lambert
Long time Member
Topic Author
Posts: 529
Joined: Fri Jul 23, 2010 1:09 am

IPsec tunnel CentOS to MikroTik

Fri Apr 13, 2018 12:46 pm

I've been trying to get CentOS 7 to connect to RouterOS 6.40.7 for a couple of days now.

Phase 1 works. Phase 2 never links up. If I intentionally change the DH Group or the lifetime, the centos box complains about them not matching. I don't see what is not matching up. Maybe it's an actual bug in CentOS or RouterOS? Maybe I'm just blind.

CentOS: x.x.x.x
RouterOS: y.y.y.y

CentOS log:
Apr 13 04:11:50 localhost racoon: [y.y.y.y] ERROR: unknown Informational exchange received.
Apr 13 04:11:50 localhost racoon: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Apr 13 04:11:50 localhost racoon: ERROR: not matched
Apr 13 04:11:50 localhost racoon: ERROR: no suitable policy found.
Apr 13 04:11:50 localhost racoon: [y.y.y.y] ERROR: no proposal chosen.
Apr 13 04:11:50 localhost racoon: [y.y.y.y] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Apr 13 04:12:00 localhost racoon: [y.y.y.y] ERROR: unknown Informational exchange received.
Apr 13 04:12:00 localhost racoon: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Apr 13 04:12:00 localhost racoon: ERROR: not matched
Apr 13 04:12:00 localhost racoon: ERROR: no suitable policy found.
Apr 13 04:12:00 localhost racoon: [y.y.y.y] ERROR: no proposal chosen.
Apr 13 04:12:00 localhost racoon: [y.y.y.y] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Apr 13 04:12:10 localhost racoon: INFO: IPsec-SA expired: ESP/Transport x.x.x.x[500]->y.y.y.y[500]
Apr 13 04:12:10 localhost racoon: INFO: IPsec-SA expired: ESP/Transport x.x.x.x[500]->y.y.y.y[500]
Apr 13 04:12:10 localhost racoon: INFO: IPsec-SA expired: AH/Transport y.y.y.y[500]->x.x.x.x[500] spi=143541837(0x88e464d)
Apr 13 04:12:10 localhost racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Apr 13 04:12:10 localhost racoon: ERROR: y.y.y.y give up to get IPsec-SA due to time up to wait.
RouterOS log:
04:39:27 ipsec,error no suitable proposal found.
04:39:27 ipsec,error y.y.y.y failed to pre-process ph2 packet.
04:39:37 ipsec,error y.y.y.y peer sent packet for dead phase2  
04:39:47 ipsec,error y.y.y.y peer sent packet for dead phase2  
04:39:57 ipsec,error no suitable proposal found. 
04:39:57 ipsec,error y.y.y.y failed to pre-process ph2 packet. 
04:40:07 ipsec,error y.y.y.y peer sent packet for dead phase2  
I did look at the debug log on the mikrotik. I couldn't see anything yelling at me. I'll re-enable the debug logs tomorrow, if needed. It's too late to put that much thought into it tonight, sorry.
# more racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

include "/etc/racoon/y.y.y.y.conf";
# more y.y.y.y.conf 
remote y.y.y.y
{

        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
MikroTik:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc lifetime=1h name=sha1-aes128-dh2
add enc-algorithms=aes-128-cbc,3des lifetime=1h name=sha1-3des
/ip ipsec peer
add address=x.x.x.x/32 dh-group=modp1024 enc-algorithm=\
    aes-128,3des,blowfish generate-policy=port-strict secret=\
    SeCrEt send-initial-contact=no
/ip ipsec policy
add dst-address=x.x.x.x/32 proposal=sha1-3des sa-dst-address=x.x.x.x \
    sa-src-address=y.y.y.y src-address=y.y.y.y/32 tunnel=yes
 
lambert
Long time Member
Topic Author
Posts: 529
Joined: Fri Jul 23, 2010 1:09 am

Re: IPsec tunnel CentOS to MikroTik

Fri Apr 20, 2018 2:31 am

Here is the MikroTik's debug log. I've manipulated everything I can think of on the 'Tik. It just doesn't change the result. I am obviously missing something. A clue by four to the head would be appreciated.
18:16:12 ipsec,debug proposal #1: 8 transform 
18:16:12 ipsec,debug got the local address from ID payload y.y.y.y[0] prefixlen=32 ul_proto=255 
18:16:12 ipsec,debug got the peer address from ID payload x.x.x.x[0] prefixlen=32 ul_proto=255 
18:16:12 ipsec searching for policy for selector: y.y.y.y <=> x.x.x.x 
18:16:12 ipsec generating policy 
18:16:12 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=1127:1127) 
18:16:12 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
18:16:12 ipsec,debug begin compare proposals. 
18:16:12 ipsec,debug pair[1]: 0x4a9bd0 
18:16:12 ipsec,debug  0x4a9bd0: next=0x48bef8 tnext=0x4940a0 
18:16:12 ipsec,debug   0x48bef8: next=(nil) tnext=0x4a6b00 
18:16:12 ipsec,debug    0x4a6b00: next=(nil) tnext=0x4ad6d0 
18:16:12 ipsec,debug     0x4ad6d0: next=(nil) tnext=0x4ae548 
18:16:12 ipsec,debug      0x4ae548: next=(nil) tnext=0x49b928 
18:16:12 ipsec,debug       0x49b928: next=(nil) tnext=0x4a85c8 
18:16:12 ipsec,debug        0x4a85c8: next=(nil) tnext=(nil) 
18:16:12 ipsec,debug   0x4940a0: next=(nil) tnext=(nil) 
18:16:12 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=1 trns-id=SHA 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=2 trns-id=MD5 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=3DES 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=3DES 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=BLOWFISH 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=BLOWFISH 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=AES-CBC 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=AES-CBC 
18:16:12 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
18:16:12 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
18:16:12 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
18:16:12 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
18:16:12 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
18:16:12 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
18:16:12 ipsec,debug peer's single bundle: 
18:16:12 ipsec,debug  (proto_id=AH spisize=4 spi=055ae66d spi_p=00000000 encmode=Transport reqid=0:0) 
18:16:12 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
18:16:12 ipsec,debug  (proto_id=ESP spisize=4 spi=06635116 spi_p=00000000 encmode=Transport reqid=0:0) 
18:16:12 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
18:16:12 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
18:16:12 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
18:16:12 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
18:16:12 ipsec,debug my single bundle: 
18:16:12 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=1127:1127) 
18:16:12 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
18:16:12 ipsec,debug not matched 
18:16:12 ipsec,error no suitable proposal found. 
18:16:12 ipsec failed to get proposal for responder. 
18:16:12 ipsec,error x.x.x.x failed to pre-process ph2 packet. 

 
sindy
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel CentOS to MikroTik

Fri Apr 20, 2018 4:37 pm

Here is the MikroTik's debug log. I've manipulated everything I can think of on the 'Tik. It just doesn't change the result. I am obviously missing something. A clue by four to the head would be appreciated.
Your configurations from the first post do not match what I can see in the log in the second post.

In the log, I can see that CentOS offers AH or ESP/Transport mode, while Mikrotik only accepts AH mode. Although the AH proposal at Mikrotik side seems to match one of CentOS's proposals (trns_id=SHA authtype=hmac-sha1), I don't like the spi=00000000 at Mikrotik side (but it's just a feeling).

So do not change anything at CentOS side, and at Mikrotik side, choose ESP rather than AH, and Transport mode (i.e. tunnel=no) and post the debug for that case along with a corresponding /ip ipsec export.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
lambert
Long time Member
Topic Author
Posts: 529
Joined: Fri Jul 23, 2010 1:09 am

Re: IPsec tunnel CentOS to MikroTik

Sat Apr 21, 2018 9:54 am

My policy was set to encrypt/require/esp/tunnel. I have now changed that to encrypt/require/ah/no tunnel. The logs look very similar to me. I don't get it.
 
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add auth-algorithms=sha1,md5 enc-algorithms=aes-128-cbc,3des,blowfish lifetime=1h name=centos
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=3des exchange-mode=main-l2tp \
    generate-policy=port-override lifetime=8h
add address=x.x.x.x/32 dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-128,3des,blowfish generate-policy=port-strict send-initial-contact=no
/ip ipsec policy
add dst-address=x.x.x.x/32 ipsec-protocols=ah proposal=centos src-address=\
    y.y.y.y/32
BTW, I also ran it with generate-policy=port-override and got the same results. I then ran it with ipsec-protocols=esp. The only difference was the MD5 part of "my single bundle" went missing with esp.
01:34:34 ipsec,debug ===== received 100 bytes from x.x.x.x[500] to y.y.y.y[500] 
01:34:34 ipsec,debug === 
01:34:34 ipsec,info respond new phase 1 (Identity Protection): y.y.y.y[500]<=>x.x.x.x[500] 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=1(sa) len=52 
01:34:34 ipsec,debug seen nptype=13(vid) len=20 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec received Vendor ID: DPD 
01:34:34 ipsec,debug remote supports DPD 
01:34:34 ipsec,debug total SA len=48 
01:34:34 ipsec,debug 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 
01:34:34 ipsec,debug 80010005 80030001 80020002 80040002 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=2(prop) len=40 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug proposal #1 len=40 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug transform #1 len=32 
01:34:34 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
01:34:34 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
01:34:34 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
01:34:34 ipsec,debug hash(sha1) 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug pair 1: 
01:34:34 ipsec,debug  0x48c058: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug proposal #1: 1 transform 
01:34:34 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
01:34:34 ipsec,debug trns#=1, trns-id=IKE 
01:34:34 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
01:34:34 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
01:34:34 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
01:34:34 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = AES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 128:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = AES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 128:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1536-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = AES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 128:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 0:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 2048-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 0:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1536-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug Compared: Local:Peer 
01:34:34 ipsec,debug (lifetime = 86400:28800) 
01:34:34 ipsec,debug (lifebyte = 0:0) 
01:34:34 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
01:34:34 ipsec,debug (encklen = 0:0) 
01:34:34 ipsec,debug hashtype = SHA:SHA 
01:34:34 ipsec,debug authmethod = pre-shared key:pre-shared key 
01:34:34 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
01:34:34 ipsec,debug an acceptable proposal found. 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug agreed on pre-shared key auth. 
01:34:34 ipsec,debug === 
01:34:34 ipsec,debug new cookie: 
01:34:34 ipsec,debug 962ab4613d613c6f  
01:34:34 ipsec,debug add payload of len 48, next type 13 
01:34:34 ipsec,debug add payload of len 16, next type 0 
01:34:34 ipsec,debug 100 bytes from y.y.y.y[500] to x.x.x.x[500] 
01:34:34 ipsec,debug 1 times of 100 bytes message will be sent to x.x.x.x[500] 
01:34:34 ipsec sent phase1 packet y.y.y.y[500]<=>x.x.x.x[500] 77b96f864966876c:962ab4613d613c6f 
01:34:34 ipsec,debug ===== received 508 bytes from x.x.x.x[500] to y.y.y.y[500] 
01:34:34 ipsec,debug compute IV for phase2 
01:34:34 ipsec,debug phase1 last IV: 
01:34:34 ipsec,debug 228697a1 06403767 ac306ed1 
01:34:34 ipsec,debug hash(sha1) 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug phase2 IV computed: 
01:34:34 ipsec,debug 76669a1c 0cf3bdb7 
01:34:34 ipsec,debug === 
01:34:34 ipsec respond new phase 2 negotiation: y.y.y.y[500]<=>x.x.x.x[500] 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug IV was saved for next processing: 
01:34:34 ipsec,debug b756eb70 a056decb 
01:34:34 ipsec,debug encryption(3des) 
01:34:34 ipsec,debug with key: 
01:34:34 ipsec,debug 4745fffc 6ff98373 4793adf6 51dbf5ad ba578763 33413823 
01:34:34 ipsec,debug decrypted payload by IV: 
01:34:34 ipsec,debug 76669a1c 0cf3bdb7 
01:34:34 ipsec,debug decrypted payload, but not trimed. 
01:34:34 ipsec,debug 01000018 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 0a000114 00000001 
01:34:34 ipsec,debug 00000001 02000044 01020402 093f95f5 0300001c 01030000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050002 80030002 0000001c 02020000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80050001 80030002 000000c4 01030406 08ba7628 0300001c 01030000 80010001 
01:34:34 ipsec,debug 80020e10 80040002 80050002 80030002 0300001c 02030000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050001 80030002 03000020 03070000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 800601c0 80050002 80030002 03000020 04070000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 800601c0 80050001 80030002 03000020 050c0000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80060080 80050002 80030002 00000020 060c0000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80060080 80050001 80030002 04000014 938f89c8 eff781b5 168ef74d 92dc1fde 
01:34:34 ipsec,debug 05000084 2fc726a6 e0db00be a2d87850 cd304bd8 44a52b0b bb114871 88a8cfed 
01:34:34 ipsec,debug 5d0d901f 3963d6d7 20fcdcde bc2eed15 5a69b154 24a2dfd5 dde3b755 d78cc7ee 
01:34:34 ipsec,debug 4d3db56a 7f0c6ab5 83528ae8 9e2d117f 2ae17ede fa74551a 4a7b1237 c74e6eac 
01:34:34 ipsec,debug 6d88c2d0 fac32bab 9bbcca57 a2fa9906 060e84d9 7bcec839 d075fced bb0a32d0 
01:34:34 ipsec,debug 3c715018 0500000c 01000000 d8e6e7e2 0000000c 01000000 40fa290d 9db59603 
01:34:34 ipsec,debug padding len=4 
01:34:34 ipsec,debug skip to trim padding. 
01:34:34 ipsec,debug decrypted. 
01:34:34 ipsec,debug 5a9fd6f1 3261a995 11721b76 3786bf24 08102001 ac306ed1 000001fc 01000018 
01:34:34 ipsec,debug 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 0a000114 00000001 00000001 
01:34:34 ipsec,debug 02000044 01020402 093f95f5 0300001c 01030000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80050002 80030002 0000001c 02020000 80010001 80020e10 80040002 80050001 
01:34:34 ipsec,debug 80030002 000000c4 01030406 08ba7628 0300001c 01030000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050002 80030002 0300001c 02030000 80010001 80020e10 80040002 
01:34:34 ipsec,debug 80050001 80030002 03000020 03070000 80010001 80020e10 80040002 800601c0 
01:34:34 ipsec,debug 80050002 80030002 03000020 04070000 80010001 80020e10 80040002 800601c0 
01:34:34 ipsec,debug 80050001 80030002 03000020 050c0000 80010001 80020e10 80040002 80060080 
01:34:34 ipsec,debug 80050002 80030002 00000020 060c0000 80010001 80020e10 80040002 80060080 
01:34:34 ipsec,debug 80050001 80030002 04000014 938f89c8 eff781b5 168ef74d 92dc1fde 05000084 
01:34:34 ipsec,debug 2fc726a6 e0db00be a2d87850 cd304bd8 44a52b0b bb114871 88a8cfed 5d0d901f 
01:34:34 ipsec,debug 3963d6d7 20fcdcde bc2eed15 5a69b154 24a2dfd5 dde3b755 d78cc7ee 4d3db56a 
01:34:34 ipsec,debug 7f0c6ab5 83528ae8 9e2d117f 2ae17ede fa74551a 4a7b1237 c74e6eac 6d88c2d0 
01:34:34 ipsec,debug fac32bab 9bbcca57 a2fa9906 060e84d9 7bcec839 d075fced bb0a32d0 3c715018 
01:34:34 ipsec,debug 0500000c 01000000 d8e6e7e2 0000000c 01000000 40fa290d 9db59603 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=8(hash) len=24 
01:34:34 ipsec,debug seen nptype=1(sa) len=276 
01:34:34 ipsec,debug seen nptype=10(nonce) len=20 
01:34:34 ipsec,debug seen nptype=4(ke) len=132 
01:34:34 ipsec,debug seen nptype=5(id) len=12 
01:34:34 ipsec,debug seen nptype=5(id) len=12 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug received IDci2: 
01:34:34 ipsec,debug 01000000 d8e6e7e2 
01:34:34 ipsec,debug received IDcr2: 
01:34:34 ipsec,debug 01000000 40fa290d 
01:34:34 ipsec,debug HASH(1) validate: 
01:34:34 ipsec,debug 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 
01:34:34 ipsec,debug HASH with: 
01:34:34 ipsec,debug ac306ed1 0a000114 00000001 00000001 02000044 01020402 093f95f5 0300001c 
01:34:34 ipsec,debug 01030000 80010001 80020e10 80040002 80050002 80030002 0000001c 02020000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80050001 80030002 000000c4 01030406 08ba7628 
01:34:34 ipsec,debug 0300001c 01030000 80010001 80020e10 80040002 80050002 80030002 0300001c 
01:34:34 ipsec,debug 02030000 80010001 80020e10 80040002 80050001 80030002 03000020 03070000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 800601c0 80050002 80030002 03000020 04070000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 800601c0 80050001 80030002 03000020 050c0000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80060080 80050002 80030002 00000020 060c0000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80060080 80050001 80030002 04000014 938f89c8 
01:34:34 ipsec,debug eff781b5 168ef74d 92dc1fde 05000084 2fc726a6 e0db00be a2d87850 cd304bd8 
01:34:34 ipsec,debug 44a52b0b bb114871 88a8cfed 5d0d901f 3963d6d7 20fcdcde bc2eed15 5a69b154 
01:34:34 ipsec,debug 24a2dfd5 dde3b755 d78cc7ee 4d3db56a 7f0c6ab5 83528ae8 9e2d117f 2ae17ede 
01:34:34 ipsec,debug fa74551a 4a7b1237 c74e6eac 6d88c2d0 fac32bab 9bbcca57 a2fa9906 060e84d9 
01:34:34 ipsec,debug 7bcec839 d075fced bb0a32d0 3c715018 0500000c 01000000 d8e6e7e2 0000000c 
01:34:34 ipsec,debug 01000000 40fa290d 
01:34:34 ipsec,debug hmac(hmac_sha1) 
01:34:34 ipsec,debug HASH computed: 
01:34:34 ipsec,debug 1cc89047 d3b9cbbb 39fe20e7 b80e406e bfb1e9a3 
01:34:34 ipsec,debug total SA len=272 
01:34:34 ipsec,debug 00000001 00000001 02000044 01020402 093f95f5 0300001c 01030000 80010001 
01:34:34 ipsec,debug 80020e10 80040002 80050002 80030002 0000001c 02020000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80050001 80030002 000000c4 01030406 08ba7628 0300001c 01030000 
01:34:34 ipsec,debug 80010001 80020e10 80040002 80050002 80030002 0300001c 02030000 80010001 
01:34:34 ipsec,debug 80020e10 80040002 80050001 80030002 03000020 03070000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 800601c0 80050002 80030002 03000020 04070000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 800601c0 80050001 80030002 03000020 050c0000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80060080 80050002 80030002 00000020 060c0000 80010001 80020e10 
01:34:34 ipsec,debug 80040002 80060080 80050001 80030002 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=2(prop) len=68 
01:34:34 ipsec,debug seen nptype=2(prop) len=196 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug proposal #1 len=68 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug transform #1 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #2 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug proposal #1 len=196 
01:34:34 ipsec,debug begin. 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug seen nptype=3(trns) len=28 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug seen nptype=3(trns) len=32 
01:34:34 ipsec,debug succeed. 
01:34:34 ipsec,debug transform #1 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #2 len=28 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #3 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #4 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #5 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug transform #6 len=32 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug life duration was in TLV. 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug dh(modp1024) 
01:34:34 ipsec,debug pair 1: 
01:34:34 ipsec,debug  0x4ac460: next=0x49cc18 tnext=0x48ce50 
01:34:34 ipsec,debug   0x49cc18: next=(nil) tnext=0x49cff8 
01:34:34 ipsec,debug    0x49cff8: next=(nil) tnext=0x493e18 
01:34:34 ipsec,debug     0x493e18: next=(nil) tnext=0x48b8a8 
01:34:34 ipsec,debug      0x48b8a8: next=(nil) tnext=0x4b1150 
01:34:34 ipsec,debug       0x4b1150: next=(nil) tnext=0x4a2b58 
01:34:34 ipsec,debug        0x4a2b58: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug   0x48ce50: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug proposal #1: 8 transform 
01:34:34 ipsec,debug got the local address from ID payload y.y.y.y[0] prefixlen=32 ul_proto=255 
01:34:34 ipsec,debug got the peer address from ID payload x.x.x.x[0] prefixlen=32 ul_proto=255 
01:34:34 ipsec searching for policy for selector: y.y.y.y <=> x.x.x.x 
01:34:34 ipsec using strict match: y.y.y.y <=> x.x.x.x 
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:34:34 ipsec,debug begin compare proposals. 
01:34:34 ipsec,debug pair[1]: 0x4ac460 
01:34:34 ipsec,debug  0x4ac460: next=0x49cc18 tnext=0x48ce50 
01:34:34 ipsec,debug   0x49cc18: next=(nil) tnext=0x49cff8 
01:34:34 ipsec,debug    0x49cff8: next=(nil) tnext=0x493e18 
01:34:34 ipsec,debug     0x493e18: next=(nil) tnext=0x48b8a8 
01:34:34 ipsec,debug      0x48b8a8: next=(nil) tnext=0x4b1150 
01:34:34 ipsec,debug       0x4b1150: next=(nil) tnext=0x4a2b58 
01:34:34 ipsec,debug        0x4a2b58: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug   0x48ce50: next=(nil) tnext=(nil) 
01:34:34 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=1 trns-id=SHA 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=AH spi-size=4 #trns=2 trns#=2 trns-id=MD5 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=3DES 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=3DES 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=BLOWFISH 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=BLOWFISH 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=448 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=AES-CBC 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=AES-CBC 
01:34:34 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
01:34:34 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
01:34:34 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
01:34:34 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
01:34:34 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
01:34:34 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
01:34:34 ipsec,debug peer's single bundle: 
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=093f95f5 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:34:34 ipsec,debug  (proto_id=ESP spisize=4 spi=08ba7628 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
01:34:34 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
01:34:34 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
01:34:34 ipsec,debug my single bundle: 
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:34:34 ipsec,debug not matched 
01:34:34 ipsec,error no suitable proposal found. 
01:34:34 ipsec failed to get proposal for responder. 
01:34:34 ipsec,error x.x.x.x failed to pre-process ph2 packet.

port-override:
01:44:54 ipsec,debug peer's single bundle: 
01:44:54 ipsec,debug  (proto_id=AH spisize=4 spi=0010a686 spi_p=00000000 encmode=Transport reqid=0:0) 
01:44:54 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:44:54 ipsec,debug  (proto_id=ESP spisize=4 spi=0eee26e7 spi_p=00000000 encmode=Transport reqid=0:0) 
01:44:54 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
01:44:54 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
01:44:54 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
01:44:54 ipsec,debug my single bundle: 
01:44:54 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
01:44:54 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:44:54 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:44:54 ipsec,debug not matched 
01:44:54 ipsec,error no suitable proposal found. 
01:44:54 ipsec failed to get proposal for responder. 
01:44:54 ipsec,error x.x.x.x failed to pre-process ph2 packet. 

ipsec-protocols=esp:
01:48:31 ipsec,debug peer's single bundle: 
01:48:31 ipsec,debug  (proto_id=AH spisize=4 spi=0e245677 spi_p=00000000 encmode=Transport reqid=0:0) 
01:48:31 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=MD5 authtype=hmac-md5) 
01:48:31 ipsec,debug  (proto_id=ESP spisize=4 spi=099a2d97 spi_p=00000000 encmode=Transport reqid=0:0) 
01:48:31 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
01:48:31 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=BLOWFISH encklen=448 authtype=hmac-md5) 
01:48:31 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
01:48:31 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-md5) 
01:48:31 ipsec,debug my single bundle: 
01:48:31 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=4711:4711) 
01:48:31 ipsec,debug   (trns_id=SHA authtype=hmac-sha1) 
01:48:31 ipsec,debug not matched 
01:48:31 ipsec,error no suitable proposal found. 
01:48:31 ipsec failed to get proposal for responder. 
01:48:31 ipsec,error x.x.x.x failed to pre-process ph2 packet. 
 
sindy
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel CentOS to MikroTik

Sat Apr 21, 2018 10:15 am

My policy was set to encrypt/require/esp/tunnel. I have now changed that to encrypt/require/ah/no tunnel. The logs look very similar to me. I don't get it.
In both cases the 'Tik is reporting to the log to be ready only for AH. I'm not sure what happens when you ask for ESP/Tunnel mode for a policy which has src-address equal to sa-src-address and dst-address equal to sa-dst-address, because it is an unusual configuration. Normally, ESP/Transport or AH mode suits this, as encapsulation of the original source and destination addresses along with the payload, which is what tunnel mode does, is a useless waste of packet space in this case.

So one explanation could be that Mikrotik chooses AH mode instead of ESP/Tunnel mode in this case (which would be a bug itself but would pop up under unusual circumstances), another explanation is a completely broken IPsec in the RouterOS version you currently use. Which one is it? I remember some issues reported and later fixed in 6.41.x and/or 6.42rc.y. I have currently 6.41.3 on one box and 6.42 on another and both are running fine with IPsec.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
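The "not matched" verdict in the debug output above can be read mechanically. The log strings ("peer's single bundle", "my single bundle", "failed to pre-process ph2 packet") are racoon's, and racoon as responder only accepts a phase 2 proposal whose bundle carries the same protocols and encapsulation modes as the local policy; only then does it look for a transform both sides list. Every snippet above shows the CentOS side bundling AH and ESP together, while the router's own bundle is AH alone (even with ipsec-protocols=esp it still prints proto_id=AH). The script below is an added example, not code from the thread or from RouterOS: it parses such bundle lines and reports the first reason the responder would reject. The first log sample is constructed in the same shape as the quoted output; the second is a constructed, assumed picture of what both bundles would look like once the CentOS SPD is reduced to esp/transport only.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a verbatim copy of the thread): the shape follows the
# RouterOS "ipsec,debug" lines quoted above, trimmed to a few transforms.
MISMATCH_LOG = """\
01:34:34 ipsec,debug peer's single bundle:
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=093f95f5 spi_p=00000000 encmode=Transport reqid=0:0)
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1)
01:34:34 ipsec,debug   (trns_id=MD5 authtype=hmac-md5)
01:34:34 ipsec,debug  (proto_id=ESP spisize=4 spi=08ba7628 spi_p=00000000 encmode=Transport reqid=0:0)
01:34:34 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1)
01:34:34 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
01:34:34 ipsec,debug my single bundle:
01:34:34 ipsec,debug  (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
01:34:34 ipsec,debug   (trns_id=SHA authtype=hmac-sha1)
01:34:34 ipsec,debug not matched
"""

# Constructed sample (assumption, not observed output): both ends asking for
# ESP/transport only, with one overlapping transform.
MATCH_LOG = """\
02:00:00 ipsec,debug peer's single bundle:
02:00:00 ipsec,debug  (proto_id=ESP spisize=4 spi=0a0b0c0d spi_p=00000000 encmode=Transport reqid=0:0)
02:00:00 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
02:00:00 ipsec,debug my single bundle:
02:00:00 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
02:00:00 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
"""

PROTO_RE = re.compile(r"\(proto_id=(?P<proto>\w+) .*?encmode=(?P<mode>\w+)")
TRNS_RE = re.compile(
    r"\(trns_id=(?P<trns>[\w-]+)(?: encklen=(?P<klen>\d+))? authtype=(?P<auth>[\w-]+)\)"
)


@dataclass
class Proto:
    proto_id: str                                   # "AH" or "ESP"
    encmode: str                                    # "Transport" or "Tunnel"
    transforms: list = field(default_factory=list)  # (trns_id, encklen, authtype)


def parse_bundles(text):
    """Return {"peer": [Proto, ...], "my": [Proto, ...]} from racoon-style ph2 debug lines."""
    bundles, current = {}, None
    for line in text.splitlines():
        body = line.split("ipsec,debug", 1)[-1].strip()
        if body.startswith("peer's single bundle"):
            current = bundles.setdefault("peer", [])
        elif body.startswith("my single bundle"):
            current = bundles.setdefault("my", [])
        elif current is None:
            continue
        elif (m := PROTO_RE.match(body)):
            current.append(Proto(m["proto"], m["mode"]))
        elif (m := TRNS_RE.match(body)) and current:
            current[-1].transforms.append((m["trns"], int(m["klen"] or 0), m["auth"]))
    return bundles


def diagnose(bundles):
    """Explain a 'not matched' verdict.

    The responder first requires the peer's bundle to carry exactly the same
    protocols and modes as the local policy (AH, ESP or AH+ESP; transport or
    tunnel) and only then looks for one transform per protocol that both sides
    list.  Returns a list of problems; an empty list means the bundles match."""
    peer, mine = bundles.get("peer", []), bundles.get("my", [])
    peer_set = {(p.proto_id, p.encmode) for p in peer}
    my_set = {(p.proto_id, p.encmode) for p in mine}
    if peer_set != my_set:
        return [f"protocol bundle differs: peer proposes {sorted(peer_set)}, "
                f"local policy is {sorted(my_set)}"]
    problems = []
    for pp in peer:
        mp = next(p for p in mine if (p.proto_id, p.encmode) == (pp.proto_id, pp.encmode))
        if not set(pp.transforms) & set(mp.transforms):
            problems.append(f"{pp.proto_id}: no common transform "
                            f"(peer {pp.transforms}, local {mp.transforms})")
    return problems


if __name__ == "__main__":
    for name, log in (("thread", MISMATCH_LOG), ("esp-only", MATCH_LOG)):
        print(name, diagnose(parse_bundles(log)) or ["match"])
```

Run against the first sample it reports the protocol-set difference before it ever gets to ciphers, which is why changing DH group or lifetime on the CentOS side produced a different error (those are compared later) while the AH+ESP versus AH mismatch stays silent apart from "not matched". The fix direction it points at is to make the two bundles identical: either a single esp/transport entry in the CentOS SPD, or a RouterOS policy that really ends up offering ESP.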
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: IPsec tunnel CentOS to MikroTik

Sat Apr 21, 2018 1:39 pm

.... another explanation is a completely broken IPsec in the RouterOS version you currently use. Which one is it? I remember some issues reported and later fixed in 6.41.x and/or 6.42rc.y. I have currently 6.41.3 on one box and 6.42 on another and both are running fine with IPsec.

Since the OP is on 6.40.7, it might very well be that IPSec is broken, I read in the below topic that Mikrotik rewrote the IPSec stack completely in 6.40.x, so maybe a good point to upgrade to 6.41.3 and test

viewtopic.php?f=2&t=133440
MTCNA, MTCTCE, MTCRE & MTCINE
 
lambert
Long time Member
Topic Author
Posts: 529
Joined: Fri Jul 23, 2010 1:09 am

Re: IPsec tunnel CentOS to MikroTik

Mon Apr 23, 2018 9:51 am

Tried 6.42. Same results.
 
sindy
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel CentOS to MikroTik

Mon Apr 23, 2018 10:21 am

Tried 6.42. Same results.
Try ESP/transport (= no tunnel) and post the log, please. Is there no other IPsec configuration (including any dynamically created one from l2tp, eoip or some other tunnelling protocol secured using ipsec by ticking use-ipsec=yes) on the Mikrotik? Please attach the output of /ip ipsec peer print and /ip ipsec policy print, after editing any public addresses you don't want to reveal.
