First Client1 (1.1.1.1) dials in from the T-Mobile network, and then Client2 (2.2.2.2) from the Unitymedia cable connection, to the router (9.9.9.9) on the Telekom DSL line. Maybe a complete trace is more helpful.
USER1
Code:
[VPN-Debug] 2020/01/18 14:18:14,167 Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---1.1.1.1:500 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86832, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 500
+No IKE_SA found
[VPN-Status] 2020/01/18 14:18:14,167 Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
No NOTIFY(COOKIE) found
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B504E4043DB4E77B8F) entered to SADB
Received 3 notifications:
+IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
+NAT_DETECTION_SOURCE_IP(0xFA38556867E290E8C81D053D03192816B4585793) (STATUS)
+NAT_DETECTION_DESTINATION_IP(0x9482D1F21269432556A99E6CD7FEA18D933D66AC) (STATUS)
[VPN-Debug] 2020/01/18 14:18:14,167 Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->1.1.1.1:500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE)
[VPN-Status] 2020/01/18 14:18:14,167 Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Adding COOKIE(0x153DDA3BE2BC5F82)
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->1.1.1.1:500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
[VPN-Debug] 2020/01/18 14:18:14,167 Devicetime: 2020/01/18 14:18:13,349
IKE-TRANSPORT freed
[VPN-Status] 2020/01/18 14:18:14,167 Devicetime: 2020/01/18 14:18:13,349
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B50000000000000000) removed from SADB
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B50000000000000000) freed
[VPN-Debug] 2020/01/18 14:18:14,214 Devicetime: 2020/01/18 14:18:13,453
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE), SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---1.1.1.1:500 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 500
+No IKE_SA found
Counting consumed licenses by active channels...
Consumed connected licenses : 0
Negotiating connections : 0
IKE negotiations : 0
MPPE connections : 0
Licenses in use : 0 < 25
+Passive connection request accepted (87 micro seconds)
Looking for payload VENDOR (43)...Found 4 payloads.
+Windows-8
+FB1DE3CDF341B7EA16B7E5BE0855F120
+26244D38EDDB61B3172A36E3D0CFB819
+01528BBBC00696121849AB9A1C5B2A5100000002
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
+Computing SHA1(0x34541AA277DB85B50000000000000000|1.1.1.1:500)
+Computing SHA1(0x34541AA277DB85B5000000000000000050BB6A9001F4)
+Computed: 0x28B2EEE0286CCE1E7735BB681410E753437B25AD
+Received: 0xFA38556867E290E8C81D053D03192816B4585793
+Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
+Computing SHA1(0x34541AA277DB85B50000000000000000|9.9.9.9:500)
+Computing SHA1(0x34541AA277DB85B5000000000000000057BFB06501F4)
+Computed: 0x9482D1F21269432556A99E6CD7FEA18D933D66AC
+Received: 0x9482D1F21269432556A99E6CD7FEA18D933D66AC
+Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-384
+Received PRF transform(s): PRF-HMAC-SHA-384
+Best intersection: PRF-HMAC-SHA-384
+Config INTEG transform(s): HMAC-SHA-384
+Received INTEG transform(s): HMAC-SHA-384
+Best intersection: HMAC-SHA-384
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
Looking for payload NONCE (40)...Found 1 payload.
