Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC - Clients can't connect to VPN.

    Scheduled Pinned Locked Moved
    IPsec
    1
    1
    174
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Puzzled-Champ
      last edited by

      I have had issues with Configuring VPN server on Firewall, I was hoping someone can help me.
      My environment is configured as the following:

      • Windows server 2022(with AD,DHCP,DNS, NPS)
      • Pfsense Firewall (suppose the add of 192.168.78.1) (Configured a Radius server for Authentication. No issues with certificates, firewall rules or anything, I even disabled Firewall on both the client PC and the WIN Server).

      Below there is one log in IPSEC logs that I need a help with:

      • Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory

      Check the Full IPSEC (VPN Server) logs Here:

      • Jan 13 14:20:35 charon 63599 00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, FreeBSD 14.0-CURRENT, amd64)
      • Jan 13 14:20:35 charon 63599 00[CFG] PKCS11 module '<name>' lacks library path
      • Jan 13 14:20:35 charon 63599 00[LIB] providers loaded by OpenSSL: legacy default
      • Jan 13 14:20:35 charon 63599 00[CFG] loaded attribute INTERNAL_IP4_DNS: c0:a8:0d:0e
      • Jan 13 14:20:35 charon 63599 00[CFG] loaded attribute (27674): xx:xx:xx:xx:xx:xx:xx:xx:xx
      • Jan 13 14:20:35 charon 63599 00[CFG] using '/sbin/resolvconf' to install DNS servers
      • Jan 13 14:20:35 charon 63599 00[KNL] unable to set UDP_ENCAP: Invalid argument
      • Jan 13 14:20:35 charon 63599 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
      • Jan 13 14:20:35 charon 63599 00[CFG] loaded 1 RADIUS server configuration
      • Jan 13 14:20:35 charon 63599 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
      • Jan 13 14:20:35 charon 63599 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
      • Jan 13 14:20:35 charon 63599 00[CFG] ipseckey plugin is disabled
      • Jan 13 14:20:35 charon 63599 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
      • Jan 13 14:20:35 charon 63599 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
      • Jan 13 14:20:35 charon 63599 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
      • Jan 13 14:20:35 charon 63599 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
      • Jan 13 14:20:35 charon 63599 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
      • Jan 13 14:20:35 charon 63599 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
      • Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
      • Jan 13 14:20:35 charon 63599 00[LIB] loaded plugins: charon eap-radius unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey ipseckey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
      • Jan 13 14:20:35 charon 63599 00[JOB] spawning 16 worker threads
      • Jan 13 14:20:36 charon 63599 05[CFG] vici client 1 connected
      • Jan 13 14:20:36 charon 63599 05[CFG] vici client 1 requests: get-keys
      • Jan 13 14:20:36 charon 63599 16[CFG] vici client 1 requests: get-shared
      • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-cert
      • Jan 13 14:20:36 charon 63599 15[CFG] loaded certificate 'C=country, ST=State, L=Toronto, O= company, OU= department, CN= firewall-hostname'
      • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-cert
      • Jan 13 14:20:36 charon 63599 15[CFG] loaded certificate 'DC=com, DC=ACME, CN=ACME-ACME-CA'
      • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-key
      • Jan 13 14:20:36 charon 63599 15[CFG] loaded ANY private key
      • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: get-authorities
      • Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: get-pools
      • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-pool
      • Jan 13 14:20:36 charon 63599 15[CFG] added vici pool mobile-pool-v4: 10.9.9.0, 254 entries
      • Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: get-conns
      • Jan 13 14:20:36 charon 63599 13[CFG] vici client 1 requests: load-conn
      • Jan 13 14:20:36 charon 63599 13[CFG] conn bypass:
      • Jan 13 14:20:36 charon 63599 13[CFG] child bypasslan:
      • Jan 13 14:20:36 charon 63599 13[CFG] rekey_time = 3600
      • Jan 13 14:20:36 charon 63599 13[CFG] life_time = 3960
      • Jan 13 14:20:36 charon 63599 13[CFG] rand_time = 360
      • Jan 13 14:20:36 charon 63599 13[CFG] rekey_bytes = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] life_bytes = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] rand_bytes = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] rekey_packets = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] life_packets = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] rand_packets = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] updown = (null)
