Hmm, I tried your configuration and I get the same behaviour with strongswan. I 
don't have an iPhone to test. I tried playing around with the settings 
switching from x509 to PSK, changing strongswan knobs, always with the same 
result.
I can connect to other strongswan responders using this same client.
Do you have other special settings in other strongswan config files?
Do you have any special pf rules? I run with pf disabled for these tests. I 
don't think running pf is required to establish a tunnel.

Best regards,
Jona

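Added here as a worked example (it is not code from the thread, from iked or from strongSwan) is a small Python tool for the two things that are hard to see in the configs and logs quoted below: whether a strongSwan `ike=` proposal and an iked `ikesa` clause can agree at all, and at which exchange an `ipsec up` attempt stalls. The keyword map, the `Proposal` class and every function name are this example's own; the responder model (the responder's own preference wins, and a KE payload that carries a different group costs an INVALID_KE_PAYLOAD round trip) is an assumption that matches what the iked log in the thread shows; the sample log lines are an abridged copy of the strongSwan output quoted further down, with the two-line "selected proposal" entry joined onto one line.

```python
"""Added example for this thread (not code from the thread, from iked or from
strongSwan): check whether an IKEv2 initiator proposal can be negotiated with
a responder policy, and triage a strongSwan `ipsec up` transcript for the
stage at which a tunnel attempt stalls."""
import re
from dataclasses import dataclass, field

# strongSwan keyword -> the name iked.conf uses. Constructed subset covering
# the algorithms that appear in the thread (assumption: extend for others).
SS_TO_IKED = {
    "aes128": "aes-128", "aes192": "aes-192", "aes256": "aes-256", "3des": "3des",
    "sha1": "hmac-sha1", "sha256": "hmac-sha2-256", "sha384": "hmac-sha2-384",
    "modp1024": "modp1024", "modp1536": "modp1536", "modp2048": "modp2048",
    "ecp256": "ecp256", "ecp384": "ecp384", "curve25519": "curve25519",
}
ENC_NAMES = {"aes-128", "aes-192", "aes-256", "3des"}


@dataclass
class Proposal:
    enc: list = field(default_factory=list)
    auth: list = field(default_factory=list)
    dh: list = field(default_factory=list)


def parse_strongswan_ike(spec):
    """Parse a strongSwan `ike=` value such as 'aes256-sha256-modp2048!'.
    The trailing '!' (strongSwan's 'strict' marker) is dropped; only a single
    proposal (no ',') is handled here."""
    p = Proposal()
    for tok in spec.rstrip("!").split("-"):
        name = SS_TO_IKED.get(tok, tok)
        if name in ENC_NAMES:
            p.enc.append(name)
        elif name.startswith("hmac"):
            p.auth.append(name)
        else:
            p.dh.append(name)
    return p


def parse_iked_ikesa(clause):
    """Parse the `ikesa ...` clause of an iked.conf policy, e.g.
    'ikesa enc aes-256,aes-128 auth hmac-sha2-256 group modp2048,modp1536'."""
    p = Proposal()
    for key, attr in (("enc", "enc"), ("auth", "auth"), ("group", "dh")):
        m = re.search(r"\b%s\s+(\S+)" % key, clause)
        if m:
            setattr(p, attr, m.group(1).split(","))
    return p


def negotiate(initiator, responder):
    """Model a responder that picks, per transform type, its own first
    preference that the initiator also offers (what iked's log shows with
    'want dh MODP_2048, KE has ECP_256'). The IKE_SA_INIT KE payload carries
    only the initiator's first DH group, so if the chosen group differs the
    responder answers INVALID_KE_PAYLOAD and the initiator restarts with that
    group: one extra round trip before authentication even begins."""
    def pick(preferred, offered):
        return next((x for x in preferred if x in offered), None)
    enc = pick(responder.enc, initiator.enc)
    auth = pick(responder.auth, initiator.auth)
    dh = pick(responder.dh, initiator.dh)
    return {
        "ok": None not in (enc, auth, dh),
        "enc": enc, "auth": auth, "dh": dh,
        "ke_retry": dh is not None and initiator.dh[0] != dh,
    }


KE_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
EXCHANGE_BY_MSGID = {0: "IKE_SA_INIT", 1: "IKE_AUTH"}


def triage_strongswan_log(lines):
    """Reduce an `ipsec up` transcript to what matters for troubleshooting:
    the DH mismatch (if any), the proposal finally selected, and which
    exchange was still being retransmitted when the initiator gave up."""
    result = {"ke_mismatch": None, "proposal": None, "stalled_exchange": None,
              "retransmits": 0, "established": False}
    last_msgid = None
    for line in (l.strip() for l in lines):
        if m := KE_RE.search(line):
            result["ke_mismatch"] = (m.group(1), m.group(2))
        elif m := RETRANS_RE.search(line):
            result["retransmits"] = int(m.group(1))
            last_msgid = int(m.group(2))
        elif line.startswith("selected proposal:"):
            result["proposal"] = line.split(":", 1)[1].strip()
        elif line.startswith("giving up after") and last_msgid is not None:
            result["stalled_exchange"] = EXCHANGE_BY_MSGID.get(
                last_msgid, "message ID %d" % last_msgid)
        elif "established successfully" in line:
            result["established"] = True
    return result


# Abridged copy of the strongSwan log quoted in the thread (sample input;
# the 'selected proposal' entry is joined onto one line here).
SAMPLE_LOG = """\
initiating IKE_SA puffvpn[5] to 1.2.3.4
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
retransmit 1 of request with message ID 0
retransmit 2 of request with message ID 0
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
retransmit 1 of request with message ID 1
retransmit 5 of request with message ID 1
giving up after 5 retransmits
establishing connection 'puffvpn' failed
""".splitlines()

if __name__ == "__main__":
    # strongSwan pinned as in the working config from the thread; iked side as
    # printed by `iked -dvv` in the thread (its defaults).
    init = parse_strongswan_ike("aes256-sha256-modp2048!")
    resp = parse_iked_ikesa("ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 "
                            "auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024")
    print(negotiate(init, resp))
    print(triage_strongswan_log(SAMPLE_LOG))
```

Run as a script it prints both result dictionaries. On the full `ipsec up` output from the thread the triage gives `stalled_exchange == 'IKE_AUTH'` with the DH mismatch already resolved, which separates proposal selection (working) from IKE_AUTH handling on the responder (where the attempt actually dies).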
On Apr 20, 2020, at 16:02, R0me0 *** <[email protected]> wrote:
>Adjust as needed *
>
>( Don't forget to adjust your pf rules accordingly ) *
>
>
>
>OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN )
>
>ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
> local egress peer any  \
> ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
> childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
> dstid [email protected] psk "psk_passphrase" config address 10.20.30.32
>
>
>
>iPhone = just disable certificates and set psk
>
>
>Interoperability with StrongSwan
>
>
># cat /etc/ipsec.conf
>
># ipsec.conf – strongSwan IPsec configuration file
># basic configuration
>
>config setup
>
>conn %default
>    ikelifetime=60m
>    keylife=20m
>    rekeymargin=3m
>    keyingtries=1
>    keyexchange=ikev2
>    authby=secret
>    ike=aes256-sha256-modp2048!
>    esp=aes256-sha256-modp2048!
>
>conn strongswan
>    left=%any
>    leftfirewall=yes
>    leftsourceip=%config
>    right=REMOTE_PEER_IP
>    rightid=puffymagic.ikedvpn.com
>    # networks you want access to on the other side (behind the magic puffer fish)
>    rightsubnet=192.168.0.0/24,172.8.50.0/24
>    auto=add
>
>
>
># cat /etc/ipsec.secrets
>
># ipsec.secrets – strongSwan IPsec secrets file
>: PSK "strongopeniked"
>
>
>
>PS: Magic Puffer Fish Rock!
>
>On Mon, Apr 20, 2020 at 09:49, Jona Joachim <[email protected]> wrote:
>
>> Hi,
>>
>> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
>> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
>> using x509 certificates generated by ikectl.
>>
>> The tunnel cannot be established. It is hard for me to see what's going
>> on. strongswan seems to be sending the same IKE_AUTH packet again and
>> again and iked does not seem to respond even though it receives the
>> packet and does not show an error. The only thing fishy I see in iked
>> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
>> it "cannot switch".
>>
>> Does anybody have a working setup between iked and strongSwan or any
>> insights? Config files and logs below.
>>
>> Thanks,
>>
>> Jona
>>
>>
>> iked.conf:
>>
>> ikev2 passive esp \
>>          from 0.0.0.0/0 to 10.201.201.0/24 \
>>          from 192.168.0.0/16 to 10.244.244.0/24 \
>>          from 10.244.244.0/24 to 192.168.0.0/16 \
>>          local 1.2.3.4 peer any \
>>          srcid vpn.example.com \
>> config address 10.201.201.0/24 \
>> config name-server 10.201.201.1 \
>>          tag "IKED"
>>
>>
>> ipsec.conf (strongSwan):
>>
>> config setup
>>      # strictcrlpolicy=yes
>>      # uniqueids = no
>>
>> conn puffvpn
>>      keyexchange=ikev2
>>      dpddelay=5s
>>      dpdtimeout=60s
>>      dpdaction=restart
>>
>>      left=%defaultroute
>>      leftcert=wookie.crt
>>      leftsubnet=192.168.0.0/16
>>      leftfirewall=yes
>>      leftid="wookie"
>>
>>      right=vpn.example.com
>>      rightsubnet=10.201.201.0/24
>>      rightid="vpn.example.com"
>>
>>      auto=start
>>
>> strongswan log:
>>
>> # ipsec up puffvpn
>> initiating IKE_SA puffvpn[5] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
>> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
>> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> peer didn't accept DH group ECP_256, it requested MODP_2048
>> initiating IKE_SA puffvpn[5] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> retransmit 1 of request with message ID 0
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> retransmit 2 of request with message ID 0
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(HASH_ALG) ]
>> selected proposal:
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> local host is behind NAT, sending keep alives
>> received 1 cert requests for an unknown ca
>> sending cert request for "CN=35.180.187.116"
>> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, [email protected]"
>> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
>> sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn, OU=iked, CN=wookie, [email protected]"
>> establishing CHILD_SA puffvpn{7}
>> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
>> retransmit 1 of request with message ID 1
>> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
>> retransmit 2 of request with message ID 1
>> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
>> retransmit 3 of request with message ID 1
>> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
>> sending keep alive to 1.2.3.4[4500]
>> retransmit 4 of request with message ID 1
>> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
>> sending keep alive to 1.2.3.4[4500]
>> sending keep alive to 1.2.3.4[4500]
>> retransmit 5 of request with message ID 1
>> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
>> sending keep alive to 1.2.3.4[4500]
>> sending keep alive to 1.2.3.4[4500]
>> sending keep alive to 1.2.3.4[4500]
>> giving up after 5 retransmits
>> peer not responding, trying again (2/3)
>> establishing connection 'puffvpn' failed
>>
>> iked log:
>>
>> # iked -dvv
>> ikev2 "policy1" passive esp inet from 10.244.244.0/24 to 192.168.0.0/16
>>   from 0.0.0.0/0 to 10.201.201.0/24 from 192.168.0.0/16 to 10.244.244.0/24
>>   local 1.2.3.4 peer any
>>   ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1
>>   auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024
>>   childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
>>   srcid vpn.example.com lifetime 10800 bytes 536870912 signature
>>   config address 10.201.201.0 config name-server 10.201.201.1 tag "IKED"
>> /etc/iked.conf: loaded 1 configuration rules
>> ca_privkey_serialize: type RSA_KEY length 1192
>> ca_pubkey_serialize: type RSA_KEY length 270
>> ca_privkey_to_method: type RSA_KEY method RSA_SIG
>> ca_getkey: received private key type RSA_KEY length 1192
>> ca_getkey: received public key type RSA_KEY length 270
>> ca_dispatch_parent: config reset
>> ca_reload: loaded ca file ca.crt
>> ca_reload: loaded crl file ca.crl
>> ca_reload: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=IKECA/[email protected]
>> ca_reload: loaded 1 ca certificate
>> ca_reload: loaded cert file vpn.example.com.crt
>> ca_reload: loaded cert file wookie.crt
>> ca_validate_cert: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=vpn.example.com/[email protected] ok
>> ca_validate_cert: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=wookie/[email protected] ok
>> ca_reload: local cert type X509_CERT
>> config_getocsp: ocsp_url none
>> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
>> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
>> config_getpolicy: received policy
>> config_getpfkey: received pfkey fd 3
>> config_getcompile: compilation done
>> config_getsocket: received socket fd 4
>> config_getsocket: received socket fd 5
>> config_getsocket: received socket fd 6
>> config_getsocket: received socket fd 7
>> config_getmobike: mobike
>> config_getfragmentation: no fragmentation
>> spi=0x35fb3f73a0a70b49: recv IKE_SA_INIT req 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 928 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000
>> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
>> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 928 response 0
>> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704
>> ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE spisize 0 xforms 35 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE
>> spisize 0 xforms 37 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
>> ikev2_pld_ke: dh group ECP_256 reserved 0
>> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
>> ikev2_nat_detection: peer source 0x35fb3f73a0a70b49 0x0000000000000000 5.6.7.8:52409
>> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
>> ikev2_nat_detection: peer destination 0x35fb3f73a0a70b49 0x0000000000000000 1.2.3.4:500
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
>> ikev2_pld_notify: fragmentation disabled
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
>> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
>> ikev2_pld_notify: signature hash SHA2_256 (2)
>> ikev2_pld_notify: signature hash SHA2_384 (3)
>> ikev2_pld_notify: signature hash SHA2_512 (4)
>> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
>> sa_state: INIT -> SA_INIT
>> ikev2_sa_negotiate: score 4
>> ikev2_sa_negotiate: score 0
>> sa_stateok: SA_INIT flags 0x0000, require 0x0000
>> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
>> spi=0x35fb3f73a0a70b49: ikev2_sa_responder_dh: want dh MODP_2048, KE has ECP_256
>> spi=0x35fb3f73a0a70b49: ikev2_resp_recv: failed to negotiate IKE SA
>> spi=0x35fb3f73a0a70b49: ikev2_add_error: INVALID_KE_PAYLOAD
>> ikev2_add_error: done
>> ikev2_next_payload: length 10 nextpayload NONE
>> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x56bdae3b5afb6def nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 38 response 1
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
>> ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
>> spi=0x35fb3f73a0a70b49: send IKE_SA_INIT res 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 38 bytes
>> spi=0x35fb3f73a0a70b49: sa_state: SA_INIT -> CLOSED from any to any
>> policy 'policy1'
>> config_free_proposals: free 0x29c15330b80
>> config_free_proposals: free 0x29bd54c0d00
>> spi=0x35fb3f73a0a70b49: recv IKE_SA_INIT req 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 1120 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000
>> sa_free: ispi 0x35fb3f73a0a70b49 rspi 0x56bdae3b5afb6def
>> config_free_proposals: free 0x29bff353800
>> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
>> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1120 response 0
>> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704
>> ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE
>> spisize 0 xforms 35 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE
>> spisize 0 xforms 37 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
>> ikev2_pld_ke: dh group MODP_2048 reserved 0
>> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
>> ikev2_nat_detection: peer source 0x35fb3f73a0a70b49 0x0000000000000000 5.6.7.8:52409
>> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
>> ikev2_nat_detection: peer destination 0x35fb3f73a0a70b49 0x0000000000000000 1.2.3.4:500
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
>> ikev2_pld_notify: fragmentation disabled
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
>> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
>> ikev2_pld_notify: signature hash SHA2_256 (2)
>> ikev2_pld_notify: signature hash SHA2_384 (3)
>> ikev2_pld_notify: signature hash SHA2_512 (4)
>> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
>> sa_state: INIT -> SA_INIT
>> ikev2_sa_negotiate: score 4
>> ikev2_sa_negotiate: score 0
>> sa_stateok: SA_INIT flags 0x0000, require 0x0000
>> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
>> spi=0x35fb3f73a0a70b49: ikev2_sa_keys: DHSECRET with 256 bytes
>> ikev2_sa_keys: SKEYSEED with 32 bytes
>> spi=0x35fb3f73a0a70b49: ikev2_sa_keys: S with 80 bytes
>> ikev2_prfplus: T1 with 32 bytes
>> ikev2_prfplus: T2 with 32 bytes
>> ikev2_prfplus: T3 with 32 bytes
>> ikev2_prfplus: T4 with 32 bytes
>> ikev2_prfplus: T5 with 32 bytes
>> ikev2_prfplus: T6 with 32 bytes
>> ikev2_prfplus: T7 with 32 bytes
>> ikev2_prfplus: Tn with 224 bytes
>> ikev2_sa_keys: SK_d with 32 bytes
>> ikev2_sa_keys: SK_ai with 32 bytes
>> ikev2_sa_keys: SK_ar with 32 bytes
>> ikev2_sa_keys: SK_ei with 32 bytes
>> ikev2_sa_keys: SK_er with 32 bytes
>> ikev2_sa_keys: SK_pi with 32 bytes
>> ikev2_sa_keys: SK_pr with 32 bytes
>> ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
>> ikev2_add_proposals: length 44
>> ikev2_next_payload: length 48 nextpayload KE
>> ikev2_next_payload: length 264 nextpayload NONCE
>> ikev2_next_payload: length 36 nextpayload NOTIFY
>> ikev2_nat_detection: local source 0x35fb3f73a0a70b49 0x5537f74b17c41bce 1.2.3.4:500
>> ikev2_next_payload: length 28 nextpayload NOTIFY
>> ikev2_nat_detection: local destination 0x35fb3f73a0a70b49 0x5537f74b17c41bce 5.6.7.8:52409
>> ikev2_next_payload: length 28 nextpayload CERTREQ
>> ikev2_add_certreq: type X509_CERT length 21
>> ikev2_next_payload: length 25 nextpayload NOTIFY
>> ikev2_next_payload: length 14 nextpayload NONE
>> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
>> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
>> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE
>> spisize 0 xforms 4 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
>> HMAC_SHA2_256_128
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
>> ikev2_pld_ke: dh group MODP_2048 reserved 0
>> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
>> length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
>> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00
>> length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
>> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
>> ikev2_pld_certreq: type X509_CERT length 20
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
>> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
>> spi=0x35fb3f73a0a70b49: send IKE_SA_INIT res 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 471 bytes
>> config_free_proposals: free 0x29c15330200
>> config_free_proposals: free 0x29bd54c0d80
>> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
>> ikev2_recv: updated SA to peer 5.6.7.8:51315 local 1.2.3.4:4500
>> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1568 response 0
>> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1540
>> ikev2_msg_decrypt: IV length 16
>> ikev2_msg_decrypt: encrypted payload length 1504
>> ikev2_msg_decrypt: integrity checksum length 16
>> ikev2_msg_decrypt: integrity check succeeded
>> ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 7
>> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 14
>> ikev2_pld_id: id FQDN/wookie length 10
>> ikev2_pld_payloads: decrypted payload CERT nextpayload NOTIFY critical 0x00 length 999
>> ikev2_pld_cert: type X509_CERT length 994
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ
>> critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
>> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload IDr
>critical
>> 0x00 length 45
>> ikev2_pld_certreq: type X509_CERT length 40
>> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
>> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
>> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical
>0x00
>> length 22
>> ikev2_pld_id: id FQDN/vpn.example.com length 18
>> ikev2_pld_id: unexpected id payload
>> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical
>0x00
>> length 280
>> ikev2_pld_auth: method SIG length 272
>> sa_state: SA_INIT -> AUTH_REQUEST
>> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical
>0x00
>> length 44
>> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP
>> spisize 4 xforms 3 spi 0xc7402502
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
>> HMAC_SHA2_256_128
>> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
>> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical
>0x00
>> length 24
>> ikev2_pld_ts: count 1 length 16
>> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
>> endport 65535
>> ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255
>> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical
>> 0x00 length 24
>> ikev2_pld_ts: count 1 length 16
>> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
>> endport 65535
>> ikev2_pld_ts: start 10.201.201.0 end 10.201.201.255
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY
>critical
>> 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY
>critical
>> 0x00 length 12
>> ikev2_pld_notify: protoid NONE spisize 0 type ADDITIONAL_IP4_ADDRESS
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY
>critical
>> 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE
>critical
>> 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type
>> IKEV2_MESSAGE_ID_SYNC_SUPPORTED
>> sa_stateok: SA_INIT flags 0x0000, require 0x0000
>> policy_lookup: peerid 'wookie'
>> ikev2_msg_auth: responder auth data length 535
>> ca_setauth: auth length 535
>> ikev2_msg_auth: initiator auth data length 1184
>> ikev2_msg_authverify: method SIG keylen 994 type X509_CERT
>> _dsa_verify_init: signature scheme 0 selected
>> ikev2_msg_authverify: authentication successful
>> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
>> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b
>> cert,certvalid,auth,authvalid,sa)
>> ikev2_sa_negotiate: score 4
>> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x0030, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x35fb3f73a0a70b49: sa_state: cannot switch: AUTH_SUCCESS ->
>VALID
>> config_free_proposals: free 0x29c15330100
>> ca_getreq: no valid local certificate found
>> ca_setauth: auth length 256
>> ca_validate_pubkey: public key does not match pubkeys/fqdn/wookie
>> ca_x509_subjectaltname: FQDN/wookie
>> ca_validate_cert:
>>
>>
>/C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=wookie/[email protected]
>> ok
>> ikev2_getimsgdata: imsg 21 rspi 0x5537f74b17c41bce ispi
>> 0x35fb3f73a0a70b49 initiator 0 sa valid type 0 data length 0
>> ikev2_dispatch_cert: cert type NONE length 0, ignored
>> ikev2_getimsgdata: imsg 26 rspi 0x5537f74b17c41bce ispi
>> 0x35fb3f73a0a70b49 initiator 0 sa valid type 1 data length 256
>> ikev2_dispatch_cert: AUTH type 1 len 256
>> sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required
>> 0x003b cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x0038, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x35fb3f73a0a70b49: sa_state: cannot switch: AUTH_SUCCESS ->
>VALID
>> ikev2_dispatch_cert: peer certificate is valid
>> sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa
>> (required 0x003b cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x003a, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x35fb3f73a0a70b49: sa_state: cannot switch: AUTH_SUCCESS ->
>VALID
>> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
>> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
>> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
>> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
>> spi=0x9d3467359e3543b4: recv IKE_SA_INIT req 0 peer 5.6.7.8:56436 local 1.2.3.4:500, 928 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0x0000000000000000
>> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
>> ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 928 response 0
>> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704
>> ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE spisize 0 xforms 35 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE spisize 0 xforms 37 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
>> ikev2_pld_ke: dh group ECP_256 reserved 0
>> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
>> ikev2_nat_detection: peer source 0x9d3467359e3543b4 0x0000000000000000 5.6.7.8:56436
>> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
>> ikev2_nat_detection: peer destination 0x9d3467359e3543b4 0x0000000000000000 1.2.3.4:500
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
>> ikev2_pld_notify: fragmentation disabled
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
>> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
>> ikev2_pld_notify: signature hash SHA2_256 (2)
>> ikev2_pld_notify: signature hash SHA2_384 (3)
>> ikev2_pld_notify: signature hash SHA2_512 (4)
>> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
>> sa_state: INIT -> SA_INIT
>> ikev2_sa_negotiate: score 4
>> ikev2_sa_negotiate: score 0
>> sa_stateok: SA_INIT flags 0x0000, require 0x0000
>> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
>> spi=0x9d3467359e3543b4: ikev2_sa_responder_dh: want dh MODP_2048, KE has ECP_256
>> spi=0x9d3467359e3543b4: ikev2_resp_recv: failed to negotiate IKE SA
>> spi=0x9d3467359e3543b4: ikev2_add_error: INVALID_KE_PAYLOAD
>> ikev2_add_error: done
>> ikev2_next_payload: length 10 nextpayload NONE
>> ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0x1ee80c5b6e666ae6 nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 38 response 1
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
>> ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
>> spi=0x9d3467359e3543b4: send IKE_SA_INIT res 0 peer 5.6.7.8:56436 local 1.2.3.4:500, 38 bytes
>> spi=0x9d3467359e3543b4: sa_state: SA_INIT -> CLOSED from any to any policy 'policy1'
>> config_free_proposals: free 0x29bff353600
>> config_free_proposals: free 0x29c15330380
>> spi=0x9d3467359e3543b4: recv IKE_SA_INIT req 0 peer 5.6.7.8:56436 local 1.2.3.4:500, 1120 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0x0000000000000000
>> sa_free: ispi 0x9d3467359e3543b4 rspi 0x1ee80c5b6e666ae6
>> config_free_proposals: free 0x29c15330f00
>> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
>> ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1120 response 0
>> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704
>> ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE spisize 0 xforms 35 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE spisize 0 xforms 37 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
>> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
>> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
>> ikev2_pld_ke: dh group MODP_2048 reserved 0
>> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
>> ikev2_nat_detection: peer source 0x9d3467359e3543b4 0x0000000000000000 5.6.7.8:56436
>> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
>> ikev2_nat_detection: peer destination 0x9d3467359e3543b4 0x0000000000000000 1.2.3.4:500
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
>> ikev2_pld_notify: fragmentation disabled
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
>> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
>> ikev2_pld_notify: signature hash SHA2_256 (2)
>> ikev2_pld_notify: signature hash SHA2_384 (3)
>> ikev2_pld_notify: signature hash SHA2_512 (4)
>> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
>> sa_state: INIT -> SA_INIT
>> ikev2_sa_negotiate: score 4
>> ikev2_sa_negotiate: score 0
>> sa_stateok: SA_INIT flags 0x0000, require 0x0000
>> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
>> spi=0x9d3467359e3543b4: ikev2_sa_keys: DHSECRET with 256 bytes
>> ikev2_sa_keys: SKEYSEED with 32 bytes
>> spi=0x9d3467359e3543b4: ikev2_sa_keys: S with 80 bytes
>> ikev2_prfplus: T1 with 32 bytes
>> ikev2_prfplus: T2 with 32 bytes
>> ikev2_prfplus: T3 with 32 bytes
>> ikev2_prfplus: T4 with 32 bytes
>> ikev2_prfplus: T5 with 32 bytes
>> ikev2_prfplus: T6 with 32 bytes
>> ikev2_prfplus: T7 with 32 bytes
>> ikev2_prfplus: Tn with 224 bytes
>> ikev2_sa_keys: SK_d with 32 bytes
>> ikev2_sa_keys: SK_ai with 32 bytes
>> ikev2_sa_keys: SK_ar with 32 bytes
>> ikev2_sa_keys: SK_ei with 32 bytes
>> ikev2_sa_keys: SK_er with 32 bytes
>> ikev2_sa_keys: SK_pi with 32 bytes
>> ikev2_sa_keys: SK_pr with 32 bytes
>> ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
>> ikev2_add_proposals: length 44
>> ikev2_next_payload: length 48 nextpayload KE
>> ikev2_next_payload: length 264 nextpayload NONCE
>> ikev2_next_payload: length 36 nextpayload NOTIFY
>> ikev2_nat_detection: local source 0x9d3467359e3543b4 0xe5fa736e6c7143e4 1.2.3.4:500
>> ikev2_next_payload: length 28 nextpayload NOTIFY
>> ikev2_nat_detection: local destination 0x9d3467359e3543b4 0xe5fa736e6c7143e4 5.6.7.8:56436
>> ikev2_next_payload: length 28 nextpayload CERTREQ
>> ikev2_add_certreq: type X509_CERT length 21
>> ikev2_next_payload: length 25 nextpayload NOTIFY
>> ikev2_next_payload: length 14 nextpayload NONE
>> ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
>> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
>> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
>> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
>> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
>> ikev2_pld_ke: dh group MODP_2048 reserved 0
>> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
>> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
>> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
>> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
>> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
>> ikev2_pld_certreq: type X509_CERT length 20
>> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
>> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
>> spi=0x9d3467359e3543b4: send IKE_SA_INIT res 0 peer 5.6.7.8:56436 local 1.2.3.4:500, 471 bytes
>> config_free_proposals: free 0x29c15330800
>> config_free_proposals: free 0x29bff353c80
>> spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4
>> ikev2_recv: updated SA to peer 5.6.7.8:51315 local 1.2.3.4:4500
>> ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi
>0xe5fa736e6c7143e4
>> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1
>length
>> 1568
>>   response 0
>> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length
>1540
>> ikev2_msg_decrypt: IV length 16
>> ikev2_msg_decrypt: encrypted payload length 1504
>> ikev2_msg_decrypt: integrity checksum length 16
>> ikev2_msg_decrypt: integrity check succeeded
>> ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 7
>> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical
>0x00
>> length 14
>> ikev2_pld_id: id FQDN/wookie length 10
>> ikev2_pld_payloads: decrypted payload CERT nextpayload NOTIFY
>critical
>> 0x00 length 999
>> ikev2_pld_cert: type X509_CERT length 994
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ
>> critical 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
>> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload IDr
>critical
>> 0x00 length 45
>> ikev2_pld_certreq: type X509_CERT length 40
>> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
>> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
>> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical
>0x00
>> length 22
>> ikev2_pld_id: id FQDN/vpn.example.com length 18
>> ikev2_pld_id: unexpected id payload
>> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical
>0x00
>> length 280
>> ikev2_pld_auth: method SIG length 272
>> sa_state: SA_INIT -> AUTH_REQUEST
>> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical
>0x00
>> length 44
>> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP
>> spisize 4 xforms 3 spi 0xc46c24f0
>> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
>> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
>> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
>> HMAC_SHA2_256_128
>> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
>> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical
>0x00
>> length 24
>> ikev2_pld_ts: count 1 length 16
>> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
>> endport 65535
>> ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255
>> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical
>> 0x00 length 24
>> ikev2_pld_ts: count 1 length 16
>> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
>> endport 65535
>> ikev2_pld_ts: start 10.201.201.0 end 10.201.201.255
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY
>critical
>> 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY
>critical
>> 0x00 length 12
>> ikev2_pld_notify: protoid NONE spisize 0 type ADDITIONAL_IP4_ADDRESS
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY
>critical
>> 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
>> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE
>critical
>> 0x00 length 8
>> ikev2_pld_notify: protoid NONE spisize 0 type
>> IKEV2_MESSAGE_ID_SYNC_SUPPORTED
>> sa_stateok: SA_INIT flags 0x0000, require 0x0000
>> policy_lookup: peerid 'wookie'
>> ikev2_msg_auth: responder auth data length 535
>> ca_setauth: auth length 535
>> ikev2_msg_auth: initiator auth data length 1184
>> ikev2_msg_authverify: method SIG keylen 994 type X509_CERT
>> _dsa_verify_init: signature scheme 0 selected
>> ikev2_msg_authverify: authentication successful
>> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
>> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b
>> cert,certvalid,auth,authvalid,sa)
>> ikev2_sa_negotiate: score 4
>> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x0030, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS ->
>> VALID
>> config_free_proposals: free 0x29bd54c0080
>> ca_getreq: no valid local certificate found
>> ca_setauth: auth length 256
>> ca_validate_pubkey: public key does not match pubkeys/fqdn/wookie
>> ca_x509_subjectaltname: FQDN/wookie
>> ca_validate_cert:
>> /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=wookie/[email protected]
>> ok
>> ikev2_getimsgdata: imsg 21 rspi 0xe5fa736e6c7143e4 ispi
>> 0x9d3467359e3543b4 initiator 0 sa valid type 0 data length 0
>> ikev2_dispatch_cert: cert type NONE length 0, ignored
>> ikev2_getimsgdata: imsg 26 rspi 0xe5fa736e6c7143e4 ispi
>> 0x9d3467359e3543b4 initiator 0 sa valid type 1 data length 256
>> ikev2_dispatch_cert: AUTH type 1 len 256
>> sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required
>> 0x003b cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x0038, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS ->
>> VALID
>> ikev2_dispatch_cert: peer certificate is valid
>> sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa
>> (required 0x003b cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x003a, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS ->
>> VALID
>> spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4
>> spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4
>> spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4
>> spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:55315 local
>> 1.2.3.4:4500, 1568 bytes, policy 'policy1'
>> ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4
>>
>>
>>
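The repeated "cannot switch: AUTH_SUCCESS -> VALID" lines in the quoted iked log are the responder refusing to mark the SA valid until every bit in the "required" mask is set. The script below is an added example, not code from the thread or from iked: it strips the mail quoting, decodes the sa_stateflags / sa_stateok masks and names the required flag that is still missing. The bit values are derived from the hex/name pairs the log itself prints (0x003b == cert,certvalid,auth,authvalid,sa); they are an assumption, not read from iked's headers.

```python
import re

# Flag bits inferred from the log's own "0x003b cert,certvalid,auth,authvalid,sa"
# and "0x003e certvalid,certreq,auth,authvalid,sa" pairs (assumed, not from iked.h).
FLAG_BITS = {
    "cert": 0x0001, "certvalid": 0x0002, "certreq": 0x0004,
    "auth": 0x0008, "authvalid": 0x0010, "sa": 0x0020,
}

STATEFLAGS_RE = re.compile(
    r"sa_stateflags: 0x([0-9a-f]+) -> 0x([0-9a-f]+) .*?\(required 0x([0-9a-f]+)")
STATEOK_RE = re.compile(
    r"sa_stateok: (\w+) flags 0x([0-9a-f]+), require 0x([0-9a-f]+)")

def names(mask):
    """Flag names set in a mask, in iked's printing order."""
    return [n for n, b in FLAG_BITS.items() if mask & b]

def missing_flags(have, required):
    """Required flags not yet set; empty list means the SA may advance."""
    return names(required & ~have)

def diagnose(log):
    # Drop mail quoting (">> ", ">") and join wrapped lines so that
    # "(required 0x003b" on a continuation line is seen with its prefix.
    text = " ".join(re.sub(r"^>+\s?", "", line) for line in log.splitlines())
    result = {"transitions": [], "missing": None}
    for m in STATEFLAGS_RE.finditer(text):
        _before, after, req = (int(x, 16) for x in m.groups())
        result["transitions"].append((names(after), missing_flags(after, req)))
    for m in STATEOK_RE.finditer(text):
        have, req = int(m.group(2), 16), int(m.group(3), 16)
        result["missing"] = missing_flags(have, req)   # last check wins
    return result

# Sample taken from the quoted log above, with its mail-wrapping intact.
SAMPLE_LOG = """\
>> sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa
>> (required 0x003b cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x003a, require 0x003b
>> cert,certvalid,auth,authvalid,sa
>> spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS ->
>VALID
"""

if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    print("still missing:", r["missing"])   # ['cert']
```

On the quoted log the only missing bit is `cert`, which lines up with the earlier "ca_getreq: no valid local certificate found": the responder never obtained its own certificate, so the SA stays in AUTH_SUCCESS.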