+Nonce length=48 bytes
+Nonce=0xF0AC424437016E9DD2864BC6E832C537386CC858276A559A5580297195E1C89B140501B25DAFA0740E19FF92C88CDDC5
+SA-DATA-Ni=0xF0AC424437016E9DD2864BC6E832C537386CC858276A559A5580297195E1C89B140501B25DAFA0740E19FF92C88CDDC5
[VPN-Status] 2020/01/18 14:18:14,214 Devicetime: 2020/01/18 14:18:13,453
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
+Received COOKIE is valid
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B5CE3452DEE1EDFD68) entered to SADB
Received 4 notifications:
+COOKIE(0x153DDA3BE2BC5F82) (STATUS)
+IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
+NAT_DETECTION_SOURCE_IP(0xFA38556867E290E8C81D053D03192816B4585793) (STATUS)
+NAT_DETECTION_DESTINATION_IP(0x9482D1F21269432556A99E6CD7FEA18D933D66AC) (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
IKE-Proposal-1 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-384
INTEG: HMAC-SHA-384
DH : 14
+Received KE-DH-Group 14 (2048 bits)
[VPN-Debug] 2020/01/18 14:18:14,323 Devicetime: 2020/01/18 14:18:13,500
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NONCE (40):
+Nonce length=32 bytes
+Nonce=0x4081445F8AAEBD5C26DCEC80DFB9F84F718088CB922105E21CB6C294148D58C1
+SA-DATA-Nr=0x4081445F8AAEBD5C26DCEC80DFB9F84F718088CB922105E21CB6C294148D58C1
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
+Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD68|9.9.9.9:500)
+Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD6857BFB06501F4)
+0xAA01E685AA5D8763B13CFB948F4DCB6EC5B07BCF
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
+Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD68|1.1.1.1:500)
+Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD6850BB6A9001F4)
+0x19A0A4C720F51CDF81A01CDD57B04F732ED17D30
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
+0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
+Peer does not support private notifications -> ignore
+Shared secret derived in 43637 micro seconds
IKE_SA(0x34541AA277DB85B5CE3452DEE1EDFD68).EXPECTED-MSG-ID raised to 1
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:4500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)
[VPN-Status] 2020/01/18 14:18:14,323 Devicetime: 2020/01/18 14:18:13,500
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
IKE-Proposal-1 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-384
INTEG: HMAC-SHA-384
DH : 14
+KE-DH-Group 14 (2048 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0x34541AA277DB85B5, responder cookie: 0xCE3452DEE1EDFD68
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer DEFAULT Encryption AES-CBC-256 Integrity AUTH-HMAC-SHA-384 IKE-DH-Group 14 PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:13 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:13 (in 86400 sec) / 2000000 kb
DPD: NONE
Negotiated: IKEV2_FRAGMENTATION
Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:4500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 0
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,627
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,628
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 1/7
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,628
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,628
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 2/7
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,630
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,630
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 3/7
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,631
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,631
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 4/7
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,633
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,633
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 5/7
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,634
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,634
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 6/7
[VPN-Debug] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,636
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 300 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
IKEv2-Fragment 1/7 decrypted successfully
IKEv2-Fragment 2/7 decrypted successfully
IKEv2-Fragment 3/7 decrypted successfully
IKEv2-Fragment 4/7 decrypted successfully
IKEv2-Fragment 5/7 decrypted successfully
IKEv2-Fragment 6/7 decrypted successfully
IKEv2-Fragment 7/7 decrypted successfully
[VPN-Status] 2020/01/18 14:18:14,370 Devicetime: 2020/01/18 14:18:13,636
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 300 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 7/7
[VPN-Debug] 2020/01/18 14:18:14,480 Devicetime: 2020/01/18 14:18:13,647
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3221 bytes
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(RSA:SHA1), NOTIFY(STATUS_MOBIKE_SUPPORTED), CP(REQUEST), SA, TSI, TSR
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---0.0.0.0/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload IDI (35)...Found 1 payload.
+Received-ID CN=USER1:DER_ASN1_DN matches the Expected-ID CN=USER1:DER_ASN1_DN
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-384
+Received PRF transform(s): PRF-HMAC-SHA-384
+Best intersection: PRF-HMAC-SHA-384
+Config INTEG transform(s): HMAC-SHA-384
+Received INTEG transform(s): HMAC-SHA-384
+Best intersection: HMAC-SHA-384
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
Looking for payload CERT(X509) (37)...Found 1 payload.
Subject: CN=USER1
Issuer : CN=LANCOM CA,O=LANCOM,C=DE
VPN_NATEL: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---0.0.0.0/32 port(0) protocol(0)
VPN_NATEL: DELETE MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload TSI (44)...Found 1 payload.
