Hi, I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with macOS without issue. Changing to EAP MSCHAP for use with Windows results in the following error:

"The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections."

I’ve worked through many examples online, but I’m not sure what's the next step to troubleshoot this?

Thanks!

# uname -rsv
OpenBSD 6.8 GENERIC.MP#2

#
# iked.conf
#
ikev2 "vpn-psk" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local egress peer any \
        srcid vpn.company.com \
        eap "mschap-v2" \
        config address 10.0.2.0/24 \
        config netmask 255.255.0.0 \
        config name-server 10.0.0.1 \
        tag "$name-$id"

# Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.

#
# Generate certificates
#
pkg_add zip
ikectl ca vpn create
ikectl ca vpn install

# CN should be same as srcid in iked.conf
ikectl ca vpn certificate vpn.company.com create
ikectl ca vpn certificate vpn.company.com install

# CN should be same as client ip address
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export

#
# Windows config
#
- VPN device
  - General tab
    - Server: vpn.company.com
  - Security tab
    - VPN type: IKEv2
    - Authentication: Use machine certificates
- Certs install
  - ca.crt --> Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates
  - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates

#
# iked log
#
doas iked -dvv
create_ike: using signature for peer
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user windows
user "windows" "password"
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpfkey: received pfkey fd 3
ca_getkey: received private key type RSA_KEY length 1192
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 10.0.0.1.crt
ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer mismatch
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
policy_lookup: setting policy 'vpn-eap'
spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:56819 local 23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 624 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x804dbcb818c0c11e 0x0000000000000000 166.70.94.161:56819
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x804dbcb818c0c11e 0x0000000000000000 23.30.51.129:500
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 41
proposals_negotiate: score 32
proposals_negotiate: score 29
proposals_negotiate: score 20
proposals_negotiate: score 33
proposals_negotiate: score 24
policy_lookup: setting policy 'vpn-eap'
spi=0x804dbcb818c0c11e: sa_state: INIT -> SA_INIT
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 41
proposals_negotiate: score 32
proposals_negotiate: score 29
proposals_negotiate: score 20
proposals_negotiate: score 33
proposals_negotiate: score 24
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0x804dbcb818c0c11e: ikev2_sa_keys: DHSECRET with 128 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x804dbcb818c0c11e: ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x804dbcb818c0c11e 0x6f4965951700d887 23.AAA.AAA.129:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x804dbcb818c0c11e 0x6f4965951700d887 166.BBB.BBB.161:56819
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 329 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
spi=0x804dbcb818c0c11e: send IKE_SA_INIT res 0 peer 166.BBB.BBB.161:56819 local 23.AAA.AAA.129:500, 329 bytes
config_free_proposals: free 0x70869600
config_free_proposals: free 0x4db805c0
config_free_proposals: free 0x70869540
config_free_proposals: free 0x70869c80
config_free_proposals: free 0x4a03f800
config_free_proposals: free 0x4a03ff00
spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.70.94.161:61645 local 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887
ikev2_recv: updated SA to peer 166.70.94.161:61645 local 23.AAA.AAA.129:4500
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2560 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2532
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 2496
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 2496/2496 padding 9
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 184
ikev2_pld_id: id ASN1_DN//C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com length 180
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1081
ikev2_pld_cert: type X509_CERT length 1076
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 705
ikev2_pld_certreq: type X509_CERT length 700
ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
ikev2_pld_cp: type REQUEST length 28
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 80
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x47a03160
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x47a03160
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
ikev2_pld_tss: count 2 length 56
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
ikev2_pld_tss: count 2 length 56
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_handle_notifies: mobike enabled
sa_stateok: SA_INIT flags 0x0000, require 0x0000
spi=0x804dbcb818c0c11e: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid '/C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com'
proposals_negotiate: score 0
proposals_negotiate: score 20
policy_lookup: setting policy 'vpn-eap'
ikev2_policy2id: srcid FQDN/vpn.company.com length 21
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_msg_auth: responder auth data length 409
ca_setauth: switching SIG to RSA_SIG(*)
ca_setauth: auth length 409
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 13
proposals_negotiate: score 0
sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
config_free_proposals: free 0x4db80100
config_free_proposals: free 0x70869f40
ca_getreq: found CA /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
ca_x509_subjectaltname_do: did not find subjectAltName in certificate
ca_x509_subjectaltname_do: did not find subjectAltName in certificate
spi=0x804dbcb818c0c11e: ca_getreq: no valid local certificate found for FQDN/vpn.company.com
spi=0x804dbcb818c0c11e: ca_getreq: issuer: /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
spi=0x804dbcb818c0c11e: ca_getreq: serial: 01
spi=0x804dbcb818c0c11e: ca_getreq: subject: /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
spi=0x804dbcb818c0c11e: ca_getreq: altname: IPV4/10.0.0.1
ca_x509_subjectaltname_do: did not find subjectAltName in certificate
spi=0x804dbcb818c0c11e: ca_getreq: using local public key of type RSA_KEY
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 22 rspi 0x6f4965951700d887 ispi 0x804dbcb818c0c11e initiator 0 sa valid type 11 data length 270
ikev2_dispatch_cert: cert type RSA_KEY length 270, ok
sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_getimsgdata: imsg 28 rspi 0x6f4965951700d887 ispi 0x804dbcb818c0c11e initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com ok
ikev2_getimsgdata: imsg 23 rspi 0x6f4965951700d887 ispi 0x804dbcb818c0c11e initiator 0 sa valid type 4 data length 1076
ikev2_msg_auth: initiator auth data length 688
ikev2_msg_authverify: method RSA_SIG keylen 1076 type X509_CERT
ikev2_msg_authverify: authentication successful
spi=0x804dbcb818c0c11e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateok: VALID flags 0x0039, require 0x0079 cert,auth,authvalid,sa,eapvalid
spi=0x804dbcb818c0c11e: sa_state: cannot switch: AUTH_SUCCESS -> VALID
spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.BBB.BBB.161:61645 local 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887
spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.BBB.BBB.161:61645 local 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887
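
Added example, not part of the original post: each `sa_stateflags` line in the log above prints the flags iked has set next to the flags the policy requires, so a small awk filter can report what is still missing when the SA cannot switch to VALID. `missing_sa_flags` and `sample_log` are hypothetical names, the sample lines are copied from the log above, and the script assumes the log covers a single handshake.

```sh
#!/bin/sh
# Added example: summarise why an iked SA did not reach VALID.
# Assumes `iked -dvv` output for a single handshake on stdin, in the
# line formats shown in the post; missing_sa_flags is a hypothetical helper.

missing_sa_flags() {
    awk '
    /sa_stateflags:/ && /\(required / {
        # Flag names set so far: text between the new hex value and "(required".
        cur = $0
        sub(/^.*-> 0x[0-9a-fA-F]+ /, "", cur)
        sub(/ *\(required.*$/, "", cur)
        # Flag names the policy requires: text inside "(required 0x.... ...)".
        req = $0
        sub(/^.*\(required 0x[0-9a-fA-F]+ */, "", req)
        sub(/\).*$/, "", req)
        seen = 1
    }
    /sa_state: cannot switch: / {
        # Remember the state transition that iked refused.
        blocked = $0
        sub(/^.*cannot switch: /, "", blocked)
    }
    END {
        if (!seen) { print "no sa_stateflags lines found"; exit 2 }
        # Compare the last reported flag set against the required set.
        n = split(cur, c, ",")
        for (i = 1; i <= n; i++) have[c[i]] = 1
        m = split(req, r, ",")
        out = ""
        for (i = 1; i <= m; i++)
            if (!(r[i] in have)) out = out (out == "" ? "" : ",") r[i]
        line = "missing: " (out == "" ? "none" : out)
        if (blocked != "") line = line "; blocked: " blocked
        print line
    }'
}

# Sample input: lines copied from the iked log in the post.
sample_log() {
    cat <<'EOF'
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateok: VALID flags 0x0039, require 0x0079 cert,auth,authvalid,sa,eapvalid
spi=0x804dbcb818c0c11e: sa_state: cannot switch: AUTH_SUCCESS -> VALID
EOF
}

sample_log | missing_sa_flags
```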