      • Jan 13 14:20:36 charon 63599 13[CFG] hostaccess = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] ipcomp = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] mode = PASS
      • Jan 13 14:20:36 charon 63599 13[CFG] policies = 1
      • Jan 13 14:20:36 charon 63599 13[CFG] policies_fwd_out = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] dpd_action = none
      • Jan 13 14:20:36 charon 63599 13[CFG] start_action = trap
      • Jan 13 14:20:36 charon 63599 13[CFG] close_action = none
      • Jan 13 14:20:36 charon 63599 13[CFG] reqid = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] tfc = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] priority = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] interface = (null)
      • Jan 13 14:20:36 charon 63599 13[CFG] if_id_in = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] if_id_out = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] mark_in = 0/0
      • Jan 13 14:20:36 charon 63599 13[CFG] mark_in_sa = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] mark_out = 0/0
      • Jan 13 14:20:36 charon 63599 13[CFG] set_mark_in = 0/0
      • Jan 13 14:20:36 charon 63599 13[CFG] set_mark_out = 0/0
      • Jan 13 14:20:36 charon 63599 13[CFG] label = (null)
      • Jan 13 14:20:36 charon 63599 13[CFG] label_mode = system
      • Jan 13 14:20:36 charon 63599 13[CFG] inactivity = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
      • Jan 13 14:20:36 charon 63599 13[CFG] local_ts = 192.168.78.1/27|/0
      • Jan 13 14:20:36 charon 63599 13[CFG] remote_ts = 192.168.78.0/27|/0
      • Jan 13 14:20:36 charon 63599 13[CFG] hw_offload = no
      • Jan 13 14:20:36 charon 63599 13[CFG] sha256_96 = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] copy_df = 1
      • Jan 13 14:20:36 charon 63599 13[CFG] copy_ecn = 1
      • Jan 13 14:20:36 charon 63599 13[CFG] copy_dscp = out
      • Jan 13 14:20:36 charon 63599 13[CFG] version = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] local_addrs = %any
      • Jan 13 14:20:36 charon 63599 13[CFG] remote_addrs = 127.0.0.1
      • Jan 13 14:20:36 charon 63599 13[CFG] local_port = 500
      • Jan 13 14:20:36 charon 63599 13[CFG] remote_port = 500
      • Jan 13 14:20:36 charon 63599 13[CFG] send_certreq = 1
      • Jan 13 14:20:36 charon 63599 13[CFG] send_cert = CERT_SEND_IF_ASKED
      • Jan 13 14:20:36 charon 63599 13[CFG] ppk_id = (null)
      • Jan 13 14:20:36 charon 63599 13[CFG] ppk_required = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] mobike = 1
      • Jan 13 14:20:36 charon 63599 13[CFG] aggressive = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] dscp = 0x00
      • Jan 13 14:20:36 charon 63599 13[CFG] encap = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] dpd_delay = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] dpd_timeout = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] fragmentation = 2
      • Jan 13 14:20:36 charon 63599 13[CFG] childless = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] unique = UNIQUE_NO
      • Jan 13 14:20:36 charon 63599 13[CFG] keyingtries = 1
      • Jan 13 14:20:36 charon 63599 13[CFG] reauth_time = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] rekey_time = 14400
      • Jan 13 14:20:36 charon 63599 13[CFG] over_time = 1440
      • Jan 13 14:20:36 charon 63599 13[CFG] rand_time = 1440
      • Jan 13 14:20:36 charon 63599 13[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      • Jan 13 14:20:36 charon 63599 13[CFG] if_id_in = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] if_id_out = 0
      • Jan 13 14:20:36 charon 63599 13[CFG] local:
      • Jan 13 14:20:36 charon 63599 13[CFG] remote:
      • Jan 13 14:20:36 charon 63599 13[CFG] added vici connection: bypass
      • Jan 13 14:20:36 charon 63599 13[CFG] installing 'bypasslan'
      • Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: load-conn
      • Jan 13 14:20:36 charon 63599 14[CFG] conn con-mobile:
      • Jan 13 14:20:36 charon 63599 14[CFG] child con-mobile:
      • Jan 13 14:20:36 charon 63599 14[CFG] rekey_time = 3240
      • Jan 13 14:20:36 charon 63599 14[CFG] life_time = 3600
      • Jan 13 14:20:36 charon 63599 14[CFG] rand_time = 360
      • Jan 13 14:20:36 charon 63599 14[CFG] rekey_bytes = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] life_bytes = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] rand_bytes = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] rekey_packets = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] life_packets = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] rand_packets = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] updown = (null)
