IPsec

TCP traffic over IPSec stalls with some packets not appearing on enc0

Pentium100 — Wed, 06 May 2026 13:09:55 GMT

@tinfoilmatt Because using policy based it would be something like 30 phase2 entries and we had a problem where some of them would stop working at random. Anyway, I found a solution to this. Firewall State Policy - set to "Floating States" (default was "Interface Bound States" and apparently this default was different on the older pfsense version) Now it seems to work

IPsec tunnel is not allowing port 445 traffic

paulhds — Sun, 26 Apr 2026 13:21:35 GMT

Hello...I have a tunnel bettwen to networks setup...I can ping and rdp on both sides of the network. However, on one side of the tunnel, port 445 (Microsoft) works; on the other side it does not work. I have rebuilt the IPSec tunnels...still an issue.

IPSec Tunnel up but only half the remote IPs ping

Ryan Eback — Wed, 25 Mar 2026 11:55:39 GMT

I have created an IPsec Tunnel between to offices.
Office A = 192.168.152.0/24
Office B = 192.168.24.64/26

I have no issues getting the tunnel connected. I can ping and access the devices at 192.168.24.70 - 192.168.24.80 from Office A. I am not able to access 192.168.24.90 - 192.168.24.110 from Office A.

Currently for testing, I am using Allow All rules across the tunnels.

I have no issues with my other tunnels from Office A. They are using CIDR 24 subnets, similar to Office A.

I don't know what I am missing.

IPv6 Leakage in IPsec Split-Tunneling (pfSense + FreeRADIUS)

0x44 — Sun, 15 Mar 2026 06:45:47 GMT

Hi all,
Client traffic leaks via IPv6, bypassing the tunnel because pfSense is configured only for IPv4.

Setup:
Client: Dual-stack (IPv4/IPv6).
pfSense: IPv4-only, IPsec Split Tunneling + FreeRADIUS.
Server: Dual-stack (IPv4/IPv6).

What is the best way to force IPv4 preference on the client side via pfSense/RADIUS settings? I need all traffic to the server to stay within the tunnel.
Thanks for help.

IPsec Traffic Initiation Only Works In One Direction

planedrop — Fri, 13 Mar 2026 02:47:31 GMT

I knew it had to be something stupid. I had a block rule for "This Firewall" on my internal "WAN" interface (not a real WAN) which was causing the ESP packets to be dropped on that interface. It's always simple stuff like that lol, after literally weeks and hours of troubleshooting thinking there is no way my config is wrong. Anyway, if anyone finds this later, check that you don't have block rules on the interface that the ESP packets arrive on.

IPSec With Multi WAN Failover Works Until Main WAN Restored

urbnsr — Tue, 03 Mar 2026 22:28:47 GMT

I have site A and site B. Site A has two WANs setup with failover group routing. WAN1 on tier 1, WAN 2 on tier 2 using dynamic DNS. Site B has one WAN and has IPSec configured to connect to site A's DDNS address.

This starts out fine and when site A's main WAN1 goes down, the tunnel switches over quickly to WAN2 without site B knowing anything different.

The problem is when site A's WAN1 is restored, pfSense does not rebuild the tunnel back to WAN1 and the tunnel is still connected through WAN2. IPSec traffic does not pass at this point even with WAN2 connection up. If I change site A's phase 1 "Gateway duplicates" to enable, traffic will pass. This option seems to be a problem because if the tunnel is still connected through WAN2 and WAN2 would go down, the tunnel appears still connected and does not re-establish the tunnel using the restored WAN1 connection. This may actually never happen, but it could...

I can manually disconnect tunnel with both WANs up and a re-connection will select WAN1.

Is there an option that would make site A's tunnel rebuild the connection back to WAN1 when WAN1 first gets restored?

I believe I understand what it is supposed to do - From Netgate docs:

------------
Failover with Gateway Groups and Dynamic DNS

IPsec can fail between multiple WANs, but it requires some coordination and relies upon gateway groups and dynamic DNS. If the first gateway goes down the tunnel will move to the next available WAN in the group. When the first WAN comes back up, the tunnel will be rebuilt there again.
------------

Thanks.

