Hi, I'm currently facing a problem establishing an IKEv2 site-to-site VPN between OpenBSD and a Juniper SRX firewall. The tunnel can be successfully established if it is initiated by the Juniper SRX firewall. If I configure OpenIKED to actively initiate the tunnel, the SRX firewall complains about a syntax error.
OpenBSD version:
****************
root@openbsd:~# uname -a
OpenBSD openbsd.test.loc 5.8 GENERIC#1170 amd64
root@openbsd:~#

Juniper SRX version:
********************
{primary:node0}[edit]
superman@juniper_srx-node0# run show version
node0:
--------------------------------------------------------------------------
Hostname: juniper_srx-node0
Model: srx240h2
JUNOS Software Release [12.3X48-D20.4]

node1:
--------------------------------------------------------------------------
Hostname: juniper_srx-node1
Model: srx240h2
JUNOS Software Release [12.3X48-D20.4]

{primary:node0}[edit]
superman@juniper_srx-node0#

OpenIKED acting as initiator:
*****************************

OpenIKED configuration:
=======================
ikev2 vpn_corp active esp \
        from 172.16.0.0/16 to 172.17.0.0/16 \
        local 1.1.1.1 peer 2.2.2.2 \
        ikesa auth hmac-sha2-256 enc aes-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid 1.1.1.1 dstid 2.2.2.2 \
        ikelifetime 28800 lifetime 3600 \
        psk ********

OpenIKED log:
=============
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 1 configuration rules
config_getpolicy: received policy ikev2 "vpn_corp" active esp inet from 172.16.0.0/16 to 172.17.0.0/16 local 1.1.1.1 peer 2.2.2.2 ikesa enc aes-256 prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid 1.1.1.1 dstid 2.2.2.2 ikelifetime 28800 lifetime 3600 bytes 536870912 psk 0x********************************************
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "vpn_corp"
ikev2_policy2id: srcid IPV4/1.1.1.1 length 8
ikev2_add_proposals: length 60
ikev2_next_payload: length 64 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x08e787c5d31f442f 0x0000000000000000 1.1.1.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x08e787c5d31f442f 0x0000000000000000 2.2.2.2:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x08e787c5d31f442f rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 462 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 64
ikev2_pld_sa: more 0 reserved 0 length 60 proposal #1 protoid IKE spisize 0 xforms 6 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT request from 1.1.1.1:500 to 2.2.2.2:500 msgid 0, 462 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder 2.2.2.2:500 to 1.1.1.1:500 policy 'vpn_corp' id 0, 474 bytes
ikev2_recv: ispi 0x08e787c5d31f442f rspi 0x9d7d95f32328d0ac
ikev2_recv: updated SA to peer 2.2.2.2:500 local 1.1.1.1:500
ikev2_pld_parse: header ispi 0x08e787c5d31f442f rspi 0x9d7d95f32328d0ac nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 474 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x08e787c5d31f442f 0x9d7d95f32328d0ac 2.2.2.2:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x08e787c5d31f442f 0x9d7d95f32328d0ac 1.1.1.1:500
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type <UNKNOWN:40002>
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 32
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x04 auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 526
sa_stateok: SA_INIT flags 0x04, require 0x04 auth
ikev2_next_payload: length 12 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0x54b417b8
pfkey_sa_init: new spi 0x54b417b8
ikev2_add_proposals: length 56
ikev2_next_payload: length 60 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 160
ikev2_msg_encrypt: padded length 176
ikev2_msg_encrypt: length 161, padding 15, output length 208
ikev2_next_payload: length 212 nextpayload IDi
ikev2_msg_integr: message length 240
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x08e787c5d31f442f rspi 0x9d7d95f32328d0ac nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 240 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 212
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 176
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 176/176 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 12
ikev2_pld_id: id IPV4/1.1.1.1 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 60
ikev2_pld_sa: more 0 reserved 0 length 56 proposal #2 protoid ESP spisize 4 xforms 5 spi 0x54b417b8
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.17.0.0 end 172.17.255.255
ikev2_msg_send: IKE_AUTH request from 1.1.1.1:500 to 2.2.2.2:500 msgid 1, 240 bytes
config_free_proposals: free 0x16b5efa61e80

Juniper SRX configuration:
==========================
{primary:node0}[edit]
superman@juniper_srx-node0# show security ike
proposal ike-aes265-sha256-dh14-psk-28800 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy ikepol-vpn-corp {
    mode main;
    proposals ike-aes265-sha256-dh14-psk-28800;
    pre-shared-key hexadecimal "*******************************************"; ## SECRET-DATA
}
gateway gw-corp {
    ike-policy ikepol-vpn-corp;
    address 1.1.1.1;
    external-interface reth0.1051;
    local-address 2.2.2.2;
    version v2-only;
}

{primary:node0}[edit]
superman@juniper_srx-node0# show security ipsec
proposal ipsec-aes256-sha256-3600 {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
policy ipsecpol-vpn-corp {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-aes256-sha256-3600;
}
vpn ipsec-vpn-corp {
    bind-interface st0.0;
    ike {
        gateway gw-corp;
        proxy-identity {
            local 172.17.0.0/16;
            remote 172.16.0.0/16;
        }
        ipsec-policy ipsecpol-vpn-corp;
    }
    establish-tunnels on-traffic;
}

{primary:node0}[edit]
superman@juniper_srx-node0#

Juniper SRX log:
================
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] P1 SA 8381945 start timer. timer duration 30, reason 1.
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ikev2_packet_st_forward: [104a400/10b1800] R: IKE SA REFCNT: 1
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ikev2_decode_packet: [104a400/10b1800] Setting ed pkt ctx from VR id 65535 to VR id 0)
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received - START
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:2.2.2.2 remote:1.1.1.1 IKEv2 for P1 SA 8381945
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received - START
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:2.2.2.2 remote:1.1.1.1 IKEv2 for P1 SA 8381945
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received - START
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload unknown from local:2.2.2.2 remote:1.1.1.1 IKEv2 for P1 SA 8381945
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16431
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG ipsec-vpn-corp by ip address for local:2.2.2.2, remote:1.1.1.1 IKEv2 remote_port:500 ksa_cfg_remote_port=0
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), HMAC-SHA256-128, AES CBC key len = 256, 2048 bit MODP, HMAC-SHA256 PRF, HMAC-SHA1 PRF, HMAC-MD5 PRF; )
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] Configured proposal is SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, 2048 bit MODP, HMAC-SHA256 PRF; )
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ssh_ikev2_sa_select: SA_SELECT: Selecting IKEv2 proposal.
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ssh_ikev2_sa_select: SA_SELECT: Considering policy proposal 1 and input proposal 1.
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104a400/10b1800] Stored packet into window fb3c80
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ikev2_packet_allocate: Allocated packet 104a800 from freelist
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104a800/10b1800] Stored packet into window fb3ce0
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group type dl-modp
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group size 2048
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group 14
[Mar 16 08:44:15][2.2.2.2 <-> 1.1.1.1] iked_dh_generate_sync: Requested DH group 14
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] iked_dh_generate: Generated DH keys using hardware for DH group 14
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] juniper_dlp_diffie_hellman_generate_async: DH Generate Secs [0] USecs [28061]
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] juniper_dlp_diffie_hellman_generate_async: Generated DH using hardware
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16431
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_request send NHTB_SUPPORTED
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_udp_send_packet: [104a800/0] Sending packet using VR id 0
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_packet_st_forward: [104ac00/10b1800] R: IKE SA REFCNT: 1
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_packet_done: [104a400/0] Destroyed already. Thread completed. Freeing now.
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104ac00/10b1800] Stored packet into window fb3c80
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_decode_sa: [104ac00/10b1800] Proposal number(2) should be 0
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] iked_pv_audit_callback: Empty SSH audit event
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_state_error: [104ac00/10b1800] Negotiation failed because of error Invalid syntax (7)
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] IKE negotiation fail for local:2.2.2.2, remote:1.1.1.1 IKEv2 with status: Invalid syntax
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] Inside iked_pm_ipsec_sa_done
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] IPSec negotiation failed for SA-CFG ipsec-vpn-corp for local:2.2.2.2, remote:1.1.1.1 IKEv2. status: Invalid syntax
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] P2 ed info: flags 0x800, P2 error: Error ok
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_packet_done: [104ac00/10b1800] Not destroyed; running to end state and terminating there.
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] ikev2_packet_done: [104a800/0] Not destroyed; running to end state and terminating there.
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] IKE SA delete called for p1 sa 8381945 (ref cnt 1) local:2.2.2.2, remote:1.1.1.1, IKEv2
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] P1 SA 8381945 stop timer. timer duration 30, reason 1.
[Mar 16 08:44:16][2.2.2.2 <-> 1.1.1.1] iked_pm_p1_sa_destroy: p1 sa 8381945 (ref cnt 0), waiting_for_del 0x0

SRX acting as initiator:
************************

OpenIKED configuration:
=======================
ikev2 vpn_corp passive esp \
        from 172.16.0.0/16 to 172.17.0.0/16 \
        local 1.1.1.1 peer 2.2.2.2 \
        ikesa auth hmac-sha2-256 enc aes-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid 1.1.1.1 dstid 2.2.2.2 \
        ikelifetime 28800 lifetime 3600 \
        psk ********

OpenIKED log:
=============
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 1 configuration rules
config_getpolicy: received policy ikev2 "vpn_corp" passive esp inet from 172.16.0.0/16 to 172.17.0.0/16 local 1.1.1.1 peer 2.2.2.2 ikesa enc aes-256 prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid 1.1.1.1 dstid 2.2.2.2 ikelifetime 28800 lifetime 3600 bytes 536870912 psk 0x********************************************
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_recv: IKE_SA_INIT request from initiator 2.2.2.2:500 to 1.1.1.1:500 policy 'vpn_corp' id 0, 474 bytes
ikev2_recv: ispi 0x4f2c7380eaddd91b rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/1.1.1.1 length 8
ikev2_pld_parse: header ispi 0x4f2c7380eaddd91b rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 474 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x4f2c7380eaddd91b 0x0000000000000000 2.2.2.2:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x4f2c7380eaddd91b 0x0000000000000000 1.1.1.1:500
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type <UNKNOWN:40002>
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 32
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x4f2c7380eaddd91b 0x3018825632b6f34b 1.1.1.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x4f2c7380eaddd91b 0x3018825632b6f34b 2.2.2.2:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0x4f2c7380eaddd91b rspi 0x3018825632b6f34b nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT response from 1.1.1.1:500 to 2.2.2.2:500 msgid 0, 432 bytes
config_free_proposals: free 0xd0bbfa23480
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500 policy 'vpn_corp' id 1, 256 bytes
ikev2_recv: ispi 0x4f2c7380eaddd91b rspi 0x3018825632b6f34b
ikev2_recv: updated SA to peer 2.2.2.2:500 local 1.1.1.1:500
ikev2_pld_parse: header ispi 0x4f2c7380eaddd91b rspi 0x3018825632b6f34b nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 12
ikev2_pld_id: id IPV4/2.2.2.2 length 8
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 12
ikev2_pld_id: id IPV4/1.1.1.1 length 8
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x436645cd
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.17.0.0 end 172.17.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.255.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 12
ikev2_pld_notify: protoid NONE spisize 0 type SET_WINDOW_SIZE
sa_stateok: SA_INIT flags 0x00, require 0x00
policy_lookup: peerid '2.2.2.2'
ikev2_msg_auth: responder auth data length 496
ikev2_msg_auth: initiator auth data length 538
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x14 -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x1c -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xd67849f9
pfkey_sa_init: new spi 0xd67849f9
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_next_payload: length 12 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 144
ikev2_msg_encrypt: padded length 160
ikev2_msg_encrypt: length 145, padding 15, output length 192
ikev2_next_payload: length 196 nextpayload IDr
ikev2_msg_integr: message length 224
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x4f2c7380eaddd91b rspi 0x3018825632b6f34b nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 15
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 12
ikev2_pld_id: id IPV4/1.1.1.1 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xd67849f9
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.17.0.0 end 172.17.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.255.255
ikev2_msg_send: IKE_AUTH response from 1.1.1.1:500 to 2.2.2.2:500 msgid 1, 224 bytes
pfkey_sa_add: update spi 0xd67849f9
ikev2_childsa_enable: loaded CHILD SA spi 0xd67849f9
pfkey_sa_add: add spi 0x436645cd
ikev2_childsa_enable: loaded CHILD SA spi 0x436645cd
ikev2_childsa_enable: loaded flow 0xd0b2fd22800
ikev2_childsa_enable: loaded flow 0xd0b2fd22c00
sa_state: VALID -> ESTABLISHED from 2.2.2.2:500 to 1.1.1.1:500 policy 'vpn_corp'
config_free_proposals: free 0xd0b17405c00
ca exiting, pid 32477
ikev1 exiting, pid 16823
ikev2 exiting, pid 30323
parent terminating

Juniper SRX configuration:
==========================
{primary:node0}[edit]
superman@juniper_srx-node0# show security ike
proposal ike-aes265-sha256-dh14-psk-28800 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy ikepol-vpn-corp {
    mode main;
    proposals ike-aes265-sha256-dh14-psk-28800;
    pre-shared-key hexadecimal "*******************************************"; ## SECRET-DATA
}
gateway gw-corp {
    ike-policy ikepol-vpn-corp;
    address 1.1.1.1;
    external-interface reth0.1051;
    local-address 2.2.2.2;
    version v2-only;
}

{primary:node0}[edit]
superman@juniper_srx-node0# show security ipsec
proposal ipsec-aes256-sha256-3600 {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
policy ipsecpol-vpn-corp {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-aes256-sha256-3600;
}
vpn ipsec-vpn-corp {
    bind-interface st0.0;
    ike {
        gateway gw-corp;
        proxy-identity {
            local 172.17.0.0/16;
            remote 172.16.0.0/16;
        }
        ipsec-policy ipsecpol-vpn-corp;
    }
    establish-tunnels immediately;
}

{primary:node0}[edit]
superman@juniper_srx-node0#

Juniper SRX log:
================
Mar 16 08:49:59 juniper_srx-node0 clear-log[18132]: logfile cleared
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_config_process_sa_cfg Find action on ipsec-vpn-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_config_process_sa_cfg action=1
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Found existing config for SA ipsec-vpn-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] kmd_ipsec_apply_sacfg: Resetting VPN Monitoring parameters
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] sa_cfg = ipsec-vpn-corp and gateway = gw-corp are linked, sa_cfg local addrss is: 2.2.2.2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] S2S dist_id(0) gw_id(0) copied from gateway to sa_cfg
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_config_stage_update_and_activate update_required for sa_cfg = ipsec-vpn-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg ipsec-vpn-corp count is 0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_deactivate_bind_interface: No more NHTB entries are active for st0.0. Bringing down the interface
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] kmd_update_tunnel_interface:
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_update_tunnel_interface_by_ifname: update ifl st0.0 status DOWN
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_stop_vpnm_timer: processing SA ipsec-vpn-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Triggering negotiation for ipsec-vpn-corp config block
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_trigger_callback: lookup peer entry for gateway gw-corp, local_port=500, remote_port=500
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_create_peer_entry: Created peer entry 0x10c5e00 for local 2.2.2.2:500 remote 1.1.1.1:500
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_fetch_or_create_peer_entry: Create peer entry 0x10c5e00 for local 2.2.2.2:500 remote 1.1.1.1:500. gw gw-corp, VR id 0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_trigger_callback: FOUND peer entry for gateway gw-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Initiating new P1 SA for gateway gw-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] P1 SA 8381946 start timer. timer duration 30, reason 1.
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_trigger_negotiation Set p2_ed in sa_cfg=ipsec-vpn-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_peer_insert_p1sa_entry: Insert p1 sa 8381946 in peer entry 0x10c5e00
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_trigger_negotiation Convert traffic selectors from V1 format to V2 format for narrowing/matching selectors
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_allocate: Allocated packet 104b000 from freelist
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104b000/10b1800] Stored packet into window fb3cc0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ssh_ikev2_ipsec_send: Started IPsec SA creation 1.1.1.1;500
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IKE SA fill called for negotiation of local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group type dl-modp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group size 2048
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group 14
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_generate_sync: Requested DH group 14
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_generate: Generated DH keys using hardware for DH group 14
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] juniper_dlp_diffie_hellman_generate_async: DH Generate Secs [0] USecs [44146]
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] juniper_dlp_diffie_hellman_generate_async: Generated DH using hardware
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_request send NHTB_SUPPORTED
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_send_packet: [104b000/10b1800] Sending packet using VR id 0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_st_forward: [104b400/10b1800] R: IKE SA REFCNT: 3
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received - START
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:2.2.2.2 remote:1.1.1.1 IKEv2 for P1 SA 8381946
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received - START
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:2.2.2.2 remote:1.1.1.1 IKEv2 for P1 SA 8381946
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_decode_packet: [104b400/10b1800] Updating responder IKE SPI to IKE SA 10b1800 I 4f2c7380 eaddd91b R 30188256 32b6f34b
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104b400/10b1800] STOP-RETRANSMIT: Response to request 104b000 with m-id 0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104b400/10b1800] Stored packet into window fb3d20
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_allocate: Allocated packet 104b800 from freelist
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104b800/10b1800] Stored packet into window fb3cc0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group type dl-modp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group size 2048
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group 14
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_compute_synch: Requested DH group 14
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Peer public key has length 256
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] juniper_dlp_diffie_hellman_final_async: DH Compute Secs [0] USecs [30689]
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] juniper_dlp_diffie_hellman_final_async: Computed DH using hardware
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ipsec_spi_allocate: local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Added (spi=0x436645cd, protocol=0) entry to the spi table
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_conf_request: SA-CFG ipsec-vpn-corp not configured for config payload. Skipping...
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_spd_notify_request: Sending Initial contact
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Sending IKE window size notification for IKE SA of size 1
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Construction NHTB payload for local:2.2.2.2, remote:1.1.1.1 IKEv2 P1 SA index 8381946 sa-cfg ipsec-vpn-corp
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg ipsec-vpn-corp, p1_sa=8381946
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_send_packet: [104b800/10b1800] Sending packet using VR id 0
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_st_forward: [104bc00/10b1800] R: IKE SA REFCNT: 3
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_done: [104b400/0] Destroyed already. Thread completed. Freeing now.
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104bc00/10b1800] STOP-RETRANSMIT: Response to request 104b800 with m-id 1 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_udp_window_update: [104bc00/10b1800] Stored packet into window fb3d20 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ipsec_sa_install: local:2.2.2.2, remote:1.1.1.1 IKEv2 for SA-CFG ipsec-vpn-corp, rekey-ikev2:no [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_update_sa_cfg_port sa_cfg(ipsec-vpn-corp) local_port(0) and remote_port(500) [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Setting lifetime 3600 and lifesize 0 for IPSec SA [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ipsec_sa_create: encr key len 32, auth key len: 32, salt len: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Creating a SA spi=0x436645cd, proto=ESP pair_index = 1 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Added (spi=0x436645cd, protocol=ESP dst=2.2.2.2) entry to the peer hash table [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_peer_insert_sa_cfg_entry: insert sa_cfg tunnel_id entry 131073 into peer entry 0x10c5e00 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Creating a SA spi=0xd67849f9, proto=ESP pair_index = 1 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Added (spi=0xd67849f9, protocol=ESP dst=1.1.1.1) entry to the peer hash table [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_nhtb_update_on_sa_create: Interface st0.0 is P2P for sa_cfg ipsec-vpn-corp. 
Thus ignoring NHTB notification message [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ipsec_sa_install: NHTB add passed for sa-cfg ipsec-vpn-corp [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Hardlife timer started for inbound ipsec-vpn-corp with 3600 seconds/0 kilobytes [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Softlife timer started for inbound ipsec-vpn-corp with 2967 seconds/0 kilobytes [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_fill_sa_bundle [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ipsec-vpn-corp : VPN Monitor Interval=0(0) Optimized=0(0) [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_fill_sa_bundle : DPD Interval=0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SA bundle remote gateway: IP 1.1.1.1 chosen [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SA bundle local gateway: IP 2.2.2.2 chosen [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_fill_ipsec_ipc_sa_pair [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_fill_ipc_sa_keys [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_fill_ipc_sa_keys [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_fill_ipc_sa_keys [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_fill_ipc_sa_keys [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ----------------Voyager ipsec SA BUNDLE------------------- [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SA pair update request for: Tunnel index: 131073 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Local Gateway address: 2.2.2.2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Primary remote Gateway address: 1.1.1.1 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Backup remote Gateway State: Active [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Anti replay: counter-based enabled [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Window_size: 64 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Server Time: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Peer : Static [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Mode : Tunnel [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] VPN Type : route-based [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Tunnel mtu: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] DF bit: 0 [Mar 16 08:52:06][2.2.2.2 
<-> 1.1.1.1] local-if ifl idx: 74 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] tunnel-if ifl idx: 92 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Tunnel mtu: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] DPD interval: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] policy id: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] NATT enabled: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] NATT version: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] NAT position: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SA Idle time: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SA Outbound install delay time: 1 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IKED ID: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] DIST ID: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Keepalive interval: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] VPN monitoring interval: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] VPN monitoring optimized: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Respond-bad-SPI: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] seq_out: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Local port: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Remote port: 500 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SA CFG name: ipsec-vpn-corp [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Dial-up IKE ID: [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] RG ID: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Group template tunnel ID: 0 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ----------------Incoming SA ------------------- [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SPI: 0x436645cd Protocol: 2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Algorithm: 516 Auth key. length: 32 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Encr key. length; 32 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ----------------Outgoing SA ------------------- [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] SPI: 0xd67849f9 Protocol: 2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Algorithm: 516 Auth key. length: 32 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Encr key. 
length; 32 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0x436645cd [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Added dependency on SA config blob with tunnelid = 131073 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Successfully added ipsec SA PAIR [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Adding Phase2 Blob for Tunnel Id: 131073 SPI: 1130776013 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] kmd_update_tunnel_interface: [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_update_tunnel_interface_by_ifname: update ifl st0.0 status UP [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_sa_done: local:2.2.2.2, remote:1.1.1.1 IKEv2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IKE negotiation done for local:2.2.2.2, remote:1.1.1.1 IKEv2 with status: Error ok [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_sa_done: Success to create or find peer_entry for local:2.2.2.2:500, remote:1.1.1.1:500 in ike sa done [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] P1 SA 8381946 stop timer. timer duration 30, reason 1. [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] P1 SA 8381946 start timer. timer duration 28800, reason 2. 
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] lifetime timers started for p1_sa index 8381946 (hard 28800, soft 28221 secs) [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Preparing phase1 HA blob for p1-sa 8381946 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_prepare_phase1_ha_blob: P1 SA 8381946, phase1_blob->lifetime 28800, p1_sa->lifetime 28800 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Adding Phase 1 HA blob for P1 SA 8381946 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Inside iked_pm_ipsec_sa_done [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IPSec negotiation done successfully for SA-CFG ipsec-vpn-corp for local:2.2.2.2, remote:1.1.1.1 IKEv2 [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IPSec SA done callback. ed 10c4028. status: Error ok [Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_destroy: F: IKE SA REFCNT: 1 Regards, Bernd
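The SRX trace above is the working direction (SRX as initiator), and the useful way to compare it with a trace of the failing OpenIKED-initiated attempt is to reduce both to the same handful of facts: which DH group was used, whether the responder IKE SPI was ever learned, which notifies were exchanged, which ESP SPIs and lifetimes were installed, and the final status strings. The script below is an added example, not code from Bernd's post or from Juniper or OpenBSD. It assumes the line envelope seen in this trace, `[timestamp][local <-> remote] message`, and that the numeric notify types kmd prints are the IKEv2 status types from RFC 7296 (16388 and 16389 are NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP). The sample lines are copied unchanged from the trace above.

```python
# Summarise a Juniper SRX kmd (IKEv2) traceoptions log into the facts that matter when
# debugging a site-to-site tunnel. Added example; not code from the original post.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IKEv2 notify message types (RFC 7296, section 3.10.1); kmd logs only the number.
NOTIFY_TYPES = {16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP", 16390: "COOKIE"}

# Envelope of every kmd trace line in the post: [timestamp][local <-> remote] message
LINE_RE = re.compile(r"^\[[^\]]+\]\[[^\]]+\] (?P<msg>.*)$")
RE_P1 = re.compile(r"P1 SA (\d+) start timer")
RE_DH = re.compile(r"DH Group (\d+)$")
RE_IKE_SPI = re.compile(r"Updating responder IKE SPI to IKE SA \w+ I ([0-9a-f]+) ([0-9a-f]+) R ([0-9a-f]+) ([0-9a-f]+)")
RE_NOTIFY = re.compile(r"Ignoring notification of type (\d+)")
RE_ESP = re.compile(r"Added \(spi=(0x[0-9a-f]+), protocol=ESP dst=([0-9.]+)\)")
RE_CHILD_LIFE = re.compile(r"(Hard|Soft)life timer started for inbound \S+ with (\d+) seconds")
RE_IKE_LIFE = re.compile(r"lifetime timers started for p1_sa index \d+ \(hard (\d+), soft (\d+) secs\)")
RE_STATUS = re.compile(r"IKE negotiation done for .* with status: (.+)$")


@dataclass
class IkeSummary:
    p1_sa: Optional[int] = None
    dh_group: Optional[int] = None
    ike_spi_i: Optional[str] = None
    ike_spi_r: Optional[str] = None
    notifies: List[str] = field(default_factory=list)        # ordered, de-duplicated
    esp_spis: Dict[str, str] = field(default_factory=dict)    # destination address -> SPI
    ike_life: Dict[str, int] = field(default_factory=dict)    # {"hard": secs, "soft": secs}
    child_life: Dict[str, int] = field(default_factory=dict)  # same, for the ESP SA
    nhtb_skipped: bool = False  # SRX withheld its proprietary NHTB payload (non-Juniper peer)
    ike_status: Optional[str] = None
    ipsec_done: bool = False


def parse_kmd_log(lines) -> IkeSummary:
    """Walk the trace once and pick out the negotiation milestones."""
    s = IkeSummary()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt, blank line or other non-trace output
        msg = m["msg"]
        if x := RE_P1.search(msg):
            s.p1_sa = int(x[1])
        elif x := RE_DH.search(msg):
            s.dh_group = int(x[1])
        elif x := RE_IKE_SPI.search(msg):
            s.ike_spi_i, s.ike_spi_r = x[1] + x[2], x[3] + x[4]
        elif x := RE_NOTIFY.search(msg):
            name = NOTIFY_TYPES.get(int(x[1]), f"UNKNOWN({x[1]})")
            if name not in s.notifies:
                s.notifies.append(name)
        elif x := RE_ESP.search(msg):
            s.esp_spis[x[2]] = x[1]
        elif x := RE_CHILD_LIFE.search(msg):
            s.child_life[x[1].lower()] = int(x[2])
        elif x := RE_IKE_LIFE.search(msg):
            s.ike_life = {"hard": int(x[1]), "soft": int(x[2])}
        elif x := RE_STATUS.search(msg):
            s.ike_status = x[1].strip()
        elif "Peer router vendor is not Juniper" in msg:
            s.nhtb_skipped = True
        elif "IPSec negotiation done successfully" in msg:
            s.ipsec_done = True
    return s


def check_negotiation(s: IkeSummary) -> List[str]:
    """Findings worth flagging; an empty list means the tunnel came up cleanly."""
    findings = []
    if s.ike_status != "Error ok":  # kmd's wording for success
        findings.append(f"IKE SA negotiation did not succeed: {s.ike_status!r}")
    if not s.ipsec_done:
        findings.append("no IPsec (child) SA was installed")
    if len(s.esp_spis) != 2:
        findings.append(f"expected an inbound and an outbound ESP SPI, got {s.esp_spis}")
    if s.dh_group is not None and s.dh_group < 14:
        findings.append(f"DH group {s.dh_group} is weaker than modp2048 (group 14)")
    for kind, life in (("IKE", s.ike_life), ("child", s.child_life)):
        if "hard" in life and "soft" in life and life["soft"] >= life["hard"]:
            findings.append(f"{kind} SA soft lifetime {life['soft']}s is not below hard lifetime {life['hard']}s")
    return findings


# Constructed sample: a subset of the trace lines from the post, copied unchanged.
SAMPLE_LOG = """\
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] P1 SA 8381946 start timer. timer duration 30, reason 1.
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_dh_get_group: DH Group 14
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_decode_packet: [104b400/10b1800] Updating responder IKE SPI to IKE SA 10b1800 I 4f2c7380 eaddd91b R 30188256 32b6f34b
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg ipsec-vpn-corp, p1_sa=8381946
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Added (spi=0x436645cd, protocol=ESP dst=2.2.2.2) entry to the peer hash table
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Added (spi=0xd67849f9, protocol=ESP dst=1.1.1.1) entry to the peer hash table
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Hardlife timer started for inbound ipsec-vpn-corp with 3600 seconds/0 kilobytes
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Softlife timer started for inbound ipsec-vpn-corp with 2967 seconds/0 kilobytes
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IKE negotiation done for local:2.2.2.2, remote:1.1.1.1 IKEv2 with status: Error ok
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] lifetime timers started for p1_sa index 8381946 (hard 28800, soft 28221 secs)
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IPSec negotiation done successfully for SA-CFG ipsec-vpn-corp for local:2.2.2.2, remote:1.1.1.1 IKEv2
"""
```

Run `parse_kmd_log(SAMPLE_LOG.splitlines())` on this trace and `check_negotiation` returns no findings: DH group 14, both ESP SPIs present, IKE and child soft lifetimes below the hard ones, and kmd's "Error ok" success status. Feeding the same function a trace captured with OpenIKED as initiator (traceoptions on the same `ike` gateway) and comparing the two summaries shows at which milestone the failing run stops, for example whether a responder IKE SPI is ever recorded, without reading the whole trace by hand.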