Hi,

> What I see is that the initial message is received but ignored, so this
> side here probably runs into some kind of error.
> To find out what exactly causes this, a more verbose log would help.
> You could manually start iked with -dvv and share the log for an
> incoming IKE_SA_INIT request from 72.83.103.147:500 (best without the
> grep because the following lines may contain the actual error messages).

gateway# iked -dvv
set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/ipv4/66.63.5.250
set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
ikev2 "VPN" active tunnel esp inet from 72.83.103.147 to 66.63.5.250
local 72.83.103.147 peer 66.63.5.250 ikesa enc
aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
esn,noesn lifetime 10800 bytes 536870912 rsa
set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/ipv4/66.63.5.250
set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
ikev2 "Flow" active tunnel esp inet from 66.63.44.66 to 0.0.0.0/0 from
66.63.44.90 to 0.0.0.0/0 from 66.63.44.96/28 to 0.0.0.0/0 from
66.63.44.67 to 66.63.0.0/18 from 66.63.44.79 to 45.7.36.0/22 from
66.63.44.79 to 185.40.64.0/22 from 66.63.44.79 to 43.229.64.0/22 from
66.63.44.79 to 162.249.72.0/21 from 66.63.44.79 to 104.160.128.0/19 from
66.63.44.79 to 192.64.168.0/21 from 66.63.44.79 to 103.240.224.0/22 from
66.63.44.65 to 66.63.5.245 from 66.63.44.65 to 66.63.5.250 local any
peer 66.63.5.250 ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
esn,noesn lifetime 10800 bytes 536870912 rsa
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ikev2_init_ike_sa: initiating "VPN"
ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe6b00a86abde210d 0x0000000000000000
72.83.103.147:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe6b00a86abde210d
0x0000000000000000 66.63.5.250:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe6b00a86abde210d rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE
spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0xe6b00a86abde210d: send IKE_SA_INIT req 0 peer 66.63.5.250:500
local 72.83.103.147:500, 334 bytes
spi=0xe6b00a86abde210d: sa_state: INIT -> SA_INIT
ikev2_init_ike_sa: initiating "Flow"
ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xdc7db92c1d646cad 0x0000000000000000
0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xdc7db92c1d646cad
0x0000000000000000 66.63.5.250:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xdc7db92c1d646cad rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE
spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0xdc7db92c1d646cad: send IKE_SA_INIT req 0 peer 66.63.5.250:500
local 0.0.0.0:500, 334 bytes
spi=0xdc7db92c1d646cad: sa_state: INIT -> SA_INIT
spi=0xe6b00a86abde210d: retransmit 1 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 1 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 2 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 2 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 3 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 3 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 4 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 4 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 0.0.0.0:500
ikev2_init_ike_sa: "VPN" is already active
ikev2_init_ike_sa: "Flow" is already active
spi=0xdc7db92c1d646cad: retransmit 5 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 5 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 72.83.103.147:500
^Cca exiting, pid 583
ikev2 exiting, pid 54
control exiting, pid 16821
parent terminating
gateway#

> Another thing i notice is that this log seems to be from an older iked 
> version.
> Could you give me a hint what iked version we're looking at so i can try
> to reproduce the problem?

And yes, the local (gateway name) is running 6.6 well, and 6.7 to no avail.

The remote one at 66.63.5.250 is running a very old one, as so far I
haven't been able to shut it down to upgrade it. Too many users on that
one. But it is running 5.6. I know it's old. Nevertheless it's been
very reliable and yes it does need to be upgraded too.

Daniel.
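Added example, not part of Daniel's message and not code from iked or OpenBSD: a small Python triage script for the kind of `iked -dvv` output pasted above. It first re-joins records that a mail client wrapped onto several lines (the pasted log has `peer` on one line and `local` on the next), then tracks each IKE SA by SPI: which policy initiated it, the `send IKE_SA_INIT` endpoints, the highest retransmit counter, any response, and the last `sa_state` transition. The sample log is constructed to mirror the message above plus one healthy SA for contrast; the `recv IKE_SA_INIT res` line format is an assumption about iked's receive logging (the message itself contains no receive line at all), and the verdict text is the script's own.

```python
import re
from collections import OrderedDict

# Constructed sample log: an unwrapped, shortened version of the message's
# iked -dvv output (two SAs that never get an answer), plus one constructed
# "Healthy" SA that does. The recv line format is an assumption.
SAMPLE_LOG = """\
ikev2_init_ike_sa: initiating "VPN"
spi=0xe6b00a86abde210d: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 334 bytes
spi=0xe6b00a86abde210d: sa_state: INIT -> SA_INIT
ikev2_init_ike_sa: initiating "Flow"
spi=0xdc7db92c1d646cad: send IKE_SA_INIT req 0 peer 66.63.5.250:500
local 0.0.0.0:500, 334 bytes
spi=0xdc7db92c1d646cad: sa_state: INIT -> SA_INIT
spi=0xe6b00a86abde210d: retransmit 1 IKE_SA_INIT req 0 peer
66.63.5.250:500 local 72.83.103.147:500
spi=0xdc7db92c1d646cad: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
spi=0xe6b00a86abde210d: retransmit 2 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
ikev2_init_ike_sa: initiating "Healthy"
spi=0x1111111111111111: send IKE_SA_INIT req 0 peer 192.0.2.10:500 local 198.51.100.5:500, 334 bytes
spi=0x1111111111111111: sa_state: INIT -> SA_INIT
spi=0x1111111111111111: recv IKE_SA_INIT res 0 peer 192.0.2.10:500 local 198.51.100.5:500, 297 bytes
spi=0x1111111111111111: sa_state: SA_INIT -> AUTH_REQUEST
"""

# A line that starts a new log record: "spi=0x...:", "funcname:", a path
# followed by a colon, an "ikev2 \"policy\"" dump, or the ^C on exit.
# Anything else is treated as a mail-wrapped continuation of the previous one.
RECORD_START = re.compile(r'^(spi=0x[0-9a-f]+:|[a-z0-9_]+:|/\S+:|ikev2 "|\^C)')
INITIATING = re.compile(r'^ikev2_init_ike_sa: initiating "([^"]+)"')
SEND = re.compile(r'^spi=(0x[0-9a-f]+): send IKE_SA_INIT req \d+ peer (\S+) local (\S+),')
RETRANS = re.compile(r'^spi=(0x[0-9a-f]+): retransmit (\d+) IKE_SA_INIT')
RECV = re.compile(r'^spi=(0x[0-9a-f]+): recv IKE_SA_INIT res \d+ peer (\S+)')  # assumed format
STATE = re.compile(r'^spi=(0x[0-9a-f]+): sa_state: (\S+) -> (\S+)')


def unwrap(text):
    """Re-join log records that were wrapped across lines by a mail client."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip()
    return records


def _new_sa():
    return {"policy": None, "peer": None, "local": None,
            "sent": 0, "retransmits": 0, "responses": 0, "state": None}


def verdict(sa):
    """Summarise one SA: answered or not, and anything odd about its endpoints."""
    notes = []
    if sa["responses"] == 0 and sa["state"] in (None, "SA_INIT"):
        notes.append("no IKE_SA_INIT response from %s after %d retransmit(s)"
                     % (sa["peer"], sa["retransmits"]))
    if sa["local"] and sa["local"].startswith("0.0.0.0:"):
        notes.append("local endpoint unspecified (0.0.0.0), check the policy's 'local' address")
    return "; ".join(notes) or "IKE_SA_INIT answered, reached state %s" % sa["state"]


def triage(text):
    """Return an ordered dict spi -> per-SA summary for an iked -dvv log."""
    sas = OrderedDict()
    pending_policy = None  # name from the last "initiating" line, not yet tied to an SPI
    for rec in unwrap(text):
        m = INITIATING.match(rec)
        if m:
            pending_policy = m.group(1)
            continue
        m = SEND.match(rec)
        if m:
            spi, peer, local = m.groups()
            sa = sas.setdefault(spi, _new_sa())
            if sa["policy"] is None:
                sa["policy"], pending_policy = pending_policy, None
            sa["peer"], sa["local"] = peer, local
            sa["sent"] += 1
            continue
        m = RETRANS.match(rec)
        if m:
            sa = sas.setdefault(m.group(1), _new_sa())
            sa["retransmits"] = max(sa["retransmits"], int(m.group(2)))
            continue
        m = RECV.match(rec)
        if m:
            sas.setdefault(m.group(1), _new_sa())["responses"] += 1
            continue
        m = STATE.match(rec)
        if m:
            sas.setdefault(m.group(1), _new_sa())["state"] = m.group(3)
    for sa in sas.values():
        sa["verdict"] = verdict(sa)
    return sas


if __name__ == "__main__":
    for spi, sa in triage(SAMPLE_LOG).items():
        print("%s policy=%s peer=%s local=%s: %s"
              % (spi, sa["policy"], sa["peer"], sa["local"], sa["verdict"]))
```

Run it as `python3 triage.py < /dev/null` with SAMPLE_LOG replaced by the real log text (for instance `triage(open("iked.log").read())`). An SA that stays in `SA_INIT` with the retransmit counter climbing and zero responses means the request is leaving this host and nothing is coming back, which is exactly what the pasted log shows for both policies; at that point the responder's own `-dvv` log for the incoming IKE_SA_INIT is the next thing to look at, as the quoted reply suggests.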
