PKI证书client-GW

一、组网需求

如图所示，某公司内部有一台OA服务器，在外移动办公的工作人员需要通过vpn,拨入到公司内网来对内网服OA服务器进行访问，采用证书认证的方式。

二、网络拓扑

三、配置要点

1、基本上网配置（详细请参见"路由模式上网配置章节"）

2、FortiGate配置IPsec VPN

3、PC端配置Forticlient客户端的拨号

说明：如果要删除IPSEC VPN第一阶段、第二阶段时，需要先删除被调用的路由或防火墙安全策略。

四、配置步骤

1、基本上网配置

配置详细过程请参照 "路由模式典型功能--单线上网--静态地址线路上网配置"一节：

接口IP配置如下：

路由配置如下

2、配置IPsec VPN

1）导入证书到FortiGate

需要提前通过证书颁发机构获取，以下三张证书：

给FortiGate VPN使用的数字证书、给user1使用的数据证书、CA证书颁发机构的根证书。

具体操作参考 " IPSec VPN--点到点vpn--PKI证书认证"一节。

需要事先在防火墙上导入VPN的CA服务器根证书：TACROOTCA和防火墙本地由CA签发过的证书：FortiGate1_BJ。

2）定义用户组

菜单：设置用户&设备--用户组：点击"新建"

添加用户组:IPsec-VPN-Group,添加user1用户到该组。

3）创建IPsec Client策略

推荐调整（模板默认是any peer，推荐配置指定的Peer证书）：

FortiClient拨号的VPN模板具体配置了什么：

config user local

edit "user1"

set type password

set passwd 11111111

end

config user group

edit "IPsec-VPN-Group"

set member "user1"

end

config user peer

edit "Dia-ca_peer"

set ca "CA_Cert_1"

end

config firewall address

edit "192.168.0.0/24"

set allow-routing enable

set subnet 192.168.0.0 255.255.255.0

edit "Dia-ca_range"

set type iprange

set comment "VPN: Dia-ca (Created by VPN wizard)"

set start-ip 10.202.1.100

set end-ip 10.202.1.200

end

config firewall addrgrp

edit "Dia-ca_split"

set member "192.168.0.0/24"

set comment "VPN: Dia-ca (Created by VPN wizard)"

end

config vpn ipsec phase1-interface

edit "Dia-ca"

set type dynamic

set interface "wan1"

set authmethod signature

set mode aggressive

set mode-cfg enable

set ipv4-dns-server1 114.114.114.114

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

set dpd on-idle

set comments "VPN: Dia-ca (Created by VPN wizard)"

set xauthtype auto

set authusrgrp "IPsec-VPN-Group" // 用户名和密码

set certificate "FortiGate1_BJ" // 自己的用户证书

set peer "Dia-ca_peer" // 用于校验对方（user1）的证书

set ipv4-start-ip 10.202.1.100

set ipv4-end-ip 10.202.1.200

set ipv4-netmask 255.255.255.0

set ipv4-split-include "Dia-ca_split"

set save-password enable

set client-auto-negotiate enable

set client-keep-alive enable

set dpd-retryinterval 60

end

config vpn ipsec phase2-interface

edit "Dia-ca"

set phase1name "Dia-ca"

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set comments "VPN: Dia-ca (Created by VPN wizard)"

end

config firewall policy

edit 2

set name "vpn_Dia-ca_remote"

set srcintf "Dia-ca"

set dstintf "lan"

set srcaddr "Dia-ca_range"

set dstaddr "192.168.0.0/24"

set action accept

set schedule "always"

set service "ALL"

set comments "VPN: Dia-ca (Created by VPN wizard)"

set nat enable

end

3、PC端配置Forticlient客户端

1）通过CA中心，获取个人数字证书，具体过程请参考" IPSec VPN--点到点vpn--PKI证书认证"一节。

先导入个人证书，然后再导入CA根证书：

导入CA根证书：

确认证书导入情况：

2）配置FortiClient软件

五、检查配置结果

VPNClient在FortiGate上的debug拨号过程：

FortiGate1_BeiJing # diagnose debug application ike -1

Debug messages will be on for 13 minutes.

FortiGate1_BeiJing # diagnose debug enable

FortiGate1_BeiJing # ike 0: comes 192.168.91.133:500->100.1.1.1:500,ifindex=7....

ike 0: IKEv1 exchange=Aggressive id=f9694dbf0b294dce/0000000000000000 len=614

ike 0: in F9694DBF0B294DCE000000000000000001100400000000000000026604000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E00808003000380020002800400050000002802010000800B0001000C00040001518080010007800E01008003000380020004800400050A0000C4E7DAF79F97482B9BCDCA6F58553391C9A52F87F1731C9803D74453B98098F7739BEA35F49C5C5DF777D15A6BAE2DA3964663D74DFECCBE421CA407DDFD75AC866BAFE944512FF96FC639B270DFBEA72D18666289F752A7ED0E1D0C75F1A12DB404B8CD7FCB493672D0717BCFB488EA07E2821CC4645EE72EB8C15830ED454441E4EB44FEED8631FAEFD01E5618F7EAD4318B40EEE49A19C61BA77EDD64804051FE0785157167D3A0EAA8846934876E9D50F8C73AAEC376EB360BA93237020A5505000014FCC90A9E50E17C62651D990DBFF5F0970D00007D090000003073310B300906035504061302434E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C03544143310E300C06035504030C0575736572313121301F06092A864886F70D0109011612757365723140666F7274696E65742E636F6D0700001412F5F28C457168A9702D9FE274CC01000D000005040D0000144A131C81070358455C5728F20E95452F0D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D000014AFCAD71368A1F1C96B8696FC775701000D0000144C53427B6D465D1B337BB755A37A7FEF00000014B4F01CA951E9DA8D0BAFBBD34AD3044E

ike 0:f9694dbf0b294dce/0000000000000000:242: responder: aggressive mode get 1st message...