Looking for a connection...
Trying connection 0: ipsec-0-VPN_NATEL-pr0-l0-r0
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 192.168.10.114-192.168.10.114 )
Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Intersection:( 0, 0-65535, 192.168.10.114-192.168.10.114 )
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 192.168.10.114-192.168.10.114 )
Received TS :( 0, 0-65535, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-No intersection
Best :( 0, 0-65535, 192.168.10.114-192.168.10.114 )
+Valid intersection found
TSi: ( 0, 0-65535, 192.168.10.114-192.168.10.114 )
TSr: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+TSi OK.
Looking for payload TSR (45)...Found 1 payload.
Determining best intersection for TSr
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Intersection:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSr
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-No intersection
Best :( 0, 0-65535, 0.0.0.0-255.255.255.255)
+TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-GCM-16-256
+Received ENCR transform(s): AES-GCM-16-256
+Best intersection: AES-GCM-16-256
+Config ESN transform(s): NONE
+Received ESN transform(s): NONE
+Best intersection: NONE
[VPN-Status] 2020/01/18 14:18:14,480 Devicetime: 2020/01/18 14:18:13,647
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3221 bytes
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Updating remote port to 22505
Received 1 notification:
+MOBIKE_SUPPORTED (STATUS)
+Received-ID CN=USER1:DER_ASN1_DN matches the Expected-ID CN=USER1:DER_ASN1_DN
+Peer identified: VPN_NATEL
+Peer uses AUTH(RSA:SHA1)
+Authentication successful
Request attributes:
INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_DNS()
INTERNAL_IP4_NBNS()
INTERNAL_IP4_SERVER()
Assigned IPv4 config parameters:
IP: 192.168.10.114
DNS: 192.168.10.1, 192.168.200.254
Assigned IPv6 config parameters:
DNS: ::
TSi: ( 0, 0-65535, 192.168.10.114-192.168.10.114 )
TSr: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+CHILD-SA:
ESP-Proposal-1 Peer-SPI: 0x7D16E9E6 (2 transforms)
ENCR : AES-GCM-16-256
ESN : NONE
[VPN-Debug] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload CP(REPLY) (47):
+INTERNAL_IP4_DNS(192.168.10.1)
+INTERNAL_IP4_DNS(192.168.200.254)
+INTERNAL_IP4_ADDRESS(192.168.10.114)
Constructing payload NOTIFY(STATUS_INITIAL_CONTACT) (41):
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL SPI 0x8F39BC6F
KEY-NEWSA: SA successfully created and inserted into SADB:
State LARVAL Protocol ESP PID 0 refcnt 1 Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
IKE_SA(0x34541AA277DB85B5CE3452DEE1EDFD68).EXPECTED-MSG-ID raised to 2
KEY-PARSE: Received SADB_ADD/SADB_SATYPE_ESP
KEY-NEWSA: SA successfully created and inserted into SADB:
State LARVAL Protocol ESP PID 0 refcnt 1 Hard-Timeout in 14400 sec (key_hard_event) Soft-Timeout in 12960 sec
KEY-SA-STATE-CHANGE: LARVAL->MATURE
KEY-ADD: Peer VPN_NATEL handle 61 outgoing UDP-SPI 0x7D16E9E6 NAT-T 0.0.0.0/0---9.9.9.9:4500===1.1.1.1:22505---192.168.10.114/32 Hard-Timeout in 14400 sec (key_hard_event) Soft-Timeout in 12960 sec
IPSEC-SEND-UP
KEY-PARSE: Received SADB_UPDATE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: LARVAL->MATURE
SA-STORE: refcnt 2
KEY-UPDATE: Peer VPN_NATEL handle 61 incoming UDP-SPI 0x8F39BC6F NAT-T 192.168.10.114/32---1.1.1.1:22505===9.9.9.9:4500---0.0.0.0/0 Hard-Timeout in 14400 sec (key_hard_event) Soft-Timeout in 12960 sec
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---192.168.10.114/32 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL OUTBOUND PROTOCOL_ANY 0.0.0.0/0<->192.168.10.114/32
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL INBOUND PROTOCOL_ANY 192.168.10.114/32<->0.0.0.0/0
IPSEC-SEND-UP
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:22505, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes
Payloads: IDR, CERT(X509), AUTH(RSA:SHA1), CP(REPLY), TSI, TSR, NOTIFY(STATUS_INITIAL_CONTACT), SA
[VPN-Status] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID CN=gw.test.com:DER_ASN1_DN
+Peer does not support Digital-Signature Authentication (RFC-7427).
