Protecting an L2TP tunnel on MikroTik
Suppose you have several branch offices connected by VPN (L2TP+IPsec) tunnels. Or without IPsec, anything can happen. Or the router sits at a relative's place in Germany and you use it to get around site blocking. Literally a day or two after setting it up, entries like these start showing up in the log:
04:41:13 ipsec,info respond new phase 1 (Identity Protection): xxx.xxx.xxx.xxx[500]
04:41:13 ipsec,error 217.25.18.110 failed to get valid proposal.
04:41:13 ipsec,error 217.25.18.110 failed to pre-process ph1 packet (side: 1, status 1).
04:41:13 ipsec,error 217.25.18.110 phase1 negotiation fail
This means that some bot, run by kind uncle Liao or other comrades, is trying to connect, or rather to guess the password, or rather to guess the authentication method. Or maybe someone is manually trying to rattle the chimney of your estate, that is, your VPN.
I started looking for ways to protect it and first came across a thread on the official forum, at the end of which there was a link to this set of scripts on GitHub.
Frankly, everything there is as clear as day. For those who don't get along with English, here is a quick and simple rundown of how to use them for your own needs. Download the firewall rules and the 3 scripts. The former need editing: replace the interface ether1-WAN with your own and apply them on the MikroTik. Then move the rules higher up the list.
Next, edit the scripts: change alerts@mail.srv to your own mailbox, and in [:resolve mail.srv] change mail.srv to your own SMTP server. Then add the scripts under System > Scripts, and after that to the scheduler under System > Scheduler.
Now all that is left is to check that it works: connect to the MikroTik via Winbox, open the log, and try to connect to the VPN server with incorrect credentials; an error should appear in the log. After that, once the script has run, the IP will be added to the l2tp-brutforce address list in the firewall and a notification will arrive by e-mail.
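The scripts the post describes read the router log and put the offending source address into the l2tp-brutforce address list. The following is an added example, not the blog author's script and not the GitHub set the post links to: the same detection logic in Python, run over constructed log lines in the format shown above (RFC 5737 documentation addresses, not real hosts). It counts one failure per "phase1 negotiation failed" line, applies a sliding-window threshold, and keeps an allow-list, because a misconfigured legitimate client produces exactly the same error lines as a scanner (the forum thread on this page is such a case). The address-list name l2tp-brutforce is from the post; the threshold, window, timeout and sample addresses are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the RouterOS ipsec log lines quoted above.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
04:41:13 ipsec,info respond new phase 1 (Identity Protection): 203.0.113.10[500]
04:41:13 ipsec,error 203.0.113.10 failed to get valid proposal.
04:41:13 ipsec,error 203.0.113.10 failed to pre-process ph1 packet (side: 1, status 1).
04:41:13 ipsec,error 203.0.113.10 phase1 negotiation failed.
04:41:15 ipsec,error 203.0.113.10 failed to get valid proposal.
04:41:15 ipsec,error 203.0.113.10 phase1 negotiation failed.
04:41:20 ipsec,error 203.0.113.10 failed to get valid proposal.
04:41:20 ipsec,error 203.0.113.10 phase1 negotiation failed.
jun/11/2018 10:23:01 ipsec,error 198.51.100.7 failed to get valid proposal.
jun/11/2018 10:23:01 ipsec,error 198.51.100.7 phase1 negotiation failed.
jun/11/2018 10:23:02 ipsec,error 198.51.100.7 phase1 negotiation failed.
jun/11/2018 10:23:05 ipsec,error 198.51.100.7 phase1 negotiation failed.
06:10:00 ipsec,error 192.0.2.99 phase1 negotiation failed.
"""

# One failed attempt produces several ipsec,error lines; count only the final
# "phase1 negotiation failed" line so a single attempt is not counted three times.
# RouterOS prefixes older entries with a date (mon/dd/yyyy), today's with the time only.
FAIL_RE = re.compile(
    r"^(?:\w{3}/\d{2}/\d{4} )?(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) ipsec,error "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) phase1 negotiation failed\.?$"
)


def failed_attempts(log_text):
    """{source_ip: [time of day in seconds, ...]} of phase-1 failures."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            attempts[m["ip"]].append(int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]))
    return dict(attempts)


def offenders(attempts, threshold=3, window=600):
    """Sources with at least `threshold` failures inside some `window`-second span."""
    hits = {}
    for ip, times in attempts.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)  # total failures seen for this source
                break
    return hits


def triage(log_text, allow_list=(), threshold=3, window=600, timeout="1d"):
    """Split offenders into addresses to block and known sites to review.

    A branch router or a colleague's misconfigured Windows client produces exactly
    the same lines as a scanner, so known peers go to 'review' instead of the block
    list, and blocks carry a timeout instead of being permanent."""
    hits = offenders(failed_attempts(log_text), threshold, window)
    block = sorted(ip for ip in hits if ip not in allow_list)
    review = sorted(ip for ip in hits if ip in allow_list)
    commands = [
        f"/ip firewall address-list add list=l2tp-brutforce address={ip} "
        f'timeout={timeout} comment="{hits[ip]} ipsec phase1 failures"'
        for ip in block
    ]
    return {"block": block, "review": review, "commands": commands}


if __name__ == "__main__":
    # 198.51.100.7 plays a known branch office here (constructed).
    print(triage(SAMPLE_LOG, allow_list={"198.51.100.7"}))
```

The generated lines are ordinary RouterOS address-list commands with a timeout, so an entry expires on its own; the firewall rule that drops UDP 500/4500 from the l2tp-brutforce list is the one the post's rule set already provides.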
Source
Ipsec error failed to get valid proposal
Thu Jun 07, 2018 1:52 pm
I have set up an L2TP IPSec tunnel (client-server type).
Connecting from a Windows 10 PC. L2TP server, profile, secret, settings I believe are OK.
When I try to connect I'm getting the error "no good proposal found", phase1 failing.
I did debug, see attached picture.
Can someone explain what is wrong from the debug log, as however much I have tried various settings on the peer and proposal, I get the same thing in the debug log every time.
Your help is much appreciated.
Re: L2TP IPSec (no suit proposal found)
Thu Jun 07, 2018 3:50 pm
Can you export your settings regarding the l2tp configuration please?
Re: L2TP IPSec (no suit proposal found)
Thu Jun 07, 2018 3:51 pm
Use the "terminal" window of Winbox or WebFig, or a command line connection (ssh), and place the following command:
/log print where topics
Then download the file and use "find&replace" in a text editor to systematically replace the public IP addresses with a distinctive pattern like my.public.ip.1
Also place here the output of
/ip ipsec export hide-sensitive
/ip ipsec peer print
/interface l2tp-server export hide-sensitive
(hide-sensitive removes passwords from the output, but you have to replace the IP addresses the same way as above, and you also have to manually remove the secret=xxxx from the output of the print command).
I've tested the Win10 native L2TP/IPsec client a few weeks ago and it was fine, so there is likely some issue in the peer proposal.
Re: L2TP IPSec (no suit proposal found)
Thu Jun 07, 2018 5:08 pm
Re: L2TP IPSec (no suit proposal found)
Thu Jun 07, 2018 5:45 pm
Here is all you have asked for, all a mess:
/ip ipsec mode-config
add address-pool=admin_dhcp name=IKE2 static-dns=x.x.x.x system-dns=no
/ip ipsec policy group
add name=LT2TP
add name=IKE2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc name=LFG pfs-group=none
add enc-algorithms=aes-128-cbc name=proposal1
add enc-algorithms=aes-256-cbc lifetime=0s name=L2TPVPN pfs-group=none
add enc-algorithms=aes-256-cbc lifetime=0s name=IKEA pfs-group=none
/ip ipsec peer
add address=x.x.x.x comment=LFH dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add address=x.x.x.x comment="LFH Over VF Backup" dh-group=modp1024 disabled=yes enc-algorithm=aes-128 nat-traversal=no
add address=x.x.x.x comment=LFH dh-group=modp1024 disabled=yes nat-traversal=no
add address=x.x.x.x comment=LFH dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add address=x.x.x.x comment=AOC dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override policy-template-group=LT2TP
add address=0.0.0.0/0 auth-method=rsa-signature comment=IKE2 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 mode-config=IKE2 passive=yes policy-template-group=IKE2
/ip ipsec policy
set 0 disabled=yes
add comment="VPN HQ — LFH" dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=x.x.x.x tunnel=yes
add comment="VPN HQ — LFH Over LFH VF Backup" disabled=yes dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=x.x.x.x tunnel=yes
add comment="VPN HQ — LFH IT" dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=x.x.x.x tunnel=yes
add comment="VPN HQ — 69" dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=x.x.x.x tunnel=yes
add comment="VPN HQ — AOC" dst-address=x.x.x.x proposal=proposal1 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=x.x.x.x tunnel=yes
/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
 0   ;;; LFH
     address=x.x.x.x auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 1 X ;;; LFH Over VF Backup
     address=x.x.x.x auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 2 X ;;; LFH
     address=x.x.x.x auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 3   ;;; LFH
     address=x.x.x.x auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 4   ;;; AOC
     address=x.x.x.x auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 5 R ;;; L2TP
     address=0.0.0.0/0 auth-method=pre-shared-key secret="" generate-policy=port-override policy-template-group=LT2TP exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 6 R ;;; IKE2
     address=0.0.0.0/0 passive=yes auth-method=rsa-signature certificate=*3 remote-certificate=*3 generate-policy=no policy-template-group=IKE2 exchange-mode=ike2 mode-config=IKE2 send-initial-contact=yes hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m
/interface l2tp-server export hide-sensitive
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TPVPN enabled=yes keepalive-timeout=disabled
Re: L2TP IPSec (no suit proposal found)
Fri Jun 08, 2018 4:58 pm
Well, you haven't pasted the log, but let's try without it first.
The first issue is that you have two peers with (remote) address=0.0.0.0/0, the one for L2TP and another one for IKEv2. I’m not sure whether the fact that the L2TP one is declared first is sufficient to let incoming connections be matched to this peer. So as the first thing to try, disable the IKE2 one to be sure that it does not shadow the L2TP one. If it doesn’t, then the L2TP one shadows the IKE2 one. It’s simply not possible to have two IPsec peers open for 0.0.0.0/0 unless you bind them to different local addresses (which may not be possible if you only have a single public address) — the peer to use is only chosen up to the combination of local and remote address of the initial packet, not by any information carried inside the packet.
Next, you don’t use the automatically (dynamically) created IPsec peer for L2TP/IPsec; instead, you have created one manually. I can see that the peer (phase1) proposal only permits 3des encryption-algorithm; I’m not sure whether the Win10 client supports it too. So first try to permit all encryption-algorithms in the peer proposal; if that way the Phase 1 establishes, you can proceed by tuning the policy (Phase 2) proposal. Some more points are that
- in the automatically generated peer, passive is set to yes, which is not the case on your manually created peer (this affects Phase 1)
- proposal-check is set to strict while yours is obey (I’m not sure whether this affects Phase 1)
- generate-policy is set to port-strict while yours is port-override
Re: L2TP IPSec (no suit proposal found)
Fri Jun 08, 2018 5:46 pm
Re: L2TP IPSec (no suit proposal found)
Fri Jun 08, 2018 5:52 pm
Re: L2TP IPSec (no suit proposal found)
Fri Jun 08, 2018 5:59 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 1:43 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 2:35 pm
"ipsec" is much more useful than screenshots.
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 5:20 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 5:25 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 5:30 pm
Yes, there are a lot of "default" items and a complex structure of references/dependencies in the IPsec configuration. It needs some experience to realize all the relationships.
If the Mikrotik reports no error but the Windows client gives up, it suggests that IPsec is already fine and the issue is on the l2tp layer. What does /ip firewall filter export show?
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 5:50 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 5:57 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 6:10 pm
OK. Let's ignore for a while that your firewall is not safe because there is no "drop the rest" rule in the input chain (i.e. you let in anything except known threats, which is not a good idea), but the firewall is not the reason why the L2TP does not come up.
By default, only events with severity info and above are logged. So do the following:
/system logging add topics=l2tp
This will make the system log everything related to l2tp, including severity debug.
Then, start
/log print follow-only file=l2tp-log where topics
let it run, let the Windows client connection attempt start and fail, and then stop the /log print by pressing Ctrl-C.
Then download the file, look at what it says, and if it doesn't clarify the issue, use find&replace to substitute the real IP addresses with meaningful strings like mtik.public.ip, client's.public.ip and post the result as text here.
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 6:40 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 7:01 pm
The log shows that the Windows client doesn’t respond to some of our requests after the session got established; I’m not an L2TP specialist so I don’t know whether ignoring what you don’t understand is a legal behaviour or not.
So please post the output of the following:
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 7:17 pm
[. ] > /interface l2tp-server server export verbose hide-sensitive
# jun/09/2018 17:08:46 by RouterOS 6.42.3
# software > #
# model = 1100AHx2
# serial number = xxxxxxx
/interface l2tp-server server
set allow-fast-path=no authentication=mschap1,mschap2 caller-id-type=ip-address default-profile=L2TPVPN enabled=yes keepalive-timeout=disabled max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=required
[. ] > /ppp secret export verbose hide-sensitive
# jun/09/2018 17:10:25 by RouterOS 6.42.3
# software > #
# model = 1100AHx2
# serial number = XXXXXXX
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 !local-address name=xxxxxx profile=L2TPVPN !remote-address routes="" service=l2tp
[. ] > /ppp profile export verbose
# jun/09/2018 17:12:32 by RouterOS 6.42.3
# software > #
# model = 1100AHx2
# serial number = xxxxxxxx
/ppp profile
set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-mpls=default use-upnp=default !wins-server
add address-list="" !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=default dns-server=x.x.x.x !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=x.x.x.x name=L2TPVPN on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=admin_dhcp !session-timeout use-compression=default use-encryption=required use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=yes use-mpls=default use-upnp=default !wins-server
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 7:31 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 8:03 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 8:10 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 8:16 pm
tunnel in IPsec is related to the way plaintext packets are encapsulated into IPsec transport ones, and it is correct that for L2TP the tunnel mode is not used.
As the establishment of L2TP session got that far, the ISP had nothing to do with the issue, as everything L2TP-related runs inside the IPsec encrypted UDP flow. So the ISP has no possibility to affect what happens at L2TP level, except if it would be dropping e.g. packets of particular size or something equally weird.
My Win10 once decided not to show me the list of wireless networks, it took me months to find that the remedy was to remove a VPN profile with a name in Cyrillic (the pop-up window shows various kinds of networks at a time and obviously if one of the items had problems the whole window was not showing up). Needless to say that after re-creating that profile, including the same name in Cyrillic, everything worked fine. Thank you, Microsoft.
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 8:23 pm
Re: L2TP IPSec (no suit proposal found)
Sat Jun 09, 2018 8:32 pm
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 11:00 am
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 11:24 am
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 11:30 am
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 11:54 am
OK. So do the same as you did with l2tp:
/system logging add topics=ipsec
Then, start
/log print follow-only file=ipsec-log where topics~"ipsec",
try to connect the VPN client, and when it fails, stop the /log print and download the file.
Then use find&replace to obfuscate the addresses (selectively, please, i.e. l.l.l.l for local address and r.r.r.r for remote address) and post the result.
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 12:29 pm
Jun/11/2018 10:23:01 ipsec,error no suitable proposal found.
Jun/11/2018 10:23:01 ipsec,error x.x.x.x failed to get valid proposal.
Jun/11/2018 10:23:01 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
Jun/11/2018 10:23:01 ipsec,error x.x.x.x phase1 negotiation failed.
Jun/11/2018 10:23:02 ipsec,error no suitable proposal found.
Jun/11/2018 10:23:02 ipsec,error x.x.x.x failed to get valid proposal.
Jun/11/2018 10:23:02 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
Jun/11/2018 10:23:02 ipsec,error x.x.x.x phase1 negotiation failed.
Jun/11/2018 10:23:05 ipsec,error no suitable proposal found.
Jun/11/2018 10:23:05 ipsec,error x.x.x.x failed to get valid proposal.
Jun/11/2018 10:23:05 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
Jun/11/2018 10:23:05 ipsec,error x.x.x.x phase1 negotiation failed.
# jun/11/2018 10:22:41 by RouterOS 6.42.3
# software > #
10:23:00 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[7]
10:23:00 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
10:23:00 ipsec received Vendor ID: RFC 3947
10:23:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
10:23:00 ipsec
10:23:00 ipsec received Vendor ID: FRAGMENTATION
10:23:00 ipsec Fragmentation enabled
10:23:00 ipsec x.x.x.x Selected NAT-T version: RFC 3947
10:23:00 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
10:23:00 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
10:23:00 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
10:23:00 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
10:23:00 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
10:23:00 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
10:23:00 ipsec,error no suitable proposal found.
10:23:00 ipsec,error no suitable proposal found.
10:23:00 ipsec,error x.x.x.x failed to get valid proposal.
10:23:00 ipsec,error x.x.x.x failed to get valid proposal.
10:23:00 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:00 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:00 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:00 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:01 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[7]
10:23:01 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
10:23:01 ipsec received Vendor ID: RFC 3947
10:23:01 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
10:23:01 ipsec
10:23:01 ipsec received Vendor ID: FRAGMENTATION
10:23:01 ipsec Fragmentation enabled
10:23:01 ipsec x.x.x.x Selected NAT-T version: RFC 3947
10:23:01 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
10:23:01 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
10:23:01 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
10:23:01 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
10:23:01 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
10:23:01 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
10:23:01 ipsec,error no suitable proposal found.
10:23:01 ipsec,error no suitable proposal found.
10:23:01 ipsec,error x.x.x.x failed to get valid proposal.
10:23:01 ipsec,error x.x.x.x failed to get valid proposal.
10:23:01 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:01 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:01 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:01 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:02 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[7]
10:23:02 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
10:23:02 ipsec received Vendor ID: RFC 3947
10:23:02 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
10:23:02 ipsec
10:23:02 ipsec received Vendor ID: FRAGMENTATION
10:23:02 ipsec Fragmentation enabled
10:23:02 ipsec x.x.x.x Selected NAT-T version: RFC 3947
10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
10:23:02 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
10:23:02 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
10:23:02 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
10:23:02 ipsec,error no suitable proposal found.
10:23:02 ipsec,error no suitable proposal found.
10:23:02 ipsec,error x.x.x.x failed to get valid proposal.
10:23:02 ipsec,error x.x.x.x failed to get valid proposal.
10:23:02 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:02 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:02 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:02 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:05 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[7]
10:23:05 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
10:23:05 ipsec received Vendor ID: RFC 3947
10:23:05 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
10:23:05 ipsec
10:23:05 ipsec received Vendor ID: FRAGMENTATION
10:23:05 ipsec Fragmentation enabled
10:23:05 ipsec x.x.x.x Selected NAT-T version: RFC 3947
10:23:05 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
10:23:05 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
10:23:05 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
10:23:05 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
10:23:05 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
10:23:05 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
10:23:05 ipsec,error no suitable proposal found.
10:23:05 ipsec,error no suitable proposal found.
10:23:05 ipsec,error x.x.x.x failed to get valid proposal.
10:23:05 ipsec,error x.x.x.x failed to get valid proposal.
10:23:05 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:05 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
10:23:05 ipsec,error x.x.x.x phase1 negotiation failed.
10:23:05 ipsec,error x.x.x.x phase1 negotiation failed.
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 1:30 pm
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 1:43 pm
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 2:21 pm
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 2:44 pm
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 2:59 pm
I mean, one reason why it works from home but doesn’t from the office is that the Windows client sends different proposals depending on the weather in Kyoto 73 days ago; another possibility is that the Mikrotik generates different phase1 proposals each time it dynamically creates the IPSec peer for L2TP use (depending on something equally unrelated at first glance).
So I’d recommend that you copy the peer dynamically created by the l2tp-server configuration to a static one (using /ip ipsec peer add copy-from=[find dynamic=yes exchange-mode=main-l2tp]) and then uncheck «use IPsec» in the /interface l2tp-server server configuration. And then make that new peer’s proposal match what the log shows the Windows client proposes.
And also to compare this part of the log when trying now from the office and later from home, to see whether the proposal from the Windows client is the same or different in both cases.
Re: L2TP IPSec (no suit proposal found)
Mon Jun 11, 2018 8:17 pm
Re: L2TP IPSec (no suit proposal found)
Tue Jun 12, 2018 11:35 am
Re: L2TP IPSec (no suit proposal found)
Tue Jun 12, 2018 1:42 pm
As said, I would like to see the log of the proposal comparison for the successful and unsuccessful cases, otherwise we won’t get anywhere.
One thing one could easily imagine is some packet size limitation on one of the paths, causing the proposal to be truncated, except that the recipient should notice that, as the ISAKMP header contains the length of the payload, the proposal header contains the number of transforms, etc., so it is quite unlikely to be the cause. Plus the packet carrying the proposal has just 450 bytes including the Ethernet headers, so it is quite unlikely to get truncated.
Another thing I could imagine a bit more easily, but hesitate to believe, would be that something on the way between the client and server is tampering with the proposal contents.
If you don’t mind capturing the good and bad attempts using Wireshark, it would be interesting to see whether the Windows client is sending the same proposal in both cases or not. You can see below in the decoding of my Win10’s native client’s ISAKMP packet carrying the proposal that there is nothing sensitive in the proposal itself — anything sensitive is transmitted encrypted:
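Added example, not from the post above and not RouterOS code: a builder and parser for the IKEv1 phase-1 SA payload (the length fields the post mentions are all checked) plus a replay of the responder's Local:Peer comparison. The five Windows transforms are reconstructed from the "transform #1..#5" decode in the debug log later in the thread; the names WIN10_TRANSFORMS, FAILING_DB and WORKING_DB are mine, and the failing peer's AES key length (128) is an assumption, since the log does not show it.

```python
import struct
# IKE phase-1 attribute classes (RFC 2409 Appendix A) and the values seen in the
# thread's log; attribute names follow the log's "Compared: Local:Peer" lines.
ATTR = {1: "enctype", 2: "hashtype", 3: "authmethod", 4: "dh_group",
        11: "lifetype", 12: "lifetime", 14: "encklen"}
ATTR_ID = {v: k for k, v in ATTR.items()}
NAMES = {"enctype": {5: "3DES-CBC", 7: "AES-CBC"}, "hashtype": {2: "SHA"},
         "authmethod": {1: "pre-shared key"},
         "dh_group": {2: "1024-bit MODP group", 14: "2048-bit MODP group",
                      19: "256-bit random ECP group", 20: "384-bit random ECP group"}}

def win_transform(enc, keylen, group):
    """One transform in the attribute order the Windows client puts on the wire."""
    t = {"enctype": enc}
    if keylen:                          # 3DES carries no Key Length attribute
        t["encklen"] = keylen
    t.update(hashtype=2, dh_group=group, authmethod=1, lifetype=1, lifetime=28800)
    return t

# Peer proposal reconstructed from the "transform #1..#5" decode in the debug log.
WIN10_TRANSFORMS = [win_transform(7, 256, 20), win_transform(7, 128, 19),
                    win_transform(7, 256, 14), win_transform(5, 0, 14),
                    win_transform(5, 0, 2)]

def build_transform(num, attrs, last):
    body = b""
    for name, value in attrs.items():
        if name == "lifetime":          # Life Duration goes TLV with a 4-byte value
            body += struct.pack("!HHI", ATTR_ID[name], 4, value)
        else:                           # everything else in TV form (high bit set)
            body += struct.pack("!HH", 0x8000 | ATTR_ID[name], value)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), num, 1, 0) + body

def build_sa_payload(transforms, next_payload=13):
    """SA payload (DOI 1, situation 1) with one ISAKMP proposal, SPI size 0."""
    tb = b"".join(build_transform(i + 1, a, i == len(transforms) - 1)
                  for i, a in enumerate(transforms))
    prop = struct.pack("!BBHBBBB", 0, 0, 8 + len(tb), 1, 1, 0, len(transforms)) + tb
    return struct.pack("!BBHII", next_payload, 0, 12 + len(prop), 1, 1) + prop

def parse_sa_payload(data):
    """Return [(transform_no, {attr: value})], checking every length field so a
    truncated or altered proposal is reported instead of partially matched."""
    _, _, sa_len, doi, _ = struct.unpack_from("!BBHII", data, 0)
    if sa_len != len(data) or doi != 1:
        raise ValueError("SA payload length/DOI mismatch")
    _, _, p_len, _, proto, spi_sz, n_trns = struct.unpack_from("!BBHBBBB", data, 12)
    if proto != 1 or spi_sz != 0 or 12 + p_len != sa_len:
        raise ValueError("proposal header does not fit the SA payload")
    off, transforms = 20, []
    for _ in range(n_trns):
        _, _, t_len, t_num, t_id, _ = struct.unpack_from("!BBHBBH", data, off)
        if t_id != 1 or off + t_len > sa_len:
            raise ValueError("bad transform #%d" % t_num)
        attrs, pos, end = {}, off + 8, off + t_len
        while pos < end:
            t, v = struct.unpack_from("!HH", data, pos)
            if t & 0x8000:              # TV form: 2-byte value
                attrs[ATTR.get(t & 0x7fff, t & 0x7fff)], pos = v, pos + 4
            else:                       # TLV form: v is the value length
                attrs[ATTR.get(t, t)] = int.from_bytes(data[pos + 4:pos + 4 + v], "big")
                pos += 4 + v
        transforms.append((t_num, attrs))
        off = end
    if off != sa_len:
        raise ValueError("transform lengths do not add up to the proposal length")
    return transforms

def _name(key, value):
    return NAMES.get(key, {}).get(value, str(value))

def compare(local_db, peer_transforms):
    """Replay the responder's loop: the first peer transform matching any local
    entry wins. Assumed: all five attributes must match exactly (the debug log
    shows encklen 128:256 not accepted); lifetime is negotiated, not rejected."""
    keys = ("enctype", "encklen", "hashtype", "authmethod", "dh_group")
    rejected = []
    for t_num, attrs in peer_transforms:
        for l_num, local in enumerate(local_db, 1):
            bad = [k for k in keys if local.get(k, 0) != attrs.get(k, 0)]
            if not bad:
                return t_num, rejected
            rejected += ["rejected %s: DB(prop#1:trns#%d):Peer(prop#1:trns#%d) = %s:%s"
                         % (k, l_num, t_num, _name(k, local.get(k, 0)),
                            _name(k, attrs.get(k, 0))) for k in bad]
    return None, rejected

# Local peer settings: the 1024-bit MODP + AES-CBC entry from the failing log (key
# length assumed 128) and the AES-128-or-3DES + modp2048 entries of the working log.
FAILING_DB = [dict(enctype=7, encklen=128, hashtype=2, authmethod=1, dh_group=2)]
WORKING_DB = [dict(enctype=7, encklen=128, hashtype=2, authmethod=1, dh_group=14),
              dict(enctype=5, hashtype=2, authmethod=1, dh_group=14)]

if __name__ == "__main__":
    peer = parse_sa_payload(build_sa_payload(WIN10_TRANSFORMS))
    for db in (FAILING_DB, WORKING_DB):
        chosen, why = compare(db, peer)
        print("\n".join(why))
        print("=>", "transform #%d accepted" % chosen if chosen else "no suitable proposal found.")
```

The rejection lines it prints have the same shape as the "rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = ..." lines in the failing log, so a peer's settings can be checked against a captured proposal before touching the router.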
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 12:07 pm
OK, here I got the successful log and the failed log.
Successful: from a neighbor company
# jun/13/2018 9:40:34 by RouterOS 6.42.3
# software > #
09:40:49 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[500]
09:40:49 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
09:40:49 ipsec received Vendor ID: RFC 3947
09:40:49 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
09:40:49 ipsec
09:40:49 ipsec received Vendor ID: FRAGMENTATION
09:40:49 ipsec Fragmentation enabled
09:40:49 ipsec x.x.x.x Selected NAT-T version: RFC 3947
09:40:49 ipsec sent phase1 packet x.x.x.x[500] x.x.x.x[500] sadr45f5yedy5y6y:ewr456gry56gref
09:40:49 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
09:40:49 ipsec NAT-D payload #0 verified
09:40:49 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
09:40:49 ipsec NAT-D payload #1 doesn’t match
09:40:49 ipsec NAT detected: PEER
09:40:49 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
09:40:49 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
09:40:49 ipsec Adding remote and local NAT-D payloads.
09:40:49 ipsec sent phase1 packet x.x.x.x[500] x.x.x.x[500] sadr45f5yedy5y6y:ewr456gry56gref
09:40:49 ipsec NAT-T: ports changed to: x.x.x.x[4500] x.x.x.x[4500]
09:40:49 ipsec KA list add: x.x.x.x[4500]->x.x.x.x[4500]
09:40:49 ipsec,info ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[4500] spi:sadr45f5yedy5y6y:ewr456gry56gref
09:40:49 ipsec respond new phase 2 negotiation: x.x.x.x[4500] x.x.x.x[4500]
09:40:49 ipsec searching for policy for selector: x.x.x.x:1701 ip-proto:17 x.x.x.x:1701 ip-proto:17
09:40:49 ipsec generating policy
09:40:49 ipsec Adjusting my encmode UDP-Transport->Transport
09:40:49 ipsec Adjusting peer’s encmode UDP-Transport(4)->Transport(2)
09:40:49 ipsec sent phase2 packet x.x.x.x[4500] x.x.x.x[4500]sadr45f5yedy5y6y:ewr456gry56gref :00000001
09:40:49 ipsec IPsec-SA established: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=0xef9af5c
09:40:49 ipsec IPsec-SA established: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=0xcc78a626
Failed connection from the office
# jun/13/2018 9:35:21 by RouterOS 6.42.3
# software > #
09:35:35 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[1]
09:35:35 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
09:35:35 ipsec received Vendor ID: RFC 3947
09:35:35 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
09:35:35 ipsec
09:35:35 ipsec received Vendor ID: FRAGMENTATION
09:35:35 ipsec Fragmentation enabled
09:35:35 ipsec x.x.x.x Selected NAT-T version: RFC 3947
09:35:35 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
09:35:35 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
09:35:35 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
09:35:35 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
09:35:35 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
09:35:35 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
09:35:35 ipsec,error no suitable proposal found.
09:35:35 ipsec,error no suitable proposal found.
09:35:35 ipsec,error x.x.x.x failed to get valid proposal.
09:35:35 ipsec,error x.x.x.x failed to get valid proposal.
09:35:35 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:35 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:35 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:35 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:36 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[1]
09:35:36 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
09:35:36 ipsec received Vendor ID: RFC 3947
09:35:36 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
09:35:36 ipsec
09:35:36 ipsec received Vendor ID: FRAGMENTATION
09:35:36 ipsec Fragmentation enabled
09:35:36 ipsec x.x.x.x Selected NAT-T version: RFC 3947
09:35:36 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
09:35:36 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
09:35:36 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
09:35:36 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
09:35:36 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
09:35:36 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
09:35:36 ipsec,error no suitable proposal found.
09:35:36 ipsec,error no suitable proposal found.
09:35:36 ipsec,error x.x.x.x failed to get valid proposal.
09:35:36 ipsec,error x.x.x.x failed to get valid proposal.
09:35:36 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:36 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:36 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:36 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:37 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[1]
09:35:37 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
09:35:37 ipsec received Vendor ID: RFC 3947
09:35:37 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
09:35:37 ipsec
09:35:37 ipsec received Vendor ID: FRAGMENTATION
09:35:37 ipsec Fragmentation enabled
09:35:37 ipsec x.x.x.x Selected NAT-T version: RFC 3947
09:35:37 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
09:35:37 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
09:35:37 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
09:35:37 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
09:35:37 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
09:35:37 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
09:35:37 ipsec,error no suitable proposal found.
09:35:37 ipsec,error no suitable proposal found.
09:35:37 ipsec,error x.x.x.x failed to get valid proposal.
09:35:37 ipsec,error x.x.x.x failed to get valid proposal.
09:35:37 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:37 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:37 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:37 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:40 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[1]
09:35:40 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
09:35:40 ipsec received Vendor ID: RFC 3947
09:35:40 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
09:35:40 ipsec
09:35:40 ipsec received Vendor ID: FRAGMENTATION
09:35:40 ipsec Fragmentation enabled
09:35:40 ipsec x.x.x.x Selected NAT-T version: RFC 3947
09:35:40 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
09:35:40 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
09:35:40 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
09:35:40 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
09:35:40 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
09:35:40 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
09:35:40 ipsec,error no suitable proposal found.
09:35:40 ipsec,error no suitable proposal found.
09:35:40 ipsec,error x.x.x.x failed to get valid proposal.
09:35:40 ipsec,error x.x.x.x failed to get valid proposal.
09:35:40 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:40 ipsec,error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
09:35:40 ipsec,error x.x.x.x phase1 negotiation failed.
09:35:40 ipsec,error x.x.x.x phase1 negotiation failed.
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:03 pm
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:10 pm
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:14 pm
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:18 pm
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:39 pm
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:39 pm
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 1:40 pm
And I have debug messages in the log which show the proposal coming from the peer, see example below.
In your case, there are no debug messages. So something must be different, either your setup or the post-processing of the log.
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 2:09 pm
OK, this is from a good connection
11:59:38 ipsec,debug ===== received 408 bytes from x.x.x.x[500] to x.x.x.x[500]
11:59:38 ipsec,debug ===
11:59:38 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[500] x.x.x.x[500]
11:59:38 ipsec,debug begin.
11:59:38 ipsec,debug seen nptype=1(sa) len=212
11:59:38 ipsec,debug seen nptype=13(vid) len=24
11:59:38 ipsec,debug seen nptype=13(vid) len=24
11:59:38 ipsec,debug seen nptype=13(vid) len=20
11:59:38 ipsec,debug seen nptype=13(vid) len=20
11:59:38 ipsec,debug seen nptype=13(vid) len=20
11:59:38 ipsec,debug seen nptype=13(vid) len=20
11:59:38 ipsec,debug seen nptype=13(vid) len=20
11:59:38 ipsec,debug seen nptype=13(vid) len=20
11:59:38 ipsec,debug succeed.
11:59:38 ipsec,debug received unknown Vendor ID
11:59:38 ipsec,debug 01528bbb c0069612 1849ab9a 1c5b2a51 00000001
11:59:38 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY
11:59:38 ipsec received Vendor ID: RFC 3947
11:59:38 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
11:59:38 ipsec
11:59:38 ipsec received Vendor ID: FRAGMENTATION
11:59:38 ipsec Fragmentation enabled
11:59:38 ipsec,debug received unknown Vendor ID
11:59:38 ipsec,debug fb1de3cd f341b7ea 16b7e5be 0855f120
11:59:38 ipsec,debug received unknown Vendor ID
11:59:38 ipsec,debug 26244d38 eddb61b3 172a36e3 d0cfb819
11:59:38 ipsec,debug received unknown Vendor ID
11:59:38 ipsec,debug e3a5966a 76379fe7 07228231 e5ce8652
11:59:38 ipsec x.x.x.x Selected NAT-T version: RFC 3947
11:59:38 ipsec,debug total SA len=208
11:59:38 ipsec,debug 00000001 00000001 000000c8 01010005 03000028 01010000 80010007 800e0100
11:59:38 ipsec,debug 80020002 80040014 80030001 800b0001 000c0004 00007080 03000028 02010000
11:59:38 ipsec,debug 000c0004 00007080 03000024 04010000 80010005 80020002 8004000e 80030001
11:59:38 ipsec,debug 800b0001 000c0004 00007080 00000024 05010000 80010005 80020002 80040002
11:59:38 ipsec,debug 80030001 800b0001 000c0004 00007080
11:59:38 ipsec,debug begin.
11:59:38 ipsec,debug seen nptype=2(prop) len=200
11:59:38 ipsec,debug succeed.
11:59:38 ipsec,debug proposal #1 len=200
11:59:38 ipsec,debug begin.
11:59:38 ipsec,debug seen nptype=3(trns) len=40
11:59:38 ipsec,debug seen nptype=3(trns) len=40
11:59:38 ipsec,debug seen nptype=3(trns) len=40
11:59:38 ipsec,debug seen nptype=3(trns) len=36
11:59:38 ipsec,debug seen nptype=3(trns) len=36
11:59:38 ipsec,debug succeed.
11:59:38 ipsec,debug transform #1 len=40
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
11:59:38 ipsec,debug encryption(aes)
11:59:38 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
11:59:38 ipsec,debug dh(ecp384)
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug transform #2 len=40
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
11:59:38 ipsec,debug encryption(aes)
11:59:38 ipsec,debug type=Key Length, flag=0x8000, lorv=128
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
11:59:38 ipsec,debug dh(ecp256)
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug transform #3 len=40
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
11:59:38 ipsec,debug encryption(aes)
11:59:38 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
11:59:38 ipsec,debug dh(modp2048)
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug transform #4 len=36
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
11:59:38 ipsec,debug encryption(3des)
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
11:59:38 ipsec,debug dh(modp2048)
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug transform #5 len=36
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
11:59:38 ipsec,debug encryption(3des)
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
11:59:38 ipsec,debug dh(modp1024)
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug pair 1:
11:59:38 ipsec,debug 0x10087798: next=(nil) tnext=0x10085650
11:59:38 ipsec,debug 0x10085650: next=(nil) tnext=0x10089478
11:59:38 ipsec,debug 0x10089478: next=(nil) tnext=0x1008dc88
11:59:38 ipsec,debug 0x1008dc88: next=(nil) tnext=0x10087810
11:59:38 ipsec,debug 0x10087810: next=(nil) tnext=(nil)
11:59:38 ipsec,debug proposal #1: 5 transform
11:59:38 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
11:59:38 ipsec,debug trns#=1, trns-id=IKE
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
11:59:38 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = AES-CBC:AES-CBC
11:59:38 ipsec,debug (encklen = 128:256)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:384-bit random ECP group
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = 3DES-CBC:AES-CBC
11:59:38 ipsec,debug (encklen = 0:256)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:384-bit random ECP group
11:59:38 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
11:59:38 ipsec,debug trns#=2, trns-id=IKE
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
11:59:38 ipsec,debug type=Key Length, flag=0x8000, lorv=128
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = AES-CBC:AES-CBC
11:59:38 ipsec,debug (encklen = 128:128)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:256-bit random ECP group
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = 3DES-CBC:AES-CBC
11:59:38 ipsec,debug (encklen = 0:128)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:256-bit random ECP group
11:59:38 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
11:59:38 ipsec,debug trns#=3, trns-id=IKE
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
11:59:38 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = AES-CBC:AES-CBC
11:59:38 ipsec,debug (encklen = 128:256)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = 3DES-CBC:AES-CBC
11:59:38 ipsec,debug (encklen = 0:256)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group
11:59:38 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
11:59:38 ipsec,debug trns#=4, trns-id=IKE
11:59:38 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
11:59:38 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
11:59:38 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
11:59:38 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
11:59:38 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
11:59:38 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = AES-CBC:3DES-CBC
11:59:38 ipsec,debug (encklen = 128:0)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group
11:59:38 ipsec,debug Compared: Local:Peer
11:59:38 ipsec,debug (lifetime = 86400:28800)
11:59:38 ipsec,debug (lifebyte = 0:0)
11:59:38 ipsec,debug enctype = 3DES-CBC:3DES-CBC
11:59:38 ipsec,debug (encklen = 0:0)
11:59:38 ipsec,debug hashtype = SHA:SHA
11:59:38 ipsec,debug authmethod = pre-shared key:pre-shared key
11:59:38 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group
11:59:38 ipsec,debug an acceptable proposal found.
11:59:38 ipsec,debug dh(modp2048)
11:59:38 ipsec,debug agreed on pre-shared key auth.
11:59:38 ipsec,debug ===
11:59:38 ipsec,debug new cookie:
11:59:38 ipsec,debug 22043d55e2a3925b
11:59:38 ipsec,debug add payload of len 52, next type 13
11:59:38 ipsec,debug add payload of len 16, next type 13
11:59:38 ipsec,debug add payload of len 16, next type 13
11:59:38 ipsec,debug add payload of len 20, next type 0
11:59:38 ipsec,debug 148 bytes from x.x.x.x[500] to x.x.x.x[500]
11:59:38 ipsec,debug 1 times of 148 bytes message will be sent to x.x.x.x[500]
11:59:38 ipsec,debug,packet a59b7317 fae1c523 22043d55 e2a3925b 01100200 00000000 00000094 0d000038
11:59:38 ipsec,debug,packet 8004000e 80030001 800b0001 000c0004 00007080 0d000014 4a131c81 07035845
11:59:38 ipsec,debug,packet 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
11:59:38 ipsec sent phase1 packet x.x.x.x[500] x.x.x.x[500] a59b7317fae1c523:22043d55e2a3925b
11:59:38 ipsec,debug ===== received 388 bytes from x.x.x.x[500] to x.x.x.x[500]
11:59:38 ipsec,debug begin.
11:59:38 ipsec,debug seen nptype=4(ke) len=260
11:59:38 ipsec,debug seen nptype=10(nonce) len=52
11:59:38 ipsec,debug seen nptype=20(nat-d) len=24
11:59:38 ipsec,debug seen nptype=20(nat-d) len=24
11:59:38 ipsec,debug succeed.
11:59:38 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec NAT-D payload #0 verified
11:59:38 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec NAT-D payload #1 doesn't match
11:59:38 ipsec NAT detected: PEER
11:59:38 ipsec,debug ===
11:59:38 ipsec,debug dh(modp2048)
11:59:38 ipsec,debug compute DH's private.
11:59:38 ipsec,debug 456a8cc7 699e6554 b1650092 975d469b 236ea832 48cb0a58 e7bc8eeb 87a71889
11:59:38 ipsec,debug 6269b4d1 41f34bdd 08085924 c43ab369 1eeed67c b69f2742 6b05261d a8a9a0a7
11:59:38 ipsec,debug 3502bfaf 149bbd7b 51ebdd4d 9bc6bb07 99970035 4e82e9fe d76a6cc6 09d27d11
11:59:38 ipsec,debug d188ec86 e1ae7221 55cdfd12 236f3322 850b82dc 2ebaadb5 8505017f dcc8fd5a
11:59:38 ipsec,debug compute DH's public.
11:59:38 ipsec,debug 28c52a78 e45e7a15 a4a275e2 e26fd07e 7a36d853 1bbbb7b0 9c45dfb2 26025202
11:59:38 ipsec,debug 78d3633c d28cd325 cb6f8dcc 81186b6d d60ccb61 b654802d d2d79314 ea6bbce3
11:59:38 ipsec,debug 7f7cb85a 7c05dc08 67ac08bb 15bff072 dcfab032 254722a4 1013a8e8 45bcbb16
11:59:38 ipsec,debug be9e87ef b9ab2ed2 bb6de405 72417cba 0f19c824 d14dc8f8 8bfa4a64 4a90b705
11:59:38 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec x.x.x.x Hashing x.x.x.x[500] with algo #2
11:59:38 ipsec,debug hash(sha1)
11:59:38 ipsec Adding remote and local NAT-D payloads.
11:59:38 ipsec,debug add payload of len 256, next type 10
11:59:38 ipsec,debug add payload of len 24, next type 20
11:59:38 ipsec,debug add payload of len 20, next type 20
11:59:38 ipsec,debug add payload of len 20, next type 0
11:59:38 ipsec,debug 364 bytes from x.x.x.x[500] to x.x.x.x[500]
11:59:38 ipsec,debug 1 times of 364 bytes message will be sent to x.x.x.x[500]
11:59:38 ipsec,debug,packet a59b7317 fae1c523 22043d55 e2a3925b 04100200 00000000 0000016c 0a000104
11:59:38 ipsec,debug,packet 28c52a78 e45e7a15 a4a275e2 e26fd07e 7a36d853 1bbbb7b0 9c45dfb2 26025202
11:59:38 ipsec,debug,packet c98cf0e3 5d1515c4 7d242b8c eac68ae0 49887a37 ae8658b6 bb08ebf4 889e6a03
11:59:38 ipsec,debug,packet be9e87ef b9ab2ed2 bb6de405 72417cba 0f19c824 d14dc8f8 8bfa4a64 4a90b705
11:59:38 ipsec,debug,packet 1400001c b4c02c15 60a4659c e207807d 18134a12 3dc89fbe a46e2ed1 14000018
11:59:38 ipsec,debug,packet e9c157ba 55460f4c c70b9471 fac000da ec1bf383 00000018 830ba2ba dab02d51
11:59:38 ipsec,debug,packet 054ba47e 1e071eba a735b777
11:59:38 ipsec sent phase1 packet x.x.x.x[500] x.x.x.x[500] a59b7317fae1c523:22043d55e2a3925b
11:59:38 ipsec,debug dh(modp2048)
11:59:39 ipsec,debug compute DH's shared.
11:59:39 ipsec,debug
11:59:39 ipsec,debug b859821e f51f55b5 9adc130a cca84e66 82d926d6 6dcbcf91 770c1db8 792cc4c4
11:59:39 ipsec,debug 12906231 8796dad8 4d08b43e c1b1991b 9aab8374 a65692cc 3afce926 56fe823a
11:59:39 ipsec,debug 3031a0f0 087ea8ff 20aca4ad a04d9950 913362c2 fea84ef7 bcf64bff 0764df7b
11:59:39 ipsec,debug 50e92550 ef932be3 916ea183 a67fc7b9 e06d4d17 9c3a768e af45f941 ee696762
11:59:39 ipsec,debug nonce 1:
11:59:39 ipsec,debug 72289750 eaf0eb97 ac2e88da 3867ae04 37715cb5 f74dee58 84ae9bb1 ea0aeeb1
11:59:39 ipsec,debug e047b824 30f1ebf9 5cb654b0 49381c5a
11:59:39 ipsec,debug nonce 2:
11:59:39 ipsec,debug b4c02c15 60a4659c e207807d 18134a12 3dc89fbe a46e2ed1
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug SKEYID computed:
11:59:39 ipsec,debug a0fe091f 76d8cea3 dffd92a9 dfb4c2df 71de50d1
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug SKEYID_d computed:
11:59:39 ipsec,debug 17a0429f 5185591e 9b1bd259 aca4318d 40794552
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug SKEYID_a computed:
11:59:39 ipsec,debug affe3c05 2d6ef3eb 9f5bc6c2 f5982c72 e63de07e
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug SKEYID_e computed:
11:59:39 ipsec,debug 36946a5f 20360645 2040a6a9 09fc3178 31baf45e
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug hash(sha1)
11:59:39 ipsec,debug len(SKEYID_e) x.x.x.x[4500]
11:59:39 ipsec KA list add: x.x.x.x[4500]->x.x.x.x[4500]
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug IV was saved for next processing:
11:59:39 ipsec,debug 396339ac c51ce1c9
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug with key:
11:59:39 ipsec,debug 993d782a 32cb9854 94e6dacd a81f3467 737113d5 a63099d8
11:59:39 ipsec,debug decrypted payload by IV:
11:59:39 ipsec,debug f6b3353b fa0a5c09
11:59:39 ipsec,debug decrypted payload, but not trimed.
11:59:39 ipsec,debug 0800000c 01000000 c0a80139 00000018 a640df62 9e91fefa 6c3a4992 c8d7984e
11:59:39 ipsec,debug 151b2afe 00000000
11:59:39 ipsec,debug padding len=1
11:59:39 ipsec,debug skip to trim padding.
11:59:39 ipsec,debug decrypted.
11:59:39 ipsec,debug a59b7317 fae1c523 22043d55 e2a3925b 05100201 00000000 00000044 0800000c
11:59:39 ipsec,debug 01000000 c0a80139 00000018 a640df62 9e91fefa 6c3a4992 c8d7984e 151b2afe
11:59:39 ipsec,debug 00000000
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=5(id) len=12
11:59:39 ipsec,debug seen nptype=8(hash) len=24
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug HASH received:
11:59:39 ipsec,debug a640df62 9e91fefa 6c3a4992 c8d7984e 151b2afe
11:59:39 ipsec,debug HASH with:
11:59:39 ipsec,debug 64c5e3e9 20c0a7f8 8641a0c2 8cf61553 75edb910 e258f23f 44a93a76 cdb2c4ef
11:59:39 ipsec,debug f728db5d 25812186 9c23417f 79a8b650 66def131 70c59d91 0bd5d1c1 e8893b1c
11:59:39 ipsec,debug 80020002 8004000e 80030001 800b0001 000c0004 00007080 03000024 04010000
11:59:39 ipsec,debug 80010005 80020002 8004000e 80030001 800b0001 000c0004 00007080 00000024
11:59:39 ipsec,debug 05010000 80010005 80020002 80040002 80030001 800b0001 000c0004 00007080
11:59:39 ipsec,debug 01000000 c0a80139
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug HASH computed:
11:59:39 ipsec,debug a640df62 9e91fefa 6c3a4992 c8d7984e 151b2afe
11:59:39 ipsec,debug HASH for PSK validated.
11:59:39 ipsec,debug x.x.x.x peer's ID
11:59:39 ipsec,debug 01000000 c0a80139
11:59:39 ipsec,debug ===
11:59:39 ipsec,debug use ID type of IPv4_address
11:59:39 ipsec,debug generate HASH_R
11:59:39 ipsec,debug HASH with:
11:59:39 ipsec,debug 28c52a78 e45e7a15 a4a275e2 e26fd07e 7a36d853 1bbbb7b0 9c45dfb2 26025202
11:59:39 ipsec,debug c98cf0e3 5d1515c4 7d242b8c eac68ae0 49887a37 ae8658b6 bb08ebf4 889e6a03
11:59:39 ipsec,debug 4d11cc06 77e69870 2c31fb14 af2e8919 0090a73c c8b1f6b1 d95f7b22 1ad7c78b
11:59:39 ipsec,debug 8d074a0f 15f3451f 8e769c95 6bda1957 02eafcb9 53573539 a27eace6 aa6a4290
11:59:39 ipsec,debug 9d75e915 bf2a4c20 ec05945a 8d7d0830 35c7716f ae822ff2 7f8ff7f7 93d31286
11:59:39 ipsec,debug 80030001 800b0001 000c0004 00007080 03000028 03010000 80010007 800e0100
11:59:39 ipsec,debug 80020002 8004000e 80030001 800b0001 000c0004 00007080 03000024 04010000
11:59:39 ipsec,debug 80010005 80020002 8004000e 80030001 800b0001 000c0004 00007080 00000024
11:59:39 ipsec,debug 05010000 80010005 80020002 80040002 80030001 800b0001 000c0004 00007080
11:59:39 ipsec,debug 011101f4 5965da26
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug HASH computed:
11:59:39 ipsec,debug fc884b28 168243a0 ec11293c cf2d6816 58092fda
11:59:39 ipsec,debug add payload of len 8, next type 8
11:59:39 ipsec,debug add payload of len 20, next type 0
11:59:39 ipsec,debug begin encryption.
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug pad length = 4
11:59:39 ipsec,debug 0800000c 011101f4 5965da26 00000018 fc884b28 168243a0 ec11293c cf2d6816
11:59:39 ipsec,debug 58092fda f5387303
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug with key:
11:59:39 ipsec,debug 993d782a 32cb9854 94e6dacd a81f3467 737113d5 a63099d8
11:59:39 ipsec,debug encrypted payload by IV:
11:59:39 ipsec,debug 396339ac c51ce1c9
11:59:39 ipsec,debug save IV for next:
11:59:39 ipsec,debug 632874e3 713ae537
11:59:39 ipsec,debug encrypted.
11:59:39 ipsec,debug 68 bytes from x.x.x.x[4500] to x.x.x.x[4500]
11:59:39 ipsec,debug 1 times of 72 bytes message will be sent to x.x.x.x[4500]
11:59:39 ipsec,debug,packet a59b7317 fae1c523 22043d55 e2a3925b 05100201 00000000 00000044 cdb9706b
11:59:39 ipsec,debug,packet 0a995c07 0e1e01a2 d764fb8c 04486d5d 62fb7df6 4dbce71f 7f679c4a 632874e3
11:59:39 ipsec,debug,packet 713ae537
11:59:39 ipsec,info ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[4500] spi:a59b7317fae1c523:22043d55e2a3925b
11:59:39 ipsec,debug ===
11:59:39 ipsec,debug ===== received 436 bytes from x.x.x.x[4500] to x.x.x.x[4500]
11:59:39 ipsec,debug,packet a59b7317 fae1c523 22043d55 e2a3925b 08102001 00000001 000001b4 ad8be9ce
11:59:39 ipsec,debug,packet 8d8a0306 98b979b1 8a0f8178 bc8848ae e46936b0 c989fae2 cebcf86f f5cf39fd
11:59:39 ipsec,debug,packet 5a54ca86 9aeb72f6 fd885041 c7ab6bc1 83364e1c 4f20acdd 420b6078 2de65b62
11:59:39 ipsec,debug,packet aebc86af ebededc3 40b6fa4d d3e5954e e80dd69c 703d708e 1718fe24 04cde76d
11:59:39 ipsec,debug,packet 36ad2f33 7e53e469 594060b6 326bae0f 7920d859 87bf3cb3 f4c0a59c 9964ce6d
11:59:39 ipsec,debug,packet fa4e27e2 f08efe9b cfa3c894 5ac01b01 6d91ffed
11:59:39 ipsec,debug compute IV for phase2
11:59:39 ipsec,debug phase1 last IV:
11:59:39 ipsec,debug 632874e3 713ae537 00000001
11:59:39 ipsec,debug hash(sha1)
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug phase2 IV computed:
11:59:39 ipsec,debug 9be5b36f 8a7fc4e8
11:59:39 ipsec,debug ===
11:59:39 ipsec respond new phase 2 negotiation: x.x.x.x[4500] x.x.x.x[4500]
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug IV was saved for next processing:
11:59:39 ipsec,debug 5ac01b01 6d91ffed
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug with key:
11:59:39 ipsec,debug 993d782a 32cb9854 94e6dacd a81f3467 737113d5 a63099d8
11:59:39 ipsec,debug decrypted payload by IV:
11:59:39 ipsec,debug 9be5b36f 8a7fc4e8
11:59:39 ipsec,debug decrypted payload, but not trimed.
11:59:39 ipsec,debug 01000018 3c24b9ec d9a18495 7ff1c11e 9038c156 651153f0 0a000118 00000001
11:59:39 ipsec,debug 00000e10 80010002 00020004 0003d090 05000034 29dff407 58ec906a 5b003f20
11:59:39 ipsec,debug 815c0e34 36f264f2 10bbc574 0ffc1bf7 55857dff 65d4fd94 e2cc41d9 93b5069d
11:59:39 ipsec,debug 3fbe0b25 0500000c 011106a5 c0a80139 1500000c 011106a5 5965da26 1500000c
11:59:39 ipsec,debug 01000000 c0a80139 0000000c 01000000 5965da26 00000000
11:59:39 ipsec,debug padding len=1
11:59:39 ipsec,debug skip to trim padding.
11:59:39 ipsec,debug decrypted.
11:59:39 ipsec,debug a59b7317 fae1c523 22043d55 e2a3925b 08102001 00000001 000001b4 01000018
11:59:39 ipsec,debug 3c24b9ec d9a18495 7ff1c11e 9038c156 651153f0 0a000118 00000001 00000001
11:59:39 ipsec,debug 02000038 01030401 1c2f0a3e 0000002c 010c0000 80040004 80060100 80050002
11:59:39 ipsec,debug 1c2f0a3e 00000028 010b0000 80040004 80050002 80010001 00020004 00000e10
11:59:39 ipsec,debug 80010002 00020004 0003d090 05000034 29dff407 58ec906a 5b003f20 815c0e34
11:59:39 ipsec,debug 36f264f2 10bbc574 0ffc1bf7 55857dff 65d4fd94 e2cc41d9 93b5069d 3fbe0b25
11:59:39 ipsec,debug 0500000c 011106a5 c0a80139 1500000c 011106a5 5965da26 1500000c 01000000
11:59:39 ipsec,debug c0a80139 0000000c 01000000 5965da26 00000000
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=8(hash) len=24
11:59:39 ipsec,debug seen nptype=1(sa) len=280
11:59:39 ipsec,debug seen nptype=10(nonce) len=52
11:59:39 ipsec,debug seen nptype=5(id) len=12
11:59:39 ipsec,debug seen nptype=5(id) len=12
11:59:39 ipsec,debug seen nptype=21(nat-oa) len=12
11:59:39 ipsec,debug seen nptype=21(nat-oa) len=12
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug received IDci2:
11:59:39 ipsec,debug 011106a5 c0a80139
11:59:39 ipsec,debug received IDcr2:
11:59:39 ipsec,debug 011106a5 5965da26
11:59:39 ipsec,debug HASH(1) validate:
11:59:39 ipsec,debug 3c24b9ec d9a18495 7ff1c11e 9038c156 651153f0
11:59:39 ipsec,debug HASH with:
11:59:39 ipsec,debug 00000001 0a000118 00000001 00000001 02000038 01030401 1c2f0a3e 0000002c
11:59:39 ipsec,debug 80050002 80010001 00020004 00000e10 80010002 00020004 0003d090 05000034
11:59:39 ipsec,debug 29dff407 58ec906a 5b003f20 815c0e34 36f264f2 10bbc574 0ffc1bf7 55857dff
11:59:39 ipsec,debug 65d4fd94 e2cc41d9 93b5069d 3fbe0b25 0500000c 011106a5 c0a80139 1500000c
11:59:39 ipsec,debug 011106a5 5965da26 1500000c 01000000 c0a80139 0000000c 01000000 5965da26
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug HASH computed:
11:59:39 ipsec,debug 3c24b9ec d9a18495 7ff1c11e 9038c156 651153f0
11:59:39 ipsec,debug total SA len=276
11:59:39 ipsec,debug 00000001 00000001 02000038 01030401 1c2f0a3e 0000002c 010c0000 80040004
11:59:39 ipsec,debug 80040004 80050002 80010001 00020004 00000e10 80010002 00020004 0003d090
11:59:39 ipsec,debug 00000034 05030401 1c2f0a3e 00000028 010b0000 80040004 80050002 80010001
11:59:39 ipsec,debug 00020004 00000e10 80010002 00020004 0003d090
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=2(prop) len=56
11:59:39 ipsec,debug seen nptype=2(prop) len=56
11:59:39 ipsec,debug seen nptype=2(prop) len=52
11:59:39 ipsec,debug seen nptype=2(prop) len=52
11:59:39 ipsec,debug seen nptype=2(prop) len=52
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug proposal #1 len=56
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=3(trns) len=44
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug transform #1 len=44
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug UDP encapsulation requested
11:59:39 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug proposal #2 len=56
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=3(trns) len=44
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug transform #1 len=44
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug UDP encapsulation requested
11:59:39 ipsec,debug type=Key Length, flag=0x8000, lorv=128
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug proposal #3 len=52
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=3(trns) len=40
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug transform #1 len=40
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug UDP encapsulation requested
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug proposal #4 len=52
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=3(trns) len=40
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug transform #1 len=40
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug UDP encapsulation requested
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug proposal #5 len=52
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=3(trns) len=40
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug transform #1 len=40
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug UDP encapsulation requested
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug pair 1:
11:59:39 ipsec,debug 0x1008b5f0: next=(nil) tnext=(nil)
11:59:39 ipsec,debug proposal #1: 1 transform
11:59:39 ipsec,debug pair 2:
11:59:39 ipsec,debug 0x1008b608: next=(nil) tnext=(nil)
11:59:39 ipsec,debug proposal #2: 1 transform
11:59:39 ipsec,debug pair 3:
11:59:39 ipsec,debug 0x1008baf8: next=(nil) tnext=(nil)
11:59:39 ipsec,debug proposal #3: 1 transform
11:59:39 ipsec,debug pair 4:
11:59:39 ipsec,debug 0x1008bb10: next=(nil) tnext=(nil)
11:59:39 ipsec,debug proposal #4: 1 transform
11:59:39 ipsec,debug pair 5:
11:59:39 ipsec,debug 0x1008cee8: next=(nil) tnext=(nil)
11:59:39 ipsec,debug proposal #5: 1 transform
11:59:39 ipsec,debug got the local address from ID payload x.x.x.x[1701] prefixlen=32 ul_proto=17
11:59:39 ipsec,debug got the peer address from ID payload 192.168.1.57[1701] prefixlen=32 ul_proto=17
11:59:39 ipsec,debug updating policy address because of NAT in transport mode
11:59:39 ipsec,debug new peer address x.x.x.x[1701]
11:59:39 ipsec searching for policy for selector: x.x.x.x:1701 ip-proto:17 x.x.x.x:1701 ip-proto:17
11:59:39 ipsec generating policy
11:59:39 ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=UDP-Transport reqid=19:19)
11:59:39 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
11:59:39 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
11:59:39 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha1)
11:59:39 ipsec,debug begin compare proposals.
11:59:39 ipsec,debug pair[1]: 0x1008b5f0
11:59:39 ipsec,debug 0x1008b5f0: next=(nil) tnext=(nil)
11:59:39 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug peer's single bundle:
11:59:39 ipsec,debug (proto_id=ESP spisize=4 spi=1c2f0a3e spi_p=00000000 encmode=UDP-Transport reqid=0:0)
11:59:39 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
11:59:39 ipsec,debug my single bundle:
11:59:39 ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=UDP-Transport reqid=19:19)
11:59:39 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
11:59:39 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
11:59:39 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha1)
11:59:39 ipsec Adjusting my encmode UDP-Transport->Transport
11:59:39 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
11:59:39 ipsec,debug matched
11:59:39 ipsec,debug ===
11:59:39 ipsec,debug call pfkey_send_getspi 48c
11:59:39 ipsec,debug pfkey GETSPI sent: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500]
11:59:39 ipsec,debug pfkey getspi sent.
11:59:39 ipsec,debug total SA len=64
11:59:39 ipsec,debug 00000001 00000001 00000038 01030401 00000000 0000002c 010c0000 80040004
11:59:39 ipsec,debug 80060100 80050002 80010001 00020004 00000e10 80010002 00020004 0003d090
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=2(prop) len=56
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug proposal #1 len=56
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=3(trns) len=44
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug transform #1 len=44
11:59:39 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Transport
11:59:39 ipsec,debug UDP encapsulation requested
11:59:39 ipsec,debug type=Key Length, flag=0x8000, lorv=256
11:59:39 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug type=SA Life Type, flag=0x8000, lorv=kilobytes
11:59:39 ipsec,debug type=SA Life Duration, flag=0x0000, lorv=4
11:59:39 ipsec,debug pair 1:
11:59:39 ipsec,debug 0x10087008: next=(nil) tnext=(nil)
11:59:39 ipsec,debug proposal #1: 1 transform
11:59:39 ipsec,debug NAT-OAi:
11:59:39 ipsec,debug 01001194 528dea19
11:59:39 ipsec,debug NAT-OAr:
11:59:39 ipsec,debug 01001194 5965da26
11:59:39 ipsec,debug add payload of len 64, next type 10
11:59:39 ipsec,debug add payload of len 24, next type 5
11:59:39 ipsec,debug add payload of len 8, next type 5
11:59:39 ipsec,debug add payload of len 8, next type 21
11:59:39 ipsec,debug add payload of len 8, next type 21
11:59:39 ipsec,debug add payload of len 8, next type 0
11:59:39 ipsec,debug HASH with:
11:59:39 ipsec,debug 00000001 29dff407 58ec906a 5b003f20 815c0e34 36f264f2 10bbc574 0ffc1bf7
11:59:39 ipsec,debug b0be1b06 5b411cfe 66ea240f 40befc70 def9c59d 0500000c 011106a5 c0a80139
11:59:39 ipsec,debug 1500000c 011106a5 5965da26 1500000c 01001194 528dea19 0000000c 01001194
11:59:39 ipsec,debug 5965da26
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug HASH computed:
11:59:39 ipsec,debug 5c4add62 eaa51dfc 288c6760 4bb77dd0 b9bf0617
11:59:39 ipsec,debug add payload of len 20, next type 1
11:59:39 ipsec,debug begin encryption.
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug pad length = 8
11:59:39 ipsec,debug 01000018 5c4add62 eaa51dfc 288c6760 4bb77dd0 b9bf0617 0a000044 00000001
11:59:39 ipsec,debug 9d0d3c42 b0be1b06 5b411cfe 66ea240f 40befc70 def9c59d 0500000c 011106a5
11:59:39 ipsec,debug c0a80139 1500000c 011106a5 5965da26 1500000c 01001194 528dea19 0000000c
11:59:39 ipsec,debug 01001194 5965da26 143e9aea 71c2e707
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug with key:
11:59:39 ipsec,debug 993d782a 32cb9854 94e6dacd a81f3467 737113d5 a63099d8
11:59:39 ipsec,debug encrypted payload by IV:
11:59:39 ipsec,debug 5ac01b01 6d91ffed
11:59:39 ipsec,debug save IV for next:
11:59:39 ipsec,debug b26af122 76af5bd8
11:59:39 ipsec,debug encrypted.
11:59:39 ipsec,debug 204 bytes from x.x.x.x[4500] to x.x.x.x[4500]
11:59:39 ipsec,debug 1 times of 208 bytes message will be sent to x.x.x.x[4500]
11:59:39 ipsec,debug,packet a59b7317 fae1c523 22043d55 e2a3925b 08102001 00000001 000000cc 3b325c69
11:59:39 ipsec,debug,packet a5a57fd4 6a124c3c b083aca5 7a998151 ea8fc18b 3fbc7531 a91a5600 afde0e6d
11:59:39 ipsec,debug,packet 34b6c000 b26af122 76af5bd8
11:59:39 ipsec sent phase2 packet x.x.x.x[4500] x.x.x.x[4500] a59b7317fae1c523:22043d55e2a3925b:00000001
11:59:39 ipsec,debug ===== received 60 bytes from x.x.x.x[4500] to x.x.x.x[4500]
11:59:39 ipsec,debug,packet a59b7317 fae1c523 22043d55 e2a3925b 08102001 00000001 0000003c 145cb7a2
11:59:39 ipsec,debug,packet 54e58732 9e5d9700 aff6a2fa 17f648a8 1c2b727a ebbd0ad5 8872c0a2
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug IV was saved for next processing:
11:59:39 ipsec,debug ebbd0ad5 8872c0a2
11:59:39 ipsec,debug encryption(3des)
11:59:39 ipsec,debug with key:
11:59:39 ipsec,debug 993d782a 32cb9854 94e6dacd a81f3467 737113d5 a63099d8
11:59:39 ipsec,debug decrypted payload by IV:
11:59:39 ipsec,debug b26af122 76af5bd8
11:59:39 ipsec,debug decrypted payload, but not trimed.
11:59:39 ipsec,debug 00000018 d7511734 296fa749 f7afd40a 54fd6004 92a36898 00000000 00000000
11:59:39 ipsec,debug padding len=1
11:59:39 ipsec,debug skip to trim padding.
11:59:39 ipsec,debug decrypted.
11:59:39 ipsec,debug a59b7317 fae1c523 22043d55 e2a3925b 08102001 00000001 0000003c 00000018
11:59:39 ipsec,debug d7511734 296fa749 f7afd40a 54fd6004 92a36898 00000000 00000000
11:59:39 ipsec,debug begin.
11:59:39 ipsec,debug seen nptype=8(hash) len=24
11:59:39 ipsec,debug succeed.
11:59:39 ipsec,debug HASH(3) validate:
11:59:39 ipsec,debug d7511734 296fa749 f7afd40a 54fd6004 92a36898
11:59:39 ipsec,debug HASH with:
11:59:39 ipsec,debug 00000000 0129dff4 0758ec90 6a5b003f 20815c0e 3436f264 f210bbc5 740ffc1b
11:59:39 ipsec,debug f755857d ff65d4fd 94e2cc41 d993b506 9d3fbe0b 259d0d3c 42b0be1b 065b411c
11:59:39 ipsec,debug fe66ea24 0f40befc 70def9c5 9d
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug HASH computed:
11:59:39 ipsec,debug d7511734 296fa749 f7afd40a 54fd6004 92a36898
11:59:39 ipsec,debug ===
11:59:39 ipsec,debug KEYMAT compute with
11:59:39 ipsec,debug 030e9102 4f29dff4 0758ec90 6a5b003f 20815c0e 3436f264 f210bbc5 740ffc1b
11:59:39 ipsec,debug f755857d ff65d4fd 94e2cc41 d993b506 9d3fbe0b 259d0d3c 42b0be1b 065b411c
11:59:39 ipsec,debug fe66ea24 0f40befc 70def9c5 9d
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug encryption(aes-cbc)
11:59:39 ipsec,debug hmac(sha1)
11:59:39 ipsec,debug encklen=256 authklen=160
11:59:39 ipsec,debug generating 640 bits of key (dupkeymat=4)
11:59:39 ipsec,debug generating K1. K4 for KEYMAT.
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug 63388f4b fc970061 da618e6c d2419b58 9214d155 65ef6985 81a5783c 56a22c9d
11:59:39 ipsec,debug 2659384a 34d92d92 32030746 656cff96
11:59:39 ipsec,debug KEYMAT compute with
11:59:39 ipsec,debug f755857d ff65d4fd 94e2cc41 d993b506 9d3fbe0b 259d0d3c 42b0be1b 065b411c
11:59:39 ipsec,debug fe66ea24 0f40befc 70def9c5 9d
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug encryption(aes-cbc)
11:59:39 ipsec,debug hmac(sha1)
11:59:39 ipsec,debug encklen=256 authklen=160
11:59:39 ipsec,debug generating 640 bits of key (dupkeymat=4)
11:59:39 ipsec,debug generating K1. K4 for KEYMAT.
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug hmac(hmac_sha1)
11:59:39 ipsec,debug b00fb234 af17d8bf 9ee09e12 ca94dcf5 b6fc890d 3ca10ae8 ddc0ff70 91b9c09c
11:59:39 ipsec,debug 1e2d071d 51a04e3b d31b33db f2b892da
11:59:39 ipsec,debug KEYMAT computed.
11:59:39 ipsec,debug call pk_sendupdate
11:59:39 ipsec,debug encryption(aes-cbc)
11:59:39 ipsec,debug hmac(sha1)
11:59:39 ipsec,debug call pfkey_send_update_nat
11:59:39 ipsec IPsec-SA established: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=0xe91024f
11:59:39 ipsec,debug pfkey update sent.
11:59:39 ipsec,debug encryption(aes-cbc)
11:59:39 ipsec,debug hmac(sha1)
11:59:39 ipsec,debug call pfkey_send_add_nat
11:59:39 ipsec IPsec-SA established: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=0x1c2f0a3e
11:59:39 ipsec,debug pfkey add sent.
11:59:46 ipsec,debug KA: x.x.x.x[4500]->x.x.x.x[4500]
11:59:46 ipsec,debug 1 times of 1 bytes message will be sent to x.x.x.x[4500]
11:59:46 ipsec,debug,packet ff
— Ctrl-C to quit. Space prints separator. New entries will appear at bottom.
[andrius@LF_Head-Office] >
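The dump above ends with the responder's chosen phase-2 SA as raw hex (the "total SA len=64" lines) and then shows how RouterOS decodes it: proposal #1 len=56, transform #1 len=44, Encryption Mode UDP-Transport, Key Length 256, hmac-sha1, and the two lifetimes. The decoder below is an added example, not RouterOS code or anything from the post: it parses that same 64-byte SA payload body according to the IPsec DOI (RFC 2407) and prints the fields, and it also walks payloads with several proposals and transforms, which is what a peer's initial offer looks like. The transform and attribute numbers are the standard DOI values; SAMPLE_SA_HEX is copied from the log, everything else is constructed for the example.

```python
"""Decoder for the IKEv1 (ISAKMP) SA payload body that the RouterOS
'ipsec,debug' log above dumps as raw hex.

Added example, not RouterOS or any project's code.  SAMPLE_SA_HEX is the
64-byte 'total SA len=64' dump copied from the log (the responder's selected
ESP proposal); the numeric tables are the IPsec DOI values from RFC 2407."""
import struct

# IPsec DOI attribute types used in ESP transforms (RFC 2407, section 4.5).
ATTR_NAMES = {1: "SA Life Type", 2: "SA Life Duration", 3: "Group Description",
              4: "Encryption Mode", 5: "Authentication Algorithm", 6: "Key Length"}
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}
# Encapsulation modes; 3 and 4 are the RFC 3947 NAT-T values the log calls UDP-*.
ENC_MODES = {1: "Tunnel", 2: "Transport", 3: "UDP-Tunnel", 4: "UDP-Transport"}
AUTH_ALGS = {1: "hmac-md5", 2: "hmac-sha1"}
ESP_TRANSFORMS = {3: "3DES", 12: "AES-CBC"}
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}

# Copied from the 'total SA len=64' lines of the log above.
SAMPLE_SA_HEX = (
    "00000001 00000001 00000038 01030401 00000000 0000002c 010c0000 80040004 "
    "80060100 80050002 80010001 00020004 00000e10 80010002 00020004 0003d090"
)


def parse_attributes(buf):
    """ISAKMP data attributes: a set high bit on the type means TV form (the
    value is the next 2 bytes); clear means TLV form (the next 2 bytes are a
    length, then the value).  Returns [(type, value), ...] in wire order."""
    attrs, off = [], 0
    while off + 4 <= len(buf):
        af_type, lorv = struct.unpack_from(">HH", buf, off)
        off += 4
        if af_type & 0x8000:
            value = lorv
        else:
            value = int.from_bytes(buf[off:off + lorv], "big")
            off += lorv
        attrs.append((af_type & 0x7FFF, value))
    return attrs


def describe_attr(atype, value):
    """Name the attribute the way the RouterOS log prints it, but with the real
    value decoded (the log prints lorv=4, the TLV length, for lifetimes)."""
    name = ATTR_NAMES.get(atype, "attr#%d" % atype)
    table = {1: LIFE_TYPES, 4: ENC_MODES, 5: AUTH_ALGS}.get(atype, {})
    return name, table.get(value, value)


def parse_sa_payload(data):
    """Parse an SA payload body: DOI, situation, then a chain of proposal
    payloads, each carrying a chain of transform payloads."""
    doi, situation = struct.unpack_from(">II", data, 0)
    off, proposals = 8, []
    while off < len(data):
        nxt, _r, plen, pnum, proto, spisize, ntrans = struct.unpack_from(">BBHBBBB", data, off)
        spi = data[off + 8: off + 8 + spisize]
        toff, transforms = off + 8 + spisize, []
        for _ in range(ntrans):
            _tn, _tr, tlen, tnum, tid = struct.unpack_from(">BBHBB", data, toff)
            attrs = parse_attributes(data[toff + 8: toff + tlen])  # 8-byte transform header
            transforms.append({
                "number": tnum,
                "id": ESP_TRANSFORMS.get(tid, tid) if proto == 3 else tid,
                "attributes": [describe_attr(a, v) for a, v in attrs],
            })
            toff += tlen
        proposals.append({"number": pnum, "protocol": PROTO_IDS.get(proto, proto),
                          "spi": spi.hex(), "transforms": transforms})
        if nxt == 0:          # next-payload 0 ends the proposal chain
            break
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def decode_hex_dump(hex_text):
    """Accept hex exactly as the log prints it (space-separated 32-bit words)."""
    return parse_sa_payload(bytes.fromhex(hex_text.replace(" ", "")))


if __name__ == "__main__":
    sa = decode_hex_dump(SAMPLE_SA_HEX)
    for p in sa["proposals"]:
        print("proposal #%d %s spi=%s" % (p["number"], p["protocol"], p["spi"]))
        for t in p["transforms"]:
            print("  transform #%d %s" % (t["number"], t["id"]))
            for name, value in t["attributes"]:
                print("    %s = %s" % (name, value))
```

Run against a peer's SA dump from a failed negotiation (logged with the packet topic on), this shows exactly which transform, key length, mode or lifetime the other side insisted on, which "no suitable proposal found" alone does not tell you. Lifetimes come out as their decoded values (3600 seconds, 250000 kilobytes), where the log only showed lorv=4, the TLV length.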
Re: L2TP IPSec (no suit proposal found)
Wed Jun 13, 2018 2:20 pm
And I have debug messages in the log which show the proposal coming from the peer, see example below.
In your case, there are no debug messages. So something must be different, either your setup or the post-processing of the log.
The settings must match on both ends for both phases.
/system logging
add topics=ipsec,!packet
Here is what Android sends:
22:33:29 ipsec IKE Protocol: IKE
22:33:29 ipsec proposal #1
22:33:29 ipsec enc: aes128-cbc
22:33:29 ipsec enc: aes192-cbc
22:33:29 ipsec enc: aes256-cbc
22:33:29 ipsec enc: 3des-cbc
22:33:29 ipsec prf: hmac-sha256
22:33:29 ipsec prf: hmac-sha384
22:33:29 ipsec prf: hmac-sha512
22:33:29 ipsec prf: unknown
22:33:29 ipsec prf: hmac-sha1
22:33:29 ipsec auth: sha256
22:33:29 ipsec auth: sha384
22:33:29 ipsec auth: sha512
22:33:29 ipsec auth: sha1
22:33:29 ipsec auth: unknown
22:33:29 ipsec dh: ecp521
22:33:29 ipsec dh: ecp256
22:33:29 ipsec dh: ecp384
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: modp3072
22:33:29 ipsec dh: modp4096
22:33:29 ipsec dh: modp6144
22:33:29 ipsec dh: modp8192
22:33:29 ipsec dh: modp2048
22:33:29 ipsec proposal #2
22:33:29 ipsec enc: aes128-gcm
22:33:29 ipsec enc: aes192-gcm
22:33:29 ipsec enc: aes256-gcm
22:33:29 ipsec enc: unknown
22:33:29 ipsec enc: unknown
22:33:29 ipsec enc: unknown
22:33:29 ipsec enc: unknown
22:33:29 ipsec enc: unknown
22:33:29 ipsec enc: unknown
22:33:29 ipsec enc: unknown
22:33:29 ipsec prf: hmac-sha256
22:33:29 ipsec prf: hmac-sha384
22:33:29 ipsec prf: hmac-sha512
22:33:29 ipsec prf: unknown
22:33:29 ipsec prf: hmac-sha1
22:33:29 ipsec dh: ecp521
22:33:29 ipsec dh: ecp256
22:33:29 ipsec dh: ecp384
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: modp3072
22:33:29 ipsec dh: modp4096
22:33:29 ipsec dh: modp6144
22:33:29 ipsec dh: modp8192
22:33:29 ipsec dh: modp2048
So for it I can, for example, pick the phase 1 config (Profiles tab) as enc: aes256-cbc, auth: sha256, prf: hmac-sha256 (or leave it on auto), dh: modp2048.
For phase 2 (Proposals tab): enc: aes256-cbc, auth: sha256.
22:33:31 ipsec IKE Protocol: ESP
22:33:31 ipsec proposal #1
22:33:31 ipsec enc: aes256-gcm
22:33:31 ipsec enc: aes128-gcm
22:33:31 ipsec enc: unknown
22:33:31 ipsec proposal #2
22:33:31 ipsec enc: aes256-cbc
22:33:31 ipsec enc: aes192-cbc
22:33:31 ipsec enc: aes128-cbc
22:33:31 ipsec auth: sha384
22:33:31 ipsec auth: sha256
22:33:31 ipsec auth: sha512
22:33:31 ipsec auth: sha1
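The post above reads the peer's algorithm lists off the ipsec log topic and picks the profile and proposal settings from them. The script below, an added example and not RouterOS code, replays that selection: it parses the "IKE Protocol / proposal # / enc: / prf: / auth: / dh:" lines (abridged from the Android log above and embedded as sample input), models the suggested Profiles-tab and Proposals-tab settings as sets, and reports which proposal would be chosen for each phase, or that none matches. The selection rule and the local dictionaries are my assumptions for the example; prf=None stands in for the auto setting.

```python
"""Replay the responder's proposal selection against the algorithm lists a
peer advertises, as printed with '/system logging add topics=ipsec,!packet'.

Added example, not RouterOS code.  SAMPLE_LOG is abridged from the Android
log in the post above; GOOD models the post's suggested settings and WEAK_DH
a profile still on dh-group=modp1024 (assumed values for illustration)."""
import re

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d ipsec (.*)$")

SAMPLE_LOG = """\
22:33:29 ipsec IKE Protocol: IKE
22:33:29 ipsec proposal #1
22:33:29 ipsec enc: aes128-cbc
22:33:29 ipsec enc: aes256-cbc
22:33:29 ipsec enc: 3des-cbc
22:33:29 ipsec prf: hmac-sha256
22:33:29 ipsec prf: unknown
22:33:29 ipsec auth: sha256
22:33:29 ipsec auth: sha1
22:33:29 ipsec dh: ecp256
22:33:29 ipsec dh: unknown
22:33:29 ipsec dh: modp2048
22:33:29 ipsec proposal #2
22:33:29 ipsec enc: aes128-gcm
22:33:29 ipsec enc: aes256-gcm
22:33:29 ipsec prf: hmac-sha256
22:33:29 ipsec dh: modp2048
22:33:31 ipsec IKE Protocol: ESP
22:33:31 ipsec proposal #1
22:33:31 ipsec enc: aes256-gcm
22:33:31 ipsec enc: aes128-gcm
22:33:31 ipsec proposal #2
22:33:31 ipsec enc: aes256-cbc
22:33:31 ipsec enc: aes128-cbc
22:33:31 ipsec auth: sha256
22:33:31 ipsec auth: sha1
"""


def parse_peer_proposals(lines):
    """Return {"IKE": [proposal, ...], "ESP": [...]}, each proposal being
    {category: [algorithm, ...]} in offered order.  'unknown' is an algorithm
    this RouterOS build cannot even name, so it can never match; drop it."""
    result, proto, current = {}, None, None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.startswith("IKE Protocol: "):
            proto, current = body.split(": ", 1)[1], None
        elif body.startswith("proposal #"):
            current = {}
            result.setdefault(proto, []).append(current)
        elif current is not None and ": " in body:
            cat, alg = body.split(": ", 1)
            if alg != "unknown":
                current.setdefault(cat, []).append(alg)
    return result


def select(peer_proposal, local):
    """Pick one algorithm per category as the responder must: every category
    the peer offers needs a locally accepted value (None or absent = 'auto',
    take the peer's first choice), and every category the local side insists
    on must be offered.  Returns the chosen set, or None for no match."""
    chosen = {}
    for cat, offered in peer_proposal.items():
        wanted = local.get(cat)
        if wanted is None:
            chosen[cat] = offered[0]
            continue
        common = [alg for alg in offered if alg in wanted]
        if not common:
            return None
        chosen[cat] = common[0]
    for cat, wanted in local.items():
        if wanted is not None and cat not in peer_proposal:
            return None
    return chosen


def negotiate(peer, local):
    """Per protocol: (proposal number, chosen algorithms) for the first peer
    proposal the local config accepts, or None, which is the case RouterOS
    logs as 'no suitable proposal found'."""
    outcome = {}
    for proto, proposals in peer.items():
        outcome[proto] = None
        for number, proposal in enumerate(proposals, 1):
            chosen = select(proposal, local[proto])
            if chosen:
                outcome[proto] = (number, chosen)
                break
    return outcome


# Phase 1 (Profiles tab) and phase 2 (Proposals tab) as the post suggests.
GOOD = {
    "IKE": {"enc": {"aes256-cbc"}, "auth": {"sha256"}, "prf": None, "dh": {"modp2048"}},
    "ESP": {"enc": {"aes256-cbc"}, "auth": {"sha256"}},
}
# Same, but the profile still on dh-group=modp1024, which Android does not offer.
WEAK_DH = {"IKE": dict(GOOD["IKE"], dh={"modp1024"}), "ESP": GOOD["ESP"]}

if __name__ == "__main__":
    peer = parse_peer_proposals(SAMPLE_LOG.splitlines())
    for label, cfg in (("post's settings", GOOD), ("dh-group=modp1024", WEAK_DH)):
        for proto, picked in negotiate(peer, cfg).items():
            print("%-18s %s: %s" % (label, proto, picked or "no suitable proposal found"))
```

The second configuration matches nothing in phase 1 because modp1024 is absent from the Android list, and that is the shape of this failure: the phase 2 proposal can be perfectly fine and the negotiation still never gets there.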
-
evgeniy7676
- Posts: 58
- Registered: 19 May 2016, 14:52
Task: configure MikroTik for iOS connections
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.10.1 name=ipsec use-encryption=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=ipsec enabled=yes ipsec-secret=12345678 max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip ipsec peer
add address=0.0.0.0/0 compatibility-options=skip-peer-id-validation dh-group=modp1024 dpd-interval=2s enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override secret=12345678
/ppp secret
add name=evgeniy password=evgeniy profile=ipsec remote-address=192.168.10.16 service=l2tp
It does not connect. Logs:
18:28:35 ipsec,info respond new phase 1 (Identity Protection): 31.41.111.111[500]<=>46.211.149.111[33916]
18:28:35 ipsec,error no suitable proposal found.
18:28:35 ipsec,error 46.211.149.111 failed to get valid proposal.
18:28:35 ipsec,error 46.211.149.111 failed to pre-process ph1 packet (side: 1, status 1).
18:28:35 ipsec,error 46.211.149.111 phase1 negotiation failed.
How do I set this up?
-
Chupaka
- Posts: 3631
- Registered: 29 Feb 2016, 15:26
- From: Minsk
- Contact information:
-
evgeniy7676
- Posts: 58
- Registered: 19 May 2016, 14:52
Re: Task: configure MikroTik for iOS connections
Post
evgeniy7676 » 01 Dec 2017, 11:43
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=12345678 max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes policy-template-group=group1 secret=12345678
/ip ipsec policy
set 0 group=group1
/ppp secret
add local-address=172.16.0.1 name=evgeniy password=evgeniy profile=default-encryption remote-address=172.16.0.2 service=l2tp
add local-address=172.16.0.1 name=evgeniy1 password=evgeniy1 profile=default-encryption remote-address=172.16.0.3 service=l2tp
add local-address=172.16.0.1 name=2 password=2 profile=default-encryption remote-address=172.16.0.4 service=l2tp
Suppose you have several branch offices linked by VPN (L2TP+IPSec) tunnels. Or without IPSec, anything can happen. Or the router sits at a relative's place in Germany and you use it to get around site blocking. Literally a day or two after setting it up, entries like these start appearing in the logs:
04:41:13 ipsec,info respond new phase 1 (Identity Protection): xxx.xxx.xxx.xxx[500]<=217.25.18.110[500]
04:41:13 ipsec,error no suitable proposal found.
04:41:13 ipsec,error 217.25.18.110 failed to get valid proposal.
04:41:13 ipsec,error 217.25.18.110 failed to pre-process ph1 packet (side: 1, status 1).
04:41:13 ipsec,error 217.25.18.110 phase1 negotiation fail
This means that some bot, run by kindly Uncle Liao or other comrades, is trying to connect / guess the password / figure out the authentication type. Or maybe someone is trying by hand to rattle the chimney of your estate, that is, your VPN.
I started looking for ways to protect against this and first came across a thread on the official forum, at the end of which there was a link to this set of scripts on Github.
Actually, everything there is as clear as day. For those who are not on good terms with English, I will explain simply and quickly how to use them for your own needs. Download the firewall rules and the 3 scripts. The former need to be edited: replace the ether1-WAN interface with your own and apply them on the MikroTik. Then move the rules higher up in the list.
Next, edit the scripts: change alerts@mail.srv to your mailbox, and in [:resolve mail.srv] change mail.srv to your SMTP server. Then add the scripts under System > Scripts, and after that to the scheduler under System > Scheduler.
Now all that is left is to check that it works: connect to the MikroTik via Winbox, open the logs and try to connect to the VPN server with incorrect credentials; an error should appear in the logs. After that, once the script has run, the IP will be added to the l2tp-brutforce list in the firewall and a message will arrive by email.
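As an added example (not the scripts from the Onoro/Mikrotik repository linked below, nor anything from the post), here is the same detection idea in Python: count repeated "phase1 negotiation failed" lines per source address inside a time window and emit the RouterOS commands that would put the offenders on the l2tp-brutforce address list. The threshold, the window and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RouterOS logs a failed IKE phase 1 as
# "HH:MM:SS ipsec,error <source ip> phase1 negotiation failed."
PHASE1_FAIL = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) ipsec,error "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) phase1 negotiation fail"
)

# Constructed sample log (not a real capture): 217.25.18.110 fails three
# times within 40 seconds, 46.211.149.111 fails once.
SAMPLE_LOG = """\
04:41:13 ipsec,info respond new phase 1 (Identity Protection): 203.0.113.1[500]<=>217.25.18.110[500]
04:41:13 ipsec,error no suitable proposal found.
04:41:13 ipsec,error 217.25.18.110 failed to get valid proposal.
04:41:13 ipsec,error 217.25.18.110 phase1 negotiation failed.
04:41:20 ipsec,error 217.25.18.110 phase1 negotiation failed.
04:41:35 ipsec,error 46.211.149.111 phase1 negotiation failed.
04:41:50 ipsec,error 217.25.18.110 phase1 negotiation failed.
"""


def parse_failures(log_text):
    """Return [(time, source_ip), ...] for each phase 1 failure line.
    RouterOS lines carry no date, so the times are naive times within one
    day; a window that crosses midnight is not handled here."""
    failures = []
    for line in log_text.splitlines():
        m = PHASE1_FAIL.match(line)
        if m:
            failures.append((datetime.strptime(m.group("ts"), "%H:%M:%S"),
                             m.group("ip")))
    return failures


def find_offenders(log_text, threshold=3, window_seconds=300):
    """Source IPs with at least `threshold` failures inside any window of
    `window_seconds`. A single mistyped secret from a legitimate user
    stays below the bar."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    offenders = []
    for ip, times in per_ip.items():
        times.sort()
        # Sliding window: failures i .. i+threshold-1 must fit in `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders.append(ip)
                break
    return sorted(offenders)


def address_list_commands(ips, list_name="l2tp-brutforce", timeout="1d"):
    """RouterOS commands adding each offender to the firewall address list
    that the post's firewall rules drop from (list name from the post)."""
    return [
        f"/ip firewall address-list add list={list_name} address={ip} "
        f"timeout={timeout} comment=\"repeated IKE phase1 failures\""
        for ip in ips
    ]


if __name__ == "__main__":
    for cmd in address_list_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```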
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
https://forum.mikrotik.com/viewtopic.php?t=58585
https://github.com/Onoro/Mikrotik
It’s difficult to imagine the IT world without virtual private networks (VPNs). Many inexpensive small home and office (SOHO) routers allow you to set up a VPN server with just a few clicks and support hardware acceleration for encryption algorithms. But if you’ve ever configured an Internet Protocol Security (IPsec)-based VPN, you know how much trouble configuring consistent encryption algorithms can bring. Generally, there shouldn’t be a problem if you configure both the VPN client and the server to use the same software versions.
This article demonstrates some troubleshooting steps for VPN misconfigurations using RouterOS as the example platform. While RouterOS v7 with WireGuard is still actively developed, many network devices don’t support WireGuard as an industry standard.
IPsec will remain relevant for a long time, and it’s important to be able to troubleshoot it.
A common VPN misconfiguration
Consider one of the most common cases. There’s a router configured with a VPN server, and the latest update has been released. The update might fix a critical CVE, add new features, or improve performance. But even a planned update can become a nightmare if you’re not prepared.
The example described in this article uses MikroTik's RouterOS v7.x with Fedora 35 as the client. Other clients can have similar problems, which are solved by configuring the server because many clients are not configurable.
In Fedora 35, two RPM packages implement IPsec. One is Libreswan, installed in the base system. The other is Strongswan, which can be substituted for Libreswan. Libreswan doesn’t have modp1024/DH2 support, so updating it (or installing the operating system with the default Libreswan client) will likely result in an inoperative VPN client.
This problem can be solved by replacing the Libreswan packages with Strongswan. This workaround helps until the next update.
Set up your environment
Before you can work through this tutorial, you need to configure the server and client.
Configure the server
For this demonstration, I intentionally configured the server to be inoperable because Fedora and RouterOS vendors use a fixed configuration on the latest software version by default.
/interface l2tp-server export show-sensitive
/interface l2tp-server server set default-profile=default enabled=yes ipsec-secret=12345678900987654321 use-ipsec=yes
/ppp export show-sensitive
/ppp secret add name=test1 password=test1
/ppp profile set *0 local-address=192.168.88.1 remote-address=default-dhcp
/ip ipsec export show-sensitive
/ip ipsec profile set [ find default=yes ] dh-group=modp1024 dpd-maximum-failures=10 enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256 pfs-group=none
/system logging add topics=debug
Configure the client
This example uses Fedora 35 running a 5.16.9 kernel and Libreswan version 4.6-1.
First, activate verbose logging in SELinux for IPsec:
$ semanage permissive -a ipsec_t
Next, create a connection:
$ nmcli c add con-name test1 type vpn vpn-type l2tp vpn.data 'gateway = 192.168.88.1, ipsec-enabled = yes, machine-auth-type = psk, user = test1, user-auth-type = password'
Start troubleshooting
After the environment is ready, you can start to solve problems.
First, activate the connection:
$ nmcli c up test1 --ask
After entering the password and pre-shared key (PSK), the connection completes with a res=failed error. View the logs with journalctl:
$ journalctl -af _TRANSPORT=audit
...
CRYPTO_IKE_SA pid=8392 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=initiator conn-name="dde76c3a-87c4-4ca9-b628-63e88dceca52" connstate=3 ike-version=1 auth=PRESHARED_KEY cipher=none ksize=0 integ=none prf=none pfs=none raddr=192.168.88.1 exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.88.207 terminal=? res=failed'
[...]
Executing journalctl -u ipsec shows the supported encryption algorithms, hash algorithms, the perfect forward secrecy (PFS) group, and so on:
$ journalctl -u ipsec
loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
...
ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA1-DH20, AES_CBC_128-HMAC_SHA1-DH19, 3DES_CBC-HMAC_SHA1-MODP2048
from whack: got --esp=aes256-sha1,aes128-sha1,3des-sha1
ESP/AH string values: AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96
...
There are two phases to create a connection between two peers:
- Phase 1 is the Internet Key Exchange (IKEv1/IKEv2).
- Phase 2 is the Authentication Header (AH) or Encapsulating Security Payload (ESP).
AH is deprecated, so it’s necessary to use ESP.
What happens in Phase 1?
Phase 1 creates a secure tunnel that can be used in Phase 2. During Phase 1, two hosts negotiate the identification method, encryption algorithms, hash algorithms, and Diffie-Hellman (DH) groups. Also, they identify each other.
Phase 1 can work in two modes: aggressive and main. The first mode can successfully be completed after an exchange of three unencrypted packets. The second one occurs after six. Initially, the sender and the receiver negotiate parameters for setting up IKE Security Association (SA). Then they establish a secret key using DH key exchange. Finally, they exchange identity information and authenticate each other.
The key negotiated in Phase 1 allows IKE peers to communicate securely in Phase 2. The Internet Security Association and Key Management Protocol (ISAKMP) is the negotiation protocol that lets two hosts agree on building an IPsec SA. When Phase 1 completes successfully, Phase 2 begins.
What happens in Phase 2?
In Phase 2, the participants negotiate the IPsec SAs for encrypting and authenticating the ensuing exchanges of user data. Each peer performs key computing and generates keys for IPsec SA encryption and authentication. That’s why each IPsec SA is guaranteed to use a unique key for subsequent data transfer encryption and authentication. In this phase, the message is encrypted by an encryption algorithm negotiated in Phase 1. This is also called Quick Mode.
Phase 2 can complete only after Phase 1 because all packets are encrypted. This complicates debugging at this stage. If Phase 2 completes successfully, an IPsec tunnel is created.
Check the server logs
In the previous logs, you can see a list of some encryption algorithms, hash algorithms, and DHs in Phase 1. They weren’t set anywhere during server and client configuration.
In Phase 2, it’s proposed to use _HMAC_SHA1_96 hashes (such as AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, and 3DES_CBC-HMAC_SHA1_96).
They have not been configured anywhere, either. This is significant because when the client and server establish a connection, they try to negotiate some parameters supported by each side. If they can’t negotiate them, the VPN connection won’t be established.
If you look at the server logs, you can see the following entries:
...
ipsec,debug proposal #0 len=256
ipsec,debug begin.
...
ipsec,debug transform #0 len=36
ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
ipsec,debug type=Life Duration, flag=0x8000, lorv=28800
ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
ipsec,debug,packet encryption(aes)
ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4
ipsec,debug hash(sha2_256)
ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
ipsec,debug dh(modp2048)
...
According to the algorithms list, this is what the client proposed to the server during the IKE stage. Next, Local (the server side) looks for a matching option in the following list:
[...]
ipsec,debug -compare proposal #1: Local:Peer
ipsec,debug (lifetime = 86400:28800)
ipsec,debug (lifebyte = 0:0)
ipsec,debug enctype = AES-CBC:AES-CBC
ipsec,debug (encklen = 256:256)
ipsec,debug hashtype = SHA:4
ipsec,debug authmethod = pre-shared key:pre-shared key
ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group
[...]
This continues until all options have been compared.
If you prefer to provision resources using the cloud provider’s default GUI (also known as ClickOps), you’ll have to wait longer for a successful connection because comparing all the suggested Peer options with all Local options takes some time.
The logs on the server side confirm the negotiation failed:
[...]
ipsec,error no suitable proposal found.
ipsec,error 192.168.88.207 failed to get valid proposal.
ipsec,error 192.168.88.207 phase1 negotiation failed.
[...]
This failure suggests a problem:
- In the latest versions, Libreswan deprecated modp1024/DH2, but this DH group was once used in RouterOS by default.
- If a client is used as is, then the IKE/ESP values might be incorrect by default.
This is why ESP fails without IKE.
Fix the problem
The first thing to do is to add or replace a supported DH group on both peers. The MikroTik wiki’s section about configuring Proposal shows some potential confusion:
Proposal information that will be sent by IKE daemons to establish SAs for certain policy.
Without knowing how the IPsec protocol works, the Proposal tab can be confused with the Profile tab. The first one refers to ESP (Phase 2), and the other one to IKE (Phase 1):
/ip ipsec profile set default dh-group=modp1024,modp2048
Reconnect and look at the client logs:
#1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
DPD: dpd_init() called on ISAKMP SA
The IKE SA stage completed successfully; the algorithms and the DH group were negotiated. The audit log confirms it:
CRYPTO_IKE_SA pid=13619 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=initiator conn-name="63d57ce1-1e4c-459e-8851-e693c6ae7a17" connstate=1 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP2048 raddr=192.168.88.1 exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.88.207 terminal=? res=success'
...
Now, cipher, ksize, integ, prf, and pfs have been defined, unlike in the logs at the beginning of debugging. On the server side, IKE SA completed successfully:
...
ipsec,debug authmethod = pre-shared key:pre-shared key
ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group
ipsec,debug -an acceptable proposal found-
ipsec,debug dh(modp2048)
ipsec,debug -agreed on pre-shared key auth-
...
ipsec,info ISAKMP-SA established 192.168.88.1[500]-192.168.88.207[500] spi:054565abedbe9592:584e50c6c2b1db04
...
Phase 2 follows Phase 1:
...
child state #2: UNDEFINED(ignore) => QUICK_I1(established CHILD SA)
#2: initiating Quick Mode IKEv1+PSK+ENCRYPT+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:ea5eec40 proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP2048}
...
#2: sent Quick Mode request
...
#1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
...
In Phase 2, Quick Mode completes with a message log NO_PROPOSAL_CHOSEN.
After initiating Quick Mode you can see that Peer (client-side) proposes algorithms and the PFS group that was declined by Local:
...
ipsec,debug peer's single bundle:
ipsec,debug (proto_id=ESP spisize=4 spi=021b8170 spi_p=00000000 encmode=Transport reqid=0:0)
ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha1)
ipsec,debug my single bundle:
ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=96:96)
ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha256)
ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-sha256)
ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha256)
ipsec,debug not matched
ipsec,error no suitable proposal found.
ipsec,error 192.168.88.207 failed to pre-process ph2 packet.
...
In the logs, the ESP hash algorithms did not match. If SHA1 is added to the Proposal section on the server side, all the phases will complete successfully.
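A small model of the comparison that the server logs as "compare proposal: Local:Peer", covering both the Phase 1 DH mismatch (modp1024 vs modp2048) and the Phase 2 hash mismatch (hmac-sha1 vs hmac-sha256) shown above. This is an added example, not the article's or RouterOS's code: the dataclasses, the profile expansion and the responder walking the peer's list in the order it was sent are assumptions; the algorithm values are taken from the article's logs.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Ike:
    """One Phase 1 (IKE SA) transform: the fields RouterOS prints as
    enctype / encklen / hashtype / authmethod / dh_group."""
    enc: str
    keylen: int
    hash_alg: str
    dh: str
    auth: str = "pre-shared key"


@dataclass(frozen=True)
class Esp:
    """One Phase 2 (IPsec SA) transform: trns_id / encklen / authtype."""
    enc: str
    keylen: int
    integ: str


def profile_transforms(encs, hashes, dhs):
    """Expand a RouterOS /ip ipsec profile (Phase 1) into every enc/hash/dh
    combination it accepts; encs are ("aes", 256)-style pairs."""
    return [Ike(e, k, h, d) for (e, k), h, d in product(encs, hashes, dhs)]


def proposal_transforms(encs, auths):
    """Expand a RouterOS /ip ipsec proposal (Phase 2) the same way."""
    return [Esp(e, k, a) for (e, k), a in product(encs, auths)]


def negotiate(local, peer):
    """Responder-side search: walk the peer's transforms in the order sent and
    return the first one also present locally, else None (the log's
    "no suitable proposal found"). Lifetime is ignored: RouterOS logs it
    (86400:28800) but does not require the two sides to agree on it."""
    accepted = set(local)
    for theirs in peer:
        if theirs in accepted:
            return theirs
    return None


# Phase 1 proposals the Libreswan client sent ("ike (phase1) algorithm values").
CLIENT_IKE = [
    Ike("aes", 256, "sha2_256", "modp2048"),
    Ike("aes", 256, "sha2_256", "modp1536"),
    Ike("aes", 256, "sha1", "modp2048"),
    Ike("aes", 256, "sha1", "modp1536"),
    Ike("aes", 256, "sha1", "dh20"),
    Ike("aes", 128, "sha1", "dh19"),
    Ike("3des", 0, "sha1", "modp2048"),
]
AES_KEYS = [("aes", 256), ("aes", 192), ("aes", 128)]

# Server profile before the fix: enc-algorithm=aes-256,aes-192,aes-128,
# the default sha1 hash, dh-group=modp1024 (the log's "hashtype = SHA:4").
SERVER_IKE_BEFORE = profile_transforms(AES_KEYS, ["sha1"], ["modp1024"])
# After "/ip ipsec profile set default dh-group=modp1024,modp2048".
SERVER_IKE_AFTER = profile_transforms(AES_KEYS, ["sha1"], ["modp1024", "modp2048"])

# Phase 2: the client's default esp=aes256-sha1,aes128-sha1,3des-sha1 against
# the server proposal with auth-algorithms=sha256.
CLIENT_ESP_DEFAULT = [Esp("aes", 256, "sha1"), Esp("aes", 128, "sha1"), Esp("3des", 0, "sha1")]
CLIENT_ESP_FIXED = [Esp("aes", 256, "sha256")]          # ipsec-esp=aes256-sha256
SERVER_ESP = proposal_transforms(AES_KEYS, ["sha256"])
SERVER_ESP_WITH_SHA1 = proposal_transforms(AES_KEYS, ["sha256", "sha1"])

if __name__ == "__main__":
    print("phase1 before fix:", negotiate(SERVER_IKE_BEFORE, CLIENT_IKE))
    print("phase1 after fix: ", negotiate(SERVER_IKE_AFTER, CLIENT_IKE))
    print("phase2 defaults:  ", negotiate(SERVER_ESP, CLIENT_ESP_DEFAULT))
    print("phase2 client fix:", negotiate(SERVER_ESP, CLIENT_ESP_FIXED))
    print("phase2 server fix:", negotiate(SERVER_ESP_WITH_SHA1, CLIENT_ESP_DEFAULT))
```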
From Libreswan’s IPsec configuration and connections documentation:
ike: IKE encryption/authentication algorithm to be used for the connection (phase 1 aka ISAKMP SA). The format is "cipher-hash;modpgroup, cipher-hash;modpgroup, ..." Any left out option will be filled in with all allowed default options. Multiple proposals are separated by a comma.
esp: Specifies the algorithms that will be offered/accepted for a Child SA negotiation. If not specified, a secure set of defaults will be used. Sets are separated using commas and pluses.
If some of the options in the section are not defined, Libreswan will use the Diffie-Hellman group values by default. However, you should check the configuration files:
$ sudo grep -E 'include|esp|ike' /etc/ipsec.conf
ikev2=insist
include /etc/crypto-policies/back-ends/libreswan.config
include /etc/ipsec.d/*.conf
$ sudo grep -E 'include|esp|ike' /etc/crypto-policies/back-ends/libreswan.config
...
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
At first glance, it seems that the settings have been found. But if you compare them with the Local and Peer logs from Phase 1, there is no match. The configuration files propose settings for more secure connections, and the ikev2 option requires the second version of the protocol.
That is why the settings from the configuration files can be overridden at each stage.
The NetworkManager-l2tp plugin is the next component participating in the process of establishing a connection. Its configuration files are generated in /var/run/nm-l2tp-ID-CONNECTION/:
$ sudo grep -E 'include|esp|ike' /var/run/nm-l2tp-a7e327a8-8f5c-4a2f-b116-bb695fd9e760/
ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048 esp=aes256-sha1,aes128-sha1,3des-sha1
ikev2=no
Now you have everything you need. If you look at the IPsec IKEv1 weak legacy algorithms and backward compatibility documentation for the nm-l2tp plugin, you can find which algorithms are used by default, and the logs confirm this. The plugin's configuration files take priority.
To establish a connection, it is necessary to add the ipsec-esp option to the connection setting:
$ nmcli c modify test1 vpn.data ipsec-esp=aes256-sha256,gateway=192.168.88.1,ipsec-enabled=yes,machine-auth-type=psk,user=test1,user-auth-type=password
$ nmcli c up test1
The connection has been established successfully, and IPsec audit logs have the success status:
audit[11793]: CRYPTO_IPSEC_SA pid=11793 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start conn-name="63d57ce1-1e4c-459e-8851-e693c6ae7a17" connstate=2, satype=ipsec-esp samode=transport cipher=AES ksize=256 integ=HMAC_SHA2_256 in-spi=19716967(0x19716967) out-spi=105637207(0x105637207) in-ipcomp=0(0x00000000) out-ipcomp=0(0x0000000... exe="/usr/libexec/ipsec/pluto" hostname=? addr=192.168.88.207 terminal=? res=success'
...
ESP settings are different from the default ones:
...
from whack: got --esp=aes256-sha256
ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128
Quick Mode completes successfully:
...
#2: initiating Quick Mode IKEv1+PSK+ENCRYPT+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:f7f0d4cd proposal=AES_CBC_256-HMAC_SHA2_256_128 pfsgroup=MODP2048}
...
#2: sent Quick Mode request
...
#2: IPsec SA established transport mode {ESP=>0x0af7d490 <0x1ef38071 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=passive}
...
In the logs on the server side, Phase 2 completes with matched status:
...
ipsec,debug peer's single bundle:
ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha256)
ipsec,debug my single bundle:
ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha256)
ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-sha256)
ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha256)
ipsec,debug matched
...
Key takeaways
Although many users choose OpenVPN and WireGuard, IPsec still takes the lead in the world of tunnel building. However, its debugging can be problematic, especially if you don’t know all the details.
This article shows a few problems VPN users and administrators can face. I hope this article will help make IPsec debugging easier.
The remote device, a usg60 at 186.37.112.232 (with network 192.168.237.0/24 behind it),
does not connect to racoon at 19.124.100.5 (with network 192.168.206.0/24 behind it).
/etc/racoon/racoon.conf
log debug;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 186.37.112.232 {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}
sainfo address 192.168.206.0/24[any] any address 192.168.237.0/24[any] any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
/etc/ipsec-tools.conf
/etc/racoon/psk.txt
186.37.112.232 345346535467546
Aug 3 13:53:17 debro racoon: DEBUG: ===
Aug 3 13:53:17 debro racoon: DEBUG: 398 bytes message received from 186.37.112.232[500] to 19.124.100.5[500]
Aug 3 13:53:17 debro racoon: DEBUG: #012b4218a9b ed305e7a 00000000 00000000 01100200 00000000 0000018e 0d000038#01200000001 00000001 0000002c 00010001 00000024 00010000 80010001 80020001#01280030001 80040001 800b0001 000c0004 00015180 0d000014 f758f226 8b2b3520#012240880e4 3354895b b963c13a 4b95f58c 461f68a6 2e5ec2a5 46abd94c 95499191#012bb841687 86734168 9ef2c95e fea36d69 85365dd5 3d387684 11efb795 1ab2eb01#01236ea47ee c4975e5a f16a2c26 766eea7a 6693e2eb 27373395 1c5ea48e ad60e5be#012fc4b90bb d00a9c44 3f872706 ae40
Aug 3 13:53:17 debro racoon: DEBUG: ===
Aug 3 13:53:17 debro racoon: INFO: respond new phase 1 negotiation: 19.124.100.5[500]<=>186.37.112.232[500]
Aug 3 13:53:17 debro racoon: INFO: begin Identity Protection mode.
Aug 3 13:53:17 debro racoon: DEBUG: begin.
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=1(sa)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=13(vid)
Aug 3 13:53:17 debro racoon: DEBUG: succeed.
Aug 3 13:53:17 debro racoon: DEBUG: received unknown Vendor ID
Aug 3 13:53:17 debro racoon: DEBUG: #012f758f226 68750f03 b08df6eb e1d00403
Aug 3 13:53:17 debro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug 3 13:53:17 debro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Aug 3 13:53:17 debro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Aug 3 13:53:17 debro racoon: INFO: received Vendor ID: RFC 3947
Aug 3 13:53:17 debro racoon: INFO: received Vendor ID: DPD
Aug 3 13:53:17 debro racoon: DEBUG: remote supports DPD
Aug 3 13:53:17 debro racoon: DEBUG: received unknown Vendor ID
Aug 3 13:53:17 debro racoon: DEBUG: #012afcad713 68a1f1c9 6b8696fc 7757
Aug 3 13:53:17 debro racoon: DEBUG: received unknown Vendor ID
Aug 3 13:53:17 debro racoon: DEBUG: #012c44fedc7 49f9e6ae 5b04ec96 9cb25d69
Aug 3 13:53:17 debro racoon: DEBUG: received unknown Vendor ID
Aug 3 13:53:17 debro racoon: DEBUG: #012f9196df8 6b812fb0 f68026d8 876dcb7b 00042500
Aug 3 13:53:17 debro racoon: DEBUG: received unknown Vendor ID
Aug 3 13:53:17 debro racoon: DEBUG: #012ac40f8c4 389927c6 e8ac2453 1bb78b2b 35202408 2c26766e#012ea7a6693 e2eb2737 33951c5e a48ead60 e5befc4b 90bbd00a 9c443f87 2706ae40
Aug 3 13:53:17 debro racoon: DEBUG: total SA len=52
Aug 3 13:53:17 debro racoon: DEBUG: #01200000001 00000001 0000002c 00010001 00000024 00010000 80010001 80020001#01280030001 80040001 800b0001 000c0004 00015180
Aug 3 13:53:17 debro racoon: DEBUG: begin.
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=2(prop)
Aug 3 13:53:17 debro racoon: DEBUG: succeed.
Aug 3 13:53:17 debro racoon: DEBUG: proposal #0 len=44
Aug 3 13:53:17 debro racoon: DEBUG: begin.
Aug 3 13:53:17 debro racoon: DEBUG: seen nptype=3(trns)
Aug 3 13:53:17 debro racoon: DEBUG: succeed.
Aug 3 13:53:17 debro racoon: DEBUG: transform #0 len=36
Aug 3 13:53:17 debro racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Aug 3 13:53:17 debro racoon: DEBUG: encryption(des)
Aug 3 13:53:17 debro racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Aug 3 13:53:17 debro racoon: DEBUG: hash(md5)
Aug 3 13:53:17 debro racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Aug 3 13:53:17 debro racoon: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
Aug 3 13:53:17 debro racoon: DEBUG: hmac(modp768)
Aug 3 13:53:17 debro racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Aug 3 13:53:17 debro racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Aug 3 13:53:17 debro racoon: DEBUG: pair 0:
Aug 3 13:53:17 debro racoon: DEBUG: 0x7f149e7919e0: next=(nil) tnext=(nil)
Aug 3 13:53:17 debro racoon: DEBUG: proposal #0: 1 transform
Aug 3 13:53:17 debro racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Aug 3 13:53:17 debro racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Aug 3 13:53:17 debro racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Aug 3 13:53:17 debro racoon: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
Aug 3 13:53:17 debro racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Aug 3 13:53:17 debro racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Aug 3 13:53:17 debro racoon: DEBUG: prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1
Aug 3 13:53:17 debro racoon: DEBUG: trns#=0, trns-id=IKE
Aug 3 13:53:17 debro racoon: DEBUG: lifetime = 86400
Aug 3 13:53:17 debro racoon: DEBUG: lifebyte = 0
Aug 3 13:53:17 debro racoon: DEBUG: enctype = DES-CBC
Aug 3 13:53:17 debro racoon: DEBUG: encklen = 0
Aug 3 13:53:17 debro racoon: DEBUG: hashtype = MD5
Aug 3 13:53:17 debro racoon: DEBUG: authmethod = pre-shared key
Aug 3 13:53:17 debro racoon: DEBUG: dh_group = 768-bit MODP group
Aug 3 13:53:17 debro racoon: ERROR: no suitable proposal found.
Aug 3 13:53:17 debro racoon: [186.37.112.232] ERROR: failed to get valid proposal.
Aug 3 13:53:17 debro racoon: [186.37.112.232] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
Aug 3 13:53:17 debro racoon: [186.37.112.232] ERROR: phase1 negotiation failed
Please advise.