alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

IPSec established but no ping

Mon May 30, 2022 11:01 am

dear techies, hi.
my goal is to have a GRE over IPsec scenario between these two: ISR4331 as the hub and RB951Ui-2HnD as the spoke. first i decided to have a simple direct physical connection between the two. the GRE tunnel between them went ok; i could ping, and it never failed. the ipsec tunnel is also established. but the problem is that i lost connectivity after ipsec was established and the ping didn't come back! i tried a couple of suggestions from the forum but had no success! here is the mikrotik config:
# may/28/2022 09:37:56 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
# model = 951Ui-2HnD
# serial number = B8570BE4F3C7
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
add !keepalive local-address=192.168.222.3 name=gre-tunnel1 remote-address=\
    192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] src-address-list=0
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.3 name=MYSET
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
    md5 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d
/ip address
add address=192.168.222.3/30 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip firewall address-list
add address=0.0.0.0/0 disabled=yes list=0
/ip firewall filter
add action=accept chain=input disabled=yes dst-address=192.168.222.3 \
    src-address=192.168.222.2
add action=accept chain=output disabled=yes dst-address=192.168.222.2 \
    src-address=192.168.222.3
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add mode-config=request-only peer=MYSET secret=1234@qwer
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.222.2/32 dst-port=500 protocol=gre sa-dst-address=\
    192.168.222.2 sa-src-address=192.168.222.3 src-address=192.168.222.3/32 \
    src-port=500 tunnel=yes
/ip route
add distance=1 gateway=192.168.222.1
/system clock
set time-zone-name=Asia/Tehran
/system clock manual
set dst-delta=+03:30 time-zone=+03:30

---------------------------------------------------------
and here is my cisco config:
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!

!
crypto isakmp key 1234@qwer address 192.168.222.3
!


!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode tunnel
! 

!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.222.3
 set transform-set MYSET
 set pfs group2
 match address GREIPSEC
!

!
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1.2
 tunnel destination 192.168.222.3
!

!
ip access-list extended GREIPSEC
 permit ip 192.168.222.0 0.0.0.255 192.168.222.0 0.0.0.255
 permit gre host 192.168.222.3 host 192.168.222.2
!
---------------------------------------------------------
hints:
i see some errors in the mikrotik and cisco logs which i think are key to my problem, but i can't figure it out. here are the log files:
mikrotik logs:
# may/28/2022  9: 1:14 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
08:10:31 system,error,critical router was rebooted without proper shutdown 
08:10:37 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:10:37 ipsec,error phase1 negotiation failed due to send error. 192.168.222.3[500]<=>192.168.222.2[500] ed6c73386871c010:0000000000000000 
08:10:40 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:10:40 ipsec,error phase1 negotiation failed due to send error. 192.168.222.3[500]<=>192.168.222.2[500] 709e266823f644a4:0000000000000000 
08:10:40 interface,info ether1_toCisco link up (speed 100M, full duplex) 
08:10:40 interface,info ether4_toLaptop link up (speed 100M, full duplex) 
08:10:41 interface,info gre-tunnel1 link up 
08:10:42 system,info,account user admin logged in from 20:89:84:2E:FD:D8 via winbox 
08:10:45 system,info,account user admin logged in via local 
08:10:50 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:10:50 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:4e12103f105cc117:300e7acb589299c4 
08:11:15 system,info,account user admin logged in via local 
08:18:25 system,info,account user admin logged out via local 
08:35:15 system,info nat rule changed by admin 
08:43:20 system,info ipsec policy changed by admin 
08:44:52 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:44:52 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=4e12103f105cc117:300e7acb589299c4. 
08:44:52 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:4e12103f105cc117:300e7acb589299c4 rekey:1 
08:44:53 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:44:53 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:cd4c63688f52b9f2:300e7acb5dbb27f4 
08:45:22 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:45:22 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=cd4c63688f52b9f2:300e7acb5dbb27f4. 
08:45:22 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:cd4c63688f52b9f2:300e7acb5dbb27f4 rekey:1 
08:45:23 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:45:23 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:c56d6d2efdf9be5a:300e7acb38d772c1 
08:47:05 system,info,account user admin logged out via local 
08:50:55 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:50:55 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=c56d6d2efdf9be5a:300e7acb38d772c1. 
08:50:55 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:c56d6d2efdf9be5a:300e7acb38d772c1 rekey:1 
08:50:55 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:50:55 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:91ccaa08d3df319f:300e7acb7d48d3e3 
08:51:25 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
08:51:25 ipsec,info purging ISAKMP-SA 192.168.222.3[500]<=>192.168.222.2[500] spi=91ccaa08d3df319f:300e7acb7d48d3e3. 
08:51:25 ipsec,info ISAKMP-SA deleted 192.168.222.3[500]-192.168.222.2[500] spi:91ccaa08d3df319f:300e7acb7d48d3e3 rekey:1 
08:51:25 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
08:51:25 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:a61437570093ed56:300e7acb7734e634 
09:01:01 system,info,account user admin logged in via local 
---------------------------------------------------------
cisco logs:
RM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00000616818854580331 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.168.222.2, src_addr= 192.168.222.3, prot= 1
*May 30 08:26:44.169: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00000616878950376727 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.168.222.2, src_addr= 192.168.222.3, prot= 1
*May 30 08:27:28.304: ISAKMP (13634): received packet from 192.168.222.3 dport 500 sport 500 Global (R) QM_IDLE
*May 30 08:27:28.304: ISAKMP:(13634):DPD/R_U_THERE received from peer 192.168.222.3, sequence 0x592
*May 30 08:27:28.305: ISAKMP:(13634): sending packet to 192.168.222.3 my_port 500 peer_port 500 (R) QM_IDLE
*May 30 08:27:44.781: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00000616939562219425 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.168.222.2, src_addr= 192.168.222.3, prot= 1 
===================================================================================================
guys, please help me; this is a given project that means a life to me!
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Mon May 30, 2022 1:49 pm

knock knock! anybody in this town?? somebody's in danger here!
 
User avatar
JohnTRIVOLTA
Member
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: IPSec established but no ping

Mon May 30, 2022 10:23 pm

At first look I do not see a rule for a snat exception, and there are no routing rules for the LANs in the routerboard!
Last edited by JohnTRIVOLTA on Mon May 30, 2022 10:26 pm, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Mon May 30, 2022 10:26 pm

To understand what exactly the Mikrotik doesn't like about the Phase 2 offer from the Cisco, you have to activate a more detailed logging:

/system logging add topics=ipsec,!packet

Once you do that, disable the peer or identity, run /log print follow-only file=ipsec-start where topics~"ipsec", re-enable the peer or identity, wait 10 seconds and stop the /log print ..., download file ipsec-start.txt and read it.

A clear mistake I can see in the exported configuration is the local address 192.168.222.3/30 on the Mikrotik - it is a broadcast address. In a /30 network, .1 and .2 are host addresses, .3 is a broadcast one. But apparently neither the Cisco nor the Mikrotik care, i.e. it is not the cause of the Phase 2 failure.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Tue May 31, 2022 4:29 pm

At first look I do not see a rule for a snat exception, and there are no routing rules for the LANs in the routerboard!
thank you JohnTRIVOLTA. yes, you are right, but do i need them in this scenario? the two routers are connected directly using IPs in the same subnet. i'm not sure how routing rules would help while these two are in fact adjacent to each other. or am i wrong?
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Tue May 31, 2022 4:44 pm

To understand what exactly the Mikrotik doesn't like about the Phase 2 offer from the Cisco, you have to activate a more detailed logging:

/system logging add topics=ipsec,!packet

Once you do that, disable the peer or identity, run /log print follow-only file=ipsec-start where topics~"ipsec", re-enable the peer or identity, wait 10 seconds and stop the /log print ..., download file ipsec-start.txt and read it.

A clear mistake I can see in the exported configuration is the local address 192.168.222.3/30 on the Mikrotik - it is a broadcast address. In a /30 network, .1 and .2 are host addresses, .3 is a broadcast one. But apparently neither the Cisco nor the Mikrotik care, i.e. it is not the cause of the Phase 2 failure.
dear sindy, thanks. i will do this as soon as possible and will post the results.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 01, 2022 8:12 am

dear sindy, hi.
here is the output to the ipsec-start.txt file:
# may/28/2022 11: 8:49 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
11:09:18 ipsec,debug === 
11:09:18 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.3[500]<=>192.168.222.2[500] 
11:09:18 ipsec,debug new cookie: 
11:09:18 ipsec,debug 5968d1f7b726f016 
11:09:18 ipsec,debug add payload of len 52, next type 13 
11:09:18 ipsec,debug add payload of len 16, next type 13 
11:09:18 ipsec,debug add payload of len 16, next type 0 
11:09:18 ipsec,debug 124 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:18 ipsec,debug 1 times of 124 bytes message will be sent to 192.168.222.2[500] 
11:09:18 ipsec sent phase1 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:0000000000000000 
11:09:18 ipsec,debug ===== received 84 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=1(sa) len=56 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug total SA len=52 
11:09:18 ipsec,debug 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020001 
11:09:18 ipsec,debug 80040002 80030001 800b0001 000c0004 00015180 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=2(prop) len=44 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug proposal #1 len=44 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=3(trns) len=36 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug transform #1 len=36 
11:09:18 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
11:09:18 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
11:09:18 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
11:09:18 ipsec,debug pair 1: 
11:09:18 ipsec,debug  0x497798: next=(nil) tnext=(nil) 
11:09:18 ipsec,debug proposal #1: 1 transform 
11:09:18 ipsec,debug -checking with pre-shared key auth- 
11:09:18 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
11:09:18 ipsec,debug trns#=1, trns-id=IKE 
11:09:18 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 
11:09:18 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
11:09:18 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
11:09:18 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
11:09:18 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
11:09:18 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
11:09:18 ipsec,debug -compare proposal #1: Local:Peer 
11:09:18 ipsec,debug (lifetime = 86400:86400) 
11:09:18 ipsec,debug (lifebyte = 0:0) 
11:09:18 ipsec,debug enctype = 3DES-CBC:3DES-CBC 
11:09:18 ipsec,debug (encklen = 0:0) 
11:09:18 ipsec,debug hashtype = MD5:MD5 
11:09:18 ipsec,debug authmethod = pre-shared key:pre-shared key 
11:09:18 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
11:09:18 ipsec,debug -an acceptable proposal found- 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug -agreed on pre-shared key auth- 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug compute DH's private. 
11:09:18 ipsec,debug 7ef4912d d8630b7a 98213303 7e84060d 19e25a8c 15b572b8 895bdeaf 77fbc647 
11:09:18 ipsec,debug 61261bed 52903819 3034d2cf 9d64470d 1a7a4eb5 fc0b1367 55b7dde5 d01b8582 
11:09:18 ipsec,debug 802a843c 6ccd14e5 df544735 1fb81568 d231f55d a9d7b3d0 f9494fb1 af529f43 
11:09:18 ipsec,debug ce6c1628 56530940 7372992a a6e729cc 30b5adb1 13b0dcc7 f813e56f 353aa338 
11:09:18 ipsec,debug compute DH's public. 
11:09:18 ipsec,debug e988acde d306f989 4ecaae35 c18c100a ecce6202 5a0d4e80 36b7c280 b69ebf7a 
11:09:18 ipsec,debug 15e17ed9 34c344e7 18e8e63d 043b853e 47fd4e5a 95efe861 f8cf75dd 50d3c756 
11:09:18 ipsec,debug 8ee26714 abbd6283 0d2558d6 e087b5c5 3daad5cc d54e7487 d3226052 2d9acfb2 
11:09:18 ipsec,debug 7d7b70fc 3f318fa3 dd4b52fe 64af5641 f1f6b79a a0d4040a 8d6d21bf 05cff167 
11:09:18 ipsec,debug add payload of len 128, next type 10 
11:09:18 ipsec,debug add payload of len 24, next type 0 
11:09:18 ipsec,debug 188 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:18 ipsec,debug 1 times of 188 bytes message will be sent to 192.168.222.2[500] 
11:09:18 ipsec sent phase1 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb 
11:09:18 ipsec,debug ===== received 256 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=4(ke) len=132 
11:09:18 ipsec,debug seen nptype=10(nonce) len=24 
11:09:18 ipsec,debug seen nptype=13(vid) len=20 
11:09:18 ipsec,debug seen nptype=13(vid) len=20 
11:09:18 ipsec,debug seen nptype=13(vid) len=20 
11:09:18 ipsec,debug seen nptype=13(vid) len=12 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec received Vendor ID: CISCO-UNITY 
11:09:18 ipsec received Vendor ID: DPD 
11:09:18 ipsec,debug remote supports DPD 
11:09:18 ipsec,debug received unknown Vendor ID 
11:09:18 ipsec,debug c5c9ddd6 a22b38fb 6860cd6d 7e94dc65 
11:09:18 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug compute DH's shared. 
11:09:18 ipsec,debug 
11:09:18 ipsec,debug 3ff2376c d39da761 a018a082 97ad0fa7 04c469e2 285bfa93 560a2bb5 70b7151b 
11:09:18 ipsec,debug bf5bf3a5 a9728f86 00b2b890 2a24a466 833ae09b 51b2c655 f3ec6ee2 23cb255e 
11:09:18 ipsec,debug d2144e62 4eb2dede 3ed5f104 e968a272 2ab5e178 d9942ca2 0baa0d2a 3f73f536 
11:09:18 ipsec,debug 9f39626d 40884e02 0ceed870 b34e0758 fece2ec7 c3a3539f ab525228 cddbffad 
11:09:18 ipsec,debug nonce 1:  
11:09:18 ipsec,debug f87d3648 a3d22df2 4735d6af 89f709dc 23c709d6 9c40404d 
11:09:18 ipsec,debug nonce 2:  
11:09:18 ipsec,debug 46a5053a 70e02b12 784d8c69 0cb06495 bace2099 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID computed: 
11:09:18 ipsec,debug f8a8425b efc2d3a0 9bd0d9fa 3a3ce87c 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID_d computed: 
11:09:18 ipsec,debug 5e171706 eec3b3c0 f8283445 1890ab09 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID_a computed: 
11:09:18 ipsec,debug a9717edf 3f9c173c 4b33a116 d2a7e0cd 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug SKEYID_e computed: 
11:09:18 ipsec,debug cac0c1c1 785ed85e b90707ef ef3cb480 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug len(SKEYID_e) < len(Ka) (16 < 24), generating long key (Ka = K1 | K2 | ...) 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug compute intermediate encryption key K1 
11:09:18 ipsec,debug 00 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug compute intermediate encryption key K2 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 
11:09:18 ipsec,debug c5e919c1 86ba1879 b89c2c0e ca513f89 
11:09:18 ipsec,debug final encryption key computed: 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug IV computed: 
11:09:18 ipsec,debug 2351072a 33ec5143 
11:09:18 ipsec,debug use ID type of IPv4_address 
11:09:18 ipsec,debug HASH with: 
11:09:18 ipsec,debug e988acde d306f989 4ecaae35 c18c100a ecce6202 5a0d4e80 36b7c280 b69ebf7a 
11:09:18 ipsec,debug 15e17ed9 34c344e7 18e8e63d 043b853e 47fd4e5a 95efe861 f8cf75dd 50d3c756 
11:09:18 ipsec,debug 8ee26714 abbd6283 0d2558d6 e087b5c5 3daad5cc d54e7487 d3226052 2d9acfb2 
11:09:18 ipsec,debug 7d7b70fc 3f318fa3 dd4b52fe 64af5641 f1f6b79a a0d4040a 8d6d21bf 05cff167 
11:09:18 ipsec,debug e93aada8 2112c47e e17ee091 9dc778ab 78bf3801 69fd1c37 dbcddfaf 85c4fd88 
11:09:18 ipsec,debug f236d234 8750132b b6a89e8c 07426a50 393de29c f74bd896 1e9491f9 e3ef9cbc 
11:09:18 ipsec,debug 227cc686 3d0a8080 483c2c61 6dd7f2e5 8123713b 468c9b36 621474df b4462280 
11:09:18 ipsec,debug 311f5144 8a5d4824 20de5c28 2f6e42c9 af198c41 9991e68a 0cb1c02f ead6d62d 
11:09:18 ipsec,debug 5968d1f7 b726f016 300e7acb a22a38fb 00000001 00000001 0000002c 01010001 
11:09:18 ipsec,debug 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020001 
11:09:18 ipsec,debug 80040002 011101f4 c0a8de03 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug HASH computed: 
11:09:18 ipsec,debug 2e99a6d6 af92d3c6 68515997 6aafee4d 
11:09:18 ipsec,debug add payload of len 8, next type 8 
11:09:18 ipsec,debug add payload of len 16, next type 0 
11:09:18 ipsec,debug begin encryption. 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug pad length = 8 
11:09:18 ipsec,debug 0800000c 011101f4 c0a8de03 00000014 2e99a6d6 af92d3c6 68515997 6aafee4d 
11:09:18 ipsec,debug 8ea38a9f cc757407 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug with key: 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:18 ipsec,debug encrypted payload by IV: 
11:09:18 ipsec,debug 2351072a 33ec5143 
11:09:18 ipsec,debug save IV for next: 
11:09:18 ipsec,debug 13d02418 39a93f59 
11:09:18 ipsec,debug encrypted. 
11:09:18 ipsec,debug 68 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:18 ipsec,debug 1 times of 68 bytes message will be sent to 192.168.222.2[500] 
11:09:18 ipsec sent phase1 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb 
11:09:18 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug IV was saved for next processing: 
11:09:18 ipsec,debug 1ccc9d5f b7c3a957 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug with key: 
11:09:18 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:18 ipsec,debug decrypted payload by IV: 
11:09:18 ipsec,debug 13d02418 39a93f59 
11:09:18 ipsec,debug decrypted payload, but not trimed. 
11:09:18 ipsec,debug 0800000c 011101f4 c0a8de02 0b000014 16ae1ac6 0781cd33 703a3c01 8cbacca2 
11:09:18 ipsec,debug 00000028 00000001 01106000 5968d1f7 b726f016 300e7acb a22a38fb 800b0001 
11:09:18 ipsec,debug 000c0004 00015180 00000000 00000000 
11:09:18 ipsec,debug padding len=1 
11:09:18 ipsec,debug skip to trim padding. 
11:09:18 ipsec,debug decrypted. 
11:09:18 ipsec,debug 5968d1f7 b726f016 300e7acb a22a38fb 05100201 00000000 0000006c 0800000c 
11:09:18 ipsec,debug 011101f4 c0a8de02 0b000014 16ae1ac6 0781cd33 703a3c01 8cbacca2 00000028 
11:09:18 ipsec,debug 00000001 01106000 5968d1f7 b726f016 300e7acb a22a38fb 800b0001 000c0004 
11:09:18 ipsec,debug 00015180 00000000 00000000 
11:09:18 ipsec,debug begin. 
11:09:18 ipsec,debug seen nptype=5(id) len=12 
11:09:18 ipsec,debug seen nptype=8(hash) len=20 
11:09:18 ipsec,debug seen nptype=11(notify) len=40 
11:09:18 ipsec,debug succeed. 
11:09:18 ipsec,debug 192.168.222.2 Notify Message received 
11:09:18 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
11:09:18 ipsec,debug HASH received: 
11:09:18 ipsec,debug 16ae1ac6 0781cd33 703a3c01 8cbacca2 
11:09:18 ipsec,debug HASH with: 
11:09:18 ipsec,debug e93aada8 2112c47e e17ee091 9dc778ab 78bf3801 69fd1c37 dbcddfaf 85c4fd88 
11:09:18 ipsec,debug f236d234 8750132b b6a89e8c 07426a50 393de29c f74bd896 1e9491f9 e3ef9cbc 
11:09:18 ipsec,debug 227cc686 3d0a8080 483c2c61 6dd7f2e5 8123713b 468c9b36 621474df b4462280 
11:09:18 ipsec,debug 311f5144 8a5d4824 20de5c28 2f6e42c9 af198c41 9991e68a 0cb1c02f ead6d62d 
11:09:18 ipsec,debug e988acde d306f989 4ecaae35 c18c100a ecce6202 5a0d4e80 36b7c280 b69ebf7a 
11:09:18 ipsec,debug 15e17ed9 34c344e7 18e8e63d 043b853e 47fd4e5a 95efe861 f8cf75dd 50d3c756 
11:09:18 ipsec,debug 8ee26714 abbd6283 0d2558d6 e087b5c5 3daad5cc d54e7487 d3226052 2d9acfb2 
11:09:18 ipsec,debug 7d7b70fc 3f318fa3 dd4b52fe 64af5641 f1f6b79a a0d4040a 8d6d21bf 05cff167 
11:09:18 ipsec,debug 300e7acb a22a38fb 5968d1f7 b726f016 00000001 00000001 0000002c 01010001 
11:09:18 ipsec,debug 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020001 
11:09:18 ipsec,debug 80040002 011101f4 c0a8de02 
11:09:18 ipsec,debug hmac(hmac_md5) 
11:09:18 ipsec,debug HASH computed: 
11:09:18 ipsec,debug 16ae1ac6 0781cd33 703a3c01 8cbacca2 
11:09:18 ipsec,debug HASH for PSK validated. 
11:09:18 ipsec,debug 192.168.222.2 peer's ID: 
11:09:18 ipsec,debug 011101f4 c0a8de02 
11:09:18 ipsec,debug === 
11:09:18 ipsec ph2 possible after ph1 creation 
11:09:18 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
11:09:18 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-md5) 
11:09:18 ipsec,debug begin QUICK mode. 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug begin QUICK mode. 
11:09:18 ipsec initiate new phase 2 negotiation: 192.168.222.3[500]<=>192.168.222.2[500] 
11:09:18 ipsec,debug compute IV for phase2 
11:09:18 ipsec,debug phase1 last IV: 
11:09:18 ipsec,debug 1ccc9d5f b7c3a957 98c5c145 
11:09:18 ipsec,debug hash(md5) 
11:09:18 ipsec,debug encryption(3des) 
11:09:18 ipsec,debug phase2 IV computed: 
11:09:18 ipsec,debug 748bf612 f81d4c7c 
11:09:18 ipsec,debug call pfkey_send_getspi 5 
11:09:18 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.3[500]  
11:09:18 ipsec,debug pfkey getspi sent. 
11:09:18 ipsec,info ISAKMP-SA established 192.168.222.3[500]-192.168.222.2[500] spi:5968d1f7b726f016:300e7acba22a38fb 
11:09:18 ipsec,debug === 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug dh(modp1024) 
11:09:18 ipsec,debug dh(modp1024) 
11:09:19 ipsec,debug compute DH's private. 
11:09:19 ipsec,debug 4031f515 b8ce70cf 3a668bf2 7859dcff 5611ea74 05a95cd2 128a39c5 e7b3d8e5 
11:09:19 ipsec,debug 4467a02d a291bf5c d08d13f6 10972181 f496b1ac 46473ec2 a04be575 e43e4cf6 
11:09:19 ipsec,debug e84bebdd 9489d576 a2637843 38ec3763 bddff2c4 52c88502 a60ea5d3 59df3774 
11:09:19 ipsec,debug 1646e58b 5ec8173c f69f767c 88018eeb b7aadcc8 9db60371 d70e2780 24658572 
11:09:19 ipsec,debug compute DH's public. 
11:09:19 ipsec,debug 53da0eaf c2184fdd 8fb125ae c36ca04c 375ac7e9 5bc9ee86 aa0700ff c7a66a4e 
11:09:19 ipsec,debug 57152dfe be347f36 4b892748 823cc2a6 17dc95f2 c0f698d8 e900acc1 0beb7aa9 
11:09:19 ipsec,debug 9a481e1b 6d08aa25 44f99979 ed19db36 e65def27 53ae5c67 6214a1cc 561796cb 
11:09:19 ipsec,debug 77363671 85964f16 656a5c6b 22aaf39c 5fc3caf9 2a8f77cc 21ff84fd b9725e43 
11:09:19 ipsec,debug use local ID type IPv4_subnet 
11:09:19 ipsec,debug use remote ID type IPv4_subnet 
11:09:19 ipsec,debug IDci: 
11:09:19 ipsec,debug 04000000 ac100200 ffffff00 
11:09:19 ipsec,debug IDcr: 
11:09:19 ipsec,debug 04000000 01010100 ffffff00 
11:09:19 ipsec,debug add payload of len 52, next type 10 
11:09:19 ipsec,debug add payload of len 24, next type 4 
11:09:19 ipsec,debug add payload of len 128, next type 5 
11:09:19 ipsec,debug add payload of len 12, next type 5 
11:09:19 ipsec,debug add payload of len 12, next type 0 
11:09:19 ipsec,debug HASH with: 
11:09:19 ipsec,debug 98c5c145 0a000038 00000001 00000001 0000002c 01030401 0bde7ef8 00000020 
11:09:19 ipsec,debug 01030000 80010001 00020004 00015180 80040001 80050001 80030002 0400001c 
11:09:19 ipsec,debug cf038d2c 5b9354cd f29f9e81 324fb845 34e7f69c 53c03468 05000084 53da0eaf 
11:09:19 ipsec,debug c2184fdd 8fb125ae c36ca04c 375ac7e9 5bc9ee86 aa0700ff c7a66a4e 57152dfe 
11:09:19 ipsec,debug be347f36 4b892748 823cc2a6 17dc95f2 c0f698d8 e900acc1 0beb7aa9 9a481e1b 
11:09:19 ipsec,debug 6d08aa25 44f99979 ed19db36 e65def27 53ae5c67 6214a1cc 561796cb 77363671 
11:09:19 ipsec,debug 85964f16 656a5c6b 22aaf39c 5fc3caf9 2a8f77cc 21ff84fd b9725e43 05000010 
11:09:19 ipsec,debug 04000000 ac100200 ffffff00 00000010 04000000 01010100 ffffff00 
11:09:19 ipsec,debug hmac(hmac_md5) 
11:09:19 ipsec,debug HASH computed: 
11:09:19 ipsec,debug 0abdcc3c 631ff1bd 153a0842 8ab8bd2c 
11:09:19 ipsec,debug add payload of len 16, next type 1 
11:09:19 ipsec,debug begin encryption. 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug pad length = 4 
11:09:19 ipsec,debug 01000014 0abdcc3c 631ff1bd 153a0842 8ab8bd2c 0a000038 00000001 00000001 
11:09:19 ipsec,debug 0000002c 01030401 0bde7ef8 00000020 01030000 80010001 00020004 00015180 
11:09:19 ipsec,debug 80040001 80050001 80030002 0400001c cf038d2c 5b9354cd f29f9e81 324fb845 
11:09:19 ipsec,debug 34e7f69c 53c03468 05000084 53da0eaf c2184fdd 8fb125ae c36ca04c 375ac7e9 
11:09:19 ipsec,debug 5bc9ee86 aa0700ff c7a66a4e 57152dfe be347f36 4b892748 823cc2a6 17dc95f2 
11:09:19 ipsec,debug c0f698d8 e900acc1 0beb7aa9 9a481e1b 6d08aa25 44f99979 ed19db36 e65def27 
11:09:19 ipsec,debug 53ae5c67 6214a1cc 561796cb 77363671 85964f16 656a5c6b 22aaf39c 5fc3caf9 
11:09:19 ipsec,debug 2a8f77cc 21ff84fd b9725e43 05000010 04000000 ac100200 ffffff00 00000010 
11:09:19 ipsec,debug 04000000 01010100 ffffff00 a5b81303 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug with key: 
11:09:19 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:19 ipsec,debug encrypted payload by IV: 
11:09:19 ipsec,debug 748bf612 f81d4c7c 
11:09:19 ipsec,debug save IV for next: 
11:09:19 ipsec,debug 107892cb 02d99be7 
11:09:19 ipsec,debug encrypted. 
11:09:19 ipsec,debug 300 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:19 ipsec,debug 1 times of 300 bytes message will be sent to 192.168.222.2[500] 
11:09:19 ipsec sent phase2 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb:98c5c145 
11:09:19 ipsec,debug ===== received 84 bytes from 192.168.222.2[500] to 192.168.222.3[500] 
11:09:19 ipsec,debug receive Information. 
11:09:19 ipsec,debug compute IV for phase2 
11:09:19 ipsec,debug phase1 last IV: 
11:09:19 ipsec,debug 1ccc9d5f b7c3a957 b18c73a2 
11:09:19 ipsec,debug hash(md5) 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug phase2 IV computed: 
11:09:19 ipsec,debug 1a60920e e6e20093 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug IV was saved for next processing: 
11:09:19 ipsec,debug 5f6b8b8d a7e0b3bc 
11:09:19 ipsec,debug encryption(3des) 
11:09:19 ipsec,debug with key: 
11:09:19 ipsec,debug 968b3e86 46a4e695 f14388f1 0f68ddc6 c5e919c1 86ba1879 
11:09:19 ipsec,debug decrypted payload by IV: 
11:09:19 ipsec,debug 1a60920e e6e20093 
11:09:19 ipsec,debug decrypted payload, but not trimed. 
11:09:19 ipsec,debug 0b000014 d9023c31 4e15c9f8 66189d43 61c9c334 0000001c 00000001 0304000e 
11:09:19 ipsec,debug 0bde7ef8 0a000038 00000001 00000001 00000000 00000000 
11:09:19 ipsec,debug padding len=1 
11:09:19 ipsec,debug skip to trim padding. 
11:09:19 ipsec,debug decrypted. 
11:09:19 ipsec,debug 5968d1f7 b726f016 300e7acb a22a38fb 08100501 b18c73a2 00000054 0b000014 
11:09:19 ipsec,debug d9023c31 4e15c9f8 66189d43 61c9c334 0000001c 00000001 0304000e 0bde7ef8 
11:09:19 ipsec,debug 0a000038 00000001 00000001 00000000 00000000 
11:09:19 ipsec,debug HASH with: 
11:09:19 ipsec,debug b18c73a2 0000001c 00000001 0304000e 0bde7ef8 0a000038 00000001 00000001 
11:09:19 ipsec,debug hmac(hmac_md5) 
11:09:19 ipsec,debug HASH computed: 
11:09:19 ipsec,debug d9023c31 4e15c9f8 66189d43 61c9c334 
11:09:19 ipsec,debug hash validated. 
11:09:19 ipsec,debug begin. 
11:09:19 ipsec,debug seen nptype=8(hash) len=20 
11:09:19 ipsec,debug seen nptype=11(notify) len=28 
11:09:19 ipsec,debug succeed. 
11:09:19 ipsec,debug 192.168.222.2 notify: NO-PROPOSAL-CHOSEN 
11:09:19 ipsec 192.168.222.2 fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. 
11:09:19 ipsec,debug 192.168.222.2 notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0bde7ef8(size=4). 
11:09:19 ipsec 192.168.222.2 Message: '8 '. 
11:09:29 ipsec,debug 300 bytes from 192.168.222.3[500] to 192.168.222.2[500] 
11:09:29 ipsec,debug 1 times of 300 bytes message will be sent to 192.168.222.2[500] 
11:09:29 ipsec resent phase2 packet 192.168.222.3[500]<=>192.168.222.2[500] 5968d1f7b726f016:300e7acba22a38fb:98c5c145 
regards.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 01, 2022 9:19 am

The interesting point is that as soon as I shut down IPsec on both sides, the GRE tunnel comes back, and since no keepalive is set, GRE seems not to go down. I thought this feedback might catch your eyes.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 01, 2022 10:14 am

The interesting point is that as soon as I shut down IPsec on both sides, the GRE tunnel comes back, and since no keepalive is set, GRE seems not to go down. I thought this feedback might catch your eyes.
I think this part of the captured log is key:
11:09:19 ipsec,debug 192.168.222.2 notify: NO-PROPOSAL-CHOSEN
11:09:19 ipsec 192.168.222.2 fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
11:09:19 ipsec,debug 192.168.222.2 notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0bde7ef8(size=4).
I googled this "NO-PROPOSAL-CHOSEN" exception and some people say it relates to a wrong or bad encryption/hash/authentication algorithm selection. Any ideas?
regards.
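Editor's note (added here; the script below is not code from the thread, from MikroTik or from Cisco): the notify at 11:09:19 carries `doi=1 proto_id=3`, so the proposal the Cisco rejected is the ESP one from quick mode (phase 2), i.e. the `/ip ipsec proposal` transform rather than the phase-1 profile. To see exactly what each side offered, decode the hex that RouterOS prints after `total SA len=N`: it is the SA payload body (DOI, situation, then proposal and transform payloads per RFC 2408) with the attribute classes of RFC 2409 for phase 1 or of the IPsec DOI, RFC 2407, for phase 2. The two dumps used as input are copied from the 22:26:24 and 22:26:25 log lines further down this thread; the 3DES/MD5 and 3DES/SHA transforms it compares are constructed from the May-time configs (MikroTik `auth-algorithms=md5 enc-algorithms=3des`, Cisco `esp-3des esp-sha-hmac`) and are labelled as such in the code.

```python
"""Decode the ISAKMP SA payload that RouterOS dumps after 'total SA len=N' in
its ipsec,debug log: SA body (RFC 2408) carrying IKE attributes (RFC 2409,
phase 1) or IPsec DOI attributes (RFC 2407, phase 2)."""
import struct

PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
ESP_TRANSFORM = {2: "DES", 3: "3DES", 11: "NULL", 12: "AES-CBC"}
GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
IKE_ATTR = {  # phase 1 attribute classes, RFC 2409 Appendix A
    1: ("Encryption Algorithm", {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}),
    2: ("Hash Algorithm", {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}),
    3: ("Authentication Method", {1: "pre-shared key", 3: "RSA signature"}),
    4: ("Group Description", GROUPS),
    11: ("Life Type", {1: "seconds", 2: "kilobytes"}),
    12: ("Life Duration", None),
    14: ("Key Length", None),
}
IPSEC_ATTR = {  # phase 2 attribute classes, RFC 2407 section 4.5
    1: ("SA Life Type", {1: "seconds", 2: "kilobytes"}),
    2: ("SA Life Duration", None),
    3: ("Group Description", GROUPS),
    4: ("Encapsulation Mode", {1: "Tunnel", 2: "Transport", 3: "UDP-Tunnel", 4: "UDP-Transport"}),
    5: ("Authentication Algorithm", {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256"}),
    6: ("Key Length", None),
}


def parse_attributes(buf, table):
    """Data attributes: type with the high bit set = 2-byte value (TV),
    otherwise a 2-byte length followed by the value (TLV)."""
    attrs, off = {}, 0
    while off < len(buf):
        atype, = struct.unpack_from(">H", buf, off)
        if atype & 0x8000:
            value, = struct.unpack_from(">H", buf, off + 2)
            off += 4
        else:
            length, = struct.unpack_from(">H", buf, off + 2)
            value = int.from_bytes(buf[off + 4:off + 4 + length], "big")
            off += 4 + length
        name, names = table.get(atype & 0x7FFF, ("attr %d" % (atype & 0x7FFF), None))
        attrs[name] = names.get(value, value) if names else value
    return attrs


def decode_sa(hexdump):
    """hexdump = the words RouterOS prints after 'total SA len=N' (the SA
    payload without its 4-byte generic header). Returns the proposals."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    doi, _situation = struct.unpack_from(">II", data, 0)
    if doi != 1:
        raise ValueError("not the IPsec DOI")
    proposals, off = [], 8
    while off < len(data):
        # proposal payload: next, reserved, length, proposal#, protocol-id, SPI size, #transforms
        _nxt, _res, plen, pnum, proto, spi_size, ntrans = struct.unpack_from(">BBHBBBB", data, off)
        spi = data[off + 8:off + 8 + spi_size].hex()
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            # transform payload: next, reserved, length, transform#, transform-id, reserved2
            _tnxt, _tres, tlen, _tnum, tid, _tres2 = struct.unpack_from(">BBHBBH", data, toff)
            table = IKE_ATTR if proto == 1 else IPSEC_ATTR
            tname = "KEY_IKE" if proto == 1 else ESP_TRANSFORM.get(tid, tid)
            transforms.append({"transform": tname, **parse_attributes(data[toff + 8:toff + tlen], table)})
            toff += tlen
        proposals.append({"proposal": pnum, "protocol": PROTO.get(proto, proto),
                          "spi": spi, "transforms": transforms})
        off += plen
    return proposals


def transform_mismatches(local, peer):
    """Attributes on which two transforms disagree; any non-empty result is
    what a responder answers with NO-PROPOSAL-CHOSEN."""
    keys = sorted(set(local) | set(peer))
    return {k: (local.get(k), peer.get(k)) for k in keys if local.get(k) != peer.get(k)}


# Copied from the 22:26:24 (phase 1) and 22:26:25 (phase 2) lines of the log in this thread.
PHASE1_SA = ("00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 "
             "80020002 80040002 80030001 800b0001 000c0004 00015180")
PHASE2_SA = ("00000001 00000001 00000030 01030401 06459dd2 00000024 010c0000 80010001 "
             "00020004 00015180 80040001 80060080 80050002 80030002")

# Constructed, not dumped from the log: the ESP transforms implied by the May
# configs (MikroTik auth-algorithms=md5 enc-algorithms=3des; Cisco esp-3des esp-sha-hmac).
MAY_MIKROTIK_ESP = {"transform": "3DES", "Authentication Algorithm": "HMAC-MD5", "Encapsulation Mode": "Tunnel"}
MAY_CISCO_ESP = {"transform": "3DES", "Authentication Algorithm": "HMAC-SHA1", "Encapsulation Mode": "Tunnel"}

if __name__ == "__main__":
    for label, dump in (("phase 1", PHASE1_SA), ("phase 2", PHASE2_SA)):
        for prop in decode_sa(dump):
            print(label, prop["protocol"], "spi=%s" % (prop["spi"] or "-"), prop["transforms"])
    print("May mismatch:", transform_mismatches(MAY_MIKROTIK_ESP, MAY_CISCO_ESP))
```

Run stand-alone it prints the phase-1 transform (AES-CBC 128, SHA1, modp1024, pre-shared key, 86400 s) and the ESP transform the Cisco chose (spi 06459dd2, AES-CBC 128, HMAC-SHA1, Tunnel, modp1024), which agrees with the text the log itself prints after each dump; `transform_mismatches` on the May-time transforms returns only the authenticator, the same thing sindy points at further down.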
 
johnson73
Member Candidate
Posts: 184
Joined: Wed Feb 05, 2020 10:07 am

Re: IPSec established but no ping

Wed Jun 01, 2022 11:05 am

I recommend that you use the default firewall rules for the traffic to work properly. The two rules that are visible in your configuration are not enough.
Or use this suggestion - forum.mikrotik.com/viewtopic.php?t=180838
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
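Editor's caveat on the defconf set above (the Python is an added illustration, not code from the thread or from MikroTik): the last input rule, `drop all not coming from LAN`, matches everything arriving on an interface that is not in the LAN list, which on this RB951 would include IKE (UDP 500/4500) and ESP from the Cisco on ether1_toCisco. Replies to an exchange the MikroTik itself initiated come back as `established`, but a negotiation or rekey initiated from the Cisco side is `new` and is dropped unless an accept rule precedes that drop. The script models RouterOS first-match evaluation (a packet matching no rule is accepted) over this chain and over a variant with explicit accepts for the peer's IKE and ESP. Interface-list membership is assumed, since the export in this thread defines no `/interface list`, and the sample packets are constructed.

```python
"""First-match evaluation of a RouterOS-style input chain: the first rule whose
matchers all hold decides the packet; a packet matching no rule is accepted
(RouterOS has no implicit final drop)."""

# Interface lists are assumed: the export in this thread defines none, so the
# names and members here are the editor's, not the poster's.
IFACE_LISTS = {"LAN": {"ether2_toLAN"}, "WAN": {"ether1_toCisco"}}
PEER = "192.168.222.2"  # the Cisco end, from the thread


def rule(action, **match):
    return {"action": action, "match": match}


# johnson73's defconf input chain, transcribed from the post above.
DEFCONF_INPUT = [
    rule("accept", connection_state={"established", "related", "untracked"}),
    rule("drop", connection_state={"invalid"}),
    rule("accept", protocol="icmp"),
    rule("drop", in_interface_list="!LAN"),
]

# The same chain with the peer's IKE and ESP admitted before the catch-all drop
# (editor's addition, not part of the thread).
INPUT_WITH_IPSEC = DEFCONF_INPUT[:3] + [
    rule("accept", protocol="udp", dst_port={500, 4500}, src_address=PEER),
    rule("accept", protocol="ipsec-esp", src_address=PEER),
] + DEFCONF_INPUT[3:]


def _matches(r, pkt):
    for key, want in r["match"].items():
        if key == "in_interface_list":                 # "LAN" or negated "!LAN"
            negate = want.startswith("!")
            in_list = pkt["in_interface"] in IFACE_LISTS.get(want.lstrip("!"), set())
            if in_list == negate:
                return False
        elif key in ("connection_state", "dst_port"):  # set of allowed values
            if pkt.get(key) not in want:
                return False
        elif pkt.get(key) != want:                     # exact match (protocol, src_address)
            return False
    return True


def verdict(chain, pkt):
    for r in chain:
        if _matches(r, pkt):
            return r["action"]
    return "accept"  # fell off the end of the chain


def pkt(**fields):
    """Constructed sample packet arriving from the Cisco on ether1_toCisco."""
    base = {"in_interface": "ether1_toCisco", "src_address": PEER, "connection_state": "new"}
    base.update(fields)
    return base


SAMPLES = {
    "ike_from_cisco": pkt(protocol="udp", dst_port=500),   # Cisco-initiated IKE or rekey
    "esp_from_cisco": pkt(protocol="ipsec-esp"),
    "icmp_from_cisco": pkt(protocol="icmp"),
    "ike_reply": pkt(protocol="udp", dst_port=500, connection_state="established"),
}


def audit(chain):
    return {name: verdict(chain, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print("defconf input chain:  ", audit(DEFCONF_INPUT))
    print("with IKE/ESP accepts: ", audit(INPUT_WITH_IPSEC))
```

With the chain as posted, the Cisco-initiated IKE and the inbound ESP sample both end at the `!LAN` drop while ICMP and the established reply pass; with the two accepts inserted before that drop all four pass. Whether conntrack classifies inbound ESP as a reply depends on which side sent first, so the explicit rules are the robust choice.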
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 01, 2022 12:15 pm

I recommend that you use the default firewall rules for the traffic to work properly. The two rules that are visible in your configuration are not enough.
Or use this suggestion - forum.mikrotik.com/viewtopic.php?t=180838
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Thank you johnson73 for your reply, but I'm wondering how default firewall rules could affect this scenario, in which the routers are connected physically, directly, using IPs in the same subnet? Let me clarify that as soon as I shut down IPsec, GRE works perfectly without even a blink. After all, I'm not sure if I'm on the right track.
regards.
 
johnson73
Member Candidate
Posts: 184
Joined: Wed Feb 05, 2020 10:07 am

Re: IPSec established but no ping

Wed Jun 01, 2022 1:10 pm

I have had a similar case where IPsec worked very unstably between devices. Until I changed the firewall on the MikroTik router to the default (of course, adding my own required rules) there was no stable operation. That's why I always use MikroTik's "default rules" on the router as a basis, supplementing them with the ones I need. This is from my personal experience.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Wed Jun 01, 2022 1:24 pm

OK, so two points.

First, NO_PROPOSAL_CHOSEN is indeed an indication that none of the encryption and/or authentication algorithm combinations proposed by the peer receiving this message is supported or enabled at the peer sending this message.

And indeed, that is your case.
Cisco: crypto ipsec transform-set myset esp-3des esp-sha-hmac
Mikrotik: /ip ipsec proposal set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d

So align the auth-algorithms (at Mikrotik side, it would be /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1), and you should be good.

Second, the GRE being up when IPsec policy is disabled - that sounds strange to me, but I don't pretend I know everything. The GRE tunnel is indicated as being up in two cases
  • always if keepalive is disabled
  • as long as at least one transport packet from the GRE peer has been received during past keepalive interval
So with keepalive enabled, and IPsec policy disabled, the GRE packets are exchanged between the routers in plaintext and the interface is shown as up; once you configure the policy, the plaintext packets stop being delivered as the policy intercepts them even if no security association is currently available for it (this is by design and works in both directions). I don't know about any mechanism making the tunnel be reported as down when keepalive is disabled and an IPsec policy matching the transport packets is enabled, but it does not mean such mechanism does not exist.
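A worked check of sindy's second point, added here by the editor (not code from the thread, from MikroTik or from Cisco): an IPsec policy intercepts whatever matches its selectors, so both ends must describe the same packets, and for GRE over IPsec those are the GRE transport packets between the tunnel endpoints, i.e. the outer header after encapsulation, not the LAN prefixes carried inside. In the configs alv84 posts further down, the RouterOS policy covers 172.16.2.0/24 -> 1.1.1.0/24 protocol gre, which no real packet ever matches (the LAN traffic has already been wrapped in GRE between 192.168.222.5 and 192.168.222.2 by the time the policy sees it), so the GRE packets leave in plaintext; the Cisco crypto ACL contains `permit gre any any`, so IOS expects every inbound GRE packet to be ESP-protected and drops the plaintext ones. That is the `%CRYPTO-4-RECVD_PKT_NOT_IPSEC ... src_addr= 192.168.222.5, prot= 47` line in the Cisco log. The script models both rule sets against the GRE outer packet and against a corrected pair (host-to-host GRE selectors on both sides, the editor's suggestion); the LAN host addresses are constructed. Two further caveats visible in that post: the exported policy is `disabled=yes` although the log shows it active during the negotiation (IDci 172.16.2.0/24, IDcr 1.1.1.0/24), and crypto map `gremap 1` has no `set transform-set`, which is why IOS logs `%CRYPTO-6-IPSEC_USING_DEFAULT`; sequence 10 with `myset1` uses the same peer and ACL and is never reached.

```python
"""Do both ends of a GRE-over-IPsec link protect the same packets?
The IPsec policy is matched against the packet as it leaves the router,
i.e. the GRE outer header, not the LAN addresses carried inside it."""
import ipaddress

GRE, ICMP = 47, 1


class Selector:
    """One traffic selector as written on the device that owns it: a RouterOS
    policy (src-address, dst-address, protocol) or a Cisco crypto-ACL line
    (source first, destination second). proto=None means any protocol."""

    def __init__(self, src, dst, proto=None):
        self.src = ipaddress.ip_network(src, strict=False)
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.proto = proto

    def covers(self, src_ip, dst_ip, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in (None, proto))


def gre_encapsulate(inner, local, remote):
    """Routing a packet into the GRE interface wraps it in an outer IPv4
    header between the tunnel endpoints; the inner header becomes payload."""
    return (local, remote, GRE)


def check(mikrotik_policy, cisco_acl, packet):
    """packet = (src, dst, proto) on the wire, leaving the MikroTik.
    RouterOS matches outbound packets against the policy as written; IOS checks
    inbound packets against the crypto ACL with source and destination mirrored."""
    src, dst, proto = packet
    mt_encrypts = any(s.covers(src, dst, proto) for s in mikrotik_policy)
    cisco_expects = any(s.covers(dst, src, proto) for s in cisco_acl)
    if mt_encrypts and cisco_expects:
        return "agree: protected"
    if not mt_encrypts and not cisco_expects:
        return "agree: plaintext"
    if cisco_expects:
        return "mismatch: MikroTik sends plaintext, IOS drops it (RECVD_PKT_NOT_IPSEC)"
    return "mismatch: MikroTik encrypts, IOS has no crypto ACL entry for it"


MT_LOCAL, CISCO = "192.168.222.5", "192.168.222.2"

# Selectors transcribed from the configs posted further down in this thread.
THREAD_MT_POLICY = [Selector("172.16.2.0/24", "1.1.1.0/24", GRE)]
THREAD_CISCO_ACL = [Selector("172.16.2.0/24", "1.1.1.0/24"),       # permit ip 172.16.2.0 ... 1.1.1.0 ...
                    Selector("0.0.0.0/0", "0.0.0.0/0", GRE)]        # permit gre any any

# A corrected pair (editor's suggestion, not from the thread): protect the GRE
# transport packets between the two endpoints, described identically on both sides.
FIXED_MT_POLICY = [Selector(MT_LOCAL + "/32", CISCO + "/32", GRE)]
FIXED_CISCO_ACL = [Selector(CISCO + "/32", MT_LOCAL + "/32", GRE)]  # permit gre host .2 host .5


def lan_ping_verdict(mt_policy, cisco_acl):
    """A ping from a MikroTik LAN host to the Cisco loopback, as the Cisco sees
    it after GRE encapsulation. Host addresses are constructed samples."""
    inner = ("172.16.2.10", "1.1.1.1", ICMP)
    outer = gre_encapsulate(inner, MT_LOCAL, CISCO)
    return check(mt_policy, cisco_acl, outer)


if __name__ == "__main__":
    print("thread configs:", lan_ping_verdict(THREAD_MT_POLICY, THREAD_CISCO_ACL))
    print("fixed configs: ", lan_ping_verdict(FIXED_MT_POLICY, FIXED_CISCO_ACL))
```

`lan_ping_verdict` with the thread's selectors returns the plaintext/drop mismatch; with the fixed pair it returns `agree: protected`. Feeding the un-encapsulated LAN packet to `check` returns `agree: plaintext` on both sides, which is the point: the negotiated 172.16.2.0/24 <-> 1.1.1.0/24 proto 47 selectors never see a real packet. The check covers selector agreement only; transform set, PFS group and mode still have to match, as the first half of this thread shows.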
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sat Jun 04, 2022 10:58 pm

hey mates, sorry for the long absence.
I am clearly disappointed with this topic! I don't know where the hell the mismatch is?? Meanwhile I just followed what dear Sindy said, but this time using a different IP plan with an internal LAN on both ends. So here is the output of the "ipsec-start.txt" file:
# jun/ 4/2022 22:25:46 by RouterOS 6.49.6
# software id = 0G7Y-54W3
#
22:25:53 ipsec,debug 192.168.222.2 DPD monitoring.... 
22:25:53 ipsec,debug hash(sha1) 
22:25:53 ipsec,debug 92 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:25:53 ipsec,debug 1 times of 92 bytes message will be sent to 192.168.222.2[500] 
22:25:53 ipsec,debug sendto Information notify. 
22:25:53 ipsec,debug 192.168.222.2 DPD R-U-There sent (0) 
22:25:53 ipsec,debug 192.168.222.2 rescheduling send_r_u (5). 
22:25:53 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:25:53 ipsec,debug receive Information. 
22:25:53 ipsec,debug hash(sha1) 
22:25:53 ipsec,debug hash validated. 
22:25:53 ipsec,debug begin. 
22:25:53 ipsec,debug seen nptype=8(hash) len=24 
22:25:53 ipsec,debug seen nptype=11(notify) len=32 
22:25:53 ipsec,debug succeed. 
22:25:53 ipsec,debug 192.168.222.2 notify: R_U_THERE_ACK 
22:25:53 ipsec,debug 192.168.222.2 DPD R-U-There-Ack received 
22:25:53 ipsec,debug received an R-U-THERE-ACK 
22:25:54 ipsec,debug Removing PH1... 
22:25:54 ipsec,debug Deleting a Ph2... 
22:25:54 ipsec,debug hash(sha1) 
22:25:54 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:25:54 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
22:25:54 ipsec,debug sendto Information delete. 
22:25:54 ipsec purged IPsec-SA proto_id=ESP spi=0xdc2d768c 
22:25:54 ipsec purged IPsec-SA proto_id=ESP spi=0xfb7798a 
22:25:54 ipsec,debug hash(sha1) 
22:25:54 ipsec,debug 92 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:25:54 ipsec,debug 1 times of 92 bytes message will be sent to 192.168.222.2[500] 
22:25:54 ipsec,debug sendto Information delete. 
22:25:54 ipsec,info ISAKMP-SA deleted 192.168.222.5[500]-192.168.222.2[500] spi:b183c73d2d5f5853:fb8793123892143f rekey:1 
22:25:54 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:25:54 ipsec 192.168.222.2 unknown Informational exchange received. 
22:26:24 ipsec,debug === 
22:26:24 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
22:26:24 ipsec,debug new cookie: 
22:26:24 ipsec,debug 593ad1bfbb7ee768 
22:26:24 ipsec,debug add payload of len 56, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 13 
22:26:24 ipsec,debug add payload of len 16, next type 0 
22:26:24 ipsec,debug 348 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:24 ipsec,debug 1 times of 348 bytes message will be sent to 192.168.222.2[500] 
22:26:24 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:0000000000000000 
22:26:24 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:24 ipsec,debug begin. 
22:26:24 ipsec,debug seen nptype=1(sa) len=60 
22:26:24 ipsec,debug seen nptype=13(vid) len=20 
22:26:24 ipsec,debug succeed. 
22:26:24 ipsec received Vendor ID: RFC 3947 
22:26:24 ipsec 192.168.222.2 Selected NAT-T version: RFC 3947 
22:26:24 ipsec,debug total SA len=56 
22:26:24 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
22:26:24 ipsec,debug 80020002 80040002 80030001 800b0001 000c0004 00015180 
22:26:24 ipsec,debug begin. 
22:26:24 ipsec,debug seen nptype=2(prop) len=48 
22:26:24 ipsec,debug succeed. 
22:26:24 ipsec,debug proposal #1 len=48 
22:26:24 ipsec,debug begin. 
22:26:24 ipsec,debug seen nptype=3(trns) len=40 
22:26:24 ipsec,debug succeed. 
22:26:24 ipsec,debug transform #1 len=40 
22:26:24 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
22:26:24 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:24 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
22:26:24 ipsec,debug hash(sha1) 
22:26:24 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
22:26:24 ipsec,debug dh(modp1024) 
22:26:24 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
22:26:24 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
22:26:24 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
22:26:24 ipsec,debug pair 1: 
22:26:24 ipsec,debug  0x4a7218: next=(nil) tnext=(nil) 
22:26:24 ipsec,debug proposal #1: 1 transform 
22:26:24 ipsec,debug -checking with pre-shared key auth- 
22:26:24 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
22:26:24 ipsec,debug trns#=1, trns-id=IKE 
22:26:24 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
22:26:24 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:24 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
22:26:24 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
22:26:24 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
22:26:24 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
22:26:24 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
22:26:24 ipsec,debug -compare proposal #1: Local:Peer 
22:26:24 ipsec,debug (lifetime = 86400:86400) 
22:26:24 ipsec,debug (lifebyte = 0:0) 
22:26:24 ipsec,debug enctype = AES-CBC:AES-CBC 
22:26:24 ipsec,debug (encklen = 128:128) 
22:26:24 ipsec,debug hashtype = SHA:SHA 
22:26:24 ipsec,debug authmethod = pre-shared key:pre-shared key 
22:26:24 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
22:26:24 ipsec,debug -an acceptable proposal found- 
22:26:24 ipsec,debug dh(modp1024) 
22:26:24 ipsec,debug -agreed on pre-shared key auth- 
22:26:24 ipsec,debug === 
22:26:24 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec Adding remote and local NAT-D payloads. 
22:26:25 ipsec,debug add payload of len 128, next type 10 
22:26:25 ipsec,debug add payload of len 24, next type 20 
22:26:25 ipsec,debug add payload of len 20, next type 20 
22:26:25 ipsec,debug add payload of len 20, next type 0 
22:26:25 ipsec,debug 236 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:fb8793125114c415 
22:26:25 ipsec,debug ===== received 304 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=4(ke) len=132 
22:26:25 ipsec,debug seen nptype=10(nonce) len=24 
22:26:25 ipsec,debug seen nptype=13(vid) len=20 
22:26:25 ipsec,debug seen nptype=13(vid) len=20 
22:26:25 ipsec,debug seen nptype=13(vid) len=20 
22:26:25 ipsec,debug seen nptype=13(vid) len=12 
22:26:25 ipsec,debug seen nptype=20(nat-d) len=24 
22:26:25 ipsec,debug seen nptype=20(nat-d) len=24 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec received Vendor ID: CISCO-UNITY 
22:26:25 ipsec received Vendor ID: DPD 
22:26:25 ipsec,debug remote supports DPD 
22:26:25 ipsec,debug received unknown Vendor ID 
22:26:25 ipsec,debug 0e40340f 5115c415 a2ce731f 31013ee8 
22:26:25 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
22:26:25 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug NAT-D payload #0 verified 
22:26:25 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug NAT-D payload #1 verified 
22:26:25 ipsec NAT not detected  
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug nonce 1:  
22:26:25 ipsec,debug f33353c0 3f35baa7 1ae1d3de 577d2fac 3a2b8ade 66e40211 
22:26:25 ipsec,debug nonce 2:  
22:26:25 ipsec,debug f9be140f a8e0e7c1 612cd196 11b64e7f 748af59b 
22:26:25 ipsec,debug SKEYID computed: 
22:26:25 ipsec,debug ec947c52 41ff8a59 2ebb4116 39193bac 7e9dd962 
22:26:25 ipsec,debug SKEYID_d computed: 
22:26:25 ipsec,debug 5a00703d 1f283b5c 9c644034 273b45e9 23efc46f 
22:26:25 ipsec,debug SKEYID_a computed: 
22:26:25 ipsec,debug cc87fcde 3681a5a2 d6f4b349 79b327eb e46b84f0 
22:26:25 ipsec,debug SKEYID_e computed: 
22:26:25 ipsec,debug 0c8c5868 3ebd40c4 f245499b 0b223ded 94cebe36 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug final encryption key computed: 
22:26:25 ipsec,debug 0c8c5868 3ebd40c4 f245499b 0b223ded 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug IV computed: 
22:26:25 ipsec,debug f012e9fb 407b5435 09ebf537 05a3f510 
22:26:25 ipsec,debug use ID type of IPv4_address 
22:26:25 ipsec,debug add payload of len 8, next type 8 
22:26:25 ipsec,debug add payload of len 20, next type 0 
22:26:25 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:fb8793125114c415 
22:26:25 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=5(id) len=12 
22:26:25 ipsec,debug seen nptype=8(hash) len=24 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug HASH received: 
22:26:25 ipsec,debug 795155f9 6ece4e95 a3735aea 0d29f7ed 5282da13 
22:26:25 ipsec,debug HASH for PSK validated. 
22:26:25 ipsec,debug 192.168.222.2 peer's ID: 
22:26:25 ipsec,debug 011101f4 c0a8de02 
22:26:25 ipsec,debug === 
22:26:25 ipsec ph2 possible after ph1 creation 
22:26:25 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
22:26:25 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
22:26:25 ipsec,debug begin QUICK mode. 
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug begin QUICK mode. 
22:26:25 ipsec initiate new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug call pfkey_send_getspi 35 
22:26:25 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
22:26:25 ipsec,debug pfkey getspi sent. 
22:26:25 ipsec,info ISAKMP-SA established 192.168.222.5[500]-192.168.222.2[500] spi:593ad1bfbb7ee768:fb8793125114c415 
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug receive Information. 
22:26:25 ipsec,debug hash(sha1) 
22:26:25 ipsec,debug hash validated. 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=8(hash) len=24 
22:26:25 ipsec,debug seen nptype=11(notify) len=40 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug 192.168.222.2 notify: RESPONDER-LIFETIME 
22:26:25 ipsec,debug 192.168.222.2 notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=1 spi=593ad1bfbb7ee768fb8793125114c415(size=16). 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug use local ID type IPv4_subnet 
22:26:25 ipsec,debug use remote ID type IPv4_subnet 
22:26:25 ipsec,debug IDci: 
22:26:25 ipsec,debug 042f0000 ac100200 ffffff00 
22:26:25 ipsec,debug IDcr: 
22:26:25 ipsec,debug 042f0000 01010100 ffffff00 
22:26:25 ipsec,debug add payload of len 56, next type 10 
22:26:25 ipsec,debug add payload of len 24, next type 4 
22:26:25 ipsec,debug add payload of len 128, next type 5 
22:26:25 ipsec,debug add payload of len 12, next type 5 
22:26:25 ipsec,debug add payload of len 12, next type 0 
22:26:25 ipsec,debug add payload of len 20, next type 1 
22:26:25 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 593ad1bfbb7ee768:fb8793125114c415:c6b628b5 
22:26:25 ipsec,debug ===== received 348 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=8(hash) len=24 
22:26:25 ipsec,debug seen nptype=1(sa) len=60 
22:26:25 ipsec,debug seen nptype=10(nonce) len=24 
22:26:25 ipsec,debug seen nptype=4(ke) len=132 
22:26:25 ipsec,debug seen nptype=5(id) len=16 
22:26:25 ipsec,debug seen nptype=5(id) len=16 
22:26:25 ipsec,debug seen nptype=11(notify) len=40 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug 192.168.222.2 Notify Message received 
22:26:25 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
22:26:25 ipsec,debug IDci matches proposal. 
22:26:25 ipsec,debug IDcr matches proposal. 
22:26:25 ipsec,debug HASH allocated:hbuf->l=344 actual:tlen=312 
22:26:25 ipsec,debug HASH(2) received: 
22:26:25 ipsec,debug 0e5d89c5 478b57bc e635942c 81b45a6c fa806184 
22:26:25 ipsec,debug total SA len=56 
22:26:25 ipsec,debug 00000001 00000001 00000030 01030401 06459dd2 00000024 010c0000 80010001 
22:26:25 ipsec,debug 00020004 00015180 80040001 80060080 80050002 80030002 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=2(prop) len=48 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug proposal #1 len=48 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=3(trns) len=36 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug transform #1 len=36 
22:26:25 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
22:26:25 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
22:26:25 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
22:26:25 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:25 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
22:26:25 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug pair 1: 
22:26:25 ipsec,debug  0x4a94f8: next=(nil) tnext=(nil) 
22:26:25 ipsec,debug proposal #1: 1 transform 
22:26:25 ipsec,debug total SA len=56 
22:26:25 ipsec,debug 00000001 00000001 00000030 01030401 2b3637c0 00000024 010c0000 80040001 
22:26:25 ipsec,debug 80010001 00020004 00015180 80050002 80060080 80030002 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=2(prop) len=48 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug proposal #1 len=48 
22:26:25 ipsec,debug begin. 
22:26:25 ipsec,debug seen nptype=3(trns) len=36 
22:26:25 ipsec,debug succeed. 
22:26:25 ipsec,debug transform #1 len=36 
22:26:25 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
22:26:25 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
22:26:25 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
22:26:25 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
22:26:25 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:25 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug pair 1: 
22:26:25 ipsec,debug  0x4a9510: next=(nil) tnext=(nil) 
22:26:25 ipsec,debug proposal #1: 1 transform 
22:26:25 ipsec attribute has been modified. 
22:26:25 ipsec,debug begin compare proposals. 
22:26:25 ipsec,debug pair[1]: 0x4a9510 
22:26:25 ipsec,debug  0x4a9510: next=(nil) tnext=(nil) 
22:26:25 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
22:26:25 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
22:26:25 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
22:26:25 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
22:26:25 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
22:26:25 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
22:26:25 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
22:26:25 ipsec,debug peer's single bundle: 
22:26:25 ipsec,debug  (proto_id=ESP spisize=4 spi=2b3637c0 spi_p=00000000 encmode=Tunnel reqid=0:0) 
22:26:25 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
22:26:25 ipsec,debug my single bundle: 
22:26:25 ipsec,debug  (proto_id=ESP spisize=4 spi=06459dd2 spi_p=00000000 encmode=Tunnel reqid=0:0) 
22:26:25 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
22:26:25 ipsec,debug matched 
22:26:25 ipsec,debug === 
22:26:25 ipsec,debug HASH(3) generate 
22:26:25 ipsec,debug add payload of len 20, next type 0 
22:26:25 ipsec,debug 60 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
22:26:25 ipsec,debug 1 times of 60 bytes message will be sent to 192.168.222.2[500] 
22:26:25 ipsec,debug dh(modp1024) 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug encklen=128 authklen=160 
22:26:25 ipsec,debug generating 480 bits of key (dupkeymat=3) 
22:26:25 ipsec,debug generating K1...K3 for KEYMAT. 
22:26:25 ipsec,debug 6de7b605 f30b640d 369a0dd7 a1ee0404 865d452c 835ccf0b 90b0ff4d 0012716e 
22:26:25 ipsec,debug 20d880e9 c2bafe54 57637907 2a2faa1f aba42202 e2a58929 b6f037cc 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug encklen=128 authklen=160 
22:26:25 ipsec,debug generating 480 bits of key (dupkeymat=3) 
22:26:25 ipsec,debug generating K1...K3 for KEYMAT. 
22:26:25 ipsec,debug bc85d41f 31ca82ab 96048ac9 8e4ab705 8ba5fd70 d9278c28 e0ed4b9f 1e6f56d4 
22:26:25 ipsec,debug 51c440aa 14428599 4f32e146 81fe46e7 14660aa6 2e3d38ef f614388e 
22:26:25 ipsec,debug KEYMAT computed. 
22:26:25 ipsec,debug call pk_sendupdate 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug call pfkey_send_update_nat 
22:26:25 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x6459dd2 
22:26:25 ipsec,debug pfkey update sent. 
22:26:25 ipsec,debug encryption(aes-cbc) 
22:26:25 ipsec,debug hmac(sha1) 
22:26:25 ipsec,debug call pfkey_send_add_nat 
22:26:25 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x2b3637c0 
22:26:25 ipsec,debug pfkey add sent. 
Let me post the new configs so perhaps you guys can see the mismatch:
Cisco config:
Building configuration...


Current configuration : 1955 bytes
!
! Last configuration change at 18:20:37 UTC Sat Jun 4 2022
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TunnelRouter
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9_ivs-mz.151-4.M.bin
boot-end-marker
!
!
enable secret 5 $1$BYTG$gM4Dh523JfjHCtbiU..T60
!
no aaa new-model
!
!
dot11 syslog
ip source-route

!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1413F35T
archive
 log config
  hidekeys
!
redundancy
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Test1234 address 192.168.222.5 no-xauth
!
!
crypto ipsec transform-set myset1 esp-aes esp-sha-hmac
!
crypto map gremap 1 ipsec-isakmp
 set peer 192.168.222.5
 set pfs group2
 match address gretraffic
crypto map gremap 10 ipsec-isakmp
 set peer 192.168.222.5
 set transform-set myset1
 set pfs group2
 match address gretraffic
! 
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.222.5
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.248
 duplex auto
 speed auto
 crypto map gremap
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip route 172.16.2.0 255.255.255.0 192.168.0.2
!
ip access-list extended gretraffic
 permit ip 172.16.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit gre any any
!
logging esm config
!
!
!
!
!
!
control-plane

-------------------------------------------------------------------------------------------------
MikroTik config:
# jun/04/2022 22:30:26 by RouterOS 6.49.6
# software id = **********
#
# model = 951Ui-2HnD
# serial number = **********
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
add allow-fast-path=no !keepalive local-address=192.168.222.5 name=\
    gre-tunnel1 remote-address=192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.5 name=myset1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 \
    nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d
/ip pool
add name=dhcp_pool0 ranges=172.16.2.1,172.16.2.3-172.16.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2_toLAN name=dhcp1
/ip address
add address=192.168.222.5/29 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip dhcp-server network
add address=172.16.2.0/24 gateway=172.16.2.2
/ip firewall filter
add action=accept chain=input dst-address=192.168.222.5 src-address=\
    192.168.222.2
add action=accept chain=output dst-address=192.168.222.2 src-address=\
    192.168.222.5
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat dst-address=1.1.1.0/24 src-address=\
    172.16.2.0/24
add action=masquerade chain=srcnat
/ip ipsec identity
add peer=myset1 secret=Test1234
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=\
    172.16.2.0/24 tunnel=yes
/ip route
add distance=1 dst-address=1.1.1.0/24 gateway=gre-tunnel1
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
/system clock
set time-zone-name=Asia/Tehran
/system logging
add topics=ipsec,!packet

-------------------------------------------------------------------------------------------------
Right now, all pings time out after IPsec phase 2 is established; without IPsec all pings are OK.

On the Cisco side the following logs are shown at the same time as the MikroTik is creating its log file:
*Jun  4 18:24:51.118: IPSEC(validate_proposal_request): proposal part #1
*Jun  4 18:24:51.118: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.222.2:0, remote= 192.168.222.5:0,
    local_proxy= 1.1.1.0/255.255.255.0/47/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/47/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun  4 18:24:51.118: Crypto mapdb : proxy_match
        src addr     : 1.1.1.0
        dst addr     : 172.16.2.0
        protocol     : 47
        src port     : 0
        dst port     : 0
*Jun  4 18:24:51.118: %CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default transforms
*Jun  4 18:24:51.210: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun  4 18:24:51.210: Crypto mapdb : proxy_match
        src addr     : 1.1.1.0
        dst addr     : 172.16.2.0
        protocol     : 47
        src port     : 0
        dst port     : 0
*Jun  4 18:24:51.210: IPSEC(create_sibling_entry): Transport mode requested, but tunnel mode negotiated
*Jun  4 18:24:51.210: IPSEC(policy_db_add_ident): src 1.1.1.0, dest 172.16.2.0, dest_port 0

*Jun  4 18:24:51.210: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.222.2, sa_proto= 50,
    sa_spi= 0x2B3637C0(724973504),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2025
    sa_lifetime(k/sec)= (4544998/3600)
*Jun  4 18:24:51.210: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.222.5, sa_proto= 50,
    sa_spi= 0x6459DD2(105225682),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2026
    sa_lifetime(k/sec)= (4544998/3600)
*Jun  4 18:24:51.218: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun  4 18:24:51.218: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jun  4 18:24:51.218: IPSEC(key_engine_enable_outbound): enable SA with spi 105225682/50
*Jun  4 18:24:51.218: IPSEC(update_current_outbound_sa): get enable SA peer 192.168.222.5 current outbound sa to SPI 6459DD2
*Jun  4 18:24:51.218: IPSEC(update_current_outbound_sa): updated peer 192.168.222.5 current outbound sa to SPI 6459DD2
*Jun  4 18:25:23.730: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.222.2, src_addr= 192.168.222.5, prot= 47
*Jun  4 18:25:32.682: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun  4 18:25:32.686: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun  4 18:25:32.686: IPSEC(key_engine_delete_sas): delete SA with spi 0x6459DD2 proto 50 for 192.168.222.5
*Jun  4 18:25:32.686: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.222.2, sa_proto= 50,
    sa_spi= 0x2B3637C0(724973504),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2025
    sa_lifetime(k/sec)= (4544998/3600),
  (identity) local= 192.168.222.2:0, remote= 192.168.222.5:0,
    local_proxy= 1.1.1.0/255.255.255.0/47/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/47/0 (type=4)
*Jun  4 18:25:32.686: IPSEC(update_current_outbound_sa): updated peer 192.168.222.5 current outbound sa to SPI 0
*Jun  4 18:25:32.686: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.222.5, sa_proto= 50,
    sa_spi= 0x6459DD2(105225682),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2026
    sa_lifetime(k/sec)= (4544998/3600),
  (identity) local= 192.168.222.2:0, remote= 192.168.222.5:0,
    local_proxy= 1.1.1.0/255.255.255.0/47/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/47/0 (type=4)
all in all, no ping yet.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Sat Jun 04, 2022 11:42 pm

At IPsec level, the log shows that Phase 1 and Phase 2 establish properly.

However, the export of the Mikrotik configuration doesn't match the one of the Cisco - on Mikrotik, both the default policy template and the single policy configured manually are shown as disabled, and the policy has protocol=gre whereas on Cisco, the extended access-list gretraffic matches on ip for the addresses matching the policy at Mikrotik. As you have clearly exported a different configuration than the one which was in place while you took the log, it is hard to say what exactly was wrong.

You also haven't written from where you ping and to which address; e.g. if you ping 1.1.1.x from the Mikrotik itself, the policy won't match on the pings because the gateway of the route to 1.1.1.0/24 is set to gre-tunnel1, so the pings to 1.1.1.x get a source address 192.168.0.2 (which is attached to gre-tunnel1), so they do not match the src-address of the policy.

So provide a consistent and complete set of information - log and exports matching together and details of the ping.

Off topic, the default behaviour of Mikrotik firewall chains is accept, so most of the firewall rules are effectively useless as what is not accepted explicitly by one of them is accepted anyway by default.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sun Jun 05, 2022 12:29 am

At IPsec level, the log shows that Phase 1 and Phase 2 establish properly.

However, the export of the Mikrotik configuration doesn't match the one of the Cisco - on Mikrotik, both the default policy template and the single policy configured manually are shown as disabled, and the policy has protocol=gre whereas on Cisco, the extended access-list gretraffic matches on ip for the addresses matching the policy at Mikrotik. As you have clearly exported a different configuration than the one which was in place while you took the log, it is hard to say what exactly was wrong.

You also haven't written from where you ping and to which address; e.g. if you ping 1.1.1.x from the Mikrotik itself, the policy won't match on the pings because the gateway of the route to 1.1.1.0/24 is set to gre-tunnel1, so the pings to 1.1.1.x get a source address 192.168.0.2 (which is attached to gre-tunnel1), so they do not match the src-address of the policy.

So provide a consistent and complete set of information - log and exports matching together and details of the ping.

Off topic, the default behaviour of Mikrotik firewall chains is accept, so most of the firewall rules are effectively useless as what is not accepted explicitly by one of them is accepted anyway by default.
thank you Sindy so much for your attention. YES you're right, this was a fault of mine. here is a more consistent cisco config with less clutter:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Test1234 address 192.168.222.5 no-xauth
!
!
crypto ipsec transform-set myset1 esp-aes esp-sha-hmac
!
crypto map gremap 10 ipsec-isakmp
 set peer 192.168.222.5
 set transform-set myset1
 set pfs group2
 match address gretraffic
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.222.5
!
interface FastEthernet0/0
 ip address 192.168.222.2 255.255.255.248
 duplex auto
 speed auto
 crypto map gremap
!
!
ip route 172.16.2.0 255.255.255.0 192.168.0.2
!
ip access-list extended gretraffic
 permit gre any any
 permit ip 1.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
! 
about pinging, with this configuration i can ping the two ends of the tunnel from inside the two routers and also the two LAN IPs from the other LAN sides. i mean i can ping 192.168.0.2 from inside cisco and 192.168.0.1 from inside mikrotik. then i can ping 1.1.1.1 from a laptop connected to the LAN of the mikrotik and, as well, ping 172.16.2.1 from 1.1.1.1, which is cisco's loopback0.
i hope it would be ok this time.
thanks,
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sun Jun 05, 2022 12:46 am

and following the cisco config, here is a better config of my routerboard:
...
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
add allow-fast-path=no !keepalive local-address=192.168.222.5 mtu=1576 name=\
    gre-tunnel1 remote-address=192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.5 name=myset1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d
/ip pool
add name=dhcp_pool0 ranges=172.16.2.1,172.16.2.3-172.16.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2_toLAN name=dhcp1
/ip address
add address=192.168.222.5/29 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip dhcp-server network
add address=172.16.2.0/24 gateway=172.16.2.2
/ip firewall filter
add action=accept chain=input disabled=yes dst-address=192.168.222.5 \
    src-address=192.168.222.2
add action=accept chain=output disabled=yes dst-address=192.168.222.2 \
    src-address=192.168.222.5
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=accept chain=srcnat out-interface=gre-tunnel1
add action=masquerade chain=srcnat
/ip ipsec identity
add peer=myset1 secret=Test1234
/ip ipsec policy
set 0 disabled=yes
add dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=172.16.2.0/24 \
    tunnel=yes
/ip route
add distance=1 dst-address=1.1.1.0/24 gateway=gre-tunnel1
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
...
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sun Jun 05, 2022 1:00 pm

dear Sindy, i was reading this reply of yours in a similar thread:
viewtopic.php?t=168179#p825277

is it possible that the problem in my scenario lies within my firewall rules? however, as i said earlier the pings of the two GRE ends, i.e. 192.168.0.1 & 192.168.0.2, as well as pings of the LAN sides, i.e. 1.1.1.1 & 172.16.2.1, come back right after i disable ipsec peers on both devices.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Sun Jun 05, 2022 2:07 pm

is it possible that the problem in my scenario lies within my firewall rules? however, as i said earlier the pings of the two GRE ends, i.e. 192.168.0.1 & 192.168.0.2, as well as pings of the LAN sides, i.e. 1.1.1.1 & 172.16.2.1, come back right after i disable ipsec peers on both devices.
Even the "correct" export contains an inconsistency between the log contents and the configuration:

/ip ipsec policy
...
add dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=172.16.2.0/24 tunnel=yes


but

22:26:25 ipsec,debug use local ID type IPv4_subnet
22:26:25 ipsec,debug use remote ID type IPv4_subnet
22:26:25 ipsec,debug IDci:
22:26:25 ipsec,debug 042f0000 ac100200 ffffff00
22:26:25 ipsec,debug IDcr:
22:26:25 ipsec,debug 042f0000 01010100 ffffff00


You also ask whether the firewall may be an issue but the export shows all firewall rules to be disabled, which means everything is accepted.

So it is hard to be sure what is the actual configuration when you encounter the ping failures. For a proper analysis, I need a snapshot of both configurations taken in the state when the pings fail.

In general, you can use the IPsec
  • either to encrypt the GRE transport packets (which would require a tunnel mode policy with src-address equal to interface gre's local-address and dst-address equal to interface gre's remote-address, or it may even be a transport mode policy if the peers' addresses are the same as the GRE tunnel's ones),
  • or to directly encrypt the payload between 172.16.2.0/24 and 1.1.1.0/24 where the GRE tunnel is bypassed
The fact that enabling the peers causes the pings to fail suggests that you use the second way. When you disable a policy, or the peer it uses, the policy does nothing. If both the policy and its relevant peer are enabled, the policy intercepts matching packets no matter whether a corresponding security association exists or not, and also drops incoming packets that reverse-match it but did not arrive via the corresponding security association. This is by design of the overall security model associated with the IPsec protocol.

So when you enable the peer (at least at Mikrotik side), the pings stop being sent via the GRE tunnel because they get intercepted by the policy just before reaching the tunnel. This suggests that the policy actually doesn't contain the protocol=gre part, otherwise it would ignore other packets than GRE transport ones.

Now two possible scenarios exist - either Phase 2 failed, so the packets intercepted by the policy are effectively dropped, or Phase 2 succeeded but something is wrong about the encryption, so the pings get encrypted and sent to the peer but the peer cannot decrypt them (or doesn't receive them, hard to say).

At Cisco side, the access list used by the crypto map says "anything between local 1.1.1.0/24 and remote 172.16.2.0/24 or GRE between any addresses", so I guess once you enable the crypto map, all GRE transport traffic gets intercepted and therefore stops getting through (at least because there is no matching policy at Mikrotik side), so even pings between the payload addresses attached to the endpoints of the GRE tunnel cannot pass through as the GRE transport packets carrying them cannot.

So let me cite (well, I'm afraid it is actually a paraphrase as I've never read that particular book in the English original) Sir Terry Pratchett: "whenever I see the poster saying 'Dead or Alive', it seems to me they f-ing cannot make their mind". Choose one way (encrypted GRE) or the other (direct encryption of the payload), clean up the configuration to match only the chosen way, and let's debug that.
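As an added worked example (not code from this thread, from the poster or from RouterOS), here is a Python decoder for the IDci/IDcr hex words quoted above, plus a responder-side policy lookup modelled on the RouterOS log line "searching for policy for selector ... policy not found" that appears later in the thread. The Selector and Policy types, find_policy and its exact-match rule are my model of that step, not RouterOS internals; the hex constants are copied from the RouterOS logs posted in this thread.

```python
"""Decode ISAKMP Phase 2 identification payloads (IDci / IDcr) as RouterOS
prints them in 'ipsec,debug' logs, and check whether a peer's proposed
selectors can be served by a RouterOS-style IPsec policy (a model, not RouterOS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Optional, Sequence

# Identification types from RFC 2407 (only the two that appear in the thread).
ID_IPV4_ADDR = 1          # single address, used for the Phase 1 peer ID
ID_IPV4_ADDR_SUBNET = 4   # address + mask, used for Phase 2 traffic selectors
PROTO_ANY, PROTO_UDP, PROTO_GRE = 0, 17, 47

@dataclass(frozen=True)
class Selector:
    network: IPv4Network  # a /32 for ID_IPV4_ADDR
    protocol: int         # 0 = any upper-layer protocol
    port: int             # 0 = any port

def decode_id_payload(hexwords: str) -> Selector:
    """Parse an ID payload body from the hex words RouterOS prints after
    'IDci:', 'IDcr:' or "peer's ID:" (the 4-byte generic header is not shown).
    Layout (RFC 2408 section 3.8): ID type (1), protocol ID (1), port (2), data."""
    data = bytes.fromhex(hexwords.replace(" ", ""))
    if len(data) < 4:
        raise ValueError("ID payload body shorter than its fixed header")
    id_type, protocol = data[0], data[1]
    port = int.from_bytes(data[2:4], "big")
    body = data[4:]
    if id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("ID_IPV4_ADDR carries exactly 4 address bytes")
        network = IPv4Network((int.from_bytes(body, "big"), 32))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(body) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET carries 4 address + 4 mask bytes")
        addr = int.from_bytes(body[:4], "big")
        mask = int.from_bytes(body[4:], "big")
        prefixlen = bin(mask).count("1")
        # A selector mask must be contiguous; anything else is a malformed ID.
        if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous subnet mask {mask:#010x}")
        # strict=False keeps the ID decodable even if the peer left host bits set.
        network = IPv4Network((addr, prefixlen), strict=False)
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return Selector(network, protocol, port)

def describe(sel: Selector) -> str:
    """Render a selector as the RouterOS log does in
    'searching for policy for selector: A ip-proto:N <=> B ip-proto:N'."""
    return f"{sel.network} ip-proto:{sel.protocol}"

@dataclass(frozen=True)
class Policy:
    """Selector part of a RouterOS '/ip ipsec policy' entry (model only)."""
    src_address: IPv4Network
    dst_address: IPv4Network
    protocol: int = PROTO_ANY

def find_policy(policies: Sequence[Policy], idci: Selector, idcr: Selector) -> Optional[Policy]:
    """Responder-side lookup modelled on the log's 'searching for policy for
    selector' step.  IDci names the initiator's side and IDcr the responder's,
    so the responder needs src-address == IDcr and dst-address == IDci.
    IKEv1 Quick Mode defines no selector narrowing, so a 0.0.0.0/0 proposal
    does not match a /24 policy: that is the thread's 'policy not found'."""
    if idci.protocol != idcr.protocol:
        return None  # both IDs must carry the same upper-layer protocol
    for pol in policies:
        if (pol.src_address == idcr.network and pol.dst_address == idci.network
                and pol.protocol == idci.protocol):
            return pol
    return None

# Hex words copied from the RouterOS logs quoted in this thread.
MIKROTIK_IDCI = "042f0000 ac100200 ffffff00"  # 172.16.2.0/24 GRE (what the RB sends)
MIKROTIK_IDCR = "042f0000 01010100 ffffff00"  # 1.1.1.0/24 GRE
CISCO_IDCI2 = "042f0000 00000000 00000000"    # 0.0.0.0/0 GRE, from 'permit gre any any'
CISCO_IDCR2 = "042f0000 00000000 00000000"
PEER_PHASE1_ID = "011101f4 c0a8de02"          # Cisco's Phase 1 ID: 192.168.222.2, UDP/500
# The single policy from the thread's RouterOS export.
GRE_POLICY = Policy(IPv4Network("172.16.2.0/24"), IPv4Network("1.1.1.0/24"), PROTO_GRE)

def main() -> None:
    # The Quick Mode the Cisco initiated, which the RB rejects with 'policy not found'.
    ci, cr = decode_id_payload(CISCO_IDCI2), decode_id_payload(CISCO_IDCR2)
    print("Cisco proposes:", describe(cr), "<=>", describe(ci))
    print("matching RB policy:", find_policy([GRE_POLICY], ci, cr))
    # The selectors a Cisco with a mirrored crypto ACL would propose instead
    # (the RB's own IDci/IDcr with the roles swapped) do match the policy.
    ci, cr = decode_id_payload(MIKROTIK_IDCR), decode_id_payload(MIKROTIK_IDCI)
    print("mirrored proposal:", describe(cr), "<=>", describe(ci))
    print("matching RB policy:", find_policy([GRE_POLICY], ci, cr))
    print("Phase 1 peer ID:", decode_id_payload(PEER_PHASE1_ID))

if __name__ == "__main__":
    main()
```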
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sun Jun 05, 2022 4:54 pm

dear sindy, the configs that i posted in the previous reply are exactly the configs at the time of the ping failure. therefore, looking at the last posted configs, if and only if i halt ipsec on both ends (e.g. by disabling peers) pings will come back. i guess this is a sign of a working gre tunnel between the two, as i see packets being counted on the mikrotik gre interface while pinging. am i right?
about the gre types ... yes i am exactly trying "encrypted gre" which i guess is known as "gre over ipsec". i think the other method where the gre is in transport mode is called "ipsec over gre". anyway, i loved your explanations, i highly appreciate the distinction you made; great for a beginner like me :-)
about the inconsistency of the logs, yes you're right. so i tried to re-enable logging at the time when the ping fails, that is, when ipsec is applied to the gre tunnel. here is the content of the "ipsec-start.txt" file:
# jan/ 2/1970  0:16:11 by RouterOS 6.49.6
# software id = 0G7Y-54W3
#
00:17:01 ipsec,debug 192.168.222.2 DPD monitoring.... 
00:17:01 ipsec,debug hash(sha1) 
00:17:01 ipsec,debug 92 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:01 ipsec,debug 1 times of 92 bytes message will be sent to 192.168.222.2[500] 
00:17:01 ipsec,debug sendto Information notify. 
00:17:01 ipsec,debug 192.168.222.2 DPD R-U-There sent (0) 
00:17:01 ipsec,debug 192.168.222.2 rescheduling send_r_u (5). 
00:17:01 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:01 ipsec,debug receive Information. 
00:17:01 ipsec,debug hash(sha1) 
00:17:01 ipsec,debug hash validated. 
00:17:01 ipsec,debug begin. 
00:17:01 ipsec,debug seen nptype=8(hash) len=24 
00:17:01 ipsec,debug seen nptype=11(notify) len=32 
00:17:01 ipsec,debug succeed. 
00:17:01 ipsec,debug 192.168.222.2 notify: R_U_THERE_ACK 
00:17:01 ipsec,debug 192.168.222.2 DPD R-U-There-Ack received 
00:17:01 ipsec,debug received an R-U-THERE-ACK 
00:17:07 ipsec,debug ===== received 316 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:07 ipsec,debug hash(sha1) 
00:17:07 ipsec,debug === 
00:17:07 ipsec respond new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=8(hash) len=24 
00:17:07 ipsec,debug seen nptype=1(sa) len=68 
00:17:07 ipsec,debug seen nptype=10(nonce) len=24 
00:17:07 ipsec,debug seen nptype=4(ke) len=132 
00:17:07 ipsec,debug seen nptype=5(id) len=16 
00:17:07 ipsec,debug seen nptype=5(id) len=16 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug received IDci2: 
00:17:07 ipsec,debug 042f0000 00000000 00000000 
00:17:07 ipsec,debug received IDcr2: 
00:17:07 ipsec,debug 042f0000 00000000 00000000 
00:17:07 ipsec,debug HASH(1) validate: 
00:17:07 ipsec,debug 3c3cdbdf c0ad8564 8da891a6 1b66b3af b1c01759 
00:17:07 ipsec,debug total SA len=64 
00:17:07 ipsec,debug 00000001 00000001 00000038 01030401 a8a09e6d 0000002c 010c0000 80040001 
00:17:07 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=2(prop) len=56 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug proposal #1 len=56 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=3(trns) len=44 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug transform #1 len=44 
00:17:07 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:07 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:07 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:17:07 ipsec,debug life duration was in TLV. 
00:17:07 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:17:07 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:07 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:07 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:07 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:07 ipsec,debug dh(modp1024) 
00:17:07 ipsec,debug pair 1: 
00:17:07 ipsec,debug  0x4a3808: next=(nil) tnext=(nil) 
00:17:07 ipsec,debug proposal #1: 1 transform 
00:17:07 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:07 ipsec,debug got the peer address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:07 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47 
00:17:07 ipsec policy not found 
00:17:07 ipsec failed to get proposal for responder. 
00:17:07 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
00:17:07 ipsec,debug hash(sha1) 
00:17:07 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:07 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:07 ipsec,debug sendto Information notify. 
00:17:07 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:07 ipsec,debug receive Information. 
00:17:07 ipsec,debug hash(sha1) 
00:17:07 ipsec,debug hash validated. 
00:17:07 ipsec,debug begin. 
00:17:07 ipsec,debug seen nptype=8(hash) len=24 
00:17:07 ipsec,debug seen nptype=12(delete) len=28 
00:17:07 ipsec,debug succeed. 
00:17:07 ipsec,debug 192.168.222.2 delete payload for protocol ISAKMP 
00:17:07 ipsec,info purging ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=9d29a0e1abfb7d44:3fc807dfdf888ad4. 
00:17:07 ipsec purged IPsec-SA proto_id=ESP spi=0xfc67a2c2 
00:17:07 ipsec purged IPsec-SA proto_id=ESP spi=0x13b403c 
00:17:07 ipsec purged ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=9d29a0e1abfb7d44:3fc807dfdf888ad4. 
00:17:07 ipsec,debug purged SAs. 
00:17:07 ipsec,info ISAKMP-SA deleted 192.168.222.5[500]-192.168.222.2[500] spi:9d29a0e1abfb7d44:3fc807dfdf888ad4 rekey:1 
00:17:11 ipsec,debug === 
00:17:11 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:11 ipsec,debug new cookie: 
00:17:11 ipsec,debug 71ffcbce1a50cb0e 
00:17:11 ipsec,debug add payload of len 56, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 13 
00:17:11 ipsec,debug add payload of len 16, next type 0 
00:17:11 ipsec,debug 348 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 348 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:0000000000000000 
00:17:11 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=1(sa) len=60 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec received Vendor ID: RFC 3947 
00:17:11 ipsec 192.168.222.2 Selected NAT-T version: RFC 3947 
00:17:11 ipsec,debug total SA len=56 
00:17:11 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
00:17:11 ipsec,debug 80020002 80040002 80030001 800b0001 000c0004 00015180 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=2(prop) len=48 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug proposal #1 len=48 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=3(trns) len=40 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug transform #1 len=40 
00:17:11 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:11 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug pair 1: 
00:17:11 ipsec,debug  0x4a9908: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug proposal #1: 1 transform 
00:17:11 ipsec,debug -checking with pre-shared key auth- 
00:17:11 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
00:17:11 ipsec,debug trns#=1, trns-id=IKE 
00:17:11 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:11 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:11 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug -compare proposal #1: Local:Peer 
00:17:11 ipsec,debug (lifetime = 86400:86400) 
00:17:11 ipsec,debug (lifebyte = 0:0) 
00:17:11 ipsec,debug enctype = AES-CBC:AES-CBC 
00:17:11 ipsec,debug (encklen = 128:128) 
00:17:11 ipsec,debug hashtype = SHA:SHA 
00:17:11 ipsec,debug authmethod = pre-shared key:pre-shared key 
00:17:11 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
00:17:11 ipsec,debug -an acceptable proposal found- 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug -agreed on pre-shared key auth- 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec Adding remote and local NAT-D payloads. 
00:17:11 ipsec,debug add payload of len 128, next type 10 
00:17:11 ipsec,debug add payload of len 24, next type 20 
00:17:11 ipsec,debug add payload of len 20, next type 20 
00:17:11 ipsec,debug add payload of len 20, next type 0 
00:17:11 ipsec,debug 236 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:3fc807df1dc73e73 
00:17:11 ipsec,debug ===== received 304 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=4(ke) len=132 
00:17:11 ipsec,debug seen nptype=10(nonce) len=24 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug seen nptype=13(vid) len=20 
00:17:11 ipsec,debug seen nptype=13(vid) len=12 
00:17:11 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:11 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec received Vendor ID: CISCO-UNITY 
00:17:11 ipsec received Vendor ID: DPD 
00:17:11 ipsec,debug remote supports DPD 
00:17:11 ipsec,debug received unknown Vendor ID 
00:17:11 ipsec,debug ca0fa0c2 1dc63e73 78abcb9a f94a523b 
00:17:11 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
00:17:11 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug NAT-D payload #0 verified 
00:17:11 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug NAT-D payload #1 verified 
00:17:11 ipsec NAT not detected  
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug nonce 1:  
00:17:11 ipsec,debug 9daa4075 f5892b90 99e02a51 7fd37b46 19722727 5c81e14c 
00:17:11 ipsec,debug nonce 2:  
00:17:11 ipsec,debug 666bc150 1bb004a6 9f5795b4 f919cf63 5684108e 
00:17:11 ipsec,debug SKEYID computed: 
00:17:11 ipsec,debug 8d80fc4c 87d45b59 f8279d33 4c37100f b491e060 
00:17:11 ipsec,debug SKEYID_d computed: 
00:17:11 ipsec,debug 5c929e91 ca102cc2 b59a2b0b ea16e0ad 8cb06001 
00:17:11 ipsec,debug SKEYID_a computed: 
00:17:11 ipsec,debug bda8c1d3 2d599ed9 d98317c6 362a55a1 c39eea7b 
00:17:11 ipsec,debug SKEYID_e computed: 
00:17:11 ipsec,debug b7b0fd46 13f18fcb bd614fea 29b30877 e105d7ff 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug final encryption key computed: 
00:17:11 ipsec,debug b7b0fd46 13f18fcb bd614fea 29b30877 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug IV computed: 
00:17:11 ipsec,debug aa4ef65c 0ed7ab01 55a9d3d2 7707dacd 
00:17:11 ipsec,debug use ID type of IPv4_address 
00:17:11 ipsec,debug add payload of len 8, next type 8 
00:17:11 ipsec,debug add payload of len 20, next type 0 
00:17:11 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:3fc807df1dc73e73 
00:17:11 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=5(id) len=12 
00:17:11 ipsec,debug seen nptype=8(hash) len=24 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug HASH received: 
00:17:11 ipsec,debug d20117da e9dc5bcb fd5bfe45 869a2978 10063dec 
00:17:11 ipsec,debug HASH for PSK validated. 
00:17:11 ipsec,debug 192.168.222.2 peer's ID: 
00:17:11 ipsec,debug 011101f4 c0a8de02 
00:17:11 ipsec,debug === 
00:17:11 ipsec ph2 possible after ph1 creation 
00:17:11 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:11 ipsec,debug begin QUICK mode. 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug begin QUICK mode. 
00:17:11 ipsec initiate new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug call pfkey_send_getspi 6 
00:17:11 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
00:17:11 ipsec,debug pfkey getspi sent. 
00:17:11 ipsec,info ISAKMP-SA established 192.168.222.5[500]-192.168.222.2[500] spi:71ffcbce1a50cb0e:3fc807df1dc73e73 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug receive Information. 
00:17:11 ipsec,debug hash(sha1) 
00:17:11 ipsec,debug hash validated. 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=8(hash) len=24 
00:17:11 ipsec,debug seen nptype=11(notify) len=40 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug 192.168.222.2 notify: RESPONDER-LIFETIME 
00:17:11 ipsec,debug 192.168.222.2 notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=1 spi=71ffcbce1a50cb0e3fc807df1dc73e73(size=16). 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug use local ID type IPv4_subnet 
00:17:11 ipsec,debug use remote ID type IPv4_subnet 
00:17:11 ipsec,debug IDci: 
00:17:11 ipsec,debug 042f0000 ac100200 ffffff00 
00:17:11 ipsec,debug IDcr: 
00:17:11 ipsec,debug 042f0000 01010100 ffffff00 
00:17:11 ipsec,debug add payload of len 56, next type 10 
00:17:11 ipsec,debug add payload of len 24, next type 4 
00:17:11 ipsec,debug add payload of len 128, next type 5 
00:17:11 ipsec,debug add payload of len 12, next type 5 
00:17:11 ipsec,debug add payload of len 12, next type 0 
00:17:11 ipsec,debug add payload of len 20, next type 1 
00:17:11 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 71ffcbce1a50cb0e:3fc807df1dc73e73:b2a57df5 
00:17:11 ipsec,debug ===== received 348 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=8(hash) len=24 
00:17:11 ipsec,debug seen nptype=1(sa) len=60 
00:17:11 ipsec,debug seen nptype=10(nonce) len=24 
00:17:11 ipsec,debug seen nptype=4(ke) len=132 
00:17:11 ipsec,debug seen nptype=5(id) len=16 
00:17:11 ipsec,debug seen nptype=5(id) len=16 
00:17:11 ipsec,debug seen nptype=11(notify) len=40 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug 192.168.222.2 Notify Message received 
00:17:11 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
00:17:11 ipsec,debug IDci matches proposal. 
00:17:11 ipsec,debug IDcr matches proposal. 
00:17:11 ipsec,debug HASH allocated:hbuf->l=344 actual:tlen=312 
00:17:11 ipsec,debug HASH(2) received: 
00:17:11 ipsec,debug 8d0ecf44 0a115c6a 57b520a4 195c8409 c9928c46 
00:17:11 ipsec,debug total SA len=56 
00:17:11 ipsec,debug 00000001 00000001 00000030 01030401 0d41992d 00000024 010c0000 80010001 
00:17:11 ipsec,debug 00020004 00015180 80040001 80060080 80050002 80030002 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=2(prop) len=48 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug proposal #1 len=48 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=3(trns) len=36 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug transform #1 len=36 
00:17:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug pair 1: 
00:17:11 ipsec,debug  0x4aa290: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug proposal #1: 1 transform 
00:17:11 ipsec,debug total SA len=56 
00:17:11 ipsec,debug 00000001 00000001 00000030 01030401 16e169e8 00000024 010c0000 80040001 
00:17:11 ipsec,debug 80010001 00020004 00015180 80050002 80060080 80030002 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=2(prop) len=48 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug proposal #1 len=48 
00:17:11 ipsec,debug begin. 
00:17:11 ipsec,debug seen nptype=3(trns) len=36 
00:17:11 ipsec,debug succeed. 
00:17:11 ipsec,debug transform #1 len=36 
00:17:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug pair 1: 
00:17:11 ipsec,debug  0x4aa4b8: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug proposal #1: 1 transform 
00:17:11 ipsec attribute has been modified. 
00:17:11 ipsec,debug begin compare proposals. 
00:17:11 ipsec,debug pair[1]: 0x4aa4b8 
00:17:11 ipsec,debug  0x4aa4b8: next=(nil) tnext=(nil) 
00:17:11 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
00:17:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:11 ipsec,debug peer's single bundle: 
00:17:11 ipsec,debug  (proto_id=ESP spisize=4 spi=16e169e8 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:11 ipsec,debug my single bundle: 
00:17:11 ipsec,debug  (proto_id=ESP spisize=4 spi=0d41992d spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:11 ipsec,debug matched 
00:17:11 ipsec,debug === 
00:17:11 ipsec,debug HASH(3) generate 
00:17:11 ipsec,debug add payload of len 20, next type 0 
00:17:11 ipsec,debug 60 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:11 ipsec,debug 1 times of 60 bytes message will be sent to 192.168.222.2[500] 
00:17:11 ipsec,debug dh(modp1024) 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug encklen=128 authklen=160 
00:17:11 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:11 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:11 ipsec,debug 9f14e177 32f04649 cb7fd47a 10723391 d8bea395 3ccc465c cef04c88 7122db55 
00:17:11 ipsec,debug 192a0736 0cac4512 5257853d 5890b327 4dbb74ba 3a9a2cc3 ad38954e 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug encklen=128 authklen=160 
00:17:11 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:11 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:11 ipsec,debug 51b1da8f 4bc1ced0 6f3256e5 adb8dab4 f43b40ae 212cb2eb 2f1c4080 71a7244d 
00:17:11 ipsec,debug 931476a6 f36af815 25fddfba 743e4454 02a2ba1c f42f4ec2 de1446ee 
00:17:11 ipsec,debug KEYMAT computed. 
00:17:11 ipsec,debug call pk_sendupdate 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug call pfkey_send_update_nat 
00:17:11 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0xd41992d 
00:17:11 ipsec,debug pfkey update sent. 
00:17:11 ipsec,debug encryption(aes-cbc) 
00:17:11 ipsec,debug hmac(sha1) 
00:17:11 ipsec,debug call pfkey_send_add_nat 
00:17:11 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x16e169e8 
00:17:11 ipsec,debug pfkey add sent. 
00:17:37 ipsec,debug ===== received 316 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:37 ipsec,debug hash(sha1) 
00:17:37 ipsec,debug === 
00:17:37 ipsec respond new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=8(hash) len=24 
00:17:37 ipsec,debug seen nptype=1(sa) len=68 
00:17:37 ipsec,debug seen nptype=10(nonce) len=24 
00:17:37 ipsec,debug seen nptype=4(ke) len=132 
00:17:37 ipsec,debug seen nptype=5(id) len=16 
00:17:37 ipsec,debug seen nptype=5(id) len=16 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug received IDci2: 
00:17:37 ipsec,debug 042f0000 00000000 00000000 
00:17:37 ipsec,debug received IDcr2: 
00:17:37 ipsec,debug 042f0000 00000000 00000000 
00:17:37 ipsec,debug HASH(1) validate: 
00:17:37 ipsec,debug 1e86a402 22ffbd5c 8036935d 402734be 5063aa8a 
00:17:37 ipsec,debug total SA len=64 
00:17:37 ipsec,debug 00000001 00000001 00000038 01030401 ef8079ea 0000002c 010c0000 80040001 
00:17:37 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=2(prop) len=56 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug proposal #1 len=56 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=3(trns) len=44 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug transform #1 len=44 
00:17:37 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:37 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:37 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:17:37 ipsec,debug life duration was in TLV. 
00:17:37 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:17:37 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:37 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:37 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:37 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:37 ipsec,debug dh(modp1024) 
00:17:37 ipsec,debug pair 1: 
00:17:37 ipsec,debug  0x4aab08: next=(nil) tnext=(nil) 
00:17:37 ipsec,debug proposal #1: 1 transform 
00:17:37 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:37 ipsec,debug got the peer address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47 
00:17:37 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47 
00:17:37 ipsec policy not found 
00:17:37 ipsec failed to get proposal for responder. 
00:17:37 ipsec,error 192.168.222.2 failed to pre-process ph2 packet. 
00:17:37 ipsec,debug hash(sha1) 
00:17:37 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:37 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:37 ipsec,debug sendto Information notify. 
00:17:37 ipsec,debug ===== received 92 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:37 ipsec,debug receive Information. 
00:17:37 ipsec,debug hash(sha1) 
00:17:37 ipsec,debug hash validated. 
00:17:37 ipsec,debug begin. 
00:17:37 ipsec,debug seen nptype=8(hash) len=24 
00:17:37 ipsec,debug seen nptype=12(delete) len=28 
00:17:37 ipsec,debug succeed. 
00:17:37 ipsec,debug 192.168.222.2 delete payload for protocol ISAKMP 
00:17:37 ipsec,info purging ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=71ffcbce1a50cb0e:3fc807df1dc73e73. 
00:17:37 ipsec purged IPsec-SA proto_id=ESP spi=0x16e169e8 
00:17:37 ipsec purged IPsec-SA proto_id=ESP spi=0xd41992d 
00:17:37 ipsec purged ISAKMP-SA 192.168.222.5[500]<=>192.168.222.2[500] spi=71ffcbce1a50cb0e:3fc807df1dc73e73. 
00:17:37 ipsec,debug purged SAs. 
00:17:37 ipsec,info ISAKMP-SA deleted 192.168.222.5[500]-192.168.222.2[500] spi:71ffcbce1a50cb0e:3fc807df1dc73e73 rekey:1 
00:17:41 ipsec,debug === 
00:17:41 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:41 ipsec,debug new cookie: 
00:17:41 ipsec,debug 0e8ff9c25a73fec3 
00:17:41 ipsec,debug add payload of len 56, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 13 
00:17:41 ipsec,debug add payload of len 16, next type 0 
00:17:41 ipsec,debug 348 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 348 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:0000000000000000 
00:17:41 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=1(sa) len=60 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec received Vendor ID: RFC 3947 
00:17:41 ipsec 192.168.222.2 Selected NAT-T version: RFC 3947 
00:17:41 ipsec,debug total SA len=56 
00:17:41 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
00:17:41 ipsec,debug 80020002 80040002 80030001 800b0001 000c0004 00015180 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=2(prop) len=48 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug proposal #1 len=48 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=3(trns) len=40 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug transform #1 len=40 
00:17:41 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:41 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug pair 1: 
00:17:41 ipsec,debug  0x4a4188: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug proposal #1: 1 transform 
00:17:41 ipsec,debug -checking with pre-shared key auth- 
00:17:41 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
00:17:41 ipsec,debug trns#=1, trns-id=IKE 
00:17:41 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
00:17:41 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
00:17:41 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug -compare proposal #1: Local:Peer 
00:17:41 ipsec,debug (lifetime = 86400:86400) 
00:17:41 ipsec,debug (lifebyte = 0:0) 
00:17:41 ipsec,debug enctype = AES-CBC:AES-CBC 
00:17:41 ipsec,debug (encklen = 128:128) 
00:17:41 ipsec,debug hashtype = SHA:SHA 
00:17:41 ipsec,debug authmethod = pre-shared key:pre-shared key 
00:17:41 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group 
00:17:41 ipsec,debug -an acceptable proposal found- 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug -agreed on pre-shared key auth- 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec Adding remote and local NAT-D payloads. 
00:17:41 ipsec,debug add payload of len 128, next type 10 
00:17:41 ipsec,debug add payload of len 24, next type 20 
00:17:41 ipsec,debug add payload of len 20, next type 20 
00:17:41 ipsec,debug add payload of len 20, next type 0 
00:17:41 ipsec,debug 236 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 236 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86 
00:17:41 ipsec,debug ===== received 304 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=4(ke) len=132 
00:17:41 ipsec,debug seen nptype=10(nonce) len=24 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug seen nptype=13(vid) len=20 
00:17:41 ipsec,debug seen nptype=13(vid) len=12 
00:17:41 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:41 ipsec,debug seen nptype=20(nat-d) len=24 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec received Vendor ID: CISCO-UNITY 
00:17:41 ipsec received Vendor ID: DPD 
00:17:41 ipsec,debug remote supports DPD 
00:17:41 ipsec,debug received unknown Vendor ID 
00:17:41 ipsec,debug ca0fa0c2 e1ca3d86 47ec367c 0004b25d 
00:17:41 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
00:17:41 ipsec,debug 192.168.222.5 Hashing 192.168.222.5[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug NAT-D payload #0 verified 
00:17:41 ipsec,debug 192.168.222.2 Hashing 192.168.222.2[500] with algo #2  
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug NAT-D payload #1 verified 
00:17:41 ipsec NAT not detected  
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug nonce 1:  
00:17:41 ipsec,debug a4a83f35 bff57990 18a9563c c623a779 da3d10b7 138b49b7 
00:17:41 ipsec,debug nonce 2:  
00:17:41 ipsec,debug bd64b1ef b16656df c0a53228 a176986e 1d3b302a 
00:17:41 ipsec,debug SKEYID computed: 
00:17:41 ipsec,debug 6a78919f a968d9d0 822d8cdc b9791b94 66b45345 
00:17:41 ipsec,debug SKEYID_d computed: 
00:17:41 ipsec,debug f55fe712 4c677562 485a55d2 d92a599e 0f4b9576 
00:17:41 ipsec,debug SKEYID_a computed: 
00:17:41 ipsec,debug 57f6c670 f2d49fc7 1451ed00 c0feac9f af10a06f 
00:17:41 ipsec,debug SKEYID_e computed: 
00:17:41 ipsec,debug 94d6e246 493672e5 69286eef 59fdc3b9 ac8ee21f 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug final encryption key computed: 
00:17:41 ipsec,debug 94d6e246 493672e5 69286eef 59fdc3b9 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug IV computed: 
00:17:41 ipsec,debug a7c3b93f f16e6177 2831fae1 7489ab4f 
00:17:41 ipsec,debug use ID type of IPv4_address 
00:17:41 ipsec,debug add payload of len 8, next type 8 
00:17:41 ipsec,debug add payload of len 20, next type 0 
00:17:41 ipsec,debug 76 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 76 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86 
00:17:41 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=5(id) len=12 
00:17:41 ipsec,debug seen nptype=8(hash) len=24 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug HASH received: 
00:17:41 ipsec,debug dfc5e2b3 5495722f c3d2e6de d23af136 05cdb95e 
00:17:41 ipsec,debug HASH for PSK validated. 
00:17:41 ipsec,debug 192.168.222.2 peer's ID: 
00:17:41 ipsec,debug 011101f4 c0a8de02 
00:17:41 ipsec,debug === 
00:17:41 ipsec ph2 possible after ph1 creation 
00:17:41 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:41 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:41 ipsec,debug begin QUICK mode. 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug begin QUICK mode. 
00:17:41 ipsec initiate new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug call pfkey_send_getspi 9 
00:17:41 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
00:17:41 ipsec,debug pfkey getspi sent. 
00:17:41 ipsec,info ISAKMP-SA established 192.168.222.5[500]-192.168.222.2[500] spi:0e8ff9c25a73fec3:3fc807dfe1cb3d86 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug ===== received 108 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug receive Information. 
00:17:41 ipsec,debug hash(sha1) 
00:17:41 ipsec,debug hash validated. 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=8(hash) len=24 
00:17:41 ipsec,debug seen nptype=11(notify) len=40 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug 192.168.222.2 notify: RESPONDER-LIFETIME 
00:17:41 ipsec,debug 192.168.222.2 notification message 24576:RESPONDER-LIFETIME, doi=1 proto_id=1 spi=0e8ff9c25a73fec33fc807dfe1cb3d86(size=16). 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug use local ID type IPv4_subnet 
00:17:41 ipsec,debug use remote ID type IPv4_subnet 
00:17:41 ipsec,debug IDci: 
00:17:41 ipsec,debug 042f0000 ac100200 ffffff00 
00:17:41 ipsec,debug IDcr: 
00:17:41 ipsec,debug 042f0000 01010100 ffffff00 
00:17:41 ipsec,debug add payload of len 56, next type 10 
00:17:41 ipsec,debug add payload of len 24, next type 4 
00:17:41 ipsec,debug add payload of len 128, next type 5 
00:17:41 ipsec,debug add payload of len 12, next type 5 
00:17:41 ipsec,debug add payload of len 12, next type 0 
00:17:41 ipsec,debug add payload of len 20, next type 1 
00:17:41 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86:bb09d946 
00:17:41 ipsec,debug ===== received 348 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=8(hash) len=24 
00:17:41 ipsec,debug seen nptype=1(sa) len=60 
00:17:41 ipsec,debug seen nptype=10(nonce) len=24 
00:17:41 ipsec,debug seen nptype=4(ke) len=132 
00:17:41 ipsec,debug seen nptype=5(id) len=16 
00:17:41 ipsec,debug seen nptype=5(id) len=16 
00:17:41 ipsec,debug seen nptype=11(notify) len=40 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug 192.168.222.2 Notify Message received 
00:17:41 ipsec 192.168.222.2 ignore RESPONDER-LIFETIME notification. 
00:17:41 ipsec,debug IDci matches proposal. 
00:17:41 ipsec,debug IDcr matches proposal. 
00:17:41 ipsec,debug HASH allocated:hbuf->l=344 actual:tlen=312 
00:17:41 ipsec,debug HASH(2) received: 
00:17:41 ipsec,debug cd647641 bd1a5995 6c331634 502fe38c b59fa1c8 
00:17:41 ipsec,debug total SA len=56 
00:17:41 ipsec,debug 00000001 00000001 00000030 01030401 04022cc5 00000024 010c0000 80010001 
00:17:41 ipsec,debug 00020004 00015180 80040001 80060080 80050002 80030002 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=2(prop) len=48 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug proposal #1 len=48 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=3(trns) len=36 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug transform #1 len=36 
00:17:41 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug pair 1: 
00:17:41 ipsec,debug  0x4a9a10: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug proposal #1: 1 transform 
00:17:41 ipsec,debug total SA len=56 
00:17:41 ipsec,debug 00000001 00000001 00000030 01030401 50fc8dd1 00000024 010c0000 80040001 
00:17:41 ipsec,debug 80010001 00020004 00015180 80050002 80060080 80030002 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=2(prop) len=48 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug proposal #1 len=48 
00:17:41 ipsec,debug begin. 
00:17:41 ipsec,debug seen nptype=3(trns) len=36 
00:17:41 ipsec,debug succeed. 
00:17:41 ipsec,debug transform #1 len=36 
00:17:41 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:41 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug pair 1: 
00:17:41 ipsec,debug  0x4aae88: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug proposal #1: 1 transform 
00:17:41 ipsec attribute has been modified. 
00:17:41 ipsec,debug begin compare proposals. 
00:17:41 ipsec,debug pair[1]: 0x4aae88 
00:17:41 ipsec,debug  0x4aae88: next=(nil) tnext=(nil) 
00:17:41 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
00:17:41 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:17:41 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:17:41 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:17:41 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:17:41 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:17:41 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:17:41 ipsec,debug peer's single bundle: 
00:17:41 ipsec,debug  (proto_id=ESP spisize=4 spi=50fc8dd1 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:41 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:41 ipsec,debug my single bundle: 
00:17:41 ipsec,debug  (proto_id=ESP spisize=4 spi=04022cc5 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:17:41 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:17:41 ipsec,debug matched 
00:17:41 ipsec,debug === 
00:17:41 ipsec,debug HASH(3) generate 
00:17:41 ipsec,debug add payload of len 20, next type 0 
00:17:41 ipsec,debug 60 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:17:41 ipsec,debug 1 times of 60 bytes message will be sent to 192.168.222.2[500] 
00:17:41 ipsec,debug dh(modp1024) 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug encklen=128 authklen=160 
00:17:41 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:41 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:41 ipsec,debug feea0b12 f2ec21d0 59028591 0a17a902 62bf1099 f25b4723 cd84a39c 809f495a 
00:17:41 ipsec,debug b773dc67 2b79f19d 2e2c9477 eb615496 0f86d989 37581cd5 ed37ceef 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug encklen=128 authklen=160 
00:17:41 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:17:41 ipsec,debug generating K1...K3 for KEYMAT. 
00:17:41 ipsec,debug fe719e9d cbe9e275 c1679ba4 8708e008 7eefb819 d8f755c6 1748b7b7 eeba0945 
00:17:41 ipsec,debug 301d9e1e 426b509b 6ca47e22 7ad1c123 c4ab805c 64b28270 9d9d770a 
00:17:41 ipsec,debug KEYMAT computed. 
00:17:41 ipsec,debug call pk_sendupdate 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug call pfkey_send_update_nat 
00:17:41 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x4022cc5 
00:17:41 ipsec,debug pfkey update sent. 
00:17:41 ipsec,debug encryption(aes-cbc) 
00:17:41 ipsec,debug hmac(sha1) 
00:17:41 ipsec,debug call pfkey_send_add_nat 
00:17:41 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x50fc8dd1 
00:17:41 ipsec,debug pfkey add sent. 
00:18:06 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:06 ipsec,debug receive Information. 
00:18:06 ipsec,debug hash(sha1) 
00:18:06 ipsec,debug hash validated. 
00:18:06 ipsec,debug begin. 
00:18:06 ipsec,debug seen nptype=8(hash) len=24 
00:18:06 ipsec,debug seen nptype=12(delete) len=16 
00:18:06 ipsec,debug succeed. 
00:18:06 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:06 ipsec,debug purged SAs. 
00:18:06 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:06 ipsec,debug receive Information. 
00:18:06 ipsec,debug hash(sha1) 
00:18:06 ipsec,debug hash validated. 
00:18:06 ipsec,debug begin. 
00:18:06 ipsec,debug seen nptype=8(hash) len=24 
00:18:06 ipsec,debug seen nptype=12(delete) len=16 
00:18:06 ipsec,debug succeed. 
00:18:06 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:06 ipsec,debug purged SAs. 
00:18:11 ipsec,debug ===== received 316 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug hash(sha1) 
00:18:11 ipsec,debug === 
00:18:11 ipsec respond new phase 2 negotiation: 192.168.222.5[500]<=>192.168.222.2[500] 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug seen nptype=1(sa) len=68 
00:18:11 ipsec,debug seen nptype=10(nonce) len=24 
00:18:11 ipsec,debug seen nptype=4(ke) len=132 
00:18:11 ipsec,debug seen nptype=5(id) len=16 
00:18:11 ipsec,debug seen nptype=5(id) len=16 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug received IDci2: 
00:18:11 ipsec,debug 042f0000 01010100 ffffff00 
00:18:11 ipsec,debug received IDcr2: 
00:18:11 ipsec,debug 042f0000 ac100200 ffffff00 
00:18:11 ipsec,debug HASH(1) validate: 
00:18:11 ipsec,debug 2f4b408c 00cce621 8c00155c 3d04680d 0d8e1063 
00:18:11 ipsec,debug total SA len=64 
00:18:11 ipsec,debug 00000001 00000001 00000038 01030401 07ff298f 0000002c 010c0000 80040001 
00:18:11 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=2(prop) len=56 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug proposal #1 len=56 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=3(trns) len=44 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug transform #1 len=44 
00:18:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:18:11 ipsec,debug life duration was in TLV. 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:18:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:18:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:18:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:18:11 ipsec,debug dh(modp1024) 
00:18:11 ipsec,debug pair 1: 
00:18:11 ipsec,debug  0x4ab7d8: next=(nil) tnext=(nil) 
00:18:11 ipsec,debug proposal #1: 1 transform 
00:18:11 ipsec,debug got the local address from ID payload 172.16.2.0[0] prefixlen=24 ul_proto=47 
00:18:11 ipsec,debug got the peer address from ID payload 1.1.1.0[0] prefixlen=24 ul_proto=47 
00:18:11 ipsec searching for policy for selector: 172.16.2.0/24 ip-proto:47 <=> 1.1.1.0/24 ip-proto:47 
00:18:11 ipsec using strict match: 172.16.2.0/24 <=> 1.1.1.0/24 ip-proto:47 
00:18:11 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:18:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:18:11 ipsec,debug begin compare proposals. 
00:18:11 ipsec,debug pair[1]: 0x4ab7d8 
00:18:11 ipsec,debug  0x4ab7d8: next=(nil) tnext=(nil) 
00:18:11 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
00:18:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:18:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:18:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:18:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:18:11 ipsec,debug peer's single bundle: 
00:18:11 ipsec,debug  (proto_id=ESP spisize=4 spi=07ff298f spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:18:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:18:11 ipsec,debug my single bundle: 
00:18:11 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
00:18:11 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
00:18:11 ipsec,debug matched 
00:18:11 ipsec,debug === 
00:18:11 ipsec,debug call pfkey_send_getspi a 
00:18:11 ipsec,debug pfkey GETSPI sent: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500]  
00:18:11 ipsec,debug pfkey getspi sent. 
00:18:11 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug receive Information. 
00:18:11 ipsec,debug hash(sha1) 
00:18:11 ipsec,debug hash validated. 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug seen nptype=12(delete) len=16 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:11 ipsec,debug purged SAs. 
00:18:11 ipsec,debug total SA len=64 
00:18:11 ipsec,debug 00000001 00000001 00000038 01030401 00000000 0000002c 010c0000 80040001 
00:18:11 ipsec,debug 80010001 80020e10 80010002 00020004 00465000 80050002 80060080 80030002 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=2(prop) len=56 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug proposal #1 len=56 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=3(trns) len=44 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug transform #1 len=44 
00:18:11 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Tunnel 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
00:18:11 ipsec,debug life duration was in TLV. 
00:18:11 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes 
00:18:11 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4 
00:18:11 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
00:18:11 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
00:18:11 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
00:18:11 ipsec,debug dh(modp1024) 
00:18:11 ipsec,debug pair 1: 
00:18:11 ipsec,debug  0x4ab808: next=(nil) tnext=(nil) 
00:18:11 ipsec,debug proposal #1: 1 transform 
00:18:11 ipsec,debug dh(modp1024) 
00:18:11 ipsec,debug add payload of len 64, next type 10 
00:18:11 ipsec,debug add payload of len 24, next type 4 
00:18:11 ipsec,debug add payload of len 128, next type 5 
00:18:11 ipsec,debug add payload of len 12, next type 5 
00:18:11 ipsec,debug add payload of len 12, next type 0 
00:18:11 ipsec,debug add payload of len 20, next type 1 
00:18:11 ipsec,debug 316 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
00:18:11 ipsec,debug 1 times of 316 bytes message will be sent to 192.168.222.2[500] 
00:18:11 ipsec sent phase2 packet 192.168.222.5[500]<=>192.168.222.2[500] 0e8ff9c25a73fec3:3fc807dfe1cb3d86:606f293d 
00:18:11 ipsec,debug ===== received 76 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug receive Information. 
00:18:11 ipsec,debug hash(sha1) 
00:18:11 ipsec,debug hash validated. 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug seen nptype=12(delete) len=16 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug 192.168.222.2 delete payload for protocol ESP 
00:18:11 ipsec purged IPsec-SA proto_id=ESP spi=0x50fc8dd1 
00:18:11 ipsec purged IPsec-SA proto_id=ESP spi=0x4022cc5 
00:18:11 ipsec,debug purged SAs. 
00:18:11 ipsec,debug ===== received 60 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
00:18:11 ipsec,debug begin. 
00:18:11 ipsec,debug seen nptype=8(hash) len=24 
00:18:11 ipsec,debug succeed. 
00:18:11 ipsec,debug HASH(3) validate: 
00:18:11 ipsec,debug a0cf7e31 11a4a211 aa4b3876 d4382240 f0e601d7 
00:18:11 ipsec,debug === 
00:18:11 ipsec,debug dh(modp1024) 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug encklen=128 authklen=160 
00:18:12 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:18:12 ipsec,debug generating K1...K3 for KEYMAT. 
00:18:12 ipsec,debug d5e37685 5851e424 db1d218d 39b67298 630880af 83b64055 3b592daf cbcc28be 
00:18:12 ipsec,debug d046c5c0 0106ef44 f04625d8 47209c43 5420cbf2 6bfacd2c 7302f32a 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug encklen=128 authklen=160 
00:18:12 ipsec,debug generating 480 bits of key (dupkeymat=3) 
00:18:12 ipsec,debug generating K1...K3 for KEYMAT. 
00:18:12 ipsec,debug 986d244e 11974aac 6ddc1217 6a980409 329f6f2c b953f9a0 9ca3a045 461b9c25 
00:18:12 ipsec,debug 367ca0fa be92017f db3eec22 e3375b62 aaca1161 c7c31376 7b632dac 
00:18:12 ipsec,debug KEYMAT computed. 
00:18:12 ipsec,debug call pk_sendupdate 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug call pfkey_send_update_nat 
00:18:12 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x889d24a 
00:18:12 ipsec,debug pfkey update sent. 
00:18:12 ipsec,debug encryption(aes-cbc) 
00:18:12 ipsec,debug hmac(sha1) 
00:18:12 ipsec,debug call pfkey_send_add_nat 
00:18:12 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.5[500]->192.168.222.2[500] spi=0x7ff298f 
00:18:12 ipsec,debug pfkey add sent.  
Please let me know if there still exists any ambiguity or inconsistency.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Sun Jun 05, 2022 7:02 pm

If and only if I halt IPsec on both ends (e.g. by disabling peers) pings will come back. I guess this is a sign of a working GRE tunnel between the two, as I see packets being counted on the MikroTik GRE interface while pinging. Am I right?
Correct - in this state, with policies at both ends disabled by configuration, the routes send traffic between 1.1.1.0/24 and 172.16.2.0/24 via the GRE tunnel, and no IPsec policy, that would divert the GRE payload traffic or the GRE transport traffic, is engaged at either end.

I think the other method, where the GRE is in transport mode, is called "IPsec over GRE".
IPsec over GRE can be done but it is none of the cases I've described before. And the distinction between "transport mode" and "tunnel mode" is only meaningful as a distinguisher of what part of the payload packet is encapsulated into the IPsec transport packet - in tunnel mode, also the IP header is encapsulated, whereas in transport mode, it is not. GRE uses no encryption, so transport mode makes no sense for it - the transport packet always carries the complete payload one, including its IP headers (to be precise, that's when we talk about IP over GRE, as GRE can encapsulate different types of payload).

Please let me know if there still exists any ambiguity or inconsistency.
In this log, you can see the Cisco tried to establish Phase 2 three times:

00:17:07 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47
00:17:07 ipsec,debug got the peer address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47
00:17:07 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47
00:17:07 ipsec policy not found
00:17:07 ipsec failed to get proposal for responder.
00:17:07 ipsec,error 192.168.222.2 failed to pre-process ph2 packet.



00:17:37 ipsec,debug got the local address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47
00:17:37 ipsec,debug got the peer address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=47
00:17:37 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47
00:17:37 ipsec policy not found
00:17:37 ipsec failed to get proposal for responder.
00:17:37 ipsec,error 192.168.222.2 failed to pre-process ph2 packet.



00:18:11 ipsec,debug got the local address from ID payload 172.16.2.0[0] prefixlen=24 ul_proto=47
00:18:11 ipsec,debug got the peer address from ID payload 1.1.1.0[0] prefixlen=24 ul_proto=47
00:18:11 ipsec searching for policy for selector: 172.16.2.0/24 ip-proto:47 <=> 1.1.1.0/24 ip-proto:47
00:18:11 ipsec using strict match: 172.16.2.0/24 <=> 1.1.1.0/24 ip-proto:47
00:18:11 ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
00:18:11 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
00:18:11 ipsec,debug begin compare proposals.


Only the third one has succeeded, but that doesn't mean that Cisco doesn't divert all GRE packets to the IPSec SA as the access-list is still the same. However, since the SA has only been actually negotiated for GRE between 172.16.2.0/24 and 1.1.1.0/24, the GRE packets from 192.168.222.2 to 192.168.222.5 are not sent through that SA, nor are other-than-GRE packets from 1.1.1.0/24 to 172.16.2.0/24.

Yes, I am exactly trying "encrypted GRE", which I guess is known as "GRE over IPsec".
OK, so modify the configuration as follows:

from
ip access-list extended gretraffic
permit gre any any
permit ip 1.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!


to
ip access-list extended gretraffic
permit gre 192.168.222.2 0.0.0.0 192.168.222.5 0.0.0.0
!


and from
/ip ipsec policy
...
add dst-address=1.1.1.0/24 peer=myset1 protocol=gre src-address=172.16.2.0/24 tunnel=yes


to
/ip ipsec policy
...
add dst-address=192.168.222.2/32 peer=myset1 protocol=gre src-address=192.168.222.5 tunnel=yes



This will make the IPsec policies at both peers only handle GRE packets between the endpoint addresses of the GRE tunnel and ignore the rest.
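To make the three Phase 2 attempts above easier to pick out of a long debug log, here is an added example (my own code, not from the thread, from RouterOS or from Cisco) that extracts the responder's selector search, records whether a policy matched, and then checks whether a matched selector would actually carry GRE between the tunnel transport endpoints (192.168.222.5 and 192.168.222.2, as in the log quoted above). The sample log is a constructed excerpt of the lines quoted in this post; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed excerpt: the RouterOS 6.x ipsec log lines quoted in the post above.
SAMPLE_LOG = """\
00:17:07 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47
00:17:07 ipsec policy not found
00:17:07 ipsec failed to get proposal for responder.
00:17:07 ipsec,error 192.168.222.2 failed to pre-process ph2 packet.
00:17:37 ipsec searching for policy for selector: 0.0.0.0/0 ip-proto:47 <=> 0.0.0.0/0 ip-proto:47
00:17:37 ipsec policy not found
00:18:11 ipsec searching for policy for selector: 172.16.2.0/24 ip-proto:47 <=> 1.1.1.0/24 ip-proto:47
00:18:11 ipsec using strict match: 172.16.2.0/24 <=> 1.1.1.0/24 ip-proto:47
00:18:12 ipsec IPsec-SA established: ESP/Tunnel 192.168.222.2[500]->192.168.222.5[500] spi=0x889d24a
"""

# "local <=> remote" in these lines is from the responder's (the MikroTik's) point of view.
SEARCH_RE = re.compile(
    r"^(\S+) ipsec searching for policy for selector: (\S+) ip-proto:(\d+) <=> (\S+) ip-proto:(\d+)")
MATCH_RE = re.compile(r"^(\S+) ipsec using strict match: (\S+) <=> (\S+) ip-proto:(\d+)")
NOT_FOUND_RE = re.compile(r"^(\S+) ipsec policy not found")


@dataclass
class Phase2Attempt:
    time: str
    local: str      # local traffic selector, e.g. 172.16.2.0/24
    remote: str     # remote traffic selector, e.g. 1.1.1.0/24
    proto: int      # IP protocol number in the selector; 47 = GRE
    outcome: str = "pending"


def parse_phase2(log: str) -> List[Phase2Attempt]:
    """Group the responder's selector searches into attempts and record each outcome."""
    attempts: List[Phase2Attempt] = []
    current = None
    for line in log.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = Phase2Attempt(m.group(1), m.group(2), m.group(4), int(m.group(3)))
            attempts.append(current)
            continue
        if current is None:
            continue
        if NOT_FOUND_RE.match(line):
            current.outcome = "no matching policy"
        elif MATCH_RE.match(line):
            current.outcome = "policy matched"
    return attempts


def covers_endpoints(attempt: Phase2Attempt, local_ep: str, remote_ep: str) -> bool:
    """True if the selector the SA was negotiated for would carry GRE between the
    GRE transport endpoints themselves, which is what "GRE over IPsec" needs."""
    return (attempt.outcome == "policy matched"
            and attempt.proto == 47
            and ip_address(local_ep) in ip_network(attempt.local)
            and ip_address(remote_ep) in ip_network(attempt.remote))


def report(log: str, local_ep: str, remote_ep: str) -> List[str]:
    """One human-readable line per Phase 2 attempt found in the log."""
    lines = []
    for a in parse_phase2(log):
        verdict = ("carries GRE between the tunnel endpoints"
                   if covers_endpoints(a, local_ep, remote_ep)
                   else "does NOT cover the GRE transport packets")
        lines.append(f"{a.time} {a.local} <=> {a.remote} proto {a.proto}: {a.outcome}; {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "192.168.222.5", "192.168.222.2")))
```

With the log above, the first two attempts end in "no matching policy" and the third matches 172.16.2.0/24 <=> 1.1.1.0/24, which does not contain the transport endpoints, so `covers_endpoints()` is false for all three. After the policy change to the /32 endpoint addresses, the "using strict match" line carries those /32 selectors and the check passes.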
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sun Jun 05, 2022 8:55 pm

Thank you, dear Sindy! Now it seems that the two ends are seeing and talking to each other. You saved my life ❤️
But Sindy, please don't go. Now that I have the tunnel up and running:
1) How can I make it stable? I have seen a lot of instability issues regarding GRE over IPsec in the forum, many answered and treated by you. Topics like keepalive, MTU/MSS, etc. are among many questions.
2) How can I see and make sure that the traffic between the two ends is really encrypted? I mean, how can I be sure that IPsec is encrypting the GRE traffic now?
Sorry for opening these questions. If a new thread would be better, please do not hesitate to mention it.
Best regards.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Sun Jun 05, 2022 9:15 pm

1) How can I make it stable? I have seen a lot of instability issues regarding GRE over IPsec in the forum, many answered and treated by you. Topics like keepalive, MTU/MSS, etc. are among many questions.
Well, "stability" and "functionality" are different categories. The tunnel will be "stable" if the network between the peers is stable; regarding functionality, you have to make sure that MTU information is consistent all the way, so that you don't end up with the MTU of the GRE tunnel being larger than what can actually be transported, as this would lead to loss of packets of a certain size. Here, you have to take into account the overhead of GRE itself and the overhead of IPsec; the latter depends on the encryption and authentication algorithms used and on the encapsulation type (transport or tunnel, bare or UDP-encapsulated ESP).

MSS is unrelated to GRE - it is a TCP property that does not exist in GRE or UDP. Manipulating MSS is only a workaround for path MTU discovery broken by incompetent ISPs blocking all ICMP, and it is not 100% reliable; I have seen TCP servers in the wild that ignored the MSS value and relied on PMTUD to work.

How GRE keepalives work and how that interworks with firewall settings has been explained in multiple other topics.

You should perfectly understand how a firewall works before setting up any VPN outside a lab environment.

2) How can I see and make sure that the traffic between the two ends is really encrypted? I mean, how can I be sure that IPsec is encrypting the GRE traffic now?
/tool sniffer is your friend here. If you sniff on the uplink interface into a file and then open the file using Wireshark, you'll see that the traffic towards the Cisco does not contain plaintext GRE packets; the traffic from the Cisco will show both the ESP packets carrying the encrypted GRE and the plaintext GRE packets after decryption, but that's due to how the sniffer works. You should see that the plaintext GRE packets have no source and destination MAC address.
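As a worked version of the overhead arithmetic in the MTU paragraph above, here is an added example (my own code, not from the thread, from RouterOS or from Cisco) that sizes one GRE-over-IPsec packet on the wire and searches for the largest packet the tunnel interface can carry within a given path MTU. It goes beyond the single setup in this thread and covers the combinations discussed later in it as well: GRE or IPIP, tunnel or transport mode, bare or UDP-encapsulated ESP, and the CBC ciphers and HMACs from the posted configs. Header lengths are the standard ones from the RFCs cited in the comments; the function and constant names are my own.

```python
ESP_HEADER = 8       # SPI (4) + sequence number (4), RFC 4303
IPV4_HEADER = 20     # no options
UDP_HEADER = 8       # NAT-T encapsulation, RFC 3948
# GRE without key/sequence/checksum fields; IPIP (ipencap) adds only the outer IP header.
TUNNEL_HEADER = {"gre": 4, "ipip": 0}

# (IV length, cipher block size) in bytes for the CBC ciphers used in this thread's configs.
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# ICV length in bytes: HMAC-MD5-96 / HMAC-SHA1-96 (RFC 2403/2404), HMAC-SHA-256-128 (RFC 4868).
AUTH_ICV = {"hmac-md5": 12, "hmac-sha1": 12, "hmac-sha256": 16}


def wire_size(inner_len: int, *, tunnel: str = "gre", cipher: str = "aes-cbc",
              auth: str = "hmac-sha1", tunnel_mode: bool = True, nat_t: bool = False) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes carried by
    GRE/IPIP over ESP (IPv4 transport; exactly one outermost IP header in both modes)."""
    iv_len, block = CIPHERS[cipher]
    # What ESP protects: in transport mode only the GRE/IPIP payload (the tunnel's own
    # IP header stays outside and becomes the ESP packet's header); in tunnel mode the
    # whole tunnel transport packet, so its IP header is encrypted and a new one is added.
    plaintext = TUNNEL_HEADER[tunnel] + inner_len + (IPV4_HEADER if tunnel_mode else 0)
    # ESP trailer: pad so that plaintext + padding + pad-length + next-header is block-aligned.
    padded = ((plaintext + 2 + block - 1) // block) * block
    esp = ESP_HEADER + iv_len + padded + AUTH_ICV[auth]
    return IPV4_HEADER + (UDP_HEADER if nat_t else 0) + esp


def max_inner_mtu(path_mtu: int = 1500, **kw) -> int:
    """Largest inner packet (i.e. the GRE/IPIP interface MTU) that still fits in path_mtu.
    A linear search, because CBC padding makes the wire size a step function."""
    mtu = path_mtu
    while mtu > 0 and wire_size(mtu, **kw) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    cases = [("GRE, tunnel mode", {}),
             ("GRE, tunnel mode, NAT-T", {"nat_t": True}),
             ("GRE, transport mode", {"tunnel_mode": False}),
             ("IPIP, transport mode", {"tunnel": "ipip", "tunnel_mode": False}),
             ("GRE, tunnel mode, 3DES/MD5", {"cipher": "3des-cbc", "auth": "hmac-md5"})]
    for label, kw in cases:
        print(f"{label:32s} interface MTU <= {max_inner_mtu(**kw)}")
```

For a 1500-byte uplink and AES-CBC/HMAC-SHA1 in tunnel mode, a GRE interface MTU of 1414 is the largest that never needs fragmenting; transport mode gains exactly the 20 bytes of the encrypted IP header, IPIP gains the 4-byte GRE header on top of that, and NAT-T costs 8 bytes plus whatever the CBC padding rounds up to.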
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Sun Jun 05, 2022 9:40 pm

Thank you so, so much, dear Sindy. I am looking at the ESP packets flowing through the Cisco uplink to the MikroTik side when I ping from the Cisco's loopback, so I guess it's working now.
About MTU, I will read your words a couple of times, as well as your other words, since I believe you're so deep in networking concepts and truly know what you say and paraphrase.
My next milestone would be implementing the same scenario on real public routers with the aim of removing a resident MPLS solution. I guess NAT is gonna come into the field. Any ideas, suggestions, warnings, etc. are highly appreciated.
Very kind regards. ❤️
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Sun Jun 05, 2022 10:00 pm

Before going to the public network, spend even more time in the lab checking various real-life scenarios; maybe pour more routers into the setup to imitate the internet (CHRs running in any kind of virtualization environment are great, and for this purpose the free license with its 1 Mbit/s limitation of outgoing traffic per interface is sufficient).

When using IPsec only to encrypt the transport packets of another tunnel, I'd recommend switching to transport mode for the IPsec SA because it saves some packet space, but I don't know what to change in the Cisco configuration for that; I'd also recommend using IPIP (ipencap) instead of GRE because it also saves some packet space - GRE is intended to carry different types of payload, but Mikrotik doesn't make use of that capability, so the header bytes used for the purpose are effectively just wasted. I'm just not sure whether Cisco uses the same keepalive concept for IPIP as for GRE.

At Cisco, I was unable to find out how to make it adjust to dynamically changing address of the IPsec peer.

If you want to completely avoid MTU issues, L2TP with MLPPP enabled is great; the price to pay is that the rate of transport packets almost doubles.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Mon Jun 06, 2022 11:11 am

Thank you, Sindy, so much for your kind advice; I'll take your words. I believe in you. In fact I am in a lab environment, but not using emulation software, just real physical devices with a testing internet connection without specific traffic. So don't worry, I won't break things up ;-)
But Sindy, something weird happened. I replaced the original Cisco 2800 with an ISR4331. On this second router, i.e. the ISR4331, we lack a physical interface, so I set the IP address on its sub-interface, say gig0/0/1.2, and as you know, dot1q encapsulation is set for it (trunk).
Then I applied all the required IPsec configuration to this sub-interface gig0/0/1.2. The original MikroTik device is not changed. Now, not even phase 1 is established, throwing this error: "phase1 negotiation failed due to send error. 192.168.222.5[500]<=>192.168.222.2[500] xxxxxxxxx". Here is the output to the "ipsec-start.txt" file:
...
02:50:52 ipsec,debug === 
02:50:52 ipsec,info initiate new phase 1 (Identity Protection): 192.168.222.5[500]<=>192.168.222.2[500] 
02:50:52 ipsec,debug new cookie: 
02:50:52 ipsec,debug 9c082df0bc154aef 
02:50:52 ipsec,debug add payload of len 56, next type 13 
02:50:52 ipsec,debug add payload of len 16, next type 13 
02:50:52 ipsec,debug add payload of len 16, next type 0 
02:50:52 ipsec,debug 128 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
02:50:52 ipsec,debug 1 times of 128 bytes message will be sent to 192.168.222.2[500] 
02:50:52 ipsec sent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 9c082df0bc154aef:0000000000000000 
02:50:52 ipsec,debug ===== received 100 bytes from 192.168.222.2[500] to 192.168.222.5[500] 
02:50:52 ipsec,debug receive Information. 
02:50:52 ipsec,debug begin. 
02:50:52 ipsec,debug seen nptype=11(notify) len=72 
02:50:52 ipsec,debug succeed. 
02:50:52 ipsec,debug 192.168.222.2 notify: NO-PROPOSAL-CHOSEN 
02:50:52 ipsec 192.168.222.2 fatal NO-PROPOSAL-CHOSEN notify messsage, delete phase1 handle. 
02:50:59 ipsec 192.168.222.2 phase2 negotiation failed due to time up waiting for phase1. AH 192.168.222.2[0]->192.168.222.5[0]  
02:50:59 ipsec delete phase 2 handler. 
02:51:01 ipsec acquire for policy: 192.168.222.5 <=> 192.168.222.2 ip-proto:47 
02:51:01 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 
02:51:01 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
02:51:01 ipsec 192.168.222.2 request for establishing IPsec-SA was queued due to no phase1 found. 
02:51:02 ipsec,debug 128 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
02:51:02 ipsec,debug 1 times of 128 bytes message will be sent to 192.168.222.2[500] 
02:51:02 ipsec resent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 9c082df0bc154aef:0000000000000000 
02:51:12 ipsec,debug 128 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
02:51:12 ipsec,debug 1 times of 128 bytes message will be sent to 192.168.222.2[500] 
02:51:12 ipsec resent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 9c082df0bc154aef:0000000000000000 
02:51:22 ipsec,debug 128 bytes from 192.168.222.5[500] to 192.168.222.2[500] 
02:51:22 ipsec,debug 1 times of 128 bytes message will be sent to 192.168.222.2[500] 
02:51:22 ipsec resent phase1 packet 192.168.222.5[500]<=>192.168.222.2[500] 9c082df0bc154aef:0000000000000000 
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is the ISR4331 config:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key Test1234 address 192.165.222.5   no-xauth
!
crypto ipsec transform-set greset esp-aes esp-sha-hmac
 mode tunnel
! 
crypto map gremap 10 ipsec-isakmp
 set peer 192.168.222.5
 set transform-set greset
 match address gretraffic
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.252
!
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1.2
 tunnel destination 192.168.222.5
!
interface GigabitEthernet0/0/1.2
 encapsulation dot1Q 222
 ip address 192.168.222.2 255.255.255.248
 crypto map gremap
!
ip route 172.16.2.0 255.255.255.0 192.168.0.2
!
ip access-list extended gretraffic
 permit gre host 192.168.222.2 host 192.168.222.5
!
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is the MikroTik config:
...
/interface ethernet
set [ find default-name=ether1 ] name=ether1_toCisco
set [ find default-name=ether2 ] name=ether2_toLAN
set [ find default-name=ether4 ] name=ether4_toLaptop
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface gre
add allow-fast-path=no !keepalive local-address=192.168.222.5 name=\
    gre-tunnel1 remote-address=192.168.222.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=192.168.222.2/32 local-address=192.168.222.5 name=greset
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128 \
    nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d pfs-group=\
    none
add enc-algorithms=aes-128-cbc lifetime=1d name=proposal1 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=172.16.2.1,172.16.2.3-172.16.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2_toLAN name=dhcp1
/ip address
add address=192.168.222.5/29 interface=ether1_toCisco network=192.168.222.0
add address=192.168.0.2/30 interface=gre-tunnel1 network=192.168.0.0
add address=172.16.2.2/24 interface=ether2_toLAN network=172.16.2.0
/ip dhcp-server network
add address=172.16.2.0/24 gateway=172.16.2.2
/ip firewall nat
add action=accept chain=srcnat out-interface=gre-tunnel1
add action=masquerade chain=srcnat
/ip ipsec identity
add peer=greset secret=Test1234
/ip ipsec policy
add dst-address=192.168.222.2/32 peer=greset proposal=proposal1 protocol=gre \
    src-address=192.168.222.5/32 tunnel=yes
set 1 disabled=yes
/ip route
add distance=1 dst-address=1.1.1.0/24 gateway=gre-tunnel1
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
...
What am I missing this time?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Mon Jun 06, 2022 10:38 pm

I am in a lab environment, but not using emulation software, just real physical devices with a testing internet connection without specific traffic. So don't worry, I won't break things up ;-)
Breaking things was not my concern - the reason why I suggest inserting additional gear into the path between the peers is that doing so will allow you to imitate various types of internet connections you may encounter in practical deployment (one of the peers running on a private/CGNAT address, one or both peers running on public but dynamically changing addresses etc.)

On this second router, i.e. the ISR4331, we lack a physical interface, so I set the IP address on its sub-interface, say gig0/0/1.2, and as you know, dot1q encapsulation is set for it (trunk).
So I assume there is a switch somewhere between the ISR and the Tik, which has an access port for VLAN 2.

Now, not even phase 1 is established, throwing this error: "phase1 negotiation failed due to send error. 192.168.222.5[500]<=>192.168.222.2[500] xxxxxxxxx". Here is the output to the "ipsec-start.txt" file:
I cannot see the message you quote in the log, but there's the
02:50:52 ipsec 192.168.222.2 fatal NO-PROPOSAL-CHOSEN notify messsage, delete phase1 handle.
line which indicates that the ISR did not like the Mikrotik's Phase 1 proposal or something else about the Phase 1 initial packet.

And when looking at your ISR configuration, there is a typo:
crypto isakmp key Test1234 address 192.165.222.5 no-xauth

So the NO-PROPOSAL-CHOSEN likely indicates "source address unknown" in the absence of any better notification cause in the standard.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 08, 2022 7:35 am

Hi Sindy, many thanks for the reply.
And when looking at your ISR configuration, there is a typo:
crypto isakmp key Test1234 address 192.165.222.5 no-xauth
Exactly! This was actually the problem.
So the NO-PROPOSAL-CHOSEN likely indicates "source address unknown" in the absence of any better notification cause in the standard.
Indeed. The destination address used to be incorrect.
So I assume there is a switch somewhere between the ISR and the Tik, which has an access port for VLAN 2.
Truly said. This is managed in the core switch. I googled to find out how one can set up IPsec tunneling on a VLAN interface, I guess VLAN tagging should be in place, but didn't find sufficiently meaningful scenarios. One thing that Cisco supports is Virtual Tunnel Interface (VTI), in which you don't have to use any pesky access-lists and a crypto-map anymore to define what traffic to encrypt. I don't know whether Tiks support that or whether it depends on the ROS version.
Regards.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Wed Jun 08, 2022 8:12 am

I googled to find out how one can set up IPsec tunneling on a VLAN interface, I guess VLAN tagging should be in place, but didn't find sufficiently meaningful scenarios.
I don't think one can always google a complete setup for every possible scenario. For an IPsec setup, it doesn't matter what type of L3 interface it uses; for a VLAN subinterface on a router, it doesn't matter what type of application uses it. So the howtos explain each of them independently.

One thing that Cisco supports is Virtual Tunnel Interface (VTI), in which you don't have to use any pesky access-lists and a crypto-map anymore to define what traffic to encrypt. I don't know whether Tiks support that or whether it depends on the ROS version.
Welcome to the party: viewtopic.php?p=392991#p392991

My personal understanding is that VTI contradicts the overall security model specified by the IPsec RFCs. And since an IPIP (ipencap) tunnel secured by IPsec in transport mode uses the same amount of overhead bytes as a VTI, and since it can be configured even on Cisco, Mikrotik probably feels no urge to implement VTI as such. You cannot, though, configure a VTI at one peer and IPIP over IPsec at the other, as VTI uses tunnel mode of the SA whereas IPIP over IPsec uses transport mode, so they wouldn't agree on a traffic selector in Phase 2.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 08, 2022 12:20 pm

I don't think one can always google a complete setup for every possible scenario. For an IPsec setup, it doesn't matter what type of L3 interface it uses; for a VLAN subinterface on a router, it doesn't matter what type of application uses it. So the howtos explain each of them independently.
Yes, you're right. I need to read the details.
Welcome to the party: viewtopic.php?p=392991#p392991
Oh, now I see. I just gave a +100 to VTI! Thanks.
My personal understanding is that VTI contradicts the overall security model specified by the IPsec RFCs. And since an IPIP (ipencap) tunnel secured by IPsec in transport mode uses the same amount of overhead bytes as a VTI, and since it can be configured even on Cisco, Mikrotik probably feels no urge to implement VTI as such. You cannot, though, configure a VTI at one peer and IPIP over IPsec at the other, as VTI uses tunnel mode of the SA whereas IPIP over IPsec uses transport mode, so they wouldn't agree on a traffic selector in Phase 2.
No idea regarding this until I understand VTI in detail. But again, good to have your perception regarding the topic.

By the way, dear Sindy, I am now trying to set up GRE over IPsec between the ISR4k router and a 951 Tik. The ISR4k has a valid public IP set on one of its interfaces and can be pinged directly. But the Tik is online using a PPPoE connection residing in an ADSL modem connected to it, so on the Tik side the public IP is set in the ADSL modem, not the Tik. Therefore, the Tik has an IP in the range of the ADSL modem to be online. Now, the two routers ping each other's public IP address from inside them, but the GRE tunnel set on top of their public IPs cannot be pinged, and the associated route is marked as "unreachable" in the Tik. Can you help with this, please? What am I missing?
https://drive.google.com/file/d/1uhBSTm ... sp=sharing
https://drive.google.com/file/d/1yI7Ek3 ... sp=sharing
Regards.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 08, 2022 12:57 pm

I see that the tunnel state does not go into 'running' at all:
https://drive.google.com/file/d/1ys1ULK ... sp=sharing
What am I missing?
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 08, 2022 1:04 pm

Well, I could bring the GRE tunnel into the running state by removing the 'local address' value. But again, I can't ping the other side of the tunnel, i.e. the Cisco ISR4k.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Wed Jun 08, 2022 1:42 pm

There are multiple issues involved, and I am not a Cisco expert, so I cannot give you precise instructions on how to solve them.

There are multiple types of the identifier that IPsec peers use to indicate who they are to each other. Unless you explicitly specify which type to use and what is the value, Mikrotik chooses one of them automatically, and in most cases it is a local IP address of the peer. When the Mikrotik is behind a NAT, the private IP used as identifier does not match the public IP from which the packets come to the Cisco, so you have to configure "something" on the Cisco to expect and accept a different identity value, or maybe it is enough to set the identity at Mikrotik side to the public IP on the ADSL modem (/ip ipsec identity set [find where peer=greset] my-id=address:public.ip.of.modem)

If the public IP is dynamic at the Mikrotik end, that's the case I've warned about before - the best Cisco experts out of those I am allowed to talk to were unable to set the ISR in such a way that it would auto-update the public IP of the peer each time the peer connects from a new address. So Cisco supports VTI and Mikrotik doesn't, but apparently Cisco is unable to accommodate a changing peer address, which is standard functionality of Mikrotik. What you may try (it is nothing more than my assumption) is to use some randomly created fqdn as the peer address in the Cisco configuration; if it doesn't complain, use Mikrotik's "cloud" service, i.e. a DDNS where the router updates a dynamic record for xxxxxxxx.sn.mynetname.net, which is unique for each Mikrotik device (xxxxxxxx is the serial number of the device), and set that as the peer address at the ISR. And you'd probably have to set the my-id to fqdn:xxxxxxxx.sn.mynetname.net on the /ip ipsec identity row.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 08, 2022 1:58 pm

Thank you, Sindy, but you know, in this last case I have NOT yet established any IPsec between the peers. The problem is still in GRE connectivity, you know. So, the only thing between the peers right now is the internet and a GRE tunnel. I can ping the two peers' public IPs but not GRE. The only differences in this new scenario are that:
1) the internet is handled on the ADSL modem, and the MikroTik is connected to it using an IP in the range of the ADSL modem's IP;
2) IPsec is not yet established; for now, just GRE.
Regards.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping

Wed Jun 08, 2022 2:09 pm

GRE is a stone age protocol that has no notion of "ports"; therefore, most NATs either cannot handle it at all or can only handle a single tunnel endpoint at the private side. There is an optional ID field in the GRE header that could be used to distinguish connections from one another, but it would be complicated and unreliable, so I haven't seen any NAT actually use this so far. Plus Mikrotik doesn't use this field anyway (except for EoIP, which is another can of worms).

So start from establishing the IPsec, which encapsulates the GRE into ESP and the ESP into UDP if there is NAT between the peers (ESP also has no notion of ports because IPsec was designed for IPv6 which should have never needed any NAT), and only then you can put up the GRE part.

I'd also recommend you to learn how to move from tunnel mode to transport mode for Phase 2 to save some bytes, and to move from GRE to IPIP (ipencap) for the same purpose. But IPIP is also a stone age protocol with no notion of ports, so it cannot work across NAT alone either; it has to be encapsulated the same way as GRE.
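Two points in this thread lend themselves to one check over a capture: the earlier question of how to be sure that IPsec is really encrypting the GRE (answered above with /tool sniffer and Wireshark), and this post's point that GRE and bare ESP carry no ports while NAT-T wraps ESP into UDP 4500. The added example below (my own code, not from the thread, from RouterOS or from Wireshark) classifies the frames of a classic libpcap capture by exactly those criteria and counts plaintext GRE leaving the local side towards the peer, which must be zero once the policy is engaged. The two captures are constructed in the code with the thread's endpoint addresses and the SPIs from the log above; the NAT-T sample uses documentation addresses (203.0.113.7, 192.0.2.1). A capture file written by /tool sniffer in pcap format can be passed to summarize() in their place.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address
from typing import Iterator, Optional, Tuple

ETH_IPV4 = 0x0800
PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50
ZERO_MAC = b"\x00" * 6

def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(ip_packet: bytes, src_mac: bytes = b"\x02" * 6, dst_mac: bytes = b"\x04" * 6) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip_packet

def build_pcap(frames) -> bytes:
    """Classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_frames(pcap: bytes) -> Iterator[bytes]:
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl

def classify(frame: bytes) -> Optional[Tuple[str, str, str]]:
    """(src, dst, kind) for an IPv4 frame; kind separates plaintext GRE from ESP/IKE."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    l4 = ip[ihl:]
    if proto == PROTO_GRE:
        kind = "gre-plaintext"      # protocol 47: no ports, nothing a NAT can key on
    elif proto == PROTO_ESP:
        kind = "esp"                # protocol 50: likewise port-less
    elif proto == PROTO_UDP and len(l4) >= 12:
        sport, dport = struct.unpack("!HH", l4[:4])
        if 4500 in (sport, dport):
            # RFC 3948: four zero bytes after the UDP header mark IKE; otherwise the ESP SPI follows.
            kind = "ike-nat-t" if l4[8:12] == b"\x00\x00\x00\x00" else "esp-nat-t"
        elif 500 in (sport, dport):
            kind = "ike"
        else:
            kind = "udp"
    else:
        kind = f"ip-proto-{proto}"
    return src, dst, kind

def is_sniffer_decrypted_copy(frame: bytes) -> bool:
    """The decrypted GRE copy that /tool sniffer shows carries no MAC addresses."""
    return frame[:12] == ZERO_MAC * 2

def summarize(pcap: bytes) -> Counter:
    counts: Counter = Counter()
    for frame in iter_frames(pcap):
        c = classify(frame)
        if c:
            counts[c] += 1
    return counts

def plaintext_gre_sent_to(pcap: bytes, local: str, peer: str) -> int:
    """GRE that left `local` for `peer` unencrypted, with real MACs: must be 0 once the policy works."""
    return sum(1 for f in iter_frames(pcap)
               if classify(f) == (local, peer, "gre-plaintext") and not is_sniffer_decrypted_copy(f))

# Constructed captures. SPIs are the ones from the log above; payloads are dummy bytes.
LOCAL, PEER = "192.168.222.5", "192.168.222.2"
_esp_out = _ipv4(LOCAL, PEER, PROTO_ESP, struct.pack("!II", 0x07FF298F, 1) + b"\xaa" * 48)
_esp_in = _ipv4(PEER, LOCAL, PROTO_ESP, struct.pack("!II", 0x0889D24A, 1) + b"\xbb" * 48)
_gre_in = _ipv4(PEER, LOCAL, PROTO_GRE, b"\x00\x00\x08\x00" + b"\xcc" * 28)
_ike = _ipv4(LOCAL, PEER, PROTO_UDP, _udp(500, 500, b"\x00" * 28))
_natt = _ipv4("203.0.113.7", "192.0.2.1", PROTO_UDP,
              _udp(4500, 4500, struct.pack("!II", 0x11223344, 7) + b"\xdd" * 16))
CAPTURE_OK = build_pcap([_frame(_esp_out), _frame(_esp_in), _frame(_gre_in, ZERO_MAC, ZERO_MAC),
                         _frame(_ike), _frame(_natt)])
CAPTURE_LEAK = build_pcap([_frame(_ipv4(LOCAL, PEER, PROTO_GRE, b"\x00\x00\x08\x00" + b"\xee" * 28))])

if __name__ == "__main__":
    for key, n in sorted(summarize(CAPTURE_OK).items()):
        print(f"{key[0]:>15} -> {key[1]:<15} {key[2]:<14} {n}")
    print("plaintext GRE leaked:", plaintext_gre_sent_to(CAPTURE_OK, LOCAL, PEER))
```

In CAPTURE_OK the only plaintext GRE is the decrypted copy from the peer with zero MACs, so the leak count is 0; CAPTURE_LEAK models the situation before the policy fix, where GRE towards the peer goes out in the clear. The NAT-T row shows why the UDP wrapper matters: that packet has ports for a NAT to track, whereas the ESP and GRE rows have none.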
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: IPSec established but no ping

Wed Jun 08, 2022 6:27 pm

So this GRE burden, by its nature, implies that we have to either switch to other tunneling methods or set the public IP directly on the MikroTik using a PPPoE client, having put the ADSL modem into bridge mode. This is easily achievable for us at the moment, but in the future we have to settle on a more efficient yet affordable solution.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec established but no ping  [SOLVED]

Wed Jun 08, 2022 7:26 pm

Well, the topic title says IPsec, so somehow it did not come to my mind that you would consider use of plaintext tunnels.

Out of all plaintext tunnels over IP, only L2TP can deal with NAT. PPTP is an application atop GRE, and for all other tunneling protocols, encryption is part of the bundle - OpenVPN, Wireguard, SSTP.

To be precise, there is VXLAN, which also uses UDP as transport, but I'm afraid it cannot run across NAT either as the UDP flows are not symmetric and the tunnel is stateless, i.e. there is no "connection establishment" phase.
