Hi, I am experimenting with the following setup, which allows me to establish a connection from an OpenBSD client to an OpenIKED server on OpenBSD. Both machines run OpenBSD-stable.
---
// Server config
$ cat /etc/iked.conf
ikev2 "vpnserver at aa.bb.cc.dd" passive esp \
  from 0.0.0.0/0 to 0.0.0.0/0 \
  peer any \
  psk "mysecret" \
  config address 192.168.1.7 \
  config netmask 255.255.255.0 \
  config dhcp-server 192.168.1.1 \
  config name-server 192.168.1.1

// Client config
$ cat /etc/iked.conf
ikev2 "vpnclient" active esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        peer aa.bb.cc.dd \
        psk "mysecret"
---

I would like to use "config address 192.168.1.0/24" in the server config, because I have multiple VPN clients. But in that case the OpenBSD client does not establish a connection. See the server and client logs for the working and non-working configurations below (e.g. "VALID -> CLOSED" in iked-server-error.log). The logs were obtained using iked -dvv. iOS10 devices work fine in any case.

I will be quite happy to test any suggestions/patches and provide any additional details on request.

$ cat iked-server-error.log
    ca_privkey_serialize: type RSA_KEY length 1193
    ca_pubkey_serialize: type RSA_KEY length 270
    ikev2 "vpnserver at aa.bb.cc.dd" passive esp from 0.0.0.0/0 to 0.0.0.0/0 local any peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x6d79736563726574 config address 192.168.1.0 config netmask 255.255.255.0 config dhcp-server 192.168.1.1 config name-server 192.168.1.1
    /etc/iked.conf: loaded 1 configuration rules
    ca_reload: loaded ca file ca.crt
    ca_reload: loaded crl file ca.crl
    ca_reload: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=<aa.bb.cc.dd>/emailAddress=reyk@openbsd .org
    ca_reload: loaded 1 ca certificate
    ca_reload: local cert type X509_CERT
    config_getocsp: ocsp_url none
    ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
    ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
    config_getpolicy: received policy
    config_getpfkey: received pfkey fd 3
    config_getcompile: compilation done
    config_getsocket: received socket fd 4
    config_getsocket: received socket fd 5
    config_getsocket: received socket fd 6
    config_getsocket: received socket fd 7
    ikev2_recv: IKE_SA_INIT request from initiator <client-ip>:500 to <aa.bb.cc.dd>:500 policy 'vpnserver at aa.bb.cc.dd' id 0, 518 bytes
    ikev2_recv: ispi 0xc4ee0d4196ad15a3 rspi 0x0000000000000000
    ikev2_policy2id: srcid FQDN/blank.my.domain length 19
    ikev2_pld_parse: header ispi 0xc4ee0d4196ad15a3 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0
    ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120
    ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
    ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
    ikev2_pld_ke: dh group MODP_2048_256 reserved 0
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    ikev2_nat_detection: peer source 0xc4ee0d4196ad15a3 0x0000000000000000 <client-ip>:500
    ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    ikev2_nat_detection: peer destination 0xc4ee0d4196ad15a3 0x0000000000000000 <aa.bb.cc.dd>:500
    ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
    ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
    ikev2_pld_notify: signature hash SHA2_256 (2)
    ikev2_pld_notify: signature hash SHA2_384 (3)
    ikev2_pld_notify: signature hash SHA2_512 (4)
    sa_state: INIT -> SA_INIT
    ikev2_sa_negotiate: score 4
    sa_stateok: SA_INIT flags 0x0000, require 0x0000
    sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
    ikev2_sa_keys: SKEYSEED with 32 bytes
    ikev2_sa_keys: S with 80 bytes
    ikev2_prfplus: T1 with 32 bytes
    ikev2_prfplus: T2 with 32 bytes
    ikev2_prfplus: T3 with 32 bytes
    ikev2_prfplus: T4 with 32 bytes
    ikev2_prfplus: T5 with 32 bytes
    ikev2_prfplus: T6 with 32 bytes
    ikev2_prfplus: T7 with 32 bytes
    ikev2_prfplus: Tn with 224 bytes
    ikev2_sa_keys: SK_d with 32 bytes
    ikev2_sa_keys: SK_ai with 32 bytes
    ikev2_sa_keys: SK_ar with 32 bytes
    ikev2_sa_keys: SK_ei with 32 bytes