ike 0:f9694dbf0b294dce/0000000000000000:242: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100

ike 0:f9694dbf0b294dce/0000000000000000:242: VID RFC 3947 4A131C81070358455C5728F20E95452F

ike 0:f9694dbf0b294dce/0000000000000000:242: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448

ike 0:f9694dbf0b294dce/0000000000000000:242: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F

ike 0:f9694dbf0b294dce/0000000000000000:242: VID DPD AFCAD71368A1F1C96B8696FC77570100

ike 0:f9694dbf0b294dce/0000000000000000:242: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF

ike 0:f9694dbf0b294dce/0000000000000000:242: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E

ike 0::242: received peer identifier DER_ASN1_DN 'C = CN, L = BeiJing, O = Fortinet, OU = TAC, CN = user1, emailAddress = user1@fortinet.com'

ike 0: cache rebuild start

ike 0:Dia-ca: cached as wildcard, user peer 'Dia-ca_peer'

ike 0: cache rebuild done

ike 0: IKEv1 Aggressive, comes 192.168.91.133:500->100.1.1.1 7

ike 0:f9694dbf0b294dce/0000000000000000:242: negotiation result

ike 0:f9694dbf0b294dce/0000000000000000:242: proposal id = 1:

ike 0:f9694dbf0b294dce/0000000000000000:242: protocol id = ISAKMP:

ike 0:f9694dbf0b294dce/0000000000000000:242: trans_id = KEY_IKE.

ike 0:f9694dbf0b294dce/0000000000000000:242: encapsulation = IKE/none

ike 0:f9694dbf0b294dce/0000000000000000:242: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128

ike 0:f9694dbf0b294dce/0000000000000000:242: type=OAKLEY_HASH_ALG, val=SHA.

ike 0:f9694dbf0b294dce/0000000000000000:242: type=AUTH_METHOD, val=RSA_SIG.

ike 0:f9694dbf0b294dce/0000000000000000:242: type=OAKLEY_GROUP, val=MODP1536.

ike 0:f9694dbf0b294dce/0000000000000000:242: ISAKMP SA lifetime=86400

ike 0:f9694dbf0b294dce/0000000000000000:242: SA proposal chosen, matched gateway Dia-ca

ike 0:Dia-ca: created connection: 0x538c990 7 100.1.1.1->192.168.91.133:500.

ike 0:Dia-ca: HA L3 state 1/0

ike 0:Dia-ca:242: DPD negotiated

ike 0:Dia-ca:242: peer supports UNITY

ike 0:Dia-ca:242: enable FortiClient license check

ike 0:Dia-ca:242: FEC vendor ID received FEC but IP not set

ike 0:Dia-ca:242: selected NAT-T version: RFC 3947

ike 0:Dia-ca:242: cookie f9694dbf0b294dce/609aaea102c0f316

ike 0:Dia-ca:242: ISAKMP SA f9694dbf0b294dce/609aaea102c0f316 key 16:9AA6DE70258BEEE70F724DFFDCF2A14B

ike 0:Dia-ca: building CERTREQ for CA CA_Cert_1

ike 0:Dia-ca:242: local cert, subject='FortiGate1_BJ', issuer='TACROOTCA'

ike 0:Dia-ca:242: local CA cert, subject='TACROOTCA', issuer='TACROOTCA'

