
Announcements • Possible bug when handling fragmented IKE packets.

I'm trying to get Windows 10 native IKEv2 VPN working with RouterOS 14.1, but it doesn't work. I have tried many times, but unfortunately I'm always getting this 'invalid payload', and the log looks like this:
Code:
22:00:03 ipsec -> ike2 request, exchange: SA_INIT:0 92.218.169.238[500] 5bf276184133cc0c:0000000000000000
22:00:03 ipsec ike2 respond
22:00:03 ipsec payload seen: SA (48 bytes)
22:00:03 ipsec payload seen: KE (136 bytes)
22:00:03 ipsec payload seen: NONCE (52 bytes)
22:00:03 ipsec payload seen: NOTIFY (8 bytes)
22:00:03 ipsec payload seen: NOTIFY (28 bytes)
22:00:03 ipsec payload seen: NOTIFY (28 bytes)
22:00:03 ipsec payload seen: VID (24 bytes)
22:00:03 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
22:00:03 ipsec payload seen: VID (20 bytes)
22:00:03 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
22:00:03 ipsec payload seen: VID (20 bytes)
22:00:03 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
22:00:03 ipsec payload seen: VID (24 bytes)
22:00:03 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
22:00:03 ipsec processing payload: SA
22:00:03 ipsec IKE Protocol: IKE
22:00:03 ipsec  proposal #1
22:00:03 ipsec   enc: aes256-cbc
22:00:03 ipsec   prf: hmac-sha256
22:00:03 ipsec   auth: sha256
22:00:03 ipsec   dh: modp1024
22:00:03 ipsec matched proposal:
22:00:03 ipsec  proposal #1
22:00:03 ipsec   enc: aes256-cbc
22:00:03 ipsec   prf: hmac-sha256
22:00:03 ipsec   auth: sha256
22:00:03 ipsec   dh: modp1024
22:00:03 ipsec processing payload: KE
22:00:03 ipsec,debug => shared secret (size 0x80)
22:00:03 ipsec,debug ed4db930 da48c382 16c8b6d0 0e7e3c96 3c0ed077 375c1ad9 c442a294 ae125bd6....
22:00:03 ipsec ike2 respond finish: request, exchange: SA_INIT:0 92.218.169.238[500] 5bf276184133cc0c:0000000000000000
22:00:03 ipsec processing payload: NONCE
22:00:03 ipsec adding payload: SA
22:00:03 ipsec,debug => (size 0x30)
22:00:03 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
22:00:03 ipsec,debug 03000008 0300000c 00000008 04000002
22:00:03 ipsec adding payload: KE
22:00:03 ipsec,debug => (size 0x88)
22:00:03 ipsec,debug 00000088 00020000 e871eec4 262ed58b d0daead4 fecf2e3b 631792de a3dea688....
22:00:03 ipsec,debug 578bfb75 2be8d777
22:00:03 ipsec adding payload: NONCE
22:00:03 ipsec,debug => (size 0x1c)
22:00:03 ipsec,debug 0000001c d43c330a de7696ba e63586d7 c7cb3fe8 c06e8cf5 c6897518
22:00:03 ipsec adding notify: NAT_DETECTION_SOURCE_IP
22:00:03 ipsec,debug => (size 0x1c)
22:00:03 ipsec,debug 0000001c 00004004 f26bd54c 523a1686 e779aa1d 81dec242 86a73555
22:00:03 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
22:00:03 ipsec,debug => (size 0x1c)
22:00:03 ipsec,debug 0000001c 00004005 44c34d90 2b8ce597 d5941902 a7fe024c d6d44692
22:00:03 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
22:00:03 ipsec,debug => (size 0x8)
22:00:03 ipsec,debug 00000008 0000402e
22:00:03 ipsec adding payload: CERTREQ
22:00:03 ipsec,debug => (size 0x5)
22:00:03 ipsec,debug 00000005 04
22:00:03 ipsec <- ike2 reply, exchange: SA_INIT:0 92.218.169.238[500] 5bf276184133cc0c:748693d32f3f7b78
22:00:03 ipsec,debug ===== sending 309 bytes from 192.168.178.2[500] to 92.218.169.238[500]
22:00:03 ipsec,debug 1 times of 309 bytes message will be sent to 92.218.169.238[500]
22:00:03 ipsec,debug => skeyseed (size 0x20)
22:00:03 ipsec,debug cc750a6b bb60a237 7639d7f0 17f9d42f 572c3fd9 c8140c79 16ae7350 0b6e4b86
22:00:03 ipsec,debug => keymat (size 0x20)
22:00:03 ipsec,debug 1d5bb68f e3a796ba 3a66245a 346f9ba8 9529ddda 103acf02 73489b6f e38ba767
22:00:03 ipsec,debug => SK_ai (size 0x20)
22:00:03 ipsec,debug ee762705 107e5f72 0acee098 05124f20 50949121 dbafd085 923f57eb 4de1e677
22:00:03 ipsec,debug => SK_ar (size 0x20)
22:00:03 ipsec,debug 90389239 c6ff6fab d763950b 1bacbe5d afbad831 06c71e9f f364ae21 4c2c1477
22:00:03 ipsec,debug => SK_ei (size 0x20)
22:00:03 ipsec,debug 53a081d4 236c84b6 745bfca7 1d240545 30da4001 5d8a5cc1 7d1c0518 8567806d
22:00:03 ipsec,debug => SK_er (size 0x20)
22:00:03 ipsec,debug 496a502f 3980d2c3 e3844135 80c14ebf 0ef42c0f e2d67894 ed2e4d2e 9002f8a8
22:00:03 ipsec,debug => SK_pi (size 0x20)
22:00:03 ipsec,debug f8a8a7a0 bd019204 8f50773b 39b4d2e5 ac6efe9a d31cb592 72740a88 82977221
22:00:03 ipsec,debug => SK_pr (size 0x20)
22:00:03 ipsec,debug b8e6de6d 63087a3d 850c06c3 d1e5ea8f 21f3440c 7ffe0a30 1dfb55de 940804d7
22:00:03 ipsec,info new ike2 SA (R): peer-ikev2 192.168.178.2[500]-92.218.169.238[500] spi:748693d32f3f7b78:5bf276184133cc0c
22:00:03 ipsec processing payloads: VID
22:00:03 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
22:00:03 ipsec processing payloads: NOTIFY
22:00:03 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
22:00:03 ipsec   notify: NAT_DETECTION_SOURCE_IP
22:00:03 ipsec   notify: NAT_DETECTION_DESTINATION_IP
22:00:03 ipsec (NAT-T) REMOTE LOCAL
22:00:03 ipsec KA list add: 192.168.178.2[4500]->92.218.169.238[4500]
22:00:03 ipsec fragmentation negotiated
22:00:03 ipsec,debug ===== received 580 bytes from 92.218.169.238[4500] to 192.168.178.2[4500]
22:00:03 ipsec -> ike2 request, exchange: AUTH:1 92.218.169.238[4500] 5bf276184133cc0c:748693d32f3f7b78
22:00:03 ipsec payload seen: SKF (552 bytes)
22:00:03 ipsec processing payload: ENC (not found)
22:00:03 ipsec processing payload: SKF
22:00:03 ipsec => invalid payload (first 0x100 of 0x228)
22:00:03 ipsec 23000228 00010015 6c54892a 2f32e614 c86353b2 116e9e12 93c7b5c8 1fb2f423........
22:00:03 ipsec reply notify: INVALID_SYNTAX
22:00:03 ipsec adding notify: INVALID_SYNTAX


I have tried an older client (Windows 7, which does not support IKEV2_FRAGMENTATION_SUPPORTED).
In this case it works, and the log looks like this:
Code:
22:04:44 ipsec -> ike2 request, exchange: SA_INIT:0 92.218.169.238[500] 30662d9e3dd4f417:0000000000000000
22:04:44 ipsec ike2 respond
22:04:44 ipsec payload seen: SA (256 bytes)
22:04:44 ipsec payload seen: KE (136 bytes)
22:04:44 ipsec payload seen: NONCE (52 bytes)
22:04:44 ipsec payload seen: NOTIFY (28 bytes)
22:04:44 ipsec payload seen: NOTIFY (28 bytes)
22:04:44 ipsec processing payload: SA
22:04:44 ipsec IKE Protocol: IKE
22:04:44 ipsec  proposal #1
22:04:44 ipsec   enc: 3des-cbc
22:04:44 ipsec   prf: hmac-sha1
22:04:44 ipsec   auth: sha1
22:04:44 ipsec   dh: modp1024....
22:04:44 ipsec matched proposal:
22:04:44 ipsec  proposal #4
22:04:44 ipsec   enc: aes256-cbc
22:04:44 ipsec   prf: hmac-sha256
22:04:44 ipsec   auth: sha256
22:04:44 ipsec   dh: modp1024
22:04:44 ipsec processing payload: KE
22:04:44 ipsec,debug => shared secret (size 0x80)
22:04:44 ipsec,debug cacd86b3 2ac9f519 30f24759 918faec8 69eaf627 4e4f72ed 5b017fcf c93445ce....
22:04:44 ipsec ike2 respond finish: request, exchange: SA_INIT:0 92.218.169.238[500] 30662d9e3dd4f417:0000000000000000
22:04:44 ipsec processing payload: NONCE
22:04:44 ipsec adding payload: SA
22:04:44 ipsec,debug => (size 0x30)
22:04:44 ipsec,debug 00000030 0000002c 04010004 0300000c 0100000c 800e0100 03000008 02000005
22:04:44 ipsec,debug 03000008 0300000c 00000008 04000002
22:04:44 ipsec adding payload: KE
22:04:44 ipsec,debug => (size 0x88)
22:04:44 ipsec,debug 00000088 00020000 4a43fee7 2414d79d bd3871af 89962461 59c21fa2 b1cf8f3c....
22:04:44 ipsec adding payload: NONCE
22:04:44 ipsec,debug => (size 0x1c)
22:04:44 ipsec,debug 0000001c 6ab6c036 5d00e7cf 8625e9b1 377ab58a 9ab47d9d 681c0320
22:04:44 ipsec adding notify: NAT_DETECTION_SOURCE_IP
22:04:44 ipsec,debug => (size 0x1c)
22:04:44 ipsec,debug 0000001c 00004004 0f3ee9df 28abb5ca b3583693 fcdf2cd9 e19b1d26
22:04:44 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
22:04:44 ipsec,debug => (size 0x1c)
22:04:44 ipsec,debug 0000001c 00004005 2e4de6b6 7ceca631 f9790f64 5eded1c3 2e17f433
22:04:44 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
22:04:44 ipsec,debug => (size 0x8)
22:04:44 ipsec,debug 00000008 0000402e
22:04:44 ipsec adding payload: CERTREQ
22:04:44 ipsec,debug => (size 0x5)
22:04:44 ipsec,debug 00000005 04
22:04:44 ipsec <- ike2 reply, exchange: SA_INIT:0 92.218.169.238[500] 30662d9e3dd4f417:c54b477ba08eff43
22:04:44 ipsec,debug ===== sending 309 bytes from 192.168.178.2[500] to 92.218.169.238[500]
22:04:44 ipsec,debug 1 times of 309 bytes message will be sent to 92.218.169.238[500]
22:04:44 ipsec,debug => skeyseed (size 0x20)
22:04:44 ipsec,debug fdab80a4 4c283ba7 65b2ef51 8261a6ae 64e87139 fe416bb8 9bddecc2 4050601c
22:04:44 ipsec,debug => keymat (size 0x20)
22:04:44 ipsec,debug eeb82b4b c0fee115 2944b6df 2fec55cb 0f772b7d 378117d5 d70c7d56 ae6fd1d0
22:04:44 ipsec,debug => SK_ai (size 0x20)
22:04:44 ipsec,debug 02fca05c 95929c53 b80ddec7 42f14400 04889fff 43ef1b3a aac69eb0 8b89b8dd
22:04:44 ipsec,debug => SK_ar (size 0x20)
22:04:44 ipsec,debug c2f84726 ff8781a2 74bd8b45 6bf1dede 8f4ddeb4 ca1c58b6 b15c8c0f e33f21cf
22:04:44 ipsec,debug => SK_ei (size 0x20)
22:04:44 ipsec,debug 86a362eb 14bbbda7 cc6fe62b 26b3b1ef 80f1a019 0dacbb4e 8ec49d9c 23830b66
22:04:44 ipsec,debug => SK_er (size 0x20)
22:04:44 ipsec,debug 53e8890d 757e3f55 ea3e839d e1471a70 fc80758e fc567724 d1604a67 4943008d
22:04:44 ipsec,debug => SK_pi (size 0x20)
22:04:44 ipsec,debug 4e3039db 552a5d7c ece012c9 9d002bcf e8fa76d2 c77514af 80a29583 95fb78ed
22:04:44 ipsec,debug => SK_pr (size 0x20)
22:04:44 ipsec,debug c24a9936 582ade02 361b6684 71f84189 73de9413 a6c5265e c230570c 6212fa01
22:04:44 ipsec,info new ike2 SA (R): peer-ikev2 192.168.178.2[500]-92.218.169.238[500] spi:c54b477ba08eff43:30662d9e3dd4f417
22:04:44 ipsec processing payloads: VID (none found)
22:04:44 ipsec processing payloads: NOTIFY
22:04:44 ipsec   notify: NAT_DETECTION_SOURCE_IP
22:04:44 ipsec   notify: NAT_DETECTION_DESTINATION_IP
22:04:44 ipsec (NAT-T) REMOTE LOCAL
22:04:44 ipsec KA list add: 192.168.178.2[4500]->92.218.169.238[4500]
22:04:44 ipsec,debug ===== received 13488 bytes from 92.218.169.238[4500] to 192.168.178.2[4500]
22:04:44 ipsec -> ike2 request, exchange: AUTH:1 92.218.169.238[4500] 30662d9e3dd4f417:c54b477ba08eff43
22:04:44 ipsec payload seen: ENC (13460 bytes)
22:04:44 ipsec processing payload: ENC
22:04:44 ipsec,debug => iv (size 0x10)
22:04:44 ipsec,debug 745a3ad3 ddf4c60f 93d6930c ed188636
22:04:44 ipsec,debug decrypted packet
22:04:44 ipsec payload seen: ID_I (12 bytes)
22:04:44 ipsec payload seen: CERTREQ (13245 bytes)
22:04:44 ipsec payload seen: NOTIFY (8 bytes)
22:04:44 ipsec payload seen: CONFIG (24 bytes)
22:04:44 ipsec payload seen: SA (80 bytes)
22:04:44 ipsec payload seen: TS_I (24 bytes)
22:04:44 ipsec payload seen: TS_R (24 bytes)
22:04:44 ipsec processing payloads: NOTIFY
22:04:44 ipsec   notify: MOBIKE_SUPPORTED
22:04:44 ipsec ike auth: respond
22:04:44 ipsec processing payload: ID_I
22:04:44 ipsec ID_I (ADDR4): 192.168.2.142
22:04:44 ipsec processing payload: ID_R (not found)
22:04:44 ipsec processing payload: AUTH (not found)
22:04:44 ipsec processing payloads: NOTIFY
22:04:44 ipsec   notify: MOBIKE_SUPPORTED
22:04:44 ipsec ID_R (DER DN): C=DE, S=NRW, O=Home, CN=MT-CA
22:04:44 ipsec,debug => auth nonce (size 0x30)
22:04:44 ipsec,debug 9667e8ce ad0ff9db ef4db673 50fb39cd 8d4bf6d0 74195765 64c63c34 e84b6341
22:04:44 ipsec,debug 77dd0d44 2c1eaa82 a3eb2176 438c2f41
22:04:44 ipsec,debug => SK_p (size 0x20)
22:04:44 ipsec,debug c24a9936 582ade02 361b6684 71f84189 73de9413 a6c5265e c230570c 6212fa01
22:04:44 ipsec,debug => idhash (size 0x20)
22:04:44 ipsec,debug e91e774a 46d3d002 0f5e3773 67b7dc15 2713334f 3c7d6c7f 86d738c2 a708c460
22:04:44 ipsec,debug => my auth (size 0x100)
22:04:44 ipsec,debug 28affb55 ca8d5b92 e75cafd9 ec796184 ce48c793 8e12b4fa 704abe06 e326609d...
22:04:44 ipsec adding payload: ID_R
22:04:44 ipsec,debug => (size 0x44)
22:04:44 ipsec,debug 00000044 09000000 303a310b 30090603 55040613 02444531 0c300a06 03550408
22:04:44 ipsec,debug 0c034e52 57310d30 0b060355 040a0c04 486f6d65 310e300c 06035504 030c054d
22:04:44 ipsec,debug 542d4341
22:04:44 ipsec adding payload: AUTH
22:04:44 ipsec,debug => (first 0x100 of 0x108)
22:04:44 ipsec,debug 00000108 01000000 28affb55 ca8d5b92 e75cafd9 ec796184 ce48c793 8e12b4fa....
22:04:44 ipsec Certificate:
22:04:44 ipsec   serialNr:  ....
22:04:44 ipsec   issuer:    ....
22:04:44 ipsec   subject:   ...
22:04:44 ipsec   notBefore: Mon Mar 18 16:19:20 2024
22:04:44 ipsec   notAfter:  Thu Mar 18 16:29:20 2049
22:04:44 ipsec   selfSigned:1
22:04:44 ipsec   extensions:
22:04:44 ipsec     key usage: key-cert-sign, crl-sign
22:04:44 ipsec     basic constraints: isCa: TRUE
22:04:44 ipsec     subject key id:  ....
22:04:44 ipsec   signed with: SHA256+RSA
22:04:44 ipsec [RSA-PUBLIC]
22:04:44 ipsec modulus: ....
22:04:44 ipsec publicExponent: 10001
22:04:44 ipsec adding payload: CERT
22:04:44 ipsec,debug => (first 0x100 of 0x349)
22:04:44 ipsec,debug 00000349 04308203 40308202 28a00302 01020210 6c4a2ae3 844cc08f 4c95037b....
22:04:44 ipsec Certificate:
22:04:44 ipsec   serialNr:  ....
22:04:44 ipsec   issuer:    ....
22:04:44 ipsec   subject:   ....
22:04:44 ipsec   notBefore: Mon Mar 18 10:18:50 2024
22:04:44 ipsec   notAfter:  Thu Mar 18 10:18:50 2049
22:04:44 ipsec   selfSigned:0
22:04:44 ipsec   extensions:
22:04:44 ipsec     key usage: digital-signature, key-encipherment, data-encipherment, key-agreement, key-cert-sign
22:04:44 ipsec     extended key usage: tls-server, tls-client
22:04:44 ipsec     subject key id:  ....
22:04:44 ipsec     authority key id:....
22:04:44 ipsec     subject alternative name:
22:04:44 ipsec       DNS: ....
22:04:44 ipsec   signed with: SHA256+RSA
22:04:44 ipsec [RSA-PUBLIC]
22:04:44 ipsec modulus: ....
22:04:44 ipsec adding payload: CERT
22:04:44 ipsec,debug => (first 0x100 of 0x3ac)
22:04:44 ipsec,debug 000003ac 04308203 a3308202 8ba00302 01020210 7a76d202 e82291a9 4d989fb2....
22:04:44 ipsec adding payload: EAP
22:04:44 ipsec,debug => (size 0x9)
22:04:44 ipsec,debug 00000009 01000005 01
22:04:44 ipsec <- ike2 reply, exchange: AUTH:1 92.218.169.238[4500] 30662d9e3dd4f417:c54b477ba08eff43
22:04:44 ipsec,debug ===== sending 2304 bytes from 192.168.178.2[4500] to 92.218.169.238[4500]
22:04:44 ipsec,debug 1 times of 2308 bytes message will be sent to 92.218.169.238[4500]
22:05:03 ipsec,debug KA: 192.168.178.2[4500]->92.218.169.238[4500]
22:05:03 ipsec,debug 1 times of 1 bytes message will be sent to 92.218.169.238[4500]
....


What about RouterOS 6.47.8 (which does not support IKEV2_FRAGMENTATION_SUPPORTED)?
It plays nicely with Windows 10:
Code:
15:43:36 ipsec,debug ===== received 416 bytes from 89.1.175.13[61155] to 192.168.178.3[500]
15:43:36 ipsec -> ike2 request, exchange: SA_INIT:0 89.1.175.13[61155] 83537d7b19796f4b:0000000000000000
15:43:36 ipsec ike2 respond
15:43:36 ipsec payload seen: SA (48 bytes)
15:43:36 ipsec payload seen: KE (136 bytes)
15:43:36 ipsec payload seen: NONCE (52 bytes)
15:43:36 ipsec payload seen: NOTIFY (8 bytes)
15:43:36 ipsec payload seen: NOTIFY (28 bytes)
15:43:36 ipsec payload seen: NOTIFY (28 bytes)
15:43:36 ipsec payload seen: VID (24 bytes)
15:43:36 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
15:43:36 ipsec payload seen: VID (20 bytes)
15:43:36 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
15:43:36 ipsec payload seen: VID (20 bytes)
15:43:36 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
15:43:36 ipsec payload seen: VID (24 bytes)
15:43:36 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
15:43:36 ipsec processing payload: NONCE
15:43:36 ipsec processing payload: SA
15:43:36 ipsec IKE Protocol: IKE
15:43:36 ipsec  proposal #1
15:43:36 ipsec   enc: aes256-cbc
15:43:36 ipsec   prf: hmac-sha256
15:43:36 ipsec   auth: sha256
15:43:36 ipsec   dh: modp1024
15:43:36 ipsec matched proposal:
15:43:36 ipsec  proposal #1
15:43:36 ipsec   enc: aes256-cbc
15:43:36 ipsec   prf: hmac-sha256
15:43:36 ipsec   auth: sha256
15:43:36 ipsec   dh: modp1024
15:43:36 ipsec processing payload: KE
15:43:36 ipsec,debug => shared secret (size 0x80)
15:43:36 ipsec,debug fccf5856 459b96fb 4797ef3e 8bf19677 01adb24a e561073a 6d7ab22a af09df6b ....
15:43:36 ipsec adding payload: SA
15:43:36 ipsec,debug => (size 0x30)
15:43:36 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
15:43:36 ipsec,debug 03000008 0300000c 00000008 04000002
15:43:36 ipsec adding payload: KE
15:43:36 ipsec,debug => (size 0x88)
15:43:36 ipsec,debug 00000088 00020000 31549f63 d9dd7561 71fbe128 79163a4b 0c1b50ce 7abea09a ....
15:43:36 ipsec,debug 84467320 5ceae650
15:43:36 ipsec adding payload: NONCE
15:43:36 ipsec,debug => (size 0x1c)
15:43:36 ipsec,debug 0000001c a6f931ed db6c9502 aa239977 ca4c202d 3a3b852e b8fb1252
15:43:36 ipsec adding notify: NAT_DETECTION_SOURCE_IP
15:43:36 ipsec,debug => (size 0x1c)
15:43:36 ipsec,debug 0000001c 00004004 eaac1121 3800363d 26dccd35 486f3f34 01599949
15:43:36 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
15:43:36 ipsec,debug => (size 0x1c)
15:43:36 ipsec,debug 0000001c 00004005 7b215569 b5fc2583 33839f2a bbca7514 e5d613eb
15:43:36 ipsec adding payload: CERTREQ
15:43:36 ipsec,debug => (size 0x5)
15:43:36 ipsec,debug 00000005 04
15:43:36 ipsec <- ike2 reply, exchange: SA_INIT:0 89.1.175.13[61155] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec,debug ===== sending 301 bytes from 192.168.178.3[500] to 89.1.175.13[61155]
15:43:36 ipsec,debug 1 times of 301 bytes message will be sent to 89.1.175.13[61155]
15:43:36 ipsec,debug => skeyseed (size 0x20)
15:43:36 ipsec,debug d22e3f74 ccfe9600 badc7cec 4bf8e56d a656561b 2a1b4c89 8aed5aff 76508741
15:43:36 ipsec,debug => keymat (size 0x20)
15:43:36 ipsec,debug 2750a0f1 22c4b3b0 5e2e735f b7fd8695 8f04e9f2 c44c56fd 031b167a 4937450d
15:43:36 ipsec,debug => SK_ai (size 0x20)
15:43:36 ipsec,debug c750b975 65b188f2 31f277ac b732c672 473c9d26 0877eac5 3becfd9b a733d96f
15:43:36 ipsec,debug => SK_ar (size 0x20)
15:43:36 ipsec,debug eb152a64 ae927d46 d4ce54e7 5ac38d20 32521893 7eb70591 a5b06118 1aa942d8
15:43:36 ipsec,debug => SK_ei (size 0x20)
15:43:36 ipsec,debug 039dd29f 370a4ec5 4c20695f 4c0b573b cd3a121d 4a24c696 82a3101b cf041a19
15:43:36 ipsec,debug => SK_er (size 0x20)
15:43:36 ipsec,debug afe9bed8 defb1d4d f3072d05 6af3fd02 ac6d1b09 192fde62 e266bd17 6021e5a4
15:43:36 ipsec,debug => SK_pi (size 0x20)
15:43:36 ipsec,debug 1d5d5da3 7626d4df a53d6db2 2b4d9c0c b3ea61fa 71ca4a8d 36b89879 031a7809
15:43:36 ipsec,debug => SK_pr (size 0x20)
15:43:36 ipsec,debug 24fb3220 68c34ca9 75edf830 da97f3bd f2d5adb0 19d61e4c 72c3ba96 39c6faf4
15:43:36 ipsec,info new ike2 SA (R): 192.168.178.3[500]-89.1.175.13[61155] spi:d2793fca2b643b58:83537d7b19796f4b
15:43:36 ipsec processing payloads: VID
15:43:36 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
15:43:36 ipsec processing payloads: NOTIFY
15:43:36 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
15:43:36 ipsec   notify: NAT_DETECTION_SOURCE_IP
15:43:36 ipsec   notify: NAT_DETECTION_DESTINATION_IP
15:43:36 ipsec (NAT-T) REMOTE LOCAL
15:43:36 ipsec KA list add: 192.168.178.3[4500]->89.1.175.13[61155]
15:43:36 ipsec,debug ===== received 10208 bytes from 89.1.175.13[61156] to 192.168.178.3[4500]
15:43:36 ipsec -> ike2 request, exchange: AUTH:1 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec peer ports changed: 61155 -> 61156
15:43:36 ipsec KA remove: 192.168.178.3[4500]->89.1.175.13[61155]
15:43:36 ipsec,debug KA tree dump: 192.168.178.3[4500]->89.1.175.13[61155] (in_use=1)
15:43:36 ipsec,debug KA removing this one...
15:43:36 ipsec KA list add: 192.168.178.3[4500]->89.1.175.13[61156]
15:43:36 ipsec payload seen: ENC (10180 bytes)
15:43:36 ipsec processing payload: ENC
15:43:36 ipsec,debug => iv (size 0x10)
15:43:36 ipsec,debug 28dd69e2 50c75f22 c46c67fd 1f4312c1
15:43:36 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x279d)
15:43:36 ipsec,debug 2600000c 01000000 c0a8b2c5 290026c5 04121a24 b7518bf7 9ce2597b 396d2143 ....
15:43:36 ipsec,debug decrypted
15:43:36 ipsec payload seen: ID_I (12 bytes)
15:43:36 ipsec payload seen: CERTREQ (9925 bytes)
15:43:36 ipsec payload seen: NOTIFY (8 bytes)
15:43:36 ipsec payload seen: CONFIG (24 bytes)
15:43:36 ipsec payload seen: SA (44 bytes)
15:43:36 ipsec payload seen: TS_I (64 bytes)
15:43:36 ipsec payload seen: TS_R (64 bytes)
15:43:36 ipsec processing payloads: NOTIFY
15:43:36 ipsec   notify: MOBIKE_SUPPORTED
15:43:36 ipsec ike auth: respond
15:43:36 ipsec processing payload: ID_I
15:43:36 ipsec ID_I (ADDR4): 192.168.178.197
15:43:36 ipsec processing payload: ID_R (not found)
15:43:36 ipsec processing payload: AUTH (not found)
15:43:36 ipsec processing payloads: NOTIFY
15:43:36 ipsec   notify: MOBIKE_SUPPORTED
15:43:36 ipsec ID_R (FQDN): xxxxxxx.xxxxx.xx
15:43:36 ipsec adding payload: ID_R
15:43:36 ipsec,debug => (size 0x18)
15:43:36 ipsec,debug 00000018 02000000 70656472 6f66622e 7370646e 732e6575
15:43:36 ipsec cert: CN=xxxxxxx.xxxxx.xx.eu,C=DE,ST=NRW,L=,O=Home,OU=,SN=
15:43:36 ipsec adding payload: CERT
15:43:36 ipsec,debug => (first 0x100 of 0x3ac)
15:43:36 ipsec,debug 000003ac 04308203 a3308202 8ba00302 01020210 7a76d202 e82291a9 4d989fb2 ....
15:43:36 ipsec processing payload: NONCE
15:43:36 ipsec,debug => auth nonce (size 0x30)
15:43:36 ipsec,debug ab05427f 0c8fbeb2 decd96d6 3da2b3ec f6b9841d c847cddc 3bf9f056 c6847a6b
15:43:36 ipsec,debug 5570c140 c5fb833d fe6bf318 a019bfd4
15:43:36 ipsec,debug => SK_p (size 0x20)
15:43:36 ipsec,debug 24fb3220 68c34ca9 75edf830 da97f3bd f2d5adb0 19d61e4c 72c3ba96 39c6faf4
15:43:36 ipsec,debug => idhash (size 0x20)
15:43:36 ipsec,debug 79788e54 7ba9e0ca 99e3ddf7 504c9d47 ea36e95c 37e23a97 8ca5a5ff 19114741
15:43:36 ipsec,debug => my auth (size 0x100)
15:43:36 ipsec,debug 942d7114 54a2c241 bc5c4423 5f11553a a0f24776 892ccba5 997aad16 fc5a0afd ....
15:43:36 ipsec adding payload: AUTH
15:43:36 ipsec,debug => (first 0x100 of 0x108)
15:43:36 ipsec,debug 00000108 01000000 942d7114 54a2c241 bc5c4423 5f11553a a0f24776 892ccba5 ....
15:43:36 ipsec adding payload: EAP
15:43:36 ipsec,debug => (size 0x9)
15:43:36 ipsec,debug 00000009 01000005 01
15:43:36 ipsec <- ike2 reply, exchange: AUTH:1 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec,debug ===== sending 1520 bytes from 192.168.178.3[4500] to 89.1.175.13[61156]
15:43:36 ipsec,debug 1 times of 1524 bytes message will be sent to 89.1.175.13[61156]
15:43:36 ipsec,debug ===== received 80 bytes from 89.1.175.13[61156] to 192.168.178.3[4500]
15:43:36 ipsec -> ike2 request, exchange: AUTH:2 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec payload seen: ENC (52 bytes)
15:43:36 ipsec processing payload: ENC
15:43:36 ipsec,debug => iv (size 0x10)
15:43:36 ipsec,debug 0c84d24c 8dc179f8 00253e3a 078ffb7b
15:43:36 ipsec,debug => plain payload (trimmed) (size 0xe)
15:43:36 ipsec,debug 0000000e 0200000a 0161646d 696e
15:43:36 ipsec,debug decrypted
15:43:36 ipsec payload seen: EAP (14 bytes)
15:43:36 ipsec processing payloads: NOTIFY (none found)
15:43:36 ipsec processing payload: EAP
15:43:36 ipsec update peer's identity: 192.168.178.197 -> admin
15:43:36 radius,debug new request 55:41 code=Access-Request service=ipsec called-id=192.168.178.3
15:43:36 radius,debug sending 55:41 to 192.168.178.2:1812
15:43:36 radius,debug,packet sending Access-Request with id 27 to 192.168.178.2:1812
15:43:36 radius,debug,packet     Signature = 0xdf0716b589f1a4f880c3267b04a44bb4
15:43:36 radius,debug,packet     User-Name = "admin"
15:43:36 radius,debug,packet     Called-Station-Id = "192.168.178.3"
15:43:36 radius,debug,packet     Calling-Station-Id = "89.1.175.13"
15:43:36 radius,debug,packet     NAS-Port-Id = 0x0000000a
15:43:36 radius,debug,packet     NAS-Port-Type = 5
15:43:36 radius,debug,packet     Service-Type = 2
15:43:36 radius,debug,packet     Event-Timestamp = 1710945816
15:43:36 radius,debug,packet     Framed-MTU = 1400
15:43:36 radius,debug,packet     EAP-Message = 0x0200000a0161646d696e
15:43:36 radius,debug,packet     Message-Authenticator = 0x99a41153a662788660d61d83f6f38759
15:43:36 radius,debug,packet     NAS-Identifier = "MikroTik"
15:43:36 radius,debug,packet     NAS-IP-Address = 192.168.178.3
15:43:36 radius,debug,packet received Access-Challenge with id 27 from 192.168.178.2:1812
15:43:36 radius,debug,packet     Signature = 0xdd590399c4590ce9a53e035d997fe99c
15:43:36 radius,debug,packet     EAP-Message = 0x0101001b1a01010016103cfe103150bf
15:43:36 radius,debug,packet       d2e32cdd36442552b79a20
15:43:36 radius,debug,packet     State = 0xed3b5c31ccdc32d6b2e5c7801b908a30
15:43:36 radius,debug,packet     Message-Authenticator = 0x8e0f9d8c8cd864233f38c6cfa95fbd1e
15:43:36 radius,debug received reply for 55:41
15:43:36 ipsec adding payload: EAP
15:43:36 ipsec,debug => (size 0x1f)
15:43:36 ipsec,debug 0000001f 0101001b 1a010100 16103cfe 103150bf d2e32cdd 36442552 b79a20
15:43:36 ipsec <- ike2 reply, exchange: AUTH:2 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec,debug ===== sending 128 bytes from 192.168.178.3[4500] to 89.1.175.13[61156]
15:43:36 ipsec,debug 1 times of 132 bytes message will be sent to 89.1.175.13[61156]
15:43:36 ipsec,debug ===== received 144 bytes from 89.1.175.13[61156] to 192.168.178.3[4500]
15:43:36 ipsec -> ike2 request, exchange: AUTH:3 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec payload seen: ENC (116 bytes)
15:43:36 ipsec processing payload: ENC
15:43:36 ipsec,debug => iv (size 0x10)
15:43:36 ipsec,debug 368dae72 34a1f57e ca0c5ee7 682b8bd2
15:43:36 ipsec,debug => plain payload (trimmed) (size 0x44)
15:43:36 ipsec,debug 00000044 02010040 1a020100 3b31e910 4d4030fc 62262036 ca54051b 532b0000 ....
15:43:36 ipsec,debug 646d696e
15:43:36 ipsec,debug decrypted
15:43:36 ipsec payload seen: EAP (68 bytes)
15:43:36 ipsec processing payloads: NOTIFY (none found)
15:43:36 ipsec processing payload: EAP
15:43:36 radius,debug new request 55:42 code=Access-Request service=ipsec called-id=192.168.178.3
15:43:36 radius,debug sending 55:42 to 192.168.178.2:1812
15:43:36 radius,debug,packet sending Access-Request with id 28 to 192.168.178.2:1812
15:43:36 radius,debug,packet     Signature = 0x7290ad9698232cb00a29392a912e9452
15:43:36 radius,debug,packet     User-Name = "admin"
15:43:36 radius,debug,packet     Called-Station-Id = "192.168.178.3"
15:43:36 radius,debug,packet     Calling-Station-Id = "89.1.175.13"
15:43:36 radius,debug,packet     NAS-Port-Id = 0x0000000a
15:43:36 radius,debug,packet     NAS-Port-Type = 5
15:43:36 radius,debug,packet     Service-Type = 2
15:43:36 radius,debug,packet     Event-Timestamp = 1710945816
15:43:36 radius,debug,packet     Framed-MTU = 1400
15:43:36 radius,debug,packet     State = 0xed3b5c31ccdc32d6b2e5c7801b908a30
15:43:36 radius,debug,packet     EAP-Message = 0x020100401a0201003b31e9104d4030fc
15:43:36 radius,debug,packet       62262036ca54051b532b000000000000
15:43:36 radius,debug,packet       0000a4af1d3d69c31195ff47e7b8d48c
15:43:36 radius,debug,packet       2dcd9d6a6e86f7b4b6870061646d696e
15:43:36 radius,debug,packet     Message-Authenticator = 0x328dc4060f481438a2c8810fb308b613
15:43:36 radius,debug,packet     NAS-Identifier = "MikroTik"
15:43:36 radius,debug,packet     NAS-IP-Address = 192.168.178.3
15:43:36 radius,debug,packet received Access-Challenge with id 28 from 192.168.178.2:1812
15:43:36 radius,debug,packet     Signature = 0xdf1a57e9789b1af0a0522703a69e89c8
15:43:36 radius,debug,packet     EAP-Message = 0x010200331a0301002e533d3138463334
15:43:36 radius,debug,packet       34344537304635384439383737323245
15:43:36 radius,debug,packet       46324131333945324134443139463936
15:43:36 radius,debug,packet       303741
15:43:36 radius,debug,packet     State = 0xed3b5c31ccdc32d6b2e5c7801b908a30
15:43:36 radius,debug,packet     Message-Authenticator = 0xc93b0dfa560754af46e195207cfc0096
15:43:36 radius,debug received reply for 55:42
15:43:36 ipsec adding payload: EAP
15:43:36 ipsec,debug => (size 0x37)
15:43:36 ipsec,debug 00000037 01020033 1a030100 2e533d31 38463334 34344537 30463538 44393837
15:43:36 ipsec,debug 37323245 46324131 33394532 41344431 39463936 303741
15:43:36 ipsec <- ike2 reply, exchange: AUTH:3 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec,debug ===== sending 256 bytes from 192.168.178.3[4500] to 89.1.175.13[61156]
15:43:36 ipsec,debug 1 times of 260 bytes message will be sent to 89.1.175.13[61156]
15:43:36 ipsec,debug ===== received 80 bytes from 89.1.175.13[61156] to 192.168.178.3[4500]
15:43:36 ipsec -> ike2 request, exchange: AUTH:4 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec payload seen: ENC (52 bytes)
15:43:36 ipsec processing payload: ENC
15:43:36 ipsec,debug => iv (size 0x10)
15:43:36 ipsec,debug 088d4831 fe9107a9 6a09a6ca bcfb73dc
15:43:36 ipsec,debug => plain payload (trimmed) (size 0xa)
15:43:36 ipsec,debug 0000000a 02020006 1a03
15:43:36 ipsec,debug decrypted
15:43:36 ipsec payload seen: EAP (10 bytes)
15:43:36 ipsec processing payloads: NOTIFY (none found)
15:43:36 ipsec processing payload: EAP
15:43:36 radius,debug new request 55:43 code=Access-Request service=ipsec called-id=192.168.178.3
15:43:36 radius,debug sending 55:43 to 192.168.178.2:1812
15:43:36 radius,debug,packet sending Access-Request with id 29 to 192.168.178.2:1812
15:43:36 radius,debug,packet     Signature = 0x3bbedf88ed2148156ef154b11bba926e
15:43:36 radius,debug,packet     User-Name = "admin"
15:43:36 radius,debug,packet     Called-Station-Id = "192.168.178.3"
15:43:36 radius,debug,packet     Calling-Station-Id = "89.1.175.13"
15:43:36 radius,debug,packet     NAS-Port-Id = 0x0000000a
15:43:36 radius,debug,packet     NAS-Port-Type = 5
15:43:36 radius,debug,packet     Service-Type = 2
15:43:36 radius,debug,packet     Event-Timestamp = 1710945816
15:43:36 radius,debug,packet     Framed-MTU = 1400
15:43:36 radius,debug,packet     State = 0xed3b5c31ccdc32d6b2e5c7801b908a30
15:43:36 radius,debug,packet     EAP-Message = 0x020200061a03
15:43:36 radius,debug,packet     Message-Authenticator = 0x3ca52bf120318c6643a0e45cbb9b04b9
15:43:36 radius,debug,packet     NAS-Identifier = "MikroTik"
15:43:36 radius,debug,packet     NAS-IP-Address = 192.168.178.3
15:43:36 radius,debug,packet received Access-Accept with id 29 from 192.168.178.2:1812
15:43:36 radius,debug,packet     Signature = 0x14560b54e470efa876b03c29d7b41f03
15:43:36 radius,debug,packet     EAP-Message = 0x03020004
15:43:36 radius,debug,packet     MS-MPPE-Recv-Key = 0xa0e08a7a898fa0cbc4a689a757c00067
15:43:36 radius,debug,packet       db5c87c71f86d6d8132d16abe4ac82c7
15:43:36 radius,debug,packet       4aeb
15:43:36 radius,debug,packet     MS-MPPE-Send-Key = 0xc02bc16a210705d53b209143f0f45c4f
15:43:36 radius,debug,packet       e32c727fbe30dd280b6e3a7809876d4c
15:43:36 radius,debug,packet       c147
15:43:36 radius,debug,packet     Class = 0xc782769ce84e504f
15:43:36 radius,debug,packet     Message-Authenticator = 0x7d66467dc3273b4d2759f63a179bdfc0
15:43:36 radius,debug received reply for 55:43
15:43:36 ipsec,debug => EAP MSK (size 0x20)
15:43:36 ipsec,debug cfcbde44 44148e41 4d45abef b02b5f7b 8ce9bb75 202411be fd32a395 60101fde
15:43:36 ipsec adding payload: EAP
15:43:36 ipsec,debug => (size 0x8)
15:43:36 ipsec,debug 00000008 03020004
15:43:36 ipsec <- ike2 reply, exchange: AUTH:4 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec,debug ===== sending 272 bytes from 192.168.178.3[4500] to 89.1.175.13[61156]
15:43:36 ipsec,debug 1 times of 276 bytes message will be sent to 89.1.175.13[61156]
15:43:36 ipsec,debug ===== received 112 bytes from 89.1.175.13[61156] to 192.168.178.3[4500]
15:43:36 ipsec -> ike2 request, exchange: AUTH:5 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec payload seen: ENC (84 bytes)
15:43:36 ipsec processing payload: ENC
15:43:36 ipsec,debug => iv (size 0x10)
15:43:36 ipsec,debug 6682a308 a77dbe4f 4f1f16cf 3872d434
15:43:36 ipsec,debug => plain payload (trimmed) (size 0x28)
15:43:36 ipsec,debug 00000028 02000000 5fbce3ed 3fa0d8c6 b9c0ed59 cecb2c37 085669c1 6b57200a
15:43:36 ipsec,debug 18b6f38a 2251fd82
15:43:36 ipsec,debug decrypted
15:43:36 ipsec payload seen: AUTH (40 bytes)
15:43:36 ipsec processing payloads: NOTIFY (none found)
15:43:36 ipsec processing payload: AUTH
15:43:36 ipsec requested auth method: SKEY
15:43:36 ipsec,debug => peer's auth (size 0x20)
15:43:36 ipsec,debug 5fbce3ed 3fa0d8c6 b9c0ed59 cecb2c37 085669c1 6b57200a 18b6f38a 2251fd82
15:43:36 ipsec,debug => auth nonce (size 0x18)
15:43:36 ipsec,debug a6f931ed db6c9502 aa239977 ca4c202d 3a3b852e b8fb1252
15:43:36 ipsec,debug => SK_p (size 0x20)
15:43:36 ipsec,debug 1d5d5da3 7626d4df a53d6db2 2b4d9c0c b3ea61fa 71ca4a8d 36b89879 031a7809
15:43:36 ipsec,debug => idhash (size 0x20)
15:43:36 ipsec,debug 56563c47 8425dee8 4cc5b536 e89e3928 48e096ee e30eaba3 6987887b 458188df
15:43:36 ipsec,debug => calculated peer's AUTH (size 0x20)
15:43:36 ipsec,debug 5fbce3ed 3fa0d8c6 b9c0ed59 cecb2c37 085669c1 6b57200a 18b6f38a 2251fd82
15:43:36 ipsec,info,account peer authorized: 192.168.178.3[4500]-89.1.175.13[61156] spi:d2793fca2b643b58:83537d7b19796f4b
15:43:36 ipsec processing payloads: NOTIFY
15:43:36 ipsec   notify: MOBIKE_SUPPORTED
15:43:36 ipsec peer wants tunnel mode
15:43:36 ipsec processing payload: CONFIG
15:43:36 ipsec   attribute: internal IPv4 address
15:43:36 ipsec   attribute: internal IPv4 DNS
15:43:36 ipsec   attribute: internal IPv4 NBNS
15:43:36 ipsec   attribute: MS internal IPv4 server
15:43:36 ipsec,info acquired 192.168.9.254 address for 89.1.175.13, admin
15:43:36 ipsec processing payload: TS_I
15:43:36 ipsec 0.0.0.0/0
15:43:36 ipsec [::/0]
15:43:36 ipsec processing payload: TS_R
15:43:36 ipsec 0.0.0.0/0
15:43:36 ipsec [::/0]
15:43:36 ipsec TSi in tunnel mode replaced with config address: 192.168.9.254
15:43:36 ipsec canditate selectors: 0.0.0.0/0 <=> 192.168.9.254
15:43:36 ipsec canditate selectors: [::/0] <=> [::/0]
15:43:36 ipsec processing payload: SA
15:43:36 ipsec IKE Protocol: ESP
15:43:36 ipsec  proposal #1
15:43:36 ipsec   enc: aes256-cbc
15:43:36 ipsec   auth: sha256
15:43:36 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.9.254
15:43:36 ipsec generating policy
15:43:36 ipsec matched proposal:
15:43:36 ipsec  proposal #1
15:43:36 ipsec   enc: aes256-cbc
15:43:36 ipsec   auth: sha256
15:43:36 ipsec ike auth: finish
15:43:36 ipsec ID_R (FQDN): xxxxxxx.xxxxx.xx
15:43:36 ipsec processing payload: NONCE
15:43:36 ipsec,debug => auth nonce (size 0x30)
15:43:36 ipsec,debug ab05427f 0c8fbeb2 decd96d6 3da2b3ec f6b9841d c847cddc 3bf9f056 c6847a6b
15:43:36 ipsec,debug 5570c140 c5fb833d fe6bf318 a019bfd4
15:43:36 ipsec,debug => SK_p (size 0x20)
15:43:36 ipsec,debug 24fb3220 68c34ca9 75edf830 da97f3bd f2d5adb0 19d61e4c 72c3ba96 39c6faf4
15:43:36 ipsec,debug => idhash (size 0x20)
15:43:36 ipsec,debug 79788e54 7ba9e0ca 99e3ddf7 504c9d47 ea36e95c 37e23a97 8ca5a5ff 19114741
15:43:36 ipsec,debug => my auth (size 0x20)
15:43:36 ipsec,debug 0d5903a7 455633b1 6368e02a 447fab19 e2ce3dd7 03f4097f 666b893a d07b51ca
15:43:36 ipsec cert: CN=xxxxxxx.xxxxx.xx,C=DE,ST=NRW,L=,O=Home,OU=,SN=
15:43:36 ipsec adding payload: CERT
15:43:36 ipsec,debug => (first 0x100 of 0x3ac)
15:43:36 ipsec,debug 000003ac 04308203 a3308202 8ba00302 01020210 7a76d202 e82291a9 4d989fb2 ....
15:43:36 ipsec adding payload: ID_R
15:43:36 ipsec,debug => (size 0x18)
15:43:36 ipsec,debug 00000018 02000000 70656472 6f66622e 7370646e 732e6575
15:43:36 ipsec adding payload: AUTH
15:43:36 ipsec,debug => (size 0x28)
15:43:36 ipsec,debug 00000028 02000000 0d5903a7 455633b1 6368e02a 447fab19 e2ce3dd7 03f4097f
15:43:36 ipsec,debug 666b893a d07b51ca
15:43:36 ipsec adding notify: INITIAL_CONTACT
15:43:36 ipsec,debug => (size 0x8)
15:43:36 ipsec,debug 00000008 00004000
15:43:36 ipsec preparing internal IPv4 address
15:43:36 ipsec preparing internal IPv4 netmask
15:43:36 ipsec preparing internal IPv6 subnet
15:43:36 ipsec preparing internal IPv4 DNS
15:43:36 ipsec adding payload: CONFIG
15:43:36 ipsec,debug => (size 0x2c)
15:43:36 ipsec,debug 0000002c 02000000 00010004 c0a809fe 00020004 ffffffff 000d0008 00000000
15:43:36 ipsec,debug 00000000 00030004 c0a80901
15:43:36 ipsec initiator selector: 192.168.9.254
15:43:36 ipsec adding payload: TS_I
15:43:36 ipsec,debug => (size 0x18)
15:43:36 ipsec,debug 00000018 01000000 07000010 0000ffff c0a809fe c0a809fe
15:43:36 ipsec responder selector: 0.0.0.0/0
15:43:36 ipsec adding payload: TS_R
15:43:36 ipsec,debug => (size 0x18)
15:43:36 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
15:43:36 ipsec adding payload: SA
15:43:36 ipsec,debug => (size 0x2c)
15:43:36 ipsec,debug 0000002c 00000028 01030403 079f8ec2 0300000c 0100000c 800e0100 03000008
15:43:36 ipsec,debug 0300000c 00000008 05000000
15:43:36 ipsec <- ike2 reply, exchange: AUTH:5 89.1.175.13[61156] 83537d7b19796f4b:d2793fca2b643b58
15:43:36 ipsec,debug ===== sending 1360 bytes from 192.168.178.3[4500] to 89.1.175.13[61156]
15:43:36 ipsec,debug 1 times of 1364 bytes message will be sent to 89.1.175.13[61156]
15:43:36 ipsec,debug => child keymat (size 0x80)
15:43:36 ipsec,debug bd44af42 53740c4b 0615b4f1 82a1516b 19db63ee a8f18c68 8a9c45be 3a3c4e56 ....
15:43:36 ipsec IPsec-SA established: 89.1.175.13[61156]->192.168.178.3[4500] spi=0x79f8ec2
15:43:36 ipsec IPsec-SA established: 192.168.178.3[4500]->89.1.175.13[61156] spi=0xe631bbce
15:43:36 ipsec,debug recv DHCP inform from 192.168.9.254
15:43:36 ipsec,debug sending DHCP reply
15:43:36 ipsec,debug 1 times of 300 bytes message will be sent to 192.168.9.254[68]
15:43:36 ipsec,debug KA: 192.168.178.3[4500]->89.1.175.13[61156]
15:43:36 ipsec,debug 1 times of 1 bytes message will be sent to 89.1.175.13[61156]
....

Next, I updated RouterOS to version 6.49.13 (IKEV2_FRAGMENTATION_SUPPORTED supported).
It doesn't work; exactly the same behavior as the current ROS. Here is the log:
Code:
16:30:59 ipsec -> ike2 request, exchange: SA_INIT:0 89.1.175.13[61157] e832f37d5a1a84a9:0000000000000000
16:30:59 ipsec ike2 respond
16:30:59 ipsec payload seen: SA (48 bytes)
16:30:59 ipsec payload seen: KE (136 bytes)
16:30:59 ipsec payload seen: NONCE (52 bytes)
16:30:59 ipsec payload seen: NOTIFY (8 bytes)
16:30:59 ipsec payload seen: NOTIFY (28 bytes)
16:30:59 ipsec payload seen: NOTIFY (28 bytes)
16:30:59 ipsec payload seen: VID (24 bytes)
16:30:59 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
16:30:59 ipsec payload seen: VID (20 bytes)
16:30:59 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
16:30:59 ipsec payload seen: VID (20 bytes)
16:30:59 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
16:30:59 ipsec payload seen: VID (24 bytes)
16:30:59 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
16:30:59 ipsec processing payload: NONCE
16:30:59 ipsec processing payload: SA
16:30:59 ipsec IKE Protocol: IKE
16:30:59 ipsec  proposal #1
16:30:59 ipsec   enc: aes256-cbc
16:30:59 ipsec   prf: hmac-sha256
16:30:59 ipsec   auth: sha256
16:30:59 ipsec   dh: modp1024
16:30:59 ipsec matched proposal:
16:30:59 ipsec  proposal #1
16:30:59 ipsec   enc: aes256-cbc
16:30:59 ipsec   prf: hmac-sha256
16:30:59 ipsec   auth: sha256
16:30:59 ipsec   dh: modp1024
16:30:59 ipsec processing payload: KE
16:30:59 ipsec,debug => shared secret (size 0x80)
16:30:59 ipsec,debug 620660f4 d5b45fcf e620ce7d acdec84b 226e7127 e31385fa 0bff5a6b b499cab7 ....
16:30:59 ipsec adding payload: SA
16:30:59 ipsec,debug => (size 0x30)
16:30:59 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
16:30:59 ipsec,debug 03000008 0300000c 00000008 04000002
16:30:59 ipsec adding payload: KE
16:30:59 ipsec,debug => (size 0x88)
16:30:59 ipsec,debug 00000088 00020000 b2cb043c 78648ad8 cb3b5408 13992ea0 a4303b53 e6b3090a ....
16:30:59 ipsec,debug 4d9d4b70 a6f8f7dc
16:30:59 ipsec adding payload: NONCE
16:30:59 ipsec,debug => (size 0x1c)
16:30:59 ipsec,debug 0000001c fe55002c 02c86d21 49b3d595 0e8e0c9c aef9f35e 79808ca3
16:30:59 ipsec adding notify: NAT_DETECTION_SOURCE_IP
16:30:59 ipsec,debug => (size 0x1c)
16:30:59 ipsec,debug 0000001c 00004004 7baeb0ca 3e017b0e 1a076a25 52f96443 8189c9e8
16:30:59 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
16:30:59 ipsec,debug => (size 0x1c)
16:30:59 ipsec,debug 0000001c 00004005 7639864c 3fc2990f d6450142 62b314d8 bac1aaa4
16:30:59 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
16:30:59 ipsec,debug => (size 0x8)
16:30:59 ipsec,debug 00000008 0000402e
16:30:59 ipsec adding payload: CERTREQ
16:30:59 ipsec,debug => (size 0x5)
16:30:59 ipsec,debug 00000005 04
16:30:59 ipsec <- ike2 reply, exchange: SA_INIT:0 89.1.175.13[61157] e832f37d5a1a84a9:a8d753933f764b81
16:30:59 ipsec,debug ===== sending 309 bytes from 192.168.178.3[500] to 89.1.175.13[61157]
16:30:59 ipsec,debug 1 times of 309 bytes message will be sent to 89.1.175.13[61157]
16:30:59 ipsec,debug => skeyseed (size 0x20)
16:30:59 ipsec,debug 77829c02 abc9f543 7d5f6aab 9883de37 c3e1d14b fa487175 e6e8235c bd6bee92
16:30:59 ipsec,debug => keymat (size 0x20)
16:30:59 ipsec,debug 9d7d8d28 70f1e50b 4289e28c 9aebf425 2f1a2619 892ac0d9 93990cd9 429230d1
16:30:59 ipsec,debug => SK_ai (size 0x20)
16:30:59 ipsec,debug cee1ca6d cffa6e61 5bb682dd 6c51ba2a c571ba28 0a289619 a224e847 57dac787
16:30:59 ipsec,debug => SK_ar (size 0x20)
16:30:59 ipsec,debug 818001bb 402fb660 811d04f5 cc7fcf09 4afc6483 e56b8d6d 5f9bd748 fadeb21c
16:30:59 ipsec,debug => SK_ei (size 0x20)
16:30:59 ipsec,debug d186c701 74f05689 56ad7798 fac87f4b 1ce7f1ce d54fed03 8e1c98db 5ecb3d7e
16:30:59 ipsec,debug => SK_er (size 0x20)
16:30:59 ipsec,debug d0b8fa6c 6fc67c05 6b5b527c b2b771db ce5070bd f4c9cfda c335eccd 949e8fd3
16:30:59 ipsec,debug => SK_pi (size 0x20)
16:30:59 ipsec,debug 1e7e50e3 4d3a9b61 3b59b309 8d7ef298 8ef77013 f602438f 2f1a90f8 2c43a546
16:30:59 ipsec,debug => SK_pr (size 0x20)
16:30:59 ipsec,debug da50cd40 90c98787 c3aee0f4 7b615b90 091a3f8c b7b81ba3 ae4de9bc 7c89d0c5
16:30:59 ipsec,info new ike2 SA (R): peer-ikev2 192.168.178.3[500]-89.1.175.13[61157] spi:a8d753933f764b81:e832f37d5a1a84a9
16:30:59 ipsec processing payloads: VID
16:30:59 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
16:30:59 ipsec processing payloads: NOTIFY
16:30:59 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
16:30:59 ipsec   notify: NAT_DETECTION_SOURCE_IP
16:30:59 ipsec   notify: NAT_DETECTION_DESTINATION_IP
16:30:59 ipsec (NAT-T) REMOTE LOCAL
16:30:59 ipsec KA list add: 192.168.178.3[4500]->89.1.175.13[61157]
16:30:59 ipsec fragmentation negotiated
16:30:59 ipsec,debug ===== received 580 bytes from 89.1.175.13[61158] to 192.168.178.3[4500]
16:30:59 ipsec -> ike2 request, exchange: AUTH:1 89.1.175.13[61158] e832f37d5a1a84a9:a8d753933f764b81
16:30:59 ipsec peer ports changed: 61157 -> 61158
16:30:59 ipsec KA remove: 192.168.178.3[4500]->89.1.175.13[61157]
16:30:59 ipsec,debug KA tree dump: 192.168.178.3[4500]->89.1.175.13[61157] (in_use=1)
16:30:59 ipsec,debug KA removing this one...
16:30:59 ipsec KA list add: 192.168.178.3[4500]->89.1.175.13[61158]
16:30:59 ipsec payload seen: SKF (552 bytes)
16:30:59 ipsec processing payload: ENC (not found)
16:30:59 ipsec processing payload: SKF
16:30:59 ipsec => invalid payload (first 0x100 of 0x228)
16:30:59 ipsec 23000228 00010015 97fbc6d8 10f936cb 6ec07f5e 9dbd06ce 45294b31 5c92c706 ....
16:30:59 ipsec reply notify: INVALID_SYNTAX
16:30:59 ipsec adding notify: INVALID_SYNTAX
....

I suspect that the problem starts after version 6.47.8 when IKEV2_FRAGMENTATION_SUPPORTED was implemented,
especially since the Windows 10 native client works as expected with other vendors
and fragmentation enabled on both endpoints.

Statistics: Posted by pedkoschi — Wed Mar 20, 2024 9:53 pm
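The bytes the router prints next to "invalid payload" in the 6.49.13 log are the start of an IKEv2 Encrypted Fragment (SKF) payload as defined in RFC 7383. The following parser is an added example for this thread, not code from the poster, from RouterOS or from Windows; it decodes that logged byte string (copied from the post) and checks the fixed header against the RFC's rules. The only assumption beyond the log is the IV length: the negotiated cipher was aes256-cbc, so the IV is taken to be one 16-byte block.

```python
"""
Parse the IKEv2 Encrypted Fragment (SKF) payload header (RFC 7383, section 2.5).

Added example for the thread above; not RouterOS or Windows code. It decodes the
bytes RouterOS logged as "invalid payload" so the fragment bookkeeping can be
read off and checked against the RFC's rules.
"""
import struct
from typing import List, Optional

# IKEv2 payload type numbers (RFC 7296 section 3.2; 53 = SKF from RFC 7383)
PAYLOAD_NAMES = {
    0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
    38: "CERTREQ", 39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V",
    44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP", 53: "SKF",
}

# First 32 bytes of the rejected SKF payload, copied from the 6.49.13 log in
# the post (the router prints only the first 0x100 of 0x228 bytes, and the
# poster truncated the dump further with "....").
LOGGED_SKF_HEAD = bytes.fromhex(
    "23000228 00010015 97fbc6d8 10f936cb 6ec07f5e 9dbd06ce 45294b31 5c92c706"
)

# Assumption for this example: the IKE SA negotiated aes256-cbc, so the IV is
# one 16-byte block. A real implementation takes this from the SA's cipher.
AES_CBC_IV_LEN = 16


def parse_skf(payload: bytes, iv_len: int = AES_CBC_IV_LEN) -> dict:
    """Decode the generic payload header plus the SKF-specific fields.

    Layout (RFC 7383 section 2.5):
      Next Payload (1) | C + Reserved (1) | Payload Length (2)
      Fragment Number (2) | Total Fragments (2)
      IV (iv_len) | encrypted fragment ... | padding | pad length | ICV
    Only the fixed-size head is decoded, so a truncated dump is acceptable.
    """
    if len(payload) < 8:
        raise ValueError("SKF payload shorter than its 8-byte fixed header")
    next_payload, flags, length, frag_num, total = struct.unpack("!BBHHH", payload[:8])
    return {
        "next_payload": next_payload,
        "next_payload_name": PAYLOAD_NAMES.get(next_payload, f"unknown({next_payload})"),
        "critical": bool(flags & 0x80),
        "length": length,
        "fragment_number": frag_num,
        "total_fragments": total,
        "iv": payload[8:8 + iv_len].hex(),
        "first_encrypted_bytes": payload[8 + iv_len:].hex(),
    }


def skf_problems(hdr: dict, bytes_on_wire: Optional[int] = None) -> List[str]:
    """Return the RFC 7383 header rules this fragment violates (empty list = clean)."""
    problems = []
    if hdr["fragment_number"] == 0 or hdr["total_fragments"] == 0:
        problems.append("Fragment Number and Total Fragments MUST NOT be zero")
    if hdr["fragment_number"] > hdr["total_fragments"]:
        problems.append("Fragment Number exceeds Total Fragments")
    # Only fragment 1 carries the type of the first inner payload; every later
    # fragment MUST set Next Payload to 0 (RFC 7383 section 2.5).
    if hdr["fragment_number"] > 1 and hdr["next_payload"] != 0:
        problems.append("Next Payload must be 0 in fragments after the first")
    if hdr["fragment_number"] == 1 and hdr["next_payload"] == 0:
        problems.append("first fragment should name the first inner payload")
    if bytes_on_wire is not None and hdr["length"] != bytes_on_wire:
        problems.append(f"Payload Length {hdr['length']} != {bytes_on_wire} bytes received")
    return problems


if __name__ == "__main__":
    hdr = parse_skf(LOGGED_SKF_HEAD)
    for key, value in hdr.items():
        print(f"{key:>22}: {value}")
    # The log shows 580 bytes received on UDP: a 28-byte IKE header plus this payload.
    print("problems:", skf_problems(hdr, bytes_on_wire=580 - 28) or "none")
```

Run against the logged bytes, the parser reports fragment 1 of 21, Next Payload 35 (IDi, which is the first payload of an initiator's IKE_AUTH), Payload Length 552 (matching the "SKF (552 bytes)" line and the 580-byte datagram), and no rule violations, so whatever the responder objected to is not visible in the cleartext fragment header. The log ends at the first fragment; a packet capture on the router (for example with /tool sniffer) would show whether fragments 2 to 21 ever arrived and what was sent back.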