    ikev2_sa_keys: SK_er with 32 bytes
    ikev2_sa_keys: SK_pi with 32 bytes
    ikev2_sa_keys: SK_pr with 32 bytes
    ikev2_add_proposals: length 44
    ikev2_next_payload: length 48 nextpayload KE
    ikev2_next_payload: length 264 nextpayload NONCE
    ikev2_next_payload: length 36 nextpayload NOTIFY
    ikev2_nat_detection: local source 0xc4ee0d4196ad15a3 0xf51ab8b4f8c59318 <aa.bb.cc.dd>:500
    ikev2_next_payload: length 28 nextpayload NOTIFY
    ikev2_nat_detection: local destination 0xc4ee0d4196ad15a3 0xf51ab8b4f8c59318 <client-ip>:500
    ikev2_next_payload: length 28 nextpayload NOTIFY
    ikev2_next_payload: length 14 nextpayload NONE
    ikev2_pld_parse: header ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 446 response 1
    ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
    ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
    ikev2_pld_ke: dh group MODP_2048_256 reserved 0
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
    ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
    ikev2_msg_send: IKE_SA_INIT response from <aa.bb.cc.dd>:500 to <client-ip>:500 msgid 0, 446 bytes
    config_free_proposals: free 0x1a1a42c1d00
    ikev2_recv: IKE_AUTH request from initiator <client-ip>:4500 to <aa.bb.cc.dd>:4500 policy 'vpnserver at aa.bb.cc.dd' id 1, 272 bytes
    ikev2_recv: ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318
    ikev2_recv: updated SA to peer <client-ip>:4500 local <aa.bb.cc.dd>:4500
    ikev2_pld_parse: header ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 272 response 0
    ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 244
    ikev2_msg_decrypt: IV length 16
    ikev2_msg_decrypt: encrypted payload length 208
    ikev2_msg_decrypt: integrity checksum length 16
    ikev2_msg_decrypt: integrity check succeeded
    ikev2_msg_decrypt: decrypted payload length 208/208 padding 10
    ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 25
    ikev2_pld_id: id FQDN/my.laptop length 21
    ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
    ikev2_pld_auth: method SHARED_KEY_MIC length 32
    sa_state: SA_INIT -> AUTH_REQUEST
    ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
    ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0xcc44c94d
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
    ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
    ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
    ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
    ikev2_pld_ts: count 1 length 16
    ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
    ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
    ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
    ikev2_pld_ts: count 1 length 16
    ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
    ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
    ikev2_resp_recv: NAT-T message received, updated SA
    sa_stateok: SA_INIT flags 0x0000, require 0x0000
    policy_lookup: peerid 'my.laptop'
    ikev2_msg_auth: responder auth data length 510
    ikev2_msg_auth: initiator auth data length 582
    ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
    ikev2_msg_authverify: authentication successful
    sa_state: AUTH_REQUEST -> AUTH_SUCCESS
    sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0038 auth,authvalid,sa)
    ikev2_sa_negotiate: score 3
    sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0038 auth,authvalid,sa)
    sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
    sa_state: AUTH_SUCCESS -> VALID
    sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
    ikev2_cp_setaddr: pool configured, but IKEV2_CP_REQUEST missing
    ikev2_resp_recv: failed to send auth response
    sa_state: VALID -> CLOSED from <client-ip>:4500 to <aa.bb.cc.dd>:4500 policy 'vpnserver at aa.bb.cc.dd'
    ikev2_recv: closing SA
    sa_free: ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318
    config_free_proposals: free 0x1a17846d180
    config_free_proposals: free 0x1a0d0ddc900
    config_free_proposals: free 0x1a1a42c1180
    control exiting, pid 16650
    ikev2 exiting, pid 63161
    ca exiting, pid 40660