      • Jan 13 14:20:36 charon 63599 14[CFG] hostaccess = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] ipcomp = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] mode = TUNNEL
      • Jan 13 14:20:36 charon 63599 14[CFG] policies = 1
      • Jan 13 14:20:36 charon 63599 14[CFG] policies_fwd_out = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] dpd_action = none
      • Jan 13 14:20:36 charon 63599 14[CFG] start_action = none
      • Jan 13 14:20:36 charon 63599 14[CFG] close_action = none
      • Jan 13 14:20:36 charon 63599 14[CFG] reqid = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] tfc = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] priority = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] interface = (null)
      • Jan 13 14:20:36 charon 63599 14[CFG] if_id_in = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] if_id_out = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] mark_in = 0/0
      • Jan 13 14:20:36 charon 63599 14[CFG] mark_in_sa = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] mark_out = 0/0
      • Jan 13 14:20:36 charon 63599 14[CFG] set_mark_in = 0/0
      • Jan 13 14:20:36 charon 63599 14[CFG] set_mark_out = 0/0
      • Jan 13 14:20:36 charon 63599 14[CFG] label = (null)
      • Jan 13 14:20:36 charon 63599 14[CFG] label_mode = system
      • Jan 13 14:20:36 charon 63599 14[CFG] inactivity = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] proposals = ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      • Jan 13 14:20:36 charon 63599 14[CFG] local_ts = 192.168.78.0/27|/0
      • Jan 13 14:20:36 charon 63599 14[CFG] remote_ts = dynamic
      • Jan 13 14:20:36 charon 63599 14[CFG] hw_offload = no
      • Jan 13 14:20:36 charon 63599 14[CFG] sha256_96 = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] copy_df = 1
      • Jan 13 14:20:36 charon 63599 14[CFG] copy_ecn = 1
      • Jan 13 14:20:36 charon 63599 14[CFG] copy_dscp = out
      • Jan 13 14:20:36 charon 63599 14[CFG] version = 2
      • Jan 13 14:20:36 charon 63599 14[CFG] local_addrs = 10.0.2.3
      • Jan 13 14:20:36 charon 63599 14[CFG] remote_addrs = 0.0.0.0/0, ::/0
      • Jan 13 14:20:36 charon 63599 14[CFG] local_port = 500
      • Jan 13 14:20:36 charon 63599 14[CFG] remote_port = 500
      • Jan 13 14:20:36 charon 63599 14[CFG] send_certreq = 1
      • Jan 13 14:20:36 charon 63599 14[CFG] send_cert = CERT_ALWAYS_SEND
      • Jan 13 14:20:36 charon 63599 14[CFG] ppk_id = (null)
      • Jan 13 14:20:36 charon 63599 14[CFG] ppk_required = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] mobike = 1
      • Jan 13 14:20:36 charon 63599 14[CFG] aggressive = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] dscp = 0x00
      • Jan 13 14:20:36 charon 63599 14[CFG] encap = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] dpd_delay = 10
      • Jan 13 14:20:36 charon 63599 14[CFG] dpd_timeout = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] fragmentation = 2
      • Jan 13 14:20:36 charon 63599 14[CFG] childless = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] unique = UNIQUE_REPLACE
      • Jan 13 14:20:36 charon 63599 14[CFG] keyingtries = 1
      • Jan 13 14:20:36 charon 63599 14[CFG] reauth_time = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] rekey_time = 25920
      • Jan 13 14:20:36 charon 63599 14[CFG] over_time = 2880
      • Jan 13 14:20:36 charon 63599 14[CFG] rand_time = 2880
      • Jan 13 14:20:36 charon 63599 14[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      • Jan 13 14:20:36 charon 63599 14[CFG] if_id_in = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] if_id_out = 0
      • Jan 13 14:20:36 charon 63599 14[CFG] local:
      • Jan 13 14:20:36 charon 63599 14[CFG] class = public key
      • Jan 13 14:20:36 charon 63599 14[CFG] id = 192.168.78.1
      • Jan 13 14:20:36 charon 63599 14[CFG] cert = C=country, ST=State, L=City, O=Company, OU= department, CN= firewall-hostname
      • Jan 13 14:20:36 charon 63599 14[CFG] remote:
      • Jan 13 14:20:36 charon 63599 14[CFG] eap-type = EAP_RADIUS
      • Jan 13 14:20:36 charon 63599 14[CFG] class = EAP
      • Jan 13 14:20:36 charon 63599 14[CFG] eap_id = %any
      • Jan 13 14:20:36 charon 63599 14[CFG] id = %any
      • Jan 13 14:20:36 charon 63599 14[CFG] added vici connection: con-mobile
      • Jan 13 14:20:36 charon 63599 13[CFG] vici client 1 disconnected.

      Client PC logs :

      • CoId={C4824F1F-4615-0000-E017-84C41546DA01}: The user ACME-PC-002\Me dialed a connection named ACME which has failed. The error code returned on failure is 809.

      Thanks in Advance!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post