hanz
just joined
Topic Author
Posts: 1
Joined: Thu May 13, 2021 12:31 pm

IPSEC: ignore the packet, received unexpecting payload type 130

Thu May 13, 2021 1:26 pm

Hi guys,

I need help solving a problem with IPsec.
I am trying to create an IPsec tunnel between a Juniper SRX and a MikroTik RB912R-2nD.

The MikroTik is behind NAT. The SRX has a public IP address.
In the log, I just changed the SRX IP address to 1.1.1.1.

MikroTik configuration
/ip ipsec profile
add dh-group=modp1024 dpd-interval=30s enc-algorithm=aes-256 lifetime=8h name=\
    SRX
/ip ipsec peer
add address=1.1.1.1/32 disabled=yes exchange-mode=aggressive name=\
    1.1.1.1 profile=SRX
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1d pfs-group=\
    modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=SRX \
    pfs-group=none
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:ipsec-test peer=1.1.1.1 \
    secret=secret
/ip ipsec policy
add dst-address=192.168.0.0/24 level=use peer=1.1.1.1 proposal=SRX \
    src-address=192.168.1.0/24 tunnel=yes


SRX configurations
----- IKE ---------------
proposal pre-g2-aes256-sha-28800 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}

policy test_pol_p1 {
    mode aggressive;
    proposals pre-g2-aes256-sha-28800;
    pre-shared-key ascii-text ## SECRET-DATA
}


gateway test_gw_p2 {
    ike-policy test_pol_p1;
    dynamic hostname ipsec-test;
    dead-peer-detection {
        interval 30;
        threshold 5;
    }
    external-interface ge-0/0/4;
}

--------------------------------
----IPsec-----

proposal esp-aes256-sha256-1h {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}

policy test_pol_p2 {
    proposals esp-aes256-sha256-1h;
}


vpn test_vpn_p2 {
    bind-interface st0.113;
    ike {
        gateway test_gw_p2;
        ipsec-policy test_pol_p2;
    }
}


LOG messages
May/13/2021 11:46:45 ipsec,debug ===
May/13/2021 11:46:45 ipsec,info initiate new phase 1 (Aggressive): 100.84.255.189[500]<=>1.1.1.1[500]
May/13/2021 11:46:45 ipsec,debug new cookie:
May/13/2021 11:46:45 ipsec,debug e0681131f281770d
May/13/2021 11:46:45 ipsec,debug use ID type of FQDN
May/13/2021 11:46:45 ipsec,debug dh(modp1024)
May/13/2021 11:46:45 ipsec,debug authmethod is pre-shared key
May/13/2021 11:46:45 ipsec,debug add payload of len 52, next type 4
May/13/2021 11:46:45 ipsec,debug add payload of len 128, next type 10
May/13/2021 11:46:45 ipsec,debug add payload of len 24, next type 5
May/13/2021 11:46:45 ipsec,debug add payload of len 18, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 13
May/13/2021 11:46:45 ipsec,debug add payload of len 16, next type 0
May/13/2021 11:46:45 ipsec,debug 526 bytes from 100.84.255.189[500] to 1.1.1.1[500]
May/13/2021 11:46:45 ipsec,debug 1 times of 526 bytes message will be sent to 1.1.1.1[500]
May/13/2021 11:46:45 ipsec sent phase1 packet 100.84.255.189[500]<=>1.1.1.1[500] e0681131f281770d:0000000000000000
May/13/2021 11:46:45 ipsec,debug ===== received 524 bytes from 1.1.1.1[500] to 100.84.255.189[500]
May/13/2021 11:46:45 ipsec,debug begin.
May/13/2021 11:46:45 ipsec,debug seen nptype=1(sa) len=56
May/13/2021 11:46:45 ipsec,debug seen nptype=4(ke) len=132
May/13/2021 11:46:45 ipsec,debug seen nptype=10(nonce) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=5(id) len=12
May/13/2021 11:46:45 ipsec,debug seen nptype=8(hash) len=24
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=32
May/13/2021 11:46:45 ipsec,debug seen nptype=13(vid) len=12
May/13/2021 11:46:45 ipsec,debug seen nptype=130(nat-d) len=24
May/13/2021 11:46:45 ipsec,debug seen nptype=130(nat-d) len=24
May/13/2021 11:46:45 ipsec,debug succeed.
May/13/2021 11:46:45 ipsec received Vendor ID: DPD
May/13/2021 11:46:45 ipsec,debug remote supports DPD
May/13/2021 11:46:45 ipsec,debug received unknown Vendor ID
May/13/2021 11:46:45 ipsec,debug 27bab5dc 01ea0760 ea4e3190 ac27c0d0
May/13/2021 11:46:45 ipsec,debug received unknown Vendor ID
May/13/2021 11:46:45 ipsec,debug 6105c422 e76847e4 3f968480 1292aecd
May/13/2021 11:46:45 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May/13/2021 11:46:45 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May/13/2021 11:46:45 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
May/13/2021 11:46:45 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May/13/2021 11:46:45 ipsec received Vendor ID: RFC 3947
May/13/2021 11:46:45 ipsec,debug received unknown Vendor ID
May/13/2021 11:46:45 ipsec,debug 69936922 8741c6d4 ca094c93 e242c9de 19e7b7c6 00000005 00000500
May/13/2021 11:46:45 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May/13/2021 11:46:45 ipsec 1.1.1.1 ignore the packet, received unexpecting payload type 130.
May/13/2021 11:46:55 ipsec,debug 526 bytes from 100.84.255.189[500] to 1.1.1.1[500]
May/13/2021 11:46:55 ipsec,debug 1 times of 526 bytes message will be sent to 1.1.1.1[500]
May/13/2021 11:46:55 ipsec resent phase1 packet 100.84.255.189[500]<=>1.1.1.1[500] e0681131f281770d:0000000000000000
May/13/2021 11:46:55 ipsec,debug ===== received 524 bytes from 1.1.1.1[500] to 100.84.255.189[500]
May/13/2021 11:46:55 ipsec,debug begin.
May/13/2021 11:46:55 ipsec,debug seen nptype=1(sa) len=56
May/13/2021 11:46:55 ipsec,debug seen nptype=4(ke) len=132
May/13/2021 11:46:55 ipsec,debug seen nptype=10(nonce) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=5(id) len=12
May/13/2021 11:46:55 ipsec,debug seen nptype=8(hash) len=24
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=20
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=32
May/13/2021 11:46:55 ipsec,debug seen nptype=13(vid) len=12
May/13/2021 11:46:55 ipsec,debug seen nptype=130(nat-d) len=24
May/13/2021 11:46:55 ipsec,debug seen nptype=130(nat-d) len=24
May/13/2021 11:46:55 ipsec,debug succeed.
May/13/2021 11:46:55 ipsec received Vendor ID: DPD
May/13/2021 11:46:55 ipsec,debug remote supports DPD
May/13/2021 11:46:55 ipsec,debug received unknown Vendor ID
May/13/2021 11:46:55 ipsec,debug 27bab5dc 01ea0760 ea4e3190 ac27c0d0
May/13/2021 11:46:55 ipsec,debug received unknown Vendor ID
May/13/2021 11:46:55 ipsec,debug 6105c422 e76847e4 3f968480 1292aecd
May/13/2021 11:46:55 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May/13/2021 11:46:55 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May/13/2021 11:46:55 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
May/13/2021 11:46:55 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May/13/2021 11:46:55 ipsec received Vendor ID: RFC 3947
May/13/2021 11:46:55 ipsec,debug received unknown Vendor ID
May/13/2021 11:46:55 ipsec,debug 69936922 8741c6d4 ca094c93 e242c9de 19e7b7c6 00000005 00000500
May/13/2021 11:46:55 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May/13/2021 11:46:55 ipsec 1.1.1.1 ignore the packet, received unexpecting payload type 130.
Thank you for any help.
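
Added example, not part of the original post: a small Python parser for debug lines in the format shown above. It groups them by received packet, lists the NAT-T vendor IDs the peer advertised, and reports which payload type the router refused and how often it appeared. The range labels follow RFC 2408 (128-255 is private use) and RFC 3947 (NAT-D is 20, NAT-OA is 21); the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the log in the post above, shortened to the relevant lines.
SAMPLE_LOG = """\
May/13/2021 11:46:45 ipsec,debug ===== received 524 bytes from 1.1.1.1[500] to 100.84.255.189[500]
May/13/2021 11:46:45 ipsec,debug seen nptype=1(sa) len=56
May/13/2021 11:46:45 ipsec,debug seen nptype=130(nat-d) len=24
May/13/2021 11:46:45 ipsec,debug seen nptype=130(nat-d) len=24
May/13/2021 11:46:45 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May/13/2021 11:46:45 ipsec received Vendor ID: RFC 3947
May/13/2021 11:46:45 ipsec 1.1.1.1 ignore the packet, received unexpecting payload type 130.
"""

RECEIVED = re.compile(r"===== received \d+ bytes from (\S+?)\[")
SEEN = re.compile(r"seen nptype=(\d+)\(")
VID = re.compile(r"received Vendor ID: (.+?)\s*$")
REJECT = re.compile(r"ignore the packet, received unexpecting payload type (\d+)")

def payload_range(ptype):
    """Classify an ISAKMP next-payload number (RFC 2408 ranges, RFC 3947 NAT-T)."""
    if ptype in (20, 21):
        return "RFC 3947 NAT-T"
    if 128 <= ptype <= 255:
        return "private use"
    return "RFC 2408 base" if ptype <= 13 else "reserved/other"

def analyze(log):
    """Return one summary dict per received IKE packet found in the log."""
    packets, cur = [], None
    for line in log.splitlines():
        if m := RECEIVED.search(line):
            cur = {"peer": m.group(1), "payloads": Counter(),
                   "natt_vids": [], "rejected": None}
            packets.append(cur)
        elif cur is None:
            continue  # lines before the first received packet (our own send)
        elif m := SEEN.search(line):
            cur["payloads"][int(m.group(1))] += 1
        elif (m := VID.search(line)) and ("nat-t" in m.group(1) or "3947" in m.group(1)):
            cur["natt_vids"].append(m.group(1))
        elif m := REJECT.search(line):
            t = int(m.group(1))
            cur["rejected"] = {"type": t, "range": payload_range(t),
                               "seen_in_packet": cur["payloads"][t]}
    return packets

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the excerpt this reports a peer that advertises both a draft NAT-T vendor ID and RFC 3947 yet sends its two NAT-D payloads with the private-use number 130, which is the type the router then refuses.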
