rhodri

IPsec tunnels not coming up 7.3.1

Thu Jun 16, 2022 1:16 pm

Bit of a weird issue going on. We have a few sites set up with different forms of connections to the outside world. On all the routers using PPPoE as their connection, the IPsec tunnels are up and working with no issues, and we are using IPsec L2TP via PPP because it just keeps everything simple and clean, plus you get an interface you can monitor, and so on.

But we have 2 sites that will not allow PPP L2TP IPsec sessions in or out. Even after disabling all the firewall and NAT rules they will not come up at all. Both sites are using Tile-based processor units.
Both sites are direct IP routed connections and both seem to be working fine on everything else; even PPTP works out of the box.

I wanted to avoid manually adding each site, plus it still doesn't fix why PPP L2TP/IPsec is not allowing connections at all; even internally as a test it doesn't work where it did work before.

#
SITE1 CCR1009-7G-1C-1S+
#
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes

/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
#
SITE2 2011UiAS-2HnD
#
/interface l2tp-client
add allow-fast-path=yes connect-to=SITE1 disabled=no ipsec-secret=\
    "IPSEC" name=SITE1 password=Password \
    profile=SITE1 use-ipsec=yes user=SITE2
    
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
#
Log Below
10:47:57 ipsec,debug ===== received 776 bytes from SITE2[500] to SITE1[500]
 10:47:57 ipsec,debug ===
 10:47:57 ipsec,info respond new phase 1 (Identity Protection): SITE1[500]<=>SITE2[500]
 10:47:57 ipsec,debug begin.
 10:47:57 ipsec,debug seen nptype=1(sa) len=488
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug seen nptype=13(vid) len=20
 10:47:57 ipsec,debug succeed.
 10:47:57 ipsec received Vendor ID: RFC 3947
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
 10:47:57 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
 10:47:57 ipsec received Vendor ID: CISCO-UNITY
 10:47:57 ipsec received Vendor ID: DPD
 10:47:57 ipsec,debug remote supports DPD
 10:47:57 ipsec SITE2 Selected NAT-T version: RFC 3947
 10:47:57 ipsec,debug total SA len=484
 10:47:57 ipsec,debug 00000001 00000001 000001dc 0101000c 03000028 01010000 800b0001 000c0004
 10:47:57 ipsec,debug 00015180 80010007 800e0100 80030001 80020002 80040013 03000028 02010000
 10:47:57 ipsec,debug 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 8004000e
 10:47:57 ipsec,debug 03000028 03010000 800b0001 000c0004 00015180 80010007 800e0100 80030001
 10:47:57 ipsec,debug 80020002 80040002 03000028 04010000 800b0001 000c0004 00015180 80010007
 10:47:57 ipsec,debug 800e00c0 80030001 80020002 80040013 03000028 05010000 800b0001 000c0004
 10:47:57 ipsec,debug 00015180 80010007 800e00c0 80030001 80020002 8004000e 03000028 06010000
 10:47:57 ipsec,debug 800b0001 000c0004 00015180 80010007 800e00c0 80030001 80020002 80040002
 10:47:57 ipsec,debug 03000028 07010000 800b0001 000c0004 00015180 80010007 800e0080 80030001
 10:47:57 ipsec,debug 80020002 80040013 03000028 08010000 800b0001 000c0004 00015180 80010007
 10:47:57 ipsec,debug 800e0080 80030001 80020002 8004000e 03000028 09010000 800b0001 000c0004
 10:47:57 ipsec,debug 00015180 80010007 800e0080 80030001 80020002 80040002 03000024 0a010000
 10:47:57 ipsec,debug 800b0001 000c0004 00015180 80010005 80030001 80020002 80040013 03000024
 10:47:57 ipsec,debug 0b010000 800b0001 000c0004 00015180 80010005 80030001 80020002 8004000e
 10:47:57 ipsec,debug 00000024 0c010000 800b0001 000c0004 00015180 80010005 80030001 80020002
 10:47:57 ipsec,debug 80040002
 10:47:57 ipsec,debug begin.
 10:47:57 ipsec,debug seen nptype=2(prop) len=476
 10:47:57 ipsec,debug succeed.
 10:47:57 ipsec,debug proposal #1 len=476
 10:47:57 ipsec,debug begin.
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=40
 10:47:57 ipsec,debug seen nptype=3(trns) len=36
 10:47:57 ipsec,debug seen nptype=3(trns) len=36
 10:47:57 ipsec,debug seen nptype=3(trns) len=36
 10:47:57 ipsec,debug succeed.
 10:47:57 ipsec,debug transform #1 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug transform #2 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
 10:47:57 ipsec,debug dh(modp2048)
 10:47:57 ipsec,debug transform #3 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
 10:47:57 ipsec,debug dh(modp1024)
 10:47:57 ipsec,debug transform #4 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=192
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug transform #5 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=192
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
 10:47:57 ipsec,debug dh(modp2048)
 10:47:57 ipsec,debug transform #6 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=192
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
 10:47:57 ipsec,debug dh(modp1024)
 10:47:57 ipsec,debug transform #7 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=128
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug transform #8 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=128
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
 10:47:57 ipsec,debug dh(modp2048)
 10:47:57 ipsec,debug transform #9 len=40
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=128
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
 10:47:57 ipsec,debug dh(modp1024)
 10:47:57 ipsec,debug transform #10 len=36
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug transform #11 len=36
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
 10:47:57 ipsec,debug dh(modp2048)
 10:47:57 ipsec,debug transform #12 len=36
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
 10:47:57 ipsec,debug dh(modp1024)
 10:47:57 ipsec,debug pair 1:
 10:47:57 ipsec,debug  0x77ff9490: next=0 tnext=0x77ffd9b0
 10:47:57 ipsec,debug   0x77ffd9b0: next=0 tnext=0x77ff7b80
 10:47:57 ipsec,debug    0x77ff7b80: next=0 tnext=0x77ff9ee0
 10:47:57 ipsec,debug     0x77ff9ee0: next=0 tnext=0x77ff3b70
 10:47:57 ipsec,debug      0x77ff3b70: next=0 tnext=0x77ff77c0
 10:47:57 ipsec,debug       0x77ff77c0: next=0 tnext=0x77ffb730
 10:47:57 ipsec,debug        0x77ffb730: next=0 tnext=0x77ff6260
 10:47:57 ipsec,debug         0x77ff6260: next=0 tnext=0x77ffa880
 10:47:57 ipsec,debug          0x77ffa880: next=0 tnext=0x77ffb6f0
 10:47:57 ipsec,debug           0x77ffb6f0: next=0 tnext=0x77ffbd80
 10:47:57 ipsec,debug            0x77ffbd80: next=0 tnext=0x77ffafd0
 10:47:57 ipsec,debug             0x77ffafd0: next=0 tnext=0
 10:47:57 ipsec,debug proposal #1: 12 transform
 10:47:57 ipsec,debug -checking with pre-shared key auth-
 10:47:57 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=12
 10:47:57 ipsec,debug trns#=1, trns-id=IKE
 10:47:57 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
 10:47:57 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
 10:47:57 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
 10:47:57 ipsec,debug type=Key Length, flag=0x8000, lorv=256
 10:47:57 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
 10:47:57 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
 10:47:57 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
 10:47:57 ipsec,debug -compare proposal #1: Local:Peer
 10:47:57 ipsec,debug (lifetime = 86400:86400)
 10:47:57 ipsec,debug (lifebyte = 0:0)
 10:47:57 ipsec,debug enctype = AES-CBC:AES-CBC
 10:47:57 ipsec,debug (encklen = 256:256)
 10:47:57 ipsec,debug hashtype = SHA:SHA
 10:47:57 ipsec,debug authmethod = pre-shared key:pre-shared key
 10:47:57 ipsec,debug dh_group = 256-bit random ECP group:256-bit random ECP group
 10:47:57 ipsec,debug -an acceptable proposal found-
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug -agreed on pre-shared key auth-
 10:47:57 ipsec,debug ===
 10:47:57 ipsec,debug new cookie:
 10:47:57 ipsec,debug 6481ca54a7b6e6fb@^FFw
 10:47:57 ipsec,debug add payload of len 56, next type 13
 10:47:57 ipsec,debug add payload of len 16, next type 13
 10:47:57 ipsec,debug add payload of len 16, next type 13
 10:47:57 ipsec,debug add payload of len 16, next type 0
 10:47:57 ipsec,debug 148 bytes from SITE1[500] to SITE2[500]
 10:47:57 ipsec,debug 1 times of 148 bytes message will be sent to SITE2[500]
 10:47:57 ipsec sent phase1 packet SITE1[500]<=>SITE2[500] 0c947dc3dceaf76c:6481ca54a7b6e6fb
 10:47:57 ipsec,debug ===== received 172 bytes from SITE2[500] to SITE1[500]
 10:47:57 ipsec,debug begin.
 10:47:57 ipsec,debug seen nptype=4(ke) len=68
 10:47:57 ipsec,debug seen nptype=10(nonce) len=28
 10:47:57 ipsec,debug seen nptype=20(nat-d) len=24
 10:47:57 ipsec,debug seen nptype=20(nat-d) len=24
 10:47:57 ipsec,debug succeed.
 10:47:57 ipsec,debug SITE1 Hashing SITE1[500] with algo #2 
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug NAT-D payload #0 verified
 10:47:57 ipsec,debug SITE2 Hashing SITE2[500] with algo #2 
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug NAT-D payload #1 doesn't match
 10:47:57 ipsec NAT detected: PEER
 10:47:57 ipsec,debug ===
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug SITE2 Hashing SITE2[500] with algo #2 
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug SITE1 Hashing SITE1[500] with algo #2 
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec Adding remote and local NAT-D payloads.
 10:47:57 ipsec,debug add payload of len 64, next type 10
 10:47:57 ipsec,debug add payload of len 24, next type 20
 10:47:57 ipsec,debug add payload of len 20, next type 20
 10:47:57 ipsec,debug add payload of len 20, next type 0
 10:47:57 ipsec,debug 172 bytes from SITE1[500] to SITE2[500]
 10:47:57 ipsec,debug 1 times of 172 bytes message will be sent to SITE2[500]
 10:47:57 ipsec sent phase1 packet SITE1[500]<=>SITE2[500] 0c947dc3dceaf76c:6481ca54a7b6e6fb
 10:47:57 ipsec,debug dh(ecp256)
 10:47:57 ipsec,debug nonce 1: 
 10:47:57 ipsec,debug e2475ae4 08289702 025cf208 776d5969 b9827d7c 18184940
 10:47:57 ipsec,debug nonce 2: 
 10:47:57 ipsec,debug bed5ac8c 0f4a0843 d76c2cb3 c93e9654 d8176df6 a9494825
 10:47:57 ipsec,debug SKEYID computed:
 10:47:57 ipsec,debug 2dcfa034 fe6b5d69 6511f1b0 e1a8018a e2e9b55c
 10:47:57 ipsec,debug SKEYID_d computed:
 10:47:57 ipsec,debug b27f4bd7 44dc7465 cde91e64 de9c64d5 bb09ab65
 10:47:57 ipsec,debug SKEYID_a computed:
 10:47:57 ipsec,debug d6731886 a79b3eed 2905c30d 9fbc7012 55c246f4
 10:47:57 ipsec,debug SKEYID_e computed:
 10:47:57 ipsec,debug 167d40b4 fc6f6561 712b43fe dce8678b 61418dbc
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug len(SKEYID_e) < len(Ka) (20 < 32), generating long key (Ka = K1 | K2 | ...)
 10:47:57 ipsec,debug compute intermediate encryption key K1
 10:47:57 ipsec,debug 00
 10:47:57 ipsec,debug c4b088bc b184053e fab6b500 c7b642d5 bd332abf
 10:47:57 ipsec,debug compute intermediate encryption key K2
 10:47:57 ipsec,debug c4b088bc b184053e fab6b500 c7b642d5 bd332abf
 10:47:57 ipsec,debug 020ef056 76d229e4 40d8351c bc916e2b caca52df
 10:47:57 ipsec,debug final encryption key computed:
 10:47:57 ipsec,debug c4b088bc b184053e fab6b500 c7b642d5 bd332abf 020ef056 76d229e4 40d8351c
 10:47:57 ipsec,debug hash(sha1)
 10:47:57 ipsec,debug IV computed:
 10:47:57 ipsec,debug 40293589 244e2b0a 11698567 858acf01
 10:47:57 ipsec,debug ===== received 76 bytes from SITE2[4500] to SITE1[4500]
 10:47:57 ipsec NAT-T: ports changed to: SITE2[4500]<=>SITE1[4500]
 10:47:57 ipsec KA list add: SITE1[4500]->SITE2[4500]
 10:47:57 ipsec,debug begin.
 10:47:57 ipsec,debug seen nptype=5(id) len=12
 10:47:57 ipsec,debug seen nptype=8(hash) len=24
 10:47:57 ipsec,debug succeed.
 10:47:57 ipsec,debug HASH received:
 10:47:57 ipsec,debug aa846082 d730adf5 3087f687 76c5ad23 ead03a00
 10:47:57 ipsec,debug HASH for PSK validated.
 10:47:57 ipsec,debug SITE2 peer's ID
 10:47:57 ipsec,debug 011101f4 c0a86402
 10:47:57 ipsec,debug ===
 10:47:57 ipsec,debug use ID type of IPv4_address
 10:47:57 ipsec,debug generate HASH_R
 10:47:57 ipsec,debug add payload of len 8, next type 8
 10:47:57 ipsec,debug add payload of len 20, next type 0
 10:47:57 ipsec,debug 76 bytes from SITE1[4500] to SITE2[4500]
 10:47:57 ipsec,debug 1 times of 80 bytes message will be sent to SITE2[4500]
 10:47:57 ipsec,info ISAKMP-SA established SITE1[4500]-SITE2[4500] spi:0c947dc3dceaf76c:6481ca54a7b6e6fb
 10:47:57 ipsec,debug ===
 10:47:58 ipsec,debug ===== received 188 bytes from SITE2[4500] to SITE1[4500]
 10:47:58 ipsec,debug hash(sha1)
 10:47:58 ipsec,debug ===
 10:47:58 ipsec respond new phase 2 negotiation: SITE1[4500]<=>SITE2[4500]
 10:47:58 ipsec,debug begin.
 10:47:58 ipsec,debug seen nptype=8(hash) len=24
 10:47:58 ipsec,debug seen nptype=1(sa) len=48
 10:47:58 ipsec,debug seen nptype=10(nonce) len=28
 10:47:58 ipsec,debug seen nptype=5(id) len=12
 10:47:58 ipsec,debug seen nptype=5(id) len=12
 10:47:58 ipsec,debug seen nptype=21(nat-oa) len=12
 10:47:58 ipsec,debug seen nptype=21(nat-oa) len=12
 10:47:58 ipsec,debug succeed.
 10:47:58 ipsec,debug received IDci2:
 10:47:58 ipsec,debug 011106a5 c0a86402
 10:47:58 ipsec,debug received IDcr2:
 10:47:58 ipsec,debug 011106a5 3ee8750a
 10:47:58 ipsec,debug HASH(1) validate:
 10:47:58 ipsec,debug fd1bdbef e619e862 db5957a6 0fb2d72c 5131ccf1
 10:47:58 ipsec,debug total SA len=44
 10:47:58 ipsec,debug 00000001 00000001 00000024 01030401 05e5633f 00000018 01030000 80010001
 10:47:58 ipsec,debug 80020708 80040004 80050002
 10:47:58 ipsec,debug begin.
 10:47:58 ipsec,debug seen nptype=2(prop) len=36
 10:47:58 ipsec,debug succeed.
 10:47:58 ipsec,debug proposal #1 len=36
 10:47:58 ipsec,debug begin.
 10:47:58 ipsec,debug seen nptype=3(trns) len=24
 10:47:58 ipsec,debug succeed.
 10:47:58 ipsec,debug transform #1 len=24
 10:47:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
 10:47:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800
 10:47:58 ipsec,debug life duration was in TLV.
 10:47:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
 10:47:58 ipsec,debug UDP encapsulation requested
 10:47:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
 10:47:58 ipsec,debug pair 1:
 10:47:58 ipsec,debug  0x77ffee20: next=0 tnext=0
 10:47:58 ipsec,debug proposal #1: 1 transform
 10:47:58 ipsec,debug got the local address from ID payload SITE1[1701] prefixlen=32 ul_proto=17
 10:47:58 ipsec,debug got the peer address from ID payload 192.168.100.2[1701] prefixlen=32 ul_proto=17
 10:47:58 ipsec,debug updating policy address because of NAT in transport mode
 10:47:58 ipsec,debug new peer address SITE2[1701]
 10:47:58 ipsec searching for policy for selector: SITE1:1701 ip-proto:17 <=> SITE2:1701 ip-proto:17
 10:47:58 ipsec generating policy
 10:47:58 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=UDP-Transport reqid=102:102)
 10:47:58 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1)
 10:47:58 ipsec,debug begin compare proposals.
 10:47:58 ipsec,debug pair[1]: 0x77ffee20
 10:47:58 ipsec,debug  0x77ffee20: next=0 tnext=0
 10:47:58 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=3DES
 10:47:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
 10:47:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800
 10:47:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
 10:47:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
 10:47:58 ipsec,debug peer's single bundle:
 10:47:58 ipsec,debug  (proto_id=ESP spisize=4 spi=05e5633f spi_p=00000000 encmode=UDP-Transport reqid=0:0)
 10:47:58 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1)
 10:47:58 ipsec,debug my single bundle:
 10:47:58 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=UDP-Transport reqid=102:102)
 10:47:58 ipsec,debug   (trns_id=3DES encklen=0 authtype=hmac-sha1)
 10:47:58 ipsec Adjusting my encmode UDP-Transport->Transport
 10:47:58 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
 10:47:58 ipsec,debug matched
 10:47:58 ipsec,debug ===
 10:47:58 ipsec,debug call pfkey_send_getspi 5f
 10:47:58 ipsec,debug pfkey GETSPI sent: ESP/Transport SITE2[4500]->SITE1[4500] 
 10:47:58 ipsec,debug pfkey getspi sent.
 10:47:58 ipsec,debug total SA len=44
 10:47:58 ipsec,debug 00000001 00000001 00000024 01030401 00000000 00000018 01030000 80010001
 10:47:58 ipsec,debug 80020708 80040004 80050002
 10:47:58 ipsec,debug begin.
 10:47:58 ipsec,debug seen nptype=2(prop) len=36
 10:47:58 ipsec,debug succeed.
 10:47:58 ipsec,debug proposal #1 len=36
 10:47:58 ipsec,debug begin.
 10:47:58 ipsec,debug seen nptype=3(trns) len=24
 10:47:58 ipsec,debug succeed.
 10:47:58 ipsec,debug transform #1 len=24
 10:47:58 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
 10:47:58 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800
 10:47:58 ipsec,debug life duration was in TLV.
 10:47:58 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
 10:47:58 ipsec,debug UDP encapsulation requested
 10:47:58 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
 10:47:58 ipsec,debug pair 1:
 10:47:58 ipsec,debug  0x77ff90f0: next=0 tnext=0
 10:47:58 ipsec,debug proposal #1: 1 transform
 10:47:58 ipsec,debug NAT-OAi:
 10:47:58 ipsec,debug 01000000 2e08a8f6
 10:47:58 ipsec,debug NAT-OAr:
 10:47:58 ipsec,debug 01000000 3ee8750a
 10:47:58 ipsec,debug add payload of len 44, next type 10
 10:47:58 ipsec,debug add payload of len 24, next type 5
 10:47:58 ipsec,debug add payload of len 8, next type 5
 10:47:58 ipsec,debug add payload of len 8, next type 21
 10:47:58 ipsec,debug add payload of len 8, next type 21
 10:47:58 ipsec,debug add payload of len 8, next type 0
 10:47:58 ipsec,debug add payload of len 20, next type 1
 10:47:58 ipsec,debug 188 bytes from SITE1[4500] to SITE2[4500]
 10:47:58 ipsec,debug 1 times of 192 bytes message will be sent to SITE2[4500]
 10:47:58 ipsec sent phase2 packet SITE1[4500]<=>SITE2[4500] 0c947dc3dceaf76c:6481ca54a7b6e6fb:000080de
 10:47:58 ipsec,debug ===== received 60 bytes from SITE2[4500] to SITE1[4500]
 10:47:58 ipsec,debug begin.
 10:47:58 ipsec,debug seen nptype=8(hash) len=24
 10:47:58 ipsec,debug succeed.
 10:47:58 ipsec,debug HASH(3) validate:
 10:47:58 ipsec,debug e629fa60 a0f6fe2b 7ac2aedf 638d3cbf d5ed5cec
 10:47:58 ipsec,debug ===
 10:47:58 ipsec,debug encryption(3des)
 10:47:58 ipsec,debug hmac(sha1)
 10:47:58 ipsec,debug encklen=192 authklen=160
 10:47:58 ipsec,debug generating 640 bits of key (dupkeymat=4)
 10:47:58 ipsec,debug generating K1...K4 for KEYMAT.
 10:47:58 ipsec,debug f7da2b6f 3395296d 6501b516 b813dbd5 ef7d7a5c fe3b6cb9 4508df06 11c1c29e
 10:47:58 ipsec,debug 1803dbf0 806d77fd cb1d6120 93702c88 b17893cd 6de5b204 f21d1104 2bf29946
 10:47:58 ipsec,debug 3c255d48 a586527e 1a87746d 9c33e7b5
 10:47:58 ipsec,debug encryption(3des)
 10:47:58 ipsec,debug hmac(sha1)
 10:47:58 ipsec,debug encklen=192 authklen=160
 10:47:58 ipsec,debug generating 640 bits of key (dupkeymat=4)
 10:47:58 ipsec,debug generating K1...K4 for KEYMAT.
 10:47:58 ipsec,debug 5ead766c 84fe1a2d dbd863db 406bf4ed 71381e69 5e815947 05627ea3 7c952139
 10:47:58 ipsec,debug 9c4c177f 9f9cdbe5 75fda237 76ff9846 d05f0a35 001f4d66 e3853047 c91e2da3
 10:47:58 ipsec,debug 15d8fe2e 04b0441d 0828eb36 d7df9ebe
 10:47:58 ipsec,debug KEYMAT computed.
 10:47:58 ipsec,debug call pk_sendupdate
 10:47:58 ipsec,debug encryption(3des)
 10:47:58 ipsec,debug hmac(sha1)
 10:47:58 ipsec,debug call pfkey_send_update_nat
 10:47:58 ipsec IPsec-SA established: ESP/Transport SITE2[4500]->SITE1[4500] spi=0xbf8e0bc
 10:47:58 ipsec,debug pfkey update sent.
 10:47:58 ipsec,debug encryption(3des)
 10:47:58 ipsec,debug hmac(sha1)
 10:47:58 ipsec,debug call pfkey_send_add_nat
 10:47:58 ipsec IPsec-SA established: ESP/Transport SITE1[4500]->SITE2[4500] spi=0x5e5633f
 10:47:58 ipsec,debug pfkey add sent.
 10:48:08 ipsec,debug KA: SITE1[4500]->SITE2[4500]
 10:48:08 ipsec,debug 1 times of 1 bytes message will be sent to SITE2[4500]
 10:48:22 ipsec,debug ===== received 76 bytes from SITE2[4500] to SITE1[4500]
 10:48:22 ipsec,debug receive Information.
 10:48:22 ipsec,debug hash(sha1)
 10:48:22 ipsec,debug hash validated.
 10:48:22 ipsec,debug begin.
 10:48:22 ipsec,debug seen nptype=8(hash) len=24
 10:48:22 ipsec,debug seen nptype=12(delete) len=16
 10:48:22 ipsec,debug succeed.
 10:48:22 ipsec,debug SITE2 delete payload for protocol ESP
 10:48:22 ipsec purged IPsec-SA proto_id=ESP spi=0x5e5633f
 10:48:22 ipsec purged IPsec-SA proto_id=ESP spi=0xbf8e0bc
 10:48:22 ipsec removing generated policy
 10:48:22 ipsec,debug purged SAs.
 10:48:22 ipsec,debug ===== received 92 bytes from SITE2[4500] to SITE1[4500]
 10:48:22 ipsec,debug receive Information.
 10:48:22 ipsec,debug hash(sha1)
 10:48:22 ipsec,debug hash validated.
 10:48:22 ipsec,debug begin.
 10:48:22 ipsec,debug seen nptype=8(hash) len=24
 10:48:22 ipsec,debug seen nptype=12(delete) len=28
 10:48:22 ipsec,debug succeed.
 10:48:22 ipsec,debug SITE2 delete payload for protocol ISAKMP
 10:48:22 ipsec,info purging ISAKMP-SA SITE1[4500]<=>SITE2[4500] spi=0c947dc3dceaf76c:6481ca54a7b6e6fb.
 10:48:22 ipsec purged ISAKMP-SA SITE1[4500]<=>SITE2[4500] spi=0c947dc3dceaf76c:6481ca54a7b6e6fb.
 10:48:22 ipsec,debug purged SAs.
 10:48:22 ipsec,info ISAKMP-SA deleted SITE1[4500]-SITE2[4500] spi:0c947dc3dceaf76c:6481ca54a7b6e6fb rekey:1
 10:48:22 ipsec KA remove: SITE1[4500]->SITE2[4500]
 10:48:22 ipsec,debug KA tree dump: SITE1[4500]->SITE2[4500] (in_use=1)
 10:48:22 ipsec,debug KA removing this one...

Now this is where it gets weird: I have another site where they are connected via PPP L2TP IPsec exactly the same, bar they are using PPPoE connections to the outside world, and they are working perfectly fine.
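
As a reading aid for the responder log above (an added example, not part of the original post and not MikroTik tooling): a small Python summarizer run over an excerpt of those log lines shows that both IKE phases complete, that NAT is detected on the peer side, and that the delete payloads arrive from SITE2 24 seconds after the IPsec SAs are installed. The event names, the `summarize` function and the `LEGACY` set are this example's own, and it assumes all lines fall on the same day.

```python
import re
from datetime import datetime

# Excerpt of the SITE1 (responder) log posted above; only the lines the summary needs.
SAMPLE_LOG = """\
10:47:57 ipsec,info respond new phase 1 (Identity Protection): SITE1[500]<=>SITE2[500]
 10:47:57 ipsec NAT detected: PEER
 10:47:57 ipsec NAT-T: ports changed to: SITE2[4500]<=>SITE1[4500]
 10:47:57 ipsec,info ISAKMP-SA established SITE1[4500]-SITE2[4500] spi:0c947dc3dceaf76c:6481ca54a7b6e6fb
 10:47:58 ipsec respond new phase 2 negotiation: SITE1[4500]<=>SITE2[4500]
 10:47:58 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=3DES
 10:47:58 ipsec IPsec-SA established: ESP/Transport SITE2[4500]->SITE1[4500] spi=0xbf8e0bc
 10:47:58 ipsec IPsec-SA established: ESP/Transport SITE1[4500]->SITE2[4500] spi=0x5e5633f
 10:48:08 ipsec,debug KA: SITE1[4500]->SITE2[4500]
 10:48:22 ipsec,debug SITE2 delete payload for protocol ESP
 10:48:22 ipsec purged IPsec-SA proto_id=ESP spi=0x5e5633f
 10:48:22 ipsec,debug SITE2 delete payload for protocol ISAKMP
 10:48:22 ipsec,info ISAKMP-SA deleted SITE1[4500]-SITE2[4500] spi:0c947dc3dceaf76c:6481ca54a7b6e6fb rekey:1
"""

# "<time> <topics> <message>", tolerating the leading space seen in the pasted log.
LINE_RE = re.compile(r"^\s*(\d{2}:\d{2}:\d{2})\s+(ipsec\S*)\s+(.*)$")

# Event names are this example's own labels, not RouterOS terms.
EVENTS = [
    ("nat_detected", re.compile(r"NAT detected: (\S+)")),
    ("phase1_up", re.compile(r"ISAKMP-SA established")),
    ("esp_transform", re.compile(r"prot-id=ESP .*trns-id=(\S+)")),
    ("phase2_up", re.compile(r"IPsec-SA established")),
    ("peer_delete", re.compile(r"(\S+) delete payload for protocol (\S+)")),
]

# ESP ciphers this example treats as legacy (assumption of the example).
LEGACY = {"DES", "3DES"}


def parse(log_text):
    """Yield (timestamp, event_name, regex_match) for each recognised log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        for name, rx in EVENTS:
            hit = rx.search(m.group(3))
            if hit:
                yield ts, name, hit
                break


def summarize(log_text):
    """Reduce an IKEv1 debug log to: what came up, what was agreed, who tore it down."""
    s = {"phase1_up": False, "phase2_sas": 0, "nat": None,
         "esp_transforms": [], "deleted_by": [], "sa_lifetime_s": None}
    first_sa = None
    for ts, name, hit in parse(log_text):
        if name == "phase1_up":
            s["phase1_up"] = True
        elif name == "nat_detected":
            s["nat"] = hit.group(1)
        elif name == "esp_transform" and hit.group(1) not in s["esp_transforms"]:
            s["esp_transforms"].append(hit.group(1))
        elif name == "phase2_up":
            s["phase2_sas"] += 1
            first_sa = first_sa or ts
        elif name == "peer_delete":
            s["deleted_by"].append((hit.group(1), hit.group(2)))
            if hit.group(2) == "ESP" and first_sa and s["sa_lifetime_s"] is None:
                s["sa_lifetime_s"] = int((ts - first_sa).total_seconds())
    s["legacy_ciphers"] = [t for t in s["esp_transforms"] if t in LEGACY]
    if not s["phase1_up"]:
        s["verdict"] = "phase 1 (IKE) never established"
    elif s["phase2_sas"] == 0:
        s["verdict"] = "phase 1 up, no IPsec-SA (phase 2) established"
    elif s["deleted_by"]:
        s["verdict"] = "IPsec negotiated, then deleted by peer"
    else:
        s["verdict"] = "IPsec negotiated and still up"
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because the summary reports a completed negotiation followed by a peer-initiated delete, the responder's IPsec log alone does not show a proposal mismatch; the initiator's own log is where the reason for the delete would appear.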
