pommo
just joined
Topic Author
Posts: 4
Joined: Sun Dec 01, 2019 9:50 am

VPN Problem

Sun Dec 01, 2019 10:07 am

Hello,
I decided to upgrade an old Linksys/Cisco router and I now have a Mikrotik.
The problem is that I had a gateway-to-gateway VPN with another Linksys router. I set up the Mikrotik, but it doesn't pass phase 2 of authentication; it connects phase 1 for 30s, but that's it.
The Linksys router config:
Local security: Ip only
Remote security: Ip only
Keying Mode: Ike with preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: 3DES
Phase1 Authentication: SHA1
Phase1 SA Life Time: 28800 seconds
Perfect Forward Secrecy: Yes

Phase2 DH Group: Group 1
Phase2 SA Life Time: 3600 seconds
Preshared key: secret

and on the Mikrotik i have this config:

Code:

# nov/29/2019 20:16:41 by RouterOS 6.43.16
# software id = GLDH-AY03
#
# model = RB1100Dx4
# serial number = blabla
/interface bridge
add admin-mac=bla.bla auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=isp1 name=ether1-wan
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add comment="WAN ports" name=WAN
add comment="LAN ports" name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] dh-group=\
modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 \
enc-algorithm=aes-256,aes-192,aes-128,3des,des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5,null \
enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256,aes-192-c\
bc,aes-192-ctr,aes-192-gcm,camellia-192,aes-128-cbc,aes-128-ctr,aes-128-gc\
m,camellia-128,3des,blowfish,twofish,des,null" pfs-group=modp768
/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.190
/ip dhcp-server
add address-pool=pool-lan disabled=no interface=bridge-local name=dhcp-lan
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
add bridge=bridge-local interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether1-wan list=WAN
/ip address
add address=192.168.1.199/24 interface=bridge-local network=192.168.1.0
add address=192.77.63.18 interface=ether1-wan network=192.77.63.1
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.199 gateway=192.168.1.199
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.199 name=router
/ip firewall address-list
add address=192.168.1.0/24 list=Internet
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept all from bridge-local" \
in-interface=bridge-local
add action=accept chain=input comment="Accept access for ManageIP group" \
src-address-list=ManageIP
add action=drop chain=input comment="Drop all other"
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
"Accept Internet via ISP1 for Internet group" connection-state=new \
in-interface=bridge-local out-interface=ether1-wan src-address-list=\
Internet
add action=drop chain=forward comment="Drop all other"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=WAN
/ip ipsec peer
add address=25.2.198.15/32 comment=Office secret=secret
/ip ipsec policy
add comment=Office dst-address=192.168.2.0/24 sa-dst-address=25.2.198.15 \
sa-src-address=192.77.63.18 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.77.63.1
/system clock
set time-zone-name=RO/RO
/system identity
set name=MyRouter
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I feel like I'm missing something here, but I still can't make it work.
Thank you for all the help.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN Problem

Sun Dec 01, 2019 12:43 pm

You should see the answer in the log. Use /system logging add topics=ipsec,!packet to enable detailed logging of IPsec. Then, disable the peer at Tik side, let it "cool down" for 5 minutes, then run /log print follow-only file=ipsec-startup where topics~"ipsec" and re-enable the peer. Once phase 1 comes up and phase 2 fails, break the /log print ... command, download the file and read it.

If you cannot find the reason on your own, post the file here, after anonymizing it the way suggested in my automatic signature right below.

Also, you may want to upgrade the machine from 6.43.16 to 6.44.6 (long-term) if not 6.45.7 (stable). I don't suggest that the old RouterOS version is the reason why phase 2 fails, but the structure of the IPsec configuration has changed between 6.43 and 6.44, so since you are starting with IPsec on Tik anyway, it may be better to learn the new way right away.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
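A way to triage the log that the procedure above produces, as an added example (not sindy's, MikroTik's or the Linksys vendor's code): it parses constructed lines in the RouterOS ipsec log format, reports which phase 1 "-compare proposal" blocks agree on every strictly matched attribute, flags weak parameters on the accepted ones, and summarises the phase 2 exchange (sends, resends, a delete from the peer, "no IKEv1 peer config" errors). Assumptions: the set of strictly matched attributes (taken from the log in this thread, where a proposal that matched on dh_group was still skipped because encklen differed), the "IPsec-SA established" success message, and the sample lines themselves.

```python
import re

# Log line: time, optional topics after "ipsec,", message; attribute lines may be parenthesised.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec(?:,([\w,]+))? (.*)$")
ATTR_RE = re.compile(r"^\(?(\w+) = (.*?):(.*?)\)?$")
PROP_RE = re.compile(r"^-compare proposal #(\d+): Local:Peer$")

# Assumption drawn from the thread's log: these attributes must agree for a phase 1
# proposal to be accepted (proposal #8 there matched dh_group but differed in encklen);
# lifetime and lifebyte are printed in parens and negotiated rather than matched.
STRICT = ("enctype", "encklen", "hashtype", "authmethod", "dh_group")
# Values a defender should not accept on a new tunnel.
WEAK = {"768-bit MODP group", "1024-bit MODP group", "MD5", "DES", "3DES"}

# Constructed sample in the format of the thread's log (documentation addresses, fake SPIs).
SAMPLE_LOG = """\
16:43:20 ipsec sent phase2 packet 192.0.2.18[500]<=>198.51.100.15[500] 0011:2233:0000a11e
16:43:30 ipsec resent phase2 packet 192.0.2.18[500]<=>198.51.100.15[500] 0011:2233:0000a11e
16:43:48 ipsec,debug 198.51.100.15 delete payload for protocol ISAKMP
16:43:48 ipsec no IKEv1 peer config for 198.51.100.15
16:43:50 ipsec,debug -compare proposal #1: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 8192-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #2: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 768-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug hash(sha1)
""".splitlines()


def parse(lines):
    # Yield (time, topics, message) for each well-formed ipsec log line.
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "").split(","), m.group(3)


def phase1_proposals(lines):
    """Group each '-compare proposal' block into {'n', 'attrs', 'mismatch'}."""
    props, cur = [], None
    for _, _, msg in parse(lines):
        pm, am = PROP_RE.match(msg), ATTR_RE.match(msg)
        if pm:
            cur = {"n": int(pm.group(1)), "attrs": {}, "mismatch": []}
            props.append(cur)
        elif cur is not None and am:
            name, local, peer = am.groups()
            cur["attrs"][name] = (local, peer)
            if name in STRICT and local != peer:
                cur["mismatch"].append(name)
        else:
            cur = None  # any other message ends the comparison block
    return props


def weak_parameters(props):
    """Weak values used by the proposals both sides would accept."""
    found = set()
    for p in props:
        if not p["mismatch"]:
            for local, peer in p["attrs"].values():
                found |= {v for v in (local, peer) if v in WEAK}
    return sorted(found)


def phase2_timeline(lines):
    """Count quick-mode sends and resends, peer deletes and unknown-peer errors."""
    t = {"sent": 0, "resent": 0, "replies": 0, "peer_delete": 0, "no_peer_config": []}
    for _, _, msg in parse(lines):
        if msg.startswith("sent phase2 packet"):
            t["sent"] += 1
        elif msg.startswith("resent phase2 packet"):
            t["resent"] += 1
        elif msg.startswith("IPsec-SA established"):  # assumed phase 2 success message
            t["replies"] += 1
        elif "delete payload for protocol ISAKMP" in msg:
            t["peer_delete"] += 1
        elif msg.startswith("no IKEv1 peer config for "):
            t["no_peer_config"].append(msg.rsplit(" ", 1)[1])
    return t


def diagnose(lines):
    """Turn the parsed facts into short hints for whoever reads the log."""
    props, t, hints = phase1_proposals(lines), phase2_timeline(lines), []
    accepted = [p["n"] for p in props if not p["mismatch"]]
    weak = weak_parameters(props)
    if props and not accepted:
        hints.append("phase1: no local proposal agrees with the peer's offer")
    elif weak:
        hints.append("phase1: accepted proposal(s) %s rely on weak parameters: %s" % (accepted, ", ".join(weak)))
    if t["sent"] and not t["replies"] and t["peer_delete"]:
        hints.append("phase2: peer deleted the ISAKMP SA without answering quick mode; compare the phase 2 proposal, PFS group and selectors on both sides")
    for addr in t["no_peer_config"]:
        hints.append("a packet from %s arrived while no IKEv1 peer config matched it" % addr)
    return hints
```

Feed it the file saved by /log print ... file=ipsec-startup (one line per list element) instead of SAMPLE_LOG to triage a real capture.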
 
LeonaFayre
just joined
Posts: 2
Joined: Mon Nov 25, 2019 12:05 pm

Re: VPN Problem

Sun Dec 01, 2019 5:18 pm

Upgrade the machine; this should solve your issue, I think.
 
pommo
just joined
Topic Author
Posts: 4
Joined: Sun Dec 01, 2019 9:50 am

Re: VPN Problem

Mon Dec 02, 2019 5:21 pm

Hello, and thank you. I updated the router and below is the log for ipsec.

The only thing that popped up was: 16:43:48 ipsec no IKEv1 peer config for 25.2.198.15

Code:

# dec/ 2/2019 16:54:50 by RouterOS 6.45.7
# software id = GLDH-AY03
#
16:43:20 ipsec,debug seen nptype=8(hash) len=24
16:43:20 ipsec,debug succeed.
16:43:20 ipsec,debug HASH received:
16:43:20 ipsec,debug 1b17fa92 876eed4c 3b0130bf 2b5d282b a0a8c53c
16:43:20 ipsec,debug HASH for PSK validated.
16:43:20 ipsec,debug 25.2.198.15 peer's ID:
16:43:20 ipsec,debug 01000000 524d3e18
16:43:20 ipsec,debug ===
16:43:20 ipsec policy installed for connected peer, creating ph2
16:43:20 ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=256 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=288 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=256 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=288 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=256 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=288 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=256 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=288 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=256 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=288 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-GCM-ICV16 encklen=256 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-GCM-ICV16 encklen=288 authtype=254)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=256 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=256 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=256 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=256 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=256 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=192 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=192 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=224 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=192 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=224 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=192 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=224 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=192 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=224 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=192 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=224 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-GCM-ICV16 encklen=192 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-GCM-ICV16 encklen=224 authtype=254)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=192 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=192 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=192 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=192 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=192 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=128 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=160 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=128 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=160 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=128 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=160 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=128 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=160 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=128 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-CTR encklen=160 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-GCM-ICV16 encklen=128 authtype=254)
16:43:20 ipsec,debug (trns_id=AES-GCM-ICV16 encklen=160 authtype=254)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=0 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=0 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=0 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=0 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=CAMELLIA encklen=0 authtype=254)
16:43:20 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=3DES encklen=0 authtype=254)
16:43:20 ipsec,debug (trns_id=BLOWFISH encklen=128 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=BLOWFISH encklen=128 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=BLOWFISH encklen=128 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=BLOWFISH encklen=128 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=BLOWFISH encklen=128 authtype=254)
16:43:20 ipsec,debug (trns_id=TWOFISH encklen=128 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=TWOFISH encklen=128 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=TWOFISH encklen=128 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=TWOFISH encklen=128 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=TWOFISH encklen=128 authtype=254)
16:43:20 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=DES encklen=0 authtype=254)
16:43:20 ipsec,debug (trns_id=NULL encklen=0 authtype=hmac-sha512)
16:43:20 ipsec,debug (trns_id=NULL encklen=0 authtype=hmac-sha256)
16:43:20 ipsec,debug (trns_id=NULL encklen=0 authtype=hmac-sha1)
16:43:20 ipsec,debug (trns_id=NULL encklen=0 authtype=hmac-md5)
16:43:20 ipsec,debug (trns_id=NULL encklen=0 authtype=254)
16:43:20 ipsec,debug begin QUICK mode.
16:43:20 ipsec,debug ===
16:43:20 ipsec,debug begin QUICK mode.
16:43:20 ipsec initiate new phase 2 negotiation: 192.77.63.18[500]<=>25.2.198.15[500]
16:43:20 ipsec,debug hash(sha1)
16:43:20 ipsec,debug call pfkey_send_getspi 17
16:43:20 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 25.2.198.15[500]->192.77.63.18[500]
16:43:20 ipsec,debug pfkey getspi sent.
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug dh(modp768)
16:43:20 ipsec,debug use local ID type IPv4_subnet
16:43:20 ipsec,debug use remote ID type IPv4_subnet
16:43:20 ipsec,debug IDci:
16:43:20 ipsec,debug 04000000 c0a80100 ffffff00
16:43:20 ipsec,debug IDcr:
16:43:20 ipsec,debug 04000000 c0a80600 ffffff00
16:43:20 ipsec,debug add payload of len 2736, next type 10
16:43:20 ipsec,debug add payload of len 24, next type 4
16:43:20 ipsec,debug add payload of len 96, next type 5
16:43:20 ipsec,debug add payload of len 12, next type 5
16:43:20 ipsec,debug add payload of len 12, next type 0
16:43:20 ipsec,debug add payload of len 20, next type 1
16:43:20 ipsec,debug 2956 bytes from 82.77.63.24[500] to 82.77.62.24[500]
16:43:20 ipsec,debug 1 times of 2956 bytes message will be sent to 25.2.198.15[500]
16:43:20 ipsec sent phase2 packet 192.77.63.18[500]<=>25.2.198.15[500] 54bb406253f04cf7:a21d7bac23586a6f:0000a11e
16:43:20 ipsec,info ISAKMP-SA established 192.77.63.18[500]-25.2.198.15[500] spi:54bb406253f04cf7:a21d7bac23586a6f
16:43:20 ipsec,debug ===
16:43:30 ipsec,debug 2956 bytes from 192.77.63.18[500] to 25.2.198.15[500]
16:43:30 ipsec,debug 1 times of 2956 bytes message will be sent to 25.2.198.15[500]
16:43:30 ipsec resent phase2 packet 192.77.63.18[500]<=>25.2.198.15[500] 54bb406253f04cf7:a21d7bac23586a6f:0000a11e
16:43:40 ipsec,debug 2956 bytes from 192.77.63.18[500] to 25.2.198.15[500]
16:43:40 ipsec,debug 1 times of 2956 bytes message will be sent to 25.2.198.15[500]
16:43:40 ipsec resent phase2 packet 192.77.63.18[500]<=>25.2.198.15[500] 54bb406253f04cf7:a21d7bac23586a6f:0000a11e
16:43:48 ipsec,debug ===== received 92 bytes from 25.2.198.15[500] to 192.77.63.18[500]
16:43:48 ipsec,debug receive Information.
16:43:48 ipsec,debug hash(sha1)
16:43:48 ipsec,debug hash validated.
16:43:48 ipsec,debug begin.
16:43:48 ipsec,debug seen nptype=8(hash) len=24
16:43:48 ipsec,debug seen nptype=12(delete) len=28
16:43:48 ipsec,debug succeed.
16:43:48 ipsec,debug 25.2.198.15 delete payload for protocol ISAKMP
16:43:48 ipsec,info purging ISAKMP-SA 192.77.63.18[500]<=>25.2.198.15[500] spi=54bb406253f04cf7:a21d7bac23586a6f.
16:43:48 ipsec purged ISAKMP-SA 192.77.63.18[500]<=>25.2.198.15[500] spi=54bb406253f04cf7:a21d7bac23586a6f.
16:43:48 ipsec,debug purged SAs.
16:43:48 ipsec,info ISAKMP-SA deleted 192.77.63.18[500]-25.2.198.15[500] spi:54bb406253f04cf7:a21d7bac23586a6f rekey:1
16:43:48 ipsec,debug ===== received 236 bytes from 25.2.198.15[500] to 192.77.63.18[500]
16:43:48 ipsec no IKEv1 peer config for 25.2.198.15
16:43:50 ipsec,debug ===
16:43:50 ipsec,info initiate new phase 1 (Identity Protection): 192.77.63.18[500]<=>25.2.198.15[500]
16:43:50 ipsec,debug new cookie:
16:43:50 ipsec,debug ea04183c7081318c\01
16:43:50 ipsec,debug add payload of len 1552, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 13
16:43:50 ipsec,debug add payload of len 16, next type 0
16:43:50 ipsec,debug 1844 bytes from 192.77.63.18[500] to 25.2.198.15[500]
16:43:50 ipsec,debug 1 times of 1844 bytes message will be sent to 25.2.198.15[500]
16:43:50 ipsec sent phase1 packet 192.77.63.18[500]<=>25.2.198.15[500] ea04183c7081318c:0000000000000000
16:43:50 ipsec,debug ===== received 108 bytes from 25.2.198.15[500] to 192.77.63.18[500]
16:43:50 ipsec,debug begin.
16:43:50 ipsec,debug seen nptype=1(sa) len=60
16:43:50 ipsec,debug seen nptype=13(vid) len=20
16:43:50 ipsec,debug succeed.
16:43:50 ipsec received Vendor ID: DPD
16:43:50 ipsec,debug remote supports DPD
16:43:50 ipsec,debug total SA len=56
16:43:50 ipsec,debug 00000001 00000001 00000030 01010001 00000028 18010000 800b0001 000c0004
16:43:50 ipsec,debug 00015180 80010007 800e0080 80030001 80020002 80040001
16:43:50 ipsec,debug begin.
16:43:50 ipsec,debug seen nptype=2(prop) len=48
16:43:50 ipsec,debug succeed.
16:43:50 ipsec,debug proposal #1 len=48
16:43:50 ipsec,debug begin.
16:43:50 ipsec,debug seen nptype=3(trns) len=40
16:43:50 ipsec,debug succeed.
16:43:50 ipsec,debug transform #24 len=40
16:43:50 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
16:43:50 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
16:43:50 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:43:50 ipsec,debug type=Key Length, flag=0x8000, lorv=128
16:43:50 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
16:43:50 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
16:43:50 ipsec,debug hash(sha1)
16:43:50 ipsec,debug type=Group Description, flag=0x8000, lorv=768-bit MODP group
16:43:50 ipsec,debug dh(modp768)
16:43:50 ipsec,debug pair 1:
16:43:50 ipsec,debug 0x983f8: next=(nil) tnext=(nil)
16:43:50 ipsec,debug proposal #1: 1 transform
16:43:50 ipsec,debug -checking with pre-shared key auth-
16:43:50 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
16:43:50 ipsec,debug trns#=24, trns-id=IKE
16:43:50 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
16:43:50 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
16:43:50 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:43:50 ipsec,debug type=Key Length, flag=0x8000, lorv=128
16:43:50 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
16:43:50 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
16:43:50 ipsec,debug type=Group Description, flag=0x8000, lorv=768-bit MODP group
16:43:50 ipsec,debug -compare proposal #1: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 8192-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #2: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 6144-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #3: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 4096-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #4: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 3072-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #5: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 2048-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #6: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1536-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #7: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1024-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #8: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 256:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 768-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #9: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 8192-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #10: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 6144-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #11: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 4096-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #12: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 3072-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #13: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 2048-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #14: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1536-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #15: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1024-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #16: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 192:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 768-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #17: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 8192-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #18: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 6144-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #19: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 4096-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #20: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 3072-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #21: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 2048-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #22: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1536-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #23: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1024-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #24: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 768-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -an acceptable proposal found-
16:43:50 ipsec,debug dh(modp768)
16:43:50 ipsec,debug -agreed on pre-shared key auth-
16:43:50 ipsec,debug ===
16:43:50 ipsec,debug dh(modp768)
16:43:50 ipsec,debug add payload of len 96, next type 10
16:43:50 ipsec,debug add payload of len 24, next type 0
16:43:50 ipsec,debug 156 bytes from 192.77.63.18[500] to 25.2.198.15[500]
16:43:50 ipsec,debug 1 times of 156 bytes message will be sent to 25.2.198.15[500]
16:43:50 ipsec sent phase1 packet 192.77.63.18[500]<=>25.2.198.15[500] ea04183c7081318c:cda276ae7e791301
16:43:50 ipsec,debug ===== received 148 bytes from 25.2.198.15[500] to 192.77.63.18[500]
16:43:50 ipsec,debug begin.
16:43:50 ipsec,debug seen nptype=4(ke) len=100
16:43:50 ipsec,debug seen nptype=10(nonce) len=20
16:43:50 ipsec,debug succeed.
16:43:50 ipsec,debug ===
16:43:50 ipsec,debug dh(modp768)
16:43:50 ipsec,debug nonce 1:
16:43:50 ipsec,debug b4d36683 b4ade57d 021f3a52 89817b34 ab95ac7c 8872f7f5
16:43:50 ipsec,debug nonce 2:
16:43:50 ipsec,debug 0627b6a0 a5728e36 73df3668 7ca5ad35
16:43:50 ipsec,debug SKEYID computed:
16:43:50 ipsec,debug 5c16a33e 96896bde ae443df4 738a5d34 2fc63e26
16:43:50 ipsec,debug SKEYID_d computed:
16:43:50 ipsec,debug 89b3db53 8a156108 dee88ff6 0b66dddf e61c3115
16:43:50 ipsec,debug SKEYID_a computed:
16:43:50 ipsec,debug a42138b3 071dec66 5387cb52 6e01b4fb e023b543
16:43:50 ipsec,debug SKEYID_e computed:
16:43:50 ipsec,debug a2e21ef8 81ac3025 43006304 52d9914c 011e47c3
16:43:50 ipsec,debug hash(sha1)
16:43:50 ipsec,debug final encryption key computed:
16:43:50 ipsec,debug a2e21ef8 81ac3025 43006304 52d9914c
16:43:50 ipsec,debug hash(sha1)
16:43:50 ipsec,debug IV computed:
16:43:50 ipsec,debug aa78f3b3 0668e8a7 3ebcbb53 5eee222d
16:43:50 ipsec,debug use ID type of IPv4_address
16:43:50 ipsec,debug add payload of len 8, next type 8
16:43:50 ipsec,debug add payload of len 20, next type 0
16:43:50 ipsec,debug 76 bytes from 192.77.63.18[500] to 25.2.198.15[500]
16:43:50 ipsec,debug 1 times of 76 bytes message will be sent to 25.2.198.15[500]
16:43:50 ipsec sent phase1 packet 192.77.63.18[500]<=>25.2.198.15[500] ea04183c7081318c:cda276ae7e791301
16:43:50 ipsec IPsec-SA expired: ESP/Tunnel 25.2.198.15[500]->192.77.63.18[500] spi=0x10d839a
16:43:50 ipsec,debug ===== received 76 bytes from 25.2.198.15[500] to 192.77.63.18[500]
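The 24 "Local:Peer" comparisons above are tedious to read by eye: each block lists the attributes the responder compared, and only the last one before "-an acceptable proposal found-" agrees on every line. The script below is an added example for this thread, not code from any poster or from MikroTik. It parses lines in that ipsec,debug format, reports which attribute kept each proposal from matching, and names any attribute that mismatched in every comparison (when nothing matches at all, that is the setting to change on one side). The embedded sample log is a constructed abridgement of proposals #23 and #24 above, and the function names are my own. It handles the phase 1 comparison format shown here; phase 2 (quick mode) comparisons are logged differently and are not covered.

```python
"""Parse RouterOS 'ipsec,debug' phase 1 proposal comparisons and report which
attributes kept each Local:Peer pair from matching."""
import re
from dataclasses import dataclass, field

# Constructed sample in the same format as the log posted above: an abridged
# copy of proposals #23 and #24 plus the acceptance line.
SAMPLE_LOG = """\
16:43:50 ipsec,debug -compare proposal #23: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 1024-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -compare proposal #24: Local:Peer
16:43:50 ipsec,debug (lifetime = 86400:86400)
16:43:50 ipsec,debug (lifebyte = 0:0)
16:43:50 ipsec,debug enctype = AES-CBC:AES-CBC
16:43:50 ipsec,debug (encklen = 128:128)
16:43:50 ipsec,debug hashtype = SHA:SHA
16:43:50 ipsec,debug authmethod = pre-shared key:pre-shared key
16:43:50 ipsec,debug dh_group = 768-bit MODP group:768-bit MODP group
16:43:50 ipsec,debug -an acceptable proposal found-
"""

PROPOSAL_RE = re.compile(r"-compare proposal #(\d+): Local:Peer")
# "(lifetime = 86400:86400)" or "enctype = AES-CBC:AES-CBC": optional
# parentheses, attribute name, then "local:peer".
ATTR_RE = re.compile(r"\(?(\w+) = ([^()]+?)\)?$")
ACCEPTED_MARK = "-an acceptable proposal found-"


@dataclass
class Proposal:
    number: int
    attrs: dict = field(default_factory=dict)  # name -> (local, peer)

    def mismatches(self):
        """Attribute names whose local and peer values differ."""
        return [n for n, (local, peer) in self.attrs.items() if local != peer]


def parse_proposals(log_text):
    """Return (proposals, accepted): the parsed comparisons in log order and
    whether the daemon logged that an acceptable proposal was found."""
    proposals, current, accepted = [], None, False
    for raw in log_text.splitlines():
        # Drop the "HH:MM:SS ipsec,debug " prefix and keep the message only.
        msg = raw.split("ipsec,debug ", 1)[-1].strip()
        m = PROPOSAL_RE.search(msg)
        if m:
            current = Proposal(int(m.group(1)))
            proposals.append(current)
            continue
        if msg == ACCEPTED_MARK:
            accepted, current = True, None
            continue
        a = ATTR_RE.match(msg)
        if current is not None and a and ":" in a.group(2):
            local, peer = a.group(2).split(":", 1)
            current.attrs[a.group(1)] = (local.strip(), peer.strip())
    return proposals, accepted


def matching_proposals(proposals):
    """Proposals on which every compared attribute agreed."""
    return [p for p in proposals if p.attrs and not p.mismatches()]


def blocking_attributes(proposals):
    """Attributes that differed in *every* comparison. If nothing matched and
    this set is non-empty, it names the setting one side has to change."""
    if not proposals:
        return set()
    common = set(proposals[0].mismatches())
    for p in proposals[1:]:
        common &= set(p.mismatches())
    return common


def peer_offer(proposals):
    """The peer's side of each attribute, taken from the first comparison (in
    the log above the peer offered the same single transform every time)."""
    if not proposals:
        return {}
    return {n: peer for n, (_, peer) in proposals[0].attrs.items()}


if __name__ == "__main__":
    props, ok = parse_proposals(SAMPLE_LOG)
    for p in props:
        print(f"proposal #{p.number}: " + (", ".join(p.mismatches()) or "match"))
    print("accepted:", ok, "| peer offers:", peer_offer(props))
    print("mismatched in every comparison:", sorted(blocking_attributes(props)))
```

Feed it the full debug capture (for example the output of /log print where topics~"ipsec") and compare "peer offers" against what the remote box's GUI claims to send; in the log above the peer offers AES-CBC-128, SHA1 and modp768, which is what the accepted proposal #24 agrees on.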
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN Problem

Mon Dec 02, 2019 6:33 pm

Hm. In the IKE session where Mikrotik acts as initiator, it sends the Phase 2 negotiation packet multiple times and the remote peer doesn't respond to it at all:
16:43:20 ipsec,debug 1 times of 2956 bytes message will be sent to 25.2.198.15[500] 
then 16:43:30, then 16:43:40.

At 16:43:48, an incoming attempt from the remote peer is received but it seems not to be accepted, so I guess the configuration conversion from 6.43.16 to 6.45.7 didn't go completely well. Please show me the current /export verbose hide-sensitive.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
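To do the find-and-replace sindy asks for mechanically and consistently, here is an added example; it is not from any poster in this thread and not a MikroTik tool. It first joins the backslash-continued lines an /export produces, because RouterOS wraps long lines at a fixed column and can split an address across two lines (the export in this thread wraps mid-token in several places, e.g. "network=\" followed by the address on the next line), then replaces every globally routable IPv4 address with my.public.ip.N, using the same N wherever that address recurs, and leaves RFC 1918 and other special-purpose addresses untouched. The sample input is constructed from a few lines of the export posted here; the function names are my own.

```python
"""Sanitise a RouterOS /export before posting it: join the export's
backslash-continued lines, then replace every globally routable IPv4 address
with a stable placeholder (my.public.ip.1, my.public.ip.2, ...) so the
configuration stays internally consistent but no longer identifies the site."""
import ipaddress
import re

# Constructed sample: a few lines in the shape of the export in this thread,
# including a value that RouterOS wrapped across two lines.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.1.199/24 disabled=no interface=bridge-local network=\\
192.168.1.0
add address=192.77.63.18/24 disabled=no interface=ether1-wan network=192.77.63.0
/ip ipsec peer
add address=25.2.198.15/32 comment=Office exchange-mode=main name=\\
peer1 profile=default
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
"""

# A dotted quad not glued to other digits or dots, so "6.45.7" or "0x8000"
# never match and "192.168.1.100-192.168.1.190" yields two separate addresses.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def join_continuations(text):
    """RouterOS wraps long export lines with a trailing backslash and indents
    the continuation; an address can be split mid-token, so join first."""
    lines, buf = [], ""
    for line in text.splitlines():
        piece = line.lstrip() if buf else line
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        lines.append(buf + piece)
        buf = ""
    if buf:
        lines.append(buf)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def identifying(addr_text):
    """True for addresses worth hiding: globally routable ones. RFC 1918,
    loopback, link-local, 0.0.0.0 and documentation ranges are left alone."""
    try:
        return ipaddress.IPv4Address(addr_text).is_global
    except ipaddress.AddressValueError:  # e.g. 300.1.1.1 matched by the regex
        return False


def sanitize_export(text, placeholder="my.public.ip"):
    """Return (sanitised_text, mapping). Each distinct public address gets the
    same placeholder everywhere it appears, numbered in order of first sight."""
    mapping = {}

    def repl(m):
        ip = m.group(1)
        if not identifying(ip):
            return ip
        if ip not in mapping:
            mapping[ip] = f"{placeholder}.{len(mapping) + 1}"
        return mapping[ip]

    return IPV4_RE.sub(repl, join_continuations(text)), mapping


if __name__ == "__main__":
    out, seen = sanitize_export(SAMPLE_EXPORT)
    print(out)
    for ip, name in seen.items():
        print(f"# {name} <- {ip}   (keep this table to yourself)")
```

Two caveats: it also replaces public DNS servers such as 8.8.8.8, which reveal nothing, so review the mapping before deciding what to post and keep the mapping private; and hide-sensitive covers keys and passwords only, so the MAC addresses and the serial number in the export header still have to be blanked by hand.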
 
pommo
just joined
Topic Author
Posts: 4
Joined: Sun Dec 01, 2019 9:50 am

Re: VPN Problem

Tue Dec 03, 2019 1:11 pm

Hello,
thank you very much. Below is the export. Sorry for the late response.

Code: Select all

# dec/03/2019 12:49:09 by RouterOS 6.45.7
# software id = GLDH-AY03
#
# model = RB1100Dx4
# serial number = bla bla
/interface bridge
add admin-mac=84:4D:28:D6:44:DD ageing-time=5m arp=enabled arp-timeout=auto \
auto-mac=no dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s \
igmp-snooping=no max-message-age=20s mtu=auto name=bridge-local priority=\
0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
comment=isp1 disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
14:4D:28:D8:44:DC mtu=1500 name=ether1-wan orig-mac-address=\
14:4D:28:D8:44:DC rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
14:4D:28:D8:44:DD mtu=1500 name=ether2 orig-mac-address=74:3D:28:D8:44:DD \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:DE mtu=1500 name=ether3 orig-mac-address=74:3D:28:D8:44:DE \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:DF mtu=1500 name=ether4 orig-mac-address=74:3D:28:D8:44:DF \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E0 mtu=1500 name=ether5 orig-mac-address=74:3D:28:D8:44:E0 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E1 mtu=1500 name=ether6 orig-mac-address=74:3D:28:D8:44:E1 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E2 mtu=1500 name=ether7 orig-mac-address=74:3D:28:D8:44:E2 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E3 mtu=1500 name=ether8 orig-mac-address=74:3D:28:D8:44:E3 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E4 mtu=1500 name=ether9 orig-mac-address=74:3D:28:D8:44:E4 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E5 mtu=1500 name=ether10 orig-mac-address=74:3D:28:D8:44:E5 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E6 mtu=1500 name=ether11 orig-mac-address=74:3D:28:D8:44:E6 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E7 mtu=1500 name=ether12 orig-mac-address=74:3D:28:D8:44:E7 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether13 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1592 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
74:3D:28:D8:44:E8 mtu=1500 name=ether13 orig-mac-address=74:3D:28:D8:44:E8 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
/queue interface
set bridge-local queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
set 1 !cpu-flow-control mirror-source=none mirror-target=none name=switch2
set 2 !cpu-flow-control mirror-source=none mirror-target=none name=switch3
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
include="" name=dynamic
add comment="WAN ports" exclude="" include="" name=WAN
add comment="LAN ports" exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet \
default-route-distance=2 name=default use-peer-dns=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no eap-methods=\
passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled mode=none mschapv2-username="" name=default \
radius-called-format=mac:ssid radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none \
static-sta-private-algo=none static-transmit-key=key-0 supplicant-identity=\
MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers=\
aes-ccm
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=\
0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
!insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=\
modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 \
dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
aes-256,aes-192,aes-128,3des,des hash-algorithm=sha1 lifetime=1d name=\
default nat-traversal=yes proposal-check=obey
/ip ipsec peer
add address=25.2.198.15/32 comment=Office disabled=no exchange-mode=main name=\
peer1 profile=default send-initial-contact=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5,null disabled=\
no enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256,aes-192-\
cbc,aes-192-ctr,aes-192-gcm,camellia-192,aes-128-cbc,aes-128-ctr,aes-128-gcm\
,camellia-128,3des,blowfish,twofish,des,null" lifetime=30m name=default \
pfs-group=modp768
/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.190
/ip dhcp-server
add address-pool=pool-lan authoritative=yes disabled=no interface=bridge-local \
lease-script="" lease-time=10m name=dhcp-lan use-radius=no
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
set 1 baud-rate=115200 data-bits=8 flow-control=none name=serial1 parity=none \
stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost \
!bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
!incoming-filter !insert-queue-before !interface-list !local-address name=\
default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue \
!queue-type !rate-limit !remote-address !session-timeout use-compression=\
default use-encryption=default use-mpls=default use-upnp=default \
!wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost \
!bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
!incoming-filter !insert-queue-before !interface-list !local-address name=\
default-encryption on-down="" on-up="" only-one=default !outgoing-filter \
!parent-queue !queue-type !rate-limit !remote-address !session-timeout \
use-compression=default use-encryption=yes use-mpls=default use-upnp=\
default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=\
32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=\
32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1-wan queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether10 queue=only-hardware-queue
set ether11 queue=only-hardware-queue
set ether12 queue=only-hardware-queue
set ether13 queue=only-hardware-queue
/routing bgp instance
set default as=65530 client-to-client-reflection=yes !cluster-id !confederation \
disabled=no ignore-as-path-len=no name=default out-filter="" \
redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=no \
redistribute-rip=no redistribute-static=no router-id=0.0.0.0 routing-table=\
""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never !domain-id \
!domain-tag in-filter=ospf-in metric-bgp=auto metric-connected=20 \
metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 \
!mpls-te-area !mpls-te-router-id name=default out-filter=ospf-out \
redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
redistribute-rip=no redistribute-static=no router-id=0.0.0.0 !routing-table \
!use-dn
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
backbone type=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 \
encryption-protocol=DES name=public read-access=yes security=none \
write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web\
,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pass\
word,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,wi\
nbox,password,web,sniff,sensitive,api,romon,dude,tikapp" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=yes crl-store=ram crl-use=yes
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether2 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether3 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether4 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether5 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether6 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether7 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether8 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether9 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether10 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether11 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether12 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge-local broadcast-flood=yes \
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=\
yes ingress-filtering=no interface=ether13 internal-path-cost=10 learn=auto \
multicast-router=temporary-query path-cost=10 point-to-point=auto priority=\
0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=\
5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m \
udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=\
30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=yes \
send-redirects=yes tcp-syncookies=no
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=\
none wan-interface-list=none
/interface l2tp-server server
set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=\
ip-address default-profile=default-encryption enabled=no keepalive-timeout=\
30 max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled \
one-session-per-host=no use-ipsec=no
/interface list member
add disabled=no interface=ether2 list=LAN
add disabled=no interface=ether3 list=LAN
add disabled=no interface=ether4 list=LAN
add disabled=no interface=ether5 list=LAN
add disabled=no interface=ether6 list=LAN
add disabled=no interface=ether7 list=LAN
add disabled=no interface=ether8 list=LAN
add disabled=no interface=ether9 list=LAN
add disabled=no interface=ether10 list=LAN
add disabled=no interface=ether11 list=LAN
add disabled=no interface=ether12 list=LAN
add disabled=no interface=ether13 list=LAN
add disabled=no interface=ether1-wan list=WAN
/interface ovpn-server server
set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=no \
keepalive-timeout=60 mac-address=FE:C2:6C:AB:8A:4A max-mtu=1500 mode=ip \
netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=\
no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
default enabled=no force-aes=no keepalive-timeout=60 max-mru=1500 max-mtu=\
1500 mrru=disabled pfs=no port=443 tls-version=any \
verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.1.199/24 disabled=no interface=bridge-local network=\
192.168.1.0
add address=192.77.63.18/24 disabled=no interface=ether1-wan network=192.77.63.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s store-leases-disk=5m
/ip dhcp-server network
add address=192.168.1.0/24 caps-manager="" dhcp-option="" dns-server=\
192.168.1.199 gateway=192.168.1.199 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
servers=8.8.8.8
/ip dns static
add address=192.168.1.199 disabled=no name=router regexp="" ttl=1d
/ip firewall address-list
add address=192.168.1.0/24 disabled=no list=Internet
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept all from bridge-local" \
in-interface=bridge-local
add action=accept chain=input comment="Accept access for ManageIP group" \
src-address-list=ManageIP
add action=drop chain=input comment="Drop all other"
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related disabled=yes
add action=accept chain=forward comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
"Accept Internet via ISP1 for Internet group" connection-state=new \
in-interface=bridge-local out-interface=ether1-wan src-address-list=\
Internet
add action=drop chain=forward comment="Drop all other"
/ip firewall nat
add action=accept chain=srcnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=yes \
!dscp dst-address=192.168.2.0/24 !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-bridge-port-list !out-interface \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority !protocol !psd !random !routing-mark !routing-table \
src-address=192.168.1.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-mss !time !tls-host !to-addresses !to-ports \
!ttl
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=WAN !to-addresses !to-ports
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
disabled=no name=default-trial
/ip ipsec identity
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer1
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer2
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer3
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer4
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer5
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer6
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer7
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer8
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer9
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer10
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer11
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer12
add auth-method=pre-shared-key disabled=no generate-policy=no peer=peer13
/ip ipsec policy
set 0 disabled=yes dst-address=::/0 group=default proposal=default protocol=all \
src-address=::/0 template=yes
add action=encrypt comment=Office disabled=no dst-address=192.168.2.0/24 \
dst-port=any ipsec-protocols=esp level=require peer=peer1 proposal=default \
protocol=all sa-dst-address=:: sa-src-address=:: src-address=192.168.1.0/24 \
src-port=any tunnel=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
max-cache-object-size=2048KiB max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
src-address=::
/ip route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
!bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=192.77.63.1 !route-tag !routing-mark scope=30 \
target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=no port=8729
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=yes \
nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=yes \
packets=yes protocol=yes src-address=yes src-address-mask=yes \
src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=\
yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
use-radius=no
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-community=public \
trap-generators=temp-exception trap-target="" trap-version=1
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Bucharest
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=MyRouter
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=memory disabled=no prefix="" topics=ipsec,!packet
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0 server-dns-names=""
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
/system resource irq rps
set ether1-wan disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
/system routerboard settings
set auto-upgrade=no baud-rate=115200 boot-delay=2s boot-device=\
nand-if-fail-then-ethernet boot-protocol=bootp enable-jumper-reset=yes \
enter-setup-on=any-key protected-routerboot=disabled reformat-hold-button=\
20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> port=25 start-tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
filter-interface="" filter-ip-address="" filter-ip-protocol="" \
filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
filter-operator-between-entries=or filter-port="" filter-stream=no \
memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=no \
streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no \
stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
use-radius=no
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN Problem

Tue Dec 03, 2019 3:29 pm

These two things do not match each other to me, unless the Cisco uses an exchange mode other than main and the log message is confusing:
16:43:48 ipsec,debug ===== received 236 bytes from 25.2.198.15[500] to 192.77.63.18[500]
16:43:48 ipsec no IKEv1 peer config for 25.2.198.15 
vs.
/ip ipsec peer
add address=25.2.198.15/32 comment=Office disabled=no exchange-mode=main name=peer1 profile=default send-initial-contact=yes
So to obtain some additional information, I'd recommend setting passive=yes on the Mikrotik peer, so that we can see the Phase 2 proposal coming from the Cisco while it acts as the initiator, and if you keep seeing the "no IKEv1 peer config for 25.2.198.15" message, try setting that peer's exchange-mode to aggressive and base, one by one.

The Cisco obviously did respond to our initial message, so exchange mode main is not a show stopper on its own, but as we want to see the Cisco's phase 2 proposal, we need to accommodate its initial request.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
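The check behind the suggestion above, as an added example that is not part of this thread or of RouterOS: a small Python decoder for the fixed ISAKMP header (RFC 2408) of a datagram taken off UDP/500 (for instance with /tool sniffer on the router, or tcpdump on the path), so you can read the exchange type the remote actually initiates with (Base=1, Main=2, Aggressive=4) and compare it with the peer's exchange-mode instead of guessing. The two sample datagrams are constructed inside the script (dummy SA/KE/nonce bodies, the thread's 25.2.198.15 as the identity); they are not captures. The script also walks the payload chain of the unencrypted first message, which makes the security difference between the modes visible: aggressive mode sends the initiator's identity in the clear in message 1 and, with pre-shared keys, exposes a hash an eavesdropper can attack offline, which is why main mode is the one to keep once the tunnel works.

```python
"""Decode the ISAKMP (IKEv1) header and cleartext payload chain of a UDP/500 datagram.

When RouterOS logs "no IKEv1 peer config for <ip>" for an address that is
configured under /ip ipsec peer, the usual mismatch is the exchange type the
remote initiates with. The wire header says which one it is.
"""
import struct

HEADER_LEN = 28
HEADER_FMT = "!8s8sBBBBII"   # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
ENCRYPTED_FLAG = 0x01

# RFC 2408 section 3.1 / RFC 2409 exchange types, with the RouterOS keyword where one exists.
EXCHANGE_TYPES = {
    1: ("Base", "base"),
    2: ("Identity Protection (Main Mode)", "main"),
    3: ("Authentication Only", None),
    4: ("Aggressive", "aggressive"),
    5: ("Informational", None),
    32: ("Quick Mode", None),
    33: ("New Group Mode", None),
}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
# RFC 2407 section 4.6.2.1: ID types decoded from a cleartext ID payload.
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def parse_isakmp(datagram: bytes) -> dict:
    """Return header fields plus the list of payload types (and any cleartext identity)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError(f"datagram too short for ISAKMP header: {len(datagram)} bytes")
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if length != len(datagram):
        raise ValueError(f"ISAKMP length {length} != datagram length {len(datagram)}")
    name, keyword = EXCHANGE_TYPES.get(xchg, (f"unknown({xchg})", None))
    info = {
        "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": xchg, "exchange_name": name, "routeros_exchange_mode": keyword,
        "encrypted": bool(flags & ENCRYPTED_FLAG), "message_id": msgid,
        "payloads": [], "identity": None,
    }
    if info["encrypted"]:
        return info   # payload chain is ciphertext; nothing to walk
    off = HEADER_LEN
    while nxt != 0:
        if off + 4 > len(datagram):
            raise ValueError("truncated payload header")
        nxt_after, _reserved, plen = struct.unpack("!BBH", datagram[off:off + 4])
        if plen < 4 or off + plen > len(datagram):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = datagram[off + 4:off + plen]
        info["payloads"].append(PAYLOAD_TYPES.get(nxt, str(nxt)))
        if nxt == 5 and len(body) >= 4:   # ID payload: id type, protocol id, port, data
            id_type, data = body[0], body[4:]
            if id_type == 1 and len(data) == 4:
                info["identity"] = ("IPV4_ADDR", ".".join(str(b) for b in data))
            else:
                info["identity"] = (ID_TYPES.get(id_type, str(id_type)), data.decode("ascii", "replace"))
        nxt, off = nxt_after, off + plen
    return info


def build_isakmp(exchange_type: int, payloads: list) -> bytes:
    """Assemble a plaintext ISAKMP message from (payload type, body) pairs.
    Used only to construct sample input here; bodies are dummies, not valid SA/KE data."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HEADER_FMT, bytes.fromhex("0123456789abcdef"), bytes(8),
                      first, 0x10, exchange_type, 0, 0, HEADER_LEN + len(chain))
    return hdr + chain


# Constructed samples (not captures): phase-1 message 1 in each mode from 25.2.198.15.
# Aggressive mode carries KE, NONCE and the initiator's ID in the clear in its first message;
# main mode's first message carries only the SA proposal (plus an optional vendor ID).
AGGRESSIVE_MSG1 = build_isakmp(4, [(1, b"\x00" * 8), (4, b"\x00" * 96), (10, b"\x00" * 16),
                                  (5, bytes([1, 17, 0x01, 0xf4]) + bytes([25, 2, 198, 15])),
                                  (13, b"\x00" * 16)])
MAIN_MSG1 = build_isakmp(2, [(1, b"\x00" * 8), (13, b"\x00" * 16)])


def diagnose(datagram: bytes, configured_mode: str) -> str:
    """Compare the exchange type on the wire with the RouterOS peer's exchange-mode keyword."""
    h = parse_isakmp(datagram)
    wire = h["routeros_exchange_mode"]
    if wire is None:
        return f"{h['exchange_name']}: not a phase-1 initiation"
    if wire == configured_mode:
        return f"exchange-mode={configured_mode} matches wire ({h['exchange_name']})"
    return f"mismatch: peer has exchange-mode={configured_mode}, remote initiates {h['exchange_name']}"


if __name__ == "__main__":
    for label, msg in (("aggressive", AGGRESSIVE_MSG1), ("main", MAIN_MSG1)):
        h = parse_isakmp(msg)
        print(label, h["exchange_name"], h["payloads"], h["identity"])
        print("  ", diagnose(msg, "main"))
```

Feed it the raw UDP payload of the first packet the remote sends after you set passive=yes; the `routeros_exchange_mode` field is the keyword the peer entry needs, and a non-empty `identity` on message 1 is the tell-tale of aggressive mode.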
 
pommo
just joined
Topic Author
Posts: 4
Joined: Sun Dec 01, 2019 9:50 am

Re: VPN Problem

Tue Dec 03, 2019 4:53 pm

Hello, thank you. I didn't change the peer as you suggested, but it gave me an idea: I changed (actually disabled) Aggressive mode on the Linksys and now the VPN works.
The rest of the config is the same.
I don't understand how this mattered so much.
In the old config (with Cisco/Linksys) I used Aggressive mode for DEAD peer.
