 time=20:52:06 topics=ipsec message=  notify: REDIRECT_SUPPORTED
 time=20:52:06 topics=ipsec message=(NAT-T) REMOTE 
 time=20:52:06 topics=ipsec message=KA list add: 121.99.xxx.xxx[4500]->118.149.xxx.xxx[43722]
 time=20:52:06 topics=ipsec message=fragmentation negotiated
 time=20:52:06 topics=ipsec,debug message====== received 432 bytes from 118.149.xxx.xxx[43770] to 121.99.xxx.xxx[4500]
 time=20:52:06 topics=ipsec message=-> ike2 request, exchange: AUTH:1 118.149.xxx.xxx[43770] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:06 topics=ipsec message=peer ports changed: 43722 -> 43770
 time=20:52:06 topics=ipsec message=KA remove: 121.99.xxx.xxx[4500]->118.149.xxx.xxx[43722]
 time=20:52:06 topics=ipsec,debug message=KA tree dump: 121.99.xxx.xxx[4500]->118.149.xxx.xxx[43722] (in_use=1)
 time=20:52:06 topics=ipsec,debug message=KA removing this one...
 time=20:52:06 topics=ipsec message=KA list add: 121.99.xxx.xxx[4500]->118.149.xxx.xxx[43770]
 time=20:52:06 topics=ipsec message=payload seen: ENC (404 bytes)
 time=20:52:06 topics=ipsec message=processing payload: ENC
 time=20:52:06 topics=ipsec,debug message==> iv (size 0x10)
 time=20:52:06 topics=ipsec,debug message=45951be8 f9816239 0477c819 7470acdc
 time=20:52:06 topics=ipsec,debug message=decrypted packet
 time=20:52:06 topics=ipsec message=payload seen: ID_I (12 bytes)
 time=20:52:06 topics=ipsec message=payload seen: NOTIFY (8 bytes)
 time=20:52:06 topics=ipsec message=payload seen: CONFIG (24 bytes)
 time=20:52:06 topics=ipsec message=payload seen: NOTIFY (8 bytes)
 time=20:52:06 topics=ipsec message=payload seen: SA (144 bytes)
 time=20:52:06 topics=ipsec message=payload seen: TS_I (64 bytes)
 time=20:52:06 topics=ipsec message=payload seen: TS_R (64 bytes)
 time=20:52:06 topics=ipsec message=payload seen: NOTIFY (8 bytes)
 time=20:52:06 topics=ipsec message=payload seen: NOTIFY (8 bytes)
 time=20:52:06 topics=ipsec message=payload seen: NOTIFY (8 bytes)
 time=20:52:06 topics=ipsec message=payload seen: NOTIFY (8 bytes)
 time=20:52:06 topics=ipsec message=processing payloads: NOTIFY
 time=20:52:06 topics=ipsec message=  notify: INITIAL_CONTACT
 time=20:52:06 topics=ipsec message=  notify: ESP_TFC_PADDING_NOT_SUPPORTED
 time=20:52:06 topics=ipsec message=  notify: MOBIKE_SUPPORTED
 time=20:52:06 topics=ipsec message=  notify: NO_ADDITIONAL_ADDRESSES
 time=20:52:06 topics=ipsec message=  notify: EAP_ONLY_AUTHENTICATION
 time=20:52:06 topics=ipsec message=  notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED
 time=20:52:06 topics=ipsec message=ike auth: respond
 time=20:52:06 topics=ipsec message=processing payload: ID_I
 time=20:52:06 topics=ipsec message=ID_I (FQDN): test
 time=20:52:06 topics=ipsec message=processing payload: ID_R (not found)
 time=20:52:06 topics=ipsec message=processing payload: AUTH (not found)
 time=20:52:06 topics=ipsec message=processing payloads: NOTIFY
 time=20:52:06 topics=ipsec message=  notify: INITIAL_CONTACT
 time=20:52:06 topics=ipsec message=  notify: ESP_TFC_PADDING_NOT_SUPPORTED
 time=20:52:06 topics=ipsec message=  notify: MOBIKE_SUPPORTED
 time=20:52:06 topics=ipsec message=  notify: NO_ADDITIONAL_ADDRESSES
 time=20:52:06 topics=ipsec message=  notify: EAP_ONLY_AUTHENTICATION
 time=20:52:06 topics=ipsec message=  notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED
 time=20:52:06 topics=ipsec message=ignoring 'EAP only authentication'
 time=20:52:06 topics=ipsec message=ID_R (FQDN): vpn.example.com
 time=20:52:06 topics=ipsec message=adding payload: ID_R
 time=20:52:06 topics=ipsec,debug message==> (size 0x16)
 time=20:52:06 topics=ipsec,debug message=00000016 02000000 76706e2e 6e65766f 6c65782e 7275
 time=20:52:06 topics=ipsec message=cert: vpn.example.com
 time=20:52:06 topics=ipsec message=adding payload: CERT
 time=20:52:06 topics=ipsec,debug message==> (first 0x100 of 0x643)
 time=20:52:06 topics=ipsec,debug message==> auth nonce (size 0x20)
 time=20:52:06 topics=ipsec,debug message=efcda446 d84c9f24 72a45e32 df9ce280 371d9e8c 9e4d4dc3 8fc9d5d0 bcd0d178
 time=20:52:06 topics=ipsec,debug message==> SK_p (size 0x20)
 time=20:52:06 topics=ipsec,debug message=a96d5dd6 848d0e52 34f1e3b9 3e804b4e cd864841 926c52dc 78d7135f 62f29ce8
 time=20:52:06 topics=ipsec,debug message==> idhash (size 0x20)
 time=20:52:06 topics=ipsec,debug message=cc0c0b90 58766fbf cfbe9e6d 761aa71c b7395c4c ea03e6c5 ed1a2c69 589f8aa6
 time=20:52:06 topics=ipsec,debug message==> my auth (size 0x100)
 time=20:52:06 topics=ipsec message=adding payload: AUTH
 time=20:52:06 topics=ipsec,debug message==> (first 0x100 of 0x108)
 time=20:52:06 topics=ipsec message=adding payload: EAP
 time=20:52:06 topics=ipsec,debug message==> (size 0x9)
 time=20:52:06 topics=ipsec,debug message=00000009 01000005 01
 time=20:52:06 topics=ipsec message=<- ike2 reply, exchange: AUTH:1 118.149.xxx.xxx[43770] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:06 topics=ipsec message=fragmenting into 2 chunks
 time=20:52:06 topics=ipsec message=adding payload: SKF
 time=20:52:06 topics=ipsec,debug message==> (first 0x100 of 0x4b8)
 time=20:52:06 topics=ipsec message=adding payload: SKF
 time=20:52:06 topics=ipsec,debug message==> (first 0x100 of 0x3c8)
 time=20:52:06 topics=ipsec,debug message====== sending 1236 bytes from 121.99.xxx.xxx[4500] to 118.149.xxx.xxx[43770]
 time=20:52:06 topics=ipsec,debug message=1 times of 1240 bytes message will be sent to 118.149.xxx.xxx[43770]
 time=20:52:06 topics=ipsec,debug message====== sending 996 bytes from 121.99.xxx.xxx[4500] to 118.149.xxx.xxx[43770]
 time=20:52:06 topics=ipsec,debug message=1 times of 1000 bytes message will be sent to 118.149.xxx.xxx[43770]
 time=20:52:07 topics=ipsec,debug message====== received 80 bytes from 118.149.xxx.xxx[43770] to 121.99.xxx.xxx[4500]
 time=20:52:07 topics=ipsec message=-> ike2 request, exchange: AUTH:2 118.149.xxx.xxx[43770] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:07 topics=ipsec message=payload seen: ENC (52 bytes)
 time=20:52:07 topics=ipsec message=processing payload: ENC
 time=20:52:07 topics=ipsec,debug message==> iv (size 0x10)
 time=20:52:07 topics=ipsec,debug message=15960e28 80439adf 43c047ba 134768ac
 time=20:52:07 topics=ipsec,debug message=decrypted packet
 time=20:52:07 topics=ipsec message=payload seen: EAP (13 bytes)
 time=20:52:07 topics=ipsec message=processing payloads: NOTIFY (none found)
 time=20:52:07 topics=ipsec message=processing payload: EAP
 time=20:52:07 topics=ipsec,error message=radius timeout
 time=20:52:07 topics=ipsec message=reply notify: AUTHENTICATION_FAILED
 time=20:52:07 topics=ipsec message=adding notify: AUTHENTICATION_FAILED
 time=20:52:07 topics=ipsec,debug message==> (size 0x8)
 time=20:52:07 topics=ipsec,debug message=00000008 00000018
 time=20:52:07 topics=ipsec message=<- ike2 reply, exchange: AUTH:2 118.149.xxx.xxx[43770] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:07 topics=ipsec,debug message====== sending 240 bytes from 121.99.xxx.xxx[4500] to 118.149.xxx.xxx[43770]
 time=20:52:07 topics=ipsec,debug message=1 times of 244 bytes message will be sent to 118.149.xxx.xxx[43770]
 time=20:52:07 topics=ipsec,info message=killing ike2 SA: IKEv2-peer 121.99.xxx.xxx[4500]-118.149.xxx.xxx[43770] spi:9d7febaaf931cc71:7b1891c3b3daf457
 time=20:52:07 topics=ipsec message=KA remove: 121.99.xxx.xxx[4500]->118.149.xxx.xxx[43770]
 time=20:52:07 topics=ipsec,debug message=KA tree dump: 121.99.xxx.xxx[4500]->118.149.xxx.xxx[43770] (in_use=1)
 time=20:52:07 topics=ipsec,debug message=KA removing this one...

ipsec client debug
Aug 25 20:52:03 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Aug 25 20:52:03 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 12 - SPB4.210715.011/2021-08-05, Pixel 5 - google/redfin/Google, Linux 4.19.191-g0497b954b53a-ab7538714, aarch64)
Aug 25 20:52:03 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Aug 25 20:52:03 00[JOB] spawning 16 worker threads
Aug 25 20:52:03 00[LIB] all OCSP validation disabled
Aug 25 20:52:03 00[LIB] all CRL validation disabled
Aug 25 20:52:04 13[IKE] initiating IKE_SA android[42] to 121.99.xxx.xxx
Aug 25 20:52:04 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 25 20:52:04 13[NET] sending packet: from 100.83.xxx.xxx[42622] to 121.99.xxx.xxx[500] (716 bytes)
Aug 25 20:52:04 09[NET] received packet: from 121.99.xxx.xxx[500] to 100.83.xxx.xxx[42622] (38 bytes)
Aug 25 20:52:04 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 25 20:52:04 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Aug 25 20:52:04 09[IKE] initiating IKE_SA android[42] to 121.99.xxx.xxx
Aug 25 20:52:04 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 25 20:52:04 09[NET] sending packet: from 100.83.xxx.xxx[42622] to 121.99.xxx.xxx[500] (1036 bytes)
Aug 25 20:52:04 10[NET] received packet: from 121.99.xxx.xxx[500] to 100.83.xxx.xxx[42622] (565 bytes)
Aug 25 20:52:04 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
Aug 25 20:52:04 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug 25 20:52:04 10[IKE] local host is behind NAT, sending keep alives
Aug 25 20:52:04 10[IKE] establishing CHILD_SA android{42}
Aug 25 20:52:04 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 25 20:52:04 10[NET] sending packet: from 100.83.xxx.xxx[37540] to 121.99.xxx.xxx[4500] (432 bytes)
Aug 25 20:52:05 11[NET] received packet: from 121.99.xxx.xxx[4500] to 100.83.xxx.xxx[37540] (1236 bytes)
Aug 25 20:52:05 11[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Aug 25 20:52:05 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Aug 25 20:52:05 12[NET] received packet: from 121.99.xxx.xxx[4500] to 100.83.xxx.xxx[37540] (996 bytes)
Aug 25 20:52:05 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Aug 25 20:52:05 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1968 bytes)
Aug 25 20:52:05 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 25 20:52:05 12[IKE] received end entity cert "CN=vpn.example.com"
Aug 25 20:52:05 12[CFG] no issuer certificate found for "CN=vpn.example.com"
Aug 25 20:52:05 12[CFG]   issuer is "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Aug 25 20:52:05 12[CFG]   using trusted certificate "CN=vpn.example.com"
Aug 25 20:52:05 12[IKE] authentication of 'vpn.example.com' with RSA signature successful
Aug 25 20:52:05 12[IKE] server requested EAP_IDENTITY (id 0x00), sending 'test'
Aug 25 20:52:05 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Aug 25 20:52:05 12[NET] sending packet: from 100.83.xxx.xxx[37540] to 121.99.xxx.xxx[4500] (80 bytes)
Aug 25 20:52:05 14[NET] received packet: from 121.99.xxx.xxx[4500] to 100.83.xxx.xxx[37540] (240 bytes)
Aug 25 20:52:05 14[ENC] parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
Aug 25 20:52:05 14[IKE] received AUTHENTICATION_FAILED notify error


Guys, do you have any thoughts on what I should try next?

@bpwl
@sindy
@emils

Thank you everyone for the help.

PS:

I get the same error when I try to connect from a Windows machine. That means the cert at least is working; maybe there is now an issue with the user manager/RADIUS itself?
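A small triage helper for the server-side debug log in the post above, added here as an illustration; it is not part of the original post or of RouterOS. It reads both line formats that appear in the paste, skips the hex dumps, and reports the exchange sequence, the DH-group retry and the error that ended the session. The function names are this example's own, and the embedded sample is an excerpt of the lines posted above.

```python
import re

# IANA IKEv2 Diffie-Hellman group numbers (Transform Type 4) relevant to this log.
DH_GROUPS = {14: "modp2048", 15: "modp3072", 16: "modp4096", 17: "modp6144",
             18: "modp8192", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
# Error notifies that appear in the posted log.
ERROR_NOTIFIES = {"INVALID_KE_PAYLOAD", "AUTHENTICATION_FAILED"}

PLAIN = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")               # "20:52:06 ipsec,debug text"
KEYED = re.compile(r"^time=(\S+) topics=(\S+) message=(.*)$")      # "time=... topics=... message=..."
HEXDUMP = re.compile(r"[0-9a-f ]+")                                # payload dump lines

# Excerpt of the log lines posted above (trimmed, order preserved).
SAMPLE = """\
20:52:06 ipsec -> ike2 request, exchange: SA_INIT:0 118.149.xxx.xxx[43722] 7b1891c3b3daf457:0000000000000000
20:52:06 ipsec matched proposal:
20:52:06 ipsec   dh: modp3072
20:52:06 ipsec DH group number mismatch: 15 != 19
20:52:06 ipsec adding notify: INVALID_KE_PAYLOAD
20:52:06 ipsec,debug 0000000a 00000011 000f
20:52:06 ipsec -> ike2 request, exchange: SA_INIT:0 118.149.xxx.xxx[43722] 7b1891c3b3daf457:0000000000000000
 time=20:52:06 topics=ipsec message=adding notify: NAT_DETECTION_SOURCE_IP
 time=20:52:06 topics=ipsec message=-> ike2 request, exchange: AUTH:1 118.149.xxx.xxx[43770] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:06 topics=ipsec message=ID_I (FQDN): test
 time=20:52:06 topics=ipsec message=adding payload: EAP
 time=20:52:07 topics=ipsec message=-> ike2 request, exchange: AUTH:2 118.149.xxx.xxx[43770] 7b1891c3b3daf457:9d7febaaf931cc71
 time=20:52:07 topics=ipsec message=processing payload: EAP
 time=20:52:07 topics=ipsec,error message=radius timeout
 time=20:52:07 topics=ipsec message=adding notify: AUTHENTICATION_FAILED
 time=20:52:07 topics=ipsec,info message=killing ike2 SA: IKEv2-peer 121.99.xxx.xxx[4500]-118.149.xxx.xxx[43770] spi:9d7febaaf931cc71:7b1891c3b3daf457
"""


def parse_line(line):
    """Return (time, [topics], message) for either log format, or None."""
    line = line.strip()
    m = KEYED.match(line) or PLAIN.match(line)
    if not m:
        return None
    return m[1], m[2].split(","), m[3].strip()


def dh_name(number):
    return DH_GROUPS.get(number, "group %d" % number)


def triage(lines):
    """Walk the responder log and collect the facts needed to locate the failure."""
    r = {"exchanges": [], "ke_retry": None, "initiator_id": None,
         "eap_started": False, "errors": [], "error_notifies": [], "sa_killed": False}
    current = None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, topics, msg = parsed
        if HEXDUMP.fullmatch(msg):
            continue  # payload bytes carry nothing for triage
        m = re.match(r"-> ike2 request, exchange: (\w+):(\d+)", msg)
        if m:
            current = "%s:%s" % (m[1], m[2])
            r["exchanges"].append(current)
            continue
        m = re.match(r"DH group number mismatch: (\d+) != (\d+)", msg)
        if m:
            # First number: group the responder selected; second: group in the KE payload.
            r["ke_retry"] = {"selected": dh_name(int(m[1])), "offered": dh_name(int(m[2]))}
            continue
        m = re.match(r"adding notify: (\w+)", msg)
        if m and m[1] in ERROR_NOTIFIES:
            r["error_notifies"].append(m[1])
        m = re.match(r"ID_I \(\w+\): (.+)", msg)
        if m:
            r["initiator_id"] = m[1]
        if msg == "adding payload: EAP":
            r["eap_started"] = True
        if msg.startswith("killing ike2 SA"):
            r["sa_killed"] = True
        if "error" in topics:
            r["errors"].append({"time": ts, "exchange": current, "message": msg})
    return r


def verdict(r):
    """One-line summary of where the session stopped."""
    auth_errors = [e for e in r["errors"] if (e["exchange"] or "").startswith("AUTH")]
    if r["eap_started"] and any(e["message"] == "radius timeout" for e in auth_errors):
        return "EAP hand-off failed: responder logged 'radius timeout' in " + auth_errors[0]["exchange"]
    if r["errors"]:
        return "failed in %s: %s" % (r["errors"][0]["exchange"], r["errors"][0]["message"])
    return "no error lines found"


if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    for key, value in report.items():
        print("%-15s %s" % (key, value))
    print(verdict(report))
```

On this excerpt the INVALID_KE_PAYLOAD notify is only the normal key-exchange retry (ecp256 offered, modp3072 selected); the session ends in AUTH:2, after the EAP payload, with the responder's own "radius timeout" error.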