Adjust as necessary *(Don't forget to adjust your pf rules accordingly)*

OpenBSD 6.X (works with iPhone and strongSwan)

ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
        local egress peer any \
        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32

iPhone = just disable certificates and set psk

Interoperability with strongSwan

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        # networks you want access to on the other side (behind the magic puffer fish)
        rightsubnet=192.168.0.0/24,172.8.50.0/24
        auto=add

# cat /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

: PSK "strongopeniked"

PS: Magic Puffer Fish Rock!

On Mon, 20 Apr 2020 at 09:49, Jona Joachim <j...@joachim.cc> wrote:
> Hi,
>
> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
> using x509 certificates generated by ikectl.
>
> The tunnel cannot be established. It is hard for me to see what's going
> on. strongswan seems to be sending the same IKE_AUTH packet again and
> again and iked does not seem to respond even though it receives the
> packet and does not show an error. The only thing fishy I see in iked
> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
> it "cannot switch".
>
> Does anybody have a working setup between iked and strongSwan or any
> insights? Config files and logs below.
>
> Thanks,
>
> Jona
>
>
> iked.conf:
>
> ikev2 passive esp \
>         from 0.0.0.0/0 to 10.201.201.0/24 \
>         from 192.168.0.0/16 to 10.244.244.0/24 \
>         from 10.244.244.0/24 to 192.168.0.0/16 \
>         local 1.2.3.4 peer any \
>         srcid vpn.example.com \
>         config address 10.201.201.0/24 \
>         config name-server 10.201.201.1 \
>         tag "IKED"
>
>
> ipsec.conf (strongSwan):
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> conn puffvpn
>         keyexchange=ikev2
>         dpddelay=5s
>         dpdtimeout=60s
>         dpdaction=restart
>
>         left=%defaultroute
>         leftcert=wookie.crt
>         leftsubnet=192.168.0.0/16
>         leftfirewall=yes
>         leftid="wookie"
>
>         right=vpn.example.com
>         rightsubnet=10.201.201.0/24
>         rightid="vpn.example.com"
>
>         auto=start
>
> strongswan log:
>
> # ipsec up puffvpn
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group ECP_256, it requested MODP_2048
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> sending cert request for "CN=35.180.187.116"
> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, E=j...@joachim.cc"
> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn, OU=iked, CN=wookie, E=j...@joachim.cc"
> establishing CHILD_SA puffvpn{7}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> retransmit 4 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> sending keep alive to 1.2.3.4[4500]
> retransmit 5 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> sending keep alive to 1.2.3.4[4500]
> sending keep alive to 1.2.3.4[4500]
> giving up after 5 retransmits
> peer not responding, trying again (2/3)
> establishing connection 'puffvpn' failed
>
> iked log:
>
> # iked -dvv
> ikev2 "policy1" passive esp inet from 10.244.244.0/24 to 192.168.0.0/16 from 0.0.0.0/0 to 10.201.201.0/24 from 192.168.0.0/16 to 10.244.244.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature config address 10.201.201.0 config name-server 10.201.201.1 tag "IKED"
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1192
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1192
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=IKECA/emailAddress=j...@joachim.cc
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file vpn.example.com.crt
> ca_reload: loaded cert file wookie.crt
> ca_validate_cert: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=vpn.example.com/emailAddress=j...@joachim.cc ok
> ca_validate_cert: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=wookie/emailAddress=j...@joachim.cc ok
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getmobike: mobike
> config_getfragmentation: no fragmentation
> spi=0x35fb3f73a0a70b49: recv IKE_SA_INIT req 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 928 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000
> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 928 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704
> ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE spisize 0 xforms 35 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE spisize 0 xforms 37 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x35fb3f73a0a70b49 0x0000000000000000 5.6.7.8:52409
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x35fb3f73a0a70b49 0x0000000000000000 1.2.3.4:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
> ikev2_pld_notify: fragmentation disabled
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> ikev2_sa_negotiate: score 0
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> spi=0x35fb3f73a0a70b49: ikev2_sa_responder_dh: want dh MODP_2048, KE has ECP_256
> spi=0x35fb3f73a0a70b49: ikev2_resp_recv: failed to negotiate IKE SA
> spi=0x35fb3f73a0a70b49: ikev2_add_error: INVALID_KE_PAYLOAD
> ikev2_add_error: done
> ikev2_next_payload: length 10 nextpayload NONE
> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x56bdae3b5afb6def nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 38 response 1
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
> ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
> spi=0x35fb3f73a0a70b49: send IKE_SA_INIT res 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 38 bytes
> spi=0x35fb3f73a0a70b49: sa_state: SA_INIT -> CLOSED from any to any policy 'policy1'
> config_free_proposals: free 0x29c15330b80
> config_free_proposals: free 0x29bd54c0d00
> spi=0x35fb3f73a0a70b49: recv IKE_SA_INIT req 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 1120 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000
> sa_free: ispi 0x35fb3f73a0a70b49 rspi 0x56bdae3b5afb6def
> config_free_proposals: free 0x29bff353800
> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1120 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704
> ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE spisize 0 xforms 35 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE spisize 0 xforms 37 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32>
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x35fb3f73a0a70b49 0x0000000000000000 5.6.7.8:52409
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x35fb3f73a0a70b49 0x0000000000000000 1.2.3.4:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
> ikev2_pld_notify: fragmentation disabled
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> ikev2_sa_negotiate: score 0
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> spi=0x35fb3f73a0a70b49: ikev2_sa_keys: DHSECRET with 256 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0x35fb3f73a0a70b49: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x35fb3f73a0a70b49 0x5537f74b17c41bce 1.2.3.4:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x35fb3f73a0a70b49 0x5537f74b17c41bce 5.6.7.8:52409
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x35fb3f73a0a70b49: send IKE_SA_INIT res 0 peer 5.6.7.8:52409 local 1.2.3.4:500, 471 bytes
> config_free_proposals: free 0x29c15330200
> config_free_proposals: free 0x29bd54c0d80
> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local 1.2.3.4:4500, 1568 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
> ikev2_recv: updated SA to peer 5.6.7.8:51315 local 1.2.3.4:4500
> ikev2_pld_parse: header ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1568 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1540
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1504
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 7
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 14
> ikev2_pld_id: id FQDN/wookie length 10
> ikev2_pld_payloads: decrypted payload CERT nextpayload NOTIFY critical 0x00 length 999
> ikev2_pld_cert: type X509_CERT length 994
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload IDr critical 0x00 length 45
> ikev2_pld_certreq: type X509_CERT length 40
> ikev2_policy2id: srcid FQDN/vpn.example.com length 18
> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 22
> ikev2_pld_id: id FQDN/vpn.example.com length 18
> ikev2_pld_id: unexpected id payload
> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> sa_state: SA_INIT -> AUTH_REQUEST
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xc7402502
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.201.201.0 end 10.201.201.255
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
> ikev2_pld_notify: protoid NONE spisize 0 type ADDITIONAL_IP4_ADDRESS
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type IKEV2_MESSAGE_ID_SYNC_SUPPORTED
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> policy_lookup: peerid 'wookie'
> ikev2_msg_auth: responder auth data length 535
> ca_setauth: auth length 535
> ikev2_msg_auth: initiator auth data length 1184
> ikev2_msg_authverify: method SIG keylen 994 type X509_CERT
> _dsa_verify_init: signature scheme 0 selected
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
> spi=0x35fb3f73a0a70b49: sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x29c15330100
> ca_getreq: no valid local certificate found
> ca_setauth: auth length 256
> ca_validate_pubkey: public key does not match pubkeys/fqdn/wookie
> ca_x509_subjectaltname: FQDN/wookie
> ca_validate_cert: /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=wookie/emailAddress=j...@joachim.cc ok
> ikev2_getimsgdata: imsg 21 rspi 0x5537f74b17c41bce ispi 0x35fb3f73a0a70b49 initiator 0 sa valid type 0 data length 0
> ikev2_dispatch_cert: cert type NONE length 0, ignored
> ikev2_getimsgdata: imsg 26 rspi 0x5537f74b17c41bce ispi 0x35fb3f73a0a70b49 initiator 0 sa valid type 1 data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0038, require 0x003b cert,certvalid,auth,authvalid,sa
> spi=0x35fb3f73a0a70b49: sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x003a, require 0x003b cert,certvalid,auth,authvalid,sa
> spi=0x35fb3f73a0a70b49: sa_state: cannot switch: AUTH_SUCCESS -> VALID
> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local 1.2.3.4:4500, 1568 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local 1.2.3.4:4500, 1568 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local 1.2.3.4:4500, 1568 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
> spi=0x35fb3f73a0a70b49: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local 1.2.3.4:4500, 1568 bytes, policy 'policy1'
> ikev2_recv: ispi 0x35fb3f73a0a70b49 rspi 0x5537f74b17c41bce
> spi=0x9d3467359e3543b4: recv IKE_SA_INIT req 0 peer 5.6.7.8:56436
local > 1.2.3.4:500, 928 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0x0000000000000000 > ikev2_policy2id: srcid FQDN/vpn.example.com length 18 > ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0x0000000000000000 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 9 > 28 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704 > ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE > spisize 0 xforms 35 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_384_192 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > 
HMAC_SHA2_512_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE > spisize 0 xforms 37 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16 > 
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id 
AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72 > ikev2_pld_ke: dh group ECP_256 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length > 36 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0x9d3467359e3543b4 0x0000000000000000 > 5.6.7.8:56436 > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid 
NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0x9d3467359e3543b4 > 0x0000000000000000 1.2.3.4:500 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 8 > ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED > ikev2_pld_notify: fragmentation disabled > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 16 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > ikev2_pld_notify: signature hash SHA2_256 (2) > ikev2_pld_notify: signature hash SHA2_384 (3) > ikev2_pld_notify: signature hash SHA2_512 (4) > ikev2_pld_notify: signature hash <UNKNOWN:5> (5) > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED > sa_state: INIT -> SA_INIT > ikev2_sa_negotiate: score 4 > ikev2_sa_negotiate: score 0 > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 ) > spi=0x9d3467359e3543b4: ikev2_sa_responder_dh: want dh MODP_2048, KE has > ECP_256 > spi=0x9d3467359e3543b4: ikev2_resp_recv: failed to negotiate IKE SA > spi=0x9d3467359e3543b4: ikev2_add_error: INVALID_KE_PAYLOAD > ikev2_add_error: done > ikev2_next_payload: length 10 nextpayload NONE > ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0x1ee80c5b6e666ae6 > nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 > leng > th 38 response 1 > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10 > ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD > spi=0x9d3467359e3543b4: send IKE_SA_INIT res 0 peer 5.6.7.8:56436 local > 1.2.3.4:500, 38 bytes > spi=0x9d3467359e3543b4: sa_state: SA_INIT -> CLOSED from any to any > policy 'policy1' > config_free_proposals: free 0x29bff353600 > config_free_proposals: free 0x29c15330380 > spi=0x9d3467359e3543b4: recv IKE_SA_INIT req 0 peer 5.6.7.8:56436 local > 1.2.3.4:500, 
1120 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0x0000000000000000 > sa_free: ispi 0x9d3467359e3543b4 rspi 0x1ee80c5b6e666ae6 > config_free_proposals: free 0x29c15330f00 > ikev2_policy2id: srcid FQDN/vpn.example.com length 18 > ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0x0000000000000000 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 1 > 120 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 704 > ikev2_pld_sa: more 2 reserved 0 length 324 proposal #1 protoid IKE > spisize 0 xforms 35 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > 
HMAC_SHA2_384_192 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_512_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192 > ikev2_pld_sa: more 0 reserved 0 length 376 proposal #2 protoid IKE > spisize 0 xforms 37 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > 
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 
4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:32> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 > ikev2_pld_ke: dh group MODP_2048 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length > 36 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0x9d3467359e3543b4 0x0000000000000000 > 5.6.7.8:56436 > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT > ikev2_pld_payloads: payload NOTIFY 
nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0x9d3467359e3543b4 > 0x0000000000000000 1.2.3.4:500 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 8 > ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED > ikev2_pld_notify: fragmentation disabled > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 16 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > ikev2_pld_notify: signature hash SHA2_256 (2) > ikev2_pld_notify: signature hash SHA2_384 (3) > ikev2_pld_notify: signature hash SHA2_512 (4) > ikev2_pld_notify: signature hash <UNKNOWN:5> (5) > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED > sa_state: INIT -> SA_INIT > ikev2_sa_negotiate: score 4 > ikev2_sa_negotiate: score 0 > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 ) > spi=0x9d3467359e3543b4: ikev2_sa_keys: DHSECRET with 256 bytes > ikev2_sa_keys: SKEYSEED with 32 bytes > spi=0x9d3467359e3543b4: ikev2_sa_keys: S with 80 bytes > ikev2_prfplus: T1 with 32 bytes > ikev2_prfplus: T2 with 32 bytes > ikev2_prfplus: T3 with 32 bytes > ikev2_prfplus: T4 with 32 bytes > ikev2_prfplus: T5 with 32 bytes > ikev2_prfplus: T6 with 32 bytes > ikev2_prfplus: T7 with 32 bytes > ikev2_prfplus: Tn with 224 bytes > ikev2_sa_keys: SK_d with 32 bytes > ikev2_sa_keys: SK_ai with 32 bytes > ikev2_sa_keys: SK_ar with 32 bytes > ikev2_sa_keys: SK_ei with 32 bytes > ikev2_sa_keys: SK_er with 32 bytes > ikev2_sa_keys: SK_pi with 32 bytes > ikev2_sa_keys: SK_pr with 32 bytes > ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation > ikev2_add_proposals: length 44 > ikev2_next_payload: length 48 nextpayload KE > ikev2_next_payload: length 264 nextpayload NONCE > 
ikev2_next_payload: length 36 nextpayload NOTIFY > ikev2_nat_detection: local source 0x9d3467359e3543b4 0xe5fa736e6c7143e4 > 1.2.3.4:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_nat_detection: local destination 0x9d3467359e3543b4 > 0xe5fa736e6c7143e4 5.6.7.8:56436 > ikev2_next_payload: length 28 nextpayload CERTREQ > ikev2_add_certreq: type X509_CERT length 21 > ikev2_next_payload: length 25 nextpayload NOTIFY > ikev2_next_payload: length 14 nextpayload NONE > ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length > 4 > 71 response 1 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 > ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 > ikev2_pld_ke: dh group MODP_2048 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length > 36 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 > length 25 > ikev2_pld_certreq: type X509_CERT length 20 > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > spi=0x9d3467359e3543b4: send 
IKE_SA_INIT res 0 peer 5.6.7.8:56436 local > 1.2.3.4:500, 471 bytes > config_free_proposals: free 0x29c15330800 > config_free_proposals: free 0x29bff353c80 > spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local > 1.2.3.4:4500, 1568 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 > ikev2_recv: updated SA to peer 5.6.7.8:51315 local 1.2.3.4:4500 > ikev2_pld_parse: header ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length > 1568 > response 0 > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1540 > ikev2_msg_decrypt: IV length 16 > ikev2_msg_decrypt: encrypted payload length 1504 > ikev2_msg_decrypt: integrity checksum length 16 > ikev2_msg_decrypt: integrity check succeeded > ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 7 > ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 > length 14 > ikev2_pld_id: id FQDN/wookie length 10 > ikev2_pld_payloads: decrypted payload CERT nextpayload NOTIFY critical > 0x00 length 999 > ikev2_pld_cert: type X509_CERT length 994 > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ > critical 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT > ikev2_pld_payloads: decrypted payload CERTREQ nextpayload IDr critical > 0x00 length 45 > ikev2_pld_certreq: type X509_CERT length 40 > ikev2_policy2id: srcid FQDN/vpn.example.com length 18 > sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 ) > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 > length 22 > ikev2_pld_id: id FQDN/vpn.example.com length 18 > ikev2_pld_id: unexpected id payload > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 > length 280 > ikev2_pld_auth: method SIG length 272 > sa_state: SA_INIT -> AUTH_REQUEST > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 44 > 
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP > spisize 4 xforms 3 spi 0xc46c24f0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 > length 24 > ikev2_pld_ts: count 1 length 16 > ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 > endport 65535 > ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255 > ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical > 0x00 length 24 > ikev2_pld_ts: count 1 length 16 > ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 > endport 65535 > ikev2_pld_ts: start 10.201.201.0 end 10.201.201.255 > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical > 0x00 length 12 > ikev2_pld_notify: protoid NONE spisize 0 type ADDITIONAL_IP4_ADDRESS > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type > IKEV2_MESSAGE_ID_SYNC_SUPPORTED > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > policy_lookup: peerid 'wookie' > ikev2_msg_auth: responder auth data length 535 > ca_setauth: auth length 535 > ikev2_msg_auth: initiator auth data length 1184 > ikev2_msg_authverify: method SIG keylen 994 type X509_CERT > _dsa_verify_init: signature scheme 0 selected > ikev2_msg_authverify: authentication successful > sa_state: AUTH_REQUEST -> AUTH_SUCCESS > sa_stateflags: 0x0024 -> 0x0034 
certreq,authvalid,sa (required 0x003b > cert,certvalid,auth,authvalid,sa) > ikev2_sa_negotiate: score 4 > sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b > cert,certvalid,auth,authvalid,sa) > sa_stateok: VALID flags 0x0030, require 0x003b > cert,certvalid,auth,authvalid,sa > spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS -> VALID > config_free_proposals: free 0x29bd54c0080 > ca_getreq: no valid local certificate found > ca_setauth: auth length 256 > ca_validate_pubkey: public key does not match pubkeys/fqdn/wookie > ca_x509_subjectaltname: FQDN/wookie > ca_validate_cert: > > /C=FR/ST=Ile-de-France/L=Paris/O=puffvpn/OU=iked/CN=wookie/emailAddress=j...@joachim.cc > ok > ikev2_getimsgdata: imsg 21 rspi 0xe5fa736e6c7143e4 ispi > 0x9d3467359e3543b4 initiator 0 sa valid type 0 data length 0 > ikev2_dispatch_cert: cert type NONE length 0, ignored > ikev2_getimsgdata: imsg 26 rspi 0xe5fa736e6c7143e4 ispi > 0x9d3467359e3543b4 initiator 0 sa valid type 1 data length 256 > ikev2_dispatch_cert: AUTH type 1 len 256 > sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required > 0x003b cert,certvalid,auth,authvalid,sa) > sa_stateok: VALID flags 0x0038, require 0x003b > cert,certvalid,auth,authvalid,sa > spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS -> VALID > ikev2_dispatch_cert: peer certificate is valid > sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa > (required 0x003b cert,certvalid,auth,authvalid,sa) > sa_stateok: VALID flags 0x003a, require 0x003b > cert,certvalid,auth,authvalid,sa > spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS -> VALID > spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local > 1.2.3.4:4500, 1568 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 > spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local > 1.2.3.4:4500, 1568 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 
0xe5fa736e6c7143e4 > spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:51315 local > 1.2.3.4:4500, 1568 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 > spi=0x9d3467359e3543b4: recv IKE_AUTH req 1 peer 5.6.7.8:55315 local > 1.2.3.4:4500, 1568 bytes, policy 'policy1' > ikev2_recv: ispi 0x9d3467359e3543b4 rspi 0xe5fa736e6c7143e4 > > >
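The repeated "sa_stateok: VALID flags 0x003a, require 0x003b" lines in the quoted log can be decoded mechanically: the responder lists which flag bits it has and which it needs, and the difference names what is blocking the AUTH_SUCCESS -> VALID transition. The script below is an added example, not code from iked or from anyone in this thread; the bit-to-name table is inferred from the sa_stateflags transitions the log prints (0x0020 adds "sa", 0x0004 "certreq", 0x0010 "authvalid", 0x0008 "auth", 0x0002 "certvalid", leaving 0x0001 for "cert") and is an assumption, not taken from the iked source.

```python
import re

# Flag bit names inferred from the sa_stateflags transitions in the quoted
# log; an assumption about iked's naming, not copied from its source.
SA_FLAGS = {
    0x0001: "cert",
    0x0002: "certvalid",
    0x0004: "certreq",
    0x0008: "auth",
    0x0010: "authvalid",
    0x0020: "sa",
}

STATEOK_RE = re.compile(
    r"sa_stateok: (?P<state>[A-Z_]+) flags (?P<have>0x[0-9a-fA-F]+), "
    r"require (?P<need>0x[0-9a-fA-F]+)"
)
# Literal line from the quoted log that explains a missing "cert" bit.
NO_LOCAL_CERT = "ca_getreq: no valid local certificate found"


def unquote(line):
    """Strip mail quoting ('> ' prefixes) so the iked line can be matched."""
    return re.sub(r"^(\s*>)+\s?", "", line)


def flag_names(mask):
    """Map a flag bitmask to the names iked prints, lowest bit first."""
    return [name for bit, name in sorted(SA_FLAGS.items()) if mask & bit]


def check_stateok(line):
    """Parse one sa_stateok line; return a dict, or None if it is not one."""
    m = STATEOK_RE.search(unquote(line))
    if m is None:
        return None
    have = int(m.group("have"), 16)
    need = int(m.group("need"), 16)
    return {
        "state": m.group("state"),
        "have": have,
        "need": need,
        "missing": flag_names(need & ~have),
    }


def diagnose(log_text):
    """Scan a (possibly mail-quoted) iked log and explain failed state checks.

    Returns a list of (target_state, missing_flag_names, hint) tuples. The
    hint is only filled in for the one cause this particular log shows.
    """
    lines = [unquote(ln) for ln in log_text.splitlines()]
    saw_no_local_cert = any(NO_LOCAL_CERT in ln for ln in lines)
    findings = []
    for line in lines:
        r = check_stateok(line)
        if r is None or not r["missing"]:
            continue
        hint = ""
        if "cert" in r["missing"] and saw_no_local_cert:
            # Reading of the log, not a statement from the iked source: the
            # cert bit stands for the responder's own certificate for its
            # srcid, and ca_getreq reported none was found, so it never sets.
            hint = ("responder has no usable local certificate for its srcid; "
                    "the SA can never reach VALID")
        findings.append((r["state"], r["missing"], hint))
    return findings


# Constructed sample: a few lines copied from the quoted log above, still
# carrying the mail quote prefix.
SAMPLE_LOG = """\
> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x003b
> cert,certvalid,auth,authvalid,sa
> spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ca_getreq: no valid local certificate found
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateok: VALID flags 0x003a, require 0x003b
> cert,certvalid,auth,authvalid,sa
> spi=0x9d3467359e3543b4: sa_state: cannot switch: AUTH_SUCCESS -> VALID
"""

if __name__ == "__main__":
    for state, missing, hint in diagnose(SAMPLE_LOG):
        print(f"cannot enter {state}: missing {','.join(missing)}"
              + (f" ({hint})" if hint else ""))
```

On the sample the last check reports only "cert" missing, which is the one bit the log never shows being set.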