karaYusuf

The concentrator is working but something is wrong in the Log

Thu Jan 12, 2023 4:29 pm

Hello,

I have a concentrator with multiple routers connected to it. Every router has the same subnetwork and is connected via IPsec to the concentrator. It is also possible to connect to the routers via VPN over the concentrator. Everything seems to be fine, but there is so much wrong in the log.

The first thing is that it just says "ipsec error no proposal chosen"
Image

Then I added the following logging rule:
Image

After that I got much more information but also more messages which I just do not understand:
15:17:41 ipsec IKE Protocol: ESP 
15:17:41 ipsec  proposal #1 
15:17:41 ipsec   enc: aes128-cbc 
15:17:41 ipsec   auth: sha256 
15:17:41 ipsec   dh: modp1024 
15:17:41 ipsec processing payload: TS_I 
15:17:41 ipsec 172.16.23.0/24 
15:17:41 ipsec processing payload: TS_R 
15:17:41 ipsec 172.16.0.0/16 
15:17:41 ipsec candidate selectors: 172.16.0.0/16 <=> 172.16.23.0/24 
15:17:41 ipsec searching for policy for selector: 172.16.0.0/16 <=> 172.16.23.0/24 
15:17:41 ipsec generating policy 
15:17:41 ipsec,error no proposal chosen 
15:17:41 ipsec,error no proposal chosen 
15:17:41 ipsec removing generated policy 
15:17:41 ipsec adding notify: NO_PROPOSAL_CHOSEN 
15:17:41 ipsec,debug => (size 0x8) 
15:17:41 ipsec,debug 00000008 0000000e 
15:17:41 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:231 149.238.52.12[10587] cb97d3097c9f9768:136c168c299313dd 
15:17:41 ipsec,debug ===== sending 288 bytes from 45.12.48.151[4500] to 149.238.52.12[10587] 
15:17:41 ipsec,debug 1 times of 292 bytes message will be sent to 149.238.52.12[10587] 
15:17:42 ipsec,debug ===== received 544 bytes from 149.238.52.12[10462] to 45.12.48.151[4500] 
15:17:42 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:40 149.238.52.12[10462] f6417e4be95ea728:b483b4a625a4e307 
15:17:42 ipsec payload seen: ENC (516 bytes) 
15:17:42 ipsec processing payload: ENC 
15:17:42 ipsec,debug decrypted packet 
15:17:42 ipsec payload seen: NONCE (28 bytes) 
15:17:42 ipsec payload seen: KE (136 bytes) 
15:17:42 ipsec payload seen: SA (52 bytes) 
15:17:42 ipsec payload seen: TS_I (24 bytes) 
15:17:42 ipsec payload seen: TS_R (24 bytes) 
15:17:42 ipsec create child: respond 
15:17:42 ipsec processing payloads: NOTIFY (none found) 
15:17:42 ipsec processing payloads: NOTIFY (none found) 
15:17:42 ipsec peer wants tunnel mode 
15:17:42 ipsec processing payload: CONFIG (not found) 
15:17:42 ipsec processing payload: SA 
15:17:42 ipsec IKE Protocol: ESP 
15:17:42 ipsec  proposal #1 
15:17:42 ipsec   enc: aes128-cbc 
15:17:42 ipsec   auth: sha256 
15:17:42 ipsec   dh: modp1024 
15:17:42 ipsec processing payload: TS_I 
15:17:42 ipsec 172.16.24.0/24 
15:17:42 ipsec processing payload: TS_R 
15:17:42 ipsec 172.16.0.0/16 
15:17:42 ipsec candidate selectors: 172.16.0.0/16 <=> 172.16.24.0/24 
15:17:42 ipsec searching for policy for selector: 172.16.0.0/16 <=> 172.16.24.0/24 
15:17:42 ipsec generating policy 
15:17:42 ipsec,error no proposal chosen 
15:17:42 ipsec,error no proposal chosen 
15:17:42 ipsec removing generated policy 
15:17:42 ipsec adding notify: NO_PROPOSAL_CHOSEN 
15:17:42 ipsec,debug => (size 0x8) 
15:17:42 ipsec,debug 00000008 0000000e 
15:17:42 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:40 149.238.52.12[10462] f6417e4be95ea728:b483b4a625a4e307 
15:17:42 ipsec,debug ===== sending 224 bytes from 45.12.48.151[4500] to 149.238.52.12[10462] 
15:17:42 ipsec,debug 1 times of 228 bytes message will be sent to 149.238.52.12[10462] 
15:17:42 ipsec,debug ===== received 528 bytes from 149.238.52.12[10400] to 45.12.48.151[4500] 
15:17:42 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:31 149.238.52.12[10400] a8be4d2e575ee749:ee63710ed346be32 
15:17:42 ipsec payload seen: ENC (500 bytes) 
15:17:42 ipsec processing payload: ENC 
15:17:42 ipsec,debug decrypted packet 
15:17:42 ipsec payload seen: NONCE (28 bytes) 
15:17:42 ipsec payload seen: KE (136 bytes) 
15:17:42 ipsec payload seen: SA (52 bytes) 
15:17:42 ipsec payload seen: TS_I (24 bytes) 
15:17:42 ipsec payload seen: TS_R (24 bytes) 
15:17:42 ipsec create child: respond 
15:17:42 ipsec processing payloads: NOTIFY (none found) 
15:17:42 ipsec processing payloads: NOTIFY (none found) 
15:17:42 ipsec peer wants tunnel mode 
15:17:42 ipsec processing payload: CONFIG (not found) 
15:17:42 ipsec processing payload: SA 
15:17:42 ipsec IKE Protocol: ESP 
15:17:42 ipsec  proposal #1 
15:17:42 ipsec   enc: aes128-cbc 
15:17:42 ipsec   auth: sha256 
15:17:42 ipsec   dh: modp1024 
15:17:42 ipsec processing payload: TS_I 
15:17:42 ipsec 172.16.21.0/24 
15:17:42 ipsec processing payload: TS_R 
15:17:42 ipsec 172.16.0.0/16 
15:17:42 ipsec candidate selectors: 172.16.0.0/16 <=> 172.16.21.0/24 
15:17:42 ipsec searching for policy for selector: 172.16.0.0/16 <=> 172.16.21.0/24 
15:17:42 ipsec generating policy 
15:17:42 ipsec,error no proposal chosen 
15:17:42 ipsec,error no proposal chosen 
15:17:42 ipsec removing generated policy 
15:17:42 ipsec adding notify: NO_PROPOSAL_CHOSEN 
15:17:42 ipsec,debug => (size 0x8) 
15:17:42 ipsec,debug 00000008 0000000e 
15:17:42 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:31 149.238.52.12[10400] a8be4d2e575ee749:ee63710ed346be32 
15:17:42 ipsec,debug ===== sending 240 bytes from 45.12.48.151[4500] to 149.238.52.12[10400] 
15:17:42 ipsec,debug 1 times of 244 bytes message will be sent to 149.238.52.12[10400] 
15:17:42 ipsec,debug ===== received 544 bytes from 149.238.52.12[10589] to 45.12.48.151[4500] 
15:17:42 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:119 149.238.52.12[10589] 38b7c6f4141b442a:4e3249d4e6ea9898 
15:17:42 ipsec payload seen: ENC (516 bytes) 
15:17:42 ipsec processing payload: ENC 
15:17:42 ipsec,debug decrypted packet 
15:17:42 ipsec payload seen: NONCE (28 bytes) 
15:17:42 ipsec payload seen: KE (136 bytes) 
15:17:42 ipsec payload seen: SA (52 bytes) 
15:17:42 ipsec payload seen: TS_I (24 bytes) 
15:17:42 ipsec payload seen: TS_R (24 bytes) 
15:17:42 ipsec create child: respond 
15:17:42 ipsec processing payloads: NOTIFY (none found) 
15:17:42 ipsec processing payloads: NOTIFY (none found) 
15:17:42 ipsec peer wants tunnel mode 
15:17:42 ipsec processing payload: CONFIG (not found) 
15:17:42 ipsec processing payload: SA 
15:17:42 ipsec IKE Protocol: ESP 
15:17:42 ipsec  proposal #1 
15:17:42 ipsec   enc: aes128-cbc 
15:17:42 ipsec   auth: sha256 
15:17:42 ipsec   dh: modp1024 
15:17:42 ipsec processing payload: TS_I 
15:17:42 ipsec 172.16.130.0/24 
15:17:42 ipsec processing payload: TS_R 
15:17:42 ipsec 172.16.0.0/16 
15:17:42 ipsec candidate selectors: 172.16.0.0/16 <=> 172.16.130.0/24 
15:17:42 ipsec searching for policy for selector: 172.16.0.0/16 <=> 172.16.130.0/24 
15:17:42 ipsec generating policy 
15:17:42 ipsec,error no proposal chosen 
15:17:42 ipsec,error no proposal chosen 
15:17:42 ipsec removing generated policy 
15:17:42 ipsec adding notify: NO_PROPOSAL_CHOSEN 
15:17:42 ipsec,debug => (size 0x8) 
15:17:42 ipsec,debug 00000008 0000000e 
15:17:42 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:119 149.238.52.12[10589] 38b7c6f4141b442a:4e3249d4e6ea9898 
15:17:42 ipsec,debug ===== sending 240 bytes from 45.12.48.151[4500] to 149.238.52.12[10589] 
15:17:42 ipsec,debug 1 times of 244 bytes message will be sent to 149.238.52.12[10589] 
I found in the log something like "no proposal chosen" in different ways, or like "peer wants tunnel mode". Also there is something like "ipsec removing policy".
I just do not understand why all of this is happening while everything seems to be fine in the configurations.
Could someone tell me what could possibly be wrong and what the error means?
Any help or information about this topic would be appreciated.
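
Added example (not part of the original post and not MikroTik code): a small parser for the debug log format quoted above. It groups the lines by IKEv2 reply, records which ESP transforms and traffic selectors each peer offered, and lists the fields that differ from the responder's own proposal. The name summarize and the LOCAL_PROPOSAL values are assumptions made for illustration; the post does not show the concentrator's configuration.

```python
import re

# Hypothetical responder-side ESP proposal (an assumption, not taken from the
# post): replace with the values configured on the concentrator.
LOCAL_PROPOSAL = {"enc": {"aes256-cbc"}, "auth": {"sha256"}, "dh": {"modp1024"}}

# Excerpt of the log quoted in the post; the first exchange starts mid-stream.
SAMPLE_LOG = """\
15:17:41 ipsec   enc: aes128-cbc
15:17:41 ipsec   auth: sha256
15:17:41 ipsec   dh: modp1024
15:17:41 ipsec candidate selectors: 172.16.0.0/16 <=> 172.16.23.0/24
15:17:41 ipsec adding notify: NO_PROPOSAL_CHOSEN
15:17:41 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:231 149.238.52.12[10587] cb97d3097c9f9768:136c168c299313dd
15:17:42 ipsec   enc: aes128-cbc
15:17:42 ipsec   auth: sha256
15:17:42 ipsec   dh: modp1024
15:17:42 ipsec candidate selectors: 172.16.0.0/16 <=> 172.16.24.0/24
15:17:42 ipsec adding notify: NO_PROPOSAL_CHOSEN
15:17:42 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:40 149.238.52.12[10462] f6417e4be95ea728:b483b4a625a4e307
"""

FIELD = re.compile(r"ipsec\s+(enc|auth|dh): (\S+)")
SELECTOR = re.compile(r"candidate selectors: (\S+) <=> (\S+)")
REPLY = re.compile(r"<- ike2 reply, exchange: (\w+):(\d+) (\S+)\[(\d+)\]")

def summarize(log, local=LOCAL_PROPOSAL):
    """Return one record per IKEv2 reply: peer, selectors, offer, outcome."""
    records, cur = [], {"offer": {}, "rejected": False}
    for line in log.splitlines():
        if m := FIELD.search(line):
            cur["offer"][m.group(1)] = m.group(2)
        elif m := SELECTOR.search(line):
            cur["selectors"] = m.groups()
        elif "adding notify: NO_PROPOSAL_CHOSEN" in line:
            cur["rejected"] = True
        elif m := REPLY.search(line):  # the reply line closes the exchange
            cur.update(exchange=m.group(1), msgid=int(m.group(2)),
                       peer=f"{m.group(3)}:{m.group(4)}")
            cur["mismatch"] = sorted(k for k, v in cur["offer"].items()
                                     if v not in local.get(k, ()))
            records.append(cur)
            cur = {"offer": {}, "rejected": False}
    return records

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```
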