[Solved] IPsec (IKEv2) via OPNsense and MikroTik

[inzrust]

Hi! All!

There is a problem when connecting OPNsense to MikroTik.

MikroTik can not configure SA.
I made up a test stand.
Versions last, stable.

Please tell me where I'm wrong.

Scheme

Code: [Select]

                    +----------+                     +----------+
 192.168.99.0/24   3| OPNsense |2   10.58.22.0/30   1| MikroTik |    192.168.88.0/24
                +---|__________|---------------------|__________|---+
                |                                                   |
               2|                                                  2|
            +-------+                                           +-------+
            | HOST1 |                                           | HOST2 |
            +-------+                                           +-------+


MikroTik

/ip address print

Code: [Select]

10.58.22.1/30      10.58.22.0      ether1
192.168.88.1/24    192.168.88.0    ether2-master

/ip firewall filter print

Code: [Select]

3    chain=input action=accept protocol=udp dst-port=500

4    chain=input action=accept protocol=udp dst-port=4500

5    chain=input action=accept protocol=ipsec-esp log=no

9    ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN

/ip firewall nat print

Code: [Select]

0    chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.99.0/24

1    chain=srcnat action=masquerade out-interface=ether1

/ip ipsec proposal print

Code: [Select]

name="test" auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=30m pfs-group=modp2048

/ip ipsec peer print

Code: [Select]

address=10.58.22.2/32 auth-method=pre-shared-key secret="test" generate-policy=port-strict policy-template-group=test exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=modp2048 dpd-interval=2m

/ip ipsec policy print

Code: [Select]

group=test src-address=192.168.88.0/24 dst-address=192.168.99.0/24 protocol=all proposal=test template=yes

/ip ipsec policy group print

Code: [Select]

test

/log print

Code: [Select]

.....................
.....................

15:42:17 ipsec,info new ike2 SA (I): 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:17 ipsec,info peer authorized: 10.58.22.1[4500]-10.58.22.2[4500] spi:9e96b25638ae0016:3cf48cce8745c6ff
15:42:34 ipsec,error no proposal chosen

OPNSense

/usr/local/etc/ipsec.conf

Code: [Select]

# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug="chd 4"

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = 10.58.22.2
  right = 10.58.22.1
  leftid = 10.58.22.2
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha512-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 10.58.22.1
  rightsubnet = 192.168.88.0/24
  leftsubnet = 192.168.99.0/24
  esp = aes256-sha512-modp2048,aes256gcm16-sha512-modp2048!
  auto = route

ipsec statusall

Code: [Select]

Status of IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64):
  uptime: 2 minutes, since Nov 13 13:50:58 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Listening IP addresses:
  192.168.99.3
  10.58.22.2
Connections:
        con1:  10.58.22.2...10.58.22.1  IKEv2
        con1:   local:  [10.58.22.2] uses pre-shared key authentication
        con1:   remote: [10.58.22.1] uses pre-shared key authentication
        con1:   child:  192.168.99.0/24 === 192.168.88.0/24 TUNNEL
Routed Connections:
        con1{1}:  ROUTED, TUNNEL, reqid 1
        con1{1}:   192.168.99.0/24 === 192.168.88.0/24
Security Associations (1 up, 0 connecting):
        con1[2]: ESTABLISHED 2 minutes ago, 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
        con1[2]: IKEv2 SPIs: 8151fd73911c4573_i ce875f1011cf37df_r*, pre-shared key reauthentication in 7 hours
        con1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

/var/log/ipsec.log

Code: [Select]

