On Wed, Jan 13, 2021 at 01:12:09AM -0700, Ian Timothy wrote:
> Hi,
> 
> I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with 
> macOS without issue. Changing to EAP MSCHAP for use with Windows results in 
> the following error:
> 
> "The network connection between your computer and the VPN server could not be 
> established because the remote server is not responding. This could be because 
> one of the network devices (e.g. firewalls, NAT, routers, etc.) between your 
> computer and the remote server is not configured to allow VPN connections."
> 
> I've worked through many examples online, but I'm not sure what the next 
> step is to troubleshoot this.
> 
> Thanks!
> 
> 
> 
> # uname -rsv
> OpenBSD 6.8 GENERIC.MP#2
> 
> 
> #
> # iked.conf
> #
> 
> ikev2 "vpn-psk" passive esp \
>       from 0.0.0.0/0 to 0.0.0.0/0 \

Hi,

if you're using config address (as in giving peers a tunnel IP), you
need to configure

from 0.0.0.0/0 to 0.0.0.0 \

The "to" becomes a /32, a /0 is wrong.  This is because of internal
semantics.  Anyway, this confusing bit has been changed in -current,
as you can read here:

https://www.openbsd.org/faq/current.html

But unless you're using current, you still need the line above.

But since you're complaining about EAP MSCHAP, I don't know what's the
issue there.  Maybe tobhe@ or sthen@ have an idea.

Patrick

>       local egress peer any \
>       srcid vpn.company.com \
>       eap "mschap-v2" \
>       config address 10.0.2.0/24 \
>       config netmask 255.255.0.0 \
>       config name-server 10.0.0.1 \
>       tag "$name-$id" 
> 
> # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.
> 
> 
> #
> # Generate certificates
> #
> 
> pkg_add zip
> 
> ikectl ca vpn create
> ikectl ca vpn install
> 
> # CN should be same as srcid in iked.conf
> ikectl ca vpn certificate vpn.company.com create
> ikectl ca vpn certificate vpn.company.com install
> 
> # CN should be same as client ip address
> ikectl ca vpn certificate 10.0.2.100 create
> ikectl ca vpn certificate 10.0.2.100 export
> 
> 
> #
> # Windows config
> #
> 
> - VPN device
>    - General tab
>       - Server: vpn.company.com
>    - Security tab
>       - VPN type: IKEv2
>       - Authentication: Use machine certificates
> 
> - Certs install
>    - ca.crt --> Certificates (Local Computer)/Trusted Root Certification 
> Authorities/Certificates
>    - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates
> 
> 
> #
> # iked log
> #
> 
> doas iked -dvv
> create_ike: using signature for peer 
> ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 
> 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
> ikesa enc aes-256,aes-192,aes-128,3des prf 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
> childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc 
> aes-256,aes-192,aes-128 auth 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid 
> vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config 
> address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
> /etc/iked.conf: loaded 2 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1192
> ca_pubkey_serialize: type RSA_KEY length 270
> config_new_user: inserting new user windows
> user "windows" "password"
> config_getpolicy: received policy
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> config_getpfkey: received pfkey fd 3
> ca_getkey: received private key type RSA_KEY length 1192
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file 10.0.0.1.crt
> ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer 
> mismatch
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> 
> policy_lookup: setting policy 'vpn-eap'
> spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:56819 
> local 23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap'
> ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x0000000000000000
> ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21
> ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x0000000000000000 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 624 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x804dbcb818c0c11e 0x0000000000000000 
> 166.70.94.161:56819
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x804dbcb818c0c11e 0x0000000000000000 
> 23.30.51.129:500
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
> ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
> ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 41
> proposals_negotiate: score 32
> proposals_negotiate: score 29
> proposals_negotiate: score 20
> proposals_negotiate: score 33
> proposals_negotiate: score 24
> policy_lookup: setting policy 'vpn-eap'
> spi=0x804dbcb818c0c11e: sa_state: INIT -> SA_INIT
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 41
> proposals_negotiate: score 32
> proposals_negotiate: score 29
> proposals_negotiate: score 20
> proposals_negotiate: score 33
> proposals_negotiate: score 24
> sa_stateok: SA_INIT flags 0x0000, require 0x0000 
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> spi=0x804dbcb818c0c11e: ikev2_sa_keys: DHSECRET with 128 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0x804dbcb818c0c11e: ikev2_sa_keys: S with 96 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 136 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x804dbcb818c0c11e 0x6f4965951700d887 
> 23.AAA.AAA.129:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x804dbcb818c0c11e 0x6f4965951700d887 
> 166.BBB.BBB.161:56819
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NONE
> ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 
> 329 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> spi=0x804dbcb818c0c11e: send IKE_SA_INIT res 0 peer 166.BBB.BBB.161:56819 
> local 23.AAA.AAA.129:500, 329 bytes
> config_free_proposals: free 0x70869600
> config_free_proposals: free 0x4db805c0
> config_free_proposals: free 0x70869540
> config_free_proposals: free 0x70869c80
> config_free_proposals: free 0x4a03f800
> config_free_proposals: free 0x4a03ff00
> spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.70.94.161:61645 local 
> 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap'
> ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887
> ikev2_recv: updated SA to peer 166.70.94.161:61645 local 23.AAA.AAA.129:4500
> ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 
> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2560 
> response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2532
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 2496
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 2496/2496 padding 9
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 
> length 184
> ikev2_pld_id: id ASN1_DN//C=US/ST=State/L=City/O=Company/OU=Information 
> Systems/CN=10.0.2.100/emailAddress=t...@company.com length 180
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 
> length 1081
> ikev2_pld_cert: type X509_CERT length 1076
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 
> length 705
> ikev2_pld_certreq: type X509_CERT length 700
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 
> length 264
> ikev2_pld_auth: method RSA_SIG length 256
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 
> length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 
> 36
> ikev2_pld_cp: type REQUEST length 28
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
> ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
> ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
> ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
> ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
> ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 
> 80
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 
> xforms 3 spi 0x47a03160
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #2 protoid ESP spisize 4 
> xforms 3 spi 0x47a03160
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 
> length 64
> ikev2_pld_tss: count 2 length 56
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
> 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 
> 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 
> length 64
> ikev2_pld_tss: count 2 length 56
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
> 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 
> 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_handle_notifies: mobike enabled
> sa_stateok: SA_INIT flags 0x0000, require 0x0000 
> spi=0x804dbcb818c0c11e: sa_state: SA_INIT -> AUTH_REQUEST
> policy_lookup: peerid '/C=US/ST=State/L=City/O=Company/OU=Information 
> Systems/CN=10.0.2.100/emailAddress=t...@company.com'
> proposals_negotiate: score 0
> proposals_negotiate: score 20
> policy_lookup: setting policy 'vpn-eap'
> ikev2_policy2id: srcid FQDN/vpn.company.com length 21
> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0079 
> cert,auth,authvalid,sa,eapvalid)
> ikev2_msg_auth: responder auth data length 409
> ca_setauth: switching SIG to RSA_SIG(*)
> ca_setauth: auth length 409
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 13
> proposals_negotiate: score 0
> sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x0079 
> cert,auth,authvalid,sa,eapvalid)
> config_free_proposals: free 0x4db80100
> config_free_proposals: free 0x70869f40
> ca_getreq: found CA /C=US/ST=State/L=City/O=Company/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> spi=0x804dbcb818c0c11e: ca_getreq: no valid local certificate found for 
> FQDN/vpn.company.com
> spi=0x804dbcb818c0c11e: ca_getreq: issuer: 
> /C=US/ST=State/L=City/O=Company/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com
> spi=0x804dbcb818c0c11e: ca_getreq: serial: 01
> spi=0x804dbcb818c0c11e: ca_getreq: subject: 
> /C=US/ST=State/L=City/O=Company/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com
> spi=0x804dbcb818c0c11e: ca_getreq: altname: IPV4/10.0.0.1
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> spi=0x804dbcb818c0c11e: ca_getreq: using local public key of type RSA_KEY
> ca_setauth: auth length 256
> ikev2_getimsgdata: imsg 22 rspi 0x6f4965951700d887 ispi 0x804dbcb818c0c11e 
> initiator 0 sa valid type 11 data length 270
> ikev2_dispatch_cert: cert type RSA_KEY length 270, ok
> sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x0079 
> cert,auth,authvalid,sa,eapvalid)
> ikev2_getimsgdata: imsg 28 rspi 0x6f4965951700d887 ispi 0x804dbcb818c0c11e 
> initiator 0 sa valid type 1 data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x0079 
> cert,auth,authvalid,sa,eapvalid)
> ca_validate_pubkey: unsupported public key type ASN1_DN
> ca_validate_cert: /C=US/ST=State/L=City/O=Company/OU=Information 
> Systems/CN=10.0.2.100/emailAddress=t...@company.com ok
> ikev2_getimsgdata: imsg 23 rspi 0x6f4965951700d887 ispi 0x804dbcb818c0c11e 
> initiator 0 sa valid type 4 data length 1076
> ikev2_msg_auth: initiator auth data length 688
> ikev2_msg_authverify: method RSA_SIG keylen 1076 type X509_CERT
> ikev2_msg_authverify: authentication successful
> spi=0x804dbcb818c0c11e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 
> 0x0079 cert,auth,authvalid,sa,eapvalid)
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa 
> (required 0x0079 cert,auth,authvalid,sa,eapvalid)
> sa_stateok: VALID flags 0x0039, require 0x0079 cert,auth,authvalid,sa,eapvalid
> spi=0x804dbcb818c0c11e: sa_state: cannot switch: AUTH_SUCCESS -> VALID
> spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.BBB.BBB.161:61645 local 
> 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap'
> ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887
> spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.BBB.BBB.161:61645 local 
> 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap'
> ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887
> 
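An added triage script for the `iked -dvv` output quoted above (example code written for this page, not from the thread or from OpenBSD's iked): it recovers the bit behind each sa_stateflags name from the logged transitions themselves and reports which required flags were still missing when iked logged "sa_state: cannot switch", along with any local-certificate lookup failures. SAMPLE_LOG is an unwrapped excerpt of the quoted log, and the line formats are assumed to be exactly as they appear there.

```python
# Added example (not from the thread): triage of `iked -dvv` output.  It infers
# the bit behind each sa_stateflags name and reports which required flags were
# still missing when iked logged "sa_state: cannot switch".  Line formats are
# those of the log quoted above; SAMPLE_LOG is an unwrapped excerpt of it.
import re
from functools import reduce

SAMPLE_LOG = """\
spi=0x804dbcb818c0c11e: sa_state: INIT -> SA_INIT
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0x804dbcb818c0c11e: ca_getreq: no valid local certificate found for FQDN/vpn.company.com
spi=0x804dbcb818c0c11e: sa_state: SA_INIT -> AUTH_REQUEST
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
spi=0x804dbcb818c0c11e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateok: VALID flags 0x0039, require 0x0079 cert,auth,authvalid,sa,eapvalid
spi=0x804dbcb818c0c11e: sa_state: cannot switch: AUTH_SUCCESS -> VALID
"""

FLAGS_RE = re.compile(r"sa_stateflags: 0x[0-9a-f]+ -> (0x[0-9a-f]+) ([\w,]*) "
                      r"\(required (0x[0-9a-f]+) ?([\w,]*)\)")
OK_RE = re.compile(r"sa_stateok: \w+ flags (0x[0-9a-f]+), require (0x[0-9a-f]+)")
STATE_RE = re.compile(r"sa_state: (cannot switch: )?(\w+) -> (\w+)")


def learn_flag_bits(log: str) -> dict:
    """Map each flag name to its bit: AND every value whose name list has the
    name, then mask off every bit of values whose list omits it."""
    pairs = []
    for m in FLAGS_RE.finditer(log):
        pairs.append((int(m.group(1), 16), set(filter(None, m.group(2).split(",")))))
        pairs.append((int(m.group(3), 16), set(filter(None, m.group(4).split(",")))))
    bits = {}
    for name in set().union(*(n for _, n in pairs)):
        mask = reduce(lambda a, b: a & b, (v for v, n in pairs if name in n))
        mask = reduce(lambda a, b: a & ~b, (v for v, n in pairs if name not in n), mask)
        bits[name] = mask
    return bits


def triage(log: str) -> dict:
    """Summarise the SA state path, the blocked transition and the required
    flags it lacked, plus any local-certificate lookup failures."""
    bits = learn_flag_bits(log)
    out = {"transitions": [], "blocked": None, "missing": [],
           "cert_warnings": [l.strip() for l in log.splitlines()
                             if "no valid local certificate" in l]}
    for m in STATE_RE.finditer(log):
        if m.group(1):
            out["blocked"] = (m.group(2), m.group(3))
        else:
            out["transitions"].append((m.group(2), m.group(3)))
    for m in OK_RE.finditer(log):
        lacking = int(m.group(2), 16) & ~int(m.group(1), 16)
        if lacking:
            out["missing"] = sorted(n for n, b in bits.items() if b & lacking)
    return out


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("SA state path:", " -> ".join([r["transitions"][0][0]] + [t for _, t in r["transitions"]]))
    print("blocked:", r["blocked"], "missing required flags:", r["missing"])
    for w in r["cert_warnings"]:
        print("certificate warning:", w)
```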
