IKEv2 IPSEC VPN - Randomly stopped working
-
@brswattt There are two lines that seem interesting to me:
Feb 9 11:19:28 charon 7913 09[IKE] <con-mobile|7> initiator did not reauthenticate as requested
...
Feb 9 11:19:20 charon 7913 10[IKE] <con-mobile|6> rescheduling reauthentication in 8s after rekeying, lifetime reduced to 40s
Do you really need reauthentication?
This is set in phase 1 configuration under "Expiration and Replacement".
-
@mamawe What is the benefit with and without? I'm not sure if I do need it exactly, I just want the client to connect after the lifetime expires, that's all.
So now I'm back to not being able to connect, I changed my Phase 1 / Phase 2 encryption to 1 set.
This is my Windows IPSEC Config for the connection:
Feb 9 12:00:23 charon 7913 07[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:23 charon 7913 07[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:23 charon 7913 06[NET] sending packet: from $HOME_ip[4500] to $WORK_ip[4500]
Feb 9 12:00:23 charon 7913 07[NET] <con-mobile|25> sending packet: from $HOME_ip[4500] to $WORK_ip[4500] (142 bytes)
Feb 9 12:00:23 charon 7913 07[NET] <con-mobile|25> sending packet: from $HOME_ip[4500] to $WORK_ip[4500] (1248 bytes)
Feb 9 12:00:23 charon 7913 07[IKE] <con-mobile|25> received retransmit of request with ID 1, retransmitting response
Feb 9 12:00:23 charon 7913 07[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 9 12:00:23 charon 7913 07[ENC] <con-mobile|25> received fragment #2 of 3, reassembled fragmented IKE message (1462 bytes)
Feb 9 12:00:23 charon 7913 07[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ EF(2/3) ]
Feb 9 12:00:23 charon 7913 07[NET] <con-mobile|25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (572 bytes)
Feb 9 12:00:23 charon 7913 07[MGR] IKE_SA con-mobile[25] successfully checked out
Feb 9 12:00:23 charon 7913 09[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:23 charon 7913 09[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:23 charon 7913 09[ENC] <con-mobile|25> received fragment #3 of 3, waiting for complete IKE message
Feb 9 12:00:23 charon 7913 09[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ EF(3/3) ]
Feb 9 12:00:23 charon 7913 09[NET] <con-mobile|25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (476 bytes)
Feb 9 12:00:23 charon 7913 09[MGR] IKE_SA con-mobile[25] successfully checked out
Feb 9 12:00:23 charon 7913 02[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:23 charon 7913 02[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:23 charon 7913 02[ENC] <con-mobile|25> received fragment #1 of 3, waiting for complete IKE message
Feb 9 12:00:23 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:23 charon 7913 09[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:23 charon 7913 02[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ EF(1/3) ]
Feb 9 12:00:23 charon 7913 07[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:23 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:23 charon 7913 02[NET] <con-mobile|25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (572 bytes)
Feb 9 12:00:23 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:23 charon 7913 02[MGR] IKE_SA con-mobile[25] successfully checked out
Feb 9 12:00:23 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:23 charon 7913 02[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:23 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:23 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:22 charon 7913 06[NET] sending packet: from $HOME_ip[4500] to $WORK_ip[4500]
Feb 9 12:00:22 charon 7913 02[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:22 charon 7913 02[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:22 charon 7913 06[NET] sending packet: from $HOME_ip[4500] to $WORK_ip[4500]
Feb 9 12:00:22 charon 7913 02[NET] <con-mobile|25> sending packet: from $HOME_ip[4500] to $WORK_ip[4500] (142 bytes)
Feb 9 12:00:22 charon 7913 02[NET] <con-mobile|25> sending packet: from $HOME_ip[4500] to $WORK_ip[4500] (1248 bytes)
Feb 9 12:00:22 charon 7913 02[IKE] <con-mobile|25> received retransmit of request with ID 1, retransmitting response
Feb 9 12:00:22 charon 7913 02[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 9 12:00:22 charon 7913 02[ENC] <con-mobile|25> received fragment #3 of 3, reassembled fragmented IKE message (1462 bytes)
Feb 9 12:00:22 charon 7913 02[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ EF(3/3) ]
Feb 9 12:00:22 charon 7913 02[NET] <con-mobile|25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (476 bytes)
Feb 9 12:00:22 charon 7913 02[MGR] IKE_SA con-mobile[25] successfully checked out
Feb 9 12:00:22 charon 7913 07[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:22 charon 7913 07[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:22 charon 7913 07[ENC] <con-mobile|25> received fragment #2 of 3, waiting for complete IKE message
Feb 9 12:00:22 charon 7913 07[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ EF(2/3) ]
Feb 9 12:00:22 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:22 charon 7913 07[NET] <con-mobile|25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (572 bytes)
Feb 9 12:00:22 charon 7913 02[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:22 charon 7913 07[MGR] IKE_SA con-mobile[25] successfully checked out
Feb 9 12:00:22 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:22 charon 7913 02[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:22 charon 7913 02[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:22 charon 7913 02[ENC] <con-mobile|25> received fragment #1 of 3, waiting for complete IKE message
Feb 9 12:00:22 charon 7913 02[ENC] <con-mobile|25> parsed IKE_AUTH request 1 [ EF(1/3) ]
Feb 9 12:00:22 charon 7913 02[NET] <con-mobile|25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (572 bytes)
Feb 9 12:00:22 charon 7913 07[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:22 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:22 charon 7913 02[MGR] IKE_SA con-mobile[25] successfully checked out
Feb 9 12:00:22 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:22 charon 7913 02[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:22 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:22 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:21 charon 7913 06[NET] sending packet: from $HOME_ip[4500] to $WORK_ip[4500]
Feb 9 12:00:21 charon 7913 02[MGR] <con-mobile|25> checkin of IKE_SA successful
Feb 9 12:00:21 charon 7913 02[MGR] <con-mobile|25> checkin IKE_SA con-mobile[25]
Feb 9 12:00:21 charon 7913 06[NET] sending packet: from $HOME_ip[4500] to $WORK_ip[4500]
Feb 9 12:00:21 charon 7913 02[NET] <con-mobile|25> sending packet: from $HOME_ip[4500] to $WORK_ip[4500] (142 bytes)
Feb 9 12:00:21 charon 7913 02[NET] <con-mobile|25> sending packet: from $HOME_ip[4500] to $WORK_ip[4500] (1248 bytes)
Feb 9 12:00:21 charon 7913 02[ENC] <con-mobile|25> generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 9 12:00:21 charon 7913 02[ENC] <con-mobile|25> generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 9 12:00:21 charon 7913 02[ENC] <con-mobile|25> splitting IKE message (1325 bytes) into 2 fragments
Feb 9 12:00:21 charon 7913 02[ENC] <con-mobile|25> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> sending end entity cert "CN=$HOME_ip"
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> authentication of '$HOME_ip' (myself) with RSA signature successful
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> peer supports MOBIKE
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP6_SERVER attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP6_DNS attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP6_ADDRESS attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP4_SERVER attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP4_NBNS attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP4_DNS attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> processing INTERNAL_IP4_ADDRESS attribute
Feb 9 12:00:21 charon 7913 02[IKE] <con-mobile|25> initiating EAP_IDENTITY method (id 0x00)
Feb 9 12:00:21 charon 7913 02[CFG] <con-mobile|25> selected peer config 'con-mobile'
Feb 9 12:00:21 charon 7913 02[CFG] <25> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Feb 9 12:00:21 charon 7913 02[CFG] <25> looking for peer configs matching $HOME_ip[%any]...$WORK_ip[192.168.77.169]
Feb 9 12:00:21 charon 7913 02[IKE] <25> received 58 cert requests for an unknown ca
Feb 9 12:00:21 charon 7913 02[IKE] <25> received cert request for "CN=pfsense.local.lan"
Feb 9 12:00:21 charon 7913 02[ENC] <25> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 9 12:00:21 charon 7913 02[ENC] <25> received fragment #3 of 3, reassembled fragmented IKE message (1462 bytes)
Feb 9 12:00:21 charon 7913 02[ENC] <25> parsed IKE_AUTH request 1 [ EF(3/3) ]
Feb 9 12:00:21 charon 7913 02[NET] <25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (476 bytes)
Feb 9 12:00:21 charon 7913 02[MGR] IKE_SA (unnamed)[25] successfully checked out
Feb 9 12:00:21 charon 7913 02[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:21 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:21 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:21 charon 7913 10[MGR] <25> checkin of IKE_SA successful
Feb 9 12:00:21 charon 7913 10[MGR] <25> checkin IKE_SA (unnamed)[25]
Feb 9 12:00:21 charon 7913 10[ENC] <25> received fragment #2 of 3, waiting for complete IKE message
Feb 9 12:00:21 charon 7913 10[ENC] <25> parsed IKE_AUTH request 1 [ EF(2/3) ]
Feb 9 12:00:21 charon 7913 10[NET] <25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (572 bytes)
Feb 9 12:00:21 charon 7913 10[MGR] IKE_SA (unnamed)[25] successfully checked out
Feb 9 12:00:21 charon 7913 10[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:21 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:21 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:21 charon 7913 10[MGR] <25> checkin of IKE_SA successful
Feb 9 12:00:21 charon 7913 10[MGR] <25> checkin IKE_SA (unnamed)[25]
Feb 9 12:00:21 charon 7913 10[ENC] <25> received fragment #1 of 3, waiting for complete IKE message
Feb 9 12:00:21 charon 7913 10[ENC] <25> parsed IKE_AUTH request 1 [ EF(1/3) ]
Feb 9 12:00:21 charon 7913 10[NET] <25> received packet: from $WORK_ip[4500] to $HOME_ip[4500] (572 bytes)
Feb 9 12:00:21 charon 7913 10[MGR] IKE_SA (unnamed)[25] successfully checked out
Feb 9 12:00:21 charon 7913 10[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 4af671f3400afd23_r
Feb 9 12:00:21 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:21 charon 7913 08[NET] received packet: from $WORK_ip[4500] to $HOME_ip[4500]
Feb 9 12:00:21 charon 7913 10[MGR] <25> checkin of IKE_SA successful
Feb 9 12:00:21 charon 7913 10[MGR] <25> checkin IKE_SA (unnamed)[25]
Feb 9 12:00:21 charon 7913 06[NET] sending packet: from $HOME_ip[500] to $WORK_ip[500]
Feb 9 12:00:21 charon 7913 10[NET] <25> sending packet: from $HOME_ip[500] to $WORK_ip[500] (313 bytes)
Feb 9 12:00:21 charon 7913 10[ENC] <25> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 9 12:00:21 charon 7913 10[IKE] <25> sending cert request for "CN=pfsense.local.lan"
Feb 9 12:00:21 charon 7913 10[IKE] <25> remote host is behind NAT
Feb 9 12:00:21 charon 7913 10[CFG] <25> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Feb 9 12:00:21 charon 7913 10[CFG] <25> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Feb 9 12:00:21 charon 7913 10[CFG] <25> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Feb 9 12:00:21 charon 7913 10[CFG] <25> proposal matches
Feb 9 12:00:21 charon 7913 10[CFG] <25> selecting proposal:
Feb 9 12:00:21 charon 7913 10[IKE] <25> IKE_SA (unnamed)[25] state change: CREATED => CONNECTING
Feb 9 12:00:21 charon 7913 10[IKE] <25> $WORK_ip is initiating an IKE_SA
Feb 9 12:00:21 charon 7913 10[ENC] <25> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Feb 9 12:00:21 charon 7913 10[IKE] <25> received Vid-Initial-Contact vendor ID
Feb 9 12:00:21 charon 7913 10[IKE] <25> received MS-Negotiation Discovery Capable vendor ID
Feb 9 12:00:21 charon 7913 10[IKE] <25> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 9 12:00:21 charon 7913 10[CFG] <25> found matching ike config: $HOME_ip...0.0.0.0/0, ::/0 with prio 1052
Feb 9 12:00:21 charon 7913 10[CFG] <25> candidate: $HOME_ip...0.0.0.0/0, ::/0, prio 1052
Feb 9 12:00:21 charon 7913 10[CFG] <25> looking for an IKEv2 config for $HOME_ip...$WORK_ip
Feb 9 12:00:21 charon 7913 10[ENC] <25> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 9 12:00:21 charon 7913 10[NET] <25> received packet: from $WORK_ip[500] to $HOME_ip[500] (376 bytes)
Feb 9 12:00:21 charon 7913 10[MGR] created IKE_SA (unnamed)[25]
Feb 9 12:00:21 charon 7913 10[MGR] checkout IKEv2 SA by message with SPIs e4f8c37ffe76d934_i 0000000000000000_r
Feb 9 12:00:21 charon 7913 08[NET] waiting for data on sockets
Feb 9 12:00:21 charon 7913 08[NET] received packet: from $WORK_ip[500] to $HOME_ip[500]
-
Update:
I reset all the lifetimes to their default values (left blank and let it refill). Turned off reauth.
Connected.... Rekey in about 3 hours. Will update when I get home from work if it stayed connected.
-
@brswattt said in IKEv2 IPSEC VPN - Randomly stopped working:
Feb 9 11:19:51 charon 7913 14[IKE] <con-mobile|7> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
I noticed this line, looks like your client has some issues, during rekey you should see at least 1 proposal.
Can you dump the ipsec log from your client?
-
@lolipoplo I have corrected that specific issue, my Windows client had a registry key forcing certain proposal settings. I don't have that issue now.
I just saw a phase 2 rekey go and be successful. I'm thinking about triggering a manual rekey for phase 1 to see if it works.
-
Okay, I triggered a manual rekey of the Phase 1 connection and it doesn't seem like it worked. I was able to connect after though.
Feb 9 15:42:47 charon 71704 12[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:47 charon 71704 12[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:47 charon 71704 12[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:47 charon 71704 12[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:44 charon 71704 13[CFG] vici client 1385 disconnected
Feb 9 15:42:44 charon 71704 13[CFG] vici client 1385 requests: list-sas
Feb 9 15:42:44 charon 71704 13[CFG] vici client 1385 registered for: list-sa
Feb 9 15:42:44 charon 71704 07[CFG] vici client 1385 connected
Feb 9 15:42:44 charon 71704 15[CFG] vici client 1384 disconnected
Feb 9 15:42:44 charon 71704 10[CFG] vici client 1384 requests: list-sas
Feb 9 15:42:44 charon 71704 10[CFG] vici client 1384 registered for: list-sa
Feb 9 15:42:44 charon 71704 15[CFG] vici client 1384 connected
Feb 9 15:42:39 charon 71704 11[CFG] vici client 1383 disconnected
Feb 9 15:42:39 charon 71704 09[CFG] vici client 1383 requests: list-sas
Feb 9 15:42:39 charon 71704 11[CFG] vici client 1383 registered for: list-sa
Feb 9 15:42:39 charon 71704 08[CFG] vici client 1383 connected
Feb 9 15:42:38 charon 71704 15[CFG] vici client 1382 disconnected
Feb 9 15:42:38 charon 71704 10[CFG] vici client 1382 requests: list-sas
Feb 9 15:42:38 charon 71704 10[CFG] vici client 1382 registered for: list-sa
Feb 9 15:42:38 charon 71704 07[CFG] vici client 1382 connected
Feb 9 15:42:36 charon 71704 15[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:36 charon 71704 15[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:36 charon 71704 15[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:36 charon 71704 15[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:35 charon 71704 15[MGR] IKE_SA checkout not successful
Feb 9 15:42:35 charon 71704 15[MGR] checkout IKEv2 SA by message with SPIs 66b6641a86f9ba9a_i 22d4293daaeb31a6_r
Feb 9 15:42:35 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:35 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:34 charon 71704 15[MGR] IKE_SA checkout not successful
Feb 9 15:42:34 charon 71704 15[MGR] checkout IKEv2 SA by message with SPIs 66b6641a86f9ba9a_i 22d4293daaeb31a6_r
Feb 9 15:42:34 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:34 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:33 charon 71704 12[MGR] IKE_SA checkout not successful
Feb 9 15:42:33 charon 71704 12[MGR] checkout IKEv2 SA by message with SPIs 66b6641a86f9ba9a_i 22d4293daaeb31a6_r
Feb 9 15:42:33 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:33 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:33 charon 71704 08[CFG] vici client 1381 disconnected
Feb 9 15:42:33 charon 71704 11[CFG] vici client 1381 requests: list-sas
Feb 9 15:42:33 charon 71704 08[CFG] vici client 1381 registered for: list-sa
Feb 9 15:42:33 charon 71704 11[CFG] vici client 1381 connected
Feb 9 15:42:32 charon 71704 09[MGR] IKE_SA checkout not successful
Feb 9 15:42:32 charon 71704 09[MGR] checkout IKEv2 SA by message with SPIs 66b6641a86f9ba9a_i 22d4293daaeb31a6_r
Feb 9 15:42:32 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:32 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:31 charon 71704 07[CFG] vici client 1380 disconnected
Feb 9 15:42:31 charon 71704 10[CFG] vici client 1380 requests: list-sas
Feb 9 15:42:31 charon 71704 15[CFG] vici client 1380 registered for: list-sa
Feb 9 15:42:31 charon 71704 07[CFG] vici client 1380 connected
Feb 9 15:42:30 charon 71704 10[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:30 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561]
Feb 9 15:42:30 charon 71704 10[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:30 charon 71704 10[NET] <con-mobile|3> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes)
Feb 9 15:42:30 charon 71704 10[IKE] <con-mobile|3> retransmit 3 of request with message ID 270
Feb 9 15:42:30 charon 71704 10[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:30 charon 71704 10[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:28 charon 71704 11[CFG] vici client 1379 disconnected
Feb 9 15:42:28 charon 71704 14[CFG] vici client 1379 requests: list-sas
Feb 9 15:42:28 charon 71704 08[CFG] vici client 1379 registered for: list-sa
Feb 9 15:42:28 charon 71704 14[CFG] vici client 1379 connected
Feb 9 15:42:26 charon 71704 11[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:26 charon 71704 11[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:26 charon 71704 11[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:26 charon 71704 11[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:25 charon 71704 07[CFG] vici client 1378 disconnected
Feb 9 15:42:25 charon 71704 15[CFG] vici client 1378 requests: list-sas
Feb 9 15:42:25 charon 71704 07[CFG] vici client 1378 registered for: list-sa
Feb 9 15:42:25 charon 71704 06[CFG] vici client 1378 connected
Feb 9 15:42:24 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:24 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:22 charon 71704 14[CFG] vici client 1377 disconnected
Feb 9 15:42:22 charon 71704 08[CFG] vici client 1377 requests: list-sas
Feb 9 15:42:22 charon 71704 08[CFG] vici client 1377 registered for: list-sa
Feb 9 15:42:22 charon 71704 11[CFG] vici client 1377 connected
Feb 9 15:42:19 charon 71704 06[CFG] vici client 1376 disconnected
Feb 9 15:42:19 charon 71704 07[CFG] vici client 1376 requests: list-sas
Feb 9 15:42:19 charon 71704 15[CFG] vici client 1376 registered for: list-sa
Feb 9 15:42:19 charon 71704 07[CFG] vici client 1376 connected
Feb 9 15:42:17 charon 71704 12[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:17 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561]
Feb 9 15:42:17 charon 71704 12[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:17 charon 71704 12[NET] <con-mobile|3> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes)
Feb 9 15:42:17 charon 71704 12[IKE] <con-mobile|3> retransmit 2 of request with message ID 270
Feb 9 15:42:17 charon 71704 12[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:17 charon 71704 12[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:16 charon 71704 08[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:16 charon 71704 08[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:16 charon 71704 08[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:16 charon 71704 08[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:16 charon 71704 11[CFG] vici client 1375 disconnected
Feb 9 15:42:16 charon 71704 08[CFG] vici client 1375 requests: list-sas
Feb 9 15:42:16 charon 71704 08[CFG] vici client 1375 registered for: list-sa
Feb 9 15:42:16 charon 71704 11[CFG] vici client 1375 connected
Feb 9 15:42:15 charon 71704 16[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:15 charon 71704 16[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:15 charon 71704 16[IKE] <con-mobile|3> INFORMATIONAL request with message ID 503 processing failed
Feb 9 15:42:15 charon 71704 16[IKE] <con-mobile|3> integrity check failed
Feb 9 15:42:15 charon 71704 16[ENC] <con-mobile|3> could not decrypt payloads
Feb 9 15:42:15 charon 71704 16[ENC] <con-mobile|3> verifying encrypted payload integrity failed
Feb 9 15:42:15 charon 71704 16[NET] <con-mobile|3> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (72 bytes)
Feb 9 15:42:15 charon 71704 16[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:15 charon 71704 16[MGR] checkout IKEv2 SA by message with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:15 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:15 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:14 charon 71704 14[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:14 charon 71704 14[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:14 charon 71704 14[IKE] <con-mobile|3> INFORMATIONAL request with message ID 503 processing failed
Feb 9 15:42:14 charon 71704 14[IKE] <con-mobile|3> integrity check failed
Feb 9 15:42:14 charon 71704 14[ENC] <con-mobile|3> could not decrypt payloads
Feb 9 15:42:14 charon 71704 14[ENC] <con-mobile|3> verifying encrypted payload integrity failed
Feb 9 15:42:14 charon 71704 14[NET] <con-mobile|3> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (72 bytes)
Feb 9 15:42:14 charon 71704 14[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:14 charon 71704 14[MGR] checkout IKEv2 SA by message with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:14 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:14 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:13 charon 71704 07[CFG] vici client 1374 disconnected
Feb 9 15:42:13 charon 71704 07[CFG] vici client 1374 requests: list-sas
Feb 9 15:42:13 charon 71704 15[CFG] vici client 1374 registered for: list-sa
Feb 9 15:42:13 charon 71704 06[CFG] vici client 1374 connected
Feb 9 15:42:13 charon 71704 07[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:13 charon 71704 07[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:13 charon 71704 07[IKE] <con-mobile|3> INFORMATIONAL request with message ID 503 processing failed
Feb 9 15:42:13 charon 71704 07[IKE] <con-mobile|3> integrity check failed
Feb 9 15:42:13 charon 71704 07[ENC] <con-mobile|3> could not decrypt payloads
Feb 9 15:42:13 charon 71704 07[ENC] <con-mobile|3> verifying encrypted payload integrity failed
Feb 9 15:42:13 charon 71704 07[NET] <con-mobile|3> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (72 bytes)
Feb 9 15:42:13 charon 71704 07[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:13 charon 71704 07[MGR] checkout IKEv2 SA by message with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:13 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:13 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:11 charon 71704 11[CFG] vici client 1373 disconnected
Feb 9 15:42:11 charon 71704 11[CFG] vici client 1373 requests: list-sas
Feb 9 15:42:11 charon 71704 16[CFG] vici client 1373 registered for: list-sa
Feb 9 15:42:11 charon 71704 11[CFG] vici client 1373 connected
Feb 9 15:42:09 charon 71704 16[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:09 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561]
Feb 9 15:42:09 charon 71704 16[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:09 charon 71704 16[NET] <con-mobile|3> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes)
Feb 9 15:42:09 charon 71704 16[IKE] <con-mobile|3> retransmit 1 of request with message ID 270
Feb 9 15:42:09 charon 71704 16[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:09 charon 71704 16[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:07 charon 71704 06[CFG] vici client 1372 disconnected
Feb 9 15:42:07 charon 71704 15[CFG] vici client 1372 requests: list-sas
Feb 9 15:42:07 charon 71704 15[CFG] vici client 1372 registered for: list-sa
Feb 9 15:42:07 charon 71704 06[CFG] vici client 1372 connected
Feb 9 15:42:06 charon 71704 13[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:06 charon 71704 13[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:06 charon 71704 13[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:06 charon 71704 13[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:05 charon 71704 10[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:05 charon 71704 10[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> CREATE_CHILD_SA response with message ID 270 processing failed
Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> integrity check failed
Feb 9 15:42:05 charon 71704 10[ENC] <con-mobile|3> could not decrypt payloads
Feb 9 15:42:05 charon 71704 10[ENC] <con-mobile|3> verifying encrypted payload integrity failed
Feb 9 15:42:05 charon 71704 10[NET] <con-mobile|3> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (264 bytes)
Feb 9 15:42:05 charon 71704 10[MGR] IKE_SA con-mobile[3] successfully checked out
Feb 9 15:42:05 charon 71704 10[MGR] checkout IKEv2 SA by message with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r
Feb 9 15:42:05 charon 71704 01[NET] waiting for data on sockets
Feb 9 15:42:05 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500]
Feb 9 15:42:05 charon 71704 10[MGR] <con-mobile|3> checkin of IKE_SA successful
Feb 9 15:42:05 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561]
Feb 9 15:42:05 charon 71704 10[MGR] <con-mobile|3> checkin IKE_SA con-mobile[3]
Feb 9 15:42:05 charon 71704 10[NET] <con-mobile|3> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes)
Feb 9 15:42:05 charon 71704 10[ENC] <con-mobile|3> generating CREATE_CHILD_SA request 270 [ SA No KE ]
Feb 9 15:42:05 charon 71704 10[CFG] <con-mobile|3> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> IKE_SA con-mobile[4] state change: CREATED => CONNECTING
Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> initiating IKE_SA con-mobile[4] to $WORK_IP
Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> IKE_SA con-mobile[3] state change: ESTABLISHED => REKEYING
Feb 9 15:42:05 charon 71704 10[MGR]
<con-mobile|3> created IKE_SA (unnamed)[4] Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> activating IKE_REKEY task Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> activating new tasks Feb 9 15:42:05 charon 71704 10[IKE] <con-mobile|3> queueing IKE_REKEY task Feb 9 15:42:05 charon 71704 10[MGR] IKE_SA con-mobile[3] successfully checked out Feb 9 15:42:05 charon 71704 10[MGR] checkout IKEv2 SA with SPIs 909dd139ad9a2016_i 28cb1ec1bac43146_r Feb 9 15:42:05 charon 71704 07[CFG] received stroke: rekey 'con-mobile[3]'
-
So the rekey didn't work, of course... here is the log.
Only thing I can see that is weird is the "verifying encrypted payload integrity failed" / "CREATE_CHILD_SA response with message ID 355 processing failed". Any ideas, guys? Real annoying, now I can't even connect back.
Feb 9 19:35:11 charon 71704 14[CFG] vici client 4445 disconnected Feb 9 19:35:11 charon 71704 11[CFG] vici client 4445 requests: list-sas Feb 9 19:35:11 charon 71704 12[CFG] vici client 4445 registered for: list-sa Feb 9 19:35:11 charon 71704 11[CFG] vici client 4445 connected Feb 9 19:35:09 charon 71704 14[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:35:09 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561] Feb 9 19:35:09 charon 71704 14[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:35:09 charon 71704 14[NET] <con-mobile|6> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes) Feb 9 19:35:09 charon 71704 14[IKE] <con-mobile|6> retransmit 3 of request with message ID 355 Feb 9 19:35:09 charon 71704 14[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:35:09 charon 71704 14[MGR] checkout IKEv2 SA with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:35:08 charon 71704 10[CFG] vici client 4444 disconnected Feb 9 19:35:08 charon 71704 07[CFG] vici client 4444 requests: list-sas Feb 9 19:35:08 charon 71704 10[CFG] vici client 4444 registered for: list-sa Feb 9 19:35:08 charon 71704 07[CFG] vici client 4444 connected Feb 9 19:35:06 charon 71704 16[MGR] IKE_SA checkout not successful Feb 9 19:35:06 charon 71704 16[MGR] checkout IKEv2 SA by message with SPIs ee9bd6c6f5645f0e_i adf777d30f13ecb5_r Feb 9 19:35:06 charon 71704 01[NET] waiting for data on sockets Feb 9 19:35:06 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:35:05 charon 71704 16[MGR] IKE_SA checkout not successful Feb 9 19:35:05 charon 71704 16[MGR] checkout IKEv2 SA by message with SPIs ee9bd6c6f5645f0e_i adf777d30f13ecb5_r Feb 9 19:35:05 charon 71704 01[NET] waiting for data on sockets Feb 9 19:35:05 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:35:04 charon 71704 11[CFG] vici client 4443 disconnected Feb 9 19:35:04 charon 71704 12[CFG] vici client 4443 
requests: list-sas Feb 9 19:35:04 charon 71704 11[CFG] vici client 4443 registered for: list-sa Feb 9 19:35:04 charon 71704 14[CFG] vici client 4443 connected Feb 9 19:35:04 charon 71704 11[MGR] IKE_SA checkout not successful Feb 9 19:35:04 charon 71704 11[MGR] checkout IKEv2 SA by message with SPIs ee9bd6c6f5645f0e_i adf777d30f13ecb5_r Feb 9 19:35:04 charon 71704 01[NET] waiting for data on sockets Feb 9 19:35:04 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:35:04 charon 71704 01[NET] waiting for data on sockets Feb 9 19:35:04 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:35:03 charon 71704 11[MGR] IKE_SA checkout not successful Feb 9 19:35:03 charon 71704 11[MGR] checkout IKEv2 SA by message with SPIs ee9bd6c6f5645f0e_i adf777d30f13ecb5_r Feb 9 19:35:03 charon 71704 01[NET] waiting for data on sockets Feb 9 19:35:03 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:35:03 charon 71704 06[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:35:03 charon 71704 06[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:35:03 charon 71704 06[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:35:03 charon 71704 06[MGR] checkout IKEv2 SA with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:35:03 charon 71704 07[CFG] vici client 4442 disconnected Feb 9 19:35:03 charon 71704 16[CFG] vici client 4442 requests: list-sas Feb 9 19:35:03 charon 71704 07[CFG] vici client 4442 registered for: list-sa Feb 9 19:35:03 charon 71704 16[CFG] vici client 4442 connected Feb 9 19:34:58 charon 71704 14[CFG] vici client 4441 disconnected Feb 9 19:34:58 charon 71704 12[CFG] vici client 4441 requests: list-sas Feb 9 19:34:58 charon 71704 14[CFG] vici client 4441 registered for: list-sa Feb 9 19:34:58 charon 71704 12[CFG] vici client 4441 connected Feb 9 19:34:57 charon 71704 16[CFG] vici client 4440 disconnected Feb 9 19:34:57 charon 71704 07[CFG] vici 
client 4440 requests: list-sas Feb 9 19:34:57 charon 71704 16[CFG] vici client 4440 registered for: list-sa Feb 9 19:34:57 charon 71704 10[CFG] vici client 4440 connected Feb 9 19:34:56 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561] Feb 9 19:34:56 charon 71704 07[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:56 charon 71704 07[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:56 charon 71704 07[NET] <con-mobile|6> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes) Feb 9 19:34:56 charon 71704 07[IKE] <con-mobile|6> retransmit 2 of request with message ID 355 Feb 9 19:34:56 charon 71704 07[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:56 charon 71704 07[MGR] checkout IKEv2 SA with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:53 charon 71704 07[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:53 charon 71704 07[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:53 charon 71704 07[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:53 charon 71704 07[MGR] checkout IKEv2 SA with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:52 charon 71704 12[CFG] vici client 4439 disconnected Feb 9 19:34:52 charon 71704 15[CFG] vici client 4439 requests: list-sas Feb 9 19:34:52 charon 71704 15[CFG] vici client 4439 registered for: list-sa Feb 9 19:34:52 charon 71704 14[CFG] vici client 4439 connected Feb 9 19:34:52 charon 71704 10[CFG] vici client 4438 disconnected Feb 9 19:34:52 charon 71704 16[CFG] vici client 4438 requests: list-sas Feb 9 19:34:52 charon 71704 10[CFG] vici client 4438 registered for: list-sa Feb 9 19:34:52 charon 71704 16[CFG] vici client 4438 connected Feb 9 19:34:51 charon 71704 06[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:51 charon 71704 06[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:51 charon 71704 06[IKE] <con-mobile|6> INFORMATIONAL request with message ID 1016 processing failed Feb 9 
19:34:51 charon 71704 06[IKE] <con-mobile|6> integrity check failed Feb 9 19:34:51 charon 71704 06[ENC] <con-mobile|6> could not decrypt payloads Feb 9 19:34:51 charon 71704 06[ENC] <con-mobile|6> verifying encrypted payload integrity failed Feb 9 19:34:51 charon 71704 06[NET] <con-mobile|6> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (72 bytes) Feb 9 19:34:51 charon 71704 06[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:51 charon 71704 06[MGR] checkout IKEv2 SA by message with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:51 charon 71704 01[NET] waiting for data on sockets Feb 9 19:34:51 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:34:50 charon 71704 06[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:50 charon 71704 06[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:50 charon 71704 06[IKE] <con-mobile|6> INFORMATIONAL request with message ID 1016 processing failed Feb 9 19:34:50 charon 71704 06[IKE] <con-mobile|6> integrity check failed Feb 9 19:34:50 charon 71704 06[ENC] <con-mobile|6> could not decrypt payloads Feb 9 19:34:50 charon 71704 06[ENC] <con-mobile|6> verifying encrypted payload integrity failed Feb 9 19:34:50 charon 71704 06[NET] <con-mobile|6> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (72 bytes) Feb 9 19:34:50 charon 71704 06[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:50 charon 71704 06[MGR] checkout IKEv2 SA by message with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:50 charon 71704 01[NET] waiting for data on sockets Feb 9 19:34:50 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:34:49 charon 71704 06[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:49 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561] Feb 9 19:34:49 charon 71704 06[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:49 charon 71704 06[NET] 
<con-mobile|6> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes) Feb 9 19:34:49 charon 71704 06[IKE] <con-mobile|6> retransmit 1 of request with message ID 355 Feb 9 19:34:49 charon 71704 06[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:49 charon 71704 06[MGR] checkout IKEv2 SA with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:49 charon 71704 07[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:49 charon 71704 07[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:49 charon 71704 07[IKE] <con-mobile|6> INFORMATIONAL request with message ID 1016 processing failed Feb 9 19:34:49 charon 71704 07[IKE] <con-mobile|6> integrity check failed Feb 9 19:34:49 charon 71704 07[ENC] <con-mobile|6> could not decrypt payloads Feb 9 19:34:49 charon 71704 07[ENC] <con-mobile|6> verifying encrypted payload integrity failed Feb 9 19:34:49 charon 71704 07[NET] <con-mobile|6> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (72 bytes) Feb 9 19:34:49 charon 71704 07[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:49 charon 71704 07[MGR] checkout IKEv2 SA by message with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:49 charon 71704 01[NET] waiting for data on sockets Feb 9 19:34:49 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:34:47 charon 71704 07[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:47 charon 71704 07[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:47 charon 71704 07[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:47 charon 71704 07[MGR] checkout IKEv2 SA with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:46 charon 71704 09[CFG] vici client 4437 disconnected Feb 9 19:34:46 charon 71704 11[CFG] vici client 4437 requests: list-sas Feb 9 19:34:46 charon 71704 10[CFG] vici client 4437 registered for: list-sa Feb 9 19:34:46 charon 71704 09[CFG] vici client 4437 connected Feb 9 19:34:46 charon 71704 
16[CFG] vici client 4436 disconnected Feb 9 19:34:46 charon 71704 06[CFG] vici client 4436 requests: list-sas Feb 9 19:34:46 charon 71704 06[CFG] vici client 4436 registered for: list-sa Feb 9 19:34:46 charon 71704 11[CFG] vici client 4436 connected Feb 9 19:34:45 charon 71704 16[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:45 charon 71704 16[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> CREATE_CHILD_SA response with message ID 355 processing failed Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> integrity check failed Feb 9 19:34:45 charon 71704 16[ENC] <con-mobile|6> could not decrypt payloads Feb 9 19:34:45 charon 71704 16[ENC] <con-mobile|6> verifying encrypted payload integrity failed Feb 9 19:34:45 charon 71704 16[NET] <con-mobile|6> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (264 bytes) Feb 9 19:34:45 charon 71704 16[MGR] IKE_SA con-mobile[6] successfully checked out Feb 9 19:34:45 charon 71704 16[MGR] checkout IKEv2 SA by message with SPIs 1421db634937e70d_i 638725af6178c479_r Feb 9 19:34:45 charon 71704 01[NET] waiting for data on sockets Feb 9 19:34:45 charon 71704 01[NET] received packet: from $WORK_IP[53561] to $HOME_IP[4500] Feb 9 19:34:45 charon 71704 16[MGR] <con-mobile|6> checkin of IKE_SA successful Feb 9 19:34:45 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[53561] Feb 9 19:34:45 charon 71704 16[MGR] <con-mobile|6> checkin IKE_SA con-mobile[6] Feb 9 19:34:45 charon 71704 16[NET] <con-mobile|6> sending packet: from $HOME_IP[4500] to $WORK_IP[53561] (245 bytes) Feb 9 19:34:45 charon 71704 16[ENC] <con-mobile|6> generating CREATE_CHILD_SA request 355 [ SA No KE ] Feb 9 19:34:45 charon 71704 16[CFG] <con-mobile|6> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> IKE_SA con-mobile[7] state change: CREATED => CONNECTING Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> 
initiating IKE_SA con-mobile[7] to $WORK_IP Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: ESTABLISHED => REKEYING Feb 9 19:34:45 charon 71704 16[MGR] <con-mobile|6> created IKE_SA (unnamed)[7] Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> activating IKE_REKEY task Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> activating new tasks Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> queueing IKE_REKEY task
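A reading aid for the log above, added here and not part of the original posts: a Python script that splits a newest-first, run-together charon paste into entries and reports, per IKE_SA, whether the rekey request got no reply or got a reply that failed the integrity check. The sample is constructed in the shape of the lines above; the `<con-mobile|2>` entries and all function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, newest entry first and run together like the paste above.
# The <con-mobile|6> entries follow lines from this page; <con-mobile|2> is
# hypothetical and shows the contrasting "no reply at all" case.
SAMPLE = " ".join([
    "Feb 9 19:34:56 charon 71704 07[IKE] <con-mobile|6> retransmit 2 of request with message ID 355",
    "Feb 9 19:34:51 charon 71704 06[IKE] <con-mobile|6> INFORMATIONAL request with message ID 1016 processing failed",
    "Feb 9 19:34:51 charon 71704 06[IKE] <con-mobile|6> integrity check failed",
    "Feb 9 19:34:49 charon 71704 06[IKE] <con-mobile|6> retransmit 1 of request with message ID 355",
    "Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> CREATE_CHILD_SA response with message ID 355 processing failed",
    "Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> integrity check failed",
    "Feb 9 19:34:45 charon 71704 16[NET] <con-mobile|6> received packet: from $WORK_IP[53561] to $HOME_IP[4500] (264 bytes)",
    "Feb 9 19:34:45 charon 71704 01[NET] waiting for data on sockets",
    "Feb 9 19:34:45 charon 71704 16[ENC] <con-mobile|6> generating CREATE_CHILD_SA request 355 [ SA No KE ]",
    "Feb 9 19:34:45 charon 71704 16[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: ESTABLISHED => REKEYING",
    "Feb 9 18:10:09 charon 71704 12[IKE] <con-mobile|2> retransmit 1 of request with message ID 12",
    "Feb 9 18:10:05 charon 71704 12[ENC] <con-mobile|2> generating CREATE_CHILD_SA request 12 [ SA No KE ]",
    "Feb 9 18:10:05 charon 71704 12[IKE] <con-mobile|2> IKE_SA con-mobile[2] state change: ESTABLISHED => REKEYING",
])

STAMP = r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}"
# Zero-width split point in front of every "<date> charon <pid> NN[" prefix.
SPLIT = re.compile(rf"(?={STAMP} charon \d+ \d{{2}}\[)")
ENTRY = re.compile(
    rf"(?P<ts>{STAMP}) charon \d+ (?P<thread>\d{{2}})\[(?P<subsys>[A-Z]{{3}})\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> )?(?P<msg>.*)"
)
REKEY_REQ = re.compile(r"generating CREATE_CHILD_SA request (\d+) ")
RETRANS = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
FAILED = re.compile(r"(\w+) (request|response) with message ID (\d+) processing failed")


def parse(text):
    """Return entries oldest-first as dicts (ts, thread, subsys, conn, sa, msg)."""
    text = " ".join(text.split())  # collapse newlines and repeated spaces
    found = (ENTRY.match(chunk.strip()) for chunk in SPLIT.split(text))
    entries = [m.groupdict() for m in found if m]  # a cut-off first chunk is dropped
    return entries[::-1]  # assumption: the paste lists the newest entry first


def summarise(entries):
    """Collect rekey-related facts per IKE_SA id (the number after '|')."""
    sas = defaultdict(lambda: {"rekey_started": False, "rekey_msg_id": None,
                               "rekey_reply": None, "retransmits": 0,
                               "integrity_failures": 0, "failed": Counter()})
    pending = {}  # SA id -> integrity failure not yet tied to an exchange
    for e in entries:
        if e["sa"] is None:
            continue
        sa, msg = int(e["sa"]), e["msg"]
        s = sas[sa]
        if "state change: ESTABLISHED => REKEYING" in msg:
            s["rekey_started"] = True
            continue
        if msg == "integrity check failed":
            s["integrity_failures"] += 1
            pending[sa] = True
            continue
        m = REKEY_REQ.match(msg)
        if m and s["rekey_started"] and s["rekey_msg_id"] is None:
            s["rekey_msg_id"] = int(m.group(1))
            continue
        m = RETRANS.match(msg)
        if m and int(m.group(2)) == s["rekey_msg_id"]:
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            continue
        m = FAILED.match(msg)
        if m:
            exchange, kind, msg_id = m.group(1), m.group(2), int(m.group(3))
            reason = "integrity" if pending.pop(sa, False) else "other"
            s["failed"][(exchange, kind, msg_id, reason)] += 1
            if (exchange, kind, msg_id) == ("CREATE_CHILD_SA", "response", s["rekey_msg_id"]):
                s["rekey_reply"] = reason
    return dict(sas)


def verdict(s):
    """One-line classification of how the rekey on this SA ended."""
    if not s["rekey_started"]:
        return "no IKE rekey seen"
    if s["rekey_reply"] == "integrity":
        return "reply received but failed the integrity check"
    if s["rekey_reply"] == "other":
        return "reply received but processing failed"
    if s["retransmits"]:
        return f"no reply seen, {s['retransmits']} retransmit(s)"
    return "rekey started, no failure logged"


if __name__ == "__main__":
    for sa_id, facts in sorted(summarise(parse(SAMPLE)).items()):
        print(f"IKE_SA {sa_id}: {verdict(facts)}; failed exchanges: {dict(facts['failed'])}")
```

The two verdicts separate a path problem (request never answered) from a reply that arrives but cannot be authenticated, which is the pattern in the log above.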
-
CONNECTION ATTEMPT AFTER REKEY FAIL LOG:
Feb 9 20:07:10 charon 71704 07[CFG] vici client 4816 disconnected Feb 9 20:07:10 charon 71704 15[CFG] vici client 4816 requests: list-sas Feb 9 20:07:10 charon 71704 13[CFG] vici client 4816 registered for: list-sa Feb 9 20:07:10 charon 71704 15[CFG] vici client 4816 connected Feb 9 20:07:04 charon 71704 10[CFG] vici client 4815 disconnected Feb 9 20:07:04 charon 71704 12[CFG] vici client 4815 requests: list-sas Feb 9 20:07:04 charon 71704 12[CFG] vici client 4815 registered for: list-sa Feb 9 20:07:04 charon 71704 10[CFG] vici client 4815 connected Feb 9 20:06:58 charon 71704 15[CFG] vici client 4814 disconnected Feb 9 20:06:58 charon 71704 13[CFG] vici client 4814 requests: list-sas Feb 9 20:06:58 charon 71704 15[CFG] vici client 4814 registered for: list-sa Feb 9 20:06:58 charon 71704 15[CFG] vici client 4814 connected Feb 9 20:06:52 charon 71704 11[CFG] vici client 4813 disconnected Feb 9 20:06:52 charon 71704 12[CFG] vici client 4813 requests: list-sas Feb 9 20:06:52 charon 71704 11[CFG] vici client 4813 registered for: list-sa Feb 9 20:06:52 charon 71704 10[CFG] vici client 4813 connected Feb 9 20:06:51 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[4500] Feb 9 20:06:51 charon 71704 12[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:51 charon 71704 12[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:51 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[4500] Feb 9 20:06:51 charon 71704 12[NET] <con-mobile|22> sending packet: from $HOME_IP[4500] to $WORK_IP[4500] (142 bytes) Feb 9 20:06:51 charon 71704 12[NET] <con-mobile|22> sending packet: from $HOME_IP[4500] to $WORK_IP[4500] (1248 bytes) Feb 9 20:06:51 charon 71704 12[IKE] <con-mobile|22> received retransmit of request with ID 1, retransmitting response Feb 9 20:06:51 charon 71704 12[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] Feb 9 20:06:51 charon 71704 
12[ENC] <con-mobile|22> received fragment #3 of 3, reassembled fragmented IKE message (1462 bytes) Feb 9 20:06:51 charon 71704 12[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ EF(3/3) ] Feb 9 20:06:51 charon 71704 12[NET] <con-mobile|22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (476 bytes) Feb 9 20:06:51 charon 71704 12[MGR] IKE_SA con-mobile[22] successfully checked out Feb 9 20:06:51 charon 71704 10[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:51 charon 71704 10[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:51 charon 71704 10[ENC] <con-mobile|22> received fragment #2 of 3, waiting for complete IKE message Feb 9 20:06:51 charon 71704 10[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ EF(2/3) ] Feb 9 20:06:51 charon 71704 12[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:51 charon 71704 10[NET] <con-mobile|22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (572 bytes) Feb 9 20:06:51 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:51 charon 71704 10[MGR] IKE_SA con-mobile[22] successfully checked out Feb 9 20:06:51 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:51 charon 71704 10[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:51 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:51 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:51 charon 71704 10[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:51 charon 71704 10[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:51 charon 71704 10[ENC] <con-mobile|22> received fragment #1 of 3, waiting for complete IKE message Feb 9 20:06:51 charon 71704 10[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ EF(1/3) ] Feb 9 20:06:51 charon 71704 10[NET] <con-mobile|22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (572 bytes) Feb 9 20:06:51 charon 
71704 10[MGR] IKE_SA con-mobile[22] successfully checked out Feb 9 20:06:51 charon 71704 10[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:51 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:51 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:50 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[4500] Feb 9 20:06:50 charon 71704 10[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:50 charon 71704 10[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:50 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[4500] Feb 9 20:06:50 charon 71704 10[NET] <con-mobile|22> sending packet: from $HOME_IP[4500] to $WORK_IP[4500] (142 bytes) Feb 9 20:06:50 charon 71704 10[NET] <con-mobile|22> sending packet: from $HOME_IP[4500] to $WORK_IP[4500] (1248 bytes) Feb 9 20:06:50 charon 71704 10[IKE] <con-mobile|22> received retransmit of request with ID 1, retransmitting response Feb 9 20:06:50 charon 71704 10[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] Feb 9 20:06:50 charon 71704 10[ENC] <con-mobile|22> received fragment #2 of 3, reassembled fragmented IKE message (1462 bytes) Feb 9 20:06:50 charon 71704 10[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ EF(2/3) ] Feb 9 20:06:50 charon 71704 10[NET] <con-mobile|22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (572 bytes) Feb 9 20:06:50 charon 71704 10[MGR] IKE_SA con-mobile[22] successfully checked out Feb 9 20:06:50 charon 71704 12[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:50 charon 71704 12[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:50 charon 71704 12[ENC] <con-mobile|22> received fragment #3 of 3, waiting for complete IKE message Feb 9 20:06:50 charon 71704 12[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ EF(3/3) ] Feb 9 20:06:50 charon 71704 
12[NET] <con-mobile|22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (476 bytes) Feb 9 20:06:50 charon 71704 12[MGR] IKE_SA con-mobile[22] successfully checked out Feb 9 20:06:50 charon 71704 11[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:50 charon 71704 11[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:50 charon 71704 11[ENC] <con-mobile|22> received fragment #1 of 3, waiting for complete IKE message Feb 9 20:06:50 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:50 charon 71704 11[ENC] <con-mobile|22> parsed IKE_AUTH request 1 [ EF(1/3) ] Feb 9 20:06:50 charon 71704 12[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:50 charon 71704 10[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:50 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:50 charon 71704 11[NET] <con-mobile|22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (572 bytes) Feb 9 20:06:50 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:50 charon 71704 11[MGR] IKE_SA con-mobile[22] successfully checked out Feb 9 20:06:50 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:50 charon 71704 11[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:50 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:50 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:50 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[4500] Feb 9 20:06:50 charon 71704 11[MGR] <con-mobile|22> checkin of IKE_SA successful Feb 9 20:06:50 charon 71704 11[MGR] <con-mobile|22> checkin IKE_SA con-mobile[22] Feb 9 20:06:50 charon 71704 02[NET] sending packet: from $HOME_IP[4500] to $WORK_IP[4500] Feb 9 20:06:50 charon 71704 11[NET] <con-mobile|22> sending packet: from $HOME_IP[4500] to $WORK_IP[4500] (142 
bytes) Feb 9 20:06:50 charon 71704 11[NET] <con-mobile|22> sending packet: from $HOME_IP[4500] to $WORK_IP[4500] (1248 bytes) Feb 9 20:06:50 charon 71704 11[ENC] <con-mobile|22> generating IKE_AUTH response 1 [ EF(2/2) ] Feb 9 20:06:50 charon 71704 11[ENC] <con-mobile|22> generating IKE_AUTH response 1 [ EF(1/2) ] Feb 9 20:06:50 charon 71704 11[ENC] <con-mobile|22> splitting IKE message (1325 bytes) into 2 fragments Feb 9 20:06:50 charon 71704 11[ENC] <con-mobile|22> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] Feb 9 20:06:50 charon 71704 11[IKE] <con-mobile|22> sending end entity cert "CN=$HOME_IP" Feb 9 20:06:50 charon 71704 11[IKE] <con-mobile|22> authentication of '$HOME_IP' (myself) with RSA signature successful Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> peer supports MOBIKE Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP6_SERVER attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP6_DNS attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP6_ADDRESS attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP4_SERVER attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP4_NBNS attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP4_DNS attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> processing INTERNAL_IP4_ADDRESS attribute Feb 9 20:06:49 charon 71704 11[IKE] <con-mobile|22> initiating EAP_IDENTITY method (id 0x00) Feb 9 20:06:49 charon 71704 11[CFG] <con-mobile|22> selected peer config 'con-mobile' Feb 9 20:06:49 charon 71704 11[CFG] <22> candidate "con-mobile", match: 1/1/1052 (me/other/ike) Feb 9 20:06:49 charon 71704 11[CFG] <22> looking for peer configs matching $HOME_IP[%any]...$WORK_IP[192.168.77.169] Feb 9 20:06:49 charon 71704 11[IKE] <22> received 58 cert requests for an unknown ca Feb 9 20:06:49 charon 71704 11[IKE] <22> received cert request 
for "CN=pfsense.local.lan" Feb 9 20:06:49 charon 71704 11[IKE] 
<22> received cert request for unknown ca with keyid 6a:47:a2:67:c9:2e:2f:19:68:8b:9b:86:61:66:95:ed:c1:2c:13:00 Feb 9 20:06:49 charon 71704 11[IKE] <22> received cert request for unknown ca with keyid 5c:b8:69:fe:8d:ef:c1:ed:66:27:ee:b2:12:0f:72:1b:b8:0a:0e:04 Feb 9 20:06:49 charon 71704 11[IKE] <22> received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d Feb 9 20:06:49 charon 71704 11[IKE] <22> received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15 Feb 9 20:06:49 charon 71704 11[IKE] <22> received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4 Feb 9 20:06:49 charon 71704 11[ENC] <22> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] Feb 9 20:06:49 charon 71704 11[ENC] <22> received fragment #2 of 3, reassembled fragmented IKE message (1462 bytes) Feb 9 20:06:49 charon 71704 11[ENC] <22> parsed IKE_AUTH request 1 [ EF(2/3) ] Feb 9 20:06:49 charon 71704 11[NET] <22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (572 bytes) Feb 9 20:06:49 charon 71704 11[MGR] IKE_SA (unnamed)[22] successfully checked out Feb 9 20:06:49 charon 71704 10[MGR] <22> checkin of IKE_SA successful Feb 9 20:06:49 charon 71704 10[MGR] <22> checkin IKE_SA (unnamed)[22] Feb 9 20:06:49 charon 71704 10[ENC] <22> received fragment #3 of 3, waiting for complete IKE message Feb 9 20:06:49 charon 71704 10[ENC] <22> parsed IKE_AUTH request 1 [ EF(3/3) ] Feb 9 20:06:49 charon 71704 10[NET] <22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (476 bytes) Feb 9 20:06:49 charon 71704 10[MGR] IKE_SA (unnamed)[22] successfully checked out Feb 9 20:06:49 charon 71704 12[MGR] <22> checkin of IKE_SA successful Feb 9 20:06:49 charon 71704 12[MGR] <22> checkin IKE_SA (unnamed)[22] Feb 9 20:06:49 charon 71704 12[ENC] <22> received fragment #1 of 3, waiting for complete IKE message Feb 9 
20:06:49 charon 71704 12[ENC] <22> parsed IKE_AUTH request 1 [ EF(1/3) ] Feb 9 20:06:49 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:49 charon 71704 10[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:49 charon 71704 12[NET] <22> received packet: from $WORK_IP[4500] to $HOME_IP[4500] (572 bytes) Feb 9 20:06:49 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:49 charon 71704 11[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:49 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:49 charon 71704 12[MGR] IKE_SA (unnamed)[22] successfully checked out Feb 9 20:06:49 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:49 charon 71704 12[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i c1dec6d4df43d766_r Feb 9 20:06:49 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:49 charon 71704 01[NET] received packet: from $WORK_IP[4500] to $HOME_IP[4500] Feb 9 20:06:49 charon 71704 12[MGR] <22> checkin of IKE_SA successful Feb 9 20:06:49 charon 71704 12[MGR] <22> checkin IKE_SA (unnamed)[22] Feb 9 20:06:49 charon 71704 02[NET] sending packet: from $HOME_IP[500] to $WORK_IP[500] Feb 9 20:06:49 charon 71704 12[NET] <22> sending packet: from $HOME_IP[500] to $WORK_IP[500] (313 bytes) Feb 9 20:06:49 charon 71704 12[ENC] <22> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ] Feb 9 20:06:49 charon 71704 12[IKE] <22> sending cert request for "CN=pfsense.local.lan" Feb 9 20:06:49 charon 71704 12[IKE] <22> remote host is behind NAT Feb 9 20:06:49 charon 71704 12[CFG] <22> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Feb 9 20:06:49 charon 71704 12[CFG] <22> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Feb 9 20:06:49 
charon 71704 12[CFG] <22> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Feb 9 20:06:49 charon 71704 12[CFG] <22> proposal matches Feb 9 20:06:49 charon 71704 12[CFG] <22> selecting proposal: Feb 9 20:06:49 charon 71704 12[IKE] <22> IKE_SA (unnamed)[22] state change: CREATED => CONNECTING Feb 9 20:06:49 charon 71704 12[IKE] <22> $WORK_IP is initiating an IKE_SA Feb 9 20:06:49 charon 71704 12[ENC] <22> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02 Feb 9 20:06:49 charon 71704 12[IKE] <22> received Vid-Initial-Contact vendor ID Feb 9 20:06:49 charon 71704 12[IKE] <22> received MS-Negotiation Discovery Capable vendor ID Feb 9 20:06:49 charon 71704 12[IKE] <22> received MS NT5 ISAKMPOAKLEY v9 vendor ID Feb 9 20:06:49 charon 71704 12[CFG] <22> found matching ike config: $HOME_IP...0.0.0.0/0, ::/0 with prio 1052 Feb 9 20:06:49 charon 71704 12[CFG] <22> candidate: $HOME_IP...0.0.0.0/0, ::/0, prio 1052 Feb 9 20:06:49 charon 71704 12[CFG] <22> looking for an IKEv2 config for $HOME_IP...$WORK_IP Feb 9 20:06:49 charon 71704 12[ENC] <22> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ] Feb 9 20:06:49 charon 71704 12[NET] <22> received packet: from $WORK_IP[500] to $HOME_IP[500] (376 bytes) Feb 9 20:06:49 charon 71704 12[MGR] created IKE_SA (unnamed)[22] Feb 9 20:06:49 charon 71704 12[MGR] checkout IKEv2 SA by message with SPIs 5ee9fe8f57c94e02_i 0000000000000000_r Feb 9 20:06:49 charon 71704 01[NET] waiting for data on sockets Feb 9 20:06:49 charon 71704 01[NET] received packet: from $WORK_IP[500] to $HOME_IP[500]
-
@brswattt said in IKEv2 IPSEC VPN - Randomly stopped working:
> @mamawe What is the benefit with and without? I'm not sure if I do need it exactly, I just want the client to connect after the lifetime expires, that's all.
The benefit depends on what your situation is.
Basically rekeying means replacing only the session keys while reauthentication means tearing down the IKE session and creating a new one from scratch. With IKEv2, rekeying can be done for Child SAs (ESP) as well as for the IKE SAs (IKE itself) by exchanging CREATE_CHILD_SA messages. IKEv1 supports only reauthentication of the IKE SA.
I personally haven't been in a situation where I needed reauthentication with IKEv2.
This page from the strongSwan Wiki may explain the topic better than I can.
-
@mamawe Regarding rekeying, if you follow the link to interoperability issues with Windows on the strongSwan Wiki page, you can find that, at least with Windows 7 clients, rekeying of the IKE SA only works with DH group modp1024.
I don't know if that applies to your client.
-
@mamawe it's a Windows 10 machine. Definitely a Windows issue as my Android phone had no problem rekeying both phases.
-
@brswattt Looks like that bug reaches out to Windows 10 as well. I triggered a manual rekey with these algorithm settings (Windows default), and I can rekey just fine.
Go back to this: and rekey fails 100% of the time.
I don't understand how in 2022 Windows 10 is still forcing you to use less secure parameters.
Even setting the Group to DH2 with the AESGCM256, it still doesn't work, so I'm forced to use AES/SHA1/DH2 which isn't secure at all. Thanks Microsoft. That algorithm works on Android though. Very stupid.
-
I added/changed it to AES/SHA256/DH14 in my router and client settings and rekey works! Way better than SHA1/DH2. I can live with this.
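-
Added example (not part of any post in this thread, and not pfSense or strongSwan code): a small Python audit of charon [CFG] lines that reports which configured, received or selected proposals still contain SHA-1 or DH group 2 (MODP_1024) style transforms. The WEAK set and the last sample log line are assumptions of this example; the other sample lines are copied from the log posted above.

```python
import re

# Constructed sample: the first four lines are copied from the log earlier in
# this thread; the last line is a made-up AES/SHA1/DH2 negotiation.
SAMPLE_LOG = """\
Feb 9 20:06:49 charon 71704 12[CFG] <22> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Feb 9 20:06:49 charon 71704 12[CFG] <22> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 9 20:06:49 charon 71704 12[CFG] <22> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Feb 9 20:06:49 charon 71704 12[CFG] <22> selecting proposal:
Feb 9 21:00:00 charon 71704 08[CFG] <con-mobile|30> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# Transforms this example treats as weak (an assumption, not a strongSwan
# list): SHA-1/MD5 integrity and PRF, DES/3DES, and MODP groups below 2048 bit.
WEAK = {"HMAC_SHA1_96", "PRF_HMAC_SHA1", "HMAC_MD5_96", "PRF_HMAC_MD5",
        "DES_CBC", "3DES_CBC", "MODP_768", "MODP_1024", "MODP_1536"}

PROPOSAL_LINE = re.compile(
    r"\[CFG\] (?:<[^>]*> )?"
    r"(configured proposals|received proposals|selected proposal): (\S.*)$")

def parse_proposals(text):
    """'IKE:A/B/C, ESP:D/E' -> [('IKE', ['A', 'B', 'C']), ('ESP', ['D', 'E'])]."""
    result = []
    for item in text.split(","):
        proto, _, transforms = item.strip().partition(":")
        result.append((proto, transforms.split("/")))
    return result

def audit(log_text):
    """Return proposals containing weak transforms, grouped by log line kind."""
    findings = {"configured proposals": [], "received proposals": [],
                "selected proposal": []}
    for line in log_text.splitlines():
        match = PROPOSAL_LINE.search(line)
        if not match:
            continue  # also skips the empty "selecting proposal:" marker line
        kind, text = match.groups()
        for proto, transforms in parse_proposals(text):
            weak = sorted(t for t in transforms if t in WEAK)
            if weak:
                findings[kind].append((proto, "/".join(transforms), weak))
    return findings

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        for proto, proposal, weak in hits:
            print(f"{kind}: {proto}:{proposal} -> weak: {', '.join(weak)}")
```

A hit under "configured proposals" means the gateway still offers the weak suite as a fallback even when a session negotiated a strong one; a hit under "selected proposal" means a session actually used it.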