IPsec with NAT Requires Traffic Initiation From One Side?

planedrop — Fri, 20 Feb 2026 00:32:49 GMT

To add to this, it seems that the packets are just never ending up on the IPsec interface of Site A. I can see that the ESP packets are hitting the interface they should be on pfSense (it's not really WAN but we can call it that), but they just don't actually get routed back through to the IPsec interface. I am not sure what would be dropping them at this point though, seems the state table isn't being opened or something. The SPD has the proper NATed subnet listed in it too so it's definitely correctly setup. Am I crazy in thinking this should work? Since this basically 1:1 NATs every IP within the /24 subnets that I have setup, shouldn't traffic destined for any 172.16.51.xxx IP be translated over to the 10.10.12.xxx equivalent IP?

Locate OIDs for tracking IPSEC tunnel metrics

cparks96 — Tue, 17 Feb 2026 16:28:30 GMT

Hello...trying to find the specific OIDs for the IPSEC tunnel info and metrics. Pfsense docs don't have anything related to them. I ran snmpwalk against ".1.3.6.1.2.1" for standard MIB-II metrics.

I'm tracking the SNMP interfaces right now but can't seem to find anything on IPSEC. is there a specific module I need to use?

IPSEC tunnel problem with Linux boxes

miboco — Wed, 04 Feb 2026 09:21:56 GMT

Hi, turns out the problem is with the mtu. Reducing it to 1400 solves the problem. Best regards, Mike

IPSEC - VTI mode Failover with PBR

jimp — Tue, 03 Feb 2026 20:07:53 GMT

The quick answer is you'll need to set the IPsec Filter Mode to VTI to allow those interfaces to use reply-to so the response traffic will use the correct interface. Set it on both sides. That will break any tunnel mode IPsec tunnels you may have, but if you don't have any, then it's only a positive change. The more complicated answer is that you should really run a dynamic routing protocol like BGP between those routers using the FRR package so the routing changes in a more reliable and predictable manner and isn't relying on filter trickery to avoid asymmetric routing.

Ipsec VPN connected but cannot ping from either side

edlentz — Wed, 28 Jan 2026 17:01:34 GMT

We have a new SG-1100 and trying to get a VPN using ipsec to an openswan 2.6 and IKE v1. We can get both phases to connect but no luck with any traffic between them. We have tried adding ipsec rules in the firewall with no luck. Is there something we might have missed. Desperate to gt this working

Thanks

IPSEC traffic become unidirectional and works fine when disabling firewall at pfsense

antonyms — Mon, 26 Jan 2026 12:11:46 GMT

We have several IPSEC tunnel connecting to pfsense gateway, version used is 2.8.1-RELEASE (amd64), built on Tue Sep 9 16:29:00 UTC 2025, FreeBSD 15.0-CURRENT. We reinstall tunnels quite often, once in a while, one of the tunnel we see traffic going only in one direction which means, from remote endpoint traffic reached at pfsense but no traffic back. We are not added any explicit firewall rules, but initially when we reboot pfsense the problem disappear, later we found that disabling firewall could work. Can you please help me to understand more on this problem. Please let me know what more details needed.

Thanks,
Antony

OpenVPN user access to networks behind IPSEC tunnels

tinfoilmatt — Fri, 02 Jan 2026 11:51:59 GMT

@ivica.glavocic Check out this article from the documentation, Assigning OpenVPN Interfaces. That's one way to get OVPN traffic onto an interface that can then be NAT'ed to/from. (This confusingly-named subsection, Allowing traffic over OpenVPN Tunnels, then becomes relevant, too.)

After Update to 25.11. trouble with ipsec vpn-to-vpn

hsrtreml — Tue, 23 Dec 2025 09:35:17 GMT

After success update to 25.11. ipsec vpn-to-vpn (between two netgate-boxes), no changes, is established: file service works, but no remote desktop works!

also on OpenVPN all Client configuration lost! But it works and no state informations...