Nov 13 09:49:40 OPNsense charon: 00[IKE] sending DELETE for IKE_SA con1[1]
Nov 13 09:49:40 OPNsense charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Nov 13 09:49:40 OPNsense charon: 00[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:40 OPNsense charon: 00[CHD] CHILD_SA con1{1} state change: ROUTED => DESTROYING
Nov 13 09:49:42 OPNsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.0-RELEASE-p12, amd64)
Nov 13 09:49:42 OPNsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 13 09:49:42 OPNsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 13 09:49:42 OPNsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov 13 09:49:42 OPNsense charon: 00[CFG]   loaded IKE secret for 10.58.22.1
Nov 13 09:49:42 OPNsense charon: 00[CFG]   loaded IKE secret for test
Nov 13 09:49:42 OPNsense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 09:49:42 OPNsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Nov 13 09:49:42 OPNsense charon: 00[JOB] spawning 16 worker threads
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: add connection 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] added configuration 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CFG] received stroke: route 'con1'
Nov 13 09:49:42 OPNsense charon: 16[CHD] CHILD_SA con1{1} state change: CREATED => ROUTED
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (424 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[IKE] faking NAT situation to enforce UDP encapsulation
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (440 bytes)
Nov 13 09:49:46 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (432 bytes)
Nov 13 09:49:46 OPNsense charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
Nov 13 09:49:46 OPNsense charon: 16[CFG] looking for peer configs matching 10.58.22.2[%any]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[CFG] selected peer config 'con1'
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.1' with pre-shared key successful
Nov 13 09:49:46 OPNsense charon: 16[IKE] authentication of '10.58.22.2' (myself) with pre-shared key
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] IKE_SA con1[1] established between 10.58.22.2[10.58.22.2]...10.58.22.1[10.58.22.1]
Nov 13 09:49:46 OPNsense charon: 16[IKE] scheduling reauthentication in 28209s
Nov 13 09:49:46 OPNsense charon: 16[IKE] maximum IKE_SA lifetime 28749s
Nov 13 09:49:46 OPNsense charon: 16[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:46 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:46 OPNsense charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Nov 13 09:49:46 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (192 bytes)
Nov 13 09:49:55 OPNsense charon: 16[KNL] creating acquire job for policy 10.58.22.2/32 === 10.58.22.1/32 with reqid {1}
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[IKE] establishing CHILD_SA con1{2} reqid 1
Nov 13 09:49:55 OPNsense charon: 16[ENC] generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Nov 13 09:49:55 OPNsense charon: 16[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (576 bytes)
Nov 13 09:49:56 OPNsense charon: 13[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (496 bytes)
Nov 13 09:49:56 OPNsense charon: 13[ENC] parsed CREATE_CHILD_SA request 2 [ No KE SA TSi TSr ]
Nov 13 09:49:56 OPNsense charon: 13[IKE] traffic selectors 10.58.22.2/32 === 10.58.22.1/32 inacceptable
Nov 13 09:49:56 OPNsense charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 13[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Nov 13 09:49:56 OPNsense charon: 13[NET] sending packet: from 10.58.22.2[4500] to 10.58.22.1[4500] (96 bytes)
Nov 13 09:49:56 OPNsense charon: 16[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (240 bytes)
Nov 13 09:49:56 OPNsense charon: 16[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 13 09:49:56 OPNsense charon: 16[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 13 09:49:56 OPNsense charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 13 09:49:56 OPNsense charon: 16[CHD] CHILD_SA con1{2} state change: CREATED => DESTROYING


[mimugmail]

I have no idea of Mikrotik, but for me it seems at OPNsense it's Mode Tunnel and on Mikrotik Mode Transport ...

[inzrust]

Hi, mimugmail.

It is template.
It must generate the necessary rule, but for some unknown reason it does not do so.

Now the situation is

Code: [Select]

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0  XI  src-address=192.168.88.0/24 src-port=any dst-address=192.168.99.0/24 dst-port=any protocol=all action=encrypt level=require
       ipsec-protocols=esp tunnel=yes sa-src-address=10.58.22.1 sa-dst-address=10.58.22.2 proposal=test ph2-count=0

 1 T   group=test src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=test template=yes

 2  DA  src-address=10.58.22.1/32 src-port=any dst-address=10.58.22.2/32 dst-port=any protocol=all action=encrypt level=unique
       ipsec-protocols=esp tunnel=yes sa-src-address=10.58.22.1 sa-dst-address=10.58.22.2 proposal=test ph2-count=1


Code: [Select]

/ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
 0  E spi=0 src-address=10.58.22.1:5 dst-address=10.58.22.2:1 state=larval add-lifetime=0s/30s replay=0


Code: [Select]

