
Setup DMVPN cannot work
Closed, Resolved · Public · BUG

Description

Hi

I am setting up DMVPN on EPA3, but the VPN log has the error "received INVALID_ID_INFORMATION error notify".

My test network architecture has two sites: one has a static public IP, the other has a PPPoE DHCP IP to the internet. All sites run VyOS version EPA3.

When I finished the setup, I checked the charon log and found "received INVALID_ID_INFORMATION error notify". I ran show IPsec sa and saw that the DMVPN tunnel has been created and its status is up.

Spoke site information:

vyos@vyos# run show vpn ipsec sa
Connection           State    Up         Bytes In/Out    Remote address    Remote ID    Proposal
-------------------  -------  ---------  --------------  ----------------  -----------  ------------------------------------------------
dmvpn-DEVELVPN-tun0  up       9 seconds  N/A             116.90.86.xxx     N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[edit]
vyos@vyos# run show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
  uptime: 93 minutes, since Jan 20 16:52:30 2019
  malloc: sbrk 2973696, mmap 0, used 801616, free 2172080
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.64.15.xx

Connections:
dmvpn-DEVELVPN-tun0:  %any...%any  IKEv1
dmvpn-DEVELVPN-tun0:   local:  [100.64.15.xx] uses pre-shared key authentication
dmvpn-DEVELVPN-tun0:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
dmvpn-DEVELVPN-tun0[1]: ESTABLISHED 12 seconds ago, 100.64.15.85[100.64.15.xx]...116.90.86.181[116.90.86.xx]
dmvpn-DEVELVPN-tun0[1]: IKEv1 SPIs: 4d01aac360352af1_i* e7603d1a516592a9_r, rekeying in 59 minutes
dmvpn-DEVELVPN-tun0[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

The hub site has the following information:

vyos@vyos:~$ show vpn ipsec sa
Connection           State    Up          Bytes In/Out    Remote address    Remote ID     Proposal
-------------------  -------  ----------  --------------  ----------------  ------------  ------------------------------------------------
dmvpn-DEVELVPM-tun1  up       74 seconds  N/A             115.60.59.xxx     100.64.15.xx  AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@vyos:~$ show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
  uptime: 92 minutes, since Jan 20 16:56:50 2019
  malloc: sbrk 2973696, mmap 0, used 806496, free 2167200
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  116.90.86.xxx
Connections:
dmvpn-DEVELVPM-tun1:  %any...%any  IKEv1
dmvpn-DEVELVPM-tun1:   local:  [116.90.86.181] uses pre-shared key authentication
dmvpn-DEVELVPM-tun1:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
dmvpn-DEVELVPM-tun1[2]: ESTABLISHED 2 minutes ago, 116.90.86.xxx[116.90.86.xxx]...115.60.59.xxx[100.64.15.xx]
dmvpn-DEVELVPM-tun1[2]: IKEv1 SPIs: 6aec0fcb3f7b40a0_i c00c1e63a423e9e2_r*, rekeying in 57 minutes
dmvpn-DEVELVPM-tun1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@vyos:~$

And I checked the log on the spoke site:

Jan 20 18:30:07 vyos charon: 10[CFG] vici terminate with source me 100.64.15.85 and other 116.90.86.xxx
Jan 20 18:30:07 vyos charon: 15[IKE] deleting IKE_SA dmvpn-DEVELVPN-tun0[2] between 100.64.15.85[100.64.15.85]...116.90.86.xxx[116.90.86.xxx]
Jan 20 18:30:07 vyos charon: 15[IKE] sending DELETE for IKE_SA dmvpn-DEVELVPN-tun0[2]
Jan 20 18:30:07 vyos charon: 15[ENC] generating INFORMATIONAL_V1 request 3653513929 [ HASH D ]
Jan 20 18:30:07 vyos charon: 15[NET] sending packet: from 100.64.15.85[4500] to 116.90.86.xxx[4500] (92 bytes)
Jan 20 18:30:07 vyos charon: 12[CFG] vici initiate 'dmvpn', me 100.64.15.85, other 116.90.86.xxx, limits 0
Jan 20 18:30:07 vyos charon: 10[IKE] initiating Main Mode IKE_SA dmvpn-DEVELVPN-tun0[3] to 116.90.86.xxx
Jan 20 18:30:07 vyos charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 20 18:30:07 vyos charon: 10[NET] sending packet: from 100.64.15.85[500] to 116.90.86.xxx[500] (216 bytes)
Jan 20 18:30:07 vyos charon: 13[NET] received packet: from 116.90.86.xxx[500] to 100.64.15.85[500] (160 bytes)
Jan 20 18:30:07 vyos charon: 13[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Jan 20 18:30:07 vyos charon: 13[IKE] received XAuth vendor ID
Jan 20 18:30:07 vyos charon: 13[IKE] received DPD vendor ID
Jan 20 18:30:07 vyos charon: 13[IKE] received FRAGMENTATION vendor ID
Jan 20 18:30:07 vyos charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 18:30:07 vyos charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 18:30:07 vyos charon: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 13[NET] sending packet: from 100.64.15.85[500] to 116.90.86.xxx[500] (244 bytes)
Jan 20 18:30:07 vyos charon: 08[NET] received packet: from 116.90.86.xxx[500] to 100.64.15.85[500] (244 bytes)
Jan 20 18:30:07 vyos charon: 08[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 08[IKE] local host is behind NAT, sending keep alives
Jan 20 18:30:07 vyos charon: 08[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 08[NET] sending packet: from 100.64.15.85[4500] to 116.90.86.xxx[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 04[NET] received packet: from 116.90.86.xxx[4500] to 100.64.15.85[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 04[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 04[IKE] IKE_SA dmvpn-DEVELVPN-tun0[3] established between 100.64.15.85[100.64.15.85]...116.90.86.xxx[116.90.86.xxx]
Jan 20 18:30:07 vyos charon: 04[IKE] scheduling rekeying in 3579s
Jan 20 18:30:07 vyos charon: 04[IKE] maximum IKE_SA lifetime 3939s
Jan 20 18:30:07 vyos charon: 04[ENC] generating QUICK_MODE request 2482155956 [ HASH SA No KE ID ID ]
Jan 20 18:30:07 vyos charon: 04[NET] sending packet: from 100.64.15.85[4500] to 116.90.86.xxx[4500] (332 bytes)
Jan 20 18:30:07 vyos charon: 05[NET] received packet: from 116.90.86.xxx4500] to 100.64.15.85[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 05[ENC] parsed INFORMATIONAL_V1 request 627719152 [ HASH N(INVAL_ID) ]
Jan 20 18:30:07 vyos charon: 05[IKE] received INVALID_ID_INFORMATION error notify

On the hub site I see the following information:

Jan 20 18:30:07 vyos charon: 14[NET] received packet: from 115.60.59.223[11918] to 116.90.86.xxx[4500] (92 bytes)
Jan 20 18:30:07 vyos charon: 14[ENC] parsed INFORMATIONAL_V1 request 3653513929 [ HASH D ]
Jan 20 18:30:07 vyos charon: 14[IKE] received DELETE for IKE_SA dmvpn-DEVELVPM-tun1[2]
Jan 20 18:30:07 vyos charon: 14[IKE] deleting IKE_SA dmvpn-DEVELVPM-tun1[2] between 116.90.86.xxx[116.90.86.xxx]...115.60.59.223[100.64.15.85]
Jan 20 18:30:07 vyos charon: 06[NET] received packet: from 115.60.59.223[11917] to 116.90.86.xxx[500] (216 bytes)
Jan 20 18:30:07 vyos charon: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jan 20 18:30:07 vyos charon: 06[IKE] received XAuth vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received DPD vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received FRAGMENTATION vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] 115.60.59.223 is initiating a Main Mode IKE_SA
Jan 20 18:30:07 vyos charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 18:30:07 vyos charon: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jan 20 18:30:07 vyos charon: 06[NET] sending packet: from 116.90.86.xxx[500] to 115.60.59.223[11917] (160 bytes)
Jan 20 18:30:07 vyos charon: 08[NET] received packet: from 115.60.59.223[11917] to 116.90.86.xxx[500] (244 bytes)
Jan 20 18:30:07 vyos charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 08[IKE] remote host is behind NAT
Jan 20 18:30:07 vyos charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 08[NET] sending packet: from 116.90.86.xxx[500] to 115.60.59.223[11917] (244 bytes)
Jan 20 18:30:07 vyos charon: 10[NET] received packet: from 115.60.59.223[11918] to 116.90.86.xxx[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 10[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 10[CFG] looking for pre-shared key peer configs matching 116.90.86.xxx...115.60.59.223[100.64.15.85]
Jan 20 18:30:07 vyos charon: 10[CFG] selected peer config "dmvpn-DEVELVPM-tun1"
Jan 20 18:30:07 vyos charon: 10[IKE] IKE_SA dmvpn-DEVELVPM-tun1[3] established between 116.90.86.xxx[116.90.86.xxx]...115.60.59.223[100.64.15.85]
Jan 20 18:30:07 vyos charon: 10[IKE] scheduling rekeying in 3459s
Jan 20 18:30:07 vyos charon: 10[IKE] maximum IKE_SA lifetime 3819s
Jan 20 18:30:07 vyos charon: 10[ENC] generating ID_PROT response 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 10[NET] sending packet: from 116.90.86.xxx[4500] to 115.60.59.223[11918] (76 bytes)
Jan 20 18:30:07 vyos charon: 12[NET] received packet: from 115.60.59.223[11918] to 116.90.86.xxx[4500] (332 bytes)
Jan 20 18:30:07 vyos charon: 12[ENC] parsed QUICK_MODE request 2482155956 [ HASH SA No KE ID ID ]
Jan 20 18:30:07 vyos charon: 12[IKE] no matching CHILD_SA config found for 100.64.15.85/32[gre] === 116.90.86.xxx/32[gre]
Jan 20 18:30:07 vyos charon: 12[ENC] generating INFORMATIONAL_V1 request 627719152 [ HASH N(INVAL_ID) ]
Jan 20 18:30:07 vyos charon: 12[NET] sending packet: from 116.90.86.xxx[4500] to 115.60.59.223[11918] (76 bytes)

I think the hub site doesn't have an issue.

Please check this issue.

Thanks

David

Details

Difficulty level
Normal (likely a few hours)
Version
Vyos 1.2.0 EPA3
Why the issue appeared?
Will be filled on close

Event Timeline

syncer assigned this task to UnicronNL. Jan 20 2019, 11:19 AM
syncer triaged this task as Normal priority.

If you can, see issue "T1100: Spoke site dynamic IP over NAT connect to Hub site."

I think today's problem is the same as last time (1.2.0 RC10). That issue has more logs you can look at.

Thanks.

UnicronNL added a subscriber: btopping. Edited Jan 20 2019, 8:24 PM

@bjtangseng This is definitely a NAT issue. If I change the local_ts = dynamic[gre] in /etc/swanctl/swanctl.conf to local_ts = *.*.*.*/32[gre], I can replicate the error you get.

There is no way to override it yet; it has to be built in.
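
The address mismatch behind the hub's "no matching CHILD_SA config found" line, as an added example that is not part of the original ticket and not VyOS or strongSwan code: a Python check that compares each rejected traffic selector with the addresses the IKE_SA was actually established between. The sample log is constructed with placeholder addresses, and `analyze`, `Finding` and the other names are hypothetical; it assumes one negotiation at a time in the log.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed hub-side sample in the charon syslog format shown in this ticket.
# Placeholder addresses: 203.0.113.10 = hub, 198.51.100.23 = spoke as seen
# after NAT, 100.64.15.85 = the spoke's own (pre-NAT) address.
SAMPLE_HUB_LOG = """\
Jan 20 18:30:07 vyos charon: 08[IKE] remote host is behind NAT
Jan 20 18:30:07 vyos charon: 10[IKE] IKE_SA dmvpn-HUB-tun1[3] established between 203.0.113.10[203.0.113.10]...198.51.100.23[100.64.15.85]
Jan 20 18:30:07 vyos charon: 12[ENC] parsed QUICK_MODE request 2482155956 [ HASH SA No KE ID ID ]
Jan 20 18:30:07 vyos charon: 12[IKE] no matching CHILD_SA config found for 100.64.15.85/32[gre] === 203.0.113.10/32[gre]
Jan 20 18:30:07 vyos charon: 12[ENC] generating INFORMATIONAL_V1 request 627719152 [ HASH N(INVAL_ID) ]
"""

ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[\d+\] established between "
    r"(?P<laddr>[^\[\s]+)\[(?P<lid>[^\]]+)\]\.\.\."
    r"(?P<raddr>[^\[\s]+)\[(?P<rid>[^\]]+)\]")
NO_CHILD = re.compile(
    r"no matching CHILD_SA config found for (?P<a>\S+) === (?P<b>\S+)")
BEHIND_NAT = re.compile(r"(?:local|remote) host is behind NAT")


@dataclass
class Finding:
    conn: str                  # connection name from the IKE_SA line
    peer_seen: str             # source address the responder actually sees
    selector: str              # rejected selector covering neither endpoint
    selector_is_peer_id: bool  # selector equals the peer's IKE identity
    nat_detected: bool         # NAT-D reported NAT before the SA came up


def parse_or_none(value, factory):
    """Return factory(value), or None for redacted/garbled input like '1.2.3.xxx'."""
    try:
        return factory(value)
    except ValueError:
        return None


def selector_network(selector):
    """'100.64.15.85/32[gre]' -> ip_network('100.64.15.85/32'); None if unparsable."""
    return parse_or_none(selector.split("[", 1)[0],
                         lambda s: ipaddress.ip_network(s, strict=False))


def analyze(lines):
    """Flag rejected Quick Mode selectors that match neither IKE_SA endpoint."""
    sa, nat, findings = None, False, []
    for line in lines:
        if BEHIND_NAT.search(line):
            nat = True                      # NAT-D result precedes "established"
            continue
        m = ESTABLISHED.search(line)
        if m:
            sa = dict(m.groupdict(), nat=nat)
            nat = False                     # flag belongs to this SA only
            continue
        m = NO_CHILD.search(line)
        if not (m and sa):
            continue
        endpoints = [parse_or_none(sa[k], ipaddress.ip_address)
                     for k in ("laddr", "raddr")]
        if None in endpoints:
            continue                        # redacted addresses: cannot compare
        for sel in (m["a"], m["b"]):
            net = selector_network(sel)
            if net is None or any(ip in net for ip in endpoints):
                continue                    # selector covers an address on the wire
            is_id = net.num_addresses == 1 and str(net.network_address) == sa["rid"]
            findings.append(Finding(sa["conn"], sa["raddr"], sel, is_id, sa["nat"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_HUB_LOG.splitlines()):
        print(f)
```

A finding with both `selector_is_peer_id` and `nat_detected` set means the peer proposed its pre-NAT address as the selector while the responder sees a different source address.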

Hi all, I honestly forgot that I wrote this or I would have closed it. I'll go through and check for any other tickets I have open shortly.

Thanks!

Today I tried to edit swanctl.conf, but it doesn't work. I will wait for your new build. I can test that again.

@bjtangseng
Can you please edit your swanctl.conf file and set local_ts to 115.60.62.155/32[gre] ( local_ts = 115.60.62.155/32[gre] )?
After editing swanctl.conf, please run:
sudo swanctl -q
then please check if you can connect with:
sudo swanctl -i -c dmvpn -S 100.64.161.96 -R 116.90.86.181 -l 2
or:
sudo swanctl -i -c dmvpn -S 0.0.0.0 -R 116.90.86.181 -l 2

pasik added a subscriber: pasik. Jan 21 2019, 9:42 PM

Which site do you want me to change, the hub site or the spoke site? Last time I changed the swanctl.conf file; if I reboot VyOS, that file will be changed back to dynamic[gre].

@bjtangseng The spoke, and do not reboot.
Make sure the hub is up and make the changes mentioned in the previous post on the spoke (no reboot),
and post the output of:

sudo swanctl -i -c dmvpn -S 100.64.161.96 -R 116.90.86.181 -l 2
or:
sudo swanctl -i -c dmvpn -S 0.0.0.0 -R 116.90.86.181 -l 2

It is to see if it works, so I know what changes I have to make.
(So you test for me if connections work with NAT :))

OK, I will test tomorrow night (Beijing time). If I have any information, I will send a message.

Now I will help you test DMVPN. If you have time, maybe we can do it together.

@bjtangseng Can you post the output? Then I can maybe look and modify things.

vyos@vyos# sudo swanctl -i -c dmvpn -S 0.0.0.0 -R 116.90.86.181 -l 2
[JOB] watcher got notification, rebuilding
[JOB] watcher going to poll() 9 fds
[MGR] checkout IKE_SA by config 'dmvpn-DEVELVPN-tun0', me %any, other 116.90.86.181
[JOB] watcher got notification, rebuilding
[JOB] watcher going to poll() 9 fds
[JOB] watched FD 25 ready to write
[MGR] created IKE_SA (unnamed)[100]
[KNL] using 100.64.206.174 as address to reach 116.90.86.181/32
[IKE] queueing ISAKMP_VENDOR task
[IKE] queueing ISAKMP_CERT_PRE task
[IKE] queueing MAIN_MODE task
[IKE] queueing ISAKMP_CERT_POST task
[IKE] queueing ISAKMP_NATD task
[IKE] queueing QUICK_MODE task
[IKE] activating new tasks
[IKE] activating ISAKMP_VENDOR task
[IKE] activating ISAKMP_CERT_PRE task
[IKE] activating MAIN_MODE task
[IKE] activating ISAKMP_CERT_POST task
[IKE] activating ISAKMP_NATD task
[IKE] sending XAuth vendor ID
[ENC] added payload of type VENDOR_ID_V1 to message
[IKE] sending DPD vendor ID
[ENC] added payload of type VENDOR_ID_V1 to message
[IKE] sending FRAGMENTATION vendor ID
[ENC] added payload of type VENDOR_ID_V1 to message
[IKE] sending NAT-T (RFC 3947) vendor ID
[ENC] added payload of type VENDOR_ID_V1 to message
[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[ENC] added payload of type VENDOR_ID_V1 to message
[IKE] initiating Main Mode IKE_SA dmvpn-DEVELVPN-tun0[100] to 116.90.86.181
[IKE] IKE_SA dmvpn-DEVELVPN-tun0[100] state change: CREATED => CONNECTING
[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
[ENC] order payloads in message
[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
[ENC] added payload of type VENDOR_ID_V1 to message
[ENC] added payload of type VENDOR_ID_V1 to message
[ENC] added payload of type VENDOR_ID_V1 to message
[ENC] added payload of type VENDOR_ID_V1 to message
[ENC] added payload of type VENDOR_ID_V1 to message
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 100.64.206.174[500] to 116.90.86.181[500] (216 bytes)
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun0[100]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 116.90.86.181[500] to 100.64.206.174[500] (160 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selecting proposal:
[CFG] proposal matches
[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[IKE] reinitiating already active tasks
[IKE] ISAKMP_VENDOR task
[IKE] MAIN_MODE task
[LIB] size of DH secret exponent: 1023 bits
[ENC] added payload of type KEY_EXCHANGE_V1 to message
[ENC] added payload of type NONCE_V1 to message
[ENC] added payload of type NAT_D_V1 to message
[ENC] added payload of type NAT_D_V1 to message
[ENC] order payloads in message
[ENC] added payload of type KEY_EXCHANGE_V1 to message
[ENC] added payload of type NONCE_V1 to message
[ENC] added payload of type NAT_D_V1 to message
[ENC] added payload of type NAT_D_V1 to message
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] not encrypting payloads
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC] generating rule 1 IKE_SPI
[ENC] generating rule 2 U_INT_8
[ENC] generating rule 3 U_INT_4
[ENC] generating rule 4 U_INT_4
[ENC] generating rule 5 U_INT_8
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 FLAG
[ENC] generating rule 9 FLAG
[ENC] generating rule 10 FLAG
[ENC] generating rule 11 FLAG
[ENC] generating rule 12 FLAG
[ENC] generating rule 13 FLAG
[ENC] generating rule 14 U_INT_32
[ENC] generating rule 15 HEADER_LENGTH
[ENC] generating HEADER payload finished
[ENC] generating payload of type KEY_EXCHANGE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating KEY_EXCHANGE_V1 payload finished
[ENC] generating payload of type NONCE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 FLAG
[ENC] generating rule 2 RESERVED_BIT
[ENC] generating rule 3 RESERVED_BIT
[ENC] generating rule 4 RESERVED_BIT
[ENC] generating rule 5 RESERVED_BIT
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 RESERVED_BIT
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC] generating rule 10 CHUNK_DATA
[ENC] generating NONCE_V1 payload finished
[ENC] generating payload of type NAT_D_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating NAT_D_V1 payload finished
[ENC] generating payload of type NAT_D_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating NAT_D_V1 payload finished
[NET] sending packet: from 100.64.206.174[500] to 116.90.86.181[500] (244 bytes)
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun0[100]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 116.90.86.181[500] to 100.64.206.174[500] (244 bytes)
[ENC] parsing body of message, first payload is KEY_EXCHANGE_V1
[ENC] starting parsing a KEY_EXCHANGE_V1 payload
[ENC] parsing KEY_EXCHANGE_V1 payload, 216 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 CHUNK_DATA
[ENC] parsing KEY_EXCHANGE_V1 payload finished
[ENC] verifying payload of type KEY_EXCHANGE_V1
[ENC] KEY_EXCHANGE_V1 payload verified, adding to payload list
[ENC] starting parsing a NONCE_V1 payload
[ENC] parsing NONCE_V1 payload, 84 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 FLAG
[ENC] parsing rule 2 RESERVED_BIT
[ENC] parsing rule 3 RESERVED_BIT
[ENC] parsing rule 4 RESERVED_BIT
[ENC] parsing rule 5 RESERVED_BIT
[ENC] parsing rule 6 RESERVED_BIT
[ENC] parsing rule 7 RESERVED_BIT
[ENC] parsing rule 8 RESERVED_BIT
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] parsing rule 10 CHUNK_DATA
[ENC] parsing NONCE_V1 payload finished
[ENC] verifying payload of type NONCE_V1
[ENC] NONCE_V1 payload verified, adding to payload list
[ENC] starting parsing a NAT_D_V1 payload
[ENC] parsing NAT_D_V1 payload, 48 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 CHUNK_DATA
[ENC] parsing NAT_D_V1 payload finished
[ENC] verifying payload of type NAT_D_V1
[ENC] NAT_D_V1 payload verified, adding to payload list
[ENC] starting parsing a NAT_D_V1 payload
[ENC] parsing NAT_D_V1 payload, 24 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 CHUNK_DATA
[ENC] parsing NAT_D_V1 payload finished
[ENC] verifying payload of type NAT_D_V1
[ENC] NAT_D_V1 payload verified, adding to payload list
[ENC] process payload of type KEY_EXCHANGE_V1
[ENC] process payload of type NONCE_V1
[ENC] process payload of type NAT_D_V1
[ENC] process payload of type NAT_D_V1
[ENC] verifying message structure
[ENC] found payload of type KEY_EXCHANGE_V1
[ENC] found payload of type NONCE_V1
[ENC] found payload of type NAT_D_V1
[ENC] found payload of type NAT_D_V1
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[IKE] reinitiating already active tasks
[IKE] ISAKMP_VENDOR task
[IKE] MAIN_MODE task
[ENC] added payload of type ID_V1 to message
[ENC] added payload of type HASH_V1 to message
[ENC] order payloads in message
[ENC] added payload of type ID_V1 to message
[ENC] added payload of type HASH_V1 to message
[ENC] generating ID_PROT request 0 [ ID HASH ]
[ENC] insert payload ID_V1 into encrypted payload
[ENC] insert payload HASH_V1 into encrypted payload
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC] generating rule 1 IKE_SPI
[ENC] generating rule 2 U_INT_8
[ENC] generating rule 3 U_INT_4
[ENC] generating rule 4 U_INT_4
[ENC] generating rule 5 U_INT_8
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 FLAG
[ENC] generating rule 9 FLAG
[ENC] generating rule 10 FLAG
[ENC] generating rule 11 FLAG
[ENC] generating rule 12 FLAG
[ENC] generating rule 13 FLAG
[ENC] generating rule 14 U_INT_32
[ENC] generating rule 15 HEADER_LENGTH
[ENC] generating HEADER payload finished
[ENC] generating payload of type ID_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 U_INT_16
[ENC] generating rule 6 CHUNK_DATA
[ENC] generating ID_V1 payload finished
[ENC] generating payload of type HASH_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating HASH_V1 payload finished
[ENC] generated content in encrypted payload
[ENC] generating payload of type ENCRYPTED_V1
[ENC] generating rule 0 ENCRYPTED_DATA
[ENC] generating ENCRYPTED_V1 payload finished
[NET] sending packet: from 100.64.206.174[4500] to 116.90.86.181[4500] (76 bytes)
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun0[100]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 116.90.86.181[4500] to 100.64.206.174[4500] (76 bytes)
[ENC] parsing body of message, first payload is ID_V1
[ENC] parsing ENCRYPTED_V1 payload, 48 bytes left
[ENC] parsing rule 0 ENCRYPTED_DATA
[ENC] parsing ENCRYPTED_V1 payload finished
[ENC] process payload of type ENCRYPTED_V1
[ENC] found an encrypted payload
[ENC] parsing ID_V1 payload, 48 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 U_INT_8
[ENC] parsing rule 4 U_INT_8
[ENC] parsing rule 5 U_INT_16
[ENC] parsing rule 6 CHUNK_DATA
[ENC] parsing ID_V1 payload finished
[ENC] parsing HASH_V1 payload, 36 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 CHUNK_DATA
[ENC] parsing HASH_V1 payload finished
[ENC] parsed content of encrypted payload
[ENC] insert decrypted payload of type ID_V1 at end of list
[ENC] insert decrypted payload of type HASH_V1 at end of list
[ENC] verifying message structure
[ENC] found payload of type ID_V1
[ENC] found payload of type HASH_V1
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA dmvpn-DEVELVPN-tun0[100] established between 100.64.206.174[100.64.206.174]...116.90.86.181[116.90.86.181]
[IKE] IKE_SA dmvpn-DEVELVPN-tun0[100] state change: CONNECTING => ESTABLISHED
[IKE] scheduling rekeying in 3559s
[IKE] maximum IKE_SA lifetime 3919s
[IKE] activating new tasks
[IKE] activating QUICK_MODE task
[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
[KNL] got SPI c7d749ca
[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
[LIB] size of DH secret exponent: 1023 bits
[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
[ENC] added payload of type NONCE_V1 to message
[ENC] added payload of type KEY_EXCHANGE_V1 to message
[CFG] proposing traffic selectors for us:
[CFG] 115.60.59.223/32[gre]
[CFG] proposing traffic selectors for other:
[CFG] 116.90.86.181/32[gre]
[ENC] added payload of type ID_V1 to message
[ENC] added payload of type ID_V1 to message
[ENC] order payloads in message
[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
[ENC] added payload of type NONCE_V1 to message
[ENC] added payload of type KEY_EXCHANGE_V1 to message
[ENC] added payload of type ID_V1 to message
[ENC] added payload of type ID_V1 to message
[ENC] generating QUICK_MODE request 2108957326 [ HASH SA No KE ID ID ]
[ENC] insert payload HASH_V1 into encrypted payload
[ENC] insert payload SECURITY_ASSOCIATION_V1 into encrypted payload
[ENC] insert payload NONCE_V1 into encrypted payload
[ENC] insert payload KEY_EXCHANGE_V1 into encrypted payload
[ENC] insert payload ID_V1 into encrypted payload
[ENC] insert payload ID_V1 into encrypted payload
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC] generating rule 1 IKE_SPI
[ENC] generating rule 2 U_INT_8
[ENC] generating rule 3 U_INT_4
[ENC] generating rule 4 U_INT_4
[ENC] generating rule 5 U_INT_8
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 FLAG
[ENC] generating rule 9 FLAG
[ENC] generating rule 10 FLAG
[ENC] generating rule 11 FLAG
[ENC] generating rule 12 FLAG
[ENC] generating rule 13 FLAG
[ENC] generating rule 14 U_INT_32
[ENC] generating rule 15 HEADER_LENGTH
[ENC] generating HEADER payload finished
[ENC] generating payload of type HASH_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating HASH_V1 payload finished
[ENC] generating payload of type SECURITY_ASSOCIATION_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BIT
[ENC] generating rule 2 RESERVED_BIT
[ENC] generating rule 3 RESERVED_BIT
[ENC] generating rule 4 RESERVED_BIT
[ENC] generating rule 5 RESERVED_BIT
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 RESERVED_BIT
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC] generating rule 10 U_INT_32
[ENC] generating rule 11 U_INT_32
[ENC] generating rule 12 (1259)
[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 SPI_SIZE
[ENC] generating rule 6 U_INT_8
[ENC] generating rule 7 SPI
[ENC] generating rule 8 (1261)
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 RESERVED_BYTE
[ENC] generating rule 6 RESERVED_BYTE
[ENC] generating rule 7 (1263)
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 RESERVED_BYTE
[ENC] generating rule 6 RESERVED_BYTE
[ENC] generating rule 7 (1263)
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
[ENC] generating payload of type NONCE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 FLAG
[ENC] generating rule 2 RESERVED_BIT
[ENC] generating rule 3 RESERVED_BIT
[ENC] generating rule 4 RESERVED_BIT
[ENC] generating rule 5 RESERVED_BIT
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 RESERVED_BIT
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC] generating rule 10 CHUNK_DATA
[ENC] generating NONCE_V1 payload finished
[ENC] generating payload of type KEY_EXCHANGE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating KEY_EXCHANGE_V1 payload finished
[ENC] generating payload of type ID_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 U_INT_16
[ENC] generating rule 6 CHUNK_DATA
[ENC] generating ID_V1 payload finished
[ENC] generating payload of type ID_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 U_INT_16
[ENC] generating rule 6 CHUNK_DATA
[ENC] generating ID_V1 payload finished
[ENC] generated content in encrypted payload
[ENC] generating payload of type ENCRYPTED_V1
[ENC] generating rule 0 ENCRYPTED_DATA
[ENC] generating ENCRYPTED_V1 payload finished
[NET] sending packet: from 100.64.206.174[4500] to 116.90.86.181[4500] (332 bytes)
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun0[100]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 116.90.86.181[4500] to 100.64.206.174[4500] (76 bytes)
[ENC] parsing body of message, first payload is HASH_V1
[ENC] parsing ENCRYPTED_V1 payload, 48 bytes left
[ENC] parsing rule 0 ENCRYPTED_DATA
[ENC] parsing ENCRYPTED_V1 payload finished
[ENC] process payload of type ENCRYPTED_V1
[ENC] found an encrypted payload
[ENC] parsing HASH_V1 payload, 48 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 CHUNK_DATA
[ENC] parsing HASH_V1 payload finished
[ENC] parsing NOTIFY_V1 payload, 24 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BIT
[ENC] parsing rule 2 RESERVED_BIT
[ENC] parsing rule 3 RESERVED_BIT
[ENC] parsing rule 4 RESERVED_BIT
[ENC] parsing rule 5 RESERVED_BIT
[ENC] parsing rule 6 RESERVED_BIT
[ENC] parsing rule 7 RESERVED_BIT
[ENC] parsing rule 8 RESERVED_BIT
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] parsing rule 10 U_INT_32
[ENC] parsing rule 11 U_INT_8
[ENC] parsing rule 12 SPI_SIZE
[ENC] parsing rule 13 U_INT_16
[ENC] parsing rule 14 SPI
[ENC] parsing rule 15 CHUNK_DATA
[ENC] parsing NOTIFY_V1 payload finished
[ENC] parsed content of encrypted payload
[ENC] insert decrypted payload of type HASH_V1 at end of list
[ENC] insert decrypted payload of type NOTIFY_V1 at end of list
[ENC] verifying message structure
[ENC] found payload of type NOTIFY_V1
[ENC] found payload of type NOTIFY_V1
[ENC] parsed INFORMATIONAL_V1 request 2815069379 [ HASH N(INVAL_ID) ]
[IKE] received INVALID_ID_INFORMATION error notify
[CHD] CHILD_SA dmvpn{241} state change: CREATED => DESTROYING
[KNL] deleting SAD entry with SPI c7d749ca
[KNL] deleted SAD entry with SPI c7d749ca
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun0[100]
[MGR] checkin of IKE_SA successful
initiate failed: establishing CHILD_SA 'dmvpn' failed
[edit]

bjtangseng added a comment. Edited Jan 23 2019, 1:10 PM

I tried to change local_ts in swanctl.conf, but nothing changed.

vyos@vyos# cat /etc/swanctl/swanctl.conf

# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
        dmvpn-DEVELVPN-tun0 {
                proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
                version = 1
                rekey_time = 3600s
                keyingtries = 0
                local {
                        auth = psk
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                                rekey_time = 1800s
                                rand_time = 540s
                                local_ts = 115.60.59.xxx/32[gre]
                                remote_ts = dynamic[gre]
                                mode = tunnel
                        }
                }
        }
}

@bjtangseng
I think you replaced the wrong IP in the swanctl.conf.

I see:
[CFG] 115.60.59.223/32[gre] (is this the IP of your NAT interface?)
[CFG] proposing traffic selectors for other:
[CFG] 116.90.86.181/32[gre]

Can you also check the hub log to see which IP the IPsec request came from?

The INVALID_ID_INFORMATION error means that the network IP received on the hub is not the IP you request from (115.60.59.223/32).

That IP (115.60.59.223) is the public IP after NAT.

IP 100.64.206.174 is acquired by PPPoE after dial-up to the Internet.

IP 116.90.86.181 is my hub site's static public IP.

UnicronNL added a comment. Edited Jan 23 2019, 2:02 PM

Can you post the log from the hub?
The ipsec log.

This is my Hub site log

[MGR] checkout IKE_SA by config 'dmvpn-DEVELVPN-tun1', me (null), other (null)
[MGR] found existing IKE_SA 261 with a 'dmvpn-DEVELVPN-tun1' config
[IKE] queueing QUICK_MODE task
[IKE] activating new tasks
[IKE] activating QUICK_MODE task
[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
[KNL] got SPI c5245f0c
[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
[LIB] size of DH secret exponent: 1023 bits
[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
[ENC] added payload of type NONCE_V1 to message
[ENC] added payload of type KEY_EXCHANGE_V1 to message
[CFG] proposing traffic selectors for us:
[CFG] 116.90.86.181/32[gre]
[CFG] proposing traffic selectors for other:
[CFG] 115.60.58.68/32[gre]
[ENC] added payload of type ID_V1 to message
[ENC] added payload of type ID_V1 to message
[ENC] order payloads in message
[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
[ENC] added payload of type NONCE_V1 to message
[ENC] added payload of type KEY_EXCHANGE_V1 to message
[ENC] added payload of type ID_V1 to message
[ENC] added payload of type ID_V1 to message
[ENC] generating QUICK_MODE request 2362635397 [ HASH SA No KE ID ID ]
[ENC] insert payload HASH_V1 into encrypted payload
[ENC] insert payload SECURITY_ASSOCIATION_V1 into encrypted payload
[ENC] insert payload NONCE_V1 into encrypted payload
[ENC] insert payload KEY_EXCHANGE_V1 into encrypted payload
[ENC] insert payload ID_V1 into encrypted payload
[ENC] insert payload ID_V1 into encrypted payload
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC] generating rule 1 IKE_SPI
[ENC] generating rule 2 U_INT_8
[ENC] generating rule 3 U_INT_4
[ENC] generating rule 4 U_INT_4
[ENC] generating rule 5 U_INT_8
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 FLAG
[ENC] generating rule 9 FLAG
[ENC] generating rule 10 FLAG
[ENC] generating rule 11 FLAG
[ENC] generating rule 12 FLAG
[ENC] generating rule 13 FLAG
[ENC] generating rule 14 U_INT_32
[ENC] generating rule 15 HEADER_LENGTH
[ENC] generating HEADER payload finished
[ENC] generating payload of type HASH_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating HASH_V1 payload finished
[ENC] generating payload of type SECURITY_ASSOCIATION_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BIT
[ENC] generating rule 2 RESERVED_BIT
[ENC] generating rule 3 RESERVED_BIT
[ENC] generating rule 4 RESERVED_BIT
[ENC] generating rule 5 RESERVED_BIT
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 RESERVED_BIT
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC] generating rule 10 U_INT_32
[ENC] generating rule 11 U_INT_32
[ENC] generating rule 12 (1259)
[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 SPI_SIZE
[ENC] generating rule 6 U_INT_8
[ENC] generating rule 7 SPI
[ENC] generating rule 8 (1261)
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 RESERVED_BYTE
[ENC] generating rule 6 RESERVED_BYTE
[ENC] generating rule 7 (1263)
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 RESERVED_BYTE
[ENC] generating rule 6 RESERVED_BYTE
[ENC] generating rule 7 (1263)
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
[ENC] generating payload of type NONCE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 FLAG
[ENC] generating rule 2 RESERVED_BIT
[ENC] generating rule 3 RESERVED_BIT
[ENC] generating rule 4 RESERVED_BIT
[ENC] generating rule 5 RESERVED_BIT
[ENC] generating rule 6 RESERVED_BIT
[ENC] generating rule 7 RESERVED_BIT
[ENC] generating rule 8 RESERVED_BIT
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC] generating rule 10 CHUNK_DATA
[ENC] generating NONCE_V1 payload finished
[ENC] generating payload of type KEY_EXCHANGE_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 CHUNK_DATA
[ENC] generating KEY_EXCHANGE_V1 payload finished
[ENC] generating payload of type ID_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 U_INT_16
[ENC] generating rule 6 CHUNK_DATA
[ENC] generating ID_V1 payload finished
[ENC] generating payload of type ID_V1
[ENC] generating rule 0 U_INT_8
[ENC] generating rule 1 RESERVED_BYTE
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC] generating rule 3 U_INT_8
[ENC] generating rule 4 U_INT_8
[ENC] generating rule 5 U_INT_16
[ENC] generating rule 6 CHUNK_DATA
[ENC] generating ID_V1 payload finished
[ENC] generated content in encrypted payload
[ENC] generating payload of type ENCRYPTED_V1
[ENC] generating rule 0 ENCRYPTED_DATA
[ENC] generating ENCRYPTED_V1 payload finished
[NET] sending packet: from 116.90.86.181[4500] to 115.60.58.68[9789] (332 bytes)
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun1[261]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 115.60.58.68[9789] to 116.90.86.181[4500] (76 bytes)
[ENC] parsing body of message, first payload is HASH_V1
[ENC] parsing ENCRYPTED_V1 payload, 48 bytes left
[ENC] parsing rule 0 ENCRYPTED_DATA
[ENC] parsing ENCRYPTED_V1 payload finished
[ENC] process payload of type ENCRYPTED_V1
[ENC] found an encrypted payload
[ENC] parsing HASH_V1 payload, 48 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] parsing rule 3 CHUNK_DATA
[ENC] parsing HASH_V1 payload finished
[ENC] parsing NOTIFY_V1 payload, 24 bytes left
[ENC] parsing rule 0 U_INT_8
[ENC] parsing rule 1 RESERVED_BIT
[ENC] parsing rule 2 RESERVED_BIT
[ENC] parsing rule 3 RESERVED_BIT
[ENC] parsing rule 4 RESERVED_BIT
[ENC] parsing rule 5 RESERVED_BIT
[ENC] parsing rule 6 RESERVED_BIT
[ENC] parsing rule 7 RESERVED_BIT
[ENC] parsing rule 8 RESERVED_BIT
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] parsing rule 10 U_INT_32
[ENC] parsing rule 11 U_INT_8
[ENC] parsing rule 12 SPI_SIZE
[ENC] parsing rule 13 U_INT_16
[ENC] parsing rule 14 SPI
[ENC] parsing rule 15 CHUNK_DATA
[ENC] parsing NOTIFY_V1 payload finished
[ENC] parsed content of encrypted payload
[ENC] insert decrypted payload of type HASH_V1 at end of list
[ENC] insert decrypted payload of type NOTIFY_V1 at end of list
[ENC] verifying message structure
[ENC] found payload of type NOTIFY_V1
[ENC] found payload of type NOTIFY_V1
[ENC] parsed INFORMATIONAL_V1 request 2841066598 [ HASH N(INVAL_ID) ]
[IKE] received INVALID_ID_INFORMATION error notify
[CHD] CHILD_SA dmvpn{296} state change: CREATED => DESTROYING
[KNL] deleting SAD entry with SPI c5245f0c
[KNL] deleted SAD entry with SPI c5245f0c
[MGR] checkin IKE_SA dmvpn-DEVELVPN-tun1[261]
[MGR] checkin of IKE_SA successful

@bjtangseng,
Does your NAT address change every time?

The hub received from [CFG] 115.60.58.68/32[gre] and not from 115.60.59.223.
So it seems your NAT IP changed? Does it change often?

Yes, when I redial PPPoE the IP may change.

@bjtangseng, ah, that is the problem. I do not know if there is an option to allow any network; I have to do some research.
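
The comparison made in the comments above, as an added example (not part of the original thread and not VyOS or strongSwan code): it extracts the Quick Mode traffic selectors from both charon logs and checks whether the address the spoke proposes for itself is the one the hub expects. The log excerpts are trimmed from the logs quoted in this thread; the function, class and field names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TS_HEADER = re.compile(r"\[CFG\] proposing traffic selectors for (us|other):")
TS_VALUE = re.compile(r"\[CFG\]\s+(" + IPV4 + r")/\d+\[\w+\]")
NET_SEND = re.compile(r"\[NET\] sending packet: from \S+ to (" + IPV4 + r")\[\d+\]")
INVAL_ID = "received INVALID_ID_INFORMATION error notify"

# Excerpts trimmed from the spoke and hub logs quoted in this thread.
SPOKE_LOG = """\
[CFG] proposing traffic selectors for us:
[CFG] 115.60.59.223/32[gre]
[CFG] proposing traffic selectors for other:
[CFG] 116.90.86.181/32[gre]
[ENC] generating QUICK_MODE request 2108957326 [ HASH SA No KE ID ID ]
[NET] sending packet: from 100.64.206.174[4500] to 116.90.86.181[4500] (332 bytes)
[NET] received packet: from 116.90.86.181[4500] to 100.64.206.174[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2815069379 [ HASH N(INVAL_ID) ]
[IKE] received INVALID_ID_INFORMATION error notify
"""

HUB_LOG = """\
[CFG] proposing traffic selectors for us:
[CFG] 116.90.86.181/32[gre]
[CFG] proposing traffic selectors for other:
[CFG] 115.60.58.68/32[gre]
[ENC] generating QUICK_MODE request 2362635397 [ HASH SA No KE ID ID ]
[NET] sending packet: from 116.90.86.181[4500] to 115.60.58.68[9789] (332 bytes)
[NET] received packet: from 115.60.58.68[9789] to 116.90.86.181[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2841066598 [ HASH N(INVAL_ID) ]
[IKE] received INVALID_ID_INFORMATION error notify
"""


@dataclass
class QuickModeAttempt:
    us: Optional[str] = None        # selector proposed for the local side
    other: Optional[str] = None     # selector proposed for the peer
    sent_to: Optional[str] = None   # address the request was actually sent to
    rejected: bool = False          # peer answered with INVALID_ID_INFORMATION


def parse_attempts(log_text: str) -> List[QuickModeAttempt]:
    """Group charon log lines into Quick Mode attempts."""
    attempts: List[QuickModeAttempt] = []
    current: Optional[QuickModeAttempt] = None
    pending_side: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = TS_HEADER.search(line)
        if header:
            # "for us:" opens a new attempt; "for other:" continues it.
            if header.group(1) == "us":
                current = QuickModeAttempt()
                attempts.append(current)
            pending_side = header.group(1)
            continue
        if current is None:
            continue
        value = TS_VALUE.search(line)
        if value and pending_side:
            setattr(current, pending_side, value.group(1))
            pending_side = None
            continue
        sent = NET_SEND.search(line)
        if sent and current.sent_to is None:
            current.sent_to = sent.group(1)
        elif INVAL_ID in line:
            current.rejected = True
            current = None
    return attempts


def diagnose(spoke_log: str, hub_log: str) -> Optional[dict]:
    """Compare the last rejected attempt seen on each side."""
    spoke = [a for a in parse_attempts(spoke_log) if a.rejected]
    hub = [a for a in parse_attempts(hub_log) if a.rejected]
    if not spoke or not hub:
        return None  # no INVALID_ID_INFORMATION on one of the sides
    s, h = spoke[-1], hub[-1]
    return {
        "spoke_claims": s.us,
        "hub_expects": h.other,
        "hub_sends_to": h.sent_to,
        "selector_mismatch": s.us != h.other,
        "hub_selector_follows_observed_source": h.other == h.sent_to,
    }


if __name__ == "__main__":
    for key, val in (diagnose(SPOKE_LOG, HUB_LOG) or {}).items():
        print(f"{key}: {val}")
```
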

bjtangseng added a comment. Edited Jan 23 2019, 2:48 PM

On the spoke site:

vyos@vyos# run show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
  uptime: 2 days, since Jan 21 13:31:56 2019
  malloc: sbrk 2953216, mmap 0, used 869728, free 2083488
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 43
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.64.206.174
Connections:
dmvpn-DEVELVPN-tun0:  %any...%any  IKEv1
dmvpn-DEVELVPN-tun0:   local:  [100.64.206.174] uses pre-shared key authentication
dmvpn-DEVELVPN-tun0:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
dmvpn-DEVELVPN-tun0[198]: ESTABLISHED 2 minutes ago, **100.64.206.174[100.64.206.174]...116.90.86.181[116.90.86.181]**
dmvpn-DEVELVPN-tun0[198]: IKEv1 SPIs: d29d454d1e81def4_i* c2c4819915040e60_r, rekeying in 56 minutes
dmvpn-DEVELVPN-tun0[198]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[edit]

In hub site

vyos@vyos# run show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
  uptime: 3 days, since Jan 20 16:56:50 2019
  malloc: sbrk 2973696, mmap 0, used 845328, free 2128368
  worker threads: 10 of 16 idle, 5/0/1/0 working, job queue: 0/0/0/0, scheduled: 44
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  116.90.86.181
Connections:
dmvpn-DEVELVPN-tun1:  %any...%any  IKEv1
dmvpn-DEVELVPN-tun1:   local:  [116.90.86.181] uses pre-shared key authentication
dmvpn-DEVELVPN-tun1:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 2 connecting):
dmvpn-DEVELVPN-tun1[275]: ESTABLISHED 2 minutes ago, **116.90.86.181[116.90.86.181]...115.60.58.68[100.64.206.174]**
dmvpn-DEVELVPN-tun1[275]: IKEv1 SPIs: d29d454d1e81def4_i c2c4819915040e60_r*, rekeying in 57 minutes
dmvpn-DEVELVPN-tun1[275]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

[edit]

You can see some differences.

You can see that the Remote ID used between the two sites does not match, in the last three lines.

Can you do:
sudo swanctl --list-sas

In spoke site

vyos@vyos# sudo swanctl --list-sas
dmvpn-DEVELVPN-tun0: #203, ESTABLISHED, IKEv1, 8da928b00def36ef_i* 6d59f89b19d6e3d0_r

local  '100.64.206.174' @ 100.64.206.174[4500]
remote '116.90.86.181' @ 116.90.86.181[4500]
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 63s ago, rekeying in 3527s

[edit]

In HUB site

dmvpn-DEVELVPN-tun1: #279, ESTABLISHED, IKEv1, 421a0a66fdd7baed_i 4206a30344568dc4_r*

local  '116.90.86.181' @ 116.90.86.181[4500]
remote '100.64.206.174' @ 115.60.58.68[9789]
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 152s ago, rekeying in 3312s

@bjtangseng
On the HUB, can you change in /etc/swanctl/swanctl.conf
remote_ts = dynamic[gre] to remote_ts = 0.0.0.0/0[gre]

then run sudo swanctl -q on the HUB
and try to connect again from the spoke.

Congratulations, VPN is connected

In Hub site

vyos@vyos# sudo swanctl --list-sas
dmvpn-DEVELVPN-tun1: #284, ESTABLISHED, IKEv1, e9c65edb2875d65a_i b2ab3d7211a0b9a1_r*
  local  '116.90.86.181' @ 116.90.86.181[4500]
  remote '100.64.206.174' @ 115.60.58.68[9789]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 333s ago, rekeying in 3144s
  dmvpn: #297, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 333s ago, rekeying in 1139s, expires in 1647s
    in  c76bad2b,   1940 bytes,    17 packets,    11s ago
    out c8c08ae2,   1899 bytes,    17 packets,    11s ago
    local  116.90.86.181/32[gre]
    remote 100.64.206.174/32[gre]

In spoke site

vyos@vyos# sudo swanctl --list-sas
dmvpn-DEVELVPN-tun0: #207, ESTABLISHED, IKEv1, e9c65edb2875d65a_i* b2ab3d7211a0b9a1_r
  local  '100.64.206.174' @ 100.64.206.174[4500]
  remote '116.90.86.181' @ 116.90.86.181[4500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 374s ago, rekeying in 2898s
  dmvpn: #350, reqid 4, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 374s ago, rekeying in 918s, expires in 1606s
    in  c8c08ae2,   1899 bytes,    17 packets,    52s ago
    out c76bad2b,   1940 bytes,    17 packets,    52s ago
    local  100.64.206.174/32[gre]
    remote 116.90.86.181/32[gre]
[edit]

And one more bug: when I change the Hub swanctl.conf file and run show IPSec sa and run show IPSec sa v, I can see different information.

vyos@vyos# run show vpn ipsec sa 
Connection           State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
-------------------  -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DEVELVPN-tun1  down     N/A   N/A             N/A               N/A          N/A
[edit]
vyos@vyos# run show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
  uptime: 3 days, since Jan 20 16:56:50 2019
  malloc: sbrk 2973696, mmap 0, used 853664, free 2120032
  worker threads: 10 of 16 idle, 5/0/1/0 working, job queue: 0/0/0/0, scheduled: 53
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  116.90.86.181
Connections:
dmvpn-DEVELVPN-tun1:  %any...%any  IKEv1
dmvpn-DEVELVPN-tun1:   local:  [116.90.86.181] uses pre-shared key authentication
dmvpn-DEVELVPN-tun1:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === 0.0.0.0/0[gre] TUNNEL
Security Associations (1 up, 2 connecting):
dmvpn-DEVELVPN-tun1[284]: ESTABLISHED 10 minutes ago, 116.90.86.181[116.90.86.181]...115.60.58.68[100.64.206.174]
dmvpn-DEVELVPN-tun1[284]: IKEv1 SPIs: e9c65edb2875d65a_i b2ab3d7211a0b9a1_r*, rekeying in 46 minutes
dmvpn-DEVELVPN-tun1[284]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       dmvpn{297}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c76bad2b_i c8c08ae2_o
       dmvpn{297}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 1940 bytes_i (17 pkts, 336s ago), 1899 bytes_o (17 pkts, 336s ago), rekeying in 13 minutes
       dmvpn{297}:   116.90.86.181/32[gre] === 100.64.206.174/32[gre]

[edit]

@bjtangseng so changing that remote_ts = 0.0.0.0/0[gre] fixed it, right?

That bug is because there is a grep in "CONNECTING"; when it finds that, it displays as down.
It does not account for child connections yet.

bjtangseng added a comment. Edited Jan 23 2019, 5:01 PM

Yes, when I changed the Hub site remote_ts from dynamic to 0.0.0.0/0, the VPN worked.

syncer closed this task as Resolved. Jan 27 2019, 12:27 AM
syncer mentioned this in T1207: DMVPN behind NAT.
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-GA) board.
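
The mismatch this thread converged on, as an added example that is not part of the original task and is not strongSwan or VyOS code: it parses the hub's `swanctl --list-sas` remote line to spot a NATed spoke, then checks the spoke's proposed selector against the hub's `remote_ts`. It assumes a simplified rule (`dynamic` resolves to the address the peer is seen from, and a proposal must fall inside the configured selector); the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the hub's `swanctl --list-sas` lines quoted in the thread.
HUB_SAS = """\
dmvpn-DEVELVPN-tun1: #279, ESTABLISHED, IKEv1, 421a0a66fdd7baed_i 4206a30344568dc4_r*
  local  '116.90.86.181' @ 116.90.86.181[4500]
  remote '100.64.206.174' @ 115.60.58.68[9789]
"""

REMOTE_RE = re.compile(r"^\s*remote\s+'([^']+)'\s+@\s+([0-9A-Fa-f.:]+)\[(\d+)\]", re.M)


def parse_remote(sas_text):
    """Return (ike_identity, observed_address) from the first 'remote' line."""
    m = REMOTE_RE.search(sas_text)
    if m is None:
        raise ValueError("no remote line found")
    return m.group(1), m.group(2)


def peer_is_natted(sas_text):
    """True when an IP-address identity differs from the address packets arrive from."""
    ident, observed = parse_remote(sas_text)
    try:
        return ipaddress.ip_address(ident) != ipaddress.ip_address(observed)
    except ValueError:
        return False  # identity is not an IP address (FQDN etc.): cannot tell


def resolve_ts(ts, endpoint):
    """Split 'subnet[proto]'; 'dynamic' becomes the endpoint's host address."""
    subnet, _, proto = ts.partition("[")
    net = ipaddress.ip_network(endpoint if subnet == "dynamic" else subnet)
    return net, proto.rstrip("]")


def hub_accepts(remote_ts, proposed_ts, observed):
    """Assumed rule: the proposed selector must fall inside the configured one."""
    conf_net, conf_proto = resolve_ts(remote_ts, observed)
    prop_net, prop_proto = resolve_ts(proposed_ts, observed)
    return (conf_proto == prop_proto and conf_net.version == prop_net.version
            and prop_net.subnet_of(conf_net))
```

In this model `0.0.0.0/0[gre]` admits any GRE selector an authenticated peer proposes, which is why the spoke's private `100.64.206.174/32[gre]` is accepted once the hub is changed.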