Hi,

> What I see is that the initial message is received but ignored, so this
> side here probably runs into some kind of error.
> To find out what exactly causes this, a more verbose log would help.
> You could manually start iked with -dvv and share the log for an
> incoming IKE_SA_INIT request from 72.83.103.147:500 (best without the
> grep because the following lines may contain the actual error messages).

gateway# iked -dvv
set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/ipv4/66.63.5.250
set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
ikev2 "VPN" active tunnel esp inet from 72.83.103.147 to 66.63.5.250 local 72.83.103.147 peer 66.63.5.250 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 rsa
set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/ipv4/66.63.5.250
set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
ikev2 "Flow" active tunnel esp inet from 66.63.44.66 to 0.0.0.0/0 from 66.63.44.90 to 0.0.0.0/0 from 66.63.44.96/28 to 0.0.0.0/0 from 66.63.44.67 to 66.63.0.0/18 from 66.63.44.79 to 45.7.36.0/22 from 66.63.44.79 to 185.40.64.0/22 from 66.63.44.79 to 43.229.64.0/22 from 66.63.44.79 to 162.249.72.0/21 from 66.63.44.79 to 104.160.128.0/19 from 66.63.44.79 to 192.64.168.0/21 from 66.63.44.79 to 103.240.224.0/22 from 66.63.44.65 to 66.63.5.245 from 66.63.44.65 to 66.63.5.250 local any peer 66.63.5.250 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 rsa
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ikev2_init_ike_sa: initiating "VPN"
ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe6b00a86abde210d 0x0000000000000000 72.83.103.147:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe6b00a86abde210d 0x0000000000000000 66.63.5.250:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe6b00a86abde210d rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0xe6b00a86abde210d: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 334 bytes
spi=0xe6b00a86abde210d: sa_state: INIT -> SA_INIT
ikev2_init_ike_sa: initiating "Flow"
ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xdc7db92c1d646cad 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xdc7db92c1d646cad 0x0000000000000000 66.63.5.250:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xdc7db92c1d646cad rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0xdc7db92c1d646cad: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500, 334 bytes
spi=0xdc7db92c1d646cad: sa_state: INIT -> SA_INIT
spi=0xe6b00a86abde210d: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 2 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 2 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 3 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 3 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 4 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 4 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
ikev2_init_ike_sa: "VPN" is already active
ikev2_init_ike_sa: "Flow" is already active
spi=0xdc7db92c1d646cad: retransmit 5 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 5 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
^Cca exiting, pid 583
ikev2 exiting, pid 54
control exiting, pid 16821
parent terminating
gateway#

> Another thing I notice is that this log seems to be from an older iked
> version.
> Could you give me a hint what iked version we're looking at so I can try
> to reproduce the problem?

And yes, the local (gateway name) is running 6.6 well, and 6.7 to no avail. The remote one at 66.63.5.250 is running a very old one, as so far I haven't been able to shut it down to upgrade it. Too many users on that one. But it is running 5.6.

I know it's old. Nevertheless it's been very reliable, and yes, it does need to be upgraded too.

Daniel.
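As an added triage aid (not code from this thread or from iked itself), the script below reads iked -dvv output like the log quoted above and reports, per IKE SA SPI, how often IKE_SA_INIT was retransmitted and whether sa_state ever left SA_INIT, which is the "sent but never answered" pattern visible in the mail. The line shapes are taken from the quoted log; the sample input is a constructed, abridged excerpt of it.

```python
import re
from collections import defaultdict

# Line shapes as they appear in the iked -dvv output quoted in the mail.
SEND_RE = re.compile(r"spi=(0x[0-9a-f]+): send (\w+) req (\d+) peer (\S+) local ([^\s,]+)")
RETRANS_RE = re.compile(r"spi=(0x[0-9a-f]+): retransmit (\d+) (\w+) req")
STATE_RE = re.compile(r"spi=(0x[0-9a-f]+): sa_state: (\w+) -> (\w+)")

def summarize(log_text):
    """Per-SPI view: what the initiator sent and how far each IKE SA got."""
    sas = defaultdict(lambda: {"exchange": None, "peer": None, "local": None,
                               "retransmits": 0, "state": None})
    for line in log_text.splitlines():
        if m := SEND_RE.search(line):
            sa = sas[m.group(1)]
            sa["exchange"], sa["peer"], sa["local"] = m.group(2), m.group(4), m.group(5)
        elif m := RETRANS_RE.search(line):
            sa = sas[m.group(1)]
            sa["retransmits"] = max(sa["retransmits"], int(m.group(2)))
        elif m := STATE_RE.search(line):
            sas[m.group(1)]["state"] = m.group(3)  # last state transition wins
    return dict(sas)

def stuck_sas(summary, min_retransmits=3):
    """SPIs that kept retransmitting IKE_SA_INIT and never left SA_INIT,
    i.e. no IKE_SA_INIT response was ever accepted from the peer."""
    return sorted(spi for spi, sa in summary.items()
                  if sa["state"] == "SA_INIT" and sa["retransmits"] >= min_retransmits)

# Constructed, abridged excerpt of the log quoted in this mail.
SAMPLE_LOG = """\
spi=0xe6b00a86abde210d: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 334 bytes
spi=0xe6b00a86abde210d: sa_state: INIT -> SA_INIT
spi=0xdc7db92c1d646cad: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500, 334 bytes
spi=0xdc7db92c1d646cad: sa_state: INIT -> SA_INIT
spi=0xe6b00a86abde210d: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
ikev2_init_ike_sa: "VPN" is already active
spi=0xdc7db92c1d646cad: retransmit 5 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 5 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for spi in stuck_sas(s):
        print(f"{spi}: {s[spi]['exchange']} from {s[spi]['local']} to {s[spi]['peer']} "
              f"retransmitted {s[spi]['retransmits']}x, state stuck at {s[spi]['state']}")
```

The per-SPI "local" field also makes the second SA's source address of 0.0.0.0:500 (the "Flow" policy's "local any") stand out next to the "VPN" SA's 72.83.103.147:500.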