External Users can't reach IPSec Resources

patient0 — Fri, 19 Dec 2025 22:08:30 GMT

@bh2026 not used IPSec myself but have you read through Netgate documentation: IPsec Site-to-Site VPN Example, Firewall Rules. Are there firewall rules in place for the VPN clients to access?

S2S IPSEC creates connections with duplicate reqids

rr247 — Thu, 18 Dec 2025 11:56:51 GMT

@tinfoilmatt Both the connections use the same reqid. And that is the problem because the reqid is used for creating SAD/SPD entries. The result is that there are two SPD entries pointing to the same SAD entry which makes the formerly established connection not working because there are wrong encryption values used.

source interface ip wrong

SteveITS — Fri, 12 Dec 2025 14:27:57 GMT

@jbates58 The right side connects to the left side? The listener/server is site B here: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html#site-b and has a few differences like Child SA Start Action and LifeTime and Child SA Close Action. I can see one end of a client's tunnel from here, and Dead Peer Detection is off for it; I want to say we did that on both ends but am not sure offhand. On that router we have "Peer identifier" set to the FQDN of the other end.

Update

thespirit — Fri, 21 Nov 2025 08:41:12 GMT

Update to this problem. I could not ping from the remote peer to the local peer again. This time I just disable (for testing) the "block all" rule and the remote peer was able to ping again.

Interestingly, after I enable the "block all" rule again, the remote peer was still able to ping.
I really don't know why this happens, but I will manually add a rule for the ESP protocol and see if this helps.

Anyone an idea why this could happen?

Concatenated IPsec VPN

tinfoilmatt — Thu, 20 Nov 2025 13:26:29 GMT

@conbonbur Here's an option/idea from the docs using OpenVPN instead of IPsec: OpenVPN Site-to-Site Configuration Example with SSL/TLS 'Hub and spoke' is the topology you're after—where Site A would be your so-called 'hub', and Sites B and C the so-called 'spokes'. Pretty sure a hub-and-spoke topology could be accomplished with IPsec by implementing a particular NAT configuration and/or static routing. But either way the short answer is: yes, it's possible.

Strange behavior with IPsec tunnel and ESP packets getting blocked

thespirit — Thu, 20 Nov 2025 10:51:21 GMT

@femtosize Ohh yeah i see what you mean. Yes I do agree, an info on the documentation would definitely help here! In this case, this post can be considered as done.

Cato Networks to PFSense Site to Site VPN

JustinMorse — Wed, 19 Nov 2025 18:23:21 GMT

Has anyone successfully setup a site to site ipsec vpn between Cato Networks and PFSense?

We got phase 1 and phase 2 to come up but routing is not working.

We are configured with IKEV2 and routed mode.

We are not sure what IP to assign to the PFSense VTI Interface and what IP to use for the PFSense next hop.

The Cato Management Application does not make this obvious. The CMA Only provides a native network subnet which is not a specific IP.

Block with no log rule on WAN breaks IPsec rekeying

femtosize — Tue, 18 Nov 2025 13:42:25 GMT

To stop the logs getting full of rubbish I added an explicit "block IPv4 any any" to the WAN interfaces on a pair of firewalls which are connected using an IPsec VPN.
This seemed to work fine until the phase 2s tried to rekey.
The rekeying failed and the whole VPN was ripped down and reestablished.

Is that expected?

Disabling the block rules made everything work properly again.

Should I have added rules of allow IKE and ESP before the block rule? Or should the automatically added ones been enough?

Where do the automatically generated IPsec rules end up in processing order?
Is there a way I can see this?

Is there a better way to stop the default block rules logging?

Ipsec mobile with Radius NPS MFA

Laxarus — Fri, 14 Nov 2025 16:09:27 GMT

So, I have put hours to get this working and it works now. However, there is one part that I could not figure out.

When I use Ipsec export apple profile and import this to my device, everything works beautifully, however, if I try to manually define the vpn settings on the IOS device, it just fails shortly after I try connecting.