ike 0:Dia-ca:242: out F9694DBF0B294DCE609AAEA102C0F316011004000000000000000D0B0400003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000380020002800400050A0000C4D148DE9E9EF80A145CAA09DC5CEC3EDBE0FAFD30B46C858443C04E27D46C82CB3E690A378CDB27E903FDC36F402157FFCBFD022E4807FE7ADCC2C56CB8EF41D7F1676218996885FB50B6106EE79A815D13A4F26EA8FCACFB97E06ACAB783B4B6EB41DA6BE366A908AB5F5469365DF8A194ADF09F49D6B5BF8BE106DF4346B979C1ACCEE9AE809F942CE7F53DC1C4AE5BED2E3493920C5F832C7944A99FD3CAA07860083AD84F409F2C2CD0859D161FBC935E420E2FA1483E6B2714D4E366669D050000146A413B33141367C3DB05B00F996A328B0600008709000000307D310B300906035504061302434E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035441433116301406035504030C0D466F72746947617465315F424A3123302106092A864886F70D0109011614737570706F727440666F7274696E65742E636F6D0600047E04308204753082035DA00302010202030186BB300D06092A864886F70D01010B0500308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D301E170D3139303332313039343935325A170D3230303332303039343935325A307D310B300906035504061302434E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035441433116301406035504030C0D466F72746947617465315F424A3123302106092A864886F70D0109011614737570706F727440666F7274696E65742E636F6D30820122300D06092A864886F70D01010105000382010F003082010A02820101009A6463D9C44E7960421BDFE8DFB7A4ED47720B8CA347D0000C10126548EE71A5DD227CC8A5BD230A53609AA96D62D6B084180A7960EA754E8D7D5C1F4A974E9B545C0783612118544410BF728FE557A4FA502534DD7207097CECDE0E7201018F1EC3988690A0C3B08367738F0DF5EFECA441F48780A9E6D7BEBE898BAD4001E8859324615A23D989044D3D18B9FDBE35E2FFFBC7E3D6F20438CF7A7B380C4EC4297703A28EC39118C59CA2AA78585E578D04C65E6BD2B5F37219661D2A7F57208ECB9E3DA5CF00440790DA08AEAC63289DA828CD26A30DAF476202DCA73672959EE50085B45ECF093B16C9E8CDA14A071629145A0C208755CE8CEFD38732305B0203010001A381F03081ED300C0603551D130101FF04023000301D0603551D0E041604144B9D7BD015AA2FB4A1BAF396E9945AEF839AFF993081BD0603551D230481B53081B2801478BF7A00747924D5D431FBF518DED819A078D33EA1818FA4818C308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D8208470443DD83AE2951300D06092A864886F70D01010B050003820101005AAAB548C74D2A5EBBA58C78A1D8D46DB901FD42B330F3E00E85FC03329681414B1E0356388FB0AAA663C597727537FF73416F4191B45B8C881A46728F6F4F8491DA1974AD514B19B89A1F55DDF589FECB29CC497D481C5EACB75B2E13964B4B8AC28F7A940FA48044E426B7333EDE10F8A5FA9303EC17B64FFC424A50FB3A4C0337FB3F52A843EDA489FC375814D3616A9538607CC971183E2C05550EF37BFB5AE1B93A8CB52595DAA4B6CB22B882CD8353B6A128E16055D0CCE178F01A9DD8A6C0F8FDC9BCD4462FDC6C97B59EBEBAA7CF9AA0867F9936942BA30609228204E5F2DDBEDE51AD4C496C5FC351B1C88A2D69DACCC8E326180782B6DAB33D22B5090004A1043082049830820380A0030201020208470443DD83AE2951300D06092A864886F70D01010B0500308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D301E170D3137303330323130303931365A170D3237303232383130303931365A308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100C181A6EB0FEE59BF057BFD537ED2CB48A2177BCF15B8D588DE56E9AB2A33BC735A2D3A4C4625B71E3967266FE529DBAF492EEDADEAD47D7DC27438A7597DE4E3D1CB9CAB569E656515B74BFB1EC15531892AF7B3838214CEB2AED59D6878A95DC1688AD2D5ECEF0DF92F31F97715F7775FE01F3EE8A36BFC6C4E7A94E018C8A7A124743CFCE17B6D8A6D0769B7115D2F496543D8B72FB7486A838FD07CF3E3E2A5635E08681488415387D985D3CD5F805E8F9602A0DD4DAC658C551EB5C7D10724A81A917F2F2B55369FE18E7A59048C3C7A8A05BC88EE0D09D275232CB5C645AFCB875E290E30FF38B876F01468CB82BF2EB2BBC266882430623CCBBD1D04350203010001A38201003081FD300F0603551D130101FF040530030101FF301D0603551D0E0416041478BF7A00747924D5D431FBF518DED819A078D33E3081BD0603551D230481B53081B2801478BF7A00747924D5D431FBF518DED819A078D33EA1818FA4818C308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D8208470443DD83AE2951300B0603551D0F040403020186300D06092A864886F70D01010B0500038201010011346A52C59962B109509D971AA4114E3EAC7A21182FCD6239EA94F5934234430FC91A36620B66314C5F6391D84E829CBC987F3348298C1A56C316B7C28AF519159A161D9A63957BF8C090395FBCF5B4FBB13328DEFA816E891C1A11EAAF54CDD43293731321B08351BDEF8C0DBF764278B3BEE741FE3F7A2AC60EC9B77367D4FFF30F472E86AB5CAD892E961A102541DA590E18331D3370002702D29D6AB7ADA5F98912F92F62E066F826C3F75448519A12809EE46F3D873C7432C6FA25964979E93A4075479EE69F04BE49737A793082C7DBD3472CDA4970382898A5BD8C261F2A03C3CC04C333F365C92193D81E712917D30E35F7AD6C8853954777ADD5F30700010419882935234D8A273509FC79C6B5C56F860839F9F135717021F208F8C92E1151BCAB82A5078133579421FA1446E78AE4D6E25A1E00C32965EF276FB3A83F83F9A9FC7E8C0001ECE3A4FD3331124F0ACE13AEC0F7C5770D2C7624C009738F635E24BEDABA86D916906F78888F1A4C163A63760BAB0C3F7D2859D88B2F0E83FD42A5480313EAF83D81F3619E93977152A837F4F75F87095F296344C6CB13B5CE38E843476FFDDF157CA20358CB35842E4CBA2EE94D0B45D82EC64B67585BAF85EF3E75043CF6146CB1918027DF5B44EEEE768BA7C28156FB37EED1C17F7AE6DA0AC51090488E9E8C1504D792CA249F533F7DD712494C7908B55ACACD4A6EB721840D00009104308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D140000144A131C81070358455C5728F20E95452F140000183A054B304BA2D9FEB86B68A04458CEB734B182E20D0000188AD9A37175A06D1585E776028866DFB1BDD091A00D000014AFCAD71368A1F1C96B8696FC775701000D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC02040D0000144C53427B6D465D1B337BB755A37A7FEF000000148299031757A36082C6A621DE00000000

ike 0:Dia-ca:242: sent IKE msg (agg_r1send): 100.1.1.1:500->192.168.91.133:500, len=3339, id=f9694dbf0b294dce/609aaea102c0f316

ike 0:Dia-ca:242: sent IKE msg (P1_RETRANSMIT): 100.1.1.1:500->192.168.91.133:500, len=3339, id=f9694dbf0b294dce/609aaea102c0f316

ike 0: comes 192.168.91.133:4500->100.1.1.2:4500,ifindex=7....

