IKEv2 connection with Android 13

Post by tbc233 »

Hello,
Over the past few years I never had any problems establishing a VPN connection to the Lancom with Android devices. But now, with a brand-new Android 13, I am stuck.

I essentially followed https://support.lancom-systems.com/know ... d=32983593, except that on the first attempt the Lancom trace immediately showed that the Android apparently demands DH 16, so I ticked that.

The trace during connection setup looks like this:

Code:

[VPN-Status] 2022/12/19 14:15:46,936
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 1072 bytes
Gateways: <LANCOM-PUBLIC-IP>:500<--<ANDROID-PUBLIC-IP>:47153
SPIs: 0xC12DF1EB4B6315DE0000000000000000, Message-ID 0
Peer identified: DEFAULT
IKE_SA ('', '' IPSEC_IKE SPIs 0xC12DF1EB4B6315DE7005462851E7D51C) entered to SADB
Received 4 notifications:
  +NAT_DETECTION_SOURCE_IP(0x70AD0FA46606D211CC6B2D33B73E1951DFF25893) (STATUS)
  +NAT_DETECTION_DESTINATION_IP(0xB39628CF99451D7C970322EAADF9CED62712DCD6) (STATUS)
  +IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
  +SIGNATURE_HASH_ALGORITHMS(0x0001000200030004) (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
  IKE-Proposal-1  (21 transforms)
    ENCR : AES-128-CTR AES-CBC-256 AES-128-CTR AES-CBC-192 AES-128-CTR AES-CBC-128
    PRF  : PRF-HMAC-SHA1 PRF-AES128-XCBC PRF-HMAC-SHA-256 PRF-HMAC-SHA-384 PRF-HMAC-SHA-512 PRF-AES128-CMAC
    INTEG: HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 AES-XCBC-96 AES-CMAC-96
    DH   : 16 31 15 14
  IKE-Proposal-2  (20 transforms)
    ENCR : ENCR-CHACHA20-POLY1305 AES-GCM-16-256 AES-GCM-12 AES-GCM-8 AES-GCM-16-192 AES-GCM-12 AES-GCM-8 AES-GCM-16-128 AES-GCM-12 AES-GCM-8
    PRF  : PRF-HMAC-SHA1 PRF-AES128-XCBC PRF-HMAC-SHA-256 PRF-HMAC-SHA-384 PRF-HMAC-SHA-512 PRF-AES128-CMAC
    DH   : 16 31 15 14
+Received KE-DH-Group 16 (4096 bits)

[VPN-Status] 2022/12/19 14:15:47,622
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
  IKE-Proposal-1  (4 transforms)
    ENCR : AES-CBC-256
    PRF  : PRF-HMAC-SHA-512
    INTEG: HMAC-SHA-512
    DH   : 16
+KE-DH-Group 16 (4096 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0xC12DF1EB4B6315DE, responder cookie: 0x7005462851E7D51C
NAT-T enabled. We are not behind a nat, the remote side is  behind a nat
SA ISAKMP for peer DEFAULT
 Encryption                    : AES-CBC-256
 Integrity                     : AUTH-HMAC-SHA-512
 IKE-DH-Group                  : 16
 PRF                           : PRF-HMAC-SHA-512
life time soft 12/20/2022 17:15:47 (in 97200 sec) / 0 kb
life time hard 12/20/2022 20:15:47 (in 108000 sec) / 0 kb
DPD: NONE
Negotiated: IKEV2_FRAGMENTATION

Sending an IKE_SA_INIT-RESPONSE of 745 bytes (responder)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:4500, tag 0 (UDP)
SPIs: 0xC12DF1EB4B6315DE7005462851E7D51C, Message-ID 0

[VPN-Status] 2022/12/19 14:15:47,623
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:4500
SPIs: 0xC12DF1EB4B6315DE7005462851E7D51C, Message-ID 1
CHILD_SA ('', '' ) entered to SADB
Updating remote port to 55521
Received 1 notification:
  +MOBIKE_SUPPORTED (STATUS)
  find: No remote IDs found for peer DEFAULT

[VPN-Status] 2022/12/19 14:15:47,624
Peer DEFAULT: Constructing an IKE_AUTH-RESPONSE for send
NOTIFY(AUTHENTICATION_FAILED)
IKE_SA ('DEFAULT', 'ISAKMP-PEER-DEFAULT' IPSEC_IKE SPIs 0xC12DF1EB4B6315DE7005462851E7D51C) removed from SADB
Sending an IKE_AUTH-RESPONSE of 96 bytes (responder encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:55521, tag 0 (UDP)
SPIs: 0xC12DF1EB4B6315DE7005462851E7D51C, Message-ID 1

[VPN-Status] 2022/12/19 14:15:47,624
IKE log: 141547.624805 Default IKE-DISCONNECT-RESPONSE: could not be sent for peer DEFAULT on message free (empty handle)


[VPN-Status] 2022/12/19 14:15:47,624
CHILD_SA ('', '' ) removed from SADB
CHILD_SA ('', '' ) freed
IKE_SA ('DEFAULT', 'ISAKMP-PEER-DEFAULT' IPSEC_IKE SPIs 0xC12DF1EB4B6315DE7005462851E7D51C) freed

[VPN-Status] 2022/12/19 14:15:47,742
Peer <UNKNOWN>: Received an INFORMATIONAL-REQUEST of 96 bytes
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:55521
SPIs: 0xC12DF1EB4B6315DE7005462851E7D51C, Message-ID 2
-Could not find an IKE_SA for SPIs 0xC12DF1EB4B6315DE7005462851E7D51C
-NOTIFY(INVALID_IKE_SPI)
-Could not index message correctly. payload_num=46, error code=4
-No ENCR/INTEG algorithm(s) found in IKE_SA (No IKE_SA)

Peer <UNKNOWN>: Constructing an INFORMATIONAL-RESPONSE for send
Sending an INFORMATIONAL-RESPONSE of 36 bytes
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:55521, tag 0 (UDP)
SPIs: 0xC12DF1EB4B6315DE7005462851E7D51C, Message-ID 2

Of course I notice the NOTIFY(AUTHENTICATION_FAILED) in there, but the ID and the PSK are correct; I have checked that dozens of times.
The target device is a 1900EF with 10.50.0145

Does anyone perhaps have an idea what else I could try?
Kind regards,
michael
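
A small triage script for traces in the [VPN-Status] layout shown in the post above, added here as an example (it is not part of the original post and not LANCOM code): it groups trace blocks by initiator SPI and, for the first error notify of each IKE SA, lists the negatively worded lines logged since the request that triggered it. The sample trace, its SPIs and addresses are constructed, and the keyword heuristic is an assumption of this example.

```python
import re

# Constructed sample in the layout of the [VPN-Status] trace in the post above.
# SPIs are made up; addresses come from the RFC 5737 documentation ranges.
SAMPLE_TRACE = """\
[VPN-Status] 2022/12/19 14:15:46,936
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 1072 bytes
Gateways: 192.0.2.1:500<--198.51.100.7:47153
SPIs: 0xA1A2A3A4A5A6A7A80000000000000000, Message-ID 0
Peer (initiator) is behind a NAT
+Received KE-DH-Group 16 (4096 bits)

[VPN-Status] 2022/12/19 14:15:47,622
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Sending an IKE_SA_INIT-RESPONSE of 745 bytes (responder)
SPIs: 0xA1A2A3A4A5A6A7A8B1B2B3B4B5B6B7B8, Message-ID 0

[VPN-Status] 2022/12/19 14:15:47,623
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
SPIs: 0xA1A2A3A4A5A6A7A8B1B2B3B4B5B6B7B8, Message-ID 1
Received 1 notification:
  +MOBIKE_SUPPORTED (STATUS)
  find: No remote IDs found for peer DEFAULT

[VPN-Status] 2022/12/19 14:15:47,624
Peer DEFAULT: Constructing an IKE_AUTH-RESPONSE for send
NOTIFY(AUTHENTICATION_FAILED)
Sending an IKE_AUTH-RESPONSE of 96 bytes (responder encrypted)
SPIs: 0xA1A2A3A4A5A6A7A8B1B2B3B4B5B6B7B8, Message-ID 1

[VPN-Status] 2022/12/19 14:15:47,742
Peer <UNKNOWN>: Received an INFORMATIONAL-REQUEST of 96 bytes
SPIs: 0xA1A2A3A4A5A6A7A8B1B2B3B4B5B6B7B8, Message-ID 2
-Could not find an IKE_SA for SPIs 0xA1A2A3A4A5A6A7A8B1B2B3B4B5B6B7B8
-NOTIFY(INVALID_IKE_SPI)
"""

HEADER = re.compile(r"^\[(VPN-[A-Za-z]+)\] (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\d{3})$")
SPIS = re.compile(r"SPIs:? 0x([0-9A-F]{16})([0-9A-F]{16})")
EXCHANGE = re.compile(r"\b(Received|Sending) an ([A-Z_]+-(?:REQUEST|RESPONSE))")
DH_GROUP = re.compile(r"KE-DH-Group (\d+)")
PEER_NAT = re.compile(r"Peer \(initiator\) is behind a NAT")
# Subset of the IKEv2 error notify types defined in RFC 7296, section 3.10.1.
ERROR_NOTIFY = re.compile(
    r"NOTIFY\((AUTHENTICATION_FAILED|NO_PROPOSAL_CHOSEN|INVALID_KE_PAYLOAD|"
    r"INVALID_SYNTAX|INVALID_IKE_SPI|TS_UNACCEPTABLE)\)")
# Heuristic (assumption): negative wording on a line that is not a '+' status line.
NEGATIVE = re.compile(r"\b(no|not|failed)\b", re.IGNORECASE)


def split_blocks(trace):
    """Split the trace at '[VPN-...] <timestamp>' headers; blank lines are dropped."""
    blocks = []
    for raw in trace.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            blocks.append({"time": header.group(2), "lines": []})
        elif blocks and line:
            blocks[-1]["lines"].append(line)
    return blocks


def triage(trace):
    """Return {initiator_spi: summary} for every IKE SA that appears in the trace."""
    sas = {}
    for block in split_blocks(trace):
        spis = SPIS.search("\n".join(block["lines"]))
        if not spis:
            continue  # blocks without SPIs (e.g. 'IKE log:') cannot be attributed
        sa = sas.setdefault(spis.group(1), {
            "exchanges": [], "dh_group": None, "peer_behind_nat": False,
            "error": None, "error_time": None, "hints": [], "_pending": []})
        for line in block["lines"]:
            exchange = EXCHANGE.search(line)
            if exchange:
                arrow = "<-" if exchange.group(1) == "Received" else "->"
                sa["exchanges"].append(f"{arrow} {exchange.group(2)}")
                # Hints are scoped to the request that is currently being answered.
                if arrow == "<-" and line.find("-REQUEST") >= 0 and sa["error"] is None:
                    sa["_pending"] = []
                continue
            group = DH_GROUP.search(line)
            if group:
                sa["dh_group"] = int(group.group(1))
            if PEER_NAT.search(line):
                sa["peer_behind_nat"] = True
            error = ERROR_NOTIFY.search(line)
            if error:
                if sa["error"] is None:  # keep the first error; later ones are follow-ups
                    sa["error"] = error.group(1)
                    sa["error_time"] = block["time"]
                    sa["hints"] = list(sa["_pending"])
                continue
            if sa["error"] is None and not line.startswith("+") and NEGATIVE.search(line):
                sa["_pending"].append(line)
    for sa in sas.values():
        del sa["_pending"]
    return sas


if __name__ == "__main__":
    for spi, sa in triage(SAMPLE_TRACE).items():
        print(spi, sa["exchanges"], "DH", sa["dh_group"], "NAT", sa["peer_behind_nat"])
        print("  first error:", sa["error"], "at", sa["error_time"])
        for hint in sa["hints"]:
            print("  logged before it:", hint)
```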

Post by Dr.Einstein »

Hi,

please also add

Code:

trace # vpn-ike vpn-debug

to it.

Regards, Dr.Einstein

Post by tbc233 »

Thank you very much for your reply.

Code:

> trace # vpn-ike vpn-debug
VPN-IKE                    ON
VPN-Debug                  ON

root@1900EF:/
>
[VPN-IKE] 2022/12/19 15:48:31,750
[DEFAULT] Received packet:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:13188
Destination/Port    : <LANCOM-PUBLIC-IP>:500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 00 00 00 00 00 00 00 00
| Next Payload      : SA
| Version           : 2.0
| Exchange type     : IKE_SA_INIT
| Flags             : 0x08   Initiator
| Msg-ID            : 0
| Length            : 1072 Bytes
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 408 Bytes
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 200 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 21
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-384 (13)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-XCBC-96 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CMAC-96 (8)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 4096-BIT MODP (16)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : CURVE25519 (31)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 3072-BIT MODP (15)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-XCBC (4)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-384 (6)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-512 (7)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-CMAC (8)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 204 Bytes
| | Proposal number : 2
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 20
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : ENCR-CHACHA20-POLY1305 (28)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 4096-BIT MODP (16)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : CURVE25519 (31)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 3072-BIT MODP (15)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-XCBC (4)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-384 (6)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-512 (7)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-CMAC (8)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 520 Bytes
| DH Group          : 16
| Reserved2         : 0x0000
| DH-Key(4096 bits) : 26 5E 93 5C 17 E8 AE 29 20 DE 72 D4 46 DA 8E 5E
|                     93 2C 8D 93 E5 41 EE 09 89 EE 80 21 C5 F2 81 78
|                     0E F7 AB 1A 5D 26 99 2A B7 F3 AD BF DB 75 A7 5A
|                     E6 62 BF 40 3B 40 BC E6 97 FD 82 BF 35 DA 80 FA
|                     D8 CE 01 5A C9 12 FA 9B 54 DA 44 5E 32 BA 1B 9D
|                     90 B2 46 04 1F 9A 84 8A 11 C6 EF 4E 0B 20 08 D3
|                     BD 4B 2A CF D1 C4 B6 59 51 CE EB 3F 59 90 A5 06
|                     2C AF 34 F4 12 7A 63 72 9A 7F 87 C3 F8 9C EF 1A
|                     14 1E E7 12 0C 29 8F EE 83 E3 C5 F1 52 AE 1B 4C
|                     13 BC 0C F7 EE D9 7B CF 03 1C 0F B8 B5 C6 4B 90
|                     DC EC 46 3A 96 A3 17 D1 9F 5B 5B C1 8D 90 93 C6
|                     33 80 04 2C E4 39 B8 BA 70 A5 58 AB E6 FA D0 DF
|                     DA 71 B6 F6 F6 B9 4C CF 35 88 6E 24 83 CA 10 16
|                     3D CB AF 69 A5 50 9A 1C 65 10 71 B3 89 9E B7 F4
|                     AD DB 63 E2 1F 26 9E AE 8D 85 90 DC 0D 0A 40 CB
|                     43 3C F8 96 E3 8F 4C F3 3D 99 FE 93 D0 86 66 23
|                     BA 2B E7 C7 CB 61 F1 78 4A E4 1E FB 95 16 70 C2
|                     BB 7A 9F 1D FA B2 BC F6 31 40 20 00 14 19 E1 4E
|                     7E B0 0E 3A E3 61 C9 AD 93 BE FF 4F 9C 8E 4D 1B
|                     F8 C5 4A 9C 7E 0D AD 71 81 EF 31 9D C4 9D 09 3D
|                     F9 05 8E 33 E2 5A AC BF C5 12 C4 C7 57 F2 B0 86
|                     B1 3D 4C 07 99 56 3D F2 FC F8 23 9C 0F EF 42 CF
|                     FC 6B 0B AE 42 91 5A 2D E0 38 10 1A 5B 62 B6 77
|                     21 29 92 1C 36 E9 6C DD 03 CF 0D F9 53 5B 3B 2D
|                     5A 50 C3 EC EE 35 11 0E CA 13 B2 59 84 ED B8 61
|                     54 40 1F 5D 1F 97 80 39 95 18 FC F7 0F 6A 0C F2
|                     50 62 24 7B 41 96 26 2A F2 D9 3F FC 88 E3 94 50
|                     85 54 BA C4 08 D6 5D DC 43 7C 94 D5 0E 94 D3 DF
|                     11 23 F2 CA FF D0 26 DD D6 07 DF D1 49 6D B7 87
|                     18 01 3B FE 21 90 AD F3 00 04 EA 5B 84 BF 2E 6A
|                     B7 95 78 A9 65 0D 85 9F 19 DE 0B 76 D1 6D 6C 00
|                     FE D6 81 07 27 3A FB 5F FC BE 00 D9 2C F6 87 2C
NONCE Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : 22 C4 18 63 A0 72 93 55 60 31 E9 B2 71 E2 3A A9
|                     C5 51 85 3D DD DB 13 E4 77 52 4A 2B 6A 3B 49 94
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_SOURCE_IP
| Notif. data       : B2 3B B9 30 00 74 C3 49 E9 90 66 CB AE 60 15 A8
|                     0D 55 5A 32
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_DESTINATION_IP
| Notif. data       : 1F 0F 00 5A CB C1 EA 46 45 D7 38 8C E6 E0 99 C8
|                     90 86 C9 31
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : IKEV2_FRAGMENTATION_SUPPORTED
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 16 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : SIGNATURE_HASH_ALGORITHMS
| Sign. Hash Algs.  : SHA1, SHA-256, SHA-384, SHA-512

[VPN-Debug] 2022/12/19 15:48:31,757
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 1072 bytes
Gateways: <LANCOM-PUBLIC-IP>:500<--<ANDROID-PUBLIC-IP>:13188
SPIs: 0x9344670CD7CE33810000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(SIGNATURE_HASH_ALGORITHMS)
QUB-DATA: <LANCOM-PUBLIC-IP>:500<---<ANDROID-PUBLIC-IP>:13188 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14185591, UDP (17) {incoming unicast, fixed source address}, dst: <ANDROID-PUBLIC-IP>, tag 0 (U), src: <LANCOM-PUBLIC-IP>, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: e4:8d:8c:0f:db:82, port 0], local port: 500, remote port: 13188
+No IKE_SA found
Counting consumed licenses by active channels...
     1: (ANDERER-VPN-ZUGANG       , 78.132.30.196  , ikev1) -> 1
  Consumed connected licenses   : 1
  Negotiating connections       : 0
  IKE negotiations              : 0
  MPPE connections              : 0
  Licenses in use               : 1 < 25
  +Passive connection request accepted (32 micro seconds)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x9344670CD7CE33814B89EFB8A6F4866100000000, P1, RESPONDER): Setting Negotiation SA
  Referencing (IKE_SA, 0x9344670CD7CE33814B89EFB8A6F4866100000000, responder): use_count 3
Looking for payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41)...Found 1 payload.
  +Received signature hash algorithms: SHA1, SHA-256, SHA-384, SHA-512
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
  +Computing SHA1(0x9344670CD7CE33810000000000000000|<ANDROID-PUBLIC-IP>:13188)
  +Computing SHA1(0x9344670CD7CE33810000000000000000D58E60C53384)
  +Computed: 0x20C426CB1AE778B66C790E5815D740317BA0E79E
  +Received: 0xB23BB9300074C349E99066CBAE6015A80D555A32
  +Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
  +Computing SHA1(0x9344670CD7CE33810000000000000000|<LANCOM-PUBLIC-IP>:500)
  +Computing SHA1(0x9344670CD7CE338100000000000000003E44DDC201F4)
  +Computed: 0x1F0F005ACBC1EA4645D7388CE6E099C89086C931
  +Received: 0x1F0F005ACBC1EA4645D7388CE6E099C89086C931
  +Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-256 AES-GCM-16-128 ENCR-CHACHA20-POLY1305 AES-CBC-256 AES-CBC-128
  +Received ENCR  transform(s): AES-128-CTR AES-CBC-256 AES-128-CTR AES-CBC-192 AES-128-CTR AES-CBC-128
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-384 PRF-HMAC-SHA-256 PRF-HMAC-SHA1 PRF-HMAC-MD5
  +Received PRF   transform(s): PRF-HMAC-SHA1 PRF-AES128-XCBC PRF-HMAC-SHA-256 PRF-HMAC-SHA-384 PRF-HMAC-SHA-512 PRF-AES128-CMAC
  +Best intersection: PRF-HMAC-SHA-512
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1 HMAC-MD5
  +Received INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 AES-XCBC-96 AES-CMAC-96
  +Best intersection: HMAC-SHA-512
  +Config   DH    transform(s): 16 15 14 2
  +Received DH    transform(s): 16 31 15 14
  +Best intersection: 16
Looking for payload NONCE (40)...Found 1 payload.
  +Nonce length=32 bytes
  +Nonce=0x22C41863A07293556031E9B271E23AA9C551853DDDDB13E477524A2B6A3B4994
  +SA-DATA-Ni=0x22C41863A07293556031E9B271E23AA9C551853DDDDB13E477524A2B6A3B4994

[VPN-IKE] 2022/12/19 15:48:32,101
[DEFAULT] Sending packet:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:500
Destination/Port    : <ANDROID-PUBLIC-IP>:13188
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : SA
| Version           : 2.0
| Exchange type     : IKE_SA_INIT
| Flags             : 0x20 Response
| Msg-ID            : 0
| Length            : 745 Bytes
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 48 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-512 (7)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 4096-BIT MODP (16)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 520 Bytes
| DH Group          : 16
| Reserved2         : 0x0000
| DH-Key(4096 bits) : 00 F7 D4 87 10 0A D5 C5 E6 D4 D5 26 9A 80 10 2C
|                     82 93 B4 E8 65 B1 FB 3D 17 01 C3 4E 72 28 68 11
|                     B0 CC 0F 5F E1 37 A0 4E 19 84 47 F2 52 60 DB 95
|                     F9 45 6D E2 B8 CD 1C ED 93 56 DF B7 D9 B8 B5 C5
|                     F7 8B AE 2E 56 81 F0 E3 DB EC 03 21 31 A9 9F 00
|                     46 D9 53 7A 20 16 C8 AA F4 76 DA B7 6A FA 09 22
|                     9D E5 27 43 4D 08 27 F8 B7 58 9F 50 4F 66 05 61
|                     BC 8A C6 56 BF 19 43 56 1A 14 3B EA 23 69 55 D6
|                     76 5F 21 17 69 22 79 4D A0 6A 8B AE CF F6 0E 2B
|                     BB 50 F1 B2 36 BC 77 E2 49 62 2C 03 38 2B 1F 98
|                     C3 3F 67 27 AD F8 47 7E E9 0E B1 98 E1 99 D0 AF
|                     CC 98 26 73 C3 AB 22 C4 8E 7A D5 15 CC 96 15 C6
|                     8A 53 40 BD EB FE D8 05 04 A2 E3 6B E7 95 09 21
|                     E9 9A 61 6B 9F F5 7B 06 0F FF A6 DC 62 A5 2C 09
|                     F2 37 1B BC B6 F4 8D 92 BB B1 56 58 B1 AF 8D 85
|                     B4 5D 86 21 49 90 8A E2 B1 B7 98 E9 64 1B 56 1F
|                     80 6A AE C4 D0 A9 30 12 DE 8F F9 E0 A3 23 6C FD
|                     DE 45 05 B8 9D D3 BC B1 75 3C 55 63 B7 3D 1D 8A
|                     4F 45 59 A9 32 78 16 71 1D 8D 8B 0E 24 A7 A8 8A
|                     DB 02 A1 F9 33 47 FA 26 72 0D 7B CA 0F 32 78 CA
|                     76 D1 AA A5 4C 23 D9 37 D8 55 0E F1 81 9A E5 77
|                     B0 15 EF 9E 59 27 64 73 C5 86 A1 D2 99 C2 B6 55
|                     93 94 2C 8A 23 16 62 69 47 55 70 62 12 CA 3E 5C
|                     53 B7 07 95 3D A3 6A D9 41 5C 48 4E 73 6D 4E B6
|                     7D CB A9 28 5E 9D 00 92 B8 BD B4 47 66 F4 67 46
|                     F5 34 1A D0 03 BD D6 D6 6A 19 FD 4C D3 C3 99 C6
|                     53 80 F6 67 D7 22 AB 1E 7C BB E6 4A A8 DF 67 47
|                     ED D6 5C 47 1F 28 67 C4 CC 6B 4B 79 EC 12 E0 E1
|                     40 09 28 59 5D 6D D2 84 2B B9 BF 47 D4 6D 18 FF
|                     11 85 D3 4F E7 2A BE 1C 0E 40 3C 5E 90 D5 28 EA
|                     48 2C 03 06 96 48 BC 0A 37 00 C6 7A 52 59 6D 3B
|                     53 FA B2 B7 BB BD 85 FC FB 24 B2 6A 43 1A 2D 85
NONCE Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : 82 6D 81 B1 BE C0 B4 1F 5A 4F 9D 34 A2 D5 76 A3
|                     6C 2C 77 63 60 FE DD 80 AF 09 B3 48 3D 0A 77 7A
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_SOURCE_IP
| Notif. data       : 00 17 43 1F E4 CE 4C D4 A5 7E D5 2A 91 96 86 81
|                     B9 CF 58 0A
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_DESTINATION_IP
| Notif. data       : 77 71 69 3A 34 BC A9 79 62 B7 C5 03 28 E6 70 31
|                     1F 59 63 36
NOTIFY Payload
| Next Payload      : CERTREQ
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : IKEV2_FRAGMENTATION_SUPPORTED
CERTREQ Payload
| Next Payload      : VENDOR
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 25 Bytes
| Cert. Type        : X509_SIG
| Cert. Autherity   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00
VENDOR Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Vendor ID         : 81 75 2E B5 91 4D 73 5C DF CD C8 58 C3 A8 ED 7C
|                     1C 66 D1 42

[VPN-Debug] 2022/12/19 15:48:32,445
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload KE (34):
  +Could not pop a DH-Group from DH-Group-Container => Generate a key-pair now
  +DH key-pair successfully generated in 341965 micro seconds
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x826D81B1BEC0B41F5A4F9D34A2D576A36C2C776360FEDD80AF09B3483D0A777A
  +SA-DATA-Nr=0x826D81B1BEC0B41F5A4F9D34A2D576A36C2C776360FEDD80AF09B3483D0A777A
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
  +Computing SHA1(0x9344670CD7CE33814B89EFB8A6F48661|<LANCOM-PUBLIC-IP>:500)
  +Computing SHA1(0x9344670CD7CE33814B89EFB8A6F486613E44DDC201F4)
  +0x0017431FE4CE4CD4A57ED52A91968681B9CF580A
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
  +Computing SHA1(0x9344670CD7CE33814B89EFB8A6F48661|<ANDROID-PUBLIC-IP>:13188)
  +Computing SHA1(0x9344670CD7CE33814B89EFB8A6F48661D58E60C53384)
  +0x7771693A34BCA97962B7C50328E670311F596336
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
  +0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
  +Peer does not support private notifications -> ignore
  +Could not pop a DH-Group from DH-Group-Container => Generate a key-pair now
  +DH key-pair successfully generated in 341965 micro seconds
+Shared secret derived in 342006 micro seconds
IKE_SA(0x9344670CD7CE33814B89EFB8A6F48661).EXPECTED-MSG-ID raised to 1
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x9344670CD7CE33814B89EFB8A6F4866100000000, P1, RESPONDER): Resetting Negotiation SA
  (IKE_SA, 'DEFAULT', 'ISAKMP-PEER-DEFAULT', 0x9344670CD7CE33814B89EFB8A6F4866100000000, responder): use_count --4
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 745 bytes (responder)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:4500, tag 0 (UDP)
SPIs: 0x9344670CD7CE33814B89EFB8A6F48661, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)

[VPN-IKE] 2022/12/19 15:48:32,446
[DEFAULT] Received packet:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:53379
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x08   Initiator
| Msg-ID            : 1
| Length            : 624 Bytes
ENCR Payload
| Next Payload      : IDI
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 596 Bytes
| IV                : 6C AC 00 FC 84 AD 35 F4 2E 58 42 5A 60 F5 65 A9
| Encrypted Data    : AB F8 32 DB D3 14 21 17 41 45 0F 13 1D B4 C0 3C
|                     58 C2 ED 02 C9 E9 EA DE CF F8 3E 3F 62 A7 81 AB
|                     15 61 F5 4D 42 AD F1 87 36 CB 3B 06 B8 3A 2F 9B
|                     3A FC 8E 4C D8 2B 30 F4 63 3C B0 4F D8 2A CE 43
|                     4A 09 ED E1 50 A6 E3 9B B5 79 6F 9A 9F 45 59 70
|                     EE 7C 81 4D 54 C5 D8 7C 03 D9 9B F4 29 CB BA 00
|                     95 78 63 98 EE 31 60 58 54 70 72 75 A2 73 D1 FC
|                     AA 69 0A 24 67 6F 57 A4 B0 23 A7 23 0B A8 C3 BB
|                     13 7F 03 AA 4B 02 01 7D 06 4C F2 98 EC 9E B9 8A
|                     25 58 4F D2 A2 80 64 C0 3A E9 7A 6A 47 2E 9D 73
|                     DE 79 FC D5 22 62 6B 52 09 F4 AD 06 2A D8 D4 1A
|                     A4 30 41 5C 44 16 59 B7 40 09 A4 08 1E 4C 62 35
|                     B7 CD 94 85 04 A3 C6 0A F8 74 EC D8 B4 BD A9 F8
|                     1C 08 F2 9D 12 AD 07 44 DC BF CE 3C 90 BE 9A 3C
|                     DB 65 72 70 2F E6 E6 BD ED 1E E0 BC F9 FC B3 7D
|                     54 51 DA B4 77 0B 6C F8 08 BF 27 61 31 0C 05 BC
|                     81 BA FE C3 F8 30 F9 56 1F EF 8A 6F 30 D3 D8 78
|                     32 07 6C 95 16 1C 34 70 DF CC 87 26 F6 B8 FB 52
|                     67 41 F1 8A 02 97 56 52 86 0F 07 01 31 CA E3 F7
|                     35 7A 86 BA A4 93 B3 38 EB C3 C3 41 49 4C F9 BF
|                     58 F5 85 45 39 39 A6 90 4C 6F 97 7F 25 C4 F8 01
|                     5B 06 95 B9 06 7E D6 4A 93 E9 20 61 98 C4 44 1F
|                     85 29 2F C8 E7 44 E9 63 20 09 BD 66 D4 0B C7 D3
|                     F6 DA DE 54 6A F5 06 2B 96 09 58 0C 54 A8 26 4A
|                     F7 8C EC E0 09 13 F5 63 43 F2 B3 4B D0 C6 0E AD
|                     A3 A6 2D 26 FB 86 B2 3D 1E A0 0A 70 24 11 12 40
|                     0A 9C B5 9F 1B 05 D5 D4 A0 70 F5 76 7D 84 7C 7B
|                     87 A1 EB 25 FF AC 45 36 52 DD 7A 5E 32 DB 32 77
|                     D8 B0 83 BC 18 80 FC 9D 78 71 C2 5D 5D 30 4C 89
|                     4A 24 DF 63 3F F6 42 75 33 36 84 D8 AC B0 98 B9
|                     81 5C 6F 35 EF 5D 5B 8A D6 BC 5E 8A 27 D2 F8 B0
|                     BD 65 AA 11 C6 D0 74 D5 68 AE 04 23 CC 64 98 B9
|                     F9 B0 BD AA 57 D0 AB 9C FC 12 B8 82 8A AD EF D2
|                     06 2E 8D 55 5C 5E DD FF 24 6D 05 7C B4 93 5A A3
| ICV               : 6B 77 D5 FE 79 56 3D 63 47 59 FE 20 75 D0 42 4F
|                     C6 89 64 70 3A 0C 73 BC ED FA 7F E8 7F D4 53 14

[VPN-IKE] 2022/12/19 15:48:32,451
[DEFAULT] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:53379
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x08   Initiator
| Msg-ID            : 1
| Length            : 624 Bytes
ENCR Payload
| Next Payload      : IDI
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 596 Bytes
| IV                : 6C AC 00 FC 84 AD 35 F4 2E 58 42 5A 60 F5 65 A9
| ICV               : 6B 77 D5 FE 79 56 3D 63 47 59 FE 20 75 D0 42 4F
|                     C6 89 64 70 3A 0C 73 BC ED FA 7F E8 7F D4 53 14
IDI Payload
| Next Payload      : IDR
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 16 Bytes
| ID type           : FQDN
| Reserved          : 0x000000
| ID                : android3
IDR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| ID type           : IPV4_ADDR
| Reserved          : 0x000000
| ID                : <LANCOM-PUBLIC-IP>
NOTIFY Payload
| Next Payload      : AUTH
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_MOBIKE_SUPPORTED
AUTH Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 72 Bytes
| Auth. Method      : PRESHARED_KEY
| Reserved          : 0x000000
| Auth. Data        : 28 FF B7 D3 B5 FB 93 B5 6E 97 32 69 5B 79 9A 3F
|                     86 C8 B0 9F AA 12 68 08 2C 07 97 0E 20 0A F3 AB
|                     9F 28 E5 8D 57 5F 2E 4E A4 92 D0 5D 8C ED 8A 99
|                     D8 4F AB ED 93 25 46 95 A9 DB DB 33 ED 88 E3 88
SA Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 272 Bytes
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 132 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 12
| | SPI             : 36 51 DF D1
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-384 (13)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-XCBC-96 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CMAC-96 (8)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 136 Bytes
| | Proposal number : 2
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 11
| | SPI             : 66 FB 28 A1
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : ENCR-CHACHA20-POLY1305 (28)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 64 Bytes
| Number of TSs     : 2
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
| Traffic Selector 1
| | Type            : TS_IPV6_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 40
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
TSr Payload
| Next Payload      : CP
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 64 Bytes
| Number of TSs     : 2
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
| Traffic Selector 1
| | Type            : TS_IPV6_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 40
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
CP Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 32 Bytes
| Type              : REQUEST
| Reserved2         : 0x000000
| Attribute 0
| | Type            : Variable, INTERNAL_IP4_ADDRESS
| | Length          : 0
| | Value           :
| Attribute 1
| | Type            : Variable, INTERNAL_IP6_ADDRESS
| | Length          : 0
| | Value           :
| Attribute 2
| | Type            : Variable, INTERNAL_IP4_DNS
| | Length          : 0
| | Value           :
| Attribute 3
| | Type            : Variable, INTERNAL_IP6_DNS
| | Length          : 0
| | Value           :
| Attribute 4
| | Type            : Variable, INTERNAL_IP4_NETMASK
| | Length          : 0
| | Value           :
| Attribute 5
| | Type            : Variable, APPLICATION_VERSION
| | Length          : 0
| | Value           :
Rest                : BB 88 A8 03

[VPN-Debug] 2022/12/19 15:48:32,452
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:4500
SPIs: 0x9344670CD7CE33814B89EFB8A6F48661, Message-ID 1
Payloads: ENCR
QUB-DATA: <LANCOM-PUBLIC-IP>:4500<---<ANDROID-PUBLIC-IP>:53379 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14185591, UDP (17) {incoming unicast, fixed source address}, dst: <ANDROID-PUBLIC-IP>, tag 0 (U), src: <LANCOM-PUBLIC-IP>, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: e4:8d:8c:0f:db:82, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000054)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, IDI, IDR, NOTIFY(MOBIKE_SUPPORTED), AUTH(PSK), SA, TSI, TSR, CP(REQUEST)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x9344670CD7CE33814B89EFB8A6F4866100000001, P2, RESPONDER): Setting Negotiation SA
  Referencing (CHILD_SA, 0x9344670CD7CE33814B89EFB8A6F486610000000100, responder): use_count 3

[VPN-IKE] 2022/12/19 15:48:32,452
[DEFAULT] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:53379
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x20 Response
| Msg-ID            : 1
| Length            : 96 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 68 Bytes
| IV                : 99 9D 1B FD E6 9F 45 8D EB 5F 1F 51 6D 51 E5 51
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : IPSEC_IKE
| SPI size          : 0
| Message type      : AUTHENTICATION_FAILED
Rest                : 00 00 00 00 00 00 00 07

[VPN-IKE] 2022/12/19 15:48:32,457
[DEFAULT] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:53379
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x20 Response
| Msg-ID            : 1
| Length            : 96 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 68 Bytes
| IV                : 99 9D 1B FD E6 9F 45 8D EB 5F 1F 51 6D 51 E5 51
| Encrypted Data    : FC 71 9B 7B CD FB 46 6C 4F DC 5A 04 5A 14 BA DA
| ICV               : 46 1A 5A E2 FD 7C 7B 55 9B 27 84 AE 9F C5 E8 65
|                     E6 56 89 07 83 0E 1D B0 2C C2 99 3A C7 16 50 6B

[VPN-Debug] 2022/12/19 15:48:32,457
Peer DEFAULT: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 96 bytes (responder encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:53379, tag 0 (UDP)
SPIs: 0x9344670CD7CE33814B89EFB8A6F48661, Message-ID 1
Payloads: ENCR

[VPN-Debug] 2022/12/19 15:48:32,457
LCVPEI: IKE-R-IKE-key-mismatch
IKE-TRANSPORT freed

[VPN-IKE] 2022/12/19 15:48:32,490
[<UNKNOWN>] Received packet:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:53379
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x08   Initiator
| Msg-ID            : 2
| Length            : 96 Bytes
-No ENCR/INTEG algorithm(s) found in IKE_SA (No IKE_SA)
Rest                : 2A 00 00 44 5C 0A C0 B2 0D 32 9A BE E9 1A 7C E2
                      00 37 F9 32 8C BB 5F 99 3D 5A 2B 68 55 B0 00 1B
                      E5 33 A8 5F 7B B5 81 09 66 ED 84 A7 4E FA B1 27
                      38 40 38 84 BB 53 F6 25 3C 21 D2 B4 50 6A BB 9C
                      62 83 08 8C

[VPN-IKE] 2022/12/19 15:48:32,490
[<UNKNOWN>] Sending packet:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:53379
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 93 44 67 0C D7 CE 33 81
| Responder cookie  : 4B 89 EF B8 A6 F4 86 61
| Next Payload      : NOTIFY
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x20 Response
| Msg-ID            : 2
| Length            : 36 Bytes
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : INVALID_IKE_SPI

[VPN-Debug] 2022/12/19 15:48:32,490
Peer <UNKNOWN>: Received an INFORMATIONAL-REQUEST of 96 bytes
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:53379
SPIs: 0x9344670CD7CE33814B89EFB8A6F48661, Message-ID 2
Payloads: INVALID
QUB-DATA: <LANCOM-PUBLIC-IP>:4500<---<ANDROID-PUBLIC-IP>:53379 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14185593, UDP (17) {incoming unicast, fixed source address}, dst: <ANDROID-PUBLIC-IP>, tag 0 (U), src: <LANCOM-PUBLIC-IP>, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: e4:8d:8c:0f:db:82, port 0], local port: 4500, remote port: 53379

Peer <UNKNOWN>: Constructing an INFORMATIONAL-RESPONSE for send
Sending an INFORMATIONAL-RESPONSE of 36 bytes
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:53379, tag 0 (UDP)
SPIs: 0x9344670CD7CE33814B89EFB8A6F48661, Message-ID 2
Payloads: NOTIFY(INVALID_IKE_SPI)

[VPN-Debug] 2022/12/19 15:48:32,491
IKE-TRANSPORT freed

Kind regards,
michael
Dr.Einstein
Posts: 2893
Registered: 12 Jan 2010, 14:10

Re: IKEv2 connection with Android 13

Post by Dr.Einstein »

Are you absolutely sure that you entered the following in the Lancom:

Code:

| ID type           : FQDN
| ID                : android3
And the key

Code:

LCVPEI: IKE-R-IKE-key-mismatch
For testing, really do use something very simple, '12345678' or similar.

Independently of that, you should replace the 10.50Rel with a 10.50RU9. The Rel version had an unbelievable number of quirks.

Regards, Dr.Einstein
tbc233
Posts: 343
Registered: 01 Feb 2005, 21:56

Re: IKEv2 connection with Android 13

Post by tbc233 »

Yes, ID android3; for the identity type I started with Key-ID as per the guide, but by now I have tried all the variants.

I have also already tried a completely simple passphrase, to rule out any errors here.

Tomorrow I will update the device as you suggested.
Kind regards,
michael
Dr.Einstein
Posts: 2893
Registered: 12 Jan 2010, 14:10

Re: IKEv2 connection with Android 13

Post by Dr.Einstein »

tbc233 wrote: 19 Dec 2022, 17:25 Yes, ID android3; for the identity type I started with Key-ID as per the guide, but by now I have tried all the variants.
That, at least, is wrong. According to the debug output, FQDN would be correct. In my opinion you should change both sides to FQDN right away. After that you can run the mentioned debugs once more to see whether they look exactly the same or different now.
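
Added example (not part of the thread and not LANCOM code): the comparison made by eye in the two replies above, done mechanically. It reads a VPN-IKE/VPN-Debug trace, extracts the identity the peer actually sent in its IDi payload, and compares it with what the gateway is configured to expect. The embedded trace is a constructed excerpt in the layout of the trace posted above; the function names and the `KEY_ID` label for the gateway setting are assumptions.

```python
import re

# Constructed excerpt in the layout of the trace posted above.
SAMPLE_TRACE = """\
[VPN-IKE] 2022/12/19 15:48:32,451
[DEFAULT] Received packet after decryption:
IDI Payload
| Next Payload      : IDR
| Length            : 16 Bytes
| ID type           : FQDN
| Reserved          : 0x000000
| ID                : android3
IDR Payload
| Next Payload      : NOTIFY
| ID type           : IPV4_ADDR
| ID                : <LANCOM-PUBLIC-IP>
AUTH Payload
| Auth. Method      : PRESHARED_KEY
[VPN-IKE] 2022/12/19 15:48:32,452
[DEFAULT] Sending packet before encryption:
NOTIFY Payload
| Protocol ID       : IPSEC_IKE
| Message type      : AUTHENTICATION_FAILED
[VPN-Debug] 2022/12/19 15:48:32,457
LCVPEI: IKE-R-IKE-key-mismatch
"""

SECTION_RE = re.compile(r"^\[VPN-[A-Za-z]+\] \d{4}/")       # "[VPN-IKE] 2022/12/19 ..."
DIRECTION_RE = re.compile(r"^\[[^\]]*\] (Received|Sending) packet")
PAYLOAD_RE = re.compile(r"^([A-Za-z]+) Payload$")            # top-level payloads only
FIELD_RE = re.compile(r"^\| ([^|:][^:]*?)\s*:\s*(.*)$")      # depth-1 "| key : value"
STATUS_RE = re.compile(r"^LCVPEI: (\S+)")


def summarize_trace(text):
    """Collect the peer identity, auth method, sent notifies and status codes."""
    summary = {"peer_id": None, "auth_method": None,
               "sent_notifies": [], "status": []}
    direction = payload = id_type = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if SECTION_RE.match(line):           # new trace section: reset context
            direction = payload = None
            continue
        m = DIRECTION_RE.match(line)
        if m:
            direction = "received" if m.group(1) == "Received" else "sent"
            payload = None
            continue
        m = PAYLOAD_RE.match(line)
        if m:
            payload = m.group(1).upper()
            continue
        m = STATUS_RE.match(line)
        if m:
            summary["status"].append(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m or payload is None:         # nested fields and hex continuations
            continue
        key, value = m.group(1), m.group(2).strip()
        if payload == "IDI" and direction == "received":
            if key == "ID type":
                id_type = value
            elif key == "ID":
                summary["peer_id"] = (id_type, value)
        elif payload == "AUTH" and direction == "received" and key == "Auth. Method":
            summary["auth_method"] = value
        elif payload == "NOTIFY" and direction == "sent" and key == "Message type":
            summary["sent_notifies"].append(value)
    return summary


def diagnose(summary, expected_type, expected_id):
    """Compare what the peer sent with the gateway's configured remote identity."""
    if summary["peer_id"] is None:
        return ["no decrypted IDi payload in trace: IKE_AUTH was not reached"]
    findings = []
    peer_type, peer_value = summary["peer_id"]
    if peer_type != expected_type:
        findings.append(f"identity type mismatch: peer sends {peer_type}, "
                        f"gateway expects {expected_type}")
    if peer_value != expected_id:
        findings.append(f"identity value mismatch: peer sends {peer_value!r}, "
                        f"gateway expects {expected_id!r}")
    if "AUTHENTICATION_FAILED" in summary["sent_notifies"] and not findings:
        findings.append("identity matches but authentication failed: "
                        "compare the pre-shared key on both sides")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize_trace(SAMPLE_TRACE), "KEY_ID", "android3"):
        print(finding)
```

Checking the identity before the key matters because, in this thread, the gateway logged `IKE-R-IKE-key-mismatch` while the identity type was the setting that differed.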
tbc233
Posts: 343
Registered: 01 Feb 2005, 21:56

Re: IKEv2 connection with Android 13

Post by tbc233 »

Thanks.
I did that; now at least there are no more authentication errors. But unfortunately the connection still is not established. The trace looks like this:

Code:

> trace # vpn-ike vpn-debug
VPN-IKE                    ON
VPN-Debug                  ON

root@1900EF:/
>
[VPN-IKE] 2022/12/19 17:31:13,834
[DEFAULT] Received packet:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:31899
Destination/Port    : <LANCOM-PUBLIC-IP>:500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 00 00 00 00 00 00 00 00
| Next Payload      : SA
| Version           : 2.0
| Exchange type     : IKE_SA_INIT
| Flags             : 0x08   Initiator
| Msg-ID            : 0
| Length            : 1072 Bytes
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 408 Bytes
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 200 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 21
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-384 (13)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-XCBC-96 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CMAC-96 (8)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 4096-BIT MODP (16)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : CURVE25519 (31)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 3072-BIT MODP (15)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-XCBC (4)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-384 (6)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-512 (7)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-CMAC (8)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 204 Bytes
| | Proposal number : 2
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 20
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : ENCR-CHACHA20-POLY1305 (28)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 4096-BIT MODP (16)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : CURVE25519 (31)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 3072-BIT MODP (15)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-XCBC (4)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-384 (6)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-512 (7)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-AES128-CMAC (8)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 520 Bytes
| DH Group          : 16
| Reserved2         : 0x0000
| DH-Key(4096 bits) : 1C 7D 96 F5 02 D5 2F 04 47 BE 82 E9 29 0D C0 7F
|                     35 1C C8 4F 85 0C D7 65 B5 08 23 32 C6 73 A3 5A
|                     95 A2 08 0B A4 EC 20 CD FA 4B 74 AD 78 D7 3F 6C
|                     52 1C 44 85 93 02 8E F0 A8 EC 15 3B D5 46 A6 41
|                     40 FE E0 6B 75 B7 2F D3 CE 4C 3A 14 F4 8E 68 88
|                     03 74 2C 8B 4A 02 49 8E AC C0 03 4B 0B 3E 40 B5
|                     E2 37 CF 8D 08 AD 2E 8F 46 17 AC 5B EE BE C6 D6
|                     67 0B CA 0B FA 2B E2 4A 7F A0 06 CC 64 35 0B 7D
|                     F5 58 18 1C 71 74 23 05 4D CF DD 1B 5A 98 0E B1
|                     E9 8C 65 5C 5E 67 EC A8 57 25 DA 26 B1 D9 AD 93
|                     21 DB 1E 0E 1B A9 8B 29 DF 0A 1C 4F 51 26 E3 A1
|                     52 06 98 51 2B 2C A3 EE 22 86 7D 16 42 F8 A2 86
|                     6C 8A CB 28 02 02 F4 B9 52 8C B2 35 0E 7D 7C 1F
|                     5E FA 04 8F D7 F4 87 28 20 C7 F5 43 F8 B5 D4 84
|                     24 B5 33 8F F8 45 78 CA 66 EF E5 E6 A3 37 74 21
|                     8E 95 92 95 09 AB 87 DF 39 01 3C FD E0 98 D6 02
|                     A5 46 56 4B BA E8 D2 3F D0 85 AD FC DF 5C CA A2
|                     58 20 D0 29 35 DB 8F A9 61 2F 8E 3A 4B 97 EF E0
|                     D8 25 64 30 D4 64 B5 CB 28 51 33 97 15 12 BF 57
|                     32 CF FE 40 ED 83 57 6A 83 D5 F4 99 36 C8 1B 72
|                     75 00 02 10 AF EA 14 91 F2 7F B6 3F 24 F9 78 3E
|                     7C D1 9E 39 12 69 07 7F 5C 72 00 4C 70 84 B1 B0
|                     69 75 74 1F 33 3C 4E 2F 65 08 9C 53 DB 2F E3 E2
|                     86 8C CB 32 05 8C 74 85 93 10 4D 69 CB F9 40 1F
|                     A8 33 78 4E 80 9E 1B C8 72 75 54 49 7C C0 F8 E1
|                     09 3D 8D 83 9A 16 5E 98 52 55 BC 3C 2A 03 2A 8C
|                     79 B7 D8 75 8F 9F 79 B2 0E 6E 4D C4 CF BF F5 87
|                     34 74 76 38 72 34 B2 9E 50 F3 D4 5A BD C5 77 7A
|                     83 60 29 CC 20 98 56 10 8F 86 0C 48 C4 69 D5 4B
|                     1E FC E9 03 4C 49 57 9B 0A 5E 93 6C F4 09 C2 06
|                     72 99 70 87 76 D2 6C 7A 48 CA 26 4F F0 D1 3B D3
|                     76 34 FD 70 1F F6 F2 A4 ED 9E 6C A7 0D AC 86 E9
NONCE Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : 01 46 EB 2F F4 21 4C 2A 57 40 25 D3 22 12 B7 90
|                     9A 67 73 32 09 ED B3 DC 59 CC 46 C3 0A C5 82 88
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_SOURCE_IP
| Notif. data       : 61 E4 FB AF 4B D3 4E CF 43 2C 74 B4 EB 0F 27 11
|                     42 00 9E 8D
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_DESTINATION_IP
| Notif. data       : 4A 12 E7 42 EA 29 2E AD 7C 04 7B 82 69 49 37 AC
|                     3C 32 52 6C
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : IKEV2_FRAGMENTATION_SUPPORTED
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 16 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : SIGNATURE_HASH_ALGORITHMS
| Sign. Hash Algs.  : SHA1, SHA-256, SHA-384, SHA-512

[VPN-Debug] 2022/12/19 17:31:13,841
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 1072 bytes
Gateways: <LANCOM-PUBLIC-IP>:500<--<ANDROID-PUBLIC-IP>:31899
SPIs: 0xEB263783DEEA94470000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(SIGNATURE_HASH_ALGORITHMS)
QUB-DATA: <LANCOM-PUBLIC-IP>:500<---<ANDROID-PUBLIC-IP>:31899 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14188898, UDP (17) {incoming unicast, fixed source address}, dst: <ANDROID-PUBLIC-IP>, tag 0 (U), src: <LANCOM-PUBLIC-IP>, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: e4:8d:8c:0f:db:82, port 0], local port: 500, remote port: 31899
+No IKE_SA found
Counting consumed licenses by active channels...
     1: (ANDERER-VPN-ZUGANG       , <ANDROID-PUBLIC-IP>  , ikev1) -> 1
  Consumed connected licenses   : 1
  Negotiating connections       : 0
  IKE negotiations              : 0
  MPPE connections              : 0
  Licenses in use               : 1 < 25
  +Passive connection request accepted (32 micro seconds)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xEB263783DEEA94473DAB40859566437200000000, P1, RESPONDER): Setting Negotiation SA
  Referencing (IKE_SA, 0xEB263783DEEA94473DAB40859566437200000000, responder): use_count 3
Looking for payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41)...Found 1 payload.
  +Received signature hash algorithms: SHA1, SHA-256, SHA-384, SHA-512
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
  +Computing SHA1(0xEB263783DEEA94470000000000000000|<ANDROID-PUBLIC-IP>:31899)
  +Computing SHA1(0xEB263783DEEA944700000000000000004E841EC47C9B)
  +Computed: 0x29569F9B179E13D7EB72EBCEFE9E57C65E9CBF3A
  +Received: 0x61E4FBAF4BD34ECF432C74B4EB0F271142009E8D
  +Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
  +Computing SHA1(0xEB263783DEEA94470000000000000000|<LANCOM-PUBLIC-IP>:500)
  +Computing SHA1(0xEB263783DEEA944700000000000000003E44DDC201F4)
  +Computed: 0x4A12E742EA292EAD7C047B82694937AC3C32526C
  +Received: 0x4A12E742EA292EAD7C047B82694937AC3C32526C
  +Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-256 AES-GCM-16-128 ENCR-CHACHA20-POLY1305 AES-CBC-256 AES-CBC-128
  +Received ENCR  transform(s): AES-128-CTR AES-CBC-256 AES-128-CTR AES-CBC-192 AES-128-CTR AES-CBC-128
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-384 PRF-HMAC-SHA-256 PRF-HMAC-SHA1 PRF-HMAC-MD5
  +Received PRF   transform(s): PRF-HMAC-SHA1 PRF-AES128-XCBC PRF-HMAC-SHA-256 PRF-HMAC-SHA-384 PRF-HMAC-SHA-512 PRF-AES128-CMAC
  +Best intersection: PRF-HMAC-SHA-512
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1 HMAC-MD5
  +Received INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 AES-XCBC-96 AES-CMAC-96
  +Best intersection: HMAC-SHA-512
  +Config   DH    transform(s): 16 15 14 2
  +Received DH    transform(s): 16 31 15 14
  +Best intersection: 16
Looking for payload NONCE (40)...Found 1 payload.
  +Nonce length=32 bytes
  +Nonce=0x0146EB2FF4214C2A574025D32212B7909A67733209EDB3DC59CC46C30AC58288
  +SA-DATA-Ni=0x0146EB2FF4214C2A574025D32212B7909A67733209EDB3DC59CC46C30AC58288

[VPN-IKE] 2022/12/19 17:31:14,185
[DEFAULT] Sending packet:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:500
Destination/Port    : <ANDROID-PUBLIC-IP>:31899
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : SA
| Version           : 2.0
| Exchange type     : IKE_SA_INIT
| Flags             : 0x20 Response
| Msg-ID            : 0
| Length            : 745 Bytes
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 48 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-512 (7)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 4096-BIT MODP (16)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 520 Bytes
| DH Group          : 16
| Reserved2         : 0x0000
| DH-Key(4096 bits) : 13 81 29 FF 20 54 91 49 C0 C5 F6 87 62 D2 06 82
|                     67 E6 AD F9 7C 50 BE 3A AB B7 B6 41 AF F4 34 5F
|                     A0 EE 23 73 E4 CD 2B 00 A3 F2 8B B2 4C E4 38 46
|                     B9 87 8C B4 5D 8B 70 E3 03 AB 74 E0 48 AF 54 3C
|                     58 41 31 90 F8 82 96 F6 13 23 49 F4 53 B1 F3 9A
|                     06 75 A2 F5 5F 10 86 BC 8A C0 FB 1B 34 C1 57 F1
|                     01 5E 42 61 A1 8E 36 D6 D4 5C A1 F4 BF 06 66 90
|                     D6 3A C3 63 75 94 A5 41 60 14 13 15 62 3B 4F 75
|                     6D 82 BA 04 FD BD 8D 93 B5 C2 0E CF 03 FB 9D 0A
|                     12 5E CD 9C 64 A5 DB 42 A4 D4 F2 FA 0B 74 2A 5A
|                     61 AC A9 B7 54 8D FD C9 0D 53 38 4E D2 C7 86 53
|                     DF AE DC 05 4C B6 2E 6D 1D 12 A5 08 7F 50 84 C6
|                     CF D5 6D 94 57 AC DC A6 82 CC 93 FE 48 76 5B 7C
|                     1B 14 87 AF E6 ED 8A 33 C1 4C 3E 4C 06 F8 E1 2A
|                     6F 96 93 32 C7 41 D3 07 15 9C F3 5B 6C 9E 3A BA
|                     0D A4 44 48 04 EE 7F 26 A4 EC E8 6D 0D 56 BB FE
|                     6E 40 C8 02 B9 0D 69 C3 37 26 A3 AD 97 5E 21 93
|                     0F 2B 40 84 6F A8 5A 53 F8 69 AB E3 65 FE D8 07
|                     D3 9B 97 CA 75 9B D7 03 9E 98 C0 F9 B4 D3 5D 21
|                     17 7D C0 3D 77 41 30 B7 57 EA 5C 5E 26 2D 2E 04
|                     C0 41 9D D5 55 2B 41 7F 36 B9 4C F2 62 F8 50 C1
|                     87 A2 20 4E 37 74 FD 8F 94 D5 2F B1 55 E0 FA 1B
|                     D0 88 06 AB 15 3B 5D 9D D2 C0 87 97 2D 85 47 CE
|                     84 5A C4 A7 3A 0D 96 01 2A EB 81 F7 F6 AA 17 BF
|                     91 51 51 45 D2 1A D3 F1 19 F5 8D 19 75 3B A9 A9
|                     1B 27 B4 5B 98 74 1D 25 05 8F E1 FC B6 4E FC 8E
|                     FF C4 3A A0 97 91 C4 F7 09 FE 9E 1B F1 86 CF A4
|                     C4 7A 4E FD 3B 68 29 9D 09 F0 DE 3A DB 50 4B E2
|                     83 5D A7 9B 79 08 3F 60 DD 89 EB EC AA B6 83 DA
|                     D0 09 9A E8 34 A7 84 E9 29 FD 09 DA AC C4 CB 63
|                     75 75 B2 8F E8 13 1E A9 EC DA 1B DA 0A F2 8B AE
|                     F3 D5 05 FA 68 B6 20 02 82 20 A9 B4 1A 4D A1 C4
NONCE Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : 0E 14 65 D0 4F C3 6A 2C 25 38 75 22 1B 91 AD 9F
|                     5C B3 6E 23 D2 92 A4 E3 5A D4 E7 21 38 93 26 F2
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_SOURCE_IP
| Notif. data       : 7F 17 B7 97 67 52 98 09 28 FA 41 D4 6F 18 26 7B
|                     B0 5A C9 E7
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_DESTINATION_IP
| Notif. data       : 66 B4 FA 9C 61 CA 7A BE 40 C1 BB E3 F1 52 27 A2
|                     A3 30 5B EC
NOTIFY Payload
| Next Payload      : CERTREQ
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : IKEV2_FRAGMENTATION_SUPPORTED
CERTREQ Payload
| Next Payload      : VENDOR
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 25 Bytes
| Cert. Type        : X509_SIG
| Cert. Autherity   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00
VENDOR Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Vendor ID         : 81 75 2E B5 91 4D 73 5C DF CD C8 58 C3 A8 ED 7C
|                     1C 66 D1 42

[VPN-Debug] 2022/12/19 17:31:14,528
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload KE (34):
  +Could not pop a DH-Group from DH-Group-Container => Generate a key-pair now
  +DH key-pair successfully generated in 341991 micro seconds
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x0E1465D04FC36A2C253875221B91AD9F5CB36E23D292A4E35AD4E721389326F2
  +SA-DATA-Nr=0x0E1465D04FC36A2C253875221B91AD9F5CB36E23D292A4E35AD4E721389326F2
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
  +Computing SHA1(0xEB263783DEEA94473DAB408595664372|<LANCOM-PUBLIC-IP>:500)
  +Computing SHA1(0xEB263783DEEA94473DAB4085956643723E44DDC201F4)
  +0x7F17B7976752980928FA41D46F18267BB05AC9E7
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
  +Computing SHA1(0xEB263783DEEA94473DAB408595664372|<ANDROID-PUBLIC-IP>:31899)
  +Computing SHA1(0xEB263783DEEA94473DAB4085956643724E841EC47C9B)
  +0x66B4FA9C61CA7ABE40C1BBE3F15227A2A3305BEC
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
  +0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
  +Peer does not support private notifications -> ignore
  +Could not pop a DH-Group from DH-Group-Container => Generate a key-pair now
  +DH key-pair successfully generated in 341991 micro seconds
+Shared secret derived in 341981 micro seconds
IKE_SA(0xEB263783DEEA94473DAB408595664372).EXPECTED-MSG-ID raised to 1
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xEB263783DEEA94473DAB40859566437200000000, P1, RESPONDER): Resetting Negotiation SA
  (IKE_SA, 'DEFAULT', 'ISAKMP-PEER-DEFAULT', 0xEB263783DEEA94473DAB40859566437200000000, responder): use_count --4
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 745 bytes (responder)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:4500, tag 0 (UDP)
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)

[VPN-IKE] 2022/12/19 17:31:14,529
[DEFAULT] Received packet:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:47193
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x08   Initiator
| Msg-ID            : 1
| Length            : 624 Bytes
ENCR Payload
| Next Payload      : IDI
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 596 Bytes
| IV                : EC 83 AC D5 D7 55 7D 68 99 B5 13 BA 29 7A 6B A2
| Encrypted Data    : 25 23 C8 5B 7B 89 95 3B D6 5B F1 6E 83 5E C3 0D
|                     AB 58 7B 4E C8 B0 5C AF 33 89 71 60 2E BB C7 C1
|                     C7 5D D7 1B 65 51 41 48 1E 46 D8 27 D7 4C 65 4B
|                     2B EF C4 B1 97 23 30 11 AE AF 6C AA 28 DB DE 90
|                     E7 CF 78 92 E1 4F 25 DC 1B B8 8E 2F C7 F0 BF DF
|                     68 B5 B6 17 A2 B8 68 29 4B CD 16 AE 45 D2 BB 45
|                     9D 6D DC BF 4C 51 BB FD 89 DE A6 A7 9E BD 5C AC
|                     E8 2C 15 B4 AE 60 D4 37 0A 66 2E 5F 51 D1 B5 E1
|                     4D 53 78 7F C2 E4 F0 B8 31 04 F7 B1 4A FC FD 8D
|                     02 A8 3A 99 F5 7A 6F B3 DB 22 9D CF CD 4B 82 E9
|                     F2 9C 20 30 AD 16 62 E2 9C 7B 97 9D 52 90 D9 7E
|                     28 7A E6 D1 9E 80 25 CE 78 85 1C 30 99 A5 E5 84
|                     8F 78 F5 BD 5A 23 05 87 D7 6D F4 1F 59 28 53 6C
|                     29 AE BC BB C9 9C B7 80 9C A3 70 4E 17 B5 F2 EA
|                     02 AD 30 A6 5B 12 96 75 98 D8 7A 0C B4 15 D2 E0
|                     9E 21 D1 C3 38 AD D2 F2 20 0B F9 29 BB EA D1 B1
|                     21 CC CC F6 10 78 06 79 5A 01 5C 1A 8D CF 15 94
|                     A4 39 F2 24 12 36 8F C6 9F C0 89 8E D2 92 A1 52
|                     08 FA C2 F6 44 07 97 0D 9B E3 3A AB BD 04 EC 14
|                     BD 4C 80 82 87 28 84 66 04 F7 E1 6E 8A 1A D5 AE
|                     8E 48 1E 0B 4B C5 33 F5 FB AE 9D ED 62 9A 05 C6
|                     BD 14 E3 36 B9 EA B2 FC 61 1D 38 70 92 5E E0 BB
|                     4C 63 C6 09 20 31 A2 EE 8E 21 62 C8 4A 17 9C 92
|                     29 F7 75 EF 94 A6 F4 DC 46 A0 D8 44 E1 92 45 AF
|                     D1 43 9C 6E 44 EC F9 78 32 0E B8 2F DC 1C E6 DA
|                     34 5A C5 DA D6 42 EA 02 3F 4A 31 C9 A7 FD 27 32
|                     5A 94 80 0A D7 D0 1A 88 5D 38 AB A8 63 73 7A 1F
|                     6C AB 1E 19 FC E7 7A 0E 02 64 C0 7C BB F8 CE CA
|                     99 73 14 B4 3E 81 14 95 8D 10 8C 9B 80 24 52 8E
|                     ED BD BD C5 BD 08 62 37 E6 0A 1F D6 47 9D A5 A6
|                     3A 3D 9E 26 36 0D A9 0A A2 0C 5F 77 DF BB 94 73
|                     3F 47 29 06 C8 CD 4C E7 0D AD 40 1E 29 07 B5 03
|                     9A 95 55 04 6D 59 E9 B5 2F 13 68 DE 1B F1 A0 BB
|                     B7 90 F2 9D D8 0B D0 79 0F 23 6D F1 B1 CD F4 02
| ICV               : 15 9E 25 B3 CB B0 0C 9F 52 52 B4 2F B7 3E 57 F7
|                     51 B8 F0 E3 B9 E4 98 71 78 F8 2C 95 1F 0B F9 84

[VPN-IKE] 2022/12/19 17:31:14,537
[DEFAULT] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:47193
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x08   Initiator
| Msg-ID            : 1
| Length            : 624 Bytes
ENCR Payload
| Next Payload      : IDI
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 596 Bytes
| IV                : EC 83 AC D5 D7 55 7D 68 99 B5 13 BA 29 7A 6B A2
| ICV               : 15 9E 25 B3 CB B0 0C 9F 52 52 B4 2F B7 3E 57 F7
|                     51 B8 F0 E3 B9 E4 98 71 78 F8 2C 95 1F 0B F9 84
IDI Payload
| Next Payload      : IDR
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 16 Bytes
| ID type           : FQDN
| Reserved          : 0x000000
| ID                : android3
IDR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| ID type           : IPV4_ADDR
| Reserved          : 0x000000
| ID                : <LANCOM-PUBLIC-IP>
NOTIFY Payload
| Next Payload      : AUTH
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_MOBIKE_SUPPORTED
AUTH Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 72 Bytes
| Auth. Method      : PRESHARED_KEY
| Reserved          : 0x000000
| Auth. Data        : 12 46 CE F1 02 3A 36 6C D7 CE C3 7B AC 05 97 77
|                     0F 30 65 49 0A 0D 1A 0B 96 C4 B5 85 68 4A EF 00
|                     96 05 25 85 35 2E 23 A2 BD 72 F0 C0 46 09 ED 93
|                     A1 48 F2 82 65 13 D7 7A 5B 98 FF 7F BA 64 58 42
SA Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 272 Bytes
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 132 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 12
| | SPI             : 67 E4 A8 7F
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-128-CTR (13)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-384 (13)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-XCBC-96 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CMAC-96 (8)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 136 Bytes
| | Proposal number : 2
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 11
| | SPI             : 42 27 B0 86
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : ENCR-CHACHA20-POLY1305 (28)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 192
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-12 (19)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-8 (18)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 64 Bytes
| Number of TSs     : 2
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
| Traffic Selector 1
| | Type            : TS_IPV6_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 40
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
TSr Payload
| Next Payload      : CP
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 64 Bytes
| Number of TSs     : 2
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
| Traffic Selector 1
| | Type            : TS_IPV6_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 40
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
CP Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 32 Bytes
| Type              : REQUEST
| Reserved2         : 0x000000
| Attribute 0
| | Type            : Variable, INTERNAL_IP4_ADDRESS
| | Length          : 0
| | Value           :
| Attribute 1
| | Type            : Variable, INTERNAL_IP6_ADDRESS
| | Length          : 0
| | Value           :
| Attribute 2
| | Type            : Variable, INTERNAL_IP4_DNS
| | Length          : 0
| | Value           :
| Attribute 3
| | Type            : Variable, INTERNAL_IP6_DNS
| | Length          : 0
| | Value           :
| Attribute 4
| | Type            : Variable, INTERNAL_IP4_NETMASK
| | Length          : 0
| | Value           :
| Attribute 5
| | Type            : Variable, APPLICATION_VERSION
| | Length          : 0
| | Value           :
Rest                : 90 30 47 03

[VPN-Debug] 2022/12/19 17:31:14,538
Config parser update peer's ANDROID3 remote gateway to <ANDROID-PUBLIC-IP> (old 0.0.0.0)
[VPN-Debug] 2022/12/19 17:31:14,543
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:4500
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 1
Payloads: ENCR
QUB-DATA: <LANCOM-PUBLIC-IP>:4500<---<ANDROID-PUBLIC-IP>:47193 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14188898, UDP (17) {incoming unicast, fixed source address}, dst: <ANDROID-PUBLIC-IP>, tag 0 (U), src: <LANCOM-PUBLIC-IP>, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: e4:8d:8c:0f:db:82, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000054)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, IDI, IDR, NOTIFY(MOBIKE_SUPPORTED), AUTH(PSK), SA, TSI, TSR, CP(REQUEST)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xEB263783DEEA94473DAB40859566437200000001, P2, RESPONDER): Setting Negotiation SA
  Referencing (CHILD_SA, 0xEB263783DEEA94473DAB4085956643720000000100, responder): use_count 3
Looking for payload IDI (35)...Found 1 payload.
  +Received-ID android3:FQDN matches the Expected-ID android3:FQDN
  +Config   ENCR  transform(s): AES-GCM-16-256 AES-GCM-16-128 ENCR-CHACHA20-POLY1305 AES-CBC-256 AES-CBC-128
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-384 PRF-HMAC-SHA-256 PRF-HMAC-SHA1 PRF-HMAC-MD5
  +Received PRF   transform(s): PRF-HMAC-SHA-512
  +Best intersection: PRF-HMAC-SHA-512
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1 HMAC-MD5
  +Received INTEG transform(s): HMAC-SHA-512
  +Best intersection: HMAC-SHA-512
  +Config   DH    transform(s): 16 15 14 2
  +Received DH    transform(s): 16
  +Best intersection: 16
Looking for payload TSI (44)...Found 1 payload.
  Looking for a rule...
  Trying rule 0: IPSEC-0-ANDROID3-PR0-L0-R0
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,   10.121.14.237-10.121.14.237  )
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,   10.121.14.237-10.121.14.237  )
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,   10.121.14.237-10.121.14.237  )
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,   10.121.14.237-10.121.14.237  )
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,     10.121.14.0-10.121.14.255  )
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,     10.121.14.0-10.121.14.255  )
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,     10.121.14.0-10.121.14.255  )
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,     10.121.14.0-10.121.14.255  )
  +Valid intersection found
  TSi: (  0,     0-65535,   10.121.14.237-10.121.14.237  )
  TSr: (  0,     0-65535,     10.121.14.0-10.121.14.255  )
  +TSi OK.
Looking for payload TSR (45)...Found 1 payload.
  +TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-256 AES-GCM-16-128 AES-CBC-256 AES-CBC-192 AES-CBC-128
  +Received ENCR  transform(s): AES-128-CTR AES-CBC-256 AES-128-CTR AES-CBC-192 AES-128-CTR AES-CBC-128
  +Best intersection: AES-CBC-256
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1 HMAC-MD5
  +Received INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 AES-XCBC-96 AES-CMAC-96
  +Best intersection: HMAC-SHA-512
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE

[VPN-IKE] 2022/12/19 17:31:14,548
[ANDROID3] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:47193
Routing-tag         : 0
Com-channel         : 13
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x20 Response
| Msg-ID            : 1
| Length            : 304 Bytes
ENCR Payload
| Next Payload      : IDR
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 276 Bytes
| IV                : 8F 48 60 F2 DB CA 42 02 CC 91 63 1B C2 4A 1C 5F
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IDR Payload
| Next Payload      : AUTH
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 16 Bytes
| ID type           : FQDN
| Reserved          : 0x000000
| ID                : android3
AUTH Payload
| Next Payload      : CP
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 72 Bytes
| Auth. Method      : PRESHARED_KEY
| Reserved          : 0x000000
| Auth. Data        : 01 58 11 8A 77 37 9D AE 40 23 F9 02 7F 1C 20 93
|                     33 7B D8 48 A7 BF 03 6C E3 A9 AB 9D 02 F9 54 37
|                     C0 53 C7 A4 69 1C 4D B1 79 0C 41 91 7C 24 D2 7A
|                     BE EB 21 11 51 30 B6 8F 2E 63 07 DA 49 D4 F9 F3
CP Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 32 Bytes
| Type              : REPLY
| Reserved2         : 0x000000
| Attribute 0
| | Type            : Variable, INTERNAL_IP4_ADDRESS
| | Length          : 4
| | Value           : 10.121.14.237
| Attribute 1
| | Type            : Variable, INTERNAL_IP4_DNS
| | Length          : 4
| | Value           : 10.121.14.1
| Attribute 2
| | Type            : Variable, INTERNAL_IP4_DNS
| | Length          : 4
| | Value           : 10.121.14.1
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 10.121.14.237 - 10.121.14.237
TSr Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 10.121.14.0 - 10.121.14.255
NOTIFY Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_INITIAL_CONTACT
SA Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 44 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 40 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 3
| | SPI             : 6B B6 16 88
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-512 (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
Rest                : 00 00 00 03

[VPN-IKE] 2022/12/19 17:31:14,550
[ANDROID3] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:47193
Routing-tag         : 0
Com-channel         : 13
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : IKE_AUTH
| Flags             : 0x20 Response
| Msg-ID            : 1
| Length            : 304 Bytes
ENCR Payload
| Next Payload      : IDR
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 276 Bytes
| IV                : 8F 48 60 F2 DB CA 42 02 CC 91 63 1B C2 4A 1C 5F
| Encrypted Data    : 1B 47 A1 3B 73 31 CC 5B 2B 86 93 18 6B 9D 32 3E
|                     72 9F 3F E9 53 5D 48 C8 F9 42 62 8F 93 2B 40 31
|                     95 CE 48 84 0B 04 5C 87 A8 96 F8 C3 AB 44 3E E1
|                     F2 05 EF 1A 2D 63 D7 BC 08 2D A4 C5 6C A1 96 BB
|                     A8 92 BB F6 BA D0 68 E1 7B CA DC DF 3D F3 D9 07
|                     6A 47 16 3C 22 C5 04 EF 57 8B 39 FB F3 B4 F5 B1
|                     3F AD 0A 73 6A FE 2C 5B 94 63 04 E3 74 D7 91 83
|                     A7 0D 8B 90 07 CD FA 48 C9 B5 18 36 35 A8 04 63
|                     74 C9 6B 62 DB E9 70 9B D3 4E 41 8A 13 B0 F5 23
|                     EE BC 2B 9D 38 36 76 DC 8A 63 7F EF 92 56 67 03
|                     B3 56 9F 5A F2 C8 06 F4 E6 D1 CF BF 17 00 8B 00
|                     2C 4F 1A 75 B3 4D A4 08 BE 16 9A 2C 95 87 8F 4D
|                     13 EB 39 35 BC 8E 5D 98 CC E4 C2 F5 EF 47 B6 1B
|                     C0 83 B4 7D 29 72 A5 09 C7 13 BA D3 A5 26 A1 BE
| ICV               : 9F AA 9B 5D A1 F1 AE 35 32 D5 71 58 9B 4E AA 4E
|                     AE 90 E8 3F 15 1F 0A 15 72 A9 3D FA F6 06 61 B4

[VPN-Debug] 2022/12/19 17:31:14,552
CRYPTACCESS: Registering combined id: 52

[VPN-Debug] 2022/12/19 17:31:14,552
CRYPTACCESS: Registering combined id: 18

[VPN-Debug] 2022/12/19 17:31:14,552
Peer ANDROID3: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload NOTIFY(MANAGEMENT_IP4_ADDRESS) (41):
Constructing payload NOTIFY(MANAGEMENT_IP6_ADDRESS) (41):
Constructing payload CP(REPLY) (47):
  +INTERNAL_IP4_ADDRESS(10.121.14.237)
  +INTERNAL_IP4_DNS(10.121.14.1)
  +INTERNAL_IP4_DNS(10.121.14.1)
Constructing payload NOTIFY(INITIAL_CONTACT) (41):
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0xEB263783DEEA94473DAB408595664372).EXPECTED-MSG-ID raised to 2
IPSEC overhead initialized to 42
IPSEC transport created in hardware context
(IKEv2-Exchange 'ANDROID3', 'IPSEC-0-ANDROID3-PR0-L0-R0' 0xEB263783DEEA94473DAB40859566437200000001, P2, RESPONDER, comchannel 13): Resetting Negotiation SA
  (CHILD_SA, 'ANDROID3', 'IPSEC-0-ANDROID3-PR0-L0-R0', 0xEB263783DEEA94473DAB4085956643720000000100, responder): use_count --2
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 304 bytes (responder encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:47193, tag 0 (UDP)
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 1
Payloads: ENCR

[VPN-Debug] 2022/12/19 17:31:14,552
Peer ANDROID3: Trigger next pended request to establish an exchange
  Current request is none
  IKE_SA is not REPLACED
There are 0 pending requests

[VPN-IKE] 2022/12/19 17:31:14,640
[ANDROID3] Received packet:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:47193
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 13
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x08   Initiator
| Msg-ID            : 2
| Length            : 96 Bytes
ENCR Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 68 Bytes
| IV                : 5E D4 F5 3F 68 35 7D 1C 4C 89 E5 23 50 EC A9 72
| Encrypted Data    : E2 93 B3 6B 18 22 9F 52 44 27 8C 81 72 79 E5 88
| ICV               : 68 99 96 0E 73 B5 03 32 BE E2 2B C9 E0 55 90 3C
|                     32 41 AB 84 25 08 A0 C3 7D 43 96 50 3C 2D 50 A1

[VPN-IKE] 2022/12/19 17:31:14,641
[ANDROID3] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : <ANDROID-PUBLIC-IP>:47193
Destination/Port    : <LANCOM-PUBLIC-IP>:4500
Routing-tag         : 0
Com-channel         : 13
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x08   Initiator
| Msg-ID            : 2
| Length            : 96 Bytes
ENCR Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 68 Bytes
| IV                : 5E D4 F5 3F 68 35 7D 1C 4C 89 E5 23 50 EC A9 72
| ICV               : 68 99 96 0E 73 B5 03 32 BE E2 2B C9 E0 55 90 3C
|                     32 41 AB 84 25 08 A0 C3 7D 43 96 50 3C 2D 50 A1
DELETE Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : IPSEC_IKE
| SPI size          : 0
| #SPIs             : 0
Rest                : 27 09 5F 9C BC FE 48 07

[VPN-Debug] 2022/12/19 17:31:14,641
Peer ANDROID3 [responder]: Received an INFORMATIONAL-REQUEST of 96 bytes (encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:47193
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 2
Payloads: ENCR
QUB-DATA: <LANCOM-PUBLIC-IP>:4500<---<ANDROID-PUBLIC-IP>:47193 rtg_tag 0 physical-channel WAN(1) vpn-channel 13
transport: [id: 14188898, UDP (17) {incoming unicast, fixed source address}, dst: <ANDROID-PUBLIC-IP>, tag 0 (U), src: <LANCOM-PUBLIC-IP>, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: e4:8d:8c:0f:db:82, port 0], local port: 4500, remote port: 47193, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000054)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, DELETE

[VPN-IKE] 2022/12/19 17:31:14,642
[ANDROID3] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:47193
Routing-tag         : 0
Com-channel         : 13
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x20 Response
| Msg-ID            : 2
| Length            : 112 Bytes
ENCR Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 84 Bytes
| IV                : B8 A6 44 CF E6 47 83 0E 9D 78 CC 5B 66 FC 93 0B
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DELETE Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : IPSEC_IKE
| SPI size          : 0
| #SPIs             : 0
DELETE Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| Protocol ID       : IPSEC_ESP
| SPI size          : 4
| #SPIs             : 1
| SPI 000           : 6B B6 16 88
Rest                : 00 00 00 00 00 00 00 00 00 00 00 0B

[VPN-Debug] 2022/12/19 17:31:14,642
CRYPTACCESS: Unregistering combined id: 18

[VPN-Debug] 2022/12/19 17:31:14,643
CRYPTACCESS: Unregistering combined id: 52

[VPN-IKE] 2022/12/19 17:31:14,644
[ANDROID3] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : <LANCOM-PUBLIC-IP>:4500
Destination/Port    : <ANDROID-PUBLIC-IP>:47193
Routing-tag         : 0
Com-channel         : 13
| Initiator cookie  : EB 26 37 83 DE EA 94 47
| Responder cookie  : 3D AB 40 85 95 66 43 72
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x20 Response
| Msg-ID            : 2
| Length            : 112 Bytes
ENCR Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 84 Bytes
| IV                : B8 A6 44 CF E6 47 83 0E 9D 78 CC 5B 66 FC 93 0B
| Encrypted Data    : DE 38 87 6B 6B 46 AF 71 A3 3D 23 0F 00 E0 8A 3F
|                     55 D9 6F 57 2D 60 73 79 E5 DC 5B ED A9 13 29 0F
| ICV               : 0A 45 74 66 F8 25 00 21 82 69 A6 7C 7E A0 DD 09
|                     61 6E 9A 07 4B 80 AC 4A 47 97 05 6B 9B B4 9C 6D

[VPN-Debug] 2022/12/19 17:31:14,644
Peer ANDROID3: Constructing an INFORMATIONAL-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0xEB263783DEEA94473DAB408595664372).EXPECTED-MSG-ID raised to 3
+(request, response) pair inserted into retransmission map
Sending an INFORMATIONAL-RESPONSE of 112 bytes (responder encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:47193, tag 0 (UDP)
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 2
Payloads: ENCR
Best regards,
michael
Dr.Einstein
Posts: 2893
Registered: 12 Jan 2010, 14:10

Re: IKEv2 connection with Android 13

Post by Dr.Einstein »

Unfortunately, it now gets harder: the Android device sends you an

Code: Select all

ENCR Payload
| Next Payload      : DELETE

so now it is no longer the Lancom that rejects; instead, something about the Lancom authentication does not suit the Android device. Android should keep a log for IKEv2 where the error can be read out (Android native client). I suspect it is due to the ID combination. In the Lancom, change the local and remote ID to a fully qualified domain name, e.g. android3.intern, and try again.
Last edited by Dr.Einstein on 19 Dec 2022, 17:55, edited 2 times in total.
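The pattern pointed out in the post above (the LANCOM sends its IKE_AUTH response and the peer answers with an INFORMATIONAL request carrying DELETE on the same IKE SA) can be searched for mechanically in a saved trace. This is an added example, not part of the original posts and not LANCOM code; the sample is condensed from the trace posted in this thread, and the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Condensed from the trace posted in this thread; the addresses are the
# thread's own placeholders. Only the lines the parser needs are kept.
SAMPLE_TRACE = """\
[VPN-Debug] 2022/12/19 17:31:14,552
Peer ANDROID3: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Sending an IKE_AUTH-RESPONSE of 304 bytes (responder encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500--><ANDROID-PUBLIC-IP>:47193, tag 0 (UDP)
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 1
Payloads: ENCR

[VPN-Debug] 2022/12/19 17:31:14,641
Peer ANDROID3 [responder]: Received an INFORMATIONAL-REQUEST of 96 bytes (encrypted)
Gateways: <LANCOM-PUBLIC-IP>:4500<--<ANDROID-PUBLIC-IP>:47193
SPIs: 0xEB263783DEEA94473DAB408595664372, Message-ID 2
Payloads: ENCR
Message verified successfully
Message decrypted successfully
Payloads: ENCR, DELETE
"""

HEADER = re.compile(r"^\[(VPN-[\w-]+)\] (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\d{3})$")
EVENT = re.compile(r"\b(Sending|Received) an ([A-Z_]+-(?:REQUEST|RESPONSE)) of \d+ bytes")
SPIS = re.compile(r"^SPIs: (0x[0-9A-Fa-f]+), Message-ID (\d+)")
PAYLOADS = re.compile(r"^Payloads: (.+)$")


def parse_events(trace):
    """Return one dict per IKE message sent or received in VPN-Debug records."""
    events, when, current = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            # New trace record: only VPN-Debug records are evaluated, so the
            # same message is not counted twice when VPN-Status is also traced.
            is_debug = header.group(1) == "VPN-Debug"
            when = datetime.strptime(header.group(2), "%Y/%m/%d %H:%M:%S,%f") if is_debug else None
            current = None
            continue
        event = EVENT.search(line)
        if event and when is not None:
            current = {"time": when, "message": event.group(2),
                       "direction": "out" if event.group(1) == "Sending" else "in",
                       "spis": None, "msg_id": None, "payloads": []}
            events.append(current)
        elif current is not None:
            spis, payloads = SPIS.match(line), PAYLOADS.match(line)
            if spis:
                current["spis"] = spis.group(1).lower()
                current["msg_id"] = int(spis.group(2))
            elif payloads:
                # The list printed after decryption comes last and replaces "ENCR".
                current["payloads"] = [p.strip() for p in payloads.group(1).split(",")]
    return events


def find_peer_teardowns(events, window=timedelta(seconds=5)):
    """Flag IKE SAs the peer deletes right after our IKE_AUTH response."""
    findings = []
    for i, sent in enumerate(events):
        if (sent["direction"], sent["message"]) != ("out", "IKE_AUTH-RESPONSE"):
            continue
        for later in events[i + 1:]:
            if later["time"] - sent["time"] > window:
                break
            if (later["direction"] == "in" and later["message"] == "INFORMATIONAL-REQUEST"
                    and later["spis"] == sent["spis"] and "DELETE" in later["payloads"]):
                delay = (later["time"] - sent["time"]) // timedelta(milliseconds=1)
                findings.append({"spis": sent["spis"], "delay_ms": delay})
                break
    return findings


if __name__ == "__main__":
    for hit in find_peer_teardowns(parse_events(SAMPLE_TRACE)):
        print(f"IKE SA {hit['spis']}: peer sent DELETE {hit['delay_ms']} ms "
              "after our IKE_AUTH response; check the peer's own log")
```

A hit only says that the rejection happened on the peer's side; the reason has to come from the peer's log.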
tbc233
Posts: 343
Registered: 01 Feb 2005, 21:56

Re: IKEv2 connection with Android 13

Post by tbc233 »

Yes, I also thought that it is no longer down to the Lancom now.
Unfortunately, I don't know how I could get at more debug info on the Android side here.

Changing the ID to android3.intern or also android3.com unfortunately changed nothing.
Best regards,
michael
Dr.Einstein
Posts: 2893
Registered: 12 Jan 2010, 14:10

Re: IKEv2 connection with Android 13

Post by Dr.Einstein »

Have you set the PSK in the Lancom identically for remote and local?
tbc233
Posts: 343
Registered: 01 Feb 2005, 21:56

Re: IKEv2 connection with Android 13

Post by tbc233 »

Yes, it is identical.
Best regards,
michael
Dr.Einstein
Posts: 2893
Registered: 12 Jan 2010, 14:10

Re: IKEv2 connection with Android 13

Post by Dr.Einstein »

Try Key-ID instead of FQDN as the Local ID Type, but with the same content. I have found several guides here that contradict each other regarding FQDN and Key-ID (group key).

You should find the log file under Settings. Unfortunately (or fortunately?) I currently have no Android phone at hand.

Perhaps the phone also doesn't like getting the same DNS server twice:

Code: Select all

| Attribute 1
| | Type            : Variable, INTERNAL_IP4_DNS
| | Length          : 4
| | Value           : 10.121.14.1
| Attribute 2
| | Type            : Variable, INTERNAL_IP4_DNS
| | Length          : 4
| | Value           : 10.121.14.1
GrandDixence
Posts: 1054
Registered: 19 Aug 2014, 22:41

Re: IKEv2 connection with Android 13

Post by GrandDixence »

In the newest Android versions, Google has tightened the security screws considerably and raised the security requirements.

Anyone who does not want to fight with Google uses the corresponding VPN guide at:
fragen-zum-thema-vpn-f14/vpn-via-androi ... tml#p97795
and uses the VPN app "strongSwan VPN Client". I last tested this Android VPN guide successfully in December 2022 with LCOS 10.42 RU7 and the current strongSwan Android app on Android 12.

Personally, I find the encryption settings of the LANCOM router presented here too lax: at least DH31 (CURVE25519) in combination with AES-GCM-128 should well be feasible with newer Android versions as the VPN endpoint. => See the 2nd proposal of the IKE_SA_INIT message.

Anyone who has then set up the VPN tunnel to the Android device according to this VPN guide can also use the machine certificate (X.509) right away for the WLAN login via WPA2-Enterprise. It is essential to note here that newer Android versions require a SAN for X.509 certificates. See:
https://www.heise.de/hintergrund/Chrome ... 17594.html

In short, for OpenSSL:

Code: Select all

subjectAltName = DNS:routerGrandDixence.spdns.de

or

Code: Select all

subjectAltName = IP:<Öffentliche IPv4-Adresse meines Routers>

that is:

Code: Select all

subjectAltName = IP:1.2.3.4

We have the Google employees to thank for the SAN requirement...

If Google didn't exist, there would be a few fewer problems on this globe!

A further (very time-consuming) stumbling block when using WPA2-Enterprise on Android 12 was the WLAN configuration parameter "Domäne" (Domain). The RADIUS server (in the LANCOM router) must present a RADIUS machine certificate (including a SAN, of course) that matches the WLAN configuration parameter Domain in the Android settings. So, for example:

WLAN configuration parameter "Domain": mycompany.com

RADIUS machine certificate (X.509) of router 1: zentrale.mycompany.com
RADIUS machine certificate (X.509) of router 2: nebenstelle.mycompany.ch
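A pre-flight check for the two requirements named in the post above (a SAN must be present, and it must fit the "Domain" setting), written as an added example that is not part of the original post. It assumes that the Android "Domain" value is compared label by label as a suffix of the certificate's DNS SAN entries (the behaviour of wpa_supplicant's domain_suffix_match); the function names and the input names other than zentrale.mycompany.com are constructed.

```python
import ipaddress


def parse_san(line):
    """Parse an OpenSSL-style 'subjectAltName = DNS:a.example, IP:1.2.3.4' line."""
    _, _, value = line.partition("=")
    entries = []
    for item in value.split(","):
        kind, sep, name = item.strip().partition(":")
        kind, name = kind.strip().upper(), name.strip()
        if not sep or not name:
            raise ValueError(f"malformed SAN entry: {item.strip()!r}")
        if kind == "IP":
            # ip_address() rejects placeholders and typos instead of passing them on.
            name = str(ipaddress.ip_address(name))
        elif kind == "DNS":
            name = name.lower().rstrip(".")
        entries.append((kind, name))
    return entries


def suffix_match(dns_name, domain):
    """Label-wise suffix comparison: whole labels must match, not characters."""
    name_labels = dns_name.lower().rstrip(".").split(".")
    domain_labels = domain.lower().rstrip(".").split(".")
    return (len(domain_labels) <= len(name_labels)
            and name_labels[-len(domain_labels):] == domain_labels)


def check_radius_cert(san_line, domain):
    """Return (ok, reason) for a RADIUS certificate's SAN line and the
    Domain value configured on the client (assumed suffix-match semantics)."""
    if not domain.strip():
        raise ValueError("Domain setting is empty")
    if not san_line.strip():
        return False, "certificate has no subjectAltName"
    dns_names = [name for kind, name in parse_san(san_line) if kind == "DNS"]
    if not dns_names:
        return False, "SAN has no DNS entry to compare with the Domain setting"
    for name in dns_names:
        if suffix_match(name, domain):
            return True, f"{name} matches Domain {domain}"
    return False, f"no DNS SAN entry ends in the labels of {domain}"


if __name__ == "__main__":
    for san in ("subjectAltName = DNS:zentrale.mycompany.com",      # from the post
                "subjectAltName = DNS:zentrale.notmycompany.com",   # constructed
                "subjectAltName = IP:1.2.3.4",                      # IP-only SAN
                ""):                                                # no SAN at all
        print(repr(san), "->", check_radius_cert(san, "mycompany.com"))
```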
Dr.Einstein
Posts: 2893
Registered: 12 Jan 2010, 14:10

Re: IKEv2 connection with Android 13

Post by Dr.Einstein »

GrandDixence wrote: 19 Dec 2022, 20:53 Personally, I find the encryption settings of the LANCOM router presented here too lax: AES-GCM-128
Please justify that.
GrandDixence
Posts: 1054
Registered: 19 Aug 2014, 22:41

Re: IKEv2 connection with Android 13

Post by GrandDixence »

Where possible, "authenticated encryption modes" (e.g. GCM) are to be preferred over "Encrypt-then-MAC" or "MAC-then-Encrypt" (e.g. CBC). See page 4 at:
https://www.golem.de/news/verschluessel ... 01457.html

And on DH31 (CURVE25519) there is some easily digestible background information at:
https://www.golem.de/news/bernstein-geg ... 10935.html

DH31 in combination with AES-GCM-128 is feasible thanks to the 2nd proposal of the IKE_SA_INIT message.
Last edited by GrandDixence on 19 Dec 2022, 23:43, edited 5 times in total.