Discovery of external IP address (Noip.com)

Posted: Fri Mar 19, 2021 11:56 pm
by ramirez
Is there a way to be able to find out the external IP when the MT is behind a modem and set a noip.com name, without involving entering your account details on the Modem?

When you don't have any access to the ISP modem and you just connect the MT on the modem (no firewall rules present on MT) is it possible to have the MT "tell" you what your external IP is ?

Basically doing what a modem does at the DDNS section to have the MT do it .

Re: Discovery of external IP address (Noip.com)

Posted: Sat Mar 20, 2021 5:53 am
by 2frogs
There is a built in DDNS under IP>Cloud.

If you have an update client running on a device in your network, you can enter your DDNS in IP>Firewall>Address List and it will resolve it to your IP.

Re: Discovery of external IP address (Noip.com)

Posted: Sat Mar 20, 2021 10:32 am
by ramirez
Thank you 2frogs, no unfortunately there will be no other device update client running on the network ...just a modem (to which I have no access) and the MT.

I was also under the impression that the DNS name in ip/cloud is not accessible when behind a NAT modem (and needs port forwarding) or are you saying that this MT DNS name will be sufficient to enter it on the remote side MT and through this discovery be able to create a successful link?

Looking for ways for each device MT (A) and MT (B) to know each other's Internet address so an L2TP/Ipsec link can be established ...

Re: Discovery of external IP address (Noip.com)

Posted: Sat Mar 20, 2021 1:28 pm
by anav
If you have access to the MT router, enable ddns and look at IP Cloud it should tell you your public IP.

Re: Discovery of external IP address (Noip.com)

Posted: Sat Mar 20, 2021 4:12 pm
by 2frogs
You will have to have port forwarding available on at least one of the modems (No IP is just another DDNS service) or you will have to connect both to a third device that has a public IP or the ability to forward ports. There is no magical way of connecting from one network to another directly without port forwarding when you are in a double NAT network (external IP without access or DMZ on modem and not MT.)

Re: Discovery of external IP address (Noip.com)

Posted: Sat Mar 20, 2021 5:15 pm
by ramirez
Indeed true ...

Here is what I did and it works, the (MT) DDNS is operating as expected to update the IP, I set it up to update every 5 minutes ...now to access from winbox a MT through "that name" indeed you need some changes/access to the modem. But! If you only need to be informed of the address so you can enter it to establish a connection (a link between the 2) it works without doing anything on the modem ...

Then if you have remote access to 1 location (that obviously is Winbox capable or in any other way) you can access the other MT through that location (through that cloud name) ...

Re: Discovery of external IP address (Noip.com)

Posted: Sat Mar 20, 2021 5:49 pm
by sindy
I was also under the impression that the DNS name in ip/cloud is not accessible when behind a NAT modem (and needs port forwarding) or are you saying that this MT DNS name will be sufficient to enter it on the remote side MT and through this discovery be able to create a successful link?

Looking for ways for each device MT (A) and MT (B) to know each other's Internet address so an L2TP/Ipsec link can be established ...
As others have written: you don't need any special measures to learn the public address behind which your router is NATed, but knowing that address is not sufficient to make an L2TP server listening at your router accessible from the internet.

So one way to establish a VPN between two routers is to establish a VPN tunnel from both to a third router on a public IP.

Another way is to use an IKEv2 IPsec site-to-site tunnel where both routers act as initiators, but it is only possible if the NAT devices between each of your two routers and the internet keep the source UDP port unchanged whenever possible. See more here.

Re: Discovery of external IP address (Noip.com)

Posted: Sun Mar 21, 2021 11:16 am
by ramirez
I see...good to know , thank you!

Would you say that in transport mode if I have access to one site (Server side) but don't have access to the other side, would I be able to establish a link between the 2, by entering the static address (to call/connect to) on the client side?

E.g. if the DDNS of the server is Server.ddns.net and the client's name is 123456789.sn.mynetname.net

In the L2TP/IPsec scenario I see the requirement in Interface/L2TP-out-1/Dial out/Connect to : , and in IP/IPsec/peers, to enter the DDNS name or address. By entering a name there respectively for each site, wouldn't that suffice to establish a link ? Assuming all the rest configurations are done on both...

Re: Discovery of external IP address (Noip.com)

Posted: Sun Mar 21, 2021 2:33 pm
by sindy
In a typical case, there may be multiple hosts with private IP (LAN devices) connected to the internet via a single device with a public IP (the WAN router).

If the first ever packet of a new connection comes from the LAN device for a destination accessible via the WAN interface, the WAN router replaces the source address of such packet before forwarding it to the destination, and for some time, it remembers its original source address, the new source address it has assigned to it, the destination addresses, IP protocol, and ports where applicable. So if a response packet arrives later on, it matches to all these values (with source and destination addresses and ports swapped of course), and the WAN router thus knows where to forward it. This process is called connection tracking, and Network Address Translation (NAT) is an optional part of its operation (connection tracking is used for other purposes as well). Since the five-tuple of (public local IP, public local port, remote IP, remote port, IP protocol) must be unique for each tracked connection, the NAT must sometimes assign a different public local port to a connection, if several LAN devices initiate a connection to the same remote IP and remote port from the same local port via the same public IP. Some devices assign random local ports to connections even if there is no such conflict, assuming it provides better security.

But if the first ever packet of some new connection arrives to the public IP of the WAN router, that router doesn't know automatically whether to process it as a packet for itself or forward it to some of the LAN devices, and if so, to which one in particular, because such packet doesn't match to any connection already tracked. So you must add a static rule on the WAN router to tell it to which LAN IP to forward the packet. Such static rules match on the same packet header fields used to identify a tracked connection, as listed above. This is commonly called "port forwarding"; to be able to add such rules, you must be an administrator of the WAN router, or have a possibility to ask the administrator to do that for you.

Even if you've possibly got just a single LAN device behind the WAN router, you still have to configure the WAN router to forward the received initial packets to that LAN device's private address. If you don't do that, the WAN router itself attempts to process the contents of such initial packet, and if it cannot do that, it drops it.

The L2TP clearly defines the roles of a client and a server. Two clients cannot connect to each other, nor can two servers. The server only listens for incoming connection requests from the client, and only sends packet back to the client if an initial request from the client has arrived. So without port forwarding on the WAN router as explained above, the L2TP server will never receive the initial request from any client.

IPsec endpoints, on the contrary, are called "peers" to express their equality; both can send the initial request for a connection and both can respond to it. This feature would normally be useless when the IPsec is used to secure L2TP, so when the IPsec configuration at the L2TP server side is created dynamically, the peer is set to be "passive", i.e. to only expect incoming initial requests but not to send its own ones.

An IPsec peer normally uses the same port to send its own requests from and to expect the requests from the other peer at. It means that if the IPsec peer is a LAN device, and if the WAN router doesn't substitute the source port in the initial IPsec packet sent by the LAN device, if each peer sends its initial request towards the other one's address and port, its WAN router will handle the other one's initial packet as a response to the initial request sent by the local one, and deliver it.

So to make that work, you have to configure IPsec manually, according to the post I've linked earlier. Whether you then use L2TP or other type of tunnel, or instead use bare IPsec with policy matching, is another question we can come back to later once you confirm the basics do work.
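The connection-tracking behaviour described in this post, as an added simulation (example code, not from the thread or from RouterOS): two MikroTiks, each behind its own NAT router, first as L2TP client/server and then as two IPsec peers that both send the initial request. All addresses and ports are constructed for the example; the public IPs come from the RFC 5737 documentation ranges.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


Endpoint = Tuple[str, int]


class NatRouter:
    """A WAN router doing connection tracking plus source NAT for one LAN."""

    def __init__(self, public_ip: str, preserve_ports: bool = True) -> None:
        self.public_ip = public_ip
        self.preserve_ports = preserve_ports
        # tracked connection: (proto, public local port, remote ip, remote port) -> LAN endpoint
        self.tracked: Dict[Tuple[str, int, str, int], Endpoint] = {}
        # static "port forwarding" rules: (proto, public port) -> LAN endpoint
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}
        self._next_port = itertools.count(20000)

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source and remember the connection."""
        lan = (pkt.src_ip, pkt.src_port)
        pub_port = pkt.src_port
        key = (pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)
        # The public five-tuple must be unique: pick a new port if another LAN host
        # already owns it, or if this NAT randomises ports regardless of conflicts.
        collides = self.tracked.get(key, lan) != lan
        if collides or not self.preserve_ports:
            pub_port = next(self._next_port)
            key = (pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)
        self.tracked[key] = lan
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if the packet matches a tracked connection
        (fields swapped) or a static forwarding rule; otherwise it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        lan = self.tracked.get(key) or self.forwards.get((pkt.proto, pkt.dst_port))
        if lan is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1], pkt.proto)


# Constructed topology: MT_A sits in LAN A behind NAT_A, MT_B in LAN B behind NAT_B.
NAT_A_IP, NAT_B_IP = "203.0.113.1", "198.51.100.1"
MT_A, MT_B = "192.168.1.1", "192.168.2.1"


def l2tp_client_to_server(port_forward: bool) -> Optional[Endpoint]:
    """MT_A is the L2TP client, MT_B the passive server. Returns where the client's
    first UDP/1701 packet lands behind NAT_B, or None if NAT_B drops it."""
    nat_a, nat_b = NatRouter(NAT_A_IP), NatRouter(NAT_B_IP)
    if port_forward:
        nat_b.add_port_forward("udp", 1701, MT_B, 1701)
    first = nat_a.outbound(Packet(MT_A, 1701, NAT_B_IP, 1701))
    delivered = nat_b.inbound(first)
    return None if delivered is None else (delivered.dst_ip, delivered.dst_port)


def ipsec_both_initiate(preserve_ports: bool) -> Tuple[bool, bool]:
    """Both peers send IKE from UDP 500 to the other side's public IP:500, with no
    port forwarding anywhere. Returns (A received B's request, B received A's)."""
    nat_a = NatRouter(NAT_A_IP, preserve_ports)
    nat_b = NatRouter(NAT_B_IP, preserve_ports)
    from_a = nat_a.outbound(Packet(MT_A, 500, NAT_B_IP, 500))
    from_b = nat_b.outbound(Packet(MT_B, 500, NAT_A_IP, 500))
    # Each WAN router now sees the far side's initial request as the response
    # to the initial request its own LAN peer has just sent.
    return nat_a.inbound(from_b) is not None, nat_b.inbound(from_a) is not None


def port_collision() -> Tuple[int, int]:
    """Two LAN hosts use the same local port towards the same remote IP:port;
    the second one must be given a different public port."""
    nat_a = NatRouter(NAT_A_IP)
    p1 = nat_a.outbound(Packet("192.168.1.10", 500, NAT_B_IP, 500))
    p2 = nat_a.outbound(Packet("192.168.1.11", 500, NAT_B_IP, 500))
    return p1.src_port, p2.src_port


if __name__ == "__main__":
    print("L2TP without port forwarding:", l2tp_client_to_server(False))
    print("L2TP with port forwarding:   ", l2tp_client_to_server(True))
    print("IPsec, ports preserved:      ", ipsec_both_initiate(True))
    print("IPsec, ports randomised:     ", ipsec_both_initiate(False))
    print("Public ports on collision:   ", port_collision())
```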

Re: Discovery of external IP address (Noip.com)

Posted: Fri Mar 26, 2021 10:01 am
by ramirez
Thank you Sindy for the time spent and the input offered!

So how about this (based on) : “…Since the five-tuple of (public local IP, public local port, remote IP, remote port, IP protocol) must be unique for each tracked connection…”

Assuming that you have 2 clients connecting to a server over L2TP/Ipsec with the following characteristics:

Client (A) ISP address 200.200.200.1 => LAN address: 192.168.1.1
Client (B) ISP address 300.300.300.1 => LAN address: 192.168.1.1

In theory what I understand is that because the different DDNS names, different passwords and the following settings:
PPP/Secrets : (Local address + remote address + routes) will be different, e.g. for Client (A): Local address: 192.168.100.1 / Remote address = 192.168.100.2 / Routes = 192.168.1.1 192.168.100.2
And respectively :
for client (B): Local address: 192.168.110.1 / Remote address = 192.168.110.2 / Routes = 192.168.1.1 192.168.110.2

How can you connect (e.g. from Winbox) when in Server’s location, to either clients? There will be unique characteristics for each connection, but each client’s LAN (and IP) will be the same (192.168.1.1)

Do you attempt to connect through the 192.168.100.2 for Client (A) and 192.168.110.2 for (B)?

I ask this because I may have in the future many clients to that server with a LAN of 192.168.1.x without being able to do anything about that.

As per your previously mentioned post, I understand bullets 1 and 2, 3-4-5 confuse me a little (but let me work with it and I will get back to you).

I have full access on Server MT and that ISP's modem, but not any access on the modem of the client's side. I can configure at my location the MT that will go behind the client's side and ship it, but then will have no physical access to it. That's why I am looking for ways to create a successful L2TP/IPsec between the two without involving port forwarding and to be able to reach the client MT from (WinBox) when at server's side (assuming there is a successful link between the two).

Also I don't know if it is ROS 6.48.1 or me, but establishing links between locations L2TP/IPSEC has proven "difficult"...In three occasions involving 1 server and three clients: client (A) established the connection relatively easy (had to restart both routers), client (B) gave me trouble on the server's side not getting a source address (it said @ IP/IPsec/Policies Src. Address: 0.0.0.0) it took several router restarts, disabling peers and identities, re-enabling them etc. and in the end the link was established.

With client (C) the link refuses to establish no matter what! In the beginning it showed the same behavior as client (B), then I gave up after several retries and efforts and disabled all settings on both sides...about an hour later I went back and re-enabled the related settings on both sides and the Server side had an IP address (instead of showing 0.0.0.0), now it shows an active connection (in Active peers) but I don't see any installed SAs! Logs say "no proposal chosen" !!! Well, I have chosen it and settings are the same on both sides ...I also disabled DPD to check but it didn't do anything...

P.S. In client (B) case where the link is successful, I cannot connect to the server via DDNS (WinBox) e.g. DDNSserver.ddns.net:1234. If I turn on my phone's 4G I can connect to it via DDNS...

Any ideas ?

Re: Discovery of external IP address (Noip.com)

Posted: Fri Mar 26, 2021 10:44 am
by sindy
First, even a whole elephant can be eaten, but you have to chop it into small enough pieces.

So mixing together the issues of overlapping internal addresses of VPN clients with the issues of establishing tunnels between devices NATed behind dynamically changing public IPs will only create a mess.

Regarding establishing the tunnels: the suggestion I gave only makes sense where you need to establish a tunnel between two low-budget endpoints with no public IP at all, i.e. getting CGNAT WAN addresses from the ISPs.

If you talk about "many clients", such a solution is still applicable but may be even more complex to maintain, and given the number of clients, the per-client share of the price of hosting a virtual machine in one of the public housings should be negligible.

Regarding many clients using the same subnets internally, the key point here is whether you need to access only the client Routerboards themselves for management purposes, or whether you need to initiate connections to multiple addresses in their LANs from the central network, or even from one client's LAN to another client's LAN.

Regarding problems with clients A, B, C - what's the difference between them? Are they three different devices (Windows, Mikrotik, iOS) at the same site, i.e. NATed behind the same public IP, or are they three Mikrotiks at different sites, each NATed behind another public IP?

Re: Discovery of external IP address (Noip.com)

Posted: Fri Mar 26, 2021 12:15 pm
by ramirez
First, even a whole elephant can be eaten, but you have to chop it into small enough pieces.
Indeed, got carried away as I was typing, apologies ... I will try to keep as short as possible the answers .
Regarding many clients using the same subnets internally, the key point here is whether you need to access only the client Routerboards themselves for management purposes,
Yes
or whether you need to initiate connections to multiple addresses in their LANs from the central network, or even from one client's LAN to another client's LAN.
No
are they three Mikrotiks at different sites, each NATed behind another public IP?
Exactly (3 Map Lite Mt's, one at each site)

Re: Discovery of external IP address (Noip.com)

Posted: Fri Mar 26, 2021 12:41 pm
by sindy
To access only the client Routerboards themselves for management purposes, you just have to choose a pool of addresses to assign them that will not overlap with the LAN subnet(s) of any of the clients. This is normally a non-issue if you are the administrator; if you are not, it's more complex as each user is free to choose any LAN subnet from the RFC1918 ranges, and you probably don't have enough public IPs to give out for that purpose.

If the connection requests from each of the three L2TP/IPsec clients arrive to the server from distinct public IPs, I have no particular idea what may be wrong. I've seen cases where certificates were used for authentication and caused the packets of the initial IKE exchange to be fragmented, which prevented the IKE from establishing because the fragments got lost somewhere on the way, and I have recently seen an ISP filter IPsec transport packets encapsulated into UDP.

But from what you wrote, it seems like an "overconfiguration" to me, as you say you had to disable and enable peers and identities.

There are two ways to configure the IPsec part for L2TP: either you set use-ipsec=yes (or required) and specify the ipsec-secret in the L2TP configuration, and RouterOS creates all the relevant IPsec objects dynamically, or you configure the whole IPsec part manually, and then you must keep use-ipsec set to no in the L2TP settings.

So show me the current configuration of both the problematic clients and of the server (as text export, not as a ton of screenshots, see my automatic signature below). And explain how you've made sure that the initial packets from the clients reach the server through the NAT device that stands between the server's WAN and the internet.

Re: Discovery of external IP address (Noip.com)

Posted: Tue Mar 30, 2021 1:43 pm
by ramirez
Thank you Sindy, for some reason I had left enabled the "use IPsec" in PPP/interface/dial-out (had manually configured IPsec). After I disabled that, the link got established and is steady. All links between clients and Server are as expected.

3 questions if I may:

A) Why when connected to client1's WiFi, I cannot connect to the Server through DDNS (WinBox)? If I try from my phone's 4G I can. I understand that this happens because I am connected to that network, that has the L2TP link with the Server (and I can connect using server's 172.21.69.153) but cannot figure out why I am losing connection through DDNS.

B) If I unplug a client from power (say for 15 minutes) and then power it up again, the link does not get established. If I enter client's configuration and disable the peer and re-enable it the link is established. I thought that this would happen automatically (I mean the link being established after a power on). How can I have the link established automatically after a power outage (e.g. 2 hours)?

C) There is no need (at least for now) to access from client1 -> client2, but should I need it in the future, would that be a static route configuration between the three? Client1: 192.168.0.1 / Client2 192.168.1.1 / Server 172.21.69.153


 [admin@Server L2TP-IPsec] > /export hide-sensitive
# mar/30/2021 05:46:24 by RouterOS 6.48.1
# software id =
#
# model = RBmAPL-2nD
# serial number = 
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=zdns.ddns.net exchange-mode=ike2 name=Ch
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 prf-algorithm=\
    sha1
add dh-group=modp2048 enc-algorithm=aes-128 name=Tz prf-algorithm=sha1
add dh-group=modp2048 enc-algorithm=aes-128 name=Art prf-algorithm=sha1
/ip ipsec peer
add address=1234.sn.mynetname.net exchange-mode=ike2 name=Art \
    profile=Art
add address=4567.sn.mynetname.net exchange-mode=ike2 name=Tz \
    profile=Tz
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=proposal1Tz pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=ArtProposal pfs-group=modp2048
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes keepalive-timeout=60 max-mru=1400 max-mtu=1400
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add peer=Tz
add peer=Ch
add peer=Art
/ip ipsec policy
set 0 disabled=yes
add dst-address=190.190.190.96/32 peer=Ch src-address=172.21.69.153/32
add dst-address=170.170.170.59/32 peer=Tz proposal=proposal1Tz \
    src-address=172.21.69.153/32
add dst-address=191.191.191.96/32 peer=Art proposal=ArtProposal \
    src-address=172.21.69.153/32
/ip route
add distance=1 dst-address=192.168.200.2/32 gateway=192.168.91.2
/ip service
set telnet disabled=yes
/ppp secret
add local-address=192.168.90.1 name=Ch profile=default-encryption \
    remote-address=192.168.90.2 routes="192.168.0.0/24 192.168.90.2" service=\
    l2tp
add local-address=192.168.91.1 name=Tz profile=default-encryption \
    remote-address=192.168.91.2 routes="192.168.20.0/24 192.168.91.2" service=\
    l2tp
add local-address=192.168.92.1 name=Art profile=default-encryption \
    remote-address=192.168.92.2 routes="192.168.1.0/24 192.168.92.2" service=\
    l2tp
/system clock
set time-zone-name=
/system identity
set name="Server L2TP-IPsec"
/system logging
add disabled=yes topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Server L2TP-IPsec] > 
 [admin@Client1] > /export hide-sensitive
# mar/28/2021 10:36:46 by RouterOS 6.48
# software id = 
#
# model = 493G
# serial number = 
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mtu=1492 name=1-ADSL speed=100Mbps
set [ find default-name=ether2 ] name=2-LAN speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] disabled=yes mac-address=\
    12:34:45:67:4F:C0 speed=100Mbps
/interface l2tp-client
add connect-to=dnsln.ddns.net disabled=no max-mru=1400 \
    max-mtu=1400 name=l2tp-out1 user=Ch
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys name=profile1 supplicant-identity=\
    "" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g country=greece \
    disabled=no distance=indoors frequency=2412 hw-retries=15 \
    installation=indoor max-station-count=12 mode=ap-bridge name=\
    WiFiG security-profile=profile1 ssid=G station-roaming=\
    enabled wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan1 ] band=5ghz-a/n country=greece \
    distance=indoors frequency=5200 ht-basic-mcs=mcs-0 hw-retries=15 \
    installation=indoor max-station-count=12 mode=ap-bridge name=\
    WiFiN rx-chains=0,1 security-profile=profile1 ssid=N \
    station-roaming=enabled tx-chains=0,1 wireless-protocol=802.11 \
    wmm-support=enabled
/interface wireless nstreme
set WiFiG enable-nstreme=yes
set WiFiN enable-nstreme=yes
/ip ipsec peer
add address=dnsln.ddns.net exchange-mode=ike2 name=Ch
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 \
    prf-algorithm=sha1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=\
    modp2048
/ip pool
add name=dhcp_pool1 ranges=192.168.0.21-192.168.0.50
add name=dhcp_pool2 ranges=192.168.0.34-192.168.0.46
add name=dhcp_pool3 ranges=192.168.0.66-192.168.0.78
add name=dhcp_pool6 ranges=192.168.0.21-192.168.0.50
add name=OVPN-POOL ranges=192.168.2.20-192.168.2.30
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=\
    1d name=server1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*12 mac-protocol=ipv6
# no interface
add action=drop chain=forward in-interface=*12 mac-protocol=ipv6
# no interface
add action=drop chain=forward in-interface=*12 mac-protocol=ipv6
# no interface
add action=drop chain=forward in-interface=*12 mac-protocol=ipv6
/interface bridge port
add bridge=bridge1 hw=no interface=1-ADSL
add bridge=bridge1 hw=no interface=2-LAN
add bridge=bridge1 interface=WiFiG
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set keepalive-timeout=60 use-ipsec=required
/interface list member
add interface=1-ADSL list=WAN
add interface=2-LAN list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=WiFiN list=LAN
add interface=WiFiG list=LAN
/interface ovpn-server server
set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 \
    max-mtu=1400 port=2500 require-client-certificate=yes
/interface sstp-server server
set enabled=yes verify-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=192.168.0.65/28 disabled=yes interface=WiFiN network=\
    192.168.0.64
add address=192.168.0.33/28 disabled=yes interface=WiFiG network=\
    192.168.0.32
add address=192.168.0.1/24 disabled=yes interface=2-LAN network=\
    192.168.0.0
/ip cloud
set ddns-update-interval=5m
/ip dhcp-server lease
add address=192.168.0.10 mac-address=12:34:45:56:24:6B server=server1
add address=192.168.0.20 client-id=1:12:34:45:56:24:6B lease-time=1d \
    mac-address=12:34:45:56:24:6B server=server1
add address=192.168.0.13 client-id=1:12:34:45:56:24:6B lease-time=1d \
    mac-address=12:34:45:56:24:6B server=server1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=8.8.8.8 disabled=yes list="GOOGLE DNS"
add address=8.8.4.4 disabled=yes list="GOOGLE DNS"
add address=208.67.222.222 disabled=yes list="GOOGLE DNS"
add address=209.244.0.3 disabled=yes list="GOOGLE DNS"
add address=10.0.0.0/8 list="Local subnet"
add address=172.16.0.0/12 list="Local subnet"
add address=192.168.0.0/16 list="Local subnet"
/ip firewall filter
add action=accept chain=input connection-state=established,related \
    disabled=yes
add action=accept chain=input disabled=yes dst-port=500,1701,4500 \
    in-interface=bridge1 protocol=udp
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=forward disabled=yes
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=accept chain=output connection-state=established,related \
    disabled=yes
add action=accept chain=input disabled=yes dst-port=2500 protocol=tcp
add action=accept chain=input disabled=yes dst-address=192.168.0.254 \
    dst-port=8291 protocol=tcp
add action=accept chain=input disabled=yes protocol=icmp
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=forward connection-state=invalid disabled=yes
add action=drop chain=output connection-state=invalid disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.25
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.36
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.28
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.21
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.34
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.35
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.26
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=Traffiv_For_Vpn passthrough=yes \
    src-address=192.168.0.31
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.0.20 to-ports=---
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.0.150 to-ports=---
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.11.10 to-ports=---
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.0.10 to-ports=--
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.0.254 to-ports=--
add action=dst-nat chain=dstnat dst-address=192.168.0.1 dst-port=--- \
    protocol=tcp to-addresses=192.168.0.10 to-ports=--
add action=dst-nat chain=dstnat dst-address=192.168.0.1 dst-port=--- \
    protocol=tcp to-addresses=192.168.0.36
add action=dst-nat chain=dstnat dst-address=192.168.0.1 dst-port=--- \
    protocol=tcp to-addresses=192.168.0.35
add action=dst-nat chain=dstnat dst-port=--- protocol=tcp \
    to-addresses=192.168.0.150 to-ports=---
/ip ipsec identity
add peer=Ch
/ip ipsec policy
set 0 disabled=yes
add dst-address=12.34.56.789/32 peer=Ch src-address=\
    192.168.0.1/32
/ip route
add distance=1 gateway=192.168.90.1 routing-mark=Traffiv_For_Vpn
add distance=2 gateway=192.168.0.254
add distance=1 dst-address=172.21.69.0/24 gateway=192.168.90.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl address=0.0.0.0/0
set winbox address=0.0.0.0/0
/ip smb
set allow-guests=no domain=workgroup enabled=yes
/ip ssh
set forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=1-ADSL type=external
add interface=bridge1 type=internal
/system clock
set time-zone-name=Europe
/system identity
set name=Client1
/system logging
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes primary-ntp=123.456.789.44 secondary-ntp=\
    123.456.888.172
/system routerboard settings
set boot-delay=3s
/system watchdog
set watchdog-timer=no
/tool graphing
set store-every=24hours
/tool graphing interface
add allow-address=192.168.0.0/24
/tool sniffer
set filter-ip-address=192.168.0.24/32 filter-ip-protocol=udp \
    filter-port=dns 



 [admin@Client2] > /export hide-sensitive
# mar/30/2021 12:56:46 by RouterOS 6.48.1
# software id = 
#
# model = 
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface l2tp-client
add connect-to=dnsln.ddns.net disabled=no max-mru=1400 max-mtu=\
    1400 name=l2tp-out1 user=Art
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm management-protection=allowed mode=\
    dynamic-keys name=profile1 supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
    disabled=no distance=indoors frequency=auto frequency-mode=\
    manual-txpower max-station-count=20 mode=ap-bridge name=Wlan1 \
    rate-set=configured security-profile=profile1 ssid=GAM \
    station-roaming=enabled wireless-protocol=802.11
/interface wireless nstreme
set Wlan1 enable-nstreme=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 prf-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-128 name="ArtProfile " \
    prf-algorithm=sha1
/ip ipsec peer
add address=dnsln.ddns.net exchange-mode=ike2 name=Art \
    profile="ArtProfile "
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
    aes-256-cbc pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=ArtProposal pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.1.5-192.168.1.55
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 lease-time=1d \
    name=server1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,win\
    box,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 interface=Wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set authentication=mschap2 max-mru=1460 max-mtu=1460 use-ipsec=\
    required
/interface ovpn-server server
set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 port=\
    4569 require-client-certificate=yes
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=192.168.1.4 comment="IP" lease-time=1d \
    mac-address=12:34:45:0F:13:14 server=server1
add address=192.168.1.27 allow-dual-stack-queue=no client-id=\
    1:12:34:45:e0:d:9c comment="TV" mac-address=\
    12:34:45:E0:0D:9C server=server1
add address=192.168.1.62 allow-dual-stack-queue=no comment=\
    "AC" mac-address=12:34:45:82:AC:CB server=server1
add address=192.168.1.60 allow-dual-stack-queue=no comment="AC" \
    lease-time=1h mac-address=12:34:45:82:E2:05 server=server1
add address=192.168.1.61 allow-dual-stack-queue=no comment="AC" \
    mac-address=12:34:45:1A:BA:13 server=server1
add address=192.168.1.28 allow-dual-stack-queue=no client-id=\
    1:12:34:45:59:b2:4c comment="TV" mac-address=\
    12:34:45:59:B2:4C server=server1
add address=192.168.1.13 client-id=1:12:34:45:9e:92:d5 lease-time=1d \
    mac-address=12:34:45:9E:92:D5 server=server1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=8.8.8.8 disabled=yes list=GOOGLEDNS
add address=8.8.4.4 disabled=yes list=GOOGLEDNS
add address=208.67.222.222 disabled=yes list=GOOGLEDNS
add address=209.244.0.3 disabled=yes list=GOOGLEDNS
add address=10.0.0.0/8 list="Local subnet"
add address=172.16.0.0/12 list="Local subnet"
add address=192.168.0.0/16 list="Local subnet"
/ip firewall filter
add action=accept chain=input connection-state=established,related \
    disabled=yes
add action=accept chain=input disabled=yes dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=accept chain=output connection-state=established,related \
    disabled=yes
add action=accept chain=input disabled=yes dst-port=2345 protocol=tcp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1234 protocol=tcp
add action=accept chain=input disabled=yes dst-port=3456 protocol=tcp
add action=accept chain=input disabled=yes protocol=icmp
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=forward connection-state=invalid disabled=yes
add action=drop chain=output connection-state=invalid disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.27
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.28
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.11
add action=mark-routing chain=prerouting disabled=yes \
    dst-address-list="!Local subnet" new-routing-mark=TrafficForVpn \
    passthrough=yes src-address=192.168.1.14
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.15
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.6
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.10
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.12
add action=mark-routing chain=prerouting dst-address-list=\
    "!Local subnet" new-routing-mark=TrafficForVpn passthrough=yes \
    src-address=192.168.1.55
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1
add action=dst-nat chain=dstnat dst-port=3480 protocol=tcp \
    to-addresses=192.168.1.1 to-ports=8291
add action=dst-nat chain=dstnat comment=Resp dst-port=7896 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=22
add action=dst-nat chain=dstnat comment="VD" dst-port=4545 \
    protocol=tcp to-addresses=192.168.1.254 to-ports=80
/ip ipsec identity
add peer=Art
/ip ipsec policy
set 0 disabled=yes
add dst-address=12.34.56.789/32 peer=Art proposal=ArtProposal \
    src-address=192.168.1.1/32
/ip route
add disabled=yes distance=1 gateway=192.168.224.2 routing-mark=\
    TrafficForVpn
add distance=2 gateway=192.168.1.254
add distance=1 dst-address=172.21.69.0/24 gateway=192.168.92.1
add disabled=yes distance=1 dst-address=172.21.69.0/24 gateway=\
    192.168.224.2
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=\
    192.168.100.2
add disabled=yes distance=1 dst-address=192.168.100.0/24 gateway=*B
/ip service
set www-ssl address=0.0.0.0/0
set winbox address=0.0.0.0/0
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe
/system identity
set name=Client2
/system logging
add disabled=yes topics=ipsec
[admin@Client2] > 

Re: Discovery of external IP address (Noip.com)

Posted: Tue Mar 30, 2021 2:15 pm
by anav
Have fun with that Sindy, so many errors, don't know where to begin......
I will point out that the WAN port is on the bridge and he has ethernet2 on the bridge, but both the bridge and ethernet2 have IP addresses.
Why all the partial nets of 192.168.0.? Just use VLANs, so much cleaner.

Re: Discovery of external IP address (Noip.com)

Posted: Tue Mar 30, 2021 2:40 pm
by ramirez
Hi Anav, there is only one IP address, 192.168.0.1, and that is the bridge's. Indeed, all Ethernet ports are on that bridge.

Re: Discovery of external IP address (Noip.com)

Posted: Tue Mar 30, 2021 11:01 pm
by sindy
A) Why, when connected to client1's WiFi, can I not connect to the Server through DDNS (WinBox)? If I try from my phone's 4G I can. I understand that this happens because I am connected to that network, which has the L2TP link with the Server (and I can connect using the server's 172.21.69.153), but cannot figure out why I am losing the connection through DDNS.
The only thing that comes to my mind is that you forward a TCP port other than 8291 at the NAT device between the internet and the L2TP server (mAP Lite) to port 8291 at the mAP Lite's own IP.

When you connect from the LAN subnet of Client 1 to the public IP of the L2TP server site, the connection gets src-nated (masqueraded) to the own IP of Client 1 (493G), which makes it match the IPsec policy you've created to carry the L2TP traffic, and it is thus sent via the transport-mode SA associated with the policy. The transport-mode SA works as a src-nat and dst-nat, so at the mAP Lite, the packet coming through it is seen as coming from the public IP of the 493G to the private IP of the mAP Lite. Which is still fine, and the response would take the reverse path. But packets coming via the SA bypass the port forwarding rule at the router before the mAP Lite, so if you connect to a port other than 8291 when connecting to the public IP of the mAP Lite, the request arrives at the mAP Lite with that destination port unchanged.

If this is the case, it should be enough to restrict the IPsec policies at both the client and the server: at the client, add protocol=udp dst-port=1701, and at the server, add protocol=udp src-port=1701.

B) If I unplug a client from power (say for 15 minutes) and then power it up again, the link does not get established. If I enter the client's configuration and disable the peer and re-enable it, the link is established. I thought that this would happen automatically (I mean the link being established after a power on). How can I have the link established automatically after a power outage (e.g. 2 hours)?
I can only imagine this to be related to the IKE session being established too early after boot.

So please show me the output of /ip firewall connection print detail where protocol=udp dst-address~"public.ip.of.server" at the client when it doesn't work and when it does. There should be two to three connections, to port 500 and/or 4500 and to port 1701, and there should be a difference between the two results.

C) There is no need (at least for now) to access from client1 => client2, but should I need it in the future, would that be a static route configuration between the three? Client1: 192.168.0.1 / Client2 192.168.1.1 / Server 172.21.69.153
With the L3 tunnels between the clients and the server, the only thing you need to add are routes to the other clients' LAN subnets at the clients themselves, with the tunnel interface name or the remote address of the tunnel as the gateway. The routes added at the server according to the routes parameters on the /ppp secret rows will take care of the rest.

But you've said before that you don't plan any traffic between the clients' LAN subnets. Since you don't exclude this for the future any more, you have to think about the IP address planning already now, so that no subnet is used twice in your whole private network.
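To make the selector argument in the post above concrete, here is a small model of IPsec policy (SPD selector) matching. It is an added example in Python, not code from the thread or from RouterOS. It assumes documentation-range addresses (203.0.113.10 for the client router's WAN side, 198.51.100.20 for the server site) and a forwarded TCP port at the server site; it shows that a policy restricted only by the two /32 addresses also matches the masqueraded WinBox connection and so diverts it into the transport-mode SA, while the policy restricted to protocol=udp dst-port=1701 (and its mirror with src-port=1701 on the server) matches only the L2TP transport packets.

```python
"""Model of IPsec policy selector matching (added example, not RouterOS code).

Addresses, ports and packet names below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    """Selector fields as on a /ip ipsec policy row: address prefixes plus
    optional protocol and port restrictions (None = any)."""
    src: str
    dst: str
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.protocol is not None and self.protocol != pkt.proto:
            return False
        if self.src_port is not None and self.src_port != pkt.sport:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dport:
            return False
        return True


def masquerade(pkt: Packet, wan_ip: str, new_sport: int) -> Packet:
    """srcnat masquerade on the client router: the LAN source becomes the WAN address,
    which is what makes a LAN-originated connection look like router-originated traffic."""
    return Packet(pkt.name, wan_ip, pkt.dst, pkt.proto, new_sport, pkt.dport)


def diverted_into_sa(policy: Policy, packets: List[Packet]) -> List[str]:
    """Names of the packets the policy would push through its transport-mode SA
    (and therefore past any dst-nat rule in front of the far-end router)."""
    return [p.name for p in packets if policy.matches(p)]


CLIENT_WAN = "203.0.113.10"    # constructed: client router's address towards its modem
SERVER_PUB = "198.51.100.20"   # constructed: public address of the server site
FORWARDED_PORT = 7777          # constructed: TCP port the server-site modem forwards to 8291

# Outbound traffic on the client, after masquerade, as seen by the client's policies.
L2TP = Packet("l2tp", CLIENT_WAN, SERVER_PUB, "udp", 1701, 1701)
WINBOX_LAN = Packet("winbox", "192.168.0.50", SERVER_PUB, "tcp", 51000, FORWARDED_PORT)
WINBOX = masquerade(WINBOX_LAN, CLIENT_WAN, 51000)

# Replies as seen by the server's policies.
L2TP_REPLY = Packet("l2tp-reply", SERVER_PUB, CLIENT_WAN, "udp", 1701, 1701)
WINBOX_REPLY = Packet("winbox-reply", SERVER_PUB, CLIENT_WAN, "tcp", 8291, 51000)

# Client side: address-only policy versus the restricted one from the post.
CLIENT_BROAD = Policy(src=f"{CLIENT_WAN}/32", dst=f"{SERVER_PUB}/32")
CLIENT_RESTRICTED = Policy(src=f"{CLIENT_WAN}/32", dst=f"{SERVER_PUB}/32",
                           protocol="udp", dst_port=1701)
# Server side: the mirror image restricts on the source port instead.
SERVER_BROAD = Policy(src=f"{SERVER_PUB}/32", dst=f"{CLIENT_WAN}/32")
SERVER_RESTRICTED = Policy(src=f"{SERVER_PUB}/32", dst=f"{CLIENT_WAN}/32",
                           protocol="udp", src_port=1701)

if __name__ == "__main__":
    print("client, broad:     ", diverted_into_sa(CLIENT_BROAD, [L2TP, WINBOX]))
    print("client, restricted:", diverted_into_sa(CLIENT_RESTRICTED, [L2TP, WINBOX]))
    print("server, broad:     ", diverted_into_sa(SERVER_BROAD, [L2TP_REPLY, WINBOX_REPLY]))
    print("server, restricted:", diverted_into_sa(SERVER_RESTRICTED, [L2TP_REPLY, WINBOX_REPLY]))
```

The pre-masquerade packet from 192.168.0.50 matches neither policy; it is only after the srcnat rewrite that the WinBox connection becomes indistinguishable, by address alone, from the router's own L2TP traffic. That is why restricting the selector to the L2TP protocol and port, rather than widening anything, is the fix that keeps the forwarded TCP port reachable.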

Re: Discovery of external IP address (Noip.com)

Posted: Fri Apr 02, 2021 4:16 pm
by ramirez
A) Why, when connected to client1's WiFi, can I not connect to the Server through DDNS (WinBox)? If I try from my phone's 4G I can. I understand that this happens because I am connected to that network, which has the L2TP link with the Server (and I can connect using the server's 172.21.69.153), but cannot figure out why I am losing the connection through DDNS.

The only thing that comes to my mind is that you forward a TCP port other than 8291 at the NAT device between the internet and the L2TP server (mAP Lite) to port 8291 at the mAP Lite's own IP.

When you connect from the LAN subnet of Client 1 to the public IP of the L2TP server site, the connection gets src-nated (masqueraded) to the own IP of Client 1 (493G), which makes it match the IPsec policy you've created to carry the L2TP traffic, and it is thus sent via the transport-mode SA associated with the policy. The transport-mode SA works as a src-nat and dst-nat, so at the mAP Lite, the packet coming through it is seen as coming from the public IP of the 493G to the private IP of the mAP Lite. Which is still fine, and the response would take the reverse path. But packets coming via the SA bypass the port forwarding rule at the router before the mAP Lite, so if you connect to a port other than 8291 when connecting to the public IP of the mAP Lite, the request arrives at the mAP Lite with that destination port unchanged.

The public port (that I forward from Modem to MT) is e.g. 7777, and I added @ 172.21.69.153: chain=dstnat action=dst-nat to-addresses=172.21.69.153 to-ports=8291 protocol=tcp dst-port=7777 log=no log-prefix="". And chain=input action=accept protocol=udp src-port=1701 log=no log-prefix="", respectively the same rule but with dst-port=1701 @ client1, and I haven't been able to access the server MT through DDNS (Winbox) when the L2TP link is up. I can see packets received and transmitted via port 1701.
B) If I unplug a client from power (say for 15 minutes) and then power it up again, the link does not get established. If I enter the client's configuration and disable the peer and re-enable it, the link is established. I thought that this would happen automatically (I mean the link being established after a power on). How can I have the link established automatically after a power outage (e.g. 2 hours)?

I can only imagine this to be related to the IKE session being established too early after boot.

So please show me the output of /ip firewall connection print detail where protocol=udp dst-address~"public.ip.of.server" at the client when it doesn't work and when it does. There should be two to three connections, to port 500 and/or 4500 and to port 1701, and there should be a difference between the two results.

When NOT working (I entered the command /ip firewall connection print detail 3 times, every few seconds, after powering on):

[admin@Client3] > /ip firewall connection print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, 
F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=udp src-address=ISP ADDRESS:4500 
            dst-address=192.168.20.3:4500 reply-src-address=192.168.20.3:4500 
            reply-dst-address=ISP ADDRESS:4500 timeout=2m58s orig-packets=13 
            orig-bytes=4 027 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=14 repl-bytes=4 342 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=3.5kbps repl-rate=0bps 


[admin@Client3] > /ip firewall connection print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, 
F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=udp src-address=ISP ADDRESS:4500 
            dst-address=192.168.20.3:4500 reply-src-address=192.168.20.3:4500 
            reply-dst-address=ISP ADDRESS:4500 timeout=2m59s orig-packets=20 
            orig-bytes=5 989 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=22 repl-bytes=6 897 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=232bps 

[admin@Client3] > /ip firewall connection print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, 
F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=udp src-address=ISP ADDRESS:4500 
            dst-address=192.168.20.3:4500 reply-src-address=192.168.20.3:4500 
            reply-dst-address=ISP ADDRESS:4500 timeout=2m58s orig-packets=33 
            orig-bytes=9 788 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=34 repl-bytes=10 102 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=2.0kbps repl-rate=0bps

When the link is established, after disabling the peer on the server and re-enabling it:

[admin@Client1] > /ip firewall connection print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, 
F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=udp src-address=ISP ADDRESS:4500 
            dst-address=192.168.20.3:4500 reply-src-address=192.168.20.3:4500 
            reply-dst-address=ISP ADDRESS:4500 timeout=2m58s orig-packets=83 
            orig-bytes=22 802 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=85 repl-bytes=21 288 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=1408bps repl-rate=0bps 
            
With the L3 tunnels between the clients and the server, the only thing you need to add are routes to the other clients' LAN subnets at the clients themselves, with the tunnel interface name or the remote address of the tunnel as the gateway. The routes added at the server according to the routes parameters on the /ppp secret rows will take care of the rest.
Yes, there is no need, like initially mentioned (but working it in my mind, there might be one in the future, only to access the MTs, e.g. from client1 => client2). I also thought to enter the static routes at each client and, to test, I entered a static route @ client1 dst address = 192.168.1.1 gateway: L2tp-out (couldn't access client2), I then entered 192.168.1.1 gateway: 192.168.90.1 (couldn't access client2) and obviously I couldn't ping it... so my guess is that the static routes on the server side are not taking the "between"

Re: Discovery of external IP address (Noip.com)

Posted: Fri Apr 02, 2021 7:13 pm
by sindy
A) The way you describe it, you've opted to use a dst-nat rule rather than to restrict the IPsec policy to carry only the L2TP transport packets. Nothing wrong with that. However, it then cannot be a matter of a bypassed dst-nat any more, but there may still be an MTU issue. I'd suggest running /tool sniffer port=7777,8291 at both the client and the server and seeing what's going on.


B) First you wrote that you have to disable and re-enable the peer at client, and now you wrote you had to disable and re-enable the peer at the server. Does either approach make it work?

Another point, I was expecting to see a connection towards port 1701 at the server IP at least in the case where it works, but you've only shown connections to/from port 4500.

If you only disable and re-enable the peer but don't touch the /interface l2tp-client, what does the /ip ipsec active-peers print show while it doesn't work?

If there is nothing in the active-peers list, or you keep getting some other STATE than established, you'll have to create a large enough log buffer at the client, something like
/system logging action add name=ipsec-files target=disk disk-file-name=ipsec-start disk-lines-per-file=5000 disk-file-count=10
then direct IPsec logging into that buffer:
/system logging add topics=ipsec,!packet action=ipsec-files
and then switch the client off, switch it on again after 15 minutes, let it run for, say, another 2 minutes, then disable the /system logging item for IPsec and download the log files ipsec-start-xx.txt for analysis of what is wrong in them.

I was expecting to see some stuck NAT, but it doesn't seem to be the case.


C) I haven't checked your firewall rules. Again, sniffing is your best friend here; it will show you how far the packets get. If a packet arrives at some intermediate router but doesn't leave it, that router may not have a route for it, a firewall rule in chain forward on that router may block it, or an IPsec policy may divert it into an SA; if a packet arrives at the destination router but there is no response to it, a firewall rule in chain input may block the request packet, an IPsec policy may reverse-match it (which means the packet is dropped if it doesn't arrive via the SA associated with that policy), a route may be missing for the response, or the process expected to receive that request doesn't listen (maybe because there is a restriction on the addresses from which requests are accepted).
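As an added example of how to digest the ipsec-start files the post above asks for (my own Python, not anything from the thread or from RouterOS), the summariser below pulls the IKEv2 milestones out of RouterOS "ipsec" topic log lines: which exchanges were seen and in which direction, whether an IKE SA came up, whether the peer was authorized, whether transport mode was requested, and which error-class notifies (per RFC 7296) were sent or received. SAMPLE_LOG is constructed in the same line format as a RouterOS ipsec log, with documentation-range addresses and made-up SPIs; the verdict strings are my own wording.

```python
"""Summarise RouterOS 'ipsec' topic log lines into IKEv2 milestones (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Constructed sample in the format of RouterOS ipsec log lines; not a real capture.
SAMPLE_LOG = """\
Apr/07/2021 08:51:53 ipsec,debug ===== received 432 bytes from 198.51.100.20[4500] to 192.168.20.3[4500]
Apr/07/2021 08:51:53 ipsec -> ike2 request, exchange: SA_INIT:0 198.51.100.20[4500] 0011223344556677:0000000000000000
Apr/07/2021 08:51:53 ipsec ike2 respond
Apr/07/2021 08:51:54 ipsec <- ike2 reply, exchange: SA_INIT:0 198.51.100.20[4500] 0011223344556677:8899aabbccddeeff
Apr/07/2021 08:51:54 ipsec,info new ike2 SA (R): 192.168.20.3[4500]-198.51.100.20[4500] spi:8899aabbccddeeff:0011223344556677
Apr/07/2021 08:51:54 ipsec fragmentation negotiated
Apr/07/2021 08:51:55 ipsec -> ike2 request, exchange: AUTH:1 198.51.100.20[4500] 0011223344556677:8899aabbccddeeff
Apr/07/2021 08:51:55 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:51:55 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:51:55 ipsec,info,account peer authorized: 192.168.20.3[4500]-198.51.100.20[4500] spi:8899aabbccddeeff:0011223344556677
Apr/07/2021 08:51:55 ipsec peer wants transport mode
Apr/07/2021 08:51:55 ipsec adding notify: TS_UNACCEPTABLE
Apr/07/2021 08:51:55 ipsec <- ike2 reply, exchange: AUTH:1 198.51.100.20[4500] 0011223344556677:8899aabbccddeeff
Apr/07/2021 08:51:56 ipsec acquire for policy: 192.168.20.3 <=> 198.51.100.20
"""

# "<mon>/<dd>/<yyyy> hh:mm:ss <topics> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d:\d\d) (?P<topics>\S+) (?P<msg>.*)$")
# "-> ike2 request" is a received message, "<- ike2 reply" a sent one.
EXCHANGE_RE = re.compile(r"^(?P<arrow>->|<-) ike2 (?:request|reply), exchange: (?P<name>[A-Z_]+):\d+")
NOTIFY_RE = re.compile(r"notify: (?P<name>[A-Z_]+)")

# IKEv2 error-class notify types (RFC 7296 section 3.10.1); everything else is status.
ERROR_NOTIFIES = {
    "UNSUPPORTED_CRITICAL_PAYLOAD", "INVALID_IKE_SPI", "INVALID_MAJOR_VERSION",
    "INVALID_SYNTAX", "INVALID_MESSAGE_ID", "INVALID_SPI", "NO_PROPOSAL_CHOSEN",
    "INVALID_KE_PAYLOAD", "AUTHENTICATION_FAILED", "SINGLE_PAIR_REQUIRED",
    "NO_ADDITIONAL_SAS", "INTERNAL_ADDRESS_FAILURE", "FAILED_CP_REQUIRED",
    "TS_UNACCEPTABLE", "INVALID_SELECTORS", "TEMPORARY_FAILURE", "CHILD_SA_NOT_FOUND",
}


@dataclass
class IkeSummary:
    exchanges: List[Tuple[str, str]] = field(default_factory=list)  # ("in"/"out", name)
    ike_sa_established: bool = False
    peer_authorized: bool = False
    transport_mode: bool = False
    error_notifies: List[str] = field(default_factory=list)
    acquires: int = 0      # policy hits that asked IKE for a CHILD_SA
    unparsed: int = 0      # lines not in the expected log format

    def verdict(self) -> str:
        if not self.ike_sa_established:
            return "no IKE SA: no completed SA_INIT, check reachability, NAT and the IKE proposal"
        if not self.peer_authorized:
            return "IKE SA up but the peer was never authorized: check identities and secrets"
        if self.error_notifies:
            return ("IKE SA up and peer authorized, but CHILD_SA negotiation failed with "
                    + ", ".join(self.error_notifies) + ": check the policy selectors on both sides")
        return "IKE SA and CHILD_SA negotiated"


def summarise(lines: Iterable[str]) -> IkeSummary:
    s = IkeSummary()
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            s.unparsed += 1
            continue
        msg = m.group("msg").strip()
        ex = EXCHANGE_RE.match(msg)
        if ex:
            s.exchanges.append(("in" if ex.group("arrow") == "->" else "out", ex.group("name")))
            continue
        if msg.startswith("new ike2 SA"):
            s.ike_sa_established = True
        elif msg.startswith("peer authorized"):
            s.peer_authorized = True
        elif msg == "peer wants transport mode":
            s.transport_mode = True
        elif msg.startswith("acquire for policy"):
            s.acquires += 1
        else:
            n = NOTIFY_RE.search(msg)
            if n and n.group("name") in ERROR_NOTIFIES:
                s.error_notifies.append(n.group("name"))
    return s


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    print(summary.exchanges)
    print(summary.verdict())
```

Run it over a real ipsec-start-xx.txt with `summarise(open(path).readlines())`. The useful signal is the position of the first failure: no SA_INIT reply at all points at reachability or NAT, an SA without authorization at identities or secrets, and an authorized peer followed by an error notify at the CHILD_SA selectors, which is exactly the distinction the post above is asking to be made before anything is reconfigured.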

Re: Discovery of external IP address (Noip.com)

Posted: Wed Apr 07, 2021 3:38 pm
by ramirez
Thank you Sindy for your continuous efforts to assist (and teach)!
A) The way you describe it, you've opted to use a dst-nat rule rather than to restrict the IPsec policy to carry only the L2TP transport packets. Nothing wrong with that. However, it then cannot be a matter of a bypassed dst-nat any more, but there may still be an MTU issue. I'd suggest running /tool sniffer port=7777,8291 at both the client and the server and seeing what's going on.
I don't see any connections nor packets involving the above-mentioned ports... hmmmm
B) First you wrote that you have to disable and re-enable the peer at the client, and now you wrote you had to disable and re-enable the peer at the server. Does either approach make it work?
Yes, that is correct... and then on purpose I decided to disable and re-enable on the server side to see whether the link would be established or not. It did. So the result is the same on either.
Another point, I was expecting to see a connection towards port 1701 at the server IP at least in the case where it works, but you've only shown connections to/from port 4500.
I understand. This is the only connection showing regarding the link when: /ip firewall connection print detail where protocol=udp dst-address~"public.ip.of.server"
If you only disable and re-enable the peer but don't touch the /interface l2tp-client, what does the /ip ipsec active-peers print show while it doesn't work?
The connection from Active Peers disappears. I checked this one through WinBox, so I assume that nothing would show when: /ip ipsec active-peers print
If there is nothing in the active-peers list, or you keep getting some other STATE than established, you'll have to create a large enough log buffer at the client, something like
/system logging action add name=ipsec-files target=disk disk-file-name=ipsec-start disk-lines-per-file=5000 disk-file-count=10
then direct IPsec logging into that buffer:
/system logging add topics=ipsec,!packet action=ipsec-files
and then switch the client off, switch it on again after 15 minutes, let it run for, say, another 2 minutes, then disable the /system logging item for IPsec and download the log files ipsec-start-xx.txt for analysis of what is wrong in them.
This is what the file shows:
Apr/07/2021 08:51:44 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=25)
Apr/07/2021 08:51:44 ipsec,debug 0.0.0.0[4500] used as isakmp port with NAT-T (fd=27)
Apr/07/2021 08:51:47 ipsec,debug failed to bind to ::[500] Bad file descriptor
Apr/07/2021 08:51:53 ipsec,debug ===== received 432 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:51:53 ipsec -> ike2 request, exchange: SA_INIT:0 ISP ADDRESS[4500] cf2388996ec53c8a:0000000000000000
Apr/07/2021 08:51:53 ipsec ike2 respond
Apr/07/2021 08:51:53 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:51:53 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 08:51:53 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 08:51:53 ipsec payload seen: NONCE (28 bytes)
Apr/07/2021 08:51:53 ipsec payload seen: KE (264 bytes)
Apr/07/2021 08:51:53 ipsec payload seen: SA (48 bytes)
Apr/07/2021 08:51:53 ipsec processing payload: NONCE
Apr/07/2021 08:51:53 ipsec processing payload: SA
Apr/07/2021 08:51:53 ipsec IKE Protocol: IKE
Apr/07/2021 08:51:53 ipsec  proposal #1
Apr/07/2021 08:51:53 ipsec   enc: aes128-cbc
Apr/07/2021 08:51:53 ipsec   prf: hmac-sha1
Apr/07/2021 08:51:53 ipsec   auth: sha1
Apr/07/2021 08:51:53 ipsec   dh: modp2048
Apr/07/2021 08:51:53 ipsec matched proposal:
Apr/07/2021 08:51:53 ipsec  proposal #1
Apr/07/2021 08:51:53 ipsec   enc: aes128-cbc
Apr/07/2021 08:51:53 ipsec   prf: hmac-sha1
Apr/07/2021 08:51:53 ipsec   auth: sha1
Apr/07/2021 08:51:53 ipsec   dh: modp2048
Apr/07/2021 08:51:53 ipsec processing payload: KE
Apr/07/2021 08:51:54 ipsec,debug => shared secret (size 0x100)
Apr/07/2021 08:51:54 ipsec,debug fbbea5c3 690598f7 7b22bc7f db80fd84 40b6008b 42c1a953 63dcb7de de3dd2d3
Apr/07/2021 08:51:54 ipsec,debug 7475407a b232454a b6e45604 f680ba4a e4ad8bbe adb595fc 80edb70d 5773c98c
Apr/07/2021 08:51:54 ipsec,debug 46c9c706 f5419f22 c6605a84 7be44e89 6f239cd5 d5043c28 1e664eef a163c165
Apr/07/2021 08:51:54 ipsec,debug 9c756800 8912e03c ebe32d5b e371f3be caed00fe c2491e63 898f10d9 39252e24
Apr/07/2021 08:51:54 ipsec,debug e8e9eabf 3bf567b6 09b78a1d 70d62cdb ea22a14f 50efdce7 2af23131 4d336963
Apr/07/2021 08:51:54 ipsec,debug 35453ef9 b6619ce3 89713f0b 79ddf274 8ab3414c 6d1d8ca8 731dc68b 53253057
Apr/07/2021 08:51:54 ipsec,debug 22b9ebcc a607703f 81d05fb5 5cedf087 887f317b 7382ac0b 5579b029 dadd4fb6
Apr/07/2021 08:51:54 ipsec,debug f7dabf25 8b865ed4 183094d3 ba561cec 52f103fc 89ae2db4 83a18074 557a2bd0
Apr/07/2021 08:51:54 ipsec adding payload: SA
Apr/07/2021 08:51:54 ipsec,debug => (size 0x30)
Apr/07/2021 08:51:54 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002
Apr/07/2021 08:51:54 ipsec,debug 03000008 03000002 00000008 0400000e
Apr/07/2021 08:51:54 ipsec adding payload: KE
Apr/07/2021 08:51:54 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 08:51:54 ipsec,debug 00000108 000e0000 99ab7b83 028ba162 58adde7a d63bec0a 59ac5ea5 b4a2b2c4
Apr/07/2021 08:51:54 ipsec,debug e6c56d97 e4df19fc 35c8d338 46d34d7e d25ee21b aa01e252 048524f0 e84c456c
Apr/07/2021 08:51:54 ipsec,debug 3bf055d4 bdd425dc b31348a0 fdade619 fe6c409a 910bd0c5 303148df 4b0143e4
Apr/07/2021 08:51:54 ipsec,debug 7beae54f 1b0f48af 6b748ee2 17d1370e 134424d9 11866520 22b07c99 e32f7eb3
Apr/07/2021 08:51:54 ipsec,debug a260ca57 55e49888 de92b6fa 1bcb2f0e 71b7c26e 2275400e 3fc999e5 9cdfed1b
Apr/07/2021 08:51:54 ipsec,debug 21cde07c 4e893cb3 cf4f5359 50539d34 d17749d9 02b12cd2 e471572a ecf13d4f
Apr/07/2021 08:51:54 ipsec,debug da6f13f3 13aca002 fedf46cb 242b614e ac102de3 b80dc179 48a08a10 5de9f5c1
Apr/07/2021 08:51:54 ipsec,debug 9b3ea54c d8a09b99 1f2e2c57 9fbedd1d a1f23d65 a4fa9ad7 d3849873 991f24b6
Apr/07/2021 08:51:54 ipsec adding payload: NONCE
Apr/07/2021 08:51:54 ipsec,debug => (size 0x1c)
Apr/07/2021 08:51:54 ipsec,debug 0000001c c108e3c9 7fa42d45 684f6214 4acd454d cb06d295 1dfa74e5
Apr/07/2021 08:51:54 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 08:51:54 ipsec,debug => (size 0x1c)
Apr/07/2021 08:51:54 ipsec,debug 0000001c 00004004 f0fb450b 3aa989bc 742164df 7ed913f1 c1f4da36
Apr/07/2021 08:51:54 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 08:51:54 ipsec,debug => (size 0x1c)
Apr/07/2021 08:51:54 ipsec,debug 0000001c 00004005 3a1fa3a4 ca13bd17 62af7251 d4d674df 6bbc7a09
Apr/07/2021 08:51:54 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 08:51:54 ipsec,debug => (size 0x8)
Apr/07/2021 08:51:54 ipsec,debug 00000008 0000402e
Apr/07/2021 08:51:54 ipsec adding payload: CERTREQ
Apr/07/2021 08:51:54 ipsec,debug => (size 0x5)
Apr/07/2021 08:51:54 ipsec,debug 00000005 04
Apr/07/2021 08:51:54 ipsec <- ike2 reply, exchange: SA_INIT:0 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:54 ipsec,debug ===== sending 437 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:51:54 ipsec,debug 1 times of 441 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:51:54 ipsec,debug => skeyseed (size 0x14)
Apr/07/2021 08:51:54 ipsec,debug d5caaea5 e5123d5f 6d0aa187 a90ef54b 64bc1243
Apr/07/2021 08:51:54 ipsec,debug => keymat (size 0x14)
Apr/07/2021 08:51:54 ipsec,debug 3527ab70 7f4aac35 15cfd421 c9494925 d4ee14c2
Apr/07/2021 08:51:54 ipsec,debug => SK_ai (size 0x14)
Apr/07/2021 08:51:54 ipsec,debug e3a956ef c3cbd1f3 e9ac07a1 3d68fdf4 60c616d5
Apr/07/2021 08:51:54 ipsec,debug => SK_ar (size 0x14)
Apr/07/2021 08:51:54 ipsec,debug 90e8a49f 19c5fa3e dad22b1b 529e9890 33890c3f
Apr/07/2021 08:51:54 ipsec,debug => SK_ei (size 0x10)
Apr/07/2021 08:51:54 ipsec,debug 334f3e83 9e65ce19 bbeaf8b9 ef2d11f3
Apr/07/2021 08:51:54 ipsec,debug => SK_er (size 0x10)
Apr/07/2021 08:51:54 ipsec,debug 5b33286d 97c0c74b f55f8171 7eb11c39
Apr/07/2021 08:51:54 ipsec,debug => SK_pi (size 0x14)
Apr/07/2021 08:51:54 ipsec,debug c490e27a d8a73b03 2f2dac58 e48aa689 2cac87a8
Apr/07/2021 08:51:54 ipsec,debug => SK_pr (size 0x14)
Apr/07/2021 08:51:54 ipsec,debug d72e128e 7aee6ec2 88f83ee8 503d01e6 886443c6
Apr/07/2021 08:51:54 ipsec,info new ike2 SA (R): 192.168.20.3[4500]-ISP ADDRESS[4500] spi:4f23346ef367ea12:cf2388996ec53c8a
Apr/07/2021 08:51:54 ipsec processing payloads: VID (none found)
Apr/07/2021 08:51:54 ipsec processing payloads: NOTIFY
Apr/07/2021 08:51:54 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 08:51:54 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 08:51:54 ipsec   notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 08:51:54 ipsec (NAT-T) REMOTE LOCAL
Apr/07/2021 08:51:54 ipsec KA list add: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 08:51:54 ipsec fragmentation negotiated
Apr/07/2021 08:51:55 ipsec,debug ===== received 428 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:51:55 ipsec -> ike2 request, exchange: AUTH:1 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:55 ipsec payload seen: ENC (400 bytes)
Apr/07/2021 08:51:55 ipsec processing payload: ENC
Apr/07/2021 08:51:55 ipsec,debug => iv (size 0x10)
Apr/07/2021 08:51:55 ipsec,debug eefb701a 8f2434cb 46c5e449 c8a702ab
Apr/07/2021 08:51:55 ipsec,debug => decrypted and trimmed payload (size 0x94)
Apr/07/2021 08:51:55 ipsec,debug 2700000c 01000000 ac154599 2900001c 02000000 59dca605 554d9a83 f3e8d4dd
Apr/07/2021 08:51:55 ipsec,debug 2f449459 8c72e73f 21000008 00004000 2c00002c 00000028 01030403 03d0d156
Apr/07/2021 08:51:55 ipsec,debug 0300000c 0100000c 800e0080 03000008 03000002 00000008 05000000 2d000018
Apr/07/2021 08:51:55 ipsec,debug 01000000 07000010 0000ffff 00000000 ffffffff 29000018 01000000 07000010
Apr/07/2021 08:51:55 ipsec,debug 0000ffff b05ca33b b05ca33b 00000008 00004007
Apr/07/2021 08:51:55 ipsec,debug decrypted packet
Apr/07/2021 08:51:55 ipsec payload seen: ID_I (12 bytes)
Apr/07/2021 08:51:55 ipsec payload seen: AUTH (28 bytes)
Apr/07/2021 08:51:55 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:51:55 ipsec payload seen: SA (44 bytes)
Apr/07/2021 08:51:55 ipsec payload seen: TS_I (24 bytes)
Apr/07/2021 08:51:55 ipsec payload seen: TS_R (24 bytes)
Apr/07/2021 08:51:55 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:51:55 ipsec processing payloads: NOTIFY
Apr/07/2021 08:51:55 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:51:55 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:51:55 ipsec ike auth: respond
Apr/07/2021 08:51:55 ipsec processing payload: ID_I
Apr/07/2021 08:51:55 ipsec ID_I (ADDR4): ISP CLIENT IP ADDRESS
Apr/07/2021 08:51:55 ipsec processing payload: ID_R (not found)
Apr/07/2021 08:51:55 ipsec processing payload: AUTH
Apr/07/2021 08:51:55 ipsec processing payloads: NOTIFY
Apr/07/2021 08:51:55 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:51:55 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:51:55 ipsec processing payload: AUTH
Apr/07/2021 08:51:55 ipsec requested auth method: SKEY
Apr/07/2021 08:51:55 ipsec,debug => peer's auth (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug 59dca605 554d9a83 f3e8d4dd 2f449459 8c72e73f
Apr/07/2021 08:51:55 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 08:51:55 ipsec,debug c108e3c9 7fa42d45 684f6214 4acd454d cb06d295 1dfa74e5
Apr/07/2021 08:51:55 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug c490e27a d8a73b03 2f2dac58 e48aa689 2cac87a8
Apr/07/2021 08:51:55 ipsec,debug => idhash (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug b4924738 9ce41d89 262ffa90 28219cfc eb0832cd
Apr/07/2021 08:51:55 ipsec,debug => calculated peer's AUTH (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug 59dca605 554d9a83 f3e8d4dd 2f449459 8c72e73f
Apr/07/2021 08:51:55 ipsec,info,account peer authorized: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:4f23346ef367ea12:cf2388996ec53c8a
Apr/07/2021 08:51:55 ipsec initial contact
Apr/07/2021 08:51:55 ipsec processing payloads: NOTIFY
Apr/07/2021 08:51:55 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:51:55 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:51:55 ipsec peer wants transport mode
Apr/07/2021 08:51:55 ipsec processing payload: CONFIG (not found)
Apr/07/2021 08:51:55 ipsec processing payload: SA
Apr/07/2021 08:51:55 ipsec IKE Protocol: ESP
Apr/07/2021 08:51:55 ipsec  proposal #1
Apr/07/2021 08:51:55 ipsec   enc: aes128-cbc
Apr/07/2021 08:51:55 ipsec   auth: sha1
Apr/07/2021 08:51:55 ipsec processing payload: TS_I
Apr/07/2021 08:51:55 ipsec 0.0.0.0/0
Apr/07/2021 08:51:55 ipsec processing payload: TS_R
Apr/07/2021 08:51:55 ipsec ISP CLIENT IP ADDRESS
Apr/07/2021 08:51:55 ipsec skipping not specific selector in transport mode with NAT
Apr/07/2021 08:51:55 ipsec ID_R (ADDR4): 192.168.20.3
Apr/07/2021 08:51:55 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 08:51:55 ipsec,debug 6199a078 3b4739e6 992655c7 8fb2fd13 f3838df5 f5d4d1c9
Apr/07/2021 08:51:55 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug d72e128e 7aee6ec2 88f83ee8 503d01e6 886443c6
Apr/07/2021 08:51:55 ipsec,debug => idhash (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug b883b197 28e81329 ed2725b2 6aa80e56 aba9accd
Apr/07/2021 08:51:55 ipsec,debug => my auth (size 0x14)
Apr/07/2021 08:51:55 ipsec,debug ac966e06 1f8a5992 53358c55 187e1399 e476e693
Apr/07/2021 08:51:55 ipsec adding payload: ID_R
Apr/07/2021 08:51:55 ipsec,debug => (size 0xc)
Apr/07/2021 08:51:55 ipsec,debug 0000000c 01000000 c0a81403
Apr/07/2021 08:51:55 ipsec adding payload: AUTH
Apr/07/2021 08:51:55 ipsec,debug => (size 0x1c)
Apr/07/2021 08:51:55 ipsec,debug 0000001c 02000000 ac966e06 1f8a5992 53358c55 187e1399 e476e693
Apr/07/2021 08:51:55 ipsec adding notify: TS_UNACCEPTABLE
Apr/07/2021 08:51:55 ipsec,debug => (size 0x8)
Apr/07/2021 08:51:55 ipsec,debug 00000008 00000026
Apr/07/2021 08:51:55 ipsec <- ike2 reply, exchange: AUTH:1 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:55 ipsec,debug ===== sending 140 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:51:55 ipsec,debug 1 times of 144 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:51:56 ipsec acquire for policy: 192.168.20.3 <=> ISP ADDRESS
Apr/07/2021 08:51:56 ipsec connection found for peer: ISP ADDRESS[4500]
Apr/07/2021 08:51:56 ipsec init child for policy: 192.168.20.3 <=> ISP ADDRESS
Apr/07/2021 08:51:56 ipsec init child continue
Apr/07/2021 08:51:56 ipsec offering proto: 3
Apr/07/2021 08:51:56 ipsec  proposal #1
Apr/07/2021 08:51:56 ipsec   enc: aes128-cbc
Apr/07/2021 08:51:56 ipsec   auth: sha1
Apr/07/2021 08:51:56 ipsec   dh: modp2048
Apr/07/2021 08:51:57 ipsec adding payload: NONCE
Apr/07/2021 08:51:57 ipsec,debug => (size 0x1c)
Apr/07/2021 08:51:57 ipsec,debug 0000001c 17ce54f7 365e65fc b91e4144 8770920a 427c05ee 72c9cc99
Apr/07/2021 08:51:57 ipsec adding payload: KE
Apr/07/2021 08:51:57 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 08:51:57 ipsec,debug 00000108 000e0000 20c61f2f e08f497c 54aa87ae 1ec6f462 3fc4e4b3 3cbb3a83
Apr/07/2021 08:51:57 ipsec,debug 98fca45a 764b8b67 04d3ff25 219f5b12 0a1b2e96 9f1b9ba4 28223354 823a5376
Apr/07/2021 08:51:57 ipsec,debug 027d7e59 6b4b2383 d1aaa817 5c110836 a2653084 fd591b9e efdd81b3 125f3509
Apr/07/2021 08:51:57 ipsec,debug ce4a13f9 07ccf2df b7c83028 ea683ee0 a157de3a 144d8f82 2f1c8e71 b02345c0
Apr/07/2021 08:51:57 ipsec,debug 9e6406f0 9365441c c67b3852 5e6c666c d4a38099 9c60b75b c170eb46 aa0d362c
Apr/07/2021 08:51:57 ipsec,debug 99ec6f9f fdc325f3 43ae9fb5 790ba927 c27225bb e145d9f6 5b68f6eb c24abded
Apr/07/2021 08:51:57 ipsec,debug cd4004c7 d7515c4a 8a1875ee 77d71888 01556e81 d20b2453 7f94d9af a0248588
Apr/07/2021 08:51:57 ipsec,debug 9eefa418 f19eabc8 eb06a972 51471800 e02f8f27 2715cb70 fce18333 0bb08f04
Apr/07/2021 08:51:57 ipsec adding payload: SA
Apr/07/2021 08:51:57 ipsec,debug => (size 0x34)
Apr/07/2021 08:51:57 ipsec,debug 00000034 00000030 01030404 04a9f5d4 0300000c 0100000c 800e0080 03000008
Apr/07/2021 08:51:57 ipsec,debug 03000002 03000008 0400000e 00000008 05000000
Apr/07/2021 08:51:57 ipsec initiator selector: 192.168.20.3 
Apr/07/2021 08:51:57 ipsec adding payload: TS_I
Apr/07/2021 08:51:57 ipsec,debug => (size 0x18)
Apr/07/2021 08:51:57 ipsec,debug 00000018 01000000 07000010 0000ffff c0a81403 c0a81403
Apr/07/2021 08:51:57 ipsec responder selector: ISP ADDRESS 
Apr/07/2021 08:51:57 ipsec adding payload: TS_R
Apr/07/2021 08:51:57 ipsec,debug => (size 0x18)
Apr/07/2021 08:51:57 ipsec,debug 00000018 01000000 07000010 0000ffff 4845becf 4845becf
Apr/07/2021 08:51:57 ipsec adding notify: USE_TRANSPORT_MODE
Apr/07/2021 08:51:57 ipsec,debug => (size 0x8)
Apr/07/2021 08:51:57 ipsec,debug 00000008 00004007
Apr/07/2021 08:51:57 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:0 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:57 ipsec,debug ===== sending 620 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:51:57 ipsec,debug 1 times of 624 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec,debug ===== received 620 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:51:58 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:0 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:58 ipsec payload seen: ENC (592 bytes)
Apr/07/2021 08:51:58 ipsec processing payload: ENC
Apr/07/2021 08:51:58 ipsec,debug => iv (size 0x10)
Apr/07/2021 08:51:58 ipsec,debug 08e95fe6 e45aef3d ed1b976f 6c7b117c
Apr/07/2021 08:51:58 ipsec,debug => decrypted and trimmed payload (size 0x190)
Apr/07/2021 08:51:58 ipsec,debug 2200001c 991a33c1 ab6d10da 37ad2ada 7f8adad8 8da883bd 40a930d1 2c000108
Apr/07/2021 08:51:58 ipsec,debug 000e0000 2887e944 802653e7 4fb05d02 f8f7e30f 2296cf4a 99bde1be d0812ed9
Apr/07/2021 08:51:58 ipsec,debug fb4ca7ec 9d1a3b2c 4b00a22f 399e86f3 2922b5fb c3869ed1 afa44c48 8afcdc48
Apr/07/2021 08:51:58 ipsec,debug b16cb129 e68e17f5 29f0f77b 790618b3 944fec09 f56a6b3d 609b74fc 9ca1422f
Apr/07/2021 08:51:58 ipsec,debug 2725b189 52e5389b a8f4d303 d56dec4a 5e91b45a 67a88b58 29f01c81 86659d89
Apr/07/2021 08:51:58 ipsec,debug 698e5022 9c7104d8 34331e00 dc7ff1ca 3b2ccc3e b74b90b9 88bb3b85 c8cc69fa
Apr/07/2021 08:51:58 ipsec,debug 2fbeb007 2a1c1d0b b4e7403b 3a630b2a 5b28f93b 47b975f6 d67d3917 956d14cf
Apr/07/2021 08:51:58 ipsec,debug 86b3b10a f3601aaf 63196eeb a0729b39 5f6e9582 797e1464 d6cdaa94 fcc2cf02
Apr/07/2021 08:51:58 ipsec,debug 
Apr/07/2021 08:51:58 ipsec,debug fa8b9bbb 2d7c5c9b 9bb99d55 2e2fde30 e680b2d8 bafa6739 abae2b45 29159905
Apr/07/2021 08:51:58 ipsec,debug 3bdb073c 2d000018 01000000 07000010 0000ffff b05ca33b b05ca33b 21000018
Apr/07/2021 08:51:58 ipsec,debug 01000000 07000010 0000ffff ac154599 ac154599 29000034 00000030 01030404
Apr/07/2021 08:51:58 ipsec,debug 01365d7f 0300000c 0100000c 800e0080 03000008 03000002 03000008 0400000e
Apr/07/2021 08:51:58 ipsec,debug 00000008 05000000 00000008 00004007
Apr/07/2021 08:51:58 ipsec,debug decrypted packet
Apr/07/2021 08:51:58 ipsec payload seen: NONCE (28 bytes)
Apr/07/2021 08:51:58 ipsec payload seen: KE (264 bytes)
Apr/07/2021 08:51:58 ipsec payload seen: TS_I (24 bytes)
Apr/07/2021 08:51:58 ipsec payload seen: TS_R (24 bytes)
Apr/07/2021 08:51:58 ipsec payload seen: SA (52 bytes)
Apr/07/2021 08:51:58 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:51:58 ipsec create child: initiator finish
Apr/07/2021 08:51:58 ipsec processing payloads: NOTIFY
Apr/07/2021 08:51:58 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:51:58 ipsec peer selected transport mode
Apr/07/2021 08:51:58 ipsec processing payload: SA
Apr/07/2021 08:51:58 ipsec IKE Protocol: ESP
Apr/07/2021 08:51:58 ipsec  proposal #1
Apr/07/2021 08:51:58 ipsec   enc: aes128-cbc
Apr/07/2021 08:51:58 ipsec   auth: sha1
Apr/07/2021 08:51:58 ipsec   dh: modp2048
Apr/07/2021 08:51:58 ipsec can't agree on proposal
Apr/07/2021 08:51:58 ipsec send notify: NO_PROPOSAL_CHOSEN
Apr/07/2021 08:51:58 ipsec adding notify: NO_PROPOSAL_CHOSEN
Apr/07/2021 08:51:58 ipsec,debug => (size 0x8)
Apr/07/2021 08:51:58 ipsec,debug 00000008 0000000e
Apr/07/2021 08:51:58 ipsec <- ike2 request, exchange: INFORMATIONAL:1 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:58 ipsec,debug ===== sending 236 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec,debug 1 times of 240 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec,info killing ike2 SA: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:4f23346ef367ea12:cf2388996ec53c8a
Apr/07/2021 08:51:58 ipsec adding payload: DELETE
Apr/07/2021 08:51:58 ipsec,debug => (size 0x8)
Apr/07/2021 08:51:58 ipsec,debug 00000008 01000000
Apr/07/2021 08:51:58 ipsec <- ike2 request, exchange: INFORMATIONAL:2 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:58 ipsec,debug ===== sending 220 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec,debug 1 times of 224 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec KA remove: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec,debug KA tree dump: 192.168.20.3[4500]->ISP ADDRESS[4500] (in_use=1)
Apr/07/2021 08:51:58 ipsec,debug KA removing this one...
Apr/07/2021 08:51:58 ipsec,debug ===== received 140 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:51:58 ipsec -> ike2 reply, exchange: INFORMATIONAL:1 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:58 ipsec SPI 4f23346ef367ea12 not registered for ISP ADDRESS[4500]
Apr/07/2021 08:51:58 ipsec,debug ===== received 92 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:51:58 ipsec -> ike2 reply, exchange: INFORMATIONAL:2 ISP ADDRESS[4500] cf2388996ec53c8a:4f23346ef367ea12
Apr/07/2021 08:51:58 ipsec SPI 4f23346ef367ea12 not registered for ISP ADDRESS[4500]
Apr/07/2021 08:52:00 ipsec,debug ===== received 432 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:52:00 ipsec -> ike2 request, exchange: SA_INIT:0 ISP ADDRESS[4500] 0536c9b454b779f7:0000000000000000
Apr/07/2021 08:52:00 ipsec ike2 respond
Apr/07/2021 08:52:00 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:52:00 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 08:52:00 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 08:52:00 ipsec payload seen: NONCE (28 bytes)
Apr/07/2021 08:52:00 ipsec payload seen: KE (264 bytes)
Apr/07/2021 08:52:00 ipsec payload seen: SA (48 bytes)
Apr/07/2021 08:52:00 ipsec processing payload: NONCE
Apr/07/2021 08:52:00 ipsec processing payload: SA
Apr/07/2021 08:52:00 ipsec IKE Protocol: IKE
Apr/07/2021 08:52:00 ipsec  proposal #1
Apr/07/2021 08:52:00 ipsec   enc: aes128-cbc
Apr/07/2021 08:52:00 ipsec   prf: hmac-sha1
Apr/07/2021 08:52:00 ipsec   auth: sha1
Apr/07/2021 08:52:00 ipsec   dh: modp2048
Apr/07/2021 08:52:00 ipsec matched proposal:
Apr/07/2021 08:52:00 ipsec  proposal #1
Apr/07/2021 08:52:00 ipsec   enc: aes128-cbc
Apr/07/2021 08:52:00 ipsec   prf: hmac-sha1
Apr/07/2021 08:52:00 ipsec   auth: sha1
Apr/07/2021 08:52:00 ipsec   dh: modp2048
Apr/07/2021 08:52:00 ipsec processing payload: KE
Apr/07/2021 08:52:01 ipsec,debug => shared secret (size 0x100)
Apr/07/2021 08:52:01 ipsec,debug 0ded106f cbce211c 74037f12 3bcde2b1 317d9d02 49ef6ec1 cfc79b90 7d4d9dfd
Apr/07/2021 08:52:01 ipsec,debug d0a7a7b0 49d4304e dc65464d 3130e753 aa5cadf8 6e76f0e9 e086d31b 804b925a
Apr/07/2021 08:52:01 ipsec,debug 52d0d983 f4621dbf d6b900fe dfb6933a f2fa7eed b1d2541f 539ea0eb 80f9ff6f
Apr/07/2021 08:52:01 ipsec,debug bbd5a4c7 b2aea561 ef0e4d90 eadcaa6a 92052367 0ec63fe2 b18583b4 d2903e86
Apr/07/2021 08:52:01 ipsec,debug 35804855 a3e4dd43 c95af198 7888f2ce b122a67a 788c6341 e14c0305 84f37ede
Apr/07/2021 08:52:01 ipsec,debug def2f889 ebb4b136 665e80e5 17812598 62e32c39 f3706dcb 941fba6e ba2a7c52
Apr/07/2021 08:52:01 ipsec,debug a47b4c32 bc7389f3 7e6f0fe7 6876481b 1b70c895 886c3f3a 7b3d01ea 1d90cbd2
Apr/07/2021 08:52:01 ipsec,debug 6155b7d0 a24eda51 55bcbffc b1e04523 f14404b0 c0f52946 86b7110e cc10cd08
Apr/07/2021 08:52:01 ipsec adding payload: SA
Apr/07/2021 08:52:01 ipsec,debug => (size 0x30)
Apr/07/2021 08:52:01 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002
Apr/07/2021 08:52:01 ipsec,debug 03000008 03000002 00000008 0400000e
Apr/07/2021 08:52:01 ipsec adding payload: KE
Apr/07/2021 08:52:01 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 08:52:01 ipsec,debug 00000108 000e0000 0468f75b 043578de aad3ced2 0e711160 5ad1d37d b8fe02f7
Apr/07/2021 08:52:01 ipsec,debug 8e74f9a3 5e5a5f73 24b5b5bc f865e8cd 799ee834 225feb6f 5c6aa464 64a4c3a5
Apr/07/2021 08:52:01 ipsec,debug 5dbd982e 11331a1b 4155d920 c688ba06 d9a7cf6e 5ce8e5ec 612d73e9 1c07e310
Apr/07/2021 08:52:01 ipsec,debug 13508dc6 ca0f2ecb e5bbcbce 1804b270 3212950b c10f350c 001e71de f130166b
Apr/07/2021 08:52:01 ipsec,debug 119483ce 66dc2bf1 d6635ccd 0494d6f7 a40c4f46 89bcafed 4bc8d031 dbb07ed6
Apr/07/2021 08:52:01 ipsec,debug 4fbe2d84 31024742 177794df 9e772425 cffb20c0 4f9aa084 e241dc6f 3eeba166
Apr/07/2021 08:52:01 ipsec,debug 7547e7a8 8068e4ff 2e93d75e 8eb6e04b ecbd20e7 0cb683d0 3540d4fc fba2b6a0
Apr/07/2021 08:52:01 ipsec,debug dfc98c72 37eeef02 47f9d656 5a7de339 1016711e db02eefa 198aa7bc d9092c37
Apr/07/2021 08:52:01 ipsec adding payload: NONCE
Apr/07/2021 08:52:01 ipsec,debug => (size 0x1c)
Apr/07/2021 08:52:01 ipsec,debug 0000001c 7d9718fc 74402ada 8f9f886e b31142d4 d5da63fa d6f50df3
Apr/07/2021 08:52:01 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 08:52:01 ipsec,debug => (size 0x1c)
Apr/07/2021 08:52:01 ipsec,debug 0000001c 00004004 84021957 0645682e d107353e 495eaec4 766c46aa
Apr/07/2021 08:52:01 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 08:52:01 ipsec,debug => (size 0x1c)
Apr/07/2021 08:52:01 ipsec,debug 0000001c 00004005 c21f1d7d 0918525e 6f035e3c 6f9a1ba1 fad81cd1
Apr/07/2021 08:52:01 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 08:52:01 ipsec,debug => (size 0x8)
Apr/07/2021 08:52:01 ipsec,debug 00000008 0000402e
Apr/07/2021 08:52:01 ipsec adding payload: CERTREQ
Apr/07/2021 08:52:01 ipsec,debug => (size 0x5)
Apr/07/2021 08:52:01 ipsec,debug 00000005 04
Apr/07/2021 08:52:01 ipsec <- ike2 reply, exchange: SA_INIT:0 ISP ADDRESS[4500] 0536c9b454b779f7:5554d89fdedaab65
Apr/07/2021 08:52:01 ipsec,debug ===== sending 437 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:52:01 ipsec,debug 1 times of 441 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:52:01 ipsec,debug => skeyseed (size 0x14)
Apr/07/2021 08:52:01 ipsec,debug 2960408e 015da77b 36b185cd 4bcb7c43 0643d314
Apr/07/2021 08:52:01 ipsec,debug => keymat (size 0x14)
Apr/07/2021 08:52:01 ipsec,debug 6f081aed fec462e5 9a272acb 6ec93ea8 c15843d2
Apr/07/2021 08:52:01 ipsec,debug => SK_ai (size 0x14)
Apr/07/2021 08:52:01 ipsec,debug bd23114b 8eedc230 de09e308 5766b132 db64850a
Apr/07/2021 08:52:01 ipsec,debug => SK_ar (size 0x14)
Apr/07/2021 08:52:01 ipsec,debug 8f99dc38 15e4d168 1e1f805d a646e99e abb5a3a1
Apr/07/2021 08:52:01 ipsec,debug => SK_ei (size 0x10)
Apr/07/2021 08:52:01 ipsec,debug 820f5dd1 34e984e1 3c482db9 dca24357
Apr/07/2021 08:52:01 ipsec,debug => SK_er (size 0x10)
Apr/07/2021 08:52:01 ipsec,debug db4b2822 f2df09de a709866d e9ee0e01
Apr/07/2021 08:52:01 ipsec,debug => SK_pi (size 0x14)
Apr/07/2021 08:52:01 ipsec,debug c3204228 2d23f613 b05d798d 84606b95 8d298512
Apr/07/2021 08:52:01 ipsec,debug => SK_pr (size 0x14)
Apr/07/2021 08:52:01 ipsec,debug 38513f47 8cb0260f 3aea150a 07ca23a0 c8420008
Apr/07/2021 08:52:01 ipsec,info new ike2 SA (R): 192.168.20.3[4500]-ISP ADDRESS[4500] spi:5554d89fdedaab65:0536c9b454b779f7
Apr/07/2021 08:52:01 ipsec processing payloads: VID (none found)
Apr/07/2021 08:52:01 ipsec processing payloads: NOTIFY
Apr/07/2021 08:52:01 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 08:52:01 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 08:52:01 ipsec   notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 08:52:01 ipsec (NAT-T) REMOTE LOCAL
Apr/07/2021 08:52:01 ipsec KA list add: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 08:52:01 ipsec fragmentation negotiated
Apr/07/2021 08:52:02 ipsec,debug ===== received 412 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 08:52:02 ipsec -> ike2 request, exchange: AUTH:1 ISP ADDRESS[4500] 0536c9b454b779f7:5554d89fdedaab65
Apr/07/2021 08:52:02 ipsec payload seen: ENC (384 bytes)
Apr/07/2021 08:52:02 ipsec processing payload: ENC
Apr/07/2021 08:52:02 ipsec,debug => iv (size 0x10)
Apr/07/2021 08:52:02 ipsec,debug af060ec5 938b1187 66cbb0a9 0518576c
Apr/07/2021 08:52:02 ipsec,debug => decrypted and trimmed payload (size 0x94)
Apr/07/2021 08:52:02 ipsec,debug 2700000c 01000000 ac154599 2900001c 02000000 bb88aab0 2ad7555e 9f979817
Apr/07/2021 08:52:02 ipsec,debug 28ba25b6 36214504 21000008 00004000 2c00002c 00000028 01030403 0193cac7
Apr/07/2021 08:52:02 ipsec,debug 0300000c 0100000c 800e0080 03000008 03000002 00000008 05000000 2d000018
Apr/07/2021 08:52:02 ipsec,debug 01000000 07000010 0000ffff 00000000 ffffffff 29000018 01000000 07000010
Apr/07/2021 08:52:02 ipsec,debug 0000ffff b05ca33b b05ca33b 00000008 00004007
Apr/07/2021 08:52:02 ipsec,debug decrypted packet
Apr/07/2021 08:52:02 ipsec payload seen: ID_I (12 bytes)
Apr/07/2021 08:52:02 ipsec payload seen: AUTH (28 bytes)
Apr/07/2021 08:52:02 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:52:02 ipsec payload seen: SA (44 bytes)
Apr/07/2021 08:52:02 ipsec payload seen: TS_I (24 bytes)
Apr/07/2021 08:52:02 ipsec payload seen: TS_R (24 bytes)
Apr/07/2021 08:52:02 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 08:52:02 ipsec processing payloads: NOTIFY
Apr/07/2021 08:52:02 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:52:02 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:52:02 ipsec ike auth: respond
Apr/07/2021 08:52:02 ipsec processing payload: ID_I
Apr/07/2021 08:52:02 ipsec ID_I (ADDR4): 172.21.69.153
Apr/07/2021 08:52:02 ipsec processing payload: ID_R (not found)
Apr/07/2021 08:52:02 ipsec processing payload: AUTH
Apr/07/2021 08:52:02 ipsec processing payloads: NOTIFY
Apr/07/2021 08:52:02 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:52:02 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:52:02 ipsec processing payload: AUTH
Apr/07/2021 08:52:02 ipsec requested auth method: SKEY
Apr/07/2021 08:52:02 ipsec,debug => peer's auth (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug bb88aab0 2ad7555e 9f979817 28ba25b6 36214504
Apr/07/2021 08:52:02 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 08:52:02 ipsec,debug 7d9718fc 74402ada 8f9f886e b31142d4 d5da63fa d6f50df3
Apr/07/2021 08:52:02 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug c3204228 2d23f613 b05d798d 84606b95 8d298512
Apr/07/2021 08:52:02 ipsec,debug => idhash (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug a5b1f832 dceb7114 5dced26e de618f1c d0fdb445
Apr/07/2021 08:52:02 ipsec,debug => calculated peer's AUTH (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug bb88aab0 2ad7555e 9f979817 28ba25b6 36214504
Apr/07/2021 08:52:02 ipsec,info,account peer authorized: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:5554d89fdedaab65:0536c9b454b779f7
Apr/07/2021 08:52:02 ipsec initial contact
Apr/07/2021 08:52:02 ipsec processing payloads: NOTIFY
Apr/07/2021 08:52:02 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 08:52:02 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 08:52:02 ipsec peer wants transport mode
Apr/07/2021 08:52:02 ipsec processing payload: CONFIG (not found)
Apr/07/2021 08:52:02 ipsec processing payload: SA
Apr/07/2021 08:52:02 ipsec IKE Protocol: ESP
Apr/07/2021 08:52:02 ipsec  proposal #1
Apr/07/2021 08:52:02 ipsec   enc: aes128-cbc
Apr/07/2021 08:52:02 ipsec   auth: sha1
Apr/07/2021 08:52:02 ipsec processing payload: TS_I
Apr/07/2021 08:52:02 ipsec 0.0.0.0/0
Apr/07/2021 08:52:02 ipsec processing payload: TS_R
Apr/07/2021 08:52:02 ipsec ISP CLIENT IP ADDRESS
Apr/07/2021 08:52:02 ipsec skipping not specific selector in transport mode with NAT
Apr/07/2021 08:52:02 ipsec ID_R (ADDR4): 192.168.20.3
Apr/07/2021 08:52:02 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 08:52:02 ipsec,debug d4af488f cad96d62 8be774c8 123901e3 58e09cd4 c6e87866
Apr/07/2021 08:52:02 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug 38513f47 8cb0260f 3aea150a 07ca23a0 c8420008
Apr/07/2021 08:52:02 ipsec,debug => idhash (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug 202ec285 129628d6 7c3f0f0f 37f23881 a3a7b305
Apr/07/2021 08:52:02 ipsec,debug => my auth (size 0x14)
Apr/07/2021 08:52:02 ipsec,debug 7f00a7d9 eefede7c 03b323e7 0df78eae 7ee285ab
Apr/07/2021 08:52:02 ipsec adding payload: ID_R
Apr/07/2021 08:52:02 ipsec,debug => (size 0xc)
Apr/07/2021 08:52:02 ipsec,debug 0000000c 01000000 c0a81403
Apr/07/2021 08:52:02 ipsec adding payload: AUTH
Apr/07/2021 08:52:02 ipsec,debug => (size 0x1c)
Apr/07/2021 08:52:02 ipsec,debug 0000001c 02000000 7f00a7d9 eefede7c 03b323e7 0df78eae 7ee285ab
Apr/07/2021 08:52:02 ipsec adding notify: TS_UNACCEPTABLE
Apr/07/2021 08:52:02 ipsec,debug => (size 0x8)
Apr/07/2021 08:52:02 ipsec,debug 00000008 00000026
Apr/07/2021 08:52:02 ipsec <- ike2 reply, exchange: AUTH:1 ISP ADDRESS[4500] 0536c9b454b779f7:5554d89fdedaab65
Apr/07/2021 08:52:02 ipsec,debug ===== sending 364 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 08:52:02 ipsec,debug 1 times of 368 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 08:52:03 ipsec,debug KA: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 08:52:03 ipsec,debug 1 times of 1 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:35:39 ipsec,debug KA: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:35:39 ipsec,debug 1 times of 1 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:35:46 ipsec acquire for policy: 192.168.20.3 <=> ISP ADDRESS
Apr/07/2021 13:35:46 ipsec connection found for peer: ISP ADDRESS[4500]
Apr/07/2021 13:35:46 ipsec init child for policy: 192.168.20.3 <=> ISP ADDRESS
Apr/07/2021 13:35:46 ipsec init child continue
Apr/07/2021 13:35:46 ipsec offering proto: 3
Apr/07/2021 13:35:46 ipsec  proposal #1
Apr/07/2021 13:35:46 ipsec   enc: aes128-cbc
Apr/07/2021 13:35:46 ipsec   auth: sha1
Apr/07/2021 13:35:46 ipsec   dh: modp2048
Apr/07/2021 13:35:47 ipsec adding payload: NONCE
Apr/07/2021 13:35:47 ipsec,debug => (size 0x1c)
Apr/07/2021 13:35:47 ipsec,debug 0000001c 0af36dc6 1207b4fa f9f1205a 2b445e29 65c25d02 32600b42
Apr/07/2021 13:35:47 ipsec adding payload: KE
Apr/07/2021 13:35:47 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 13:35:47 ipsec,debug 00000108 000e0000 4e77b09d 6f936632 eae614dc 16eb4064 b19e13e1 d7f79d83
Apr/07/2021 13:35:47 ipsec,debug 8290a0aa 63149161 9b09df59 319e2e47 f5d0a505 6559c831 1f7bbca5 f2a014cc
Apr/07/2021 13:35:47 ipsec,debug 81206fd0 4db7227c 0931a63d 58ca8d53 c3aace7e b655d72b 3324fb9f a0aa8be3
Apr/07/2021 13:35:47 ipsec,debug 1cf6f749 cddef5ac e428a76a 48b09bdb 6ba25279 97ac2b0f e9b09587 27f271e6
Apr/07/2021 13:35:47 ipsec,debug 10212786 cbc2dab6 45ad16bb 55929bc3 7b16baa8 d8af1b0d 8dff09fe b88cfd50
Apr/07/2021 13:35:47 ipsec,debug 3df7e88c 9fc6096c b5e0307f f28498b1 b4abf3ef 90f89488 6426b1d8 7feb3935
Apr/07/2021 13:35:47 ipsec,debug b0a2ab78 af1b5c27 0be7eba9 033418ac ab27d2c2 76bab16e cbd4b3f4 5c0ca0f9
Apr/07/2021 13:35:47 ipsec,debug 9b8a8273 bc76d5f5 7def9b3e 799d9d40 862ee392 8a307e9b 445b6fe5 5c8948d8
Apr/07/2021 13:35:47 ipsec adding payload: SA
Apr/07/2021 13:35:47 ipsec,debug => (size 0x34)
Apr/07/2021 13:35:47 ipsec,debug 00000034 00000030 01030404 01921624 0300000c 0100000c 800e0080 03000008
Apr/07/2021 13:35:47 ipsec,debug 03000002 03000008 0400000e 00000008 05000000
Apr/07/2021 13:35:47 ipsec initiator selector: 192.168.20.3 
Apr/07/2021 13:35:47 ipsec adding payload: TS_I
Apr/07/2021 13:35:47 ipsec,debug => (size 0x18)
Apr/07/2021 13:35:47 ipsec,debug 00000018 01000000 07000010 0000ffff c0a81403 c0a81403
Apr/07/2021 13:35:47 ipsec responder selector: ISP ADDRESS 
Apr/07/2021 13:35:47 ipsec adding payload: TS_R
Apr/07/2021 13:35:47 ipsec,debug => (size 0x18)
Apr/07/2021 13:35:47 ipsec,debug 00000018 01000000 07000010 0000ffff 4845becf 4845becf
Apr/07/2021 13:35:47 ipsec adding notify: USE_TRANSPORT_MODE
Apr/07/2021 13:35:47 ipsec,debug => (size 0x8)
Apr/07/2021 13:35:47 ipsec,debug 00000008 00004007
Apr/07/2021 13:35:47 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:0 ISP ADDRESS[4500] 0536c9b454b779f7:5554d89fdedaab65
Apr/07/2021 13:35:47 ipsec,debug ===== sending 604 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:35:47 ipsec,debug 1 times of 608 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:35:47 ipsec child negitiation timeout in state 4
Apr/07/2021 13:35:47 ipsec,info killing ike2 SA: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:5554d89fdedaab65:0536c9b454b779f7
Apr/07/2021 13:35:47 ipsec adding payload: DELETE
Apr/07/2021 13:35:47 ipsec,debug => (size 0x8)
Apr/07/2021 13:35:47 ipsec,debug 00000008 01000000
Apr/07/2021 13:35:47 ipsec <- ike2 request, exchange: INFORMATIONAL:1 ISP ADDRESS[4500] 0536c9b454b779f7:5554d89fdedaab65
Apr/07/2021 13:35:47 ipsec,debug ===== sending 284 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:35:47 ipsec,debug 1 times of 288 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:35:47 ipsec KA remove: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:35:47 ipsec,debug KA tree dump: 192.168.20.3[4500]->ISP ADDRESS[4500] (in_use=1)
Apr/07/2021 13:35:47 ipsec,debug KA removing this one...
Apr/07/2021 13:35:48 ipsec,debug ===== received 108 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 13:35:48 ipsec -> ike2 reply, exchange: INFORMATIONAL:1 ISP ADDRESS[4500] 0536c9b454b779f7:5554d89fdedaab65
Apr/07/2021 13:35:48 ipsec SPI 5554d89fdedaab65 not registered for ISP ADDRESS[4500]
Apr/07/2021 13:35:50 ipsec,debug ===== received 432 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 13:35:50 ipsec -> ike2 request, exchange: SA_INIT:0 ISP ADDRESS[4500] fbc83897ab43a555:0000000000000000
Apr/07/2021 13:35:50 ipsec ike2 respond
Apr/07/2021 13:35:50 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 13:35:50 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 13:35:50 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 13:35:50 ipsec payload seen: NONCE (28 bytes)
Apr/07/2021 13:35:50 ipsec payload seen: KE (264 bytes)
Apr/07/2021 13:35:50 ipsec payload seen: SA (48 bytes)
Apr/07/2021 13:35:50 ipsec processing payload: NONCE
Apr/07/2021 13:35:50 ipsec processing payload: SA
Apr/07/2021 13:35:50 ipsec IKE Protocol: IKE
Apr/07/2021 13:35:50 ipsec  proposal #1
Apr/07/2021 13:35:50 ipsec   enc: aes128-cbc
Apr/07/2021 13:35:50 ipsec   prf: hmac-sha1
Apr/07/2021 13:35:50 ipsec   auth: sha1
Apr/07/2021 13:35:50 ipsec   dh: modp2048
Apr/07/2021 13:35:50 ipsec matched proposal:
Apr/07/2021 13:35:50 ipsec  proposal #1
Apr/07/2021 13:35:50 ipsec   enc: aes128-cbc
Apr/07/2021 13:35:50 ipsec   prf: hmac-sha1
Apr/07/2021 13:35:50 ipsec   auth: sha1
Apr/07/2021 13:35:50 ipsec   dh: modp2048
Apr/07/2021 13:35:50 ipsec processing payload: KE
Apr/07/2021 13:35:51 ipsec,debug => shared secret (size 0x100)
Apr/07/2021 13:35:51 ipsec,debug aeba70f9 1a94284b f5f02784 3cb9da0e 33266280 7d241c0c 6d8b43a4 daea7c97
Apr/07/2021 13:35:51 ipsec,debug 62c19cf5 05c8a269 8e1f393e a3f19e30 2415b145 fceb4ec4 2fff3f0b 2debcbc9
Apr/07/2021 13:35:51 ipsec,debug 2ea4bf3b 8649e97c 036ecd1d 963a606f 3217e153 e544e5f8 da39bef1 482f1aa2
Apr/07/2021 13:35:51 ipsec,debug 9f5a32e3 9802a9ba a215b82f 8f0a4316 381012eb ee3da9a7 4b5b5880 40518a1a
Apr/07/2021 13:35:51 ipsec,debug 28cf575c 9b539f63 4bd91134 148a0f6f 802c40bf c08ceef5 25911815 1e29639d
Apr/07/2021 13:35:51 ipsec,debug ec37cf01 a021c781 2ee41173 7cb28944 ba0a7ed6 16e49d84 ba373cd8 cec0973f
Apr/07/2021 13:35:51 ipsec,debug 8f16929e 92a2be24 3e16b614 269c2a69 be9ffb36 d8264726 91aa6a6a 5fe1fca7
Apr/07/2021 13:35:51 ipsec,debug 9c269706 5a288aed 598c1520 6d94b8aa 29929aa1 9b0d63a9 8b419d79 aef88dc6
Apr/07/2021 13:35:51 ipsec adding payload: SA
Apr/07/2021 13:35:51 ipsec,debug => (size 0x30)
Apr/07/2021 13:35:51 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002
Apr/07/2021 13:35:51 ipsec,debug 03000008 03000002 00000008 0400000e
Apr/07/2021 13:35:51 ipsec adding payload: KE
Apr/07/2021 13:35:51 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 13:35:51 ipsec,debug 00000108 000e0000 d8176f70 63e173d9 3ad28d07 56f18dda 061169c3 82d2b57b
Apr/07/2021 13:35:51 ipsec,debug 12834e5f 2a603514 b6689e6e 741125a6 80c72c76 5b582402 4a03424e 7d8c2557
Apr/07/2021 13:35:51 ipsec,debug 101708cf e2960b6b ccc53570 58cd7f81 04919f83 ba2c6ca6 4b6653ce e0e7b858
Apr/07/2021 13:35:51 ipsec,debug 2df5eeab 956fa028 9301bda6 e15a2a68 7cec8117 35e6c1b3 c116275f 1b828a05
Apr/07/2021 13:35:51 ipsec,debug 45127fa9 2a688549 9d3eca41 e61563f5 d8d9c27e 7d969605 448e38c1 141c5ddd
Apr/07/2021 13:35:51 ipsec,debug 0dbba72a db87f38b f98dcd67 bd34fb61 936bbfdb 9891c554 9f10319f 7b3779cc
Apr/07/2021 13:35:51 ipsec,debug 855e338c 07d9cdff 242dd6b1 71ccfb27 3e1173f3 442db1d8 9dac4061 a0a9eedd
Apr/07/2021 13:35:51 ipsec,debug 27d643d4 d9963cdd 7f1bed3f c82bea4a 4cef3418 1b4c5e95 8fe5a0a7 42fb4d77
Apr/07/2021 13:35:51 ipsec adding payload: NONCE
Apr/07/2021 13:35:51 ipsec,debug => (size 0x1c)
Apr/07/2021 13:35:51 ipsec,debug 0000001c b63de5f1 f0be987e ed3ddd72 8aad48c1 bdc8ea07 f16841fa
Apr/07/2021 13:35:51 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 13:35:51 ipsec,debug => (size 0x1c)
Apr/07/2021 13:35:51 ipsec,debug 0000001c 00004004 070c0eb8 94ef2487 5547b50a c72e5c56 0372e162
Apr/07/2021 13:35:51 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 13:35:51 ipsec,debug => (size 0x1c)
Apr/07/2021 13:35:51 ipsec,debug 0000001c 00004005 35095469 88d9f906 0f9861e4 6868cdcd 4f501a44
Apr/07/2021 13:35:51 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 13:35:51 ipsec,debug => (size 0x8)
Apr/07/2021 13:35:51 ipsec,debug 00000008 0000402e
Apr/07/2021 13:35:51 ipsec adding payload: CERTREQ
Apr/07/2021 13:35:51 ipsec,debug => (size 0x5)
Apr/07/2021 13:35:51 ipsec,debug 00000005 04
Apr/07/2021 13:35:51 ipsec <- ike2 reply, exchange: SA_INIT:0 ISP ADDRESS[4500] fbc83897ab43a555:a5eaa91b237c8515
Apr/07/2021 13:35:51 ipsec,debug ===== sending 437 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:35:51 ipsec,debug 1 times of 441 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:35:51 ipsec,debug => skeyseed (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug f6709fd4 cefdcb7a 128fd4d3 ae41072a 804db9fa
Apr/07/2021 13:35:51 ipsec,debug => keymat (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 38c73286 dbbc608b 89bbd3e2 f4d5879a 7e96bed4
Apr/07/2021 13:35:51 ipsec,debug => SK_ai (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug a2852e3f f710fb91 fae7ff5b c9b188cc 3a8e027c
Apr/07/2021 13:35:51 ipsec,debug => SK_ar (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 8015a9c3 9fc6e3c2 321daa74 fec26d1c 112dd7c1
Apr/07/2021 13:35:51 ipsec,debug => SK_ei (size 0x10)
Apr/07/2021 13:35:51 ipsec,debug 2fff8836 d55426ba 1769abf2 bb7300fe
Apr/07/2021 13:35:51 ipsec,debug => SK_er (size 0x10)
Apr/07/2021 13:35:51 ipsec,debug 05994acf f05e05ea 42120222 002599f7
Apr/07/2021 13:35:51 ipsec,debug => SK_pi (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 46c89d5e 516dba61 3cd5de99 81537e41 f269e214
Apr/07/2021 13:35:51 ipsec,debug => SK_pr (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug f4bcb433 72451997 54ee8176 cfbf2de4 437ebf0d
Apr/07/2021 13:35:51 ipsec,info new ike2 SA (R): 192.168.20.3[4500]-ISP ADDRESS[4500] spi:a5eaa91b237c8515:fbc83897ab43a555
Apr/07/2021 13:35:51 ipsec processing payloads: VID (none found)
Apr/07/2021 13:35:51 ipsec processing payloads: NOTIFY
Apr/07/2021 13:35:51 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 13:35:51 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 13:35:51 ipsec   notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 13:35:51 ipsec (NAT-T) REMOTE LOCAL
Apr/07/2021 13:35:51 ipsec KA list add: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:35:51 ipsec fragmentation negotiated
Apr/07/2021 13:35:51 ipsec,debug ===== received 460 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 13:35:51 ipsec -> ike2 request, exchange: AUTH:1 ISP ADDRESS[4500] fbc83897ab43a555:a5eaa91b237c8515
Apr/07/2021 13:35:51 ipsec payload seen: ENC (432 bytes)
Apr/07/2021 13:35:51 ipsec processing payload: ENC
Apr/07/2021 13:35:51 ipsec,debug => iv (size 0x10)
Apr/07/2021 13:35:51 ipsec,debug 5aef4a93 377cc7ed 89d3b0eb cc23e65b
Apr/07/2021 13:35:51 ipsec,debug => decrypted and trimmed payload (size 0x94)
Apr/07/2021 13:35:51 ipsec,debug decrypted packet
Apr/07/2021 13:35:51 ipsec payload seen: ID_I (12 bytes)
Apr/07/2021 13:35:51 ipsec payload seen: AUTH (28 bytes)
Apr/07/2021 13:35:51 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 13:35:51 ipsec payload seen: SA (44 bytes)
Apr/07/2021 13:35:51 ipsec payload seen: TS_I (24 bytes)
Apr/07/2021 13:35:51 ipsec payload seen: TS_R (24 bytes)
Apr/07/2021 13:35:51 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 13:35:51 ipsec processing payloads: NOTIFY
Apr/07/2021 13:35:51 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 13:35:51 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 13:35:51 ipsec ike auth: respond
Apr/07/2021 13:35:51 ipsec processing payload: ID_I
Apr/07/2021 13:35:51 ipsec ID_I (ADDR4): 172.21.69.153
Apr/07/2021 13:35:51 ipsec processing payload: ID_R (not found)
Apr/07/2021 13:35:51 ipsec processing payload: AUTH
Apr/07/2021 13:35:51 ipsec processing payloads: NOTIFY
Apr/07/2021 13:35:51 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 13:35:51 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 13:35:51 ipsec processing payload: AUTH
Apr/07/2021 13:35:51 ipsec requested auth method: SKEY
Apr/07/2021 13:35:51 ipsec,debug => peer's auth (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 546d02f7 1e06b4b3 abbef540 31cb6060 a7d19249
Apr/07/2021 13:35:51 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 13:35:51 ipsec,debug b63de5f1 f0be987e ed3ddd72 8aad48c1 bdc8ea07 f16841fa
Apr/07/2021 13:35:51 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 46c89d5e 516dba61 3cd5de99 81537e41 f269e214
Apr/07/2021 13:35:51 ipsec,debug => idhash (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug c75bf466 a81b3aa9 4db72031 6beab7bd ea2af14a
Apr/07/2021 13:35:51 ipsec,debug => calculated peer's AUTH (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 546d02f7 1e06b4b3 abbef540 31cb6060 a7d19249
Apr/07/2021 13:35:51 ipsec,info,account peer authorized: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:a5eaa91b237c8515:fbc83897ab43a555
Apr/07/2021 13:35:51 ipsec initial contact
Apr/07/2021 13:35:51 ipsec processing payloads: NOTIFY
Apr/07/2021 13:35:51 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 13:35:51 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 13:35:51 ipsec peer wants transport mode
Apr/07/2021 13:35:51 ipsec processing payload: CONFIG (not found)
Apr/07/2021 13:35:51 ipsec processing payload: SA
Apr/07/2021 13:35:51 ipsec IKE Protocol: ESP
Apr/07/2021 13:35:51 ipsec  proposal #1
Apr/07/2021 13:35:51 ipsec   enc: aes128-cbc
Apr/07/2021 13:35:51 ipsec   auth: sha1
Apr/07/2021 13:35:51 ipsec processing payload: TS_I
Apr/07/2021 13:35:51 ipsec 0.0.0.0/0
Apr/07/2021 13:35:51 ipsec processing payload: TS_R
Apr/07/2021 13:35:51 ipsec ISP CLIENT IP ADDRESS
Apr/07/2021 13:35:51 ipsec skipping not specific selector in transport mode with NAT
Apr/07/2021 13:35:51 ipsec ID_R (ADDR4): 192.168.20.3
Apr/07/2021 13:35:51 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 13:35:51 ipsec,debug 5959863a e51c4d10 23bfa014 159c6889 c75d7572 0d0b26ae
Apr/07/2021 13:35:51 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug f4bcb433 72451997 54ee8176 cfbf2de4 437ebf0d
Apr/07/2021 13:35:51 ipsec,debug => idhash (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug 32fcc29c 9044c1f7 fd57d487 d23b5e23 73a61790
Apr/07/2021 13:35:51 ipsec,debug => my auth (size 0x14)
Apr/07/2021 13:35:51 ipsec,debug ed34b106 5b7f5ca6 cc9e2fd2 ee78b9a1 eae7f478
Apr/07/2021 13:35:51 ipsec adding payload: ID_R
Apr/07/2021 13:35:51 ipsec,debug => (size 0xc)
Apr/07/2021 13:35:51 ipsec,debug 0000000c 01000000 c0a81403
Apr/07/2021 13:35:51 ipsec adding payload: AUTH
Apr/07/2021 13:35:51 ipsec,debug => (size 0x1c)
Apr/07/2021 13:35:51 ipsec,debug 0000001c 02000000 ed34b106 5b7f5ca6 cc9e2fd2 ee78b9a1 eae7f478
Apr/07/2021 13:35:51 ipsec adding notify: TS_UNACCEPTABLE
Apr/07/2021 13:35:51 ipsec,debug => (size 0x8)
Apr/07/2021 13:35:51 ipsec,debug 00000008 00000026
Apr/07/2021 13:35:51 ipsec <- ike2 reply, exchange: AUTH:1 ISP ADDRESS[4500] fbc83897ab43a555:a5eaa91b237c8515
Apr/07/2021 13:35:51 ipsec,debug ===== sending 348 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:35:51 ipsec,debug 1 times of 352 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:35:59 ipsec,debug KA: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:35:59 ipsec,debug 1 times of 1 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:36:19 ipsec,debug KA: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:36:19 ipsec,debug 1 times of 1 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:36:20 ipsec acquire for policy: 192.168.20.3 <=> ISP ADDRESS
Apr/07/2021 13:36:20 ipsec connection found for peer: ISP ADDRESS[4500]
Apr/07/2021 13:36:20 ipsec init child for policy: 192.168.20.3 <=> ISP ADDRESS
Apr/07/2021 13:36:20 ipsec init child continue
Apr/07/2021 13:36:20 ipsec offering proto: 3
Apr/07/2021 13:36:20 ipsec  proposal #1
Apr/07/2021 13:36:20 ipsec   enc: aes128-cbc
Apr/07/2021 13:36:20 ipsec   auth: sha1
Apr/07/2021 13:36:20 ipsec   dh: modp2048
Apr/07/2021 13:36:21 ipsec adding payload: NONCE
Apr/07/2021 13:36:21 ipsec,debug => (size 0x1c)
Apr/07/2021 13:36:21 ipsec,debug 0000001c 91141652 b4c48d3f 3483a233 73a0588c d5df0c65 0d4e0f06
Apr/07/2021 13:36:21 ipsec adding payload: KE
Apr/07/2021 13:36:21 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 13:36:21 ipsec adding payload: SA
Apr/07/2021 13:36:21 ipsec,debug => (size 0x34)
Apr/07/2021 13:36:21 ipsec,debug 00000034 00000030 01030404 02bd80b1 0300000c 0100000c 800e0080 03000008
Apr/07/2021 13:36:21 ipsec,debug 03000002 03000008 0400000e 00000008 05000000
Apr/07/2021 13:36:21 ipsec initiator selector: 192.168.20.3 
Apr/07/2021 13:36:21 ipsec adding payload: TS_I
Apr/07/2021 13:36:21 ipsec,debug => (size 0x18)
Apr/07/2021 13:36:21 ipsec,debug 00000018 01000000 07000010 0000ffff c0a81403 c0a81403
Apr/07/2021 13:36:21 ipsec responder selector: ISP ADDRESS 
Apr/07/2021 13:36:21 ipsec adding payload: TS_R
Apr/07/2021 13:36:21 ipsec,debug => (size 0x18)
Apr/07/2021 13:36:21 ipsec,debug 00000018 01000000 07000010 0000ffff 4845becf 4845becf
Apr/07/2021 13:36:21 ipsec adding notify: USE_TRANSPORT_MODE
Apr/07/2021 13:36:21 ipsec,debug => (size 0x8)
Apr/07/2021 13:36:21 ipsec,debug 00000008 00004007
Apr/07/2021 13:36:21 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:0 ISP ADDRESS[4500] fbc83897ab43a555:a5eaa91b237c8515
Apr/07/2021 13:36:21 ipsec,debug ===== sending 620 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:36:21 ipsec,debug 1 times of 624 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:36:21 ipsec child negitiation timeout in state 4
Apr/07/2021 13:36:21 ipsec,info killing ike2 SA: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:a5eaa91b237c8515:fbc83897ab43a555
Apr/07/2021 13:36:21 ipsec adding payload: DELETE
Apr/07/2021 13:36:21 ipsec,debug => (size 0x8)
Apr/07/2021 13:36:21 ipsec,debug 00000008 01000000
Apr/07/2021 13:36:21 ipsec <- ike2 request, exchange: INFORMATIONAL:1 ISP ADDRESS[4500] fbc83897ab43a555:a5eaa91b237c8515
Apr/07/2021 13:36:21 ipsec,debug ===== sending 252 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:36:21 ipsec,debug 1 times of 256 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:36:21 ipsec KA remove: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:36:21 ipsec,debug KA tree dump: 192.168.20.3[4500]->ISP ADDRESS[4500] (in_use=1)
Apr/07/2021 13:36:21 ipsec,debug KA removing this one...
Apr/07/2021 13:36:22 ipsec,debug ===== received 92 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 13:36:22 ipsec -> ike2 reply, exchange: INFORMATIONAL:1 ISP ADDRESS[4500] fbc83897ab43a555:a5eaa91b237c8515
Apr/07/2021 13:36:22 ipsec SPI a5eaa91b237c8515 not registered for ISP ADDRESS[4500]
Apr/07/2021 13:36:24 ipsec,debug ===== received 432 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 13:36:24 ipsec -> ike2 request, exchange: SA_INIT:0 ISP ADDRESS[4500] 89bce8d0d7a745ef:0000000000000000
Apr/07/2021 13:36:24 ipsec ike2 respond
Apr/07/2021 13:36:24 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 13:36:24 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 13:36:24 ipsec payload seen: NOTIFY (28 bytes)
Apr/07/2021 13:36:24 ipsec payload seen: NONCE (28 bytes)
Apr/07/2021 13:36:24 ipsec payload seen: KE (264 bytes)
Apr/07/2021 13:36:24 ipsec payload seen: SA (48 bytes)
Apr/07/2021 13:36:24 ipsec processing payload: NONCE
Apr/07/2021 13:36:24 ipsec processing payload: SA
Apr/07/2021 13:36:24 ipsec IKE Protocol: IKE
Apr/07/2021 13:36:24 ipsec  proposal #1
Apr/07/2021 13:36:24 ipsec   enc: aes128-cbc
Apr/07/2021 13:36:24 ipsec   prf: hmac-sha1
Apr/07/2021 13:36:24 ipsec   auth: sha1
Apr/07/2021 13:36:24 ipsec   dh: modp2048
Apr/07/2021 13:36:24 ipsec matched proposal:
Apr/07/2021 13:36:24 ipsec  proposal #1
Apr/07/2021 13:36:24 ipsec   enc: aes128-cbc
Apr/07/2021 13:36:24 ipsec   prf: hmac-sha1
Apr/07/2021 13:36:24 ipsec   auth: sha1
Apr/07/2021 13:36:24 ipsec   dh: modp2048
Apr/07/2021 13:36:24 ipsec processing payload: KE
Apr/07/2021 13:36:25 ipsec,debug => shared secret (size 0x100)
Apr/07/2021 13:36:25 ipsec adding payload: SA
Apr/07/2021 13:36:25 ipsec,debug => (size 0x30)
Apr/07/2021 13:36:25 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002
Apr/07/2021 13:36:25 ipsec,debug 03000008 03000002 00000008 0400000e
Apr/07/2021 13:36:25 ipsec adding payload: KE
Apr/07/2021 13:36:25 ipsec,debug => (first 0x100 of 0x108)
Apr/07/2021 13:36:25 ipsec adding payload: NONCE
Apr/07/2021 13:36:25 ipsec,debug => (size 0x1c)
Apr/07/2021 13:36:25 ipsec,debug 0000001c 48697613 6ec67da6 af5b6a52 a86ad848 7365c010 bd6a2478
Apr/07/2021 13:36:25 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 13:36:25 ipsec,debug => (size 0x1c)
Apr/07/2021 13:36:25 ipsec,debug 0000001c 00004004 3c242328 b661c2f6 89789793 adee08f9 4726520d
Apr/07/2021 13:36:25 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 13:36:25 ipsec,debug => (size 0x1c)
Apr/07/2021 13:36:25 ipsec,debug 0000001c 00004005 82b66212 131c2e89 607b30ce c2971d58 0eb7388a
Apr/07/2021 13:36:25 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 13:36:25 ipsec,debug => (size 0x8)
Apr/07/2021 13:36:25 ipsec,debug 00000008 0000402e
Apr/07/2021 13:36:25 ipsec adding payload: CERTREQ
Apr/07/2021 13:36:25 ipsec,debug => (size 0x5)
Apr/07/2021 13:36:25 ipsec,debug 00000005 04
Apr/07/2021 13:36:25 ipsec <- ike2 reply, exchange: SA_INIT:0 ISP ADDRESS[4500] 89bce8d0d7a745ef:e6dc5476d3cf5126
Apr/07/2021 13:36:25 ipsec,debug ===== sending 437 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:36:25 ipsec,debug 1 times of 441 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:36:25 ipsec,debug => skeyseed (size 0x14)
Apr/07/2021 13:36:25 ipsec,debug a0f06947 136a13d4 64d0e53a 33500aa0 165dcc2c
Apr/07/2021 13:36:25 ipsec,debug => keymat (size 0x14)
Apr/07/2021 13:36:25 ipsec,debug 8bdbb31a fe167d65 49b7f268 b621a557 db3df7ec
Apr/07/2021 13:36:25 ipsec,debug => SK_ai (size 0x14)
Apr/07/2021 13:36:25 ipsec,debug b3323d93 a0deb0e6 08701ea1 2e21fff0 797d8ea7
Apr/07/2021 13:36:25 ipsec,debug => SK_ar (size 0x14)
Apr/07/2021 13:36:25 ipsec,debug 47095869 df53da5e 1e6cb375 1c8beb14 70a3528c
Apr/07/2021 13:36:25 ipsec,debug => SK_ei (size 0x10)
Apr/07/2021 13:36:25 ipsec,debug 5278f724 977d2976 f79113fb f29c9b3e
Apr/07/2021 13:36:25 ipsec,debug => SK_er (size 0x10)
Apr/07/2021 13:36:25 ipsec,debug 676c6d85 13f0e1b4 9c24fd3b 9d17a3f7
Apr/07/2021 13:36:25 ipsec,debug => SK_pi (size 0x14)
Apr/07/2021 13:36:25 ipsec,debug e2941106 3fda3383 2caf51a8 0ac1ccc0 bcac654f
Apr/07/2021 13:36:25 ipsec,debug => SK_pr (size 0x14)
Apr/07/2021 13:36:25 ipsec,debug 2bae0a16 e06e146c 2af58435 659b2343 25731708
Apr/07/2021 13:36:25 ipsec,info new ike2 SA (R): 192.168.20.3[4500]-ISP ADDRESS[4500] spi:e6dc5476d3cf5126:89bce8d0d7a745ef
Apr/07/2021 13:36:25 ipsec processing payloads: VID (none found)
Apr/07/2021 13:36:25 ipsec processing payloads: NOTIFY
Apr/07/2021 13:36:25 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/07/2021 13:36:25 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Apr/07/2021 13:36:25 ipsec   notify: NAT_DETECTION_SOURCE_IP
Apr/07/2021 13:36:25 ipsec (NAT-T) REMOTE LOCAL
Apr/07/2021 13:36:25 ipsec KA list add: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:36:25 ipsec fragmentation negotiated
Apr/07/2021 13:36:26 ipsec,debug ===== received 428 bytes from ISP ADDRESS[4500] to 192.168.20.3[4500]
Apr/07/2021 13:36:26 ipsec -> ike2 request, exchange: AUTH:1 ISP ADDRESS[4500] 89bce8d0d7a745ef:e6dc5476d3cf5126
Apr/07/2021 13:36:26 ipsec payload seen: ENC (400 bytes)
Apr/07/2021 13:36:26 ipsec processing payload: ENC
Apr/07/2021 13:36:26 ipsec,debug => iv (size 0x10)
Apr/07/2021 13:36:26 ipsec,debug 2089ddd1 4dd0028a 43f44c7d 48bf5247
Apr/07/2021 13:36:26 ipsec,debug => decrypted and trimmed payload (size 0x94)
Apr/07/2021 13:36:26 ipsec,debug decrypted packet
Apr/07/2021 13:36:26 ipsec payload seen: ID_I (12 bytes)
Apr/07/2021 13:36:26 ipsec payload seen: AUTH (28 bytes)
Apr/07/2021 13:36:26 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 13:36:26 ipsec payload seen: SA (44 bytes)
Apr/07/2021 13:36:26 ipsec payload seen: TS_I (24 bytes)
Apr/07/2021 13:36:26 ipsec payload seen: TS_R (24 bytes)
Apr/07/2021 13:36:26 ipsec payload seen: NOTIFY (8 bytes)
Apr/07/2021 13:36:26 ipsec processing payloads: NOTIFY
Apr/07/2021 13:36:26 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 13:36:26 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 13:36:26 ipsec ike auth: respond
Apr/07/2021 13:36:26 ipsec processing payload: ID_I
Apr/07/2021 13:36:26 ipsec ID_I (ADDR4): 172.21.69.153
Apr/07/2021 13:36:26 ipsec processing payload: ID_R (not found)
Apr/07/2021 13:36:26 ipsec processing payload: AUTH
Apr/07/2021 13:36:26 ipsec processing payloads: NOTIFY
Apr/07/2021 13:36:26 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 13:36:26 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 13:36:26 ipsec processing payload: AUTH
Apr/07/2021 13:36:26 ipsec requested auth method: SKEY
Apr/07/2021 13:36:26 ipsec,debug => peer's auth (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug c3278863 4bfea4ec ceafc452 ab7e1cb4 ac9174ed
Apr/07/2021 13:36:26 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 13:36:26 ipsec,debug 48697613 6ec67da6 af5b6a52 a86ad848 7365c010 bd6a2478
Apr/07/2021 13:36:26 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug e2941106 3fda3383 2caf51a8 0ac1ccc0 bcac654f
Apr/07/2021 13:36:26 ipsec,debug => idhash (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug def86bc2 0e9c5c7a 0b1ea216 d0218a44 47b6a7cd
Apr/07/2021 13:36:26 ipsec,debug => calculated peer's AUTH (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug c3278863 4bfea4ec ceafc452 ab7e1cb4 ac9174ed
Apr/07/2021 13:36:26 ipsec,info,account peer authorized: 192.168.20.3[4500]-ISP ADDRESS[4500] spi:e6dc5476d3cf5126:89bce8d0d7a745ef
Apr/07/2021 13:36:26 ipsec initial contact
Apr/07/2021 13:36:26 ipsec processing payloads: NOTIFY
Apr/07/2021 13:36:26 ipsec   notify: INITIAL_CONTACT
Apr/07/2021 13:36:26 ipsec   notify: USE_TRANSPORT_MODE
Apr/07/2021 13:36:26 ipsec peer wants transport mode
Apr/07/2021 13:36:26 ipsec processing payload: CONFIG (not found)
Apr/07/2021 13:36:26 ipsec processing payload: SA
Apr/07/2021 13:36:26 ipsec IKE Protocol: ESP
Apr/07/2021 13:36:26 ipsec  proposal #1
Apr/07/2021 13:36:26 ipsec   enc: aes128-cbc
Apr/07/2021 13:36:26 ipsec   auth: sha1
Apr/07/2021 13:36:26 ipsec processing payload: TS_I
Apr/07/2021 13:36:26 ipsec 0.0.0.0/0
Apr/07/2021 13:36:26 ipsec processing payload: TS_R
Apr/07/2021 13:36:26 ipsec ISP CLIENT IP ADDRESS
Apr/07/2021 13:36:26 ipsec skipping not specific selector in transport mode with NAT
Apr/07/2021 13:36:26 ipsec ID_R (ADDR4): 192.168.20.3
Apr/07/2021 13:36:26 ipsec,debug => auth nonce (size 0x18)
Apr/07/2021 13:36:26 ipsec,debug 1a7282db 6c7c55b5 9cc3462f a05029ae e8697751 bc576a8e
Apr/07/2021 13:36:26 ipsec,debug => SK_p (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug 2bae0a16 e06e146c 2af58435 659b2343 25731708
Apr/07/2021 13:36:26 ipsec,debug => idhash (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug a4912301 4695b4ab a9dcf6f3 4f5c9771 9115697c
Apr/07/2021 13:36:26 ipsec,debug => my auth (size 0x14)
Apr/07/2021 13:36:26 ipsec,debug 04f8d6c8 63253661 f10cd15a 265d269d 6c959dc3
Apr/07/2021 13:36:26 ipsec adding payload: ID_R
Apr/07/2021 13:36:26 ipsec,debug => (size 0xc)
Apr/07/2021 13:36:26 ipsec,debug 0000000c 01000000 c0a81403
Apr/07/2021 13:36:26 ipsec adding payload: AUTH
Apr/07/2021 13:36:26 ipsec,debug => (size 0x1c)
Apr/07/2021 13:36:26 ipsec,debug 0000001c 02000000 04f8d6c8 63253661 f10cd15a 265d269d 6c959dc3
Apr/07/2021 13:36:26 ipsec adding notify: TS_UNACCEPTABLE
Apr/07/2021 13:36:26 ipsec,debug => (size 0x8)
Apr/07/2021 13:36:26 ipsec,debug 00000008 00000026
Apr/07/2021 13:36:26 ipsec <- ike2 reply, exchange: AUTH:1 ISP ADDRESS[4500] 89bce8d0d7a745ef:e6dc5476d3cf5126
Apr/07/2021 13:36:26 ipsec,debug ===== sending 364 bytes from 192.168.20.3[4500] to ISP ADDRESS[4500]
Apr/07/2021 13:36:26 ipsec,debug 1 times of 368 bytes message will be sent to ISP ADDRESS[4500]
Apr/07/2021 13:36:39 ipsec,debug KA: 192.168.20.3[4500]->ISP ADDRESS[4500]
Apr/07/2021 13:36:39 ipsec,debug 1 times of 1 bytes message will be sent to ISP ADDRESS[4500]
Without most of it making any sense to me, I have a feeling that there is a NAT issue causing it. Then again, why, without changing anything, does it come back online by disabling and enabling the peer? I vaguely remember that during some tests, if I unplugged and then powered the client back on before the 10-minute DPD check (5 times every 120 seconds), the link would be established automatically... just in case it matters.
C) I haven't checked your firewall rules. Again, sniffing is your best friend here, it will show you how far the packets get. If a packet arrives to some intermediate router but doesn't leave it, that router may not have a route for it, a firewall rule in chain forward on that router may block it, or an IPsec policy may divert it into an SA; if a packet arrives to the destination router but there is no response to it, a firewall rule in chain input may block the request packet, an IPsec policy may reverse-match it (which means the packet is dropped if it doesn't arrive via the SA associated to that policy), a route may be missing for the response, or the process expected to receive that request doesn't listen (maybe because there is a restriction on addresses from which the requests are accepted).
Let me work on the firewall rules and get back to you... all three MT clients + the server MT (and the rest of the clients in the future) are/will be behind regular ISP modems (the modems take care of the firewall rules, in the sense that they are not in bridge mode). I was looking/hoping to keep a very simple firewall rule table in the MTs, under the understanding that the MT firewall works the opposite way from "commercial modems", meaning allowing everything unless blocking it...

Re: Discovery of external IP address (Noip.com)

Posted: Thu Apr 08, 2021 9:05 pm
by sindy
It seems that the log is from the only client whose configuration you haven't posted.

As you specify the peers' addresses as domain names, I can imagine the incoming initial packet from the "server" to land on a wrong peer there, as I had such an issue when testing my setup with no static port forwarding; after reboot, the peer with address=some.fqdn was effectively created with address=0.0.0.0/0, thus it was shadowing other peers with individual addresses lower in the peer list, and those remote peers couldn't connect as they were processed by a wrong peer at this machine. But this explanation only makes sense if you have some other peer with fqdn defined at that client, which is placed before the one representing your "server".

NAT doesn't seem to be involved as the connection you've posted did not show any src-nat or dst-nat.

Regarding the connection to port 1701, is it not shown in /ip firewall connection print where dst-address~"the.remote.public.ip" even when it works?

Re: Discovery of external IP address (Noip.com)

Posted: Sun Apr 11, 2021 11:53 am
by ramirez
It seems that the log is from the only client whose configuration you haven't posted.
 
[admin@Client3] > export hide-sensitive 
# apr/11/2021 10:48:08 by RouterOS 6.48.1
# software id = 
#
# model = RBmAPL-2nD
# serial number = 
/interface l2tp-client
add connect-to=dnsln.ddns.net disabled=no max-mru=1400 max-mtu=1400 \
    name=l2tp-out1 user=Tz
/interface wireless
set [ find default-name=wlan1 ] country= disabled=no distance=indoors \
    frequency=auto installation=indoor max-station-count=1 mode=ap-bridge name=\
    Wlan1 ssid="hidden" wmm-support=enabled wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 prf-algorithm=\
    sha1
add dh-group=modp2048 enc-algorithm=aes-128 name=Tz prf-algorithm=sha1
/ip ipsec peer
add address=dnsln.ddns.net exchange-mode=ike2 name=Tz profile=Tz
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=proposal1Tz pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.200.2
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Wlan1 lease-time=1d name=dhcp1
/system logging action
add disk-file-count=10 disk-file-name=ipsecStart disk-lines-per-file=5000 name=\
    ipsecFiles target=disk
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.200.1/24 interface=Wlan1 network=192.168.200.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.0.0.0/8 list="Local Subnet"
add address=172.16.0.0/12 list="Local Subnet"
add address=192.168.0.0/16 list="Local Subnet"
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=\
    out,ipsec
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list="!Local Subnet" \
    new-routing-mark=Traffic_for_vpn passthrough=yes src-address=192.168.200.2
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add peer=Tz
/ip ipsec policy
set 0 disabled=yes
add dst-address=PublicIpAddress/32 peer=Tz proposal=proposal1Tz \
    src-address=192.168.20.3/32
/ip route
add distance=1 gateway=192.168.91.1 routing-mark=Traffic_for_vpn
add distance=1 dst-address=172.21.69.0/24 gateway=192.168.91.1
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=
/system identity
set name=Client1
/system logging
add action=ipsecFiles disabled=yes topics=ipsec,!packet
/tool sniffer
set file-name=Sniffer filter-port="hidden" filter-stream=yes streaming-enabled=yes \
    streaming-server=172.69.21.153:winbox
     
But this explanation only makes sense if you have some other peer with fqdn defined at that client, which is placed before the one representing your "server".
There are no other peers on this client machine .

After changing/adding some firewall rules the auto-connect still doesn't happen, but I see a difference regarding port 1701 now, meaning that it appears now compared to before...
# Without being able to auto connect after powering up (15 min. offline) 

 4  SAC     protocol=udp src-address=PublicIpAddress:4500 dst-address=192.168.20.3:4500 
            reply-src-address=192.168.20.3:4500 reply-dst-address=PublicIpAddress:4500 timeout=2m59s 
            orig-packets=81 orig-bytes=21 715 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=89 repl-bytes=27 562 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=8.0kbps repl-rate=0bps 

 5    C     protocol=udp src-address=192.168.20.3:1701 dst-address=PublicIpAddress:1701 
            reply-src-address=PublicIpAddress:1701 reply-dst-address=192.168.20.3:1701 timeout=9s 
            orig-packets=2 orig-bytes=254 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 
            repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=1016bps 
            repl-rate=0bps 

# After disabling and enabling the peer (on the server side)


 4  SAC     protocol=udp src-address=PublicIpAddress:4500 dst-address=192.168.20.3:4500 
            reply-src-address=192.168.20.3:4500 reply-dst-address=PublicIpAddress:4500 timeout=2m59s 
            orig-packets=235 orig-bytes=63 752 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=225 repl-bytes=51 451 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=1640bps repl-rate=1152bps 

 6  SAC     protocol=udp src-address=192.168.20.3:1701 dst-address=PublicIpAddress:1701 
            reply-src-address=PublicIpAddress:1701 reply-dst-address=192.168.20.3:1701 timeout=2m59s 
            orig-packets=107 orig-bytes=12 934 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=124 repl-bytes=31 100 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=720bps repl-rate=968bps 
Regarding the connection to port 1701, is it not shown in /ip firewall connection print where dst-address~"the.remote.public.ip" even when it works?
Before it didn't; now (after the firewall rules) it does.

Re: Discovery of external IP address (Noip.com)

Posted: Sun Apr 11, 2021 5:44 pm
by sindy
Given that all policies are static, the proposals they use are identical at both ends, and there is no NAT involved at the client device itself, I'm afraid the fact that you get NO_PROPOSAL_CHOSEN is a consequence of some bug.

So I can only suggest a workaround:

/system scheduler add name=ipsec-wa on-event="/ip ipsec peer disable name ; delay 1m ; /ip ipsec peer enable name" start-time=startup

Re: Discovery of external IP address (Noip.com)

Posted: Mon Apr 12, 2021 4:48 pm
by ramirez
Thank you Sindy!
Do I have to replace the word "name" with the peer's actual name, or leave it as is? If I understand it correctly, upon reboot/shutdown etc. the schedule will basically do automatically what I do manually - disable the peer once and then re-enable it?

Re: Discovery of external IP address (Noip.com)

Posted: Mon Apr 12, 2021 6:18 pm
by sindy
Of course replace name by the actual name of the peer. And yes, the scheduled script is a substitution of your manual disable/re-enable operation after reboot.

The scheduled script is a workaround. For a solution in future RouterOS versions, you have to raise a support ticket with Mikrotik; before doing that, create a supout.rif file while it is still bad after the reboot, and attach it to the ticket, as this is the first thing they will ask you to do anyway, no exceptions. You can put just a brief description to the ticket and a link to the post in this topic where you've shown the log, as the beginning of the topic is a bit away from this issue.

Re: Discovery of external IP address (Noip.com)

Posted: Mon Apr 12, 2021 8:29 pm
by ramirez
Thank you Sindy! I will follow up with this post (Mikrotik support) and will try something extra with a dedicated server I have (and post results) to further assist other people and the progress of RouterOS. Again... much appreciated!!!

Re: Discovery of external IP address (Noip.com)

Posted: Tue Apr 13, 2021 6:16 pm
by ramirez
Of course replace name by the actual name of the peer. And yes, the scheduled script is a substitution of your manual disable/re-enable operation after reboot.
I just tried it and it didn't bring the link up... do you think I should make the delay 1m longer, say 3 minutes? Although I would imagine 1 minute should be enough after the power on...

I then manually disabled and re-enabled the link and it did come up...working on as detailed as possible description to send to support...

Re: Discovery of external IP address (Noip.com)

Posted: Tue Apr 13, 2021 10:24 pm
by sindy
...do you think I should make the delay 1m longer, say 3 minutes?
Possibly yes, but to me 1m should also be sufficient, the mAP lite is not that lazy. Maybe add a delay 1m before the disable.

It is still possible that the result depends on whether the initial request comes first from the remote peer or whether the local one is faster, but normally if none of the peers is passive, two IKE connections (active peers) are shown, at least for some time. I admit I rarely use transport mode, though, so maybe it's different there.

Re: Discovery of external IP address (Noip.com)

Posted: Thu Apr 15, 2021 2:23 pm
by ramirez
OK, the delay 1m before disable did the trick :-) ! I have also emailed support regarding the so far discussed ...

Re: Discovery of external IP address (Noip.com)

Posted: Sat Apr 24, 2021 1:25 pm
by ramirez
OK so far:

I have contacted support on the issue, and they asked to upgrade to V. 6.48.2 from 6.48.1, as some improvements took place regarding transport mode and IPsec. The problem persisted after the upgrade.

Then support suggested including a dst-nat rule on either machine (since both are behind NAT) and using passive mode on that machine. The problem with that is when using DDNS, MT will not allow a passive mode. In a further communication I mentioned that 2 clients could connect to the server, but one couldn't (and none had port forwarding rules). They said that probably there were port forwarding rules somewhere. I can definitively confirm that in no modem nor any MT have I introduced port forwarding rules and yet the connection gets established (after some efforts but…gets established)

Here is what I discovered today and would like the community’s input and ideas so I can better phrase it to support:

One, out of the three clients to the server, got disconnected yesterday (I discovered due to an ISP public IP change). A couple of hours later a second client got disconnected and discovered that it was also due to a public IP change. In both cases the link did not return afterwards.

So, I went on and disabled and re-enabled all three links (as before). Did not make a difference.

Disabled completely on the server and the client MT (the first one that lost connection) all settings regarding the link (without re-enabling it), then on server disabled and re-enabled the other 2 peers and Voila the links got re-established!

I was completely baffled as you can imagine 😊 then I re-enabled the last remaining client with hopes…well, the link would not establish no matter what I tried! After about an hour or so research, I completely removed all settings regarding the link on that client, and on the server side I disabled the PPP/secret for that client. Entered from scratch all settings on client (L2TP client and IPsec), enabled the PPP secret on the server and then…
started noticing some packets coming in through the firewall ( chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix="" ) .

The link would still not establish, but when I disabled the peer and re-enabled it (I flushed esp and ah before), to my amazement the link established!!!

So, it seems that in transport mode, because I use a DDNS name, if a public IP changes, when 5 minutes later (that's my setting) that public IP address gets renewed:

A) The link will not be re-established and disabling/enabling it will not “fix” it. As if it remembers the old IP and exchange?
B) Deleting the configuration and starting from scratch will bring me 90% close to a successful link and the final step will be flushing in IPsec and disabling/enabling the peer on the server side (didn’t try it on the client side, could be as well the case)

All three clients are currently connected to the server. Any thoughts on the above would be very much appreciated! Here are the firewall rules (if I should include something more, please let me know, I am not suggesting anywhere that I haven’t missed something).
Server

/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec

/ip firewall nat
add action=masquerade chain=srcnat


Client 1 

/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=output connection-state=established,related
add action=drop chain=output connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1



Client 2:

/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1


Client 3:

/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1

Re: Discovery of external IP address (Noip.com)

Posted: Sun Apr 25, 2021 11:09 am
by ramirez
UPDATE:

OK I can confirm: Last night one of the client's public IP address changed. The link went down and never came up.

What I did: Disabled on client the L2TP-out client - disabled all settings in IP/ipsec
On Server: Disabled the client's Secret @ PPP/secret, disabled the peer for that client
Rebooted both

Re-enabled them all. Packets started coming in through client's firewall. Link would still stay inactive.

Disabled once more (on Server side) the peer in IP/ipsec and enabled it back.

The link came active.

Does this sound like a bug? I have the feeling that because dynamic IP addresses are involved, when a location changes its public IP address this drops the link (ok so far) but when the Mt ....mynetname.net informs of the new address 5 minutes later the link would be "stuck" as for some reason it "continues to remember" the old public IP address.

Does this make any sense to anyone?
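Added illustration (not code from anyone in this thread, nor from MikroTik) of how the manual recovery ramirez describes could be automated: a scheduled script that resolves the remote peer's DDNS name every 5 minutes and, when the address has changed or no active peer exists for it, flushes the SAs and bounces the peer, the same steps that brought the link back above. It assumes a peer named "site-b" and a DDNS name "site-b.example.com", both placeholders, and leaves the boot case to sindy's startup scheduler by skipping the first two minutes after boot.

```routeros
# Assumed placeholders: IPsec peer "site-b", DDNS name "site-b.example.com".
# Remembered across runs in a global so a change can be detected.
/system script add name=ipsec-ddns-watch source={
    :local peerName "site-b"
    :local ddnsName "site-b.example.com"
    :global ipsecPeerAddr

    # Right after boot the startup scheduler (delay 1m before disable)
    # handles the peer; do not race it.
    :if ([/system resource get uptime] > 2m) do={
        :local newAddr
        :do {
            :set newAddr [:resolve $ddnsName]
        } on-error={
            :log warning "ipsec-ddns-watch: cannot resolve $ddnsName"
        }

        :if ([:typeof $newAddr] = "ip") do={
            # Bounce when the DDNS address moved since the last run ...
            :local changed true
            :if ([:typeof $ipsecPeerAddr] = "ip") do={
                :if ($ipsecPeerAddr = $newAddr) do={ :set changed false }
            }
            # ... or when no IKE peer is up towards the current address.
            :local active [:len [/ip ipsec active-peers find remote-address=$newAddr]]

            :if ($changed || $active = 0) do={
                :log info "ipsec-ddns-watch: $ddnsName=$newAddr (was $ipsecPeerAddr), active=$active, bouncing $peerName"
                # Same sequence that recovered the link manually in this thread:
                # flush stale SAs, then disable/re-enable the peer.
                /ip ipsec installed-sa flush sa-type=all
                /ip ipsec peer disable [find name=$peerName]
                :delay 10s
                /ip ipsec peer enable [find name=$peerName]
                :set ipsecPeerAddr $newAddr
            }
        }
    }
}

# Run it at the same 5 minute cadence as the DDNS update interval.
/system scheduler add name=ipsec-ddns-watch interval=5m start-time=startup \
    on-event="/system script run ipsec-ddns-watch"
```

Watch the log for the "bouncing" line after the next public IP change; if the peer then still stays down, the supout.rif taken at that moment is what support will want.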