ike 0: IKEv1 exchange=Aggressive id=f9694dbf0b294dce/609aaea102c0f316 len=1516

ike 0: in F9694DBF0B294DCE609AAEA102C0F3160610040100000000000005EC0AE0951C229AA4F63CCD36C71F3973010051A8DF18DC068CF95B58A2C5A994EAB239661664F580E2FDB8A33D10064C6D81262CCF753DCAF66F0CB4A5B68EAE24AF57D568941E18A0DAE0F246563681F3C01D5E3B048F4DC6CEFCA1223DD1E4AFAAF4CECF688C45D85928A11669AB932A582FA1FCECABA3F51A7340644AC7C896D3685C461DAF3CA0891DB100E1216958DD83FFA0D89B0A63032195768A673EF22A623C91DFCF273409DF69739D88057F25872C23AB456B62E834195B9C5D45A02E16BCF0E4D8F6BE8E6F0E0F306981F5B63F7A6E83E56E4F72C3C94F3B40AFFE7BB440ADA7923842DD258F51C93A15A23570A2F3D7650D4F4BDE2592F9DCA6839F539B143AA9BD24D1736CA37411A90141C8A0EB0EBFDCBF0943C90FB277FEE28DADD7A430E66EA0A81C343B05783D65F350C36EFA7EF5C93B61AE3A02044D50054051C68995552626791A7FF6975521EC697C23E49C6913E637877D02D9B730CBF71E2582A99CC2FD2DC66912A0F67BEFF571DF44FB8CBE8AD4E269EA52D6880D03ABAFCCD2D574FFE2E3DCCC875DFC0CADDFC1870675CE04B23221BA6D103672CE03E5737BFC87CF3F597FBD85824E02B1890F5FE83225AFB9BE997569E8ED6B1900EE746D0D007708BDF8B7B87BC7C56C8B1E7BC5DBA888A2ADCEB8931494127A879FDFD0AEE76FA036F2D4F41CB7FB800F8FC7FE44F7182BCE8645557007481D567C1D8AB7217CBE9CA6C3DA292DD6EF69A395D1FA003BBF4CF46D83A2449945A2C5D85842308E2C7EC23644174D2660C7D0B047C869BE2A9A21893FA056893350C5A0D20CBC91F4F5A19F5E75EED7A7A564726CA61F67B5033319FC22BCF925DE52EC39F6CB5D80268CADA4F4683B750979046AFBC697926136EC1B3A809F265889B974E1A3DE51DFCF85E50DB65BCB9D2D6DA1743C33AF474955F358FCC68156B8E0E281C5FEEA05324B575581D0466A4AD6B5AB7A1E5D0CF68A967C651BB2B01F6CCEDE772F645A4ED3D2B5D4D7E46AB0DDF6C2E5BE4759DA76BC2BC5E37C9D070F6EF2361583D7476D2513B3FB11DFBF90A8FC8438EE97EDD9A219449BA33AA151F6F91139AB9981045F081C82DED270C03B33FEBB0D6F1292B4A01452B4FE8F7254B3C09A28C6E5C9743C1984B0287FB77754D8E2AAB5C27D70428DE8529A0C0A4A15C71440C548B09F924205A0802C8483C2CBF426BEA74D40F697FAB882CFE83BCB0DAC08CA37E244B6D0ECCA4BA59A86BE1AEFDF9885F24EDC000B77B64F9406B44D26C07B60C5B37C742E3F9E8100C168FAEF51ACD2458395349725924E0FDD12F669BA8F3144E37632B204A6504F73B0F4D36BD55B2F1FEF4A8025669F5E554B62B6BBC6177BF362CC23493238785D4AB192BB04D31AAA0CF74DB15A4F95E84CA6C2A79110CBBFF6C2767435B8272013BD78ED535859533CD66CEE17425B403ABD993A0764210625B44A56CBDF9C043796BDEC82975516E7D82778EE38F63D1E222D858B4FA0051D2BC5F4C401D51997D67C3A3645454ED7B39107A094ADEE969717E7D389C90DF76A3E079DF026BAE6AC0DF88631927A611F01DAEF3E773C16FE27837FCFC128282CA1844D70FA6F357429FF7FB15F45B3DFF13491E76782A591D86BEC2DDF976ADA385A22E0C34BC74FFAE9B12FF435A433452953D37B038A7868B692B207B707DE60A296EE86D8294B2A53ABDFD6A1B207419F81C4259A96576CA7810539A54CA97C877B6BBC5918C6358059947369BF8BA7C86DAA14A34CF2EFC55A410AAAC5751DC5E3A848F1914E109FD12DFE412719AFF95B5C701D44E1ED9C62E7BE55722288D4AC8076499CF4EA25B07D699E6AAC62B5AD876194BA1921F6603F6308F2A374A5E028DDEB7E607B1D57F65B1FA13967061D8BF43BD7AE95464660F52AB3CB7B263192DFC71E021289A3ADAF92B31442C352E116A4D92D2A637CDFBDEC9373CE5E7EBC431A0E68C79BDA5B5A5A289FDC1079D1B474801D23C310B2544B411F18847E3C989A7FA502D489666BEA129D01F165B6A787F65CD8E1D5E22B7B245EDD8FDB40C4012C9B5B6252E19713643FF00AD818D6AC786785A4B2010B6DA589

ike 0:Dia-ca:242: responder: aggressive mode get 2nd response...