The point of the matter is for me to easily connect to this VPN with AD credentials and MFA. It will not help me as much if I need to import profile everytime.

Checking the logs, I see that
crypto proposal matches, everything going well, but after splitting packets the 2nd time, it times out. Traffic never reaches NPS.


Nov 14 18:46:12	charon	26343	09[IKE]  IKE_SA con-mobile[17] state change: CONNECTING => DESTROYING
Nov 14 18:46:12	charon	26343	09[JOB]  deleting half open IKE_SA with 5.156.97.144 after timeout
Nov 14 18:46:11	charon	26343	09[IKE]  IKE_SA con-mobile[15] state change: CONNECTING => DESTROYING
Nov 14 18:46:11	charon	26343	09[JOB]  deleting half open IKE_SA with 93.168.76.124 after timeout
Nov 14 18:46:02	charon	26343	09[IKE]  sending keep alive to 93.168.76.124[2973]
Nov 14 18:45:42	charon	26343	09[NET]  sending packet: from [4500] to 5.156.97.144[4656] (1103 bytes)
Nov 14 18:45:42	charon	26343	09[NET]  sending packet: from [4500] to 5.156.97.144[4656] (1248 bytes)
Nov 14 18:45:42	charon	26343	09[ENC]  generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 14 18:45:42	charon	26343	09[ENC]  generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 14 18:45:42	charon	26343	09[ENC]  splitting IKE message (2286 bytes) into 2 fragments
Nov 14 18:45:42	charon	26343	09[ENC]  generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 14 18:45:42	charon	26343	09[IKE]  sending issuer cert "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:42	charon	26343	09[IKE]  sending end entity cert "CN=ipsec.domain.com"
Nov 14 18:45:42	charon	26343	09[IKE]  authentication of 'ipsec.domain.com' (myself) with ECDSA_WITH_SHA256_DER successful
Nov 14 18:45:42	charon	26343	09[IKE]  received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 14 18:45:42	charon	26343	09[IKE]  peer supports MOBIKE
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_DNS_DOMAIN attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP6_DNS attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP6_DHCP attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP6_ADDRESS attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP4_DNS attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP4_DHCP attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP4_NETMASK attribute
Nov 14 18:45:42	charon	26343	09[IKE]  processing INTERNAL_IP4_ADDRESS attribute
Nov 14 18:45:42	charon	26343	09[IKE]  initiating EAP_IDENTITY method (id 0x00)
Nov 14 18:45:42	charon	26343	09[CFG]  selected peer config 'con-mobile'
Nov 14 18:45:42	charon	26343	09[CFG] <17> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
Nov 14 18:45:42	charon	26343	09[CFG] <17> looking for peer configs matching [ipsec.domain.com]...5.156.97.144[172.17.33.144]
Nov 14 18:45:42	charon	26343	09[IKE] <17> remote endpoint changed from 5.156.97.144[6848] to 5.156.97.144[4656]
Nov 14 18:45:42	charon	26343	09[IKE] <17> local endpoint changed from [500] to [4500]
Nov 14 18:45:42	charon	26343	09[ENC] <17> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Nov 14 18:45:42	charon	26343	09[ENC] <17> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 14 18:45:42	charon	26343	09[NET] <17> received packet: from 5.156.97.144[4656] to [4500] (374 bytes)
Nov 14 18:45:42	charon	26343	13[NET] <17> sending packet: from [500] to 5.156.97.144[6848] (509 bytes)
Nov 14 18:45:42	charon	26343	13[ENC] <17> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 14 18:45:42	charon	26343	13[IKE] <17> sending cert request for "C=US, O=Let's Encrypt, CN=E8"
Nov 14 18:45:42	charon	26343	13[IKE] <17> sending cert request for "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:42	charon	26343	13[CFG] <17> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Nov 14 18:45:42	charon	26343	13[IKE] <17> remote host is behind NAT