/log print
18:00:37 ipsec,error no proposal chosen
18:12:40 ipsec,info killing ike2 SA: 10.58.22.1[4500]-10.58.22.2[4500] spi:0aebd3e888ffbd8c:eb3d798833168faf
18:12:45 ipsec,info new ike2 SA (I): 10.58.22.1[4500]-10.58.22.2[4500] spi:69e2d179b2a2e9f9:697e0487c7b3d3fe
18:12:45 ipsec,info peer authorized: 10.58.22.1[4500]-10.58.22.2[4500] spi:69e2d179b2a2e9f9:697e0487c7b3d3fe


Code: [Select]

Nov 13 15:13:00 OPNsense charon: 15[CFG] received stroke: add connection 'con1'
Nov 13 15:13:00 OPNsense charon: 15[CFG] added configuration 'con1'
Nov 13 15:13:00 OPNsense charon: 14[CFG] received stroke: route 'con1'
Nov 13 15:13:00 OPNsense charon: 14[CHD] CHILD_SA con1{1} state change: CREATED => ROUTED
Nov 13 15:13:02 OPNsense charon: 14[MGR] checkout IKEv2 SA by message with SPIs 69e2d179b2a2e9f9_i 0000000000000000_r
Nov 13 15:13:02 OPNsense charon: 14[MGR] created IKE_SA (unnamed)[1]
Nov 13 15:13:02 OPNsense charon: 14[NET] received packet: from 10.58.22.1[4500] to 10.58.22.2[4500] (424 bytes)
Nov 13 15:13:02 OPNsense charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Nov 13 15:13:02 OPNsense charon: 14[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 15:13:02 OPNsense charon: 14[IKE] 10.58.22.1 is initiating an IKE_SA
Nov 13 15:13:02 OPNsense charon: 14[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Nov 13 15:13:02 OPNsense charon: 14[IKE] natd_chunk => 22 bytes @ 0x000005f67b2fed80
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 69 E2 D1 79 B2 A2 E9 F9 00 00 00 00 00 00 00 00  i..y............
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 0A 3A 16 02 11 94                                .:....
Nov 13 15:13:02 OPNsense charon: 14[IKE] natd_hash => 20 bytes @ 0x000005f67b2fed60
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: CA FB B1 9B B7 EF FD FD E1 1A F1 30 E3 DC 7F 1C  ...........0....
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 77 10 4A EA                                      w.J.
Nov 13 15:13:02 OPNsense charon: 14[IKE] natd_chunk => 22 bytes @ 0x000005f67b2fed80
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 69 E2 D1 79 B2 A2 E9 F9 00 00 00 00 00 00 00 00  i..y............
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 0A 3A 16 01 11 94                                .:....
Nov 13 15:13:02 OPNsense charon: 14[IKE] natd_hash => 20 bytes @ 0x000005f67b2feda0
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: A2 C7 51 4B 71 33 0F 89 96 2B 94 EF AA 07 D6 F1  ..QKq3...+......
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 18 24 D6 B4                                      .$..
Nov 13 15:13:02 OPNsense charon: 14[IKE] precalculated src_hash => 20 bytes @ 0x000005f67b2feda0
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: A2 C7 51 4B 71 33 0F 89 96 2B 94 EF AA 07 D6 F1  ..QKq3...+......
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 18 24 D6 B4                                      .$..
Nov 13 15:13:02 OPNsense charon: 14[IKE] precalculated dst_hash => 20 bytes @ 0x000005f67b2fed60
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: CA FB B1 9B B7 EF FD FD E1 1A F1 30 E3 DC 7F 1C  ...........0....
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 77 10 4A EA                                      w.J.