ike 0:Dia-ca:242: dec F9694DBF0B294DCE609AAEA102C0F3160610040100000000000005EC09000474043082046B30820353A00302010202030186BD300D06092A864886F70D01010B0500308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D301E170D3139303431353036333434375A170D3230303431343036333434375A3073310B300906035504061302434E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C03544143310E300C06035504030C0575736572313121301F06092A864886F70D0109011612757365723140666F7274696E65742E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100D295BFE3059DCBF014EEAF7B5FD810C3A9AAFE38BE92F2A49976D9F9757776F08BF914EB2D4B0B222AA88EF04CDBD225BFAFAC7DCA8E20C1B875F2C497766EFBF70E58AD06E178C7634BFED57B8504EBC08A5AD0262C630D09E49EEEF21C348847B1FB19ED0EE3C6EB28BA148F093E4A086B77CC841A55343ACD223904A68E11C7583677A0FA00D189F27B55F86D09F39166A80B5E6FD1813E4483C91B02E06F867AC3578E9E56CC4FF13B390DBEEC502DDB1BDF32F64498157B1BFC88C2C2335BCE7FC6076918051A6A3C860E5CB84A6393D4737700897988D94D9FD91864124A69C5BCEBF5A14B4E7B85261FE04E56538D75AE3C0B24C428F59770224A46230203010001A381F03081ED300C0603551D130101FF04023000301D0603551D0E04160414532EFDA10283466415A8C08114286DD194B8BBC13081BD0603551D230481B53081B2801478BF7A00747924D5D431FBF518DED819A078D33EA1818FA4818C308189310B300906035504061302434E3110300E06035504080C074861694469616E3110300E06035504070C074265694A696E673111300F060355040A0C08466F7274696E6574310C300A060355040B0C035461633112301006035504030C09544143524F4F5443413121301F06092A864886F70D01090116126B6D6C697540666F7274696E65742E636F6D8208470443DD83AE2951300D06092A864886F70D01010B0500038201010000FA03456B2F8BFB4E306480E2ABA6B484CB18F670EF85FFFD08506B64684803DAA3E3E5F1E40F97E12882C1666AEDDD9DC9A1DF4C634497A76E2B0E451B3826F0C0317BE3A621F3C7E5C455B08D4C43F3AC8B9911E5F8947886D09A48625E6852DCEB83CC90B2FF2D5FACC09ECA7B95BB09D86344F660AF52ABAC991D731A490069F320BA181A3B5DCFD88BF933065B232F8D7A84ECBFF9A1E0AFCD506E07E630084E275DFB77AB68D364DC1013AED6DBBECC83D87513256D1440AB52FC32C5D6D3CDC02A8F77AF9D40C0AFAE647DD697308837044805B6A6FD24EC1FFB22468CAC9A37B846ACFA77D42D59799D9DFD8D8A5A7DD0EAB57AF04C37C56B1E3A6F140001043913CFAD80421CB5C5BE8B45CD717355FFE32E1FCBB72B7F6584E191702A19133370EEED807C050B5327A1FEE7CB47AD4986CCCC38C301EFDE42B960DAD51E5E9774FDFDD4884D9952EB124E60381BE1F338B6C7DB186136CB9124D29470A0F33013CBE0B58979DDBC198B076205AF35525900FC247BA5F40809ED53499958B5E96F0B508AAB68C2F728CDFE1C8680F6A5AFA456084F332CB9B02049DB926B931D97DD305955001F7A088478E9E249B25B8D55CF460C73FAD964C0963D72AC0362250E9DE47D948C69E0757CA0D304D4851C326B581E9AEBE0442426E2B77AE94FA49AA75587FC1CC5FA123978E2CA17D822B4D57656190BAB2B06621D5B4AD2140000183644058B93386BFC5CCCC4D1D9D8CFA85E7AEC4C0B000018972F6CE046DC486B59066AFD634804DB43F885060000001C0000000101106002F9694DBF0B294DCE609AAEA102C0F31690D7C4CFD490809BA5CBD00B

ike 0:Dia-ca:242: received NAT-D payload type 20

ike 0:Dia-ca:242: received p1 notify type INITIAL-CONTACT

ike 0:Dia-ca:242: Validating X.509 certificate

ike 0:Dia-ca:242: peer cert, subject='user1', issuer='TACROOTCA'

ike 0:Dia-ca:242: peer ID verified

ike 0:Dia-ca:242: building fnbam peer candidate list

ike 0:Dia-ca:242: FNBAM_GROUP_NAME candidate 'Dia-ca_peer'

ike 0:Dia-ca:242: certificate validation pending

ike 0:Dia-ca:242: NAT detected: ME

ike 0: comes 192.168.91.133:4500->100.1.1.2:4500,ifindex=7....

ike 0: IKEv1 exchange=Aggressive id=f9694dbf0b294dce/609aaea102c0f316 len=1516

ike 0:Dia-ca:242: retransmission, ignored since still generating response

ike 0: comes 192.168.91.133:4500->100.1.1.1:4500,ifindex=7....

ike 0: IKEv1 exchange=Aggressive id=f9694dbf0b294dce/609aaea102c0f316 len=1516

ike 0:Dia-ca:242: retransmission, ignored since still generating response

ike 0:Dia-ca:242: fnbam reply 'Dia-ca_peer'

ike 0:Dia-ca:242: fnbam matched peer 'Dia-ca_peer'

ike 0:Dia-ca:242: certificate validation complete

ike 0:Dia-ca:242: certificate validation succeeded

ike 0:Dia-ca:242: signature verification succeeded

ike 0:Dia-ca:242: remote port change 500 -> 4500

ike 0:Dia-ca: adding new dynamic tunnel for 192.168.91.133:4500

ike 0:Dia-ca_0: added new dynamic tunnel for 192.168.91.133:4500

ike 0:Dia-ca_0:242: established IKE SA f9694dbf0b294dce/609aaea102c0f316

ike 0:Dia-ca_0: HA send IKE connection add 100.1.1.1->192.168.91.133

ike 0:Dia-ca_0:242: HA send IKE SA add f9694dbf0b294dce/609aaea102c0f316

ike 0:Dia-ca_0:242: processing INITIAL-CONTACT

ike 0:Dia-ca_0: flushing

ike 0:Dia-ca_0: flushed

ike 0:Dia-ca_0:242: processed INITIAL-CONTACT

ike 0:Dia-ca_0:242: initiating XAUTH.

ike 0:Dia-ca_0:242: sending XAUTH request

ike 0:Dia-ca_0:242: enc F9694DBF0B294DCE609AAEA102C0F316081006019C8E076E000000480E0000184FCE61DFB1A86EB30B279A30DE562C0E2107B5180000001401003589C088000040890000408A0000

ike 0:Dia-ca_0:242: out F9694DBF0B294DCE609AAEA102C0F316081006019C8E076E0000004CE7B3F7F94BB7FE7B2E009B5AAC57D3092DC91302DE89158BCFFE0953AE923C2B1478FBD8BC0992CAB3FC73EBCF92FFB4

ike 0:Dia-ca_0:242: sent IKE msg (cfg_send): 100.1.1.2:4500->192.168.91.133:4500, len=76, id=f9694dbf0b294dce/609aaea102c0f316:9c8e076e

ike 0:Dia-ca_0:242: peer has not completed XAUTH exchange

ike 0:Dia-ca: carrier up

ike 0: comes 192.168.91.133:4500->100.1.1.1:4500,ifindex=7....

ike 0: IKEv1 exchange=Mode config id=f9694dbf0b294dce/609aaea102c0f316:9c8e076e len=92

ike 0: in F9694DBF0B294DCE609AAEA102C0F316081006019C8E076E0000005CC50C8E127E4646C0D60B48A91F3B62F0CCD5E54140684A569692B55BFA35E1D9AA9B00F6FC55F2FDCD34F454B3D680C38A413E882E552967F33EAFAF8DC1BA00

ike 0:Dia-ca_0:242: dec F9694DBF0B294DCE609AAEA102C0F316081006019C8E076E0000005C0E000018E954B44B98A7D5FAD5CBBF0F98C26FB96098F59B0000002102003589C0880000408900057573657231408A00083131313131313131F7C4B89FE49506

ike 0:Dia-ca_0:242: received XAUTH_USER_NAME 'user1' length 5

ike 0:Dia-ca_0:242: received XAUTH_USER_PASSWORD length 8

ike 0:Dia-ca_0: XAUTH user "user1"

ike 0:Dia-ca: auth group IPsec-VPN-Group

ike 0:Dia-ca_0: XAUTH succeeded for user "user1" group "IPsec-VPN-Group"

ike 0:Dia-ca_0:242: enc F9694DBF0B294DCE609AAEA102C0F31608100601966BDD24000000400E0000186BEC91E8AE474127EB580A899C8F2B804FA05FA00000000C03003589C08F0001

ike 0:Dia-ca_0:242: out F9694DBF0B294DCE609AAEA102C0F31608100601966BDD240000004C614530000361A0A03A98B8582BF9C3CDCDD4D55C248EB6FF34AD4B542BAADEFF22F24B19BD4EA571D751F90F0F90F004

ike 0:Dia-ca_0:242: sent IKE msg (cfg_send): 100.1.1.1:4500->192.168.91.133:4500, len=76, id=f9694dbf0b294dce/609aaea102c0f316:966bdd24

ike 0:Dia-ca_0: HA send XAUTH

ike 0: comes 192.168.91.133:4500->100.1.1.1:4500,ifindex=7....

ike 0: IKEv1 exchange=Mode config id=f9694dbf0b294dce/609aaea102c0f316:966bdd24 len=76

ike 0: in F9694DBF0B294DCE609AAEA102C0F31608100601966BDD240000004CEEC6C002FC77516A6A5EEE5E51F8AB7759599E8808831B371DFBE09CEEED1205961198781E290A9CCFAE5C16AD719606

ike 0:Dia-ca_0:242: dec F9694DBF0B294DCE609AAEA102C0F31608100601966BDD240000004C0E00001880E05D46DD26C8F98402A08FC79D816BC876D0ED0000000804003589B8E9DADAB2DA989AF7FDAFB2F0D4E80F

ike 0: comes 192.168.91.133:4500->100.1.1.1:4500,ifindex=7....

ike 0: IKEv1 exchange=Mode config id=f9694dbf0b294dce/609aaea102c0f316:a00d80c2 len=140

ike 0: in F9694DBF0B294DCE609AAEA102C0F31608100601A00D80C20000008C498E7EDC6CE3FA2C20B3D642DFA3B7F1F4DA7826BB84C8AE07654AE746E4AD9D3A4DFB322F8106E79135739BEC8D5334507BBAC8F6B00FD2B5787D197FC18B3E0EAE15338861F5E93B4A33CBFEC4E55BAF55303F5824AADCEF92245C126EE90FE30E1D1F4C88FF664C86C2C4A756F1A2

ike 0:Dia-ca_0:242: dec F9694DBF0B294DCE609AAEA102C0F31608100601A00D80C20000008C0E000018E696B9240E36308FD9A054EC895B1B72A9D157300000005401003EE400010000000200000003000000040000000D00000008000000090000000A0000000B0000000F0000700000007002000070030000700400007006000070010000D40A0000D40B0000000700008384C903

ike 0:Dia-ca_0:242: mode-cfg type 1 request 0:''

ike 0:Dia-ca_0:242: mode-cfg using allocated IPv4 10.202.1.100

ike 0:Dia-ca_0:242: mode-cfg type 2 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 3 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 4 request 0:''

ike 0:Dia-ca_0:242: mode-cfg WINS ignored, no WINS servers configured

ike 0:Dia-ca_0:242: mode-cfg type 13 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 8 request 0:''

ike 0:Dia-ca_0:242: IPv6 pool is not configured

ike 0:Dia-ca_0:242: mode-cfg type 9 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 10 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 11 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 11 not supported, ignoring

ike 0:Dia-ca_0:242: mode-cfg type 15 request 0:''

ike 0:Dia-ca_0:242: mode-cfg type 28672 request 0:''

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28672 requested

ike 0:Dia-ca_0:242: mode-cfg no banner configured, ignoring

ike 0:Dia-ca_0:242: mode-cfg type 28674 request 0:''

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28674 requested

ike 0:Dia-ca_0:242: mode-cfg no domain configured, ignoring

ike 0:Dia-ca_0:242: mode-cfg type 28675 request 0:''

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28675 requested

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28675 not supported, ignoring

ike 0:Dia-ca_0:242: mode-cfg type 28676 request 0:''

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28676 requested

ike 0:Dia-ca_0:242: mode-cfg type 28678 request 0:''

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28678 requested

ike 0:Dia-ca_0:242: mode-cfg type 28673 request 0:''

ike 0:Dia-ca_0:242: mode-cfg UNITY type 28673 requested

ike 0:Dia-ca_0:242: mode-cfg type 21514 requested

ike 0:Dia-ca_0:242: mode-cfg type 21515 requested

ike 0:Dia-ca_0:242: mode-cfg type 7 request 0:''

ike 0:Dia-ca_0:242: mode-cfg assigned (1) IPv4 address 10.202.1.100

ike 0:Dia-ca_0:242: mode-cfg assigned (2) IPv4 netmask 255.255.255.0

ike 0:Dia-ca_0:242: mode-cfg send (13) 0:192.168.0.0/255.255.255.0:0

ike 0:Dia-ca_0:242: mode-cfg send (3) IPv4 DNS(1) 114.114.114.114

ike 0:Dia-ca_0:242: mode-cfg assigned (9) IPv6 prefix 128 netmask ffffffffffffffffffffffffffffffff

ike 0:Dia-ca_0:242: mode-cfg send INTERNAL_IP6_SUBNET

ike 0:Dia-ca_0:242: mode-cfg IPv6 DNS ignored, no IPv6 DNS servers found

ike 0:Dia-ca_0:242: mode-cfg send (28676) IPv4 subnet 192.168.0.0/255.255.255.0 port 0 proto 0

ike 0:Dia-ca_0:242: mode-cfg send APPLICATION_VERSION 'FortiGate-100E v6.0.4,build0231,190107 (GA)'

ike 0:Dia-ca_0:242: mode-cfg send (28673) UNITY_SAVE_PASSWD

ike 0:Dia-ca_0:242: mode-cfg send (21514) FNT_AUTO_NEGOTIATE

ike 0:Dia-ca_0:242: mode-cfg send (21515) FNT_KEEP_ALIVE

ike 0:Dia-ca_0 HA send mode-cfg

ike 0:Dia-ca_0:242: enc F9694DBF0B294DCE609AAEA102C0F31608100601A00D80C2000000E50E0000186BA50F25DB6C19C70EBFAF762E18BA835427709D000000B102003EE4000100040ACA016400020004FFFFFF00000D0008C0A80000FFFFFF00000300047272727200090010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000F002000000000000000000000000000000000000000000000000000000000000000007004000EC0A80000FFFFFF000000000000000007002B466F727469476174652D313030452076362E302E342C6275696C64303233312C3139303130372028474129F0010001D40A0001D40B0001

ike 0:Dia-ca_0:242: out F9694DBF0B294DCE609AAEA102C0F31608100601A00D80C2000000EC46FD8005EF15C007132F90C81911E7BD683747259280D1E062CA92E49D7988215EA123BE154FD4B32F5BC8CE5879B0AA01BDC7A96DCF403B17DB98F7DD0F91F0389BAF9FEE34DAF7949CD17044AE7C4C00DABFA13B16B84E43EC4654B00CF60EAAB95B59AFA890F83DA20AE98A4935CECA10AE6117CFDD3E4EC03BC82C2D4D87048121201EDEDF0286BEBE4452AD2FF202204F4F322500BB4447B3C7CFF190D160952FDE0FC5491A51E5263830C230F0D4D66325C61A701CE539444EE511ED0FE6F0E214448436EC7C6C22299DE277B8

ike 0:Dia-ca_0:242: sent IKE msg (cfg_send): 100.1.1.1:4500->192.168.91.133:4500, len=236, id=f9694dbf0b294dce/609aaea102c0f316:a00d80c2

ike 0: comes 192.168.91.133:4500->100.1.1.1:4500,ifindex=7....

ike 0: IKEv1 exchange=Quick id=f9694dbf0b294dce/609aaea102c0f316:8836b87a len=716