Nov 14 18:45:42	charon	26343	13[CFG] <17> received supported signature hash algorithms: sha512 sha384 sha256
Nov 14 18:45:42	charon	26343	13[CFG] <17> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42	charon	26343	13[CFG] <17> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42	charon	26343	13[CFG] <17> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42	charon	26343	13[CFG] <17> proposal matches
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable (6) found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <17> selecting proposal:
Nov 14 18:45:42	charon	26343	13[IKE] <17> IKE_SA (unnamed)[17] state change: CREATED => CONNECTING
Nov 14 18:45:42	charon	26343	13[IKE] <17> 5.156.97.144 is initiating an IKE_SA
Nov 14 18:45:42	charon	26343	13[IKE] <17> remote endpoint changed from 0.0.0.0 to 5.156.97.144[6848]
Nov 14 18:45:42	charon	26343	13[IKE] <17> local endpoint changed from 0.0.0.0[500] to [500]
Nov 14 18:45:42	charon	26343	13[CFG] <17> found matching ike config: ...0.0.0.0/0, ::/0 with prio 1052
Nov 14 18:45:42	charon	26343	13[CFG] <17> candidate: ...0.0.0.0/0, ::/0, prio 1052
Nov 14 18:45:42	charon	26343	13[CFG] <17> looking for an IKEv2 config for ...5.156.97.144
Nov 14 18:45:42	charon	26343	13[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N((16438)) N((16438)) N((16438)) N((16438)) ]
Nov 14 18:45:42	charon	26343	13[NET] <17> received packet: from 5.156.97.144[6848] to [500] (786 bytes)
Nov 14 18:45:42	charon	26343	13[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Nov 14 18:45:42	charon	26343	13[NET] <16> sending packet: from [500] to 5.156.97.144[6848] (38 bytes)
Nov 14 18:45:42	charon	26343	13[ENC] <16> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 14 18:45:42	charon	26343	13[IKE] <16> DH group ECP_256 unacceptable, requesting MODP_2048
Nov 14 18:45:42	charon	26343	13[IKE] <16> remote host is behind NAT
Nov 14 18:45:42	charon	26343	13[CFG] <16> received supported signature hash algorithms: sha512 sha384 sha256
Nov 14 18:45:42	charon	26343	13[CFG] <16> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42	charon	26343	13[CFG] <16> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42	charon	26343	13[CFG] <16> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42	charon	26343	13[CFG] <16> proposal matches
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable (6) found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42	charon	26343	13[CFG] <16> selecting proposal:
Nov 14 18:45:42	charon	26343	13[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
Nov 14 18:45:42	charon	26343	13[IKE] <16> 5.156.97.144 is initiating an IKE_SA
Nov 14 18:45:42	charon	26343	13[IKE] <16> remote endpoint changed from 0.0.0.0 to 5.156.97.144[6848]
Nov 14 18:45:42	charon	26343	13[IKE] <16> local endpoint changed from 0.0.0.0[500] to [500]
Nov 14 18:45:42	charon	26343	13[CFG] <16> found matching ike config: ...0.0.0.0/0, ::/0 with prio 1052
Nov 14 18:45:42	charon	26343	13[CFG] <16> candidate: ...0.0.0.0/0, ::/0, prio 1052
Nov 14 18:45:42	charon	26343	13[CFG] <16> looking for an IKEv2 config for ...5.156.97.144
Nov 14 18:45:42	charon	26343	13[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N((16438)) N((16438)) N((16438)) N((16438)) ]
Nov 14 18:45:42	charon	26343	13[NET] <16> received packet: from 5.156.97.144[6848] to [500] (594 bytes)
Nov 14 18:45:41	charon	26343	13[NET]  sending packet: from [4500] to 93.168.76.124[2973] (1104 bytes)
Nov 14 18:45:41	charon	26343	13[NET]  sending packet: from [4500] to 93.168.76.124[2973] (1248 bytes)
Nov 14 18:45:41	charon	26343	13[ENC]  generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 14 18:45:41	charon	26343	13[ENC]  generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 14 18:45:41	charon	26343	13[ENC]  splitting IKE message (2287 bytes) into 2 fragments
