How to configure IKev2+radius authentication
-
Hello, please understand my poor English.
https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
https://www.netgate.com/docs/pfsense/vpn/ipsec/ikev2-with-eap-radius.html
I have tried two links and failed.
I'm looking for a way to access it through a user/password.
EAP-MD5 seems to be connecting, but it's not easy.
I know security is not good.
Please refer me to a guide. -
What part of the linked documents failed? EAP-MSCHAPv2 is the "user/password" way, and still works.
Depending on your client operating systems you might need to add more P1/P2 encryption options to match what they expect, but the server setup described on that page is still accurate and working.
EDIT: Also, if English is not your first language, you might have more luck in one of our international forum categories if there is one that matches your native language.
-
I only set up EAP-RADIUS authentication without creating a client dictionary share key. Is there a problem?
-
Create a Certificate Authority
CAs
Descriptive name = IKEv2VPNca
Method = Creat an internal Certificate Authority
Key length (bits) = 2048
Digest Algorithm = sha 256
Lifetime (days) = 3650
Common Name = IKEv2CA
Country Code = KR
State or Province = SEOUL
City = SEOUL
Organization = UVPN
Organizational Unit = UVPNCertificates
Method = Creat an internal Certificate Authority
Descriptive name = IKEV2VPN Certificate
Certificate authority = IKEv2VPNca
Key length (bits) = 2048
Digest Algorithm = sha 256
Lifetime (days) = 3650
Common Name = uvpn5.serveirc.com
Country Code = KR
State or Province = SEOUL
City = SEOUL
Organization = UVPN
Organizational Unit = UVPN
Certificate Type = Server Certificate
Alternative Names = FQDN or Hostname , uvpn5.serveirc.com
IPaddress , 2xx.1xx.1xx.2xxUser Manager
Authentication serversDescriptive name = Radius
Type = RADIUS
Protocol = MS-CHAPv2
Hostname or IP address = 192.168.1.1
Shared Secret = uvpnuvpn
Services offered = Authentication
Authentication port = 1812
Accounting port = 1813
RADIUS NAS IP Attribute = WAN โ 2xx.1xx.1xx.2xxFreeRADIUS(Packge FreeRADIUS)
InterfacesInterface IP Address = 192.168.1.1
Port = 1812
Interface Type = Authentication
IP Version = IPv4NAS/Clients
Client IP Address = 192.168.1.1
Client IP Version = IPv4
Client Shortname = UVPN
Client Shared Secret = uvpnuvpnUsers
Username = user
Password = PasswordIPsec
Mobile Clients
Enable IPsec Mