• Random IPSec mobile client disconnects on 2.4.5

    0 Votes, 3 Posts, 405 Views

    @hipgroove
    What do your proposals look like? There's a sweet spot for Mac and a sweet spot for Windows 10.

  • VPNs Disconnecting / Reported Memory Issue

    1 Vote, 14 Posts, 1k Views

    @marcquark
    Hi
    I also struggled with SA duplicates for a long time, and as a result I wrote my own small program (in C) that interacts with the FreeBSD kernel (PF_KEY Key Management API) and strongSwan (VICI and stroke protocol).
    This program receives messages from the kernel when a new SA is installed and checks how many are currently in the system. If it finds a duplicate, it sends strongSwan a message to delete the duplicate.
    Here's what it looks like

    Jun 16 10:05:43 daemon sa_checker started
    Jun 16 10:05:43 [KNL] successfully connected to PF_KEY_V2 socket
    Jun 16 10:05:54 [KNL] received message from kernel,type of message SADB_DELETE,errno = 0 ,seq number = 53850
    Jun 16 10:05:54 [KNL] parsed data : SPI = 0xcecde75d , SRC ADDRESS = 10.3.100.100 , DST ADDRESS = 10.3.100.1
    Jun 16 10:05:54 [KNL] received message from kernel,type of message SADB_ADD,errno = 0 ,seq number = 53851
    Jun 16 10:05:54 [KNL] parsed data : REQID = 0x3e8, SPI = 0xcecde75d , SRC ADDRESS = 10.3.100.100 , DST ADDRESS = 10.3.100.1, SA TYPE = IPsec ESP
    Jun 16 10:05:54 [KNL] received message from kernel,type of message SADB_ADD,errno = 0 ,seq number = 53852
    Jun 16 10:05:54 [KNL] parsed data : REQID = 0x3e8, SPI = 0xc459c817 , SRC ADDRESS = 10.3.100.1 , DST ADDRESS = 10.3.100.100, SA TYPE = IPsec ESP
    Jun 16 10:05:55 [KNL] successfully connected to stroke socket
    Jun 16 10:05:55 [KNL] stroke message successfully sended,waiting for reply ....
    Jun 16 10:05:55 [KNL] server reply is ' con1000{243}: INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cb0c99c0_i c0d72295_o '
    Jun 16 10:05:55 [KNL] server reply is ' con1000{244}: INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cecde75d_i c459c817_o '
    Jun 16 10:05:55 [IKE] total child's SA for deleting 1
    Jun 16 10:05:55 [IKE] CHILD SA for deleting 243
    Jun 16 10:05:55 [IKE] closing CHILD_SA con1000{243} with SPIs cb0c99c0_i (172 bytes) c0d72295_o (71116 bytes) and TS 0.0.0.0/0|/0 === 0.0.0.0/0|/0
    Jun 16 10:05:55 [IKE] sending DELETE for ESP CHILD_SA with SPI cb0c99c0
    Jun 16 10:05:55 [ENC] generating INFORMATIONAL request 1535 [ D ]
    Jun 16 10:05:55 [NET] sending packet: from 10.3.100.1[500] to 10.3.100.100[500] (80 bytes)
    Jun 16 10:05:55 [NET] received packet: from 10.3.100.100[500] to 10.3.100.1[500] (80 bytes)
    Jun 16 10:05:55 [ENC] parsed INFORMATIONAL response 1535 [ D ]
    Jun 16 10:05:55 [IKE] received DELETE for ESP CHILD_SA with SPI c0d72295
    Jun 16 10:05:55 [IKE] CHILD_SA closed
    Jun 16 10:05:55 [IKE] CHILD SA with uniqueid 243 has deleted successfully
    Jun 16 10:05:55 [KNL] received message from kernel,type of message SADB_DELETE,errno = 0 ,seq number = 53853
    Jun 16 10:05:55 [KNL] parsed data : SPI = 0xc5cdc8dd , SRC ADDRESS = 10.3.100.102 , DST ADDRESS = 10.3.100.1
    Jun 16 10:05:55 [KNL] received message from kernel,type of message SADB_ADD,errno = 0 ,seq number = 53854
    Jun 16 10:05:55 [KNL] parsed data : REQID = 0x7d0, SPI = 0xc5cdc8dd , SRC ADDRESS = 10.3.100.102 , DST ADDRESS = 10.3.100.1, SA TYPE = IPsec ESP
    Jun 16 10:05:55 [KNL] received message from kernel,type of message SADB_ADD,errno = 0 ,seq number = 53855
    Jun 16 10:05:55 [KNL] parsed data : REQID = 0x7d0, SPI = 0xcd2b03b8 , SRC ADDRESS = 10.3.100.1 , DST ADDRESS = 10.3.100.102, SA TYPE = IPsec ESP
    Jun 16 10:05:56 [KNL] successfully connected to stroke socket
    Jun 16 10:05:56 [KNL] stroke message successfully sended,waiting for reply ....
    Jun 16 10:05:56 [KNL] server reply is ' con2000{242}: INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ca05bb45_i c4a73853_o '
    Jun 16 10:05:56 [KNL] server reply is ' con2000{245}: INSTALLED, TUNNEL, reqid 2000, ESP SPIs: c5cdc8dd_i cd2b03b8_o '
    Jun 16 10:05:56 [IKE] total child's SA for deleting 1
    Jun 16 10:05:56 [IKE] CHILD SA for deleting 242
    Jun 16 10:05:56 [IKE] closing CHILD_SA con2000{242} with SPIs ca05bb45_i (0 bytes) c4a73853_o (216292 bytes) and TS 0.0.0.0/0|/0 === 0.0.0.0/0|/0
    Jun 16 10:05:56 [IKE] sending DELETE for ESP CHILD_SA with SPI ca05bb45
    Jun 16 10:05:56 [ENC] generating INFORMATIONAL request 127 [ D ]
    Jun 16 10:05:56 [NET] sending packet: from 10.3.100.1[500] to 10.3.100.102[500] (80 bytes)
    Jun 16 10:05:56 [NET] received packet: from 10.3.100.102[500] to 10.3.100.1[500] (80 bytes)
    Jun 16 10:05:56 [ENC] parsed INFORMATIONAL response 127 [ D ]
    Jun 16 10:05:56 [IKE] received DELETE for ESP CHILD_SA with SPI c4a73853
    Jun 16 10:05:56 [IKE] CHILD_SA closed
    Jun 16 10:05:56 [IKE] CHILD SA with uniqueid 242 has deleted successfully

    If you are interested, I can give you the program to test.
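
The decision step of such a checker, as an added example that is neither the poster's sa_checker nor pfSense or strongSwan code: it parses CHILD_SA status lines of the form quoted in the log above, groups them by connection and reqid, and keeps only the newest uniqueid in each group. The sample status text is constructed from the two replies in the log plus one single-SA connection that must be left alone. Two assumptions of this example: strongSwan's uniqueids increase monotonically, so the higher number is the newer SA, and the duplicates are closed with the stroke-based `ipsec down name{id}` form rather than over the PF_KEY socket the original program listens on.

```python
"""Pick the duplicate CHILD_SAs to tear down from strongSwan status output.

Added example; it only does the "which SA is the duplicate" decision and
emits the commands, it does not talk to the kernel or to strongSwan itself.
"""
import re
from collections import defaultdict

# One INSTALLED CHILD_SA line of 'ipsec statusall' / stroke status output.
# The number in braces is the CHILD_SA uniqueid; "ESP in UDP" appears for
# NAT-T peers, so that variant is accepted too.
CHILD_SA_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<uid>\d+)\}:\s+INSTALLED,\s+(?P<mode>\w+),"
    r"\s+reqid\s+(?P<reqid>\d+),\s+ESP(?: in UDP)? SPIs:"
    r"\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o"
)

# Constructed sample: the two status replies quoted in the post's log, plus
# a connection with a single CHILD_SA that must not be touched.
SAMPLE_STATUS = """\
con1000{243}: INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cb0c99c0_i c0d72295_o
con1000{244}: INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cecde75d_i c459c817_o
con2000{242}: INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ca05bb45_i c4a73853_o
con2000{245}: INSTALLED, TUNNEL, reqid 2000, ESP SPIs: c5cdc8dd_i cd2b03b8_o
con3000{250}: INSTALLED, TUNNEL, reqid 3000, ESP SPIs: 11111111_i 22222222_o
"""


def parse_child_sas(status_text):
    """Return one dict per INSTALLED CHILD_SA line; all other lines are ignored."""
    sas = []
    for line in status_text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:
            d = m.groupdict()
            d["uid"] = int(d["uid"])
            d["reqid"] = int(d["reqid"])
            sas.append(d)
    return sas


def duplicates_to_delete(sas):
    """Group by (connection, reqid). In every group with more than one member
    keep the newest SA (highest uniqueid, assumption: ids grow monotonically)
    and return the older ones, oldest first."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["conn"], sa["reqid"])].append(sa)
    victims = []
    for members in groups.values():
        if len(members) > 1:
            members.sort(key=lambda s: s["uid"])
            victims.extend(members[:-1])
    return victims


def delete_commands(victims):
    """Stroke CLI commands closing exactly the chosen CHILD_SAs by uniqueid
    (assumption: 'ipsec down <conn>{<uid>}' addresses a single CHILD_SA)."""
    return ["ipsec down %s{%d}" % (v["conn"], v["uid"]) for v in victims]


if __name__ == "__main__":
    for cmd in delete_commands(duplicates_to_delete(parse_child_sas(SAMPLE_STATUS))):
        print(cmd)
```

On the sample this selects con1000{243} and con2000{242}, the same two SAs the poster's program closed. Feeding it the real `ipsec statusall` output and running the commands is the part to do deliberately: closing the wrong SA of a pair drops live traffic until the peer renegotiates.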

  • some client just can't connect L2TP/IpSec

    0 Votes, 2 Posts, 321 Views

    @tschmit I have the same problem, client OSX 10.13 native client. All works fine with 2.4.4p3 but is broken with 2.4.5p1.

  • Bypassing ipsec with remote network of 0.0.0.0/0

    0 Votes, 7 Posts, 785 Views

    I don't see default routes like /0 networks in my IPSec policy.

    Did you set it up for mobile clients or site-to-site?

    Manual config of ipsec.conf won't cut it. I think the entire ipsec directory is generated on demand.

    Can you show your full ipsec.conf?

  • Assign delegated prefix for virtual IP pools

    0 Votes, 3 Posts, 391 Views

    @jimp

    For the time being, it'd be nice to have the first 64 bits tracking one of the LAN interfaces and the last 64 a user-definable range.

    I think this is possible through some grepping while generating ipsec.conf with rightsourceip = <globally routable prefix> + <user-defined range>

    I want to give clients IPv6 internet access and avoid NAT or manually defining the first 64 bits.
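
One way to build that rightsourceip value, as an added example that is not pfSense's ipsec.conf generator: it picks the LAN interface's non-link-local /64 out of ifconfig-style output (a constructed sample is embedded) and combines it with a user-chosen 64-bit host range, emitting the `<from>-<to>` form that strongSwan's rightsourceip accepts. The interface name lan0, the sample addresses and the helper names are assumptions of this example.

```python
"""Derive a strongSwan rightsourceip range from the LAN /64 plus a host range.

Added example, not pfSense code. The ifconfig text below is constructed;
on the firewall it would come from `ifconfig <lan interface>`.
"""
import ipaddress
import re

SAMPLE_IFCONFIG = """\
lan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1%lan0 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:1234:5601::1 prefixlen 64
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
"""

# address, optional %zone, prefix length
INET6_RE = re.compile(r"inet6\s+([0-9a-fA-F:]+)(?:%\S+)?\s+prefixlen\s+(\d+)")


def lan_inet6_prefix(ifconfig_text):
    """First IPv6 network on the interface that is not link-local/loopback.

    (2001:db8::/32 is the documentation range, so .is_global would reject the
    sample; a real deployment can tighten this filter to addr.is_global.)"""
    for m in INET6_RE.finditer(ifconfig_text):
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.is_link_local or addr.is_loopback or addr.is_unspecified:
            continue
        return ipaddress.IPv6Network((int(addr), int(m.group(2))), strict=False)
    raise ValueError("no routable IPv6 address on interface")


def client_range(prefix, host_start, host_end):
    """Combine the /64 network part with user-chosen 64-bit interface ids.

    Returns (from, to) inside the same /64, so clients get addresses from
    the LAN's own globally routable prefix and need no NAT."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64, got /%d" % prefix.prefixlen)
    if not (0 < host_start <= host_end < 2 ** 64):
        raise ValueError("host range must be non-empty and fit in 64 bits")
    base = int(prefix.network_address)
    return (ipaddress.IPv6Address(base | host_start),
            ipaddress.IPv6Address(base | host_end))


def rightsourceip_line(ifconfig_text, host_start, host_end):
    """The ipsec.conf line a generator would emit for the mobile connection."""
    lo, hi = client_range(lan_inet6_prefix(ifconfig_text), host_start, host_end)
    return "\trightsourceip=%s-%s" % (lo, hi)


if __name__ == "__main__":
    # hand ::1000 through ::1fff of the LAN /64 to mobile clients
    print(rightsourceip_line(SAMPLE_IFCONFIG, 0x1000, 0x1fff))
```

Because the pool is carved out of the LAN's own /64, hosts on that LAN will send neighbor solicitations for client addresses; the firewall has to answer those (proxy NDP) or LAN-to-client traffic never arrives, and that part is outside this snippet. Keep the user-defined range clear of addresses the LAN already assigns by SLAAC or DHCPv6.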

  • 0 Votes, 3 Posts, 363 Views

    @jimp I verified it. I changed it to an RSA 2048 cert, it successfully loaded the cert and I can establish the connection.

  • IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 working!

    0 Votes, 11 Posts, 13k Views

    Dear all,

    with the help of
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
    I managed to configure an IKEv2 SA and child SA for the ESP IPsec tunnel from my iPhone (iOS 13.5.1)
    to pfSense 2.4.5.

    I created a new PKI and converted the client certificate to .p12 with an OpenSSL lib workaround I found here.
    And after trying for a while it now works for me. The IPsec connection establishes fast and reliably.

    But what I still do not understand with the above method is:
    why do I need to define PSK keys for the EAP authentication part after the IKE handshake, although
    I already have a client certificate in place on the mobile that could actually also do this job (or even better)?
    iPhone allows configuring IKE connections to use the certificate as the user authentication method.
    But with this method set (instead of the user/password pattern) I cannot manage to authenticate successfully.
    EAP authentication of the client (iPhone) always gets aborted:

    Last 1000 IPsec Log Entries. (Maximum 1000)
    09[IKE] <con-mobile|2> IKE_SA con-mobile[2] state change: CONNECTING => DESTROYING
    09[NET] <con-mobile|2> sending packet: from <ServerIP> [4500] to <iPhoneIP>[19330] (80 bytes)
    09[ENC] <con-mobile|2> generating IKE_AUTH response 3 [ EAP/FAIL ]
    09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE
    09[ENC] <con-mobile|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
    09[NET] <con-mobile|2> received packet: from <iPhoneIP>[19330] to <ServerIP>[4500] (80 bytes)
    09[NET] <con-mobile|2> sending packet: from <ServerIP>[4500] to <iPhoneIP> [19330] (112 bytes)
    09[ENC] <con-mobile|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)
    09[IKE] <con-mobile|2> received EAP identity 'Markus'
    09[ASN] <con-mobile|2> file content is not binary ASN.1
    09[ENC] <con-mobile|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    ...

    Do you have an idea?

    kind regards
    Markus
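
To read an excerpt like the one above, which the pfSense log view prints newest first, the following added example (not from the post, and not pfSense or strongSwan code) puts the lines back in chronological order and summarises the EAP exchange. The sample is reconstructed from the quoted lines with the same <ServerIP>/<iPhoneIP> placeholders; the helper names are this example's own.

```python
"""Re-order a pfSense IPsec log excerpt and summarise its EAP exchange.

Added example. pfSense shows the newest line first; strongSwan's own format
is '<thread>[GROUP] <conn|ike-sa-id> message'.
"""
import re

# Constructed from the lines quoted in the post (newest first, as pasted).
SAMPLE_LOG = """\
09[IKE] <con-mobile|2> IKE_SA con-mobile[2] state change: CONNECTING => DESTROYING
09[NET] <con-mobile|2> sending packet: from <ServerIP>[4500] to <iPhoneIP>[19330] (80 bytes)
09[ENC] <con-mobile|2> generating IKE_AUTH response 3 [ EAP/FAIL ]
09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE
09[ENC] <con-mobile|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
09[NET] <con-mobile|2> received packet: from <iPhoneIP>[19330] to <ServerIP>[4500] (80 bytes)
09[NET] <con-mobile|2> sending packet: from <ServerIP>[4500] to <iPhoneIP>[19330] (112 bytes)
09[ENC] <con-mobile|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)
09[IKE] <con-mobile|2> received EAP identity 'Markus'
09[ASN] <con-mobile|2> file content is not binary ASN.1
09[ENC] <con-mobile|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
"""

LINE_RE = re.compile(
    r"^(?P<thread>\d+)\[(?P<grp>\w+)\]\s+<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)


def parse_log(text):
    """Parse the strongSwan lines and return them oldest first."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    events.reverse()
    return events


def eap_summary(events):
    """Walk the exchange chronologically and collect what the server did and
    how the client answered."""
    s = {"identity": None, "offered": [], "nak": False, "outcome": None,
         "final_state": None}
    for e in events:
        msg = e["msg"]
        m = re.search(r"received EAP identity '([^']*)'", msg)
        if m:
            s["identity"] = m.group(1)
        m = re.search(r"initiating (EAP_\w+) method", msg)
        if m:
            s["offered"].append(m.group(1))      # methods the server proposed
        if "received EAP_NAK" in msg:
            s["nak"] = True                      # client refused the method
        if "sending EAP_FAILURE" in msg:
            s["outcome"] = "EAP_FAILURE"
        if "EAP method" in msg and "succeeded" in msg:
            s["outcome"] = "EAP_SUCCESS"
        m = re.search(r"state change: \w+ => (\w+)", msg)
        if m:
            s["final_state"] = m.group(1)
    return s


def diagnose(s):
    """Plain-language reading of the summary (RFC 3748: a Nak means the peer
    does not accept the EAP type it was offered)."""
    if s["nak"] and s["offered"]:
        return ("client answered the %s request with EAP_NAK, i.e. it does not "
                "accept that EAP method; the server sent EAP_FAILURE and the "
                "IKE_SA went to %s. The client's authentication setting and the "
                "server's EAP method must agree." % (s["offered"][-1], s["final_state"]))
    if s["outcome"] == "EAP_SUCCESS":
        return "EAP authentication succeeded"
    return "no EAP failure pattern recognised"


if __name__ == "__main__":
    print(diagnose(eap_summary(parse_log(SAMPLE_LOG))))
```

Reading the excerpt in order makes the sequence explicit: identity received, server proposes EAP-MSCHAPv2, client replies with a Nak, server fails the EAP round and destroys the IKE_SA. Whatever the client is configured for, it is not accepting the method the server offers.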

  • IKEv2 Source NAT Configuration

    0 Votes, 3 Posts, 399 Views

    That seems to have done the trick. Thanks a lot!

  • Only one P2 tunnel available at a time?

    0 Votes, 3 Posts, 385 Views, last post by jimp

    More than likely it's a problem with the other end, not pfSense, though not sure what it might be exactly.

    Probably best to check the remote side's status/logs to find out what it thinks is happening.

  • Make Before Break - Which Firewalls Support it

    0 Votes, 2 Posts, 1k Views, last post by jimp

    I'm not aware of any list, but if you are using IKEv2, you are better off switching to Rekey instead of using Reauth+Make-before-break. On 2.4.x, uncheck Disable Rekey and check Disable Reauth. On 2.5.0, put the lifetime value in the rekey box and leave reauth empty.

  • Pfsense FreeRadius3 multiotp

    0 Votes, 4 Posts, 893 Views

    You don't need "mschap multiotpmschap".

    Step 1:
    The first line of multiotp.php is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).
    multiotp.php -> /usr/local/bin/multiotp/

    Step 2:
    chmod +x /usr/local/bin/multiotp/multiotp.php
    Maybe change the timezone:
    ./multiotp.php -config timezone=Europe/Zurich (which is the default)
    ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
    You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your Pfsense
    and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

    Step 3:
    freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

    Step 4:
    Restart

    Step 5:
    Try to connect again

    Edit:
    Error 98 = Authentication failed (wrong token length) -> 1234 + 6-digit code from the app

  • Mobile clients with OTP

    0 Votes, 10 Posts, 3k Views

    Step 1:
    The first line of multiotp.php is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).
    multiotp.php -> /usr/local/bin/multiotp/

    Step 2:
    chmod +x /usr/local/bin/multiotp/multiotp.php
    Maybe change the timezone:
    ./multiotp.php -config timezone=Europe/Zurich (which is the default)
    ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
    You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your Pfsense
    and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

    Step 3:
    freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

    Step 4:
    Restart

    Step 5:
    Not needed (other Infos)

    /etc/multiotp/ -> All Data you can find here
    failure_delayed_time -> 300
    max_block_failures -> 6
    max_delayed_failures -> 3

    multiotp.ini -> /etc/multiotp/config/ change -> max_block_failures=-1
    multiotp.php -> /usr/local/bin/multiotp/ change -> if ($this->GetUserErrorCounter() <= $this->GetMaxBlockFailures()) {
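
What the multiOTP setup in this thread and the "Pfsense FreeRadius3 multiotp" thread above ends up checking, as an added example in Python that is not multiOTP's code and does not call it: the password is the static PIN immediately followed by the 6-digit TOTP (the "1234 + 6 digit code from the app" of the other post), a password of any other length is rejected before the OTP is even looked at (the "wrong token length" error quoted there), and after max_block_failures consecutive failures the user is blocked. The secret and PIN are the values quoted in the posts; the one-step clock tolerance, the replay check and the class name are assumptions of this example, and the RFC 6238 test vector in the test is the standard's own.

```python
"""Verify a 'PIN + 6-digit TOTP' password with a failure counter.

Added example (not multiOTP). Secret and PIN are the values quoted in the
forum posts; the verifier semantics are this example's own.
"""
import hashlib
import hmac
import struct
import time

SECRET_HEX = "5dc0424b2e7922f3472a0f8429a80b12"   # hex seed from the post
PIN = "1234"                                       # PIN from the post
DIGITS = 6
STEP = 30


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_hex, now=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP for a hex-encoded seed at Unix time `now` (default: current time)."""
    now = int(time.time()) if now is None else int(now)
    return hotp(bytes.fromhex(secret_hex), now // step, digits)


class PinTotpVerifier:
    """Checks PIN||OTP, tolerates one time step of drift either way, refuses a
    code that was already accepted, and blocks after max_block_failures."""

    def __init__(self, secret_hex, pin, max_block_failures=6):
        self.secret = bytes.fromhex(secret_hex)
        self.pin = pin.encode()
        self.max_block_failures = max_block_failures
        self.failures = 0
        self.last_counter = None

    def _fail(self, reason):
        self.failures += 1
        return reason

    def check(self, password, now=None):
        if self.failures >= self.max_block_failures:
            return "blocked"
        pw = password.encode()
        # length check comes first, like multiOTP's "wrong token length" error
        if len(pw) != len(self.pin) + DIGITS:
            return self._fail("wrong token length")
        if not hmac.compare_digest(pw[:len(self.pin)], self.pin):
            return self._fail("wrong pin")
        now = int(time.time()) if now is None else int(now)
        otp = pw[len(self.pin):]
        for drift in (0, -1, 1):
            counter = now // STEP + drift
            if hmac.compare_digest(hotp(self.secret, counter).encode(), otp):
                if self.last_counter is not None and counter <= self.last_counter:
                    return self._fail("replayed token")
                self.last_counter = counter
                self.failures = 0
                return "ok"
        return self._fail("wrong token")


if __name__ == "__main__":
    v = PinTotpVerifier(SECRET_HEX, PIN)
    print(v.check(PIN + totp(SECRET_HEX)))   # "ok" when PIN and current code match
```

The order of the checks matters for the error the user sees: a user who types only the 6-digit code, or PIN and code with a space between, gets the length error and never reaches the OTP comparison, which is exactly the "Error 98" case in the other thread. Every failed attempt, including the length error, counts towards the block threshold, so the posts' max_block_failures=-1 tweak disables that protection entirely.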

  • 0 Votes, 2 Posts, 294 Views, last post by roncbk

    This might sound crazy but, in your OpenVPN settings under IPv4 Local network(s), there is a space between the comma and the 192.168.251.0/24. I would remove that space. I don't know if it will help, but the instructions do read "comma-separated" - no mention of spaces. Otherwise I don't see anything wrong with your setup, and I do have a similar setup here which works fine (the other end of my IPSec tunnel is an Azure VNet).

  • IPSec Site to Site between NAT

    0 Votes, 2 Posts, 319 Views

    I THINK I have a similar setup as you do...
    On one location I have pfSense directly connected to the Internet, and the other site (my summer house) is using a 4G router which of course has its own NAT. I am using a Dynamic DNS service for both locations (DynDNS and afraid). So on both ends I use the DNS name I have chosen for the respective Remote Gateways. But on the pfSense box (connected directly to the Internet) I set the peer identifier to the "internal WAN" of the other VPN server, not the public IP address (or DNS).

    In my case I have the LAN side of the 4G router set to 192.168.3.1 and the WAN it provides the ER-X is 192.168.3.10. So I select IP address for peer identifier in pfSense and type in 192.168.3.10. That's all there is to it...

  • IPSEC Tunnels using VTI disconnect and dont reconnect

    0 Votes, 2 Posts, 411 Views, last post by jimp

    https://redmine.pfsense.org/issues/9767#note-1

  • 0 Votes, 2 Posts, 324 Views

    Any ideas here? Thank you!

  • 0 Votes, 3 Posts, 144 Views, no one has replied

  • basic ipsec tunnel traffic one way.

    0 Votes, 1 Post, 148 Views, no one has replied

  • Child-SA only one-way

    0 Votes, 9 Posts, 3k Views

    @Konstanti
    I'll see what I can do.

  • 0 Votes, 4 Posts, 2k Views, last post by jimp

    Unfortunately it doesn't look like strongSwan will log the ID type. Not sure why, seems like it would be rather useful.

    Since the FortiGate is manually specifying an ID of an unknown type you might have better luck using a "Key ID" string or "User Distinguished Name" type. Put a custom string in the FortiGate side, like "fortigatevpn", and then put the same string on pfSense in the Peer identifier using one of the types I mentioned.

    strongSwan will automatically use the type most appropriate for the given string in most cases, but if the far side is deliberately using the "wrong" type for values in that field, it might be difficult to force a match using a string which should be a specific (different) type.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.