Nov 14 18:45:41	charon	26343	13[ENC]  generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 14 18:45:41	charon	26343	13[IKE]  sending issuer cert "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:41	charon	26343	13[IKE]  sending end entity cert "CN=ipsec.domain.com"
Nov 14 18:45:41	charon	26343	13[IKE]  authentication of 'ipsec.domain.com' (myself) with ECDSA_WITH_SHA256_DER successful
Nov 14 18:45:41	charon	26343	13[IKE]  received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 14 18:45:41	charon	26343	13[IKE]  peer supports MOBIKE
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_DNS_DOMAIN attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP6_DNS attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP6_DHCP attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP6_ADDRESS attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP4_DNS attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP4_DHCP attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP4_NETMASK attribute
Nov 14 18:45:41	charon	26343	13[IKE]  processing INTERNAL_IP4_ADDRESS attribute
Nov 14 18:45:41	charon	26343	13[IKE]  initiating EAP_IDENTITY method (id 0x00)
Nov 14 18:45:41	charon	26343	13[CFG]  selected peer config 'con-mobile'
Nov 14 18:45:41	charon	26343	13[CFG] <15> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
Nov 14 18:45:41	charon	26343	13[CFG] <15> looking for peer configs matching [ipsec.domain.com]...93.168.76.124[2001:16a2:c076:a93f:1cd8:1278:5e5:c7c]
Nov 14 18:45:41	charon	26343	13[IKE] <15> remote endpoint changed from 93.168.76.124[3890] to 93.168.76.124[2973]
Nov 14 18:45:41	charon	26343	13[IKE] <15> local endpoint changed from [500] to [4500]
Nov 14 18:45:41	charon	26343	13[ENC] <15> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Nov 14 18:45:41	charon	26343	13[ENC] <15> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 14 18:45:41	charon	26343	13[NET] <15> received packet: from 93.168.76.124[2973] to [4500] (386 bytes)
Nov 14 18:45:41	charon	26343	13[NET] <15> sending packet: from [500] to 93.168.76.124[3890] (509 bytes)
Nov 14 18:45:41	charon	26343	13[ENC] <15> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 14 18:45:41	charon	26343	13[IKE] <15> sending cert request for "C=US, O=Let's Encrypt, CN=E8"
Nov 14 18:45:41	charon	26343	13[IKE] <15> sending cert request for "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:41	charon	26343	13[CFG] <15> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Nov 14 18:45:41	charon	26343	13[IKE] <15> remote host is behind NAT
Nov 14 18:45:41	charon	26343	13[IKE] <15> local host is behind NAT, sending keep alives
Nov 14 18:45:41	charon	26343	13[CFG] <15> received supported signature hash algorithms: sha512 sha384 sha256
Nov 14 18:45:41	charon	26343	13[CFG] <15> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:41	charon	26343	13[CFG] <15> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:41	charon	26343	13[CFG] <15> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:41	charon	26343	13[CFG] <15> proposal matches

what am I missing here or do I absolutely have to use profile file?

Workaround needed for IPsec VTI limitation with dynamic remote gateways (0.0.0.0 not supported)

mcury — Wed, 12 Nov 2025 11:14:11 GMT

@Averlon Indeed. There are valid use cases for both options. Thanks for the feedback

IPsec VTI tunnel problem with multiple subnets

keyser — Tue, 11 Nov 2025 17:22:37 GMT

@HyperactiveSloth Hmm, my VTI tunnels status shows 0.0.0.0/0 as the network in both ends in order for me to assign what traffic goes down the tunnel (by assigning routes to the VTI Gateway created when the IPsec interface sis assigned). Your IPsec status looks like a tunnelmode Phase 2, where the local/remote subnets are assigned in the Phase 2 settings. Strange…. If it was tunnelmode I’m quite sure your issue is the “missing” split connections setting…. Guess I’m out of ideas :-(