Nov 13 15:13:02 OPNsense charon: 14[IKE] received dst_hash => 20 bytes @ 0x000005f67b2fe840
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: CA FB B1 9B B7 EF FD FD E1 1A F1 30 E3 DC 7F 1C  ...........0....
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 77 10 4A EA                                      w.J.
Nov 13 15:13:02 OPNsense charon: 14[IKE] received src_hash => 20 bytes @ 0x000005f67b2fe8c0
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: A2 C7 51 4B 71 33 0F 89 96 2B 94 EF AA 07 D6 F1  ..QKq3...+......
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 18 24 D6 B4                                      .$..
Nov 13 15:13:02 OPNsense charon: 14[IKE] faking NAT situation to enforce UDP encapsulation
Nov 13 15:13:02 OPNsense charon: 14[IKE] shared Diffie Hellman secret => 256 bytes @ 0x000005f67b39a700
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 4E 55 14 75 5C E7 9C 43 49 A0 41 51 3E A6 B1 A7  NU.u\..CI.AQ>...
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: A8 8E 45 7F D6 60 80 66 A6 C9 45 81 C7 77 CD 7A  ..E..`.f..E..w.z
Nov 13 15:13:02 OPNsense charon: 14[IKE]   32: D6 D1 C6 09 5C A8 97 F4 F8 0D ED 08 AB 92 7E A9  ....\.........~.
Nov 13 15:13:02 OPNsense charon: 14[IKE]   48: 7B 13 D0 F7 3D 8E 3E EB A0 AA FA 16 75 D4 38 61  {...=.>.....u.8a
Nov 13 15:13:02 OPNsense charon: 14[IKE]   64: DF 4B 3D 13 85 64 98 73 B9 57 72 E8 6A B5 0C CC  .K=..d.s.Wr.j...
Nov 13 15:13:02 OPNsense charon: 14[IKE]   80: D1 8D 0B 7B F3 4C DF 0F 39 4F 10 45 BA CA B9 02  ...{.L..9O.E....
Nov 13 15:13:02 OPNsense charon: 14[IKE]   96: 61 66 EC 4A 9A 18 26 0C E1 7B 1B 0A 29 6D FC 4A  af.J..&..{..)m.J
Nov 13 15:13:02 OPNsense charon: 14[IKE]  112: 2A 5A 89 05 7C D3 F2 2E 47 B7 20 0F 4B E1 A8 D8  *Z..|...G. .K...
Nov 13 15:13:02 OPNsense charon: 14[IKE]  128: 5B 73 53 CB 06 80 F2 DB 07 E5 68 20 91 D9 44 7A  [sS.......h ..Dz
Nov 13 15:13:02 OPNsense charon: 14[IKE]  144: A3 B7 21 3D 06 9E 4D 15 D5 9F D0 16 68 68 9D 0D  ..!=..M.....hh..
Nov 13 15:13:02 OPNsense charon: 14[IKE]  160: 1B 7C 01 54 2B 98 D8 EC A0 90 D9 15 D2 E2 6F 02  .|.T+.........o.
Nov 13 15:13:02 OPNsense charon: 14[IKE]  176: 49 41 AB 22 D2 02 A9 58 24 C4 35 F1 3C 5A 5A DA  IA."...X$.5.<ZZ.
Nov 13 15:13:02 OPNsense charon: 14[IKE]  192: B7 96 2E 8F 65 4C BC 2E 32 97 60 A0 A0 E7 EA FA  ....eL..2.`.....
Nov 13 15:13:02 OPNsense charon: 14[IKE]  208: 55 F7 6F CF 11 D5 0E 47 9F A1 88 43 96 20 21 DD  U.o....G...C. !.
Nov 13 15:13:02 OPNsense charon: 14[IKE]  224: 26 D8 03 19 CB 6B FA BC 52 9D 92 B8 AE D9 81 3A  &....k..R......:
Nov 13 15:13:02 OPNsense charon: 14[IKE]  240: 8A 04 3D EF 12 60 6E 3C FF 66 64 D9 51 55 DE F6  ..=..`n<.fd.QU..
Nov 13 15:13:02 OPNsense charon: 14[IKE] SKEYSEED => 64 bytes @ 0x000005f67b340300
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 8A FD EC FB 20 56 CE 28 F6 3B 88 E2 51 C0 CC 58  .... V.(.;..Q..X
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 58 04 F8 BF 4C 0B B0 93 45 6F 64 17 1F 47 B3 EF  X...L...Eod..G..
Nov 13 15:13:02 OPNsense charon: 14[IKE]   32: D2 E6 6F DC 98 28 E6 9D 7C 15 19 07 E5 E4 57 A1  ..o..(..|.....W.