ike 0: in F9694DBF0B294DCE609AAEA102C0F316081020018836B87A000002CC946C3D4BA8430D66BD267B7C72A89FDDC9F15A93CFCEE6E438B89D3A4A17262B4A8D6EA6252CBF1DC7D8F475CDEA2FAC1611C112454489CA42776DACB1AB83597DCAFD0E4A1CD0314C134845BDDEF00EFE030A898F459D3014069AD4CEA9725773FAF08F3F9A9E3192693F991A10203695BEC50A9096B99428B922B0FF59EA4719DEFD1DE966973044D2803D36CECE90BA7BEF5A11B3FC000DBC7B44EC6611D9325DF11EF1C77A572810FD90003CEB35498CDC6B21DC630427ED9841ED3F4A65D0BE3A40B4F800D21BB53CCCF9E127336B30E6B85B481BB96A06E5EEC3CCB13497B1F0B9608D676AB92705CE3793F560E36DF621C37DC4152DC9A4E90396FAAD27F946B66FF9A2F68848CBDDD117403A073DC066FE540371092A8C1FE2668BCF7D1F23F327F38638048DDF7EE9DDE83E7D1F585E3CD880B8493B9D45B5154983237D9F8FE1826E13568E7489CD2AA023E60AF61590754DE64C52ED6D9E55F6F5C4D7369AB571F11190A5878A5BEFDAE64C8C458E81F237D5C36B2E8833FF4823949FAF590E120C7C1353D6A59692AB6CB9F0C283E1E5299E918F6523E5065CE0D34CD87B14D60B475C7625F40D4CFC4C3C806807A5ED2F92396BE9CE00925C6FA66C8E00DAEDB557B7205F310CE69CF9B42AC123BAEF27967C35102FD9EDFCC0AC470536F3A84E47DE82E7C2EB0B881D2E756383DFB2AE23A196470CCB96BB4BED5BE593A19EBACD81F974E0C65B19F5B92A5491B26F4CF9C3BF50DE5BFB271E880A218175D8BAA9E872FE425BE9202E92859EE8C694A564B17A0275BB511FDA0A0333AEEDED6617FE7D83679728C894E2DFFCB5DA9281C1CF201DC9BD18B50D0B63BADF3463C50FCDEA5D2EB74131BE34DF9E24976854635DB19608C961A8FA6A53033A47AA77D255CA2E05AE60D0A04A7CA259B95DFE19B8198133007E006010ED92BF49C3C5A8CC0139C4CCD50632

ike 0:Dia-ca_0:242:178: responder received first quick-mode message

ike 0:Dia-ca_0:242: dec F9694DBF0B294DCE609AAEA102C0F316081020018836B87A000002CC01000018F6255A04D95820FAA2FA71365808458BE5C078430A00009800000001000000010000008C01030404719F82D403000020010C0000800100018002A8C08004000380060080800500028003000503000020020C0000800100018002A8C08004000380060080800500028003000503000020030C0000800100018002A8C08004000380060100800500028003000500000020040C0000800100018002A8C08004000380060100800500028003000504000014D6FDF651FF7961EB5509319DC21A24F3050000C43E8824CBC5B02729AB3867EF298A2AB0B332E44CBF61CF51FEDE27C8A8BA293195ECE30312ACD33C4549CE202BB0E4D1C686635E1128DCE9E73DA74F1B21A0F13377AFBB0A612E389A04014FF3704BD63F0646BB4DD175E67CE27B232FC806A1197973DBB4DF8104B1870BFAB5EB09616E1125862E48B88246932D836C1729FE4BFA2CCEFD8ADB7020B2632440C0179F654616F7657BB87D3540735A390440DD050BFC174B0AD1ADF0C23A0EB2A5D2124B02923839A9A793569BB2FC1D09B3380500000C010000000ACA01640B000010040000000000000000000000000000FC0100000001007DF65645523D310A4643545645523D362E302E352E303230390A5549443D32333733343933394142434434323133383736433946383135383930374334440A49503D31302E312E312E3130300A4D41433D30302D30632D32392D64622D62612D31623B30302D30632D32392D64622D62612D31313B0A484F53543D6C69756B616E676D696E672D50430A555345523D75736572310A4F535645523D4D6963726F736F66742057696E646F7773203720556C74696D6174652045646974696F6E2C2036342D6269742053657276696365205061636B203120286275696C642037363031290A5245475F5354415455533D300A00DBEB8E98FBBB84B1C4BD8697BDD7AE0F

ike 0:Dia-ca_0:242: received p1 notify type FORTICLIENT-CONNECT

ike 0:Dia-ca_0:242:178: FORTICLIENT-CONNECT received, license status = 4

ike 0:Dia-ca_0:242:178: FCC request len = 240, data = 'VER=1

FCTVER=6.0.5.0209

UID=23734939ABCD4213876C9F8158907C4D

IP=10.1.1.100

MAC=00-0c-29-db-ba-1b;00-0c-29-db-ba-11;

HOST=liukangming-PC

USER=user1

OSVER=Microsoft Windows 7 Ultimate Edition, 64-bit Service Pack 1 (build 7601)

REG_STATUS=0

ike 0:Dia-ca_0:242:178: FCC reply len = 14, data = 'VER=1

CODE=0

ike 0:Dia-ca_0:242:178: peer proposal is: peer:0:10.202.1.100-10.202.1.100:0, me:0:0.0.0.0-255.255.255.255:0

ike 0:Dia-ca_0:242:Dia-ca:178: trying

ike 0:Dia-ca_0:242:Dia-ca:178: matched phase2

ike 0:Dia-ca_0:242:Dia-ca:178: dynamic client

ike 0:Dia-ca_0:242:Dia-ca:178: my proposal:

ike 0:Dia-ca_0:242:Dia-ca:178: proposal id = 1:

ike 0:Dia-ca_0:242:Dia-ca:178: protocol id = IPSEC_ESP:

ike 0:Dia-ca_0:242:Dia-ca:178: PFS DH group = 14

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_AES_CBC (key_len = 128)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=SHA1

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_AES_CBC (key_len = 256)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=SHA1

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_AES_CBC (key_len = 128)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=SHA2_256

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_AES_CBC (key_len = 256)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=SHA2_256

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_AES_GCM_16 (key_len = 128)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=NULL

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_AES_GCM_16 (key_len = 256)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=NULL

ike 0:Dia-ca_0:242:Dia-ca:178: trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)

ike 0:Dia-ca_0:242:Dia-ca:178: encapsulation = ENCAPSULATION_MODE_TUNNEL

ike 0:Dia-ca_0:242:Dia-ca:178: type = AUTH_ALG, val=NULL

ike 0:Dia-ca_0:242:Dia-ca:178: proposal id = 2:

ike 0:Dia-ca_0:242:Dia-ca:178: protocol id = IPSEC_ESP:

ike 0:Dia-ca_0:242:Dia-ca:178: PFS DH group = 5