+Fallback from RSAEncryption on RSA Digital Signature (1)
+I use AUTH(RSA:SHA1)
+Signature of length 512 bytes (4096 bits) computed
IKE_SA_INIT [responder] for peer VPN_NATEL initiator id CN=USER1, responder id CN=gw.test.com
initiator cookie: 0x34541AA277DB85B5, responder cookie: 0xCE3452DEE1EDFD68
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer VPN_NATEL Encryption AES-CBC-256 Integrity AUTH-HMAC-SHA-384 IKE-DH-Group 14 PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:13 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:13 (in 86400 sec) / 2000000 kb
DPD: 30 sec
Negotiated: IKEV2_FRAGMENTATION
Reply attributes:
INTERNAL_IP4_DNS(192.168.10.1)
INTERNAL_IP4_DNS(192.168.200.254)
INTERNAL_IP4_ADDRESS(192.168.10.114)
+TSi 0: ( 0, 0-65535, 192.168.10.114-192.168.10.114 )
+TSr 0: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+CHILD-SA:
ESP-Proposal-1 My-SPI: 0x8F39BC6F (2 transforms)
ENCR : AES-GCM-16-256
ESN : NONE
Encrypted message is too big (2136 bytes) -> should be ikev2 fragmented (MTU 588)
CHILD_SA [responder] done with 2 SAS for peer VPN_NATEL rule IPSEC-0-VPN_NATEL-PR0-L0-R0
9.9.9.9:4500-->1.1.1.1:22505, Routing tag 0, Com-channel 61
rule:' ipsec 0.0.0.0/0 <-> 192.168.10.114/32
outgoing SA ESP [0x7D16E9E6] Authenticated-Encryption AES-GCM-16-256 PFS-DH-Group None ESN None
incoming SA ESP [0x8F39BC6F] Authenticated-Encryption AES-GCM-16-256 PFS-DH-Group None ESN None
life time soft 01/18/2020 17:54:13 (in 12960 sec) / 1800000 kb
life time hard 01/18/2020 18:18:13 (in 14400 sec) / 2000000 kb
tunnel between src: 9.9.9.9 dst: 1.1.1.1
Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:22505, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes
[VPN-Debug] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
[VPN-Status] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,920
set_ip_transport for VPN_NATEL: [id: 86836, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0]
[VPN-Status] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,920
VPN: WAN state changed to WanCalled for VPN_NATEL (1.1.1.1), called by: 01f48f28
[VPN-Status] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,921
vpn-maps[61], remote: VPN_NATEL, nego, static-name, connected-by-name
[VPN-Status] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,921
VPN: wait for IKE negotiation from VPN_NATEL (1.1.1.1)
[VPN-Status] 2020/01/18 14:18:14,714 Devicetime: 2020/01/18 14:18:13,921
VPN: WAN state changed to WanProtocol for VPN_NATEL (1.1.1.1), called by: 01f48f28
[VPN-Debug] 2020/01/18 14:18:14,808 Devicetime: 2020/01/18 14:18:14,106
cryptaccess register nr:13
[VPN-Status] 2020/01/18 14:18:15,643 Devicetime: 2020/01/18 14:18:14,928
VPN: VPN_NATEL connected
[VPN-Status] 2020/01/18 14:18:15,643 Devicetime: 2020/01/18 14:18:14,928
VPN: WAN state changed to WanConnect for VPN_NATEL (1.1.1.1), called by: 01f48f28
[VPN-Status] 2020/01/18 14:18:15,643 Devicetime: 2020/01/18 14:18:14,928
vpn-maps[61], remote: VPN_NATEL, connected, static-name, connected-by-name
Code:
[VPN-Debug] 2020/01/18 14:18:25,374 Devicetime: 2020/01/18 14:18:24,610
