Hello @misc,

I've set up remote access with iked on OpenBSD 5.7-stable and several MS clients. When a second client connects to the remote access, the flow of the first one is dropped (something like 1 packet in 100 reaches enc0). Clients are on Windows 8.1 with the default VPN client.

Any idea on how to troubleshoot this? I suspect something around flow replacement (here are the logs of iked):

[...]
ikev2_childsa_enable: loaded CHILD SA spi 0x9d5e19c4
ikev2_childsa_enable: replaced old flow 0x8fe6dc86400 with 0x8fefa32ec00
ikev2_childsa_enable: loaded flow 0x8fefa32ec00
ikev2_childsa_enable: replaced old flow 0x8ff01226c00 with 0x8ff01223800
ikev2_childsa_enable: loaded flow 0x8ff01223800
[...]

Please find below several configuration files and logs.

===
# cat /etc/iked.conf
ikev2 "XXX" quick passive esp \
        inet from 0.0.0.0/0 to x.x.x.x/24 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        local a.a.a.a peer any \
        srcid b.b.b.b \
        config address x.x.x.x/27

===
cat /etc/pf.conf
set block-policy drop
set loginterface egress
set state-policy if-bound
set fingerprints "/etc/pf.os"
set reassemble yes
set skip on { lo, enc }
match in all scrub (no-df random-id max-mss 1440)
pass in quick on egress proto udp to egress port {isakmp, ipsec-nat-t} modulate state
pass in quick on egress proto {ah, esp} to egress modulate state
pass out quick on egress proto {icmp,tcp,udp} from x.x.x.x/24 modulate state
block in log quick all
block out log quick all

===
# sysctl -a
[...]
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1
[...]
===
# ipsecctl -sa
FLOWS:
flow esp in from x.x.x.x/24 to 0.0.0.0/0 peer c.c.c.c srcid IPV4/b.b.b.b type use
flow esp out from 0.0.0.0/0 to x.x.x.x/24 peer c.c.c.c srcid IPV4/b.b.b.b type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from c.c.c.c to a.a.a.a spi 0x468a14be auth hmac-sha2-256 enc aes-256
esp tunnel from a.a.a.a to c.c.c.c spi 0x9ddf6c16 auth hmac-sha2-256 enc aes-256
esp tunnel from a.a.a.a to c.c.c.c spi 0xd5b9f060 auth hmac-sha2-256 enc aes-256
esp tunnel from c.c.c.c to a.a.a.a spi 0xf4cdc4f2 auth hmac-sha2-256 enc aes-256

===
# /sbin/iked -dvv
/etc/iked.conf: loaded 1 configuration rules
config_getpolicy: received policy ikev2 "XXXX" quick passive esp inet from 0.0.0.0/0 to x.x.x.x/24 local a.a.a.a peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid b.b.b.b lifetime 10800 bytes 536870912 rsa config address x.x.x.x
ca_reload: loaded ca file ca.crt
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
ca_reload: loaded crl file ca.crl
config_getsocket: received socket fd 7
ca_reload: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=VPN CA/emailAddress=email
config_getsocket: received socket fd 8
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file a.a.a.a.crt
ca_reload: loaded cert file b.b.b.b.crt
ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=a.a.a.a/emailAddress=email ok
ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=b.b.b.b/emailAddress=email ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
ikev2_recv: IKE_SA_INIT request from initiator c.c.c.c:50701 to a.a.a.a:500 policy 'XXXX' id 0, 536 bytes
ikev2_recv: ispi 0xba258ebbe9a1f1cd rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/b.b.b.b length 8
ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 536 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xba258ebbe9a1f1cd 0x0000000000000000 c.c.c.c:50701
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xba258ebbe9a1f1cd 0x0000000000000000 a.a.a.a:500
ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xba258ebbe9a1f1cd 0xa320d35dbe67c24b a.a.a.a:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xba258ebbe9a1f1cd 0xa320d35dbe67c24b c.c.c.c:50701
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 457 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from a.a.a.a:500 to c.c.c.c:50701 msgid 0, 457 bytes
config_free_proposals: free 0x8fedb02a300
ikev2_recv: IKE_AUTH request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 1, 1984 bytes
ikev2_recv: ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b
ikev2_recv: updated SA to peer c.c.c.c:61646 local a.a.a.a:4500
ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1984 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1956
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1920
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1920/1920 padding 8
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 150
ikev2_pld_id: id ASN1_DN//C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8/emailAddress=email length 146
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1016
ikev2_pld_cert: type X509_CERT length 1011
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 265
ikev2_pld_certreq: type X509_CERT length 260
ikev2_policy2id: srcid IPV4/b.b.b.b length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
ikev2_pld_cp: type REQUEST length 28
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x65829f20
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x00, require 0x00
policy_lookup: peerid '/C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8/emailAddress=email'
ikev2_msg_auth: responder auth data length 537
ca_setauth: auth length 537
ikev2_msg_auth: initiator auth data length 600
ikev2_msg_authverify: method RSA_SIG keylen 1011 type X509_CERT
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x10 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x8ff4dd1e580
ca_getreq: found CA /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=VPN CA/emailAddress=email
ca_x509_subjectaltname: IPV4/a.a.a.a
ca_x509_subjectaltname_cmp: IPV4/a.a.a.a mismatched
ca_x509_subjectaltname: IPV4/b.b.b.b
ca_getreq: found local certificate /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=b.b.b.b/emailAddress=email
ca_setauth: auth length 256
ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8/emailAddress=email ok
ikev2_getimsgdata: imsg 18 rspi 0xa320d35dbe67c24b ispi 0xba258ebbe9a1f1cd initiator 0 sa valid type 4 data length 1025
ikev2_dispatch_cert: cert type X509_CERT length 1025, ok
sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 23 rspi 0xa320d35dbe67c24b ispi 0xba258ebbe9a1f1cd initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x19 -> 0x1d cert,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x1d, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x1d -> 0x1f cert,certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_cp_setaddr: mask e0ffffff start 5 lower 1 host 5 upper 1f
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: IKED (4)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xdf4cbb16
pfkey_sa_init: new spi 0xdf4cbb16
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1030 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload CP
ikev2_next_payload: length 24 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1422
ikev2_msg_encrypt: padded length 1424
ikev2_msg_encrypt: length 1423, padding 1, output length 1456
ikev2_next_payload: length 1460 nextpayload IDr
ikev2_msg_integr: message length 1488
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1488 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1460
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1424
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1424/1424 padding 1
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
ikev2_pld_id: id IPV4/b.b.b.b length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1030
ikev2_pld_cert: type X509_CERT length 1025
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 24
ikev2_pld_cp: type REPLY length 16
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xdf4cbb16
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start x.x.x.x end x.x.x.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH response from a.a.a.a:4500 to c.c.c.c:61646 msgid 1, 1488 bytes, NAT-T
pfkey_sa_add: update spi 0xdf4cbb16
pfkey_sa: udpencap port 61646
ikev2_childsa_enable: loaded CHILD SA spi 0xdf4cbb16
pfkey_sa_add: add spi 0x65829f20
pfkey_sa: udpencap port 61646
ikev2_childsa_enable: loaded CHILD SA spi 0x65829f20
ikev2_childsa_enable: loaded flow 0x8fe6dc86400
ikev2_childsa_enable: loaded flow 0x8ff01226c00
sa_state: VALID -> ESTABLISHED from c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX'
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
ikev2_recv: IKE_SA_INIT request from initiator c.c.c.c:59846 to a.a.a.a:500 policy 'XXXX' id 0, 536 bytes
ikev2_recv: ispi 0x562d03e53c773ab6 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/b.b.b.b length 8
ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 536 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x562d03e53c773ab6 0x0000000000000000 c.c.c.c:59846
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x562d03e53c773ab6 0x0000000000000000 a.a.a.a:500
ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x562d03e53c773ab6 0xe05591f1cc45d3d7 a.a.a.a:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x562d03e53c773ab6 0xe05591f1cc45d3d7 c.c.c.c:59846
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 457 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from a.a.a.a:500 to c.c.c.c:59846 msgid 0, 457 bytes
config_free_proposals: free 0x8fedb02a400
ikev2_recv: IKE_AUTH request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 1, 1984 bytes
ikev2_recv: ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7
ikev2_recv: updated SA to peer c.c.c.c:58838 local a.a.a.a:4500
ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1984 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1956
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1920
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1920/1920 padding 2
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 152
ikev2_pld_id: id ASN1_DN//C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8-2/emailAddress=email length 148
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1020
ikev2_pld_cert: type X509_CERT length 1015
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 265
ikev2_pld_certreq: type X509_CERT length 260
ikev2_policy2id: srcid IPV4/b.b.b.b length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
ikev2_pld_cp: type REQUEST length 28
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x9d5e19c4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x00, require 0x00
policy_lookup: peerid '/C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8-2/emailAddress=email'
ikev2_msg_auth: responder auth data length 537
ca_setauth: auth length 537
ikev2_msg_auth: initiator auth data length 600
ikev2_msg_authverify: method RSA_SIG keylen 1015 type X509_CERT
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x10 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x8ff4dd1e400
ca_getreq: found CA /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=VPN CA/emailAddress=email
ca_x509_subjectaltname: IPV4/a.a.a.a
ca_x509_subjectaltname_cmp: IPV4/a.a.a.a mismatched
ca_x509_subjectaltname: IPV4/b.b.b.b
ca_getreq: found local certificate /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=b.b.b.b/emailAddress=email
ca_setauth: auth length 256
ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8-2/emailAddress=email ok
ikev2_getimsgdata: imsg 18 rspi 0xe05591f1cc45d3d7 ispi 0x562d03e53c773ab6 initiator 0 sa valid type 4 data length 1025
ikev2_dispatch_cert: cert type X509_CERT length 1025, ok
sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 23 rspi 0xe05591f1cc45d3d7 ispi 0x562d03e53c773ab6 initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x19 -> 0x1d cert,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x1d, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x1d -> 0x1f cert,certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_cp_setaddr: mask e0ffffff start 4 lower 1 host 4 upper 1f
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: IKED (4)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x5e371164
pfkey_sa_init: new spi 0x5e371164
sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1030 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload CP
ikev2_next_payload: length 24 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1422
ikev2_msg_encrypt: padded length 1424
ikev2_msg_encrypt: length 1423, padding 1, output length 1456
ikev2_next_payload: length 1460 nextpayload IDr
ikev2_msg_integr: message length 1488
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1488 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1460
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1424
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1424/1424 padding 1
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
ikev2_pld_id: id IPV4/b.b.b.b length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1030
ikev2_pld_cert: type X509_CERT length 1025
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 24
ikev2_pld_cp: type REPLY length 16
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x5e371164
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start x.x.x.x end x.x.x.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH response from a.a.a.a:4500 to c.c.c.c:58838 msgid 1, 1488 bytes, NAT-T
pfkey_sa_add: update spi 0x5e371164
pfkey_sa: udpencap port 58838
ikev2_childsa_enable: loaded CHILD SA spi 0x5e371164
pfkey_sa_add: add spi 0x9d5e19c4
pfkey_sa: udpencap port 58838
ikev2_childsa_enable: loaded CHILD SA spi 0x9d5e19c4
ikev2_childsa_enable: replaced old flow 0x8fe6dc86400 with 0x8fefa32ec00
ikev2_childsa_enable: loaded flow 0x8fefa32ec00
ikev2_childsa_enable: replaced old flow 0x8ff01226c00 with 0x8ff01223800
ikev2_childsa_enable: loaded flow 0x8ff01223800
sa_state: VALID -> ESTABLISHED from c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX'
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17

Any help appreciated.

Regards,
C.
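One way to pull the diagnostic signal out of the two outputs in the post, as an added example that is not part of the original message: it groups the `ikev2_childsa_enable` events by IKE SA and reports a later client whose flows replaced an earlier client's, and it compares the ESP tunnels in the SAD against the usable flow pairs per peer. The sample lines are copied from the post; the function names and the per-peer counting heuristic are my own.

```python
"""Correlate iked(8) -dvv output with ipsecctl -sa output to spot road-warrior
flow clobbering: when two clients negotiate identical traffic selectors, the
second client's flows replace the first client's, so the first one's traffic
no longer reaches enc0 even though its CHILD SAs are still in the SAD."""
import re

# Constructed sample: the flow-related lines from the post, noise removed.
SAMPLE_IKED_LOG = """\
ikev2_childsa_enable: loaded CHILD SA spi 0xdf4cbb16
ikev2_childsa_enable: loaded CHILD SA spi 0x65829f20
ikev2_childsa_enable: loaded flow 0x8fe6dc86400
ikev2_childsa_enable: loaded flow 0x8ff01226c00
sa_state: VALID -> ESTABLISHED from c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX'
ikev2_childsa_enable: loaded CHILD SA spi 0x5e371164
ikev2_childsa_enable: loaded CHILD SA spi 0x9d5e19c4
ikev2_childsa_enable: replaced old flow 0x8fe6dc86400 with 0x8fefa32ec00
ikev2_childsa_enable: loaded flow 0x8fefa32ec00
ikev2_childsa_enable: replaced old flow 0x8ff01226c00 with 0x8ff01223800
ikev2_childsa_enable: loaded flow 0x8ff01223800
sa_state: VALID -> ESTABLISHED from c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX'
"""

# Constructed sample: the ipsecctl -sa output from the post.
SAMPLE_IPSECCTL = """\
FLOWS:
flow esp in from x.x.x.x/24 to 0.0.0.0/0 peer c.c.c.c srcid IPV4/b.b.b.b type use
flow esp out from 0.0.0.0/0 to x.x.x.x/24 peer c.c.c.c srcid IPV4/b.b.b.b type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from c.c.c.c to a.a.a.a spi 0x468a14be auth hmac-sha2-256 enc aes-256
esp tunnel from a.a.a.a to c.c.c.c spi 0x9ddf6c16 auth hmac-sha2-256 enc aes-256
esp tunnel from a.a.a.a to c.c.c.c spi 0xd5b9f060 auth hmac-sha2-256 enc aes-256
esp tunnel from c.c.c.c to a.a.a.a spi 0xf4cdc4f2 auth hmac-sha2-256 enc aes-256
"""

RE_ESTABLISHED = re.compile(
    r"sa_state: VALID -> ESTABLISHED from (\S+) to (\S+) policy '([^']*)'")
RE_CHILD_SA = re.compile(r"ikev2_childsa_enable: loaded CHILD SA spi (0x[0-9a-f]+)")
RE_FLOW_LOADED = re.compile(r"ikev2_childsa_enable: loaded flow (0x[0-9a-f]+)")
RE_FLOW_REPLACED = re.compile(
    r"ikev2_childsa_enable: replaced old flow (0x[0-9a-f]+) with (0x[0-9a-f]+)")
RE_FLOW = re.compile(r"^flow esp (in|out) from (\S+) to (\S+)(?: peer (\S+))?.* type (\w+)$")
RE_SA = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")


def parse_iked_log(text):
    """Group CHILD SA and flow events by IKE SA. iked logs them just before the
    'VALID -> ESTABLISHED' line of the SA they belong to, so buffer until then."""
    sessions, pending = [], {"child_spis": [], "flows": [], "replaced": []}
    for line in text.splitlines():
        if m := RE_CHILD_SA.search(line):
            pending["child_spis"].append(m.group(1))
        elif m := RE_FLOW_REPLACED.search(line):
            pending["replaced"].append((m.group(1), m.group(2)))
        elif m := RE_FLOW_LOADED.search(line):
            pending["flows"].append(m.group(1))
        elif m := RE_ESTABLISHED.search(line):
            pending.update(peer=m.group(1), local=m.group(2), policy=m.group(3))
            sessions.append(pending)
            pending = {"child_spis": [], "flows": [], "replaced": []}
    return sessions


def find_clobbered_sessions(sessions):
    """Return (victim_peer, culprit_peer, lost_flow_ids) for every earlier IKE SA
    whose flows were replaced by a later IKE SA from a different peer endpoint."""
    findings = []
    for i, later in enumerate(sessions):
        replaced = {old for old, _new in later["replaced"]}
        for earlier in sessions[:i]:
            lost = sorted(replaced & set(earlier["flows"]))
            if lost and earlier["peer"] != later["peer"]:
                findings.append((earlier["peer"], later["peer"], lost))
    return findings


def parse_ipsecctl(text):
    """Split ipsecctl -sa output into flow entries and ESP SA entries."""
    flows, sas = [], []
    for line in text.splitlines():
        if m := RE_FLOW.match(line.strip()):
            flows.append({"dir": m.group(1), "src": m.group(2), "dst": m.group(3),
                          "peer": m.group(4), "type": m.group(5)})
        elif m := RE_SA.match(line.strip()):
            sas.append({"src": m.group(1), "dst": m.group(2), "spi": m.group(3)})
    return flows, sas


def tunnels_without_own_flows(flows, sas, local):
    """Per peer, compare ESP tunnels (one inbound + one outbound SA each) with
    usable flow pairs (one in + one out flow, 'deny' flows excluded). More
    tunnels than flow pairs means several SAs compete for the same selectors
    and only the SA that last claimed the flow carries traffic."""
    tunnels, flow_pairs = {}, {}
    for sa in sas:
        peer = sa["src"] if sa["dst"] == local else sa["dst"]
        tunnels[peer] = tunnels.get(peer, 0) + 1
    for f in flows:
        if f["type"] != "deny" and f["peer"] is not None:
            flow_pairs[f["peer"]] = flow_pairs.get(f["peer"], 0) + 1
    return {peer: (n // 2, flow_pairs.get(peer, 0) // 2)
            for peer, n in tunnels.items() if n // 2 > flow_pairs.get(peer, 0) // 2}


if __name__ == "__main__":
    for victim, culprit, lost in find_clobbered_sessions(parse_iked_log(SAMPLE_IKED_LOG)):
        print(f"{culprit} replaced flows {lost} that belonged to {victim}")
    flows, sas = parse_ipsecctl(SAMPLE_IPSECCTL)
    for peer, (nt, nf) in tunnels_without_own_flows(flows, sas, "a.a.a.a").items():
        print(f"peer {peer}: {nt} ESP tunnels but only {nf} flow pair(s)")
```

On the post's data both checks agree: the second Windows client (port 58838) replaced both flows of the first (port 61646), and the SAD holds two tunnels to c.c.c.c while only one in/out flow pair exists.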