    parent terminating

$ cat iked-client-error.log
    ca_privkey_serialize: type RSA_KEY length 1192
    ca_pubkey_serialize: type RSA_KEY length 270
    ikev2 "vpnclient" active esp inet from 0.0.0.0/0 to 0.0.0.0/0 local any peer <aa.bb.cc.dd> ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x6d79736563726574
    /etc/iked.conf: loaded 1 configuration rules
    config_getpolicy: received policy
    ca_reload: loaded ca file ca.crt
    config_getpfkey: received pfkey fd 3
    config_getcompile: compilation done
    config_getsocket: received socket fd 4
    config_getsocket: received socket fd 5
    config_getsocket: received socket fd 6
    config_getsocket: received socket fd 7
    ca_reload: loaded crl file ca.crl
    ca_reload: /CN=VPN CA
    ca_reload: loaded 1 ca certificate
    ca_reload: loaded cert file iphone.crt
    ca_validate_cert: /CN=iphone ok
    ca_reload: local cert type X509_CERT
    config_getocsp: ocsp_url none
    ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
    ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
    ikev2_init_ike_sa: initiating "vpnclient"
    ikev2_policy2id: srcid FQDN/my.laptop length 21
    ikev2_add_proposals: length 116
    ikev2_next_payload: length 120 nextpayload KE
    ikev2_next_payload: length 264 nextpayload NONCE
    ikev2_next_payload: length 36 nextpayload NOTIFY
    ikev2_nat_detection: local source 0xc4ee0d4196ad15a3 0x0000000000000000 0.0.0.0:500
    ikev2_next_payload: length 28 nextpayload NOTIFY
    ikev2_nat_detection: local destination 0xc4ee0d4196ad15a3 0x0000000000000000 <aa.bb.cc.dd>:500
    ikev2_next_payload: length 28 nextpayload NOTIFY
    ikev2_next_payload: length 14 nextpayload NONE
    ikev2_pld_parse: header ispi 0xc4ee0d4196ad15a3 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0
    ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120
    ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
    ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
    ikev2_pld_ke: dh group MODP_2048_256 reserved 0
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
    ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
    ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to <aa.bb.cc.dd>:500 msgid 0, 518 bytes
    sa_state: INIT -> SA_INIT
    ikev2_recv: IKE_SA_INIT response from responder <aa.bb.cc.dd>:500 to 192.168.155.20:500 policy 'vpnclient' id 0, 446 bytes
    ikev2_recv: ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318
    ikev2_recv: updated SA to peer <aa.bb.cc.dd>:500 local 192.168.155.20:500
    ikev2_pld_parse: header ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 446 response 1
    ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
    ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
    ikev2_pld_ke: dh group MODP_2048_256 reserved 0
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    ikev2_nat_detection: peer source 0xc4ee0d4196ad15a3 0xf51ab8b4f8c59318 <aa.bb.cc.dd>:500
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    ikev2_nat_detection: peer destination 0xc4ee0d4196ad15a3 0xf51ab8b4f8c59318 192.168.155.20:500
    ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
    ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
    ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
    ikev2_pld_notify: signature hash SHA2_256 (2)
    ikev2_pld_notify: signature hash SHA2_384 (3)
    ikev2_pld_notify: signature hash SHA2_512 (4)
    ikev2_init_recv: NAT detected, updated SA to peer <aa.bb.cc.dd>:4500 local 192.168.155.20:4500
    ikev2_sa_negotiate: score 4
    sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
    ikev2_sa_keys: SKEYSEED with 32 bytes
    ikev2_sa_keys: S with 80 bytes
    ikev2_prfplus: T1 with 32 bytes
    ikev2_prfplus: T2 with 32 bytes
    ikev2_prfplus: T3 with 32 bytes
    ikev2_prfplus: T4 with 32 bytes
    ikev2_prfplus: T5 with 32 bytes
    ikev2_prfplus: T6 with 32 bytes
    ikev2_prfplus: T7 with 32 bytes
    ikev2_prfplus: Tn with 224 bytes
    ikev2_sa_keys: SK_d with 32 bytes
    ikev2_sa_keys: SK_ai with 32 bytes
    ikev2_sa_keys: SK_ar with 32 bytes
    ikev2_sa_keys: SK_ei with 32 bytes