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---2.2.2.2:65024 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86840, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 65024
+No IKE_SA found
[VPN-Status] 2020/01/18 14:18:25,374 Devicetime: 2020/01/18 14:18:24,610
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
No NOTIFY(COOKIE) found
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E281BAD0BC88CA5079E) entered to SADB
Received 3 notifications:
+IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
+NAT_DETECTION_SOURCE_IP(0xB508BB875F4BFAA9980B61AC3EF9F88E1D503689) (STATUS)
+NAT_DETECTION_DESTINATION_IP(0x7A6026CE384969A2F2088E5B686521260EEF088F) (STATUS)
[VPN-Debug] 2020/01/18 14:18:25,374 Devicetime: 2020/01/18 14:18:24,611
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->2.2.2.2:65024, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE)
[VPN-Status] 2020/01/18 14:18:25,374 Devicetime: 2020/01/18 14:18:24,611
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Adding COOKIE(0x1501EA49A95C3098)
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->2.2.2.2:65024, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
[VPN-Debug] 2020/01/18 14:18:25,374 Devicetime: 2020/01/18 14:18:24,611
IKE-TRANSPORT freed
[VPN-Status] 2020/01/18 14:18:25,374 Devicetime: 2020/01/18 14:18:24,611
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E280000000000000000) removed from SADB
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E280000000000000000) freed
[VPN-Debug] 2020/01/18 14:18:25,421 Devicetime: 2020/01/18 14:18:24,661
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE), SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---2.2.2.2:65024 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 65024
+No IKE_SA found
Counting consumed licenses by active channels...
1: (VPN_NATEL , 1.1.1.1 , ikev2) : no DEVICE-ID -> 1
Consumed connected licenses : 1
Negotiating connections : 0
IKE negotiations : 0
MPPE connections : 0
Licenses in use : 1 < 25
+Passive connection request accepted (99 micro seconds)
Looking for payload VENDOR (43)...Found 4 payloads.
+Windows-8
+FB1DE3CDF341B7EA16B7E5BE0855F120
+26244D38EDDB61B3172A36E3D0CFB819
+01528BBBC00696121849AB9A1C5B2A5100000002
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
+Computing SHA1(0xA4291BFF05C17E280000000000000000|2.2.2.2:65024)
+Computing SHA1(0xA4291BFF05C17E28000000000000000025C92EBFFE00)
+Computed: 0x9848BDBE764FDB97DDD5E7FADE286ADB2FA387D5
+Received: 0xB508BB875F4BFAA9980B61AC3EF9F88E1D503689
+Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
+Computing SHA1(0xA4291BFF05C17E280000000000000000|9.9.9.9:500)
+Computing SHA1(0xA4291BFF05C17E28000000000000000057BFB06501F4)
+Computed: 0x7A6026CE384969A2F2088E5B686521260EEF088F
+Received: 0x7A6026CE384969A2F2088E5B686521260EEF088F
+Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-384
+Received PRF transform(s): PRF-HMAC-SHA-384
+Best intersection: PRF-HMAC-SHA-384
+Config INTEG transform(s): HMAC-SHA-384
+Received INTEG transform(s): HMAC-SHA-384
+Best intersection: HMAC-SHA-384
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
Looking for payload NONCE (40)...Found 1 payload.
