Hello misc@
Found. The ping request generated by the first client gets a ping reply routed by iked to the second host. Reversing the flow selector in iked.conf does the job correctly:

inet from y.y.y.y/24 to 0.0.0.0/0

where y.y.y.y/24 is the range of the internal LAN. Thanks a lot for your help.

==
Find below the iked.conf which works:

# cat /etc/iked.conf
ikev2 "XXX" quick passive esp \
    inet from y.y.y.y/24 to 0.0.0.0/0 \
    ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
    childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
    local a.a.a.a peer any \
    srcid b.b.b.b \
    config address x.x.x.x/27

Regards.
C.

On 07/14/2015 10:02 AM, Christophe Ternat wrote:
> Hello @misc
>
> I've set up a remote access with iked on OpenBSD 5.7-stable and several
> MS clients. When a second client connects to the remote access, the flow of
> the first one is dropped (something like 1 packet of 100 comes to enc0).
> Clients are on Windows 8.1 with the default VPN client.
>
> Any idea on how to troubleshoot this?
>
> I suspect something around flow replacement (here are the iked logs):
> [...]
> ikev2_childsa_enable: loaded CHILD SA spi 0x9d5e19c4
> ikev2_childsa_enable: replaced old flow 0x8fe6dc86400 with 0x8fefa32ec00
> ikev2_childsa_enable: loaded flow 0x8fefa32ec00
> ikev2_childsa_enable: replaced old flow 0x8ff01226c00 with 0x8ff01223800
> ikev2_childsa_enable: loaded flow 0x8ff01223800
> [...]
>
> Please find below several configuration files and logs.
> ===
> # cat /etc/iked.conf
> ikev2 "XXX" quick passive esp \
>     inet from 0.0.0.0/0 to x.x.x.x/24 \
>     ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
>     childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
>     local a.a.a.a peer any \
>     srcid b.b.b.b \
>     config address x.x.x.x/27
> ===
> cat /etc/pf.conf
> set block-policy drop
> set loginterface egress
> set state-policy if-bound
> set fingerprints "/etc/pf.os"
> set reassemble yes
> set skip on { lo, enc }
> match in all scrub (no-df random-id max-mss 1440)
>
> pass in quick on egress proto udp to egress port {isakmp, ipsec-nat-t} modulate state
> pass in quick on egress proto {ah, esp} to egress modulate state
> pass out quick on egress proto {icmp,tcp,udp} from x.x.x.x/24 modulate state
>
> block in log quick all
> block out log quick all
>
> ===
> # sysctl -a
> [...]
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> net.inet.ah.enable=1
> [...]
>
> ===
> # ipsecctl -sa
> FLOWS:
> flow esp in from x.x.x.x/24 to 0.0.0.0/0 peer c.c.c.c srcid IPV4/b.b.b.b type use
> flow esp out from 0.0.0.0/0 to x.x.x.x/24 peer c.c.c.c srcid IPV4/b.b.b.b type require
> flow esp out from ::/0 to ::/0 type deny
>
> SAD:
> esp tunnel from c.c.c.c to a.a.a.a spi 0x468a14be auth hmac-sha2-256 enc aes-256
> esp tunnel from a.a.a.a to c.c.c.c spi 0x9ddf6c16 auth hmac-sha2-256 enc aes-256
> esp tunnel from a.a.a.a to c.c.c.c spi 0xd5b9f060 auth hmac-sha2-256 enc aes-256
> esp tunnel from c.c.c.c to a.a.a.a spi 0xf4cdc4f2 auth hmac-sha2-256 enc aes-256
>
>
> ===
> # /sbin/iked -dvv
> /etc/iked.conf: loaded 1 configuration rules
> config_getpolicy: received policy
> ikev2 "XXXX" quick passive esp inet from 0.0.0.0/0 to x.x.x.x/24 local a.a.a.a peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid b.b.b.b lifetime 10800 bytes 536870912 rsa config address x.x.x.x
> ca_reload: loaded ca file ca.crt
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> ca_reload: loaded crl file ca.crl
> config_getsocket: received socket fd 7
> ca_reload: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=VPN CA/emailAddress=email
> config_getsocket: received socket fd 8
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file a.a.a.a.crt
> ca_reload: loaded cert file b.b.b.b.crt
> ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=a.a.a.a/emailAddress=email ok
> ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=b.b.b.b/emailAddress=email ok
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
> ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
> ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
> ikev2_recv: IKE_SA_INIT request from initiator c.c.c.c:50701 to a.a.a.a:500 policy 'XXXX' id 0, 536 bytes
> ikev2_recv: ispi 0xba258ebbe9a1f1cd rspi 0x0000000000000000
> ikev2_policy2id: srcid IPV4/b.b.b.b length 8
> ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 536 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xba258ebbe9a1f1cd 0x0000000000000000 c.c.c.c:50701
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
> ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xba258ebbe9a1f1cd 0x0000000000000000 a.a.a.a:500
> ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
> ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x00, require 0x00
> sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 96 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xba258ebbe9a1f1cd 0xa320d35dbe67c24b a.a.a.a:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xba258ebbe9a1f1cd 0xa320d35dbe67c24b c.c.c.c:50701
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NONE
> ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 457 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_msg_send: IKE_SA_INIT response from a.a.a.a:500 to c.c.c.c:50701 msgid 0, 457 bytes
> config_free_proposals: free 0x8fedb02a300
> ikev2_recv: IKE_AUTH request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 1, 1984 bytes
> ikev2_recv: ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b
> ikev2_recv: updated SA to peer c.c.c.c:61646 local a.a.a.a:4500
> ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1984 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1956
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1920
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1920/1920 padding 8
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 150
> ikev2_pld_id: id ASN1_DN//C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8/emailAddress=email length 146
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1016
> ikev2_pld_cert: type X509_CERT length 1011
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 265
> ikev2_pld_certreq: type X509_CERT length 260
> ikev2_policy2id: srcid IPV4/b.b.b.b length 8
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
> ikev2_pld_auth: method RSA_SIG length 256
> sa_state: SA_INIT -> AUTH_REQUEST
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
> ikev2_pld_cp: type REQUEST length 28
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
> ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
> ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
> ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
> ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
> ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x65829f20
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
> ikev2_pld_ts: count 2 length 56
> ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
> ikev2_pld_ts: count 2 length 56
> ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_resp_recv: NAT-T message received, updated SA
> sa_stateok: SA_INIT flags 0x00, require 0x00
> policy_lookup: peerid '/C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8/emailAddress=email'
> ikev2_msg_auth: responder auth data length 537
> ca_setauth: auth length 537
> ikev2_msg_auth: initiator auth data length 600
> ikev2_msg_authverify: method RSA_SIG keylen 1011 type X509_CERT
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x10 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x8ff4dd1e580
> ca_getreq: found CA /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=VPN CA/emailAddress=email
> ca_x509_subjectaltname: IPV4/a.a.a.a
> ca_x509_subjectaltname_cmp: IPV4/a.a.a.a mismatched
> ca_x509_subjectaltname: IPV4/b.b.b.b
> ca_getreq: found local certificate /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=b.b.b.b/emailAddress=email
> ca_setauth: auth length 256
> ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8/emailAddress=email ok
> ikev2_getimsgdata: imsg 18 rspi 0xa320d35dbe67c24b ispi 0xba258ebbe9a1f1cd initiator 0 sa valid type 4 data length 1025
> ikev2_dispatch_cert: cert type X509_CERT length 1025, ok
> sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_getimsgdata: imsg 23 rspi 0xa320d35dbe67c24b ispi 0xba258ebbe9a1f1cd initiator 0 sa valid type 1 data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x19 -> 0x1d cert,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x1d, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x1d -> 0x1f cert,certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> ikev2_cp_setaddr: mask e0ffffff start 5 lower 1 host 5 upper 1f
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> ikev2_sa_tag: IKED (4)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 128
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_getspi: spi 0xdf4cbb16
> pfkey_sa_init: new spi 0xdf4cbb16
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> ikev2_next_payload: length 12 nextpayload CERT
> ikev2_next_payload: length 1030 nextpayload AUTH
> ikev2_next_payload: length 264 nextpayload CP
> ikev2_next_payload: length 24 nextpayload SA
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 1422
> ikev2_msg_encrypt: padded length 1424
> ikev2_msg_encrypt: length 1423, padding 1, output length 1456
> ikev2_next_payload: length 1460 nextpayload IDr
> ikev2_msg_integr: message length 1488
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xba258ebbe9a1f1cd rspi 0xa320d35dbe67c24b nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1488 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1460
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1424
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1424/1424 padding 1
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
> ikev2_pld_id: id IPV4/b.b.b.b length 8
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1030
> ikev2_pld_cert: type X509_CERT length 1025
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
> ikev2_pld_auth: method RSA_SIG length 256
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 24
> ikev2_pld_cp: type REPLY length 16
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xdf4cbb16
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start x.x.x.x end x.x.x.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_msg_send: IKE_AUTH response from a.a.a.a:4500 to c.c.c.c:61646 msgid 1, 1488 bytes, NAT-T
> pfkey_sa_add: update spi 0xdf4cbb16
> pfkey_sa: udpencap port 61646
> ikev2_childsa_enable: loaded CHILD SA spi 0xdf4cbb16
> pfkey_sa_add: add spi 0x65829f20
> pfkey_sa: udpencap port 61646
> ikev2_childsa_enable: loaded CHILD SA spi 0x65829f20
> ikev2_childsa_enable: loaded flow 0x8fe6dc86400
> ikev2_childsa_enable: loaded flow 0x8ff01226c00
> sa_state: VALID -> ESTABLISHED from c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX'
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
> ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
> ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
> ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
> ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
> ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
> ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
> ikev2_recv: IKE_SA_INIT request from initiator c.c.c.c:59846 to a.a.a.a:500 policy 'XXXX' id 0, 536 bytes
> ikev2_recv: ispi 0x562d03e53c773ab6 rspi 0x0000000000000000
> ikev2_policy2id: srcid IPV4/b.b.b.b length 8
> ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 536 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x562d03e53c773ab6 0x0000000000000000 c.c.c.c:59846
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
> ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x562d03e53c773ab6 0x0000000000000000 a.a.a.a:500
> ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
> ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x00, require 0x00
> sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 96 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x562d03e53c773ab6 0xe05591f1cc45d3d7 a.a.a.a:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x562d03e53c773ab6 0xe05591f1cc45d3d7 c.c.c.c:59846
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NONE
> ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 457 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_msg_send: IKE_SA_INIT response from a.a.a.a:500 to c.c.c.c:59846 msgid 0, 457 bytes
> config_free_proposals: free 0x8fedb02a400
> ikev2_recv: IKE_AUTH request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 1, 1984 bytes
> ikev2_recv: ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7
> ikev2_recv: updated SA to peer c.c.c.c:58838 local a.a.a.a:4500
> ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1984 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1956
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1920
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1920/1920 padding 2
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 152
> ikev2_pld_id: id ASN1_DN//C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8-2/emailAddress=email length 148
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1020
> ikev2_pld_cert: type X509_CERT length 1015
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 265
> ikev2_pld_certreq: type X509_CERT length 260
> ikev2_policy2id: srcid IPV4/b.b.b.b length 8
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
> ikev2_pld_auth: method RSA_SIG length 256
> sa_state: SA_INIT -> AUTH_REQUEST
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
> ikev2_pld_cp: type REQUEST length 28
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
> ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
> ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
> ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
> ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
> ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x9d5e19c4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
> ikev2_pld_ts: count 2 length 56
> ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
> ikev2_pld_ts: count 2 length 56
> ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_resp_recv: NAT-T message received, updated SA
> sa_stateok: SA_INIT flags 0x00, require 0x00
> policy_lookup: peerid '/C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8-2/emailAddress=email'
> ikev2_msg_auth: responder auth data length 537
> ca_setauth: auth length 537
> ikev2_msg_auth: initiator auth data length 600
> ikev2_msg_authverify: method RSA_SIG keylen 1015 type X509_CERT
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x10 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x8ff4dd1e400
> ca_getreq: found CA /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=VPN CA/emailAddress=email
> ca_x509_subjectaltname: IPV4/a.a.a.a
> ca_x509_subjectaltname_cmp: IPV4/a.a.a.a mismatched
> ca_x509_subjectaltname: IPV4/b.b.b.b
> ca_getreq: found local certificate /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=b.b.b.b/emailAddress=email
> ca_setauth: auth length 256
> ca_validate_cert: /C=FR/ST=somewhere/L=somewhere/O=something/OU=something/CN=w8-2/emailAddress=email ok
> ikev2_getimsgdata: imsg 18 rspi 0xe05591f1cc45d3d7 ispi 0x562d03e53c773ab6 initiator 0 sa valid type 4 data length 1025
> ikev2_dispatch_cert: cert type X509_CERT length 1025, ok
> sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_getimsgdata: imsg 23 rspi 0xe05591f1cc45d3d7 ispi 0x562d03e53c773ab6 initiator 0 sa valid type 1 data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x19 -> 0x1d cert,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x1d, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x1d -> 0x1f cert,certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> ikev2_cp_setaddr: mask e0ffffff start 4 lower 1 host 4 upper 1f
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> ikev2_sa_tag: IKED (4)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 128
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_getspi: spi 0x5e371164
> pfkey_sa_init: new spi 0x5e371164
> sa_stateok: VALID flags 0x1f, require 0x1f cert,certvalid,auth,authvalid,sa
> ikev2_next_payload: length 12 nextpayload CERT
> ikev2_next_payload: length 1030 nextpayload AUTH
> ikev2_next_payload: length 264 nextpayload CP
> ikev2_next_payload: length 24 nextpayload SA
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 1422
> ikev2_msg_encrypt: padded length 1424
> ikev2_msg_encrypt: length 1423, padding 1, output length 1456
> ikev2_next_payload: length 1460 nextpayload IDr
> ikev2_msg_integr: message length 1488
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x562d03e53c773ab6 rspi 0xe05591f1cc45d3d7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1488 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1460
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1424
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1424/1424 padding 1
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
> ikev2_pld_id: id IPV4/b.b.b.b length 8
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1030
> ikev2_pld_cert: type X509_CERT length 1025
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
> ikev2_pld_auth: method RSA_SIG length 256
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 24
> ikev2_pld_cp: type REPLY length 16
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x5e371164
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start x.x.x.x end x.x.x.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_msg_send: IKE_AUTH response from a.a.a.a:4500 to c.c.c.c:58838 msgid 1, 1488 bytes, NAT-T
> pfkey_sa_add: update spi 0x5e371164
> pfkey_sa: udpencap port 58838
> ikev2_childsa_enable: loaded CHILD SA spi 0x5e371164
> pfkey_sa_add: add spi 0x9d5e19c4
> pfkey_sa: udpencap port 58838
> ikev2_childsa_enable: loaded CHILD SA spi 0x9d5e19c4
> ikev2_childsa_enable: replaced old flow 0x8fe6dc86400 with 0x8fefa32ec00
> ikev2_childsa_enable: loaded flow 0x8fefa32ec00
> ikev2_childsa_enable: replaced old flow 0x8ff01226c00 with 0x8ff01223800
> ikev2_childsa_enable: loaded flow 0x8ff01223800
> sa_state: VALID -> ESTABLISHED from c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX'
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
> ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
> ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:61646 to a.a.a.a:4500 policy 'XXXX' id 6, 80 bytes
> ikev2_recv: ispi 0x6ad134a575f00a4d rspi 0x2e3cb2094bf70da2
> ikev2_recv: INFORMATIONAL request from initiator c.c.c.c:58838 to a.a.a.a:4500 policy 'XXXX' id 4, 80 bytes
> ikev2_recv: ispi 0x51ce221bd9f537ca rspi 0x69dad45d8cc67c17
>
> Any help appreciated.
>
> Regards,
> C.
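As an added example, not part of the thread and not iked's own code: a small Python model of the flow-table replacement that the "ikev2_childsa_enable: replaced old flow" lines report, run over both the original policy (from 0.0.0.0/0 to x.x.x.x/24) and the working one (from y.y.y.y/24 to 0.0.0.0/0). It assumes that flows are keyed by their (src, dst) selector and that iked narrows a 0.0.0.0/0 remote side to each client's config address; the narrowing is inferred from the outcome reported above, not shown in the log, and the addresses are constructed TEST-NET values standing in for the placeholders.

```python
"""Model of why two road-warrior clients shared one flow under the original
iked.conf, and why reversing the selector gives each client its own.

Assumptions (not from the thread's log): flows are keyed only by their
(src, dst) selector (real flows also carry proto, ports and direction), and
with a policy whose remote side is 0.0.0.0/0 plus a "config address" pool,
iked narrows that side to the address handed to the client.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")
LAN = IPv4Network("198.51.100.0/24")   # constructed: stands for y.y.y.y/24
POOL = IPv4Network("192.0.2.0/24")     # constructed: stands for x.x.x.x/24
LAN_HOST = IPv4Address("198.51.100.10")  # constructed: a host behind the gateway

# Constructed clients; host numbers 5 and 4 mirror the ikev2_cp_setaddr lines.
CLIENTS = [("w8", IPv4Address("192.0.2.5")), ("w8-2", IPv4Address("192.0.2.4"))]


@dataclass(frozen=True)
class Flow:
    src: IPv4Network   # local side of the selector
    dst: IPv4Network   # remote (client) side of the selector
    sa: str            # child SA (client) this flow steers traffic into


class FlowTable:
    """Flows keyed by selector: loading a flow whose key already exists
    replaces the old one, which is what 'replaced old flow' reports."""

    def __init__(self) -> None:
        self._flows: Dict[Tuple[IPv4Network, IPv4Network], Flow] = {}
        self.replaced: List[Tuple[str, str]] = []   # (old sa, new sa)

    def load(self, flow: Flow) -> None:
        key = (flow.src, flow.dst)
        old = self._flows.get(key)
        if old is not None:
            self.replaced.append((old.sa, flow.sa))
        self._flows[key] = flow

    def lookup(self, src: IPv4Address, dst: IPv4Address) -> Optional[Flow]:
        """Outbound lookup for one packet: the most specific match wins."""
        best = None
        for flow in self._flows.values():
            if src in flow.src and dst in flow.dst:
                if best is None or flow.dst.prefixlen > best.dst.prefixlen:
                    best = flow
        return best


def responder_flow(policy_src: IPv4Network, policy_dst: IPv4Network,
                   assigned: IPv4Address, sa: str) -> Flow:
    """Flow installed for one client under 'from policy_src to policy_dst'.
    Assumed narrowing: an any (0.0.0.0/0) remote side becomes the client's
    assigned /32; a concrete network such as x.x.x.x/24 is kept as is."""
    dst = IPv4Network(f"{assigned}/32") if policy_dst == ANY else policy_dst
    return Flow(policy_src, dst, sa)


def bring_up(policy_src: IPv4Network, policy_dst: IPv4Network) -> FlowTable:
    """Connect the constructed clients one after the other, as in the thread."""
    table = FlowTable()
    for name, addr in CLIENTS:
        table.load(responder_flow(policy_src, policy_dst, addr, sa=name))
    return table


def reply_tunnel(table: FlowTable, client: IPv4Address) -> Optional[str]:
    """Which client's SA carries LAN_HOST's reply addressed to `client`."""
    flow = table.lookup(LAN_HOST, client)
    return flow.sa if flow else None


if __name__ == "__main__":
    old = bring_up(ANY, POOL)   # original: inet from 0.0.0.0/0 to x.x.x.x/24
    print("old policy, replaced flows:", old.replaced)
    print("old policy, reply to w8 goes into SA of:", reply_tunnel(old, CLIENTS[0][1]))
    new = bring_up(LAN, ANY)    # working: inet from y.y.y.y/24 to 0.0.0.0/0
    print("new policy, replaced flows:", new.replaced)
    print("new policy, reply to w8 goes into SA of:", reply_tunnel(new, CLIENTS[0][1]))
```

Under the original policy both clients produce the same (0.0.0.0/0, pool) key, so the second client's flow replaces the first and replies to the first client are steered into the second client's tunnel, which is the symptom described at the top of the thread.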