    ikev2_sa_keys: SK_er with 32 bytes
    ikev2_sa_keys: SK_pi with 32 bytes
    ikev2_sa_keys: SK_pr with 32 bytes
    ikev2_msg_auth: initiator auth data length 582
    sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
    ikev2_next_payload: length 25 nextpayload AUTH
    ikev2_next_payload: length 40 nextpayload SA
    pfkey_sa_getspi: spi 0xcc44c94d
    pfkey_sa_init: new spi 0xcc44c94d
    ikev2_add_proposals: length 80
    ikev2_next_payload: length 84 nextpayload TSi
    ikev2_next_payload: length 24 nextpayload TSr
    ikev2_next_payload: length 24 nextpayload NONE
    ikev2_msg_encrypt: decrypted length 197
    ikev2_msg_encrypt: padded length 208
    ikev2_msg_encrypt: length 198, padding 10, output length 240
    ikev2_next_payload: length 244 nextpayload IDi
    ikev2_msg_integr: message length 272
    ikev2_msg_integr: integrity checksum length 16
    ikev2_pld_parse: header ispi 0xc4ee0d4196ad15a3 rspi 0xf51ab8b4f8c59318 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 272 response 0
    ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 244
    ikev2_msg_decrypt: IV length 16
    ikev2_msg_decrypt: encrypted payload length 208
    ikev2_msg_decrypt: integrity checksum length 16
    ikev2_msg_decrypt: integrity check succeeded
    ikev2_msg_decrypt: decrypted payload length 208/208 padding 10
    ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 25
    ikev2_pld_id: id FQDN/my.laptop length 21
    ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
    ikev2_pld_auth: method SHARED_KEY_MIC length 32
    ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
    ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0xcc44c94d
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
    ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
    ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
    ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
    ikev2_pld_ts: count 1 length 16
    ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
    ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
    ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
    ikev2_pld_ts: count 1 length 16
    ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
    ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
    ikev2_msg_send: IKE_AUTH request from 192.168.155.20:4500 to <aa.bb.cc.dd>:4500 msgid 1, 272 bytes, NAT-T
    config_free_proposals: free 0x83578ae0600
    ikev2 exiting, pid 58969
    ca exiting, pid 22195
    control exiting, pid 15176
    parent terminating

$ cat iked-server-success.log
    ca_privkey_serialize: type RSA_KEY length 1193
    ca_pubkey_serialize: type RSA_KEY length 270
    ikev2 "vpnserver at aa.bb.cc.dd" passive esp from 0.0.0.0/0 to 0.0.0.0/0 local any peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x6d79736563726574 config address 192.168.1.7 config netmask 255.255.255.0 config dhcp-server 192.168.1.1 config name-server 192.168.1.1
    /etc/iked.conf: loaded 1 configuration rules
    ca_reload: loaded ca file ca.crt
    ca_reload: loaded crl file ca.crl
    ca_reload: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=<aa.bb.cc.dd>/emailAddress=reyk@openbsd .org
    ca_reload: loaded 1 ca certificate
    ca_reload: local cert type X509_CERT
    config_getocsp: ocsp_url none
    ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
    ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
    config_getpolicy: received policy
    config_getpfkey: received pfkey fd 3
    config_getcompile: compilation done
    config_getsocket: received socket fd 4
    config_getsocket: received socket fd 5
    config_getsocket: received socket fd 6
    config_getsocket: received socket fd 7
    ikev2_recv: IKE_SA_INIT request from initiator <client-ip>:500 to <aa.bb.cc.dd>:500 policy 'vpnserver at aa.bb.cc.dd' id 0, 518 bytes
    ikev2_recv: ispi 0xc6dc6f255eed6532 rspi 0x0000000000000000
    ikev2_policy2id: srcid FQDN/blank.my.domain length 19
    ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0
    ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120
    ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
    ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
    ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
    ikev2_pld_ke: dh group MODP_2048_256 reserved 0
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    ikev2_nat_detection: peer source 0xc6dc6f255eed6532 0x0000000000000000 <client-ip>:500
    ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    ikev2_nat_detection: peer destination 0xc6dc6f255eed6532 0x0000000000000000 <aa.bb.cc.dd>:500
    ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
    ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
    ikev2_pld_notify: signature hash SHA2_256 (2)
    ikev2_pld_notify: signature hash SHA2_384 (3)
    ikev2_pld_notify: signature hash SHA2_512 (4)
    sa_state: INIT -> SA_INIT
    ikev2_sa_negotiate: score 4
    sa_stateok: SA_INIT flags 0x0000, require 0x0000
    sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
    ikev2_sa_keys: SKEYSEED with 32 bytes
    ikev2_sa_keys: S with 80 bytes
    ikev2_prfplus: T1 with 32 bytes
    ikev2_prfplus: T2 with 32 bytes
    ikev2_prfplus: T3 with 32 bytes
    ikev2_prfplus: T4 with 32 bytes
    ikev2_prfplus: T5 with 32 bytes
    ikev2_prfplus: T6 with 32 bytes
    ikev2_prfplus: T7 with 32 bytes
    ikev2_prfplus: Tn with 224 bytes
    ikev2_sa_keys: SK_d with 32 bytes
    ikev2_sa_keys: SK_ai with 32 bytes
    ikev2_sa_keys: SK_ar with 32 bytes
    ikev2_sa_keys: SK_ei with 32 bytes
    ikev2_sa_keys: SK_er with 32 bytes
    ikev2_sa_keys: SK_pi with 32 bytes
    ikev2_sa_keys: SK_pr with 32 bytes
    ikev2_add_proposals: length 44
    ikev2_next_payload: length 48 nextpayload KE
    ikev2_next_payload: length 264 nextpayload NONCE
    ikev2_next_payload: length 36 nextpayload NOTIFY
    ikev2_nat_detection: local source 0xc6dc6f255eed6532 0x364469831ec2954c <aa.bb.cc.dd>:500
    ikev2_next_payload: length 28 nextpayload NOTIFY
    ikev2_nat_detection: local destination 0xc6dc6f255eed6532 0x364469831ec2954c <client-ip>:500
    ikev2_next_payload: length 28 nextpayload NOTIFY
    ikev2_next_payload: length 14 nextpayload NONE
    ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 446 response 1
    ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
    ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
    ikev2_pld_ke: dh group MODP_2048_256 reserved 0
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
    ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
    ikev2_msg_send: IKE_SA_INIT response from <aa.bb.cc.dd>:500 to <client-ip>:500 msgid 0, 446 bytes
    config_free_proposals: free 0x16f1d056580
    ikev2_recv: IKE_AUTH request from initiator <client-ip>:61180 to <aa.bb.cc.dd>:4500 policy 'vpnserver at aa.bb.cc.dd' id 1, 272 bytes
    ikev2_recv: ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c
    ikev2_recv: updated SA to peer <client-ip>:61180 local <aa.bb.cc.dd>:4500
    ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 272 response 0
    ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 244
    ikev2_msg_decrypt: IV length 16
    ikev2_msg_decrypt: encrypted payload length 208
    ikev2_msg_decrypt: integrity checksum length 16
    ikev2_msg_decrypt: integrity check succeeded
    ikev2_msg_decrypt: decrypted payload length 208/208 padding 10
    ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 25
    ikev2_pld_id: id FQDN/my.laptop length 21
    ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
    ikev2_pld_auth: method SHARED_KEY_MIC length 32
    sa_state: SA_INIT -> AUTH_REQUEST
    ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
    ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x2edc41c6
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
    ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
    ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
    ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
    ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
    ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
    ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
    ikev2_pld_ts: count 1 length 16
    ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
    ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
    ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
    ikev2_pld_ts: count 1 length 16
    ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
    ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
    ikev2_resp_recv: NAT-T message received, updated SA
    sa_stateok: SA_INIT flags 0x0000, require 0x0000
    policy_lookup: peerid 'my.laptop'
    ikev2_msg_auth: responder auth data length 510
    ikev2_msg_auth: initiator auth data length 582
    ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
    ikev2_msg_authverify: authentication successful
    sa_state: AUTH_REQUEST -> AUTH_SUCCESS
    sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0038 auth,authvalid,sa)
    ikev2_sa_negotiate: score 3
    sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0038 auth,authvalid,sa)
    sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
    sa_state: AUTH_SUCCESS -> VALID
    sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
    sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x560c49a8
pfkey_sa_init: new spi 0x560c49a8
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
ikev2_next_payload: length 23 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 155
ikev2_msg_encrypt: padded length 160
ikev2_msg_encrypt: length 156, padding 4, output length 192
ikev2_next_payload: length 196 nextpayload IDr
ikev2_msg_integr: message length 224
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 4
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 23
ikev2_pld_id: id FQDN/blank.my.domain length 19
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x560c49a8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH response from <aa.bb.cc.dd>:4500 to <client-ip>:61180 msgid 1, 224 bytes, NAT-T
pfkey_sa_add: update spi 0x560c49a8
pfkey_sa: udpencap port 61180
ikev2_childsa_enable: loaded CHILD SA spi 0x560c49a8
pfkey_sa_add: add spi 0x2edc41c6
pfkey_sa: udpencap port 61180
ikev2_childsa_enable: loaded CHILD SA spi 0x2edc41c6
ikev2_childsa_enable: loaded flow 0x16f2d967000
ikev2_childsa_enable: loaded flow 0x16ea40e6000
sa_state: VALID -> ESTABLISHED from <client-ip>:61180 to <aa.bb.cc.dd>:4500 policy 'vpnserver at aa.bb.cc.dd'
config_free_proposals: free 0x16f1d056900
pfkey_sa_last_used: last_used 1484654472
ikev2_ike_sa_alive: incoming CHILD SA spi 0x560c49a8 last used 28 second(s) ago
pfkey_sa_last_used: last_used 1484654472
ikev2_ike_sa_alive: incoming CHILD SA spi 0x560c49a8 last used 88 second(s) ago
pfkey_sa_last_used: last_used 1484654559
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x2edc41c6 last used 1 second(s) ago
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 0 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL request from <aa.bb.cc.dd>:4500 to <client-ip>:61180 msgid 0, 80 bytes, NAT-T
pfkey_sa_last_used: last_used 1484654472
ikev2_ike_sa_alive: incoming CHILD SA spi 0x560c49a8 last used 148 second(s) ago
pfkey_sa_last_used: last_used 1484654604
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x2edc41c6 last used 16 second(s) ago
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL request from <aa.bb.cc.dd>:4500 to <client-ip>:61180 msgid 1, 80 bytes, NAT-T
pfkey_sa_last_used: last_used 1484654472
ikev2_ike_sa_alive: incoming CHILD SA spi 0x560c49a8 last used 208 second(s) ago
pfkey_sa_last_used: last_used 1484654640
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x2edc41c6 last used 40 second(s) ago
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 2 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL request from <aa.bb.cc.dd>:4500 to <client-ip>:61180 msgid 2, 80 bytes, NAT-T
ikev2_msg_retransmit_timeout: retransmit limit reached for msgid 0
sa_free: ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c
config_free_proposals: free 0x16f58fffb00
config_free_proposals: free 0x16eb25bfc00
config_free_childsas: free 0x16eb25bd000
config_free_childsas: free 0x16e71351600
sa_free_flows: free 0x16f2d967000
sa_free_flows: free 0x16ea40e6000
control exiting, pid 98080
ikev2 exiting, pid 48554
ca exiting, pid 43719
parent terminating

$ cat iked-client-success.log
