JoseLuis1977
just joined
Topic Author
Posts: 5
Joined: Wed Jul 15, 2015 2:18 pm

Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Wed Jul 15, 2015 2:33 pm

Hello, I am a new forum user. I need help setting up an IPsec VPN between a Watchguard XTM330 and a Mikrotik RB2011. I reviewed both configurations and they seem correct, but the VPN is not up.

Last configuration is:

Mikrotik:

Peers
Address: remote ip public address
port: 500
Local Address: my public address
Method: pre shared key
Exchange Mode: main
My ID: auto
Proposal check: obey
Hash Algorithm: sha256 (I tried all the others too)
Encrypt Algorithm: aes-256 (same as the previous algorithm, I tried all the others)
DH Group: modp 1024
Lifetime: 08:00:00
DPD interval: 60
DPD failures: 5

Proposals:
Auth. Algorithm: sha256 (I tried all the others too)
Encr. Algorithm: aes-256 cbc and aes-256 ctr (I tried all the others too)
Lifetime: 08:00:00
PFS Group: modp 1024.

The Watchguard is configured with the same phase 1 and 2.

Under Remote Peers I see some connections between both public addresses, but the VPN tunnel is down.

Can someone help me?

Thanks.
 
bommi
Frequent Visitor
Posts: 52
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Wed Jul 22, 2015 3:56 pm

Try to get useful logs by enabling ipsec logging:

/system logging add topics=ipsec
 
Nova
newbie
Posts: 25
Joined: Mon Aug 04, 2014 3:44 pm
Location: Spain // Germany

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Thu Jul 23, 2015 1:01 pm

Did you add the firewall rules (filter and NAT)?
filter:
chain=input action=accept protocol=ipsec-esp
chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500

chain=forward action=accept src-address=(Local LAN) dst-address=(Remote LAN)
chain=forward action=accept src-address=(Remote LAN) dst-address=(Local LAN)

NAT
chain=srcnat action=accept src-address=(Local LAN) dst-address=(Remote LAN)
 
JoseLuis1977
just joined
Topic Author
Posts: 5
Joined: Wed Jul 15, 2015 2:18 pm

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Sat Jul 25, 2015 11:47 pm

OK, thanks, I will try to configure this.

But I reviewed the logs on the Watchguard, and the issue is that the ID payload that the Mikrotik sends is not recognized by the Watchguard. I set exchange mode to main, and auto, because I can't choose any option other than FQDN or user FQDN.

Can anyone help me?

Thanks.
 
bommi
Frequent Visitor
Posts: 52
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Tue Jul 28, 2015 4:34 pm

Can you provide a configuration example or config screenshots of your Watchguard?
 
JoseLuis1977
just joined
Topic Author
Posts: 5
Joined: Wed Jul 15, 2015 2:18 pm

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Mon Aug 03, 2015 12:31 pm

You can download the Watchguard configuration from this link:

https://www.wetransfer.com/downloads/72 ... 008/0a842c

Thanks.
 
bommi
Frequent Visitor
Posts: 52
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Mon Aug 03, 2015 12:45 pm

Can you provide log files of both sides?
 
JoseLuis1977
just joined
Topic Author
Posts: 5
Joined: Wed Jul 15, 2015 2:18 pm

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Tue Aug 04, 2015 9:46 am

The Watchguard log shows:

2015-07-24 12:37:18 iked (x.x.x.x<->y.y.y.y)WARNING: Mismatched ID settings at peer y.y.y.y:500 caused an authentication failure

The Mikrotik log shows:

ipsec,error phase 1 negotiation failed due to time up y.y.y.y[500]<=>x.x.x.x[500] "numero hash"

In both logs the address y.y.y.y must be the same, but they do not match. I need to talk to the service provider's administrator, because I need him to explain to me why the pppout address is not the same as the public address.
 
JoseLuis1977
just joined
Topic Author
Posts: 5
Joined: Wed Jul 15, 2015 2:18 pm

Re: Problem to do a VPN Ipsec between Watchguard XTM330 and Mikrotik RB2011

Tue Aug 04, 2015 6:15 pm

I printed the configurations:

mikrotik:

[admin@MikroTik] <SAFE> ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=62.43.225.48/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="**************" generate-policy=no
policy-template-group=*FFFFFFFF exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
[admin@MikroTik] <SAFE> ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=10m
pfs-group=modp1024
[admin@MikroTik] <SAFE>

In this log only "failed to pre-process ph2 packet" appears.


watchguard:

*** WG Diagnostic Report for Gateway "gateway.1" ***
Created On: Tue Aug 4 17:07:45 2015

[Gateway Summary]
Gateway "gateway.1" contains "1" gateway endpoint(s).
Gateway Endpoint #1 (name "gateway.1") Enabled
Mode: Main PFS: Disabled AlwaysUP: Disabled
DPD: Disabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(62.43.225.48) <-> IP_ADDR(81.34.7.82)}
Local GW_IP<->Remote GW_IP: {62.43.225.48 <-> 81.34.7.82}
Outgoing Interface: eth0 (ifIndex=4)
ifMark=0x10000
linkStatus=2 (0:unknown, 1:down, 2:up)


[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway

Name: "tunnel.1" Enabled
PFS: "Enabled" DH-Group: "2"
Number of Proposals: "1"
Proposal "phase2_proposal.1"
ESP:
EncryptAlgo: "3DES"
AuthAlgo: "SHA"
LifeTime: "600(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "2"
#1
Direction: "BOTH"
"192.168.1.0/255.255.255.0<->192.168.88.0/255.255.255.0"

#2
Direction: "BOTH"
"192.168.1.1/32<->192.168.88.1/32"


[Run-time Info (gateway IKE_SA)]
Name: "gateway.1" (IfStatus: 0x80000002)
ISAKMP SAID: "0xe1df94e7" State: "SA Mature"
Created: Tue Aug 4 17:07:31 2015
My Address: 62.43.225.48:500 Peer Address: 81.34.7.82:500
InitCookie: "9d14d1dffbd562ec" RespCookie: "fce9b72e4c7f8134"
LifeTime: "28803(seconds)" LifeByte: "0(kbtyes)" DPD: "Disabled"



[Run-time Info (tunnel IPSEC_SA)]

[Run-time Info (tunnel IPSEC_SP)]
"2" IPSEC SP(s) are found
#1
Tunnel Endpoint: "62.43.225.48->81.34.7.82"
Tunnel Selector: 192.168.1.1/32 -> 192.168.88.1/32 Proto: ANY
Created On: Tue Aug 4 17:05:55 2015
Gateway Name: "gateway.1"
Tunnel Name: "tunnel.1"
#2
Tunnel Endpoint: "62.43.225.48->81.34.7.82"
Tunnel Selector: 192.168.1.0/24 -> 192.168.88.0/24 Proto: ANY
Created On: Tue Aug 4 17:05:55 2015
Gateway Name: "gateway.1"
Tunnel Name: "tunnel.1"

[Related Logs]
<158>Aug 4 17:06:47 iked[666]: (62.43.225.48<->81.34.7.82)Timeout: Resend to 81.34.7.82 quick mode message(id aceee0cc)
<158>Aug 4 17:06:51 iked[666]: (62.43.225.48<->81.34.7.82)Timeout: Resend to 81.34.7.82 quick mode message(id aceee0cc)
<156>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)Drop negotiation to peer 81.34.7.82 due to phase 2(id aceee0cc) retry timeout
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteQMState: try to delete QMState 0x1019f8d0 (ID aceee0cc) with IsakmpSA(0x10195ccc) Gateway(gateway.1)
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)SA Nego Fail: saHandle 0x0x104a63a0 InitMode 1, reason 2
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)SA Nego Fail: free saHandle
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)Cleanup all SAs to peer 81.34.7.82
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)(NATT)IkeFindIsakmpSABySPD: Matched IP and peer_udp_port=0 p1saId=0 : pIsakmpSA p1saID=e1df94e7 DestPort=500
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)OutDelete: DOI=1, ProtoId=1, SPISize=16, NumSPIs=1, SPI-1=0x028f5010
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)Sending inform delete message to 81.34.7.82:500
<155>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)delete Isakmp SA, reason=IKE_P1SA_LOCAL_EXPIRED (Gateway gateway.1)
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)ike_p1_status_chg: ikePcyName=gateway.1, status=DOWN
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)WAN-Failover: start "AlwaysUP" timer for ikePcy(gateway.1)
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: try to delete Isakmp SA 0x10195ccc for Gateway gateway.1
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)Totally 0 Pending P2 SA Requests Got Dropped.
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: Stop Phase One Retry and Life Timer
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: Stop Phase One DPD Retry timer
<158>Aug 4 17:06:55 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: (DELETING) Start Phase One Delay Deletion Timer for IsakmpSA(0x10195ccc) Gateway(gateway.1)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)******** RECV an IKE packet at 62.43.225.48:500(socket=11 ifIndex=4) from Peer 81.34.7.82:500 ********
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 523076168(Isakmp SA 0x10187b48)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 started by peer with policy [gateway.1] from 81.34.7.82:500 main mode
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloads : Payload(SA) Len(56)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeProposalNtoH : Recv SPI(0000 0000 0000 0x24) SPI(0000 0000 0000 0000)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0xafcad713)
<155>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Rejected peer VPN DPD request: not configured
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeProposalHtoN : net order spi(0000 0000 0000 0000)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Sending main mode 2nd message with policy 'gateway.1' to 81.34.7.82:500
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)******** RECV an IKE packet at 62.43.225.48:500(socket=11 ifIndex=4) from Peer 81.34.7.82:500 ********
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Received main mode 3rd message with policy 'gateway.1' from 81.34.7.82:500
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(4) Len(132)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(10) Len(28)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Sending main mode 4th message with policy 'gateway.1' to 81.34.7.82:500
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)******** RECV an IKE packet at 62.43.225.48:500(socket=11 ifIndex=4) from Peer 81.34.7.82:500 ********
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Received main mode 5th message with policy 'gateway.1' from 81.34.7.82:500
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeMMProcessIDMsg : SAState.sState(7)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(5) Len(12)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)Sending main mode 6th message with policy 'gateway.1' to 81.34.7.82:500
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)MainMode (RESP) Stop Nego LifeTimer! pIsakmpSA=0x10187b48
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)BOVPN phase-1 main mode completed successfully as responder for 'gateway.1' gateway endpoint. local-gw:62.43.225.48:500 remote-gw:81.34.7.82:500 SA ID:0xe1df94e7
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)main mode hash_alg=2 encr_alg=7 key_len=256 auth_alg=1 dh_group=2 seconds=28803 kbytes=0
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)(NATT): p1said=0xe1df94e7, sPort=500, dPort=500, natTNeg=0, natD=0
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)ike_p1_status_chg: ikePcyName=gateway.1, status=UP
<156>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)MainMode: cleanup old P1SA src 62.43.225.48 dst 81.34.7.82:500
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: try to delete Isakmp SA 0x10195ccc for Gateway gateway.1
<158>Aug 4 17:07:01 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: (DELETING) Isakmp SA 0x10195ccc peer 81.34.7.82 local 62.43.225.48
<158>Aug 4 17:07:05 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway gateway.1 to 81.34.7.82:500)
<158>Aug 4 17:07:09 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway gateway.1 to 81.34.7.82:500)
<158>Aug 4 17:07:13 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway gateway.1 to 81.34.7.82:500)
<158>Aug 4 17:07:14 iked[666]: (62.43.225.48<->81.34.7.82)*******recv IPSEC_ACQUIRE message, trying to trigger the tunnel negotiation for gateway(gateway.1), tunnel(tunnel.1) (4/0)
<158>Aug 4 17:07:14 iked[666]: (62.43.225.48<->81.34.7.82)(NATT)IkeFindIsakmpSABySPD: Matched IP and peer_udp_port=0 p1saId=0 : pIsakmpSA p1saID=e1df94e7 DestPort=500
<158>Aug 4 17:07:14 iked[666]: (62.43.225.48<->81.34.7.82)(NATT)IkeFindIsakmpSABySPD: Matched IP and peer_udp_port=0 p1saId=0 : pIsakmpSA p1saID=e1df94e7 DestPort=500
<158>Aug 4 17:07:14 iked[666]: (62.43.225.48<->81.34.7.82)IkeProposalHtoN : net order spi(0xa2 0x1f 0xea 0x2f)
<158>Aug 4 17:07:14 iked[666]: (62.43.225.48<->81.34.7.82)Starting phase 2 to 81.34.7.82:500 quick mode message(id e6096ed3)
<158>Aug 4 17:07:17 iked[666]: (62.43.225.48<->81.34.7.82)Timeout: Resend to 81.34.7.82 quick mode message(id e6096ed3)
<158>Aug 4 17:07:22 iked[666]: (62.43.225.48<->81.34.7.82)Timeout: Resend to 81.34.7.82 quick mode message(id e6096ed3)
<158>Aug 4 17:07:25 iked[666]: (62.43.225.48<->81.34.7.82)Timeout: Resend to 81.34.7.82 quick mode message(id e6096ed3)
<156>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)Drop negotiation to peer 81.34.7.82 due to phase 2(id e6096ed3) retry timeout
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteQMState: try to delete QMState 0x101a5d88 (ID e6096ed3) with IsakmpSA(0x10187b48) Gateway(gateway.1)
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)SA Nego Fail: saHandle 0x0x104a63a0 InitMode 1, reason 2
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)SA Nego Fail: free saHandle
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)Cleanup all SAs to peer 81.34.7.82
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)(NATT)IkeFindIsakmpSABySPD: Matched IP and peer_udp_port=0 p1saId=0 : pIsakmpSA p1saID=e1df94e7 DestPort=500
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)OutDelete: DOI=1, ProtoId=1, SPISize=16, NumSPIs=1, SPI-1=0xba4937fa
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)Sending inform delete message to 81.34.7.82:500
<155>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)delete Isakmp SA, reason=IKE_P1SA_LOCAL_EXPIRED (Gateway gateway.1)
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)ike_p1_status_chg: ikePcyName=gateway.1, status=DOWN
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)WAN-Failover: start "AlwaysUP" timer for ikePcy(gateway.1)
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: try to delete Isakmp SA 0x10187b48 for Gateway gateway.1
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)Totally 0 Pending P2 SA Requests Got Dropped.
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: Stop Phase One Retry and Life Timer
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: Stop Phase One DPD Retry timer
<158>Aug 4 17:07:29 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: (DELETING) Start Phase One Delay Deletion Timer for IsakmpSA(0x10187b48) Gateway(gateway.1)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)******** RECV an IKE packet at 62.43.225.48:500(socket=11 ifIndex=4) from Peer 81.34.7.82:500 ********
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 211187200(Isakmp SA 0x1018537c)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 started by peer with policy [gateway.1] from 81.34.7.82:500 main mode
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloads : Payload(SA) Len(56)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeProposalNtoH : Recv SPI(0000 0000 0000 0x24) SPI(0000 0000 0000 0000)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0xafcad713)
<155>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Rejected peer VPN DPD request: not configured
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeProposalHtoN : net order spi(0000 0000 0000 0000)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Sending main mode 2nd message with policy 'gateway.1' to 81.34.7.82:500
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)******** RECV an IKE packet at 62.43.225.48:500(socket=11 ifIndex=4) from Peer 81.34.7.82:500 ********
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Received main mode 3rd message with policy 'gateway.1' from 81.34.7.82:500
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(4) Len(132)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(10) Len(28)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Sending main mode 4th message with policy 'gateway.1' to 81.34.7.82:500
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)******** RECV an IKE packet at 62.43.225.48:500(socket=11 ifIndex=4) from Peer 81.34.7.82:500 ********
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Received main mode 5th message with policy 'gateway.1' from 81.34.7.82:500
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeMMProcessIDMsg : SAState.sState(7)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(5) Len(12)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)Sending main mode 6th message with policy 'gateway.1' to 81.34.7.82:500
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)MainMode (RESP) Stop Nego LifeTimer! pIsakmpSA=0x1018537c
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)BOVPN phase-1 main mode completed successfully as responder for 'gateway.1' gateway endpoint. local-gw:62.43.225.48:500 remote-gw:81.34.7.82:500 SA ID:0xe1df94e7
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)main mode hash_alg=2 encr_alg=7 key_len=256 auth_alg=1 dh_group=2 seconds=28803 kbytes=0
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)(NATT): p1said=0xe1df94e7, sPort=500, dPort=500, natTNeg=0, natD=0
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)ike_p1_status_chg: ikePcyName=gateway.1, status=UP
<156>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)MainMode: cleanup old P1SA src 62.43.225.48 dst 81.34.7.82:500
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: try to delete Isakmp SA 0x10187b48 for Gateway gateway.1
<158>Aug 4 17:07:31 iked[666]: (62.43.225.48<->81.34.7.82)IkeDeleteIsakmpSA: (DELETING) Isakmp SA 0x10187b48 peer 81.34.7.82 local 62.43.225.48
<158>Aug 4 17:07:35 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway gateway.1 to 81.34.7.82:500)
<158>Aug 4 17:07:39 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway gateway.1 to 81.34.7.82:500)
<158>Aug 4 17:07:43 iked[666]: (62.43.225.48<->81.34.7.82)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway gateway.1 to 81.34.7.82:500)
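
Added example, not part of the original thread or of either vendor's tooling: a small Python triage script for iked lines in the format of the [Related Logs] section above. It decodes the syslog priority, translates the numeric phase 1 parameters, and tracks each quick mode message id to show whether phase 2 was ever answered. The sample lines are constructed (documentation addresses), and the numeric-to-name tables assume the values follow the IANA IKEv1 attribute registry, which is consistent with the MikroTik peer settings printed in the post.

```python
import re

# Constructed sample in the format of the [Related Logs] section above
# (abridged; addresses are documentation ranges, not the poster's).
SAMPLE = """\
<158>Aug 4 17:07:01 iked[666]: (198.51.100.10<->203.0.113.20)main mode hash_alg=2 encr_alg=7 key_len=256 auth_alg=1 dh_group=2 seconds=28803 kbytes=0
<158>Aug 4 17:07:01 iked[666]: (198.51.100.10<->203.0.113.20)ike_p1_status_chg: ikePcyName=gateway.1, status=UP
<158>Aug 4 17:07:14 iked[666]: (198.51.100.10<->203.0.113.20)Starting phase 2 to 203.0.113.20:500 quick mode message(id e6096ed3)
<158>Aug 4 17:07:17 iked[666]: (198.51.100.10<->203.0.113.20)Timeout: Resend to 203.0.113.20 quick mode message(id e6096ed3)
<158>Aug 4 17:07:22 iked[666]: (198.51.100.10<->203.0.113.20)Timeout: Resend to 203.0.113.20 quick mode message(id e6096ed3)
<156>Aug 4 17:07:29 iked[666]: (198.51.100.10<->203.0.113.20)Drop negotiation to peer 203.0.113.20 due to phase 2(id e6096ed3) retry timeout
<158>Aug 4 17:07:29 iked[666]: (198.51.100.10<->203.0.113.20)ike_p1_status_chg: ikePcyName=gateway.1, status=DOWN
"""

LINE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ [\d:]+) iked\[\d+\]: \(([\d.]+)<->([\d.]+)\)(.*)$")
# Assumption: numeric values follow the IANA IKEv1 attribute registry.
HASH = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
ENCR = {1: "des", 5: "3des", 7: "aes"}
AUTH = {1: "pre-shared-key", 3: "rsa-signature"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def decode_phase1(msg):
    """Turn 'main mode hash_alg=2 encr_alg=7 ...' into readable names."""
    kv = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", msg)}
    enc = ENCR.get(kv["encr_alg"], str(kv["encr_alg"]))
    if kv.get("key_len"):
        enc += "-%d" % kv["key_len"]
    return {"hash": HASH.get(kv["hash_alg"], "?"), "enc": enc,
            "auth": AUTH.get(kv["auth_alg"], "?"),
            "dh": GROUP.get(kv["dh_group"], "?"), "lifetime_s": kv["seconds"]}


def triage(text):
    """Summarise phase 1 / phase 2 progress from iked log lines."""
    out = {"phase1": None, "p1_state": None, "quick_mode": {}, "warnings": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                       # not an iked line in this format
        pri, ts, _local, _peer, msg = m.groups()
        severity = int(pri) % 8            # syslog PRI = facility * 8 + severity
        if severity <= 4:                  # warning or worse
            out["warnings"].append((ts, msg))
        if msg.startswith("main mode hash_alg="):
            out["phase1"] = decode_phase1(msg)
        elif "ike_p1_status_chg" in msg:
            out["p1_state"] = msg.rsplit("status=", 1)[1]
        qm = re.search(r"(?:quick mode message|phase 2)\(id ([0-9a-f]+)\)", msg)
        if qm:                             # group events by quick mode message id
            st = out["quick_mode"].setdefault(qm.group(1), {"resends": 0, "result": "pending"})
            if msg.startswith("Timeout: Resend"):
                st["resends"] += 1
            elif "retry timeout" in msg:
                st["result"] = "no-reply"
    dead = any(s["result"] == "no-reply" for s in out["quick_mode"].values())
    out["verdict"] = ("phase 1 not seen" if not out["phase1"] else
                      "phase 1 negotiated, phase 2 unanswered" if dead else
                      "phase 1 negotiated")
    return out


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A verdict of "phase 1 negotiated, phase 2 unanswered" means the IKE SA came up and every quick mode message then timed out, so the phase 1 settings (algorithms, pre-shared key, ID) are not where the two ends disagree.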