+Nonce length=48 bytes
+Nonce=0x10C4B0302F464C9630FA1D5A48B94D67068097FFBAE20783985E2A402BCA7D0E79995A1DFDF4A7F508CBD0CD4AB83257
+SA-DATA-Ni=0x10C4B0302F464C9630FA1D5A48B94D67068097FFBAE20783985E2A402BCA7D0E79995A1DFDF4A7F508CBD0CD4AB83257
[VPN-Status] 2020/01/18 14:18:25,421 Devicetime: 2020/01/18 14:18:24,661
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
+Received COOKIE is valid
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E28DA0375CABD5748C6) entered to SADB
Received 4 notifications:
+COOKIE(0x1501EA49A95C3098) (STATUS)
+IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
+NAT_DETECTION_SOURCE_IP(0xB508BB875F4BFAA9980B61AC3EF9F88E1D503689) (STATUS)
+NAT_DETECTION_DESTINATION_IP(0x7A6026CE384969A2F2088E5B686521260EEF088F) (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
IKE-Proposal-1 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-384
INTEG: HMAC-SHA-384
DH : 14
+Received KE-DH-Group 14 (2048 bits)
[VPN-Debug] 2020/01/18 14:18:25,484 Devicetime: 2020/01/18 14:18:24,709
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NONCE (40):
+Nonce length=32 bytes
+Nonce=0x4213E8F9CA4E14D28AE4E0A50930E63B4497F7F87561C4C070AD7DD35F98D1E5
+SA-DATA-Nr=0x4213E8F9CA4E14D28AE4E0A50930E63B4497F7F87561C4C070AD7DD35F98D1E5
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
+Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C6|9.9.9.9:500)
+Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C657BFB06501F4)
+0x4A6089BA085C6202A42A3881149888056CFE26A4
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
+Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C6|2.2.2.2:65024)
+Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C625C92EBFFE00)
+0xA4D8A37C6EA3FA803F7F32069B67BAB1B0022CA7
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
+0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
+Peer does not support private notifications -> ignore
+Shared secret derived in 43636 micro seconds
IKE_SA(0xA4291BFF05C17E28DA0375CABD5748C6).EXPECTED-MSG-ID raised to 1
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:4500, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)
[VPN-Status] 2020/01/18 14:18:25,484 Devicetime: 2020/01/18 14:18:24,709
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
IKE-Proposal-1 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-384
INTEG: HMAC-SHA-384
DH : 14
+KE-DH-Group 14 (2048 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0xA4291BFF05C17E28, responder cookie: 0xDA0375CABD5748C6
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer DEFAULT Encryption AES-CBC-256 Integrity AUTH-HMAC-SHA-384 IKE-DH-Group 14 PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:24 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:24 (in 86400 sec) / 2000000 kb
DPD: NONE
Negotiated: IKEV2_FRAGMENTATION
Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:4500, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 0
[VPN-Debug] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,786
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,786
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 1/6
[VPN-Debug] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,787
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,787
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 2/6
[VPN-Debug] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,788
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,788
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 3/6
[VPN-Debug] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,789
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,789
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 4/6
[VPN-Debug] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,790
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
[VPN-Status] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,790
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 5/6
[VPN-Debug] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,791
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
IKEv2-Fragment 1/6 decrypted successfully
IKEv2-Fragment 2/6 decrypted successfully
IKEv2-Fragment 3/6 decrypted successfully
IKEv2-Fragment 4/6 decrypted successfully
IKEv2-Fragment 5/6 decrypted successfully
IKEv2-Fragment 6/6 decrypted successfully
[VPN-Status] 2020/01/18 14:18:25,531 Devicetime: 2020/01/18 14:18:24,791
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 6/6
[VPN-Debug] 2020/01/18 14:18:25,593 Devicetime: 2020/01/18 14:18:24,803
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3003 bytes
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(RSA:SHA1), NOTIFY(STATUS_MOBIKE_SUPPORTED), CP(REQUEST), SA, TSI, TSR
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload IDI (35)...Found 1 payload.