Nov 13 15:13:02 OPNsense charon: 14[IKE]   48: A6 D0 95 E3 6D 40 4B 9D 7E 5E D1 6B 9F BC 35 E8  ....m@K.~^.k..5.
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_d secret => 64 bytes @ 0x000005f67b340240
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 5A 20 62 F0 3D BD C7 38 71 55 22 A9 A5 34 DB 0C  Z b.=..8qU"..4..
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 0E 2C D5 AB 95 B5 B7 D9 E9 9B BE 85 47 03 C9 54  .,..........G..T
Nov 13 15:13:02 OPNsense charon: 14[IKE]   32: D6 7A 70 99 89 D0 AB 3E F2 C6 C1 C6 A7 FA CD 9C  .zp....>........
Nov 13 15:13:02 OPNsense charon: 14[IKE]   48: 02 99 42 E9 28 BF 61 A7 17 CC 85 D6 34 0F DD 86  ..B.(.a.....4...
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_ai secret => 64 bytes @ 0x000005f67b3402c0
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: BF 2E 0F 2D C3 66 3F 73 57 BE C2 32 4B 28 1E 04  ...-.f?sW..2K(..
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 5D 72 B7 81 09 1C 31 FA 86 49 40 BC 0B 30 95 2C  ]r....1..I@..0.,
Nov 13 15:13:02 OPNsense charon: 14[IKE]   32: A3 A1 C8 98 AF 48 57 DD EB C2 5E 0A 53 16 A5 0F  .....HW...^.S...
Nov 13 15:13:02 OPNsense charon: 14[IKE]   48: 65 5A AE 30 B7 FF 61 D3 61 13 5B FD 44 17 09 4D  eZ.0..a.a.[.D..M
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_ar secret => 64 bytes @ 0x000005f67b340300
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 71 09 B5 F7 41 61 4F 45 32 C6 30 89 A2 11 2B C5  q...AaOE2.0...+.
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 81 9E 94 33 47 3C 58 32 CD 2B 5A 18 0A 02 0E 33  ...3G<X2.+Z....3
Nov 13 15:13:02 OPNsense charon: 14[IKE]   32: D3 33 A3 67 99 AC F8 55 2F AB 89 40 54 EB B3 7F  .3.g...U/..@T...
Nov 13 15:13:02 OPNsense charon: 14[IKE]   48: 0E 9E 6E 4F 7E 47 71 B2 B3 87 5D 3C 32 8F FA 52  ..nO~Gq...]<2..R
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_ei secret => 32 bytes @ 0x000005f67b2fed80
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 59 9C CC 46 01 34 25 E8 B8 28 A4 14 C1 B3 DB 28  Y..F.4%..(.....(
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 1C 08 EC 20 92 02 75 45 44 4E 8B 92 EE AD CE 3C  ... ..uEDN.....<
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_er secret => 32 bytes @ 0x000005f67b2fedc0
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: A7 D9 54 DD C7 2B 0F 1B 3C A7 77 F7 59 8E FF 6B  ..T..+..<.w.Y..k
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: F4 96 48 4C 74 38 0E 36 7B 14 75 0C 41 23 70 05  ..HLt8.6{.u.A#p.
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_pi secret => 64 bytes @ 0x000005f67b340300
Nov 13 15:13:02 OPNsense charon: 14[IKE]    0: 5C D7 1C 66 DF 6A 88 FB 50 5B 85 9E 82 A7 75 B8  \..f.j..P[....u.
Nov 13 15:13:02 OPNsense charon: 14[IKE]   16: 1C 98 FB 9E 5B DB 32 36 2C 70 FB 75 9E 30 46 DD  ....[.26,p.u.0F.
Nov 13 15:13:02 OPNsense charon: 14[IKE]   32: 41 8B EA 2F B0 3E 1B 01 73 D6 1D 7D AA FF E2 02  A../.>..s..}....
Nov 13 15:13:02 OPNsense charon: 14[IKE]   48: 4A 78 A2 B2 66 6D D4 04 3A A3 4B F5 06 37 D6 35  Jx..fm..:.K..7.5
Nov 13 15:13:02 OPNsense charon: 14[IKE] Sk_pr secret => 64 bytes @ 0x000005f67b3402c0

I now have an idea where I'm wrong. Now I'll check.

[inzrust]

Thank you. The problem really was with "politics."