amazen

IPSEC Phase 2 not establishing

Mon Apr 15, 2024 3:28 pm

Hello, this is my first time configuring IPsec on MikroTik and HPE. I've been troubleshooting it for over a week now and still cannot get phase 2 to establish. I'm trying to secure the connectivity between the 2 sites, since they are connected over GRE.
I have 2 routers; the topology and the configuration of both routers are below.

lo1 (192.168.89.1/32) - Mikrotik - 1.1.1.1 (Public IP) --- ISP --- 2.2.2.2 (Public IP) HPE - lo1 (192.168.90.1/24)

By the way, I also tried this config in our lab, where the two routers are connected only point-to-point, and there phase 2 works fine.
Any help is greatly appreciated.

Mikrotik config
# apr/15/2024 12:02:55 by RouterOS 6.49.8
# software id = PR8G-6A53
#
# model = RB3011UiAS
# serial number = <edit>
# Interfaces: the bridges lo1 and loopback0 (no bridge ports appear in this
# export), the physical ports, the PPPoE client on ether1 and the GRE tunnel.
/interface bridge
add name=lo1
add comment=MGMT name=loopback0
# ether2 and ether10 are labelled; ether3-ether9 are administratively disabled.
/interface ethernet
set [ find default-name=ether2 ] comment="=[Customer LAN]="
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] comment="=[LOCAL_MANAGEMENT]="
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=disabled max-mtu=1492 name=pppoe-out1 user=username123
# GRE tunnel with keepalive unset (!keepalive) and no local-address given.
# NOTE(review): the IPsec policies in this export select
# 192.168.89.0/24 <=> 192.168.90.0/24. GRE packets addressed to
# remote-address=remotepublicip would not match those selectors, so as exported
# the tunnel traffic itself would not be encrypted - confirm against the goal of
# securing the GRE link.
/interface gre
add !keepalive mtu=1420 name=gre-tunnel1 remote-address=remotepublicip
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKE (phase 1) profile, the peer that uses it, and the ESP (phase 2) proposal.
# NOTE(review): the profile is named ..._SHA1_DH2, but the values set are sha256
# and modp2048, which line up with the HPE proposal IKE_PRO_AES256_SHA256_DH14
# (integrity sha256, dh group14). The name is misleading and worth correcting.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKE_PRO_AES256_SHA1_DH2 nat-traversal=no prf-algorithm=sha256
# Peer entry for the HPE side (2.2.2.2/32), using IKEv2 and the profile above.
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 name=TEST_VPN profile=IKE_PRO_AES256_SHA1_DH2
# NOTE(review): no pfs-group is set on this proposal. The ipsec log on this page
# shows the CREATE_CHILD_SA offer carrying "dh: modp1024", and the HPE
# transform-set has "pfs dh-group2" - a weaker group than the modp2048 used for
# IKE; consider raising PFS to the same strength on both ends.
# NOTE(review): on the HPE side the ipsec policy references transform-set
# IPSEC_PRO_AES256_SHA256_DH14, while the transform-set displayed is named
# PH2_PRO_AES256_SHA256 - confirm the referenced set exists and matches.
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IPSEC_PROPOSAL
# Addressing and services: DHCP for ether10, the BGP instance, the SNMP
# community, interface addresses, DHCP relay, DNS and the mangle/NAT/raw tables.
# NOTE(review): no "/ip firewall filter" section appears anywhere in this export.
# If it was not simply trimmed for posting, nothing here filters traffic to the
# router itself on pppoe-out1 - confirm.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether10 name=dhcp1
# The default BGP instance is disabled; instance "BGP" (AS 65135) redistributes
# connected routes.
/routing bgp instance
set default disabled=yes
add as=65135 client-to-client-reflection=no name=BGP redistribute-connected=yes router-id=10.254.248.93
# NOTE(review): the community name acts as the credential for SNMP v1/v2c and
# is shown in clear here; no addresses= restriction appears on this line.
# Treat the value as disclosed and confirm which sources may query SNMP.
/snmp community
set [ find default=yes ] name=OTLSNMP
/ip address
add address=10.5.215.254/21 interface=ether2 network=10.5.208.0
add address=10.254.248.93 comment=MGMT interface=loopback0 network=10.254.248.93
add address=192.168.88.1/24 interface=ether10 network=192.168.88.0
add address=privateip/30 interface=gre-tunnel1
add address=192.168.89.1 interface=lo1 network=192.168.89.1
# Relays DHCP requests arriving on ether2 to 192.168.17.129.
/ip dhcp-relay
add dhcp-server=192.168.17.129 disabled=no interface=ether2 local-address=10.5.215.254 name=DHCP_RELAY
/ip dhcp-server network
add address=192.168.88.0/24
# allow-remote-requests=yes lets other hosts use the router as a DNS resolver.
# NOTE(review): with no filter rules shown, confirm the resolver is not
# reachable from the WAN side.
/ip dns
set allow-remote-requests=yes servers=dnsip
# Marks traffic from 10.5.208.0/21 entering on ether2 with routing mark TO_PAT;
# the /ip route section sends that mark out via gre-tunnel1.
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether2 new-routing-mark=TO_PAT passthrough=yes src-address=10.5.208.0/21
# Accepts (leaves untranslated) traffic from 192.168.89.1 to 192.168.90.0/24.
# Note the match is the single host 192.168.89.1, while the IPsec policy
# selector is 192.168.89.0/24.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.90.0/24 src-address=192.168.89.1
# Both notrack rules are disabled=yes, so they have no effect as exported.
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=192.168.90.0/24 src-address=192.168.89.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.89.0/24 src-address=192.168.90.0/24
/ip firewall service-port
set sip disabled=yes
# IPsec identity and policies for peer TEST_VPN, followed by the static routes.
# NOTE(review): no auth-method or secret appears on the identity line;
# presumably it was removed or hidden for posting - confirm the pre-shared key
# matches the HPE keychain TEST_keychain entry for 1.1.1.1.
/ip ipsec identity
add peer=TEST_VPN
# "set 0 disabled=yes" disables policy entry 0 (presumably the default template
# policy - confirm). The first added policy is the one the log shows being
# negotiated (192.168.89.0/24 <=> 192.168.90.0/24), to which the HPE replies
# TS_UNACCEPTABLE.
# NOTE(review): the second policy has source and destination swapped, i.e. the
# remote subnet as the local source. Check whether it is needed, and compare
# both selectors with HPE ACL 3102, which the HPE ipsec policy references via
# "security acl 3102" and which also carries rules for both directions.
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.90.0/24 peer=TEST_VPN proposal=IPSEC_PROPOSAL src-address=192.168.89.0/24 tunnel=yes
add dst-address=192.168.89.0/24 peer=TEST_VPN proposal=IPSEC_PROPOSAL src-address=192.168.90.0/24 tunnel=yes
# Default route for TO_PAT-marked traffic via gre-tunnel1, default route via
# pppoe-out1, and a static route for the remote subnet via ISP_IP.
/ip route
add distance=1 gateway=gre-tunnel1 routing-mark=TO_PAT
add distance=1 gateway=pppoe-out1
add distance=1 dst-address=192.168.90.0/24 gateway=ISP_IP
# Management services: telnet, ftp, www, api and api-ssl are disabled; ssh is
# limited to the listed source networks; www-ssl is enabled with certificate
# "root".
# NOTE(review): www-ssl carries no address= restriction here, and winbox is not
# listed, so it is presumably at its default - confirm both are limited to
# management networks, since no /ip firewall filter rules appear in this export.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.10.200.0/24,10.10.248.0/24,10.10.247.0/24,10.10.224.0/22,10.10.242.0/24,192.168.88.0/24
set www-ssl certificate=root disabled=no
set api disabled=yes
set api-ssl disabled=yes
# Remaining system settings: LCD, RADIUS for logins, the BGP peer and its route
# filters, SNMP, identity, logging, login note, NTP, sniffer filter and AAA.
/lcd
set time-interval=weekly
# RADIUS server used for the "login" service (router logins).
/radius
add address=radiusip service=login
# BGP peer reached through gre-tunnel1, filtered in both directions by chain MPLS.
/routing bgp peer
add in-filter=MPLS instance=BGP name=BGP_THE out-filter=MPLS remote-address=remoteip remote-as=206999 update-source=gre-tunnel1
# connected-in: tags connected routes inside 10.254.248.0/24 with community
# 65135:201 and accepts the rest. MPLS: accepts the listed prefixes, discards
# 192.168.88.0/24 and, as the last rule, everything else.
/routing filter
add action=accept append-bgp-communities=65135:201 chain=connected-in prefix=10.254.248.0/24 prefix-length=24-32 protocol=connect
add action=accept chain=connected-in protocol=connect
add action=accept chain=MPLS prefix=10.254.248.0/24 prefix-length=24-32
add action=accept chain=MPLS prefix=publicip/24 prefix-length=24-32
add action=accept chain=MPLS prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=MPLS prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=MPLS prefix=192.168.88.0/24 prefix-length=24-32
add action=accept chain=MPLS prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=MPLS prefix=0.0.0.0/0 prefix-length=0-32
# SNMP is enabled, sourced from the MGMT loopback address, with two trap targets.
/snmp
set contact=OIS enabled=yes location=TEST src-address=10.254.248.93 trap-target=10.10.248.2,10.10.248.3
/system identity
set name=OCE-PAT-TEST
# Logs the ipsec topic, excluding messages that also carry the packet topic.
# NOTE(review): the ipsec log on this page contains ipsec,debug lines that print
# the DH shared secret, skeyseed and the SK_* keys of the IKE SA. Remove this
# rule once troubleshooting is done and redact those lines before sharing logs.
/system logging
add topics=ipsec,!packet
# Login banner text stored as the system note.
/system note
set note=" ##   ####  #  #  ####  ##   ####  ###          #  ###\
    \n#  #  #  #  # #   #    #  #  #  #  #  #         #  #\
    \n#  #  ####  # #   ###  #  #  # #   #  #   ###   #   #\
    \n ##   #  #  #  #  #     ##   #  #  ###          # ###\
    \n\
    \n\
    \n\
    \nUNAUTHORISED ACCESS PROHIBITED:\
    \n\
    \n\
    \nThis System and Data Is The Property of Oakford Internet Services\
    \n\
    \n\
    \nDirect queries to support@oakfordis.com."
/system ntp client
set enabled=yes primary-ntp=ntpip secondary-ntp=ntpip
# Packet sniffer filter limited to the lo1 address.
/tool sniffer
set filter-ip-address=192.168.89.1/32
# use-radius=yes authenticates router logins against the RADIUS server above.
# NOTE(review): default-group=full is the group given to RADIUS-authenticated
# users when the server does not supply one, so such users get full rights by
# default; a less privileged default group would be the least-privilege choice.
/user aaa
set default-group=full use-radius=yes


HPE config
<HPE>shrun configuration ikev2-keychain
#
ikev2 keychain TEST_keychain
 peer peer1
  address 1.1.1.1 255.255.255.255
  identity address 1.1.1.1
  pre-shared-key ciphertext $c$3$4NU/sPcLOhk3BnVfHKOkNdP3bMnldrwnL4whcWjblA327w==
#
return
<HPE>shrun configuration ikev2-proposal
#
ikev2 proposal IKE_PRO_AES256_SHA256_DH14
 encryption aes-cbc-256
 integrity sha256
 dh group14
 prf sha256
#
return
<HPE>shrun configuration ikev2-profile
#
ikev2 profile OCE_IKE_POL
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain TEST_keychain
 match remote identity address 1.1.1.1 255.255.255.255
#
return
<HPE>shrun configuration ikev2-policy
#
ikev2 policy V2_POLICY
 proposal IKE_PRO_AES256_SHA256_DH14
#
return
<HPE>shrun configuration ipsec-transform-set
#
ipsec transform-set PH2_PRO_AES256_SHA256
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group2
#
return
<HPE>shrun configuration ipsec-policy
#
ipsec policy IPSEC_VPN 10 isakmp
 transform-set IPSEC_PRO_AES256_SHA256_DH14
 security acl 3102
 local-address 2.2.2.2
 remote-address 1.1.1.1
 ikev2-profile OCE_IKE_POL
 sa duration time-based 1800
#
return
<HPE>sh acl 3102
Advanced ACL  3102, named -none-, 2 rules,
ACL's step is 5
 rule 10 permit ip source 192.168.90.0 0.0.0.255 destination 192.168.89.0 0.0.0.255 (93 times matched)
 rule 15 permit ip source 192.168.89.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
<HPE>shrun int te 1/1/2
#
interface Ten-GigabitEthernet1/1/2
 port link-mode route
 ip address 2.2.2.2 255.255.255.252
 ospf cost 1
 mpls enable
 mpls ldp enable
 ip mtu 1600
 ipsec apply policy IPSEC_VPN
#
return
<HPE>show ip routing-table 192.168.89.1

Summary Count : 2

Destination/Mask    Proto  Pre  Cost         NextHop         Interface
192.168.89.0/24     Static 60   0            ISP_IP   XGE1/1/2

Here's the ipsec log on Mikrotik as well
# apr/15/2024 11:43:34 by RouterOS 6.49.8
# software id = PR8G-6A53
#
11:43:36 ipsec ph2 possible after ph1 creation 
11:43:36 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:43:36 ipsec init child continue 
11:43:36 ipsec offering proto: 3 
11:43:36 ipsec  proposal #1 
11:43:36 ipsec   enc: aes256-cbc 
11:43:36 ipsec   auth: sha256 
11:43:36 ipsec   dh: modp1024 
11:43:36 ipsec adding payload: NONCE 
11:43:36 ipsec,debug => (size 0x1c) 
11:43:36 ipsec,debug 0000001c 5fe119f4 94741f9b e8e4be2a bcacd240 49d4791d 1fb8af3f 
11:43:36 ipsec adding payload: KE 
11:43:36 ipsec,debug => (size 0x88) 
11:43:36 ipsec,debug 00000088 00020000 f6924510 a2659711 b9aac46b 6d63e621 46ca629d 195b6140 
11:43:36 ipsec,debug 20e32146 acab036b fbdacdf1 cdf54adc e33bad30 bc9dc3d6 5f9b0326 620c645f 
11:43:36 ipsec,debug 20f3ce4e e0fc659f 4441e61a e3280ff8 ef69e3e2 8801b2eb 6c8bab92 a61b6328 
11:43:36 ipsec,debug 1dd320c5 9effbe9a 66d0f963 38c5fc4f ffc7f1e0 8a204ff6 4572a4ac 208d5a55 
11:43:36 ipsec,debug c1e24bea 387413d5 
11:43:36 ipsec adding payload: SA 
11:43:36 ipsec,debug => (size 0x34) 
11:43:36 ipsec,debug 00000034 00000030 01030404 071e7b29 0300000c 0100000c 800e0100 03000008 
11:43:36 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:43:36 ipsec initiator selector: 192.168.89.0/24  
11:43:36 ipsec adding payload: TS_I 
11:43:36 ipsec,debug => (size 0x18) 
11:43:36 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:43:36 ipsec responder selector: 192.168.90.0/24  
11:43:36 ipsec adding payload: TS_R 
11:43:36 ipsec,debug => (size 0x18) 
11:43:36 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:43:36 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:3294 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:36 ipsec,debug ===== sending 528 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:36 ipsec,debug 1 times of 532 bytes message will be sent to 2.2.2.2[4500] 
11:43:36 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:36 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:3294 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:36 ipsec payload seen: ENC (52 bytes) 
11:43:36 ipsec processing payload: ENC 
11:43:36 ipsec,debug => iv (size 0x10) 
11:43:36 ipsec,debug b2a2fb31 6ef08fb4 0e8435cb 891ef58f 
11:43:36 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:43:36 ipsec,debug 00000008 00000026 
11:43:36 ipsec,debug decrypted packet 
11:43:36 ipsec payload seen: NOTIFY (8 bytes) 
11:43:36 ipsec create child: initiator finish 
11:43:36 ipsec processing payloads: NOTIFY 
11:43:36 ipsec   notify: TS_UNACCEPTABLE 
11:43:36 ipsec got error: TS_UNACCEPTABLE 
11:43:41 ipsec ph2 possible after ph1 creation 
11:43:41 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:43:41 ipsec init child continue 
11:43:41 ipsec offering proto: 3 
11:43:41 ipsec  proposal #1 
11:43:41 ipsec   enc: aes256-cbc 
11:43:41 ipsec   auth: sha256 
11:43:41 ipsec   dh: modp1024 
11:43:41 ipsec adding payload: NONCE 
11:43:41 ipsec,debug => (size 0x1c) 
11:43:41 ipsec,debug 0000001c 5901aa64 1047c7b4 47a2258e 1cfece8a e42c0692 69c30e34 
11:43:41 ipsec adding payload: KE 
11:43:41 ipsec,debug => (size 0x88) 
11:43:41 ipsec,debug 00000088 00020000 49488403 c4129716 dcb54170 6c767480 5345cae1 ef5326f6 
11:43:41 ipsec,debug f2596089 44253c1d 9f15c087 e99b01ff b80350f8 66fd46bb a13d83f0 ea69fa93 
11:43:41 ipsec,debug 05502d7b 86561049 517664f9 65763912 57ce0c32 59f607e3 44c7e206 a79a9402 
11:43:41 ipsec,debug af997cfd 3808b974 c5e0bd7a 5abf500e 1b29b3d7 e658fc0a 132f06dc 2c41a3dc 
11:43:41 ipsec,debug 2bbeb3ac 4478c97b 
11:43:41 ipsec adding payload: SA 
11:43:41 ipsec,debug => (size 0x34) 
11:43:41 ipsec,debug 00000034 00000030 01030404 049aea56 0300000c 0100000c 800e0100 03000008 
11:43:41 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:43:41 ipsec initiator selector: 192.168.89.0/24  
11:43:41 ipsec adding payload: TS_I 
11:43:41 ipsec,debug => (size 0x18) 
11:43:41 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:43:41 ipsec responder selector: 192.168.90.0/24  
11:43:41 ipsec adding payload: TS_R 
11:43:41 ipsec,debug => (size 0x18) 
11:43:41 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:43:41 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:3295 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:41 ipsec,debug ===== sending 512 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:41 ipsec,debug 1 times of 516 bytes message will be sent to 2.2.2.2[4500] 
11:43:41 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:41 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:3295 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:41 ipsec payload seen: ENC (52 bytes) 
11:43:41 ipsec processing payload: ENC 
11:43:41 ipsec,debug => iv (size 0x10) 
11:43:41 ipsec,debug b8b98f61 2c5299d7 401add94 6a1ff349 
11:43:41 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:43:41 ipsec,debug 00000008 00000026 
11:43:41 ipsec,debug decrypted packet 
11:43:41 ipsec payload seen: NOTIFY (8 bytes) 
11:43:41 ipsec create child: initiator finish 
11:43:41 ipsec processing payloads: NOTIFY 
11:43:41 ipsec   notify: TS_UNACCEPTABLE 
11:43:41 ipsec got error: TS_UNACCEPTABLE 
11:43:46 ipsec ph2 possible after ph1 creation 
11:43:46 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:43:46 ipsec init child continue 
11:43:46 ipsec offering proto: 3 
11:43:46 ipsec  proposal #1 
11:43:46 ipsec   enc: aes256-cbc 
11:43:46 ipsec   auth: sha256 
11:43:46 ipsec   dh: modp1024 
11:43:46 ipsec adding payload: NONCE 
11:43:46 ipsec,debug => (size 0x1c) 
11:43:46 ipsec,debug 0000001c 8df4e340 fe53bc37 92da0b5e 7c5a3aa1 a1b6ca3f e22cb580 
11:43:46 ipsec adding payload: KE 
11:43:46 ipsec,debug => (size 0x88) 
11:43:46 ipsec,debug 00000088 00020000 30d53fdf e2695eb9 3d47aba8 a4e60318 af45d52b 64f65c45 
11:43:46 ipsec,debug 457a92e0 050cb159 c3a24285 2f857e95 4339f062 22c93bfe 4c99a76b f8f2e456 
11:43:46 ipsec,debug fb5e629b ae8d4d41 62ddfc8f 656690ab 8a1ead4d ef15d440 fbb1847d 24556869 
11:43:46 ipsec,debug f9abdac1 1023d92a 8a2f3f54 51cb5ea8 a43ab377 d944fab2 32bf3759 ff891378 
11:43:46 ipsec,debug 7ee7ed07 2d3226b6 
11:43:46 ipsec adding payload: SA 
11:43:46 ipsec,debug => (size 0x34) 
11:43:46 ipsec,debug 00000034 00000030 01030404 0b5d22e1 0300000c 0100000c 800e0100 03000008 
11:43:46 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:43:46 ipsec initiator selector: 192.168.89.0/24  
11:43:46 ipsec adding payload: TS_I 
11:43:46 ipsec,debug => (size 0x18) 
11:43:46 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:43:46 ipsec responder selector: 192.168.90.0/24  
11:43:46 ipsec adding payload: TS_R 
11:43:46 ipsec,debug => (size 0x18) 
11:43:46 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:43:46 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:3296 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:46 ipsec,debug ===== sending 528 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:46 ipsec,debug 1 times of 532 bytes message will be sent to 2.2.2.2[4500] 
11:43:46 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:46 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:3296 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:46 ipsec payload seen: ENC (52 bytes) 
11:43:46 ipsec processing payload: ENC 
11:43:46 ipsec,debug => iv (size 0x10) 
11:43:46 ipsec,debug 9956d5e7 d59ba6d7 7a74f48a db2ce18c 
11:43:46 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:43:46 ipsec,debug 00000008 00000026 
11:43:46 ipsec,debug decrypted packet 
11:43:46 ipsec payload seen: NOTIFY (8 bytes) 
11:43:46 ipsec create child: initiator finish 
11:43:46 ipsec processing payloads: NOTIFY 
11:43:46 ipsec   notify: TS_UNACCEPTABLE 
11:43:46 ipsec got error: TS_UNACCEPTABLE 
11:43:51 ipsec ph2 possible after ph1 creation 
11:43:51 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:43:51 ipsec init child continue 
11:43:51 ipsec offering proto: 3 
11:43:51 ipsec  proposal #1 
11:43:51 ipsec   enc: aes256-cbc 
11:43:51 ipsec   auth: sha256 
11:43:51 ipsec   dh: modp1024 
11:43:51 ipsec adding payload: NONCE 
11:43:51 ipsec,debug => (size 0x1c) 
11:43:51 ipsec,debug 0000001c f8861749 ef57d93e 4329b829 4ad4275e ff413412 656f137a 
11:43:51 ipsec adding payload: KE 
11:43:51 ipsec,debug => (size 0x88) 
11:43:51 ipsec,debug 00000088 00020000 c573dac2 82850fc9 3582bc5f 8467f6fe 7b56882d f122fb4b 
11:43:51 ipsec,debug 2666c382 05a662c3 1c3d05b1 a1aed1e6 40dce15c 596da449 10b51a19 7e0ba710 
11:43:51 ipsec,debug 3ac0a71a 5f3fcdac 7cc6823e d46d953e e5fce512 cc46fca3 97d382cd 2ff4be95 
11:43:51 ipsec,debug d254e274 004dd996 ec6387af 7d8b2f16 147dbc91 3a177e01 97aad953 27861ca5 
11:43:51 ipsec,debug 75c8d03b 879958ff 
11:43:51 ipsec adding payload: SA 
11:43:51 ipsec,debug => (size 0x34) 
11:43:51 ipsec,debug 00000034 00000030 01030404 0dca77a7 0300000c 0100000c 800e0100 03000008 
11:43:51 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:43:51 ipsec initiator selector: 192.168.89.0/24  
11:43:51 ipsec adding payload: TS_I 
11:43:51 ipsec,debug => (size 0x18) 
11:43:51 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:43:51 ipsec responder selector: 192.168.90.0/24  
11:43:51 ipsec adding payload: TS_R 
11:43:51 ipsec,debug => (size 0x18) 
11:43:51 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:43:51 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:3297 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:51 ipsec,debug ===== sending 496 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:51 ipsec,debug 1 times of 500 bytes message will be sent to 2.2.2.2[4500] 
11:43:51 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:51 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:3297 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:51 ipsec payload seen: ENC (52 bytes) 
11:43:51 ipsec processing payload: ENC 
11:43:51 ipsec,debug => iv (size 0x10) 
11:43:51 ipsec,debug e6ed31e4 d2f80ff3 03220c45 70d3a565 
11:43:51 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:43:51 ipsec,debug 00000008 00000026 
11:43:51 ipsec,debug decrypted packet 
11:43:51 ipsec payload seen: NOTIFY (8 bytes) 
11:43:51 ipsec create child: initiator finish 
11:43:51 ipsec processing payloads: NOTIFY 
11:43:51 ipsec   notify: TS_UNACCEPTABLE 
11:43:51 ipsec got error: TS_UNACCEPTABLE 
11:43:55 ipsec,info killing ike2 SA: TEST_VPN 1.1.1.1[4500]-2.2.2.2[4500] spi:8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:55 ipsec adding payload: DELETE 
11:43:55 ipsec,debug => (size 0x8) 
11:43:55 ipsec,debug 00000008 01000000 
11:43:55 ipsec <- ike2 request, exchange: INFORMATIONAL:3298 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:55 ipsec,debug ===== sending 256 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:55 ipsec,debug 1 times of 260 bytes message will be sent to 2.2.2.2[4500] 
11:43:55 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:55 ipsec -> ike2 reply, exchange: INFORMATIONAL:3298 2.2.2.2[4500] 8b7117d91259e40d:0b4ecd1d0d2a13e1 
11:43:55 ipsec SPI de45912d917718b not registered for 2.2.2.2[4500] 
11:43:58 ipsec ike2 starting for: 2.2.2.2 
11:43:58 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
11:43:58 ipsec,debug => (size 0x8) 
11:43:58 ipsec,debug 00000008 0000402e 
11:43:58 ipsec adding payload: NONCE 
11:43:58 ipsec,debug => (size 0x1c) 
11:43:58 ipsec,debug 0000001c eb7ef50a 11d3703d d2bb5dd5 10639e3c e3b1e9b1 02e900e4 
11:43:58 ipsec adding payload: KE 
11:43:58 ipsec,debug => (first 0x100 of 0x108) 
11:43:58 ipsec,debug 00000108 000e0000 5dfeda95 c0c2e831 760bee0a ff086538 61cc18c4 db52d56f 
11:43:58 ipsec,debug 6d6fcaa0 5d96ddab e459769a 91ac28b2 fe209988 6daa8b2f 9ffa7a3d c52c169f 
11:43:58 ipsec,debug 779761ee 79c32e31 3e12102b 4a1f5c41 19189cdf 130c5d52 8ea27ff5 ac6ba541 
11:43:58 ipsec,debug 571207d2 34a99783 7bd22153 48743e91 7f0cf16b b779639f a1806315 3bf65cb6 
11:43:58 ipsec,debug b916e5a1 029d35bf 2b0b2976 11803753 a765f54a fb730f5f 5746cde2 503ef03f 
11:43:58 ipsec,debug 23bc2900 404476fa 8a0e11be 56849432 2618d50d e0cb4db9 85a69de5 282331f6 
11:43:58 ipsec,debug 65bbeb3a ade7522c 8339180d 0d09bbd4 4f655775 2eb8f28a 2c846235 8629b45d 
11:43:58 ipsec,debug 1347798e f6ebc31b c4ed0550 03b64aba 7e72d54b ae7ad5df de51b482 c1f10f5a 
11:43:58 ipsec adding payload: SA 
11:43:58 ipsec,debug => (size 0x30) 
11:43:58 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
11:43:58 ipsec,debug 03000008 0300000c 00000008 0400000e 
11:43:58 ipsec <- ike2 request, exchange: SA_INIT:0 2.2.2.2[4500] e2e703323db3da4d:0000000000000000 
11:43:58 ipsec,debug ===== sending 376 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:58 ipsec,debug 1 times of 380 bytes message will be sent to 2.2.2.2[4500] 
11:43:58 ipsec,debug ===== received 432 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:58 ipsec -> ike2 reply, exchange: SA_INIT:0 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:43:58 ipsec ike2 initialize recv 
11:43:58 ipsec payload seen: SA (48 bytes) 
11:43:58 ipsec payload seen: KE (264 bytes) 
11:43:58 ipsec payload seen: NONCE (36 bytes) 
11:43:58 ipsec payload seen: NOTIFY (28 bytes) 
11:43:58 ipsec payload seen: NOTIFY (28 bytes) 
11:43:58 ipsec processing payload: NONCE 
11:43:58 ipsec processing payload: SA 
11:43:58 ipsec IKE Protocol: IKE 
11:43:58 ipsec  proposal #1 
11:43:58 ipsec   enc: aes256-cbc 
11:43:58 ipsec   prf: hmac-sha256 
11:43:58 ipsec   auth: sha256 
11:43:58 ipsec   dh: modp2048 
11:43:58 ipsec matched proposal: 
11:43:58 ipsec  proposal #1 
11:43:58 ipsec   enc: aes256-cbc 
11:43:58 ipsec   prf: hmac-sha256 
11:43:58 ipsec   auth: sha256 
11:43:58 ipsec   dh: modp2048 
11:43:58 ipsec processing payload: KE 
11:43:59 ipsec,debug => shared secret (size 0x100) 
11:43:59 ipsec,debug e8bf73d1 9a1ad259 81eaa044 e5664105 b5b8065a 7475318b 5cb6aa6a 68bf6d1a 
11:43:59 ipsec,debug 1b19c5f9 c9fa27bd dc77b3b9 51436c64 a4e51914 230843ed a8c65ee1 0802fccf 
11:43:59 ipsec,debug 15681feb b03a2d9c 6793da6f a26bbc47 3d0e6dc7 25501ea3 e28923de a99e8f4f 
11:43:59 ipsec,debug 3c0f74cc 8dcb4b27 73862a22 2db53ce7 f729f5d1 5dfd29a8 bd35b686 5a2d88ff 
11:43:59 ipsec,debug 5af9bd7b 85a51cc8 3cae0d83 58c9efeb 397c25d5 b1e36f3f 3a9a39d0 0e2bc51e 
11:43:59 ipsec,debug e13ca5ab 9afd1c80 474df7fe 4479e9ed dac97d44 43c29f10 8807c873 757583e0 
11:43:59 ipsec,debug 4f48fd8d 50b842ab 3fc51381 6ce6cae1 6957c6b5 2de8052c 0aee307d 4e95c97b 
11:43:59 ipsec,debug b85ea7bb 850861f0 a166e3a8 f602442c 52f9e479 2be4853c d7596ca8 47535b66 
11:43:59 ipsec,debug => skeyseed (size 0x20) 
11:43:59 ipsec,debug 9250d381 5cf24300 007807f6 bf26f797 d10788b4 e5103d65 7f386aac 8aff60bf 
11:43:59 ipsec,debug => keymat (size 0x20) 
11:43:59 ipsec,debug 2325bcaa 5b3d8377 32ae32f9 131060f2 76772961 90a620a6 ce226916 909a9f91 
11:43:59 ipsec,debug => SK_ai (size 0x20) 
11:43:59 ipsec,debug e37b0ce0 23e2877f 3cfe60d9 d50798dc 037ced90 045f21f0 b6884735 1c0a7c13 
11:43:59 ipsec,debug => SK_ar (size 0x20) 
11:43:59 ipsec,debug 424dc458 1850f533 efb2d018 0fc52104 91179857 83b5d848 ce010cfb bb875fc9 
11:43:59 ipsec,debug => SK_ei (size 0x20) 
11:43:59 ipsec,debug 88604dc5 fc749c0e 798940df f4901d68 fb643f69 a7e189a1 91c4f2bc fa0cc8a5 
11:43:59 ipsec,debug => SK_er (size 0x20) 
11:43:59 ipsec,debug 45005b67 4524a5d8 69f43a7a d8c26a3c bf366f3d e988e288 6157116d b6383238 
11:43:59 ipsec,debug => SK_pi (size 0x20) 
11:43:59 ipsec,debug 30594037 75fcdba6 cf544671 389d5914 6d767d91 83e64f07 bacdde08 ebe7f340 
11:43:59 ipsec,debug => SK_pr (size 0x20) 
11:43:59 ipsec,debug d518011a 444c2d73 63925346 39292c0d 28e72822 207e0bf2 55883df4 d25043c1 
11:43:59 ipsec,info new ike2 SA (I): TEST_VPN 1.1.1.1[4500]-2.2.2.2[4500] spi:e2e703323db3da4d:4f935b6f4c636af3 
11:43:59 ipsec processing payloads: NOTIFY 
11:43:59 ipsec   notify: NAT_DETECTION_SOURCE_IP 
11:43:59 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
11:43:59 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:43:59 ipsec init child continue 
11:43:59 ipsec offering proto: 3 
11:43:59 ipsec  proposal #1 
11:43:59 ipsec   enc: aes256-cbc 
11:43:59 ipsec   auth: sha256 
11:43:59 ipsec ID_I (ADDR4): 1.1.1.1 
11:43:59 ipsec adding payload: ID_I 
11:43:59 ipsec,debug => (size 0xc) 
11:43:59 ipsec,debug 0000000c 01000000 8a7cad38 
11:43:59 ipsec,debug => auth nonce (size 0x20) 
11:43:59 ipsec,debug 1a08d5d1 5c14a841 a8d44c02 c3dd51a9 c6bb9cb9 93ce41e1 9f531539 3901bbca 
11:43:59 ipsec,debug => SK_p (size 0x20) 
11:43:59 ipsec,debug 30594037 75fcdba6 cf544671 389d5914 6d767d91 83e64f07 bacdde08 ebe7f340 
11:43:59 ipsec,debug => idhash (size 0x20) 
11:43:59 ipsec,debug f2a14689 2e372511 bf36a17e fbee10f8 fb384549 8c8d5289 886172da 41a16502 
11:43:59 ipsec,debug => my auth (size 0x20) 
11:43:59 ipsec,debug 2c1174ac 708a996a f35b4684 0ec1dd7b ae021eb9 151c39af bb8b2042 2dcc1467 
11:43:59 ipsec adding payload: AUTH 
11:43:59 ipsec,debug => (size 0x28) 
11:43:59 ipsec,debug 00000028 02000000 2c1174ac 708a996a f35b4684 0ec1dd7b ae021eb9 151c39af 
11:43:59 ipsec,debug bb8b2042 2dcc1467 
11:43:59 ipsec adding notify: INITIAL_CONTACT 
11:43:59 ipsec,debug => (size 0x8) 
11:43:59 ipsec,debug 00000008 00004000 
11:43:59 ipsec adding payload: SA 
11:43:59 ipsec,debug => (size 0x2c) 
11:43:59 ipsec,debug 0000002c 00000028 01030403 03753575 0300000c 0100000c 800e0100 03000008 
11:43:59 ipsec,debug 0300000c 00000008 05000000 
11:43:59 ipsec initiator selector: 192.168.89.0/24  
11:43:59 ipsec adding payload: TS_I 
11:43:59 ipsec,debug => (size 0x18) 
11:43:59 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:43:59 ipsec responder selector: 192.168.90.0/24  
11:43:59 ipsec adding payload: TS_R 
11:43:59 ipsec,debug => (size 0x18) 
11:43:59 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:43:59 ipsec <- ike2 request, exchange: AUTH:1 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:43:59 ipsec,debug ===== sending 224 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:43:59 ipsec,debug 1 times of 228 bytes message will be sent to 2.2.2.2[4500] 
11:43:59 ipsec,debug ===== received 128 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:43:59 ipsec -> ike2 reply, exchange: AUTH:1 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:43:59 ipsec payload seen: ENC (100 bytes) 
11:43:59 ipsec processing payload: ENC 
11:43:59 ipsec,debug => iv (size 0x10) 
11:43:59 ipsec,debug 2e66e0e4 fa74a467 097c5739 aff07972 
11:43:59 ipsec,debug => decrypted and trimmed payload (size 0x3c) 
11:43:59 ipsec,debug 24000008 00000026 2700000c 01000000 b9494372 00000028 02000000 ce421273 
11:43:59 ipsec,debug 53569bc2 e870af74 09d43997 f9f6c249 a561f373 989597f8 0c1e247b 
11:43:59 ipsec,debug decrypted packet 
11:43:59 ipsec payload seen: NOTIFY (8 bytes) 
11:43:59 ipsec payload seen: ID_R (12 bytes) 
11:43:59 ipsec payload seen: AUTH (40 bytes) 
11:43:59 ipsec processing payloads: NOTIFY 
11:43:59 ipsec   notify: TS_UNACCEPTABLE 
11:43:59 ipsec ike auth: initiator finish 
11:43:59 ipsec processing payload: ID_R 
11:43:59 ipsec ID_R (ADDR4): 2.2.2.2 
11:43:59 ipsec processing payload: AUTH 
11:43:59 ipsec requested auth method: SKEY 
11:43:59 ipsec,debug => peer's auth (size 0x20) 
11:43:59 ipsec,debug ce421273 53569bc2 e870af74 09d43997 f9f6c249 a561f373 989597f8 0c1e247b 
11:43:59 ipsec,debug => auth nonce (size 0x18) 
11:43:59 ipsec,debug eb7ef50a 11d3703d d2bb5dd5 10639e3c e3b1e9b1 02e900e4 
11:43:59 ipsec,debug => SK_p (size 0x20) 
11:43:59 ipsec,debug d518011a 444c2d73 63925346 39292c0d 28e72822 207e0bf2 55883df4 d25043c1 
11:43:59 ipsec,debug => idhash (size 0x20) 
11:43:59 ipsec,debug ab33294c 4753e345 3877c2ed a69068d1 f2ea5e4b 53bb1b0a 679a4be8 98a5e899 
11:43:59 ipsec,debug => calculated peer's AUTH (size 0x20) 
11:43:59 ipsec,debug ce421273 53569bc2 e870af74 09d43997 f9f6c249 a561f373 989597f8 0c1e247b 
11:43:59 ipsec,info,account peer authorized: TEST_VPN 1.1.1.1[4500]-2.2.2.2[4500] spi:e2e703323db3da4d:4f935b6f4c636af3 
11:43:59 ipsec processing payloads: NOTIFY 
11:43:59 ipsec   notify: TS_UNACCEPTABLE 
11:43:59 ipsec got error: TS_UNACCEPTABLE 
11:44:04 ipsec ph2 possible after ph1 creation 
11:44:04 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:04 ipsec init child continue 
11:44:04 ipsec offering proto: 3 
11:44:04 ipsec  proposal #1 
11:44:04 ipsec   enc: aes256-cbc 
11:44:04 ipsec   auth: sha256 
11:44:04 ipsec   dh: modp1024 
11:44:04 ipsec adding payload: NONCE 
11:44:04 ipsec,debug => (size 0x1c) 
11:44:04 ipsec,debug 0000001c df9b7624 d79dcde5 9b9f0f9b eb2762c4 d7bc0a66 7df5dc74 
11:44:04 ipsec adding payload: KE 
11:44:04 ipsec,debug => (size 0x88) 
11:44:04 ipsec,debug 00000088 00020000 12a4d982 017fbd4b 737fbf03 cdfc3bc1 97c26543 b13d8bd5 
11:44:04 ipsec,debug 75c3f26a 7bf36df4 30a1a0db b5694346 f1bcf0cb c155e870 174051bd 49610af6 
11:44:04 ipsec,debug e621655c 8983dab5 991fada3 50b99819 741ef2ac 0227d642 c213aece cff75db8 
11:44:04 ipsec,debug d191ceee e29354ab c92674a6 39cbc54f a849d4b2 b5bafdb6 c6b7e24e fd4c0d34 
11:44:04 ipsec,debug 1fa66f92 b6016d9b 
11:44:04 ipsec adding payload: SA 
11:44:04 ipsec,debug => (size 0x34) 
11:44:04 ipsec,debug 00000034 00000030 01030404 022031da 0300000c 0100000c 800e0100 03000008 
11:44:04 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:04 ipsec initiator selector: 192.168.89.0/24  
11:44:04 ipsec adding payload: TS_I 
11:44:04 ipsec,debug => (size 0x18) 
11:44:04 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:04 ipsec responder selector: 192.168.90.0/24  
11:44:04 ipsec adding payload: TS_R 
11:44:04 ipsec,debug => (size 0x18) 
11:44:04 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:04 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:2 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:04 ipsec,debug ===== sending 528 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:04 ipsec,debug 1 times of 532 bytes message will be sent to 2.2.2.2[4500] 
11:44:04 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:04 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:2 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:04 ipsec payload seen: ENC (52 bytes) 
11:44:04 ipsec processing payload: ENC 
11:44:04 ipsec,debug => iv (size 0x10) 
11:44:04 ipsec,debug e8232cf7 b3f298dd 74370b4c e4368bec 
11:44:04 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:04 ipsec,debug 00000008 00000026 
11:44:04 ipsec,debug decrypted packet 
11:44:04 ipsec payload seen: NOTIFY (8 bytes) 
11:44:04 ipsec create child: initiator finish 
11:44:04 ipsec processing payloads: NOTIFY 
11:44:04 ipsec   notify: TS_UNACCEPTABLE 
11:44:04 ipsec got error: TS_UNACCEPTABLE 
11:44:09 ipsec ph2 possible after ph1 creation 
11:44:09 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:09 ipsec init child continue 
11:44:09 ipsec offering proto: 3 
11:44:09 ipsec  proposal #1 
11:44:09 ipsec   enc: aes256-cbc 
11:44:09 ipsec   auth: sha256 
11:44:09 ipsec   dh: modp1024 
11:44:09 ipsec adding payload: NONCE 
11:44:09 ipsec,debug => (size 0x1c) 
11:44:09 ipsec,debug 0000001c 508e9d2d 9adeef60 e553adf4 0e82f10b c682fd71 d6b718cc 
11:44:09 ipsec adding payload: KE 
11:44:09 ipsec,debug => (size 0x88) 
11:44:09 ipsec,debug 00000088 00020000 8ae73a4e 7cbf3242 f0194771 1da1b87e 70df50b2 d24b62ef 
11:44:09 ipsec,debug 3ebe6825 cd1d67c8 b7f5dafc 404c8baa 0d3c1000 e84f4c17 c5bb65ec 16d71cec 
11:44:09 ipsec,debug b265ca09 fbb24b76 959163d5 5396e521 801bead8 b8930a7a a4b2bddd 09b8a1b4 
11:44:09 ipsec,debug db348060 cbdec714 0fc9ec67 dc5d0494 19080ac4 04c3dd7b d9b926e2 a8e069a2 
11:44:09 ipsec,debug 20cb580d ad339d94 
11:44:09 ipsec adding payload: SA 
11:44:09 ipsec,debug => (size 0x34) 
11:44:09 ipsec,debug 00000034 00000030 01030404 034babf6 0300000c 0100000c 800e0100 03000008 
11:44:09 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:09 ipsec initiator selector: 192.168.89.0/24  
11:44:09 ipsec adding payload: TS_I 
11:44:09 ipsec,debug => (size 0x18) 
11:44:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:09 ipsec responder selector: 192.168.90.0/24  
11:44:09 ipsec adding payload: TS_R 
11:44:09 ipsec,debug => (size 0x18) 
11:44:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:09 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:3 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:09 ipsec,debug ===== sending 480 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:09 ipsec,debug 1 times of 484 bytes message will be sent to 2.2.2.2[4500] 
11:44:09 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:09 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:3 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:09 ipsec payload seen: ENC (52 bytes) 
11:44:09 ipsec processing payload: ENC 
11:44:09 ipsec,debug => iv (size 0x10) 
11:44:09 ipsec,debug aeb18827 98069844 cf45fb5e 755e27eb 
11:44:09 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:09 ipsec,debug 00000008 00000026 
11:44:09 ipsec,debug decrypted packet 
11:44:09 ipsec payload seen: NOTIFY (8 bytes) 
11:44:09 ipsec create child: initiator finish 
11:44:09 ipsec processing payloads: NOTIFY 
11:44:09 ipsec   notify: TS_UNACCEPTABLE 
11:44:09 ipsec got error: TS_UNACCEPTABLE 
11:44:13 ipsec policy installed for connected peer, creating child SA 
11:44:13 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:13 ipsec init child continue 
11:44:13 ipsec offering proto: 3 
11:44:13 ipsec  proposal #1 
11:44:13 ipsec   enc: aes256-cbc 
11:44:13 ipsec   auth: sha256 
11:44:13 ipsec   dh: modp1024 
11:44:13 ipsec adding payload: NONCE 
11:44:13 ipsec,debug => (size 0x1c) 
11:44:13 ipsec,debug 0000001c 7fae5446 272b8420 3f58efa9 12aa677e ca001f2e f5e4acb8 
11:44:13 ipsec adding payload: KE 
11:44:13 ipsec,debug => (size 0x88) 
11:44:13 ipsec,debug 00000088 00020000 090e88c7 2a6bc6bd aeb67644 57fd009b 12d112cf a786f797 
11:44:13 ipsec,debug ebb05a1b fc426b2b 325ff1bc 00dcc2d8 8a36f308 87f4902a 47567486 2edb02ce 
11:44:13 ipsec,debug ac04ed22 bbfb397a 2976bea7 88476fe6 93334016 6e9cb0f6 c15fb54f 5cd9846d 
11:44:13 ipsec,debug c77fae5d f947824a 5e961531 d43d75bd d67219f3 c73be89e fc5ecf4e 37f94b62 
11:44:13 ipsec,debug 66ab198d a53bb828 
11:44:13 ipsec adding payload: SA 
11:44:13 ipsec,debug => (size 0x34) 
11:44:13 ipsec,debug 00000034 00000030 01030404 02d191da 0300000c 0100000c 800e0100 03000008 
11:44:13 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:13 ipsec initiator selector: 192.168.89.0/24  
11:44:13 ipsec adding payload: TS_I 
11:44:13 ipsec,debug => (size 0x18) 
11:44:13 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:13 ipsec responder selector: 192.168.90.0/24  
11:44:13 ipsec adding payload: TS_R 
11:44:13 ipsec,debug => (size 0x18) 
11:44:13 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:13 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:4 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:13 ipsec,debug ===== sending 544 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:13 ipsec,debug 1 times of 548 bytes message will be sent to 2.2.2.2[4500] 
11:44:13 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:13 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:4 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:13 ipsec payload seen: ENC (52 bytes) 
11:44:13 ipsec processing payload: ENC 
11:44:13 ipsec,debug => iv (size 0x10) 
11:44:13 ipsec,debug 2daad70b 0431e319 3de18a18 a57ba7f5 
11:44:13 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:13 ipsec,debug 00000008 00000026 
11:44:13 ipsec,debug decrypted packet 
11:44:13 ipsec payload seen: NOTIFY (8 bytes) 
11:44:13 ipsec create child: initiator finish 
11:44:13 ipsec processing payloads: NOTIFY 
11:44:13 ipsec   notify: TS_UNACCEPTABLE 
11:44:13 ipsec got error: TS_UNACCEPTABLE 
11:44:14 ipsec policy installed for connected peer, creating child SA 
11:44:14 ipsec init child for policy: 192.168.90.0/24 <=> 192.168.89.0/24 
11:44:14 ipsec init child continue 
11:44:14 ipsec offering proto: 3 
11:44:14 ipsec  proposal #1 
11:44:14 ipsec   enc: aes256-cbc 
11:44:14 ipsec   auth: sha256 
11:44:14 ipsec   dh: modp1024 
11:44:14 ipsec adding payload: NONCE 
11:44:14 ipsec,debug => (size 0x1c) 
11:44:14 ipsec,debug 0000001c 7902c417 f0441fb8 07e8f0d1 7070de7e 1e9b2ac2 9eac02ae 
11:44:14 ipsec adding payload: KE 
11:44:14 ipsec,debug => (size 0x88) 
11:44:14 ipsec,debug 00000088 00020000 b66871f8 f0149760 79d996d1 e021f2f1 210a7fb2 c67a4906 
11:44:14 ipsec,debug d8c57cc6 c54c55ab f7ff19c4 698fbdfc c81a3d9b 99866b00 5a079057 3160de56 
11:44:14 ipsec,debug d511b549 82d69c10 7277013f 6946f709 9d8a4f4a afa768b7 9ac62a4c 07383591 
11:44:14 ipsec,debug b431ed85 5bd30ab1 c75463a3 9668d175 d9bddb47 50ce8bdf dd98cca2 2df33b00 
11:44:14 ipsec,debug bdd43700 f04f0798 
11:44:14 ipsec adding payload: SA 
11:44:14 ipsec,debug => (size 0x34) 
11:44:14 ipsec,debug 00000034 00000030 01030404 039cf399 0300000c 0100000c 800e0100 03000008 
11:44:14 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:14 ipsec initiator selector: 192.168.90.0/24  
11:44:14 ipsec adding payload: TS_I 
11:44:14 ipsec,debug => (size 0x18) 
11:44:14 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:14 ipsec responder selector: 192.168.89.0/24  
11:44:14 ipsec adding payload: TS_R 
11:44:14 ipsec,debug => (size 0x18) 
11:44:14 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:14 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:5 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:14 ipsec,debug ===== sending 528 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:14 ipsec,debug 1 times of 532 bytes message will be sent to 2.2.2.2[4500] 
11:44:14 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:14 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:5 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:14 ipsec payload seen: ENC (52 bytes) 
11:44:14 ipsec processing payload: ENC 
11:44:14 ipsec,debug => iv (size 0x10) 
11:44:14 ipsec,debug f0a9892e df82476d ad3b7400 4e3b61a9 
11:44:14 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:14 ipsec,debug 00000008 00000026 
11:44:14 ipsec,debug decrypted packet 
11:44:14 ipsec payload seen: NOTIFY (8 bytes) 
11:44:14 ipsec create child: initiator finish 
11:44:14 ipsec processing payloads: NOTIFY 
11:44:14 ipsec   notify: TS_UNACCEPTABLE 
11:44:14 ipsec got error: TS_UNACCEPTABLE 
11:44:19 ipsec ph2 possible after ph1 creation 
11:44:19 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:19 ipsec init child continue 
11:44:19 ipsec offering proto: 3 
11:44:19 ipsec  proposal #1 
11:44:19 ipsec   enc: aes256-cbc 
11:44:19 ipsec   auth: sha256 
11:44:19 ipsec   dh: modp1024 
11:44:19 ipsec adding payload: NONCE 
11:44:19 ipsec,debug => (size 0x1c) 
11:44:19 ipsec,debug 0000001c f7c97c54 2779e6f8 f1982f0e 5a52b220 8b168fe0 3b22cadf 
11:44:19 ipsec adding payload: KE 
11:44:19 ipsec,debug => (size 0x88) 
11:44:19 ipsec,debug 00000088 00020000 29859d54 c377928a 7c9d4700 9883bef2 1a88dca3 81290ac7 
11:44:19 ipsec,debug f45df4fe f1d9558b 9fdaa0c5 26025706 2f65226c 845d8a37 c98ddc09 e4d64589 
11:44:19 ipsec,debug fabb059a ec8104b6 24109947 ffd4b092 3f8a1152 adddb719 814bd939 d369272e 
11:44:19 ipsec,debug 127e2e40 5d683a2e 6d02fc9f 39080f73 dbbd9723 24041875 51e7b4fa 5f8a8b33 
11:44:19 ipsec,debug 281b7230 8f1e2015 
11:44:19 ipsec adding payload: SA 
11:44:19 ipsec,debug => (size 0x34) 
11:44:19 ipsec,debug 00000034 00000030 01030404 08183204 0300000c 0100000c 800e0100 03000008 
11:44:19 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:19 ipsec initiator selector: 192.168.89.0/24  
11:44:19 ipsec adding payload: TS_I 
11:44:19 ipsec,debug => (size 0x18) 
11:44:19 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:19 ipsec responder selector: 192.168.90.0/24  
11:44:19 ipsec adding payload: TS_R 
11:44:19 ipsec,debug => (size 0x18) 
11:44:19 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:19 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:6 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:19 ipsec,debug ===== sending 512 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:19 ipsec,debug 1 times of 516 bytes message will be sent to 2.2.2.2[4500] 
11:44:19 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:19 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:6 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:19 ipsec payload seen: ENC (52 bytes) 
11:44:19 ipsec processing payload: ENC 
11:44:19 ipsec,debug => iv (size 0x10) 
11:44:19 ipsec,debug feb21ccb 718d3bbe 38c91525 2a708480 
11:44:19 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:19 ipsec,debug 00000008 00000026 
11:44:19 ipsec,debug decrypted packet 
11:44:19 ipsec payload seen: NOTIFY (8 bytes) 
11:44:19 ipsec create child: initiator finish 
11:44:19 ipsec processing payloads: NOTIFY 
11:44:19 ipsec   notify: TS_UNACCEPTABLE 
11:44:19 ipsec got error: TS_UNACCEPTABLE 
11:44:24 ipsec ph2 possible after ph1 creation 
11:44:24 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:24 ipsec init child continue 
11:44:24 ipsec offering proto: 3 
11:44:24 ipsec  proposal #1 
11:44:24 ipsec   enc: aes256-cbc 
11:44:24 ipsec   auth: sha256 
11:44:24 ipsec   dh: modp1024 
11:44:24 ipsec adding payload: NONCE 
11:44:24 ipsec,debug => (size 0x1c) 
11:44:24 ipsec,debug 0000001c 74ade374 e2b2470e 6c4b5213 b7f8b9f2 55e2f4eb 581a316c 
11:44:24 ipsec adding payload: KE 
11:44:24 ipsec,debug => (size 0x88) 
11:44:24 ipsec,debug 00000088 00020000 daefddbc 078e3ee7 3aeb935f a8e54312 cbb9c594 13112187 
11:44:24 ipsec,debug 6fdbba1b 45b372e0 8b92b652 b01ce036 6f640332 b8f33bdd 86972ed9 24b12fbd 
11:44:24 ipsec,debug 722e5965 d146e0db 656ee1c2 a35b6036 59049757 3fe02175 d5303826 86c0bc40 
11:44:24 ipsec,debug f3442aaf fa4a879e f413fcba b0942f10 6fb3ffe1 66cbebaf cb8b8480 90d5d8d8 
11:44:24 ipsec,debug 1529ac44 1dd8c1f0 
11:44:24 ipsec adding payload: SA 
11:44:24 ipsec,debug => (size 0x34) 
11:44:24 ipsec,debug 00000034 00000030 01030404 0359d86d 0300000c 0100000c 800e0100 03000008 
11:44:24 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:24 ipsec initiator selector: 192.168.89.0/24  
11:44:24 ipsec adding payload: TS_I 
11:44:24 ipsec,debug => (size 0x18) 
11:44:24 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:24 ipsec responder selector: 192.168.90.0/24  
11:44:24 ipsec adding payload: TS_R 
11:44:24 ipsec,debug => (size 0x18) 
11:44:24 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:24 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:7 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:24 ipsec,debug ===== sending 528 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:24 ipsec,debug 1 times of 532 bytes message will be sent to 2.2.2.2[4500] 
11:44:24 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:24 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:7 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:24 ipsec payload seen: ENC (52 bytes) 
11:44:24 ipsec processing payload: ENC 
11:44:24 ipsec,debug => iv (size 0x10) 
11:44:24 ipsec,debug 7be170d9 7b367dee 33590117 af05a6bc 
11:44:24 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:24 ipsec,debug 00000008 00000026 
11:44:24 ipsec,debug decrypted packet 
11:44:24 ipsec payload seen: NOTIFY (8 bytes) 
11:44:24 ipsec create child: initiator finish 
11:44:24 ipsec processing payloads: NOTIFY 
11:44:24 ipsec   notify: TS_UNACCEPTABLE 
11:44:24 ipsec got error: TS_UNACCEPTABLE 
11:44:29 ipsec ph2 possible after ph1 creation 
11:44:29 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:29 ipsec init child continue 
11:44:29 ipsec offering proto: 3 
11:44:29 ipsec  proposal #1 
11:44:29 ipsec   enc: aes256-cbc 
11:44:29 ipsec   auth: sha256 
11:44:29 ipsec   dh: modp1024 
11:44:29 ipsec adding payload: NONCE 
11:44:29 ipsec,debug => (size 0x1c) 
11:44:29 ipsec,debug 0000001c 035564e9 8d396d9c 1de81225 b3f641f9 322cbaa9 09f295ed 
11:44:29 ipsec adding payload: KE 
11:44:29 ipsec,debug => (size 0x88) 
11:44:29 ipsec,debug 00000088 00020000 cc7c8d27 3d13a6a8 6127ef27 9fb311a3 af18ac3f 3a327b0f 
11:44:29 ipsec,debug 9b749393 1b3357c0 aad7e61b 07585aed 4e79f094 4cf2cef4 bd1ce18d f3377255 
11:44:29 ipsec,debug 5ff72d4c f160bab0 c0e7fdfc 704cc73a 7263b246 5ba8c5c4 d9aa9142 f29a11a2 
11:44:29 ipsec,debug 2f35990a 489658ce 3998fdc2 0ed52a38 d35a06f0 b910b22b 78bb174b 94574d98 
11:44:29 ipsec,debug f01fb871 2749a1a2 
11:44:29 ipsec adding payload: SA 
11:44:29 ipsec,debug => (size 0x34) 
11:44:29 ipsec,debug 00000034 00000030 01030404 0a256d4d 0300000c 0100000c 800e0100 03000008 
11:44:29 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:29 ipsec initiator selector: 192.168.89.0/24  
11:44:29 ipsec adding payload: TS_I 
11:44:29 ipsec,debug => (size 0x18) 
11:44:29 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:29 ipsec responder selector: 192.168.90.0/24  
11:44:29 ipsec adding payload: TS_R 
11:44:29 ipsec,debug => (size 0x18) 
11:44:29 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:29 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:8 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:29 ipsec,debug ===== sending 480 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:29 ipsec,debug 1 times of 484 bytes message will be sent to 2.2.2.2[4500] 
11:44:29 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:29 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:8 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:29 ipsec payload seen: ENC (52 bytes) 
11:44:29 ipsec processing payload: ENC 
11:44:29 ipsec,debug => iv (size 0x10) 
11:44:29 ipsec,debug f4d254ad 24d7c180 7e5d7637 d2ee2a01 
11:44:29 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:29 ipsec,debug 00000008 00000026 
11:44:29 ipsec,debug decrypted packet 
11:44:29 ipsec payload seen: NOTIFY (8 bytes) 
11:44:29 ipsec create child: initiator finish 
11:44:29 ipsec processing payloads: NOTIFY 
11:44:29 ipsec   notify: TS_UNACCEPTABLE 
11:44:29 ipsec got error: TS_UNACCEPTABLE 
11:44:34 ipsec ph2 possible after ph1 creation 
11:44:34 ipsec init child for policy: 192.168.89.0/24 <=> 192.168.90.0/24 
11:44:34 ipsec init child continue 
11:44:34 ipsec offering proto: 3 
11:44:34 ipsec  proposal #1 
11:44:34 ipsec   enc: aes256-cbc 
11:44:34 ipsec   auth: sha256 
11:44:34 ipsec   dh: modp1024 
11:44:34 ipsec adding payload: NONCE 
11:44:34 ipsec,debug => (size 0x1c) 
11:44:34 ipsec,debug 0000001c da4afad3 214aa905 a8c38c7d de5fd564 d973bef1 8544c7ea 
11:44:34 ipsec adding payload: KE 
11:44:34 ipsec,debug => (size 0x88) 
11:44:34 ipsec,debug 00000088 00020000 1f455f2d e0f4c5d7 a4353b6e ca397e99 63ab492f 32488934 
11:44:34 ipsec,debug 7bbb6492 8c4bd903 04af3db4 67e83f0d 4e1282cd 4cd2e30e f827c14c 7c223f7f 
11:44:34 ipsec,debug 41feba53 1be4f10a 18295b2c bb9d6d3d b7e3ed55 f343429c 32668072 0ab39634 
11:44:34 ipsec,debug 47eb6ad0 2758936b a13ff146 1f2c4d4e 74631173 d1c2cd3d 0d27cb23 c013d93d 
11:44:34 ipsec,debug 2ff1d3c3 0dae1e42 
11:44:34 ipsec adding payload: SA 
11:44:34 ipsec,debug => (size 0x34) 
11:44:34 ipsec,debug 00000034 00000030 01030404 0de66230 0300000c 0100000c 800e0100 03000008 
11:44:34 ipsec,debug 0300000c 03000008 04000002 00000008 05000000 
11:44:34 ipsec initiator selector: 192.168.89.0/24  
11:44:34 ipsec adding payload: TS_I 
11:44:34 ipsec,debug => (size 0x18) 
11:44:34 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85900 c0a859ff 
11:44:34 ipsec responder selector: 192.168.90.0/24  
11:44:34 ipsec adding payload: TS_R 
11:44:34 ipsec,debug => (size 0x18) 
11:44:34 ipsec,debug 00000018 01000000 07000010 0000ffff c0a85a00 c0a85aff 
11:44:34 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:9 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:34 ipsec,debug ===== sending 480 bytes from 1.1.1.1[4500] to 2.2.2.2[4500] 
11:44:34 ipsec,debug 1 times of 484 bytes message will be sent to 2.2.2.2[4500] 
11:44:34 ipsec,debug ===== received 80 bytes from 2.2.2.2[4500] to 1.1.1.1[4500] 
11:44:34 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:9 2.2.2.2[4500] e2e703323db3da4d:4f935b6f4c636af3 
11:44:34 ipsec payload seen: ENC (52 bytes) 
11:44:34 ipsec processing payload: ENC 
11:44:34 ipsec,debug => iv (size 0x10) 
11:44:34 ipsec,debug 397712ea 516e8aa2 c2dd0247 0742aba1 
11:44:34 ipsec,debug => decrypted and trimmed payload (size 0x8) 
11:44:34 ipsec,debug 00000008 00000026 
11:44:34 ipsec,debug decrypted packet 
11:44:34 ipsec payload seen: NOTIFY (8 bytes) 
11:44:34 ipsec create child: initiator finish 
11:44:34 ipsec processing payloads: NOTIFY 
11:44:34 ipsec   notify: TS_UNACCEPTABLE 
11:44:34 ipsec got error: TS_UNACCEPTABLE 
 
TheCat12
Member Candidate
Posts: 189
Joined: Fri Dec 31, 2021 9:13 pm

Re: IPSEC Phase 2 not establishing  [SOLVED]

Mon Apr 15, 2024 11:36 pm

The IPsec addresses should be from the same subnet, presumably analogous to the addressing used for the GRE tunnel.
 
amazen
just joined
Topic Author
Posts: 2
Joined: Mon Apr 15, 2024 2:56 pm

Re: IPSEC Phase 2 not establishing

Tue Apr 16, 2024 6:14 pm

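Hi all, please disregard my question; I have been able to get phase 2 established now.
The fix was that I created a new IPsec transform set with lower values (sha1, aes128 and no PRF) and applied it to the policy, and phase 2 established immediately. However, after that I switched back to my original IPsec transform set (sha256, aes256 and dh14) and phase 2 still works.
I'm not really sure why I needed to do that or how it resolved the issue :lol:
[Note: in the log above the peer rejects each CREATE_CHILD_SA request with TS_UNACCEPTABLE, which concerns the traffic selectors (192.168.89.0/24 <=> 192.168.90.0/24) rather than the encryption or hash proposal, so re-applying the policy may have been what changed the outcome; the child SA offers in the log also list dh: modp1024 rather than group 14, so it is worth confirming the PFS group and algorithms actually negotiated on the installed SAs.]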