Compare: -Received-ID CN=USER2:DER_ASN1_DN != Expected-ID CN=USER1:DER_ASN1_DN
Compare: -Received-ID CN=USER2:DER_ASN1_DN != Expected-ID CN=USER1:DER_ASN1_DN
+Received-ID CN=USER2:DER_ASN1_DN matches the Expected-ID CN=USER2:DER_ASN1_DN
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-384
+Received PRF transform(s): PRF-HMAC-SHA-384
+Best intersection: PRF-HMAC-SHA-384
+Config INTEG transform(s): HMAC-SHA-384
+Received INTEG transform(s): HMAC-SHA-384
+Best intersection: HMAC-SHA-384
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
Looking for payload CERT(X509) (37)...Found 1 payload.
Subject: CN=USER2
Issuer : CN=LANCOM CA,O=LANCOM,C=DE
VPN_NATEL: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: DELETE MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload TSI (44)...Found 1 payload.
Looking for a connection...
Trying connection 0: ipsec-0-VPN_NATEL-pr0-l0-r0
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 192.168.10.114-192.168.10.114 )
Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Intersection:( 0, 0-65535, 192.168.10.114-192.168.10.114 )
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 192.168.10.114-192.168.10.114 )
Received TS :( 0, 0-65535, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-No intersection
Best :( 0, 0-65535, 192.168.10.114-192.168.10.114 )
+Valid intersection found
TSi: ( 0, 0-65535, 192.168.10.114-192.168.10.114 )
TSr: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+TSi OK.
Looking for payload TSR (45)...Found 1 payload.
Determining best intersection for TSr
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Intersection:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSr
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-No intersection
Best :( 0, 0-65535, 0.0.0.0-255.255.255.255)
+TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-GCM-16-256
+Received ENCR transform(s): AES-GCM-16-256
+Best intersection: AES-GCM-16-256
+Config ESN transform(s): NONE
+Received ESN transform(s): NONE
+Best intersection: NONE
[VPN-Status] 2020/01/18 14:18:25,593 Devicetime: 2020/01/18 14:18:24,803
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3003 bytes
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Updating remote port to 65021
Received 1 notification:
+MOBIKE_SUPPORTED (STATUS)
+Received-ID CN=USER2:DER_ASN1_DN matches the Expected-ID CN=USER2:DER_ASN1_DN
+Peer identified: VPN_NATEL
+Peer uses AUTH(RSA:SHA1)
+Authentication successful
Request attributes:
INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_DNS()
INTERNAL_IP4_NBNS()
INTERNAL_IP4_SERVER()
Assigned IPv4 config parameters:
IP: 192.168.10.114
DNS: 192.168.10.1, 192.168.10.1
Assigned IPv6 config parameters:
DNS: ::
TSi: ( 0, 0-65535, 192.168.10.114-192.168.10.114 )
TSr: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+CHILD-SA:
ESP-Proposal-1 Peer-SPI: 0xEA2D17AA (2 transforms)
ENCR : AES-GCM-16-256
ESN : NONE
[VPN-Debug] 2020/01/18 14:18:25,890 Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload CP(REPLY) (47):
+INTERNAL_IP4_DNS(192.168.10.1)
+INTERNAL_IP4_DNS(192.168.10.1)
+INTERNAL_IP4_ADDRESS(192.168.10.114)
Constructing payload NOTIFY(STATUS_INITIAL_CONTACT) (41):
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL SPI 0xD0D8C533
KEY-NEWSA: SA successfully created and inserted into SADB:
State LARVAL Protocol ESP PID 0 refcnt 1 Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
IKE_SA(0xA4291BFF05C17E28DA0375CABD5748C6).EXPECTED-MSG-ID raised to 2