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ikev2 "vpnclient" active esp inet from 0.0.0.0/0 to 0.0.0.0/0 local any peer <aa.bb.cc.dd> ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x6d79736563726574
/etc/iked.conf: loaded 1 configuration rules
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
ca_reload: loaded ca file ca.crt
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded crl file ca.crl
ca_reload: /CN=VPN CA
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file iphone.crt
ca_validate_cert: /CN=iphone ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_init_ike_sa: initiating "vpnclient"
ikev2_policy2id: srcid FQDN/my.laptop length 21
ikev2_add_proposals: length 116
ikev2_next_payload: length 120 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xc6dc6f255eed6532 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xc6dc6f255eed6532 0x0000000000000000 <aa.bb.cc.dd>:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120
ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to <aa.bb.cc.dd>:500 msgid 0, 518 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder <aa.bb.cc.dd>:500 to 192.168.155.20:500 policy 'vpnclient' id 0, 446 bytes
ikev2_recv: ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c
ikev2_recv: updated SA to peer <aa.bb.cc.dd>:500 local 192.168.155.20:500
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 446 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xc6dc6f255eed6532 0x364469831ec2954c <aa.bb.cc.dd>:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xc6dc6f255eed6532 0x364469831ec2954c 192.168.155.20:500
ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_init_recv: NAT detected, updated SA to peer <aa.bb.cc.dd>:4500 local 192.168.155.20:4500
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 582
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 25 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0x2edc41c6
pfkey_sa_init: new spi 0x2edc41c6
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 197
ikev2_msg_encrypt: padded length 208
ikev2_msg_encrypt: length 198, padding 10, output length 240
ikev2_next_payload: length 244 nextpayload IDi
ikev2_msg_integr: message length 272
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 272 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 244
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 208
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 208/208 padding 10
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 25
ikev2_pld_id: id FQDN/my.laptop length 21
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x2edc41c6
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH request from 192.168.155.20:4500 to <aa.bb.cc.dd>:4500 msgid 1, 272 bytes, NAT-T
config_free_proposals: free 0x2abbf9cef00
ikev2_recv: IKE_AUTH response from responder <aa.bb.cc.dd>:4500 to 192.168.155.20:4500 policy 'vpnclient' id 1, 224 bytes
ikev2_recv: ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c
ikev2_recv: updated SA to peer <aa.bb.cc.dd>:4500 local 192.168.155.20:4500
ikev2_pld_parse: header ispi 0xc6dc6f255eed6532 rspi 0x364469831ec2954c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 4
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 23
ikev2_pld_id: id FQDN/blank.my.domain length 19
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x560c49a8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_auth: responder auth data length 510
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0008 -> 0x0018 auth,authvalid (required 0x0030 authvalid,sa)
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0018 -> 0x0038 auth,authvalid,sa (required 0x0030 authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0x560c49a8
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x560c49a8
pfkey_sa_add: update spi 0x2edc41c6
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x2edc41c6
ikev2_childsa_enable: loaded flow 0x2ab76b27c00
ikev2_childsa_enable: loaded flow 0x2ab661bcc00
sa_state: VALID -> ESTABLISHED from <aa.bb.cc.dd>:4500 to 192.168.155.20:4500 policy 'vpnclient'
config_free_proposals: free 0x2ab661bdf00
ca exiting, pid 281
ikev2 exiting, pid 1400
control exiting, pid 68723
parent terminating