KEY-PARSE: Received SADB_ADD/SADB_SATYPE_ESP
KEY-NEWSA: SA successfully created and inserted into SADB:
State LARVAL Protocol ESP PID 0 refcnt 1 Hard-Timeout in 14400 sec (key_hard_event) Soft-Timeout in 12960 sec
KEY-SA-STATE-CHANGE: LARVAL->MATURE
KEY-ADD: Peer VPN_NATEL handle 61 outgoing UDP-SPI 0xEA2D17AA NAT-T 0.0.0.0/0---9.9.9.9:4500===2.2.2.2:65021---192.168.10.114/32 Hard-Timeout in 14400 sec (key_hard_event) Soft-Timeout in 12960 sec
IPSEC-SEND-UP
KEY-PARSE: Received SADB_UPDATE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: LARVAL->MATURE
SA-STORE: refcnt 2
KEY-UPDATE: Peer VPN_NATEL handle 61 incoming UDP-SPI 0xD0D8C533 NAT-T 192.168.10.114/32---2.2.2.2:65021===9.9.9.9:4500---0.0.0.0/0 Hard-Timeout in 14400 sec (key_hard_event) Soft-Timeout in 12960 sec
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL OUTBOUND PROTOCOL_ANY 0.0.0.0/0<->192.168.10.114/32
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL INBOUND PROTOCOL_ANY 192.168.10.114/32<->0.0.0.0/0
IPSEC-SEND-UP
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:65021, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes
Payloads: IDR, CERT(X509), AUTH(RSA:SHA1), CP(REPLY), TSI, TSR, NOTIFY(STATUS_INITIAL_CONTACT), SA
[VPN-Status] 2020/01/18 14:18:25,890 Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID CN=gw.test.com:DER_ASN1_DN
+Peer does not support Digital-Signature Authentication (RFC-7427).
+Fallback from RSAEncryption on RSA Digital Signature (1)
+I use AUTH(RSA:SHA1)
+Signature of length 512 bytes (4096 bits) computed
IKE_SA_INIT [responder] for peer VPN_NATEL initiator id CN=USER2, responder id CN=gw.test.com
initiator cookie: 0xA4291BFF05C17E28, responder cookie: 0xDA0375CABD5748C6
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer VPN_NATEL Encryption AES-CBC-256 Integrity AUTH-HMAC-SHA-384 IKE-DH-Group 14 PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:25 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:25 (in 86400 sec) / 2000000 kb
DPD: 30 sec
Negotiated: IKEV2_FRAGMENTATION
Reply attributes:
INTERNAL_IP4_DNS(192.168.10.1)
INTERNAL_IP4_DNS(192.168.10.1)
INTERNAL_IP4_ADDRESS(192.168.10.114)
+TSi 0: ( 0, 0-65535, 192.168.10.114-192.168.10.114 )
+TSr 0: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+CHILD-SA:
ESP-Proposal-1 My-SPI: 0xD0D8C533 (2 transforms)
ENCR : AES-GCM-16-256
ESN : NONE
Encrypted message is too big (2136 bytes) -> should be ikev2 fragmented (MTU 588)
CHILD_SA [responder] done with 2 SAS for peer VPN_NATEL rule IPSEC-0-VPN_NATEL-PR0-L0-R0
9.9.9.9:4500-->2.2.2.2:65021, Routing tag 0, Com-channel 61
rule:' ipsec 0.0.0.0/0 <-> 192.168.10.114/32
outgoing SA ESP [0xEA2D17AA] Authenticated-Encryption AES-GCM-16-256 PFS-DH-Group None ESN None
incoming SA ESP [0xD0D8C533] Authenticated-Encryption AES-GCM-16-256 PFS-DH-Group None ESN None
life time soft 01/18/2020 17:54:25 (in 12960 sec) / 1800000 kb
life time hard 01/18/2020 18:18:25 (in 14400 sec) / 2000000 kb
tunnel between src: 9.9.9.9 dst: 2.2.2.2
Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:65021, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes
[VPN-Debug] 2020/01/18 14:18:25,890 Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
[VPN-Status] 2020/01/18 14:18:25,890 Devicetime: 2020/01/18 14:18:25,074
set_ip_transport for VPN_NATEL: [id: 86843, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0]
[VPN-Debug] 2020/01/18 14:18:25,968 Devicetime: 2020/01/18 14:18:25,174
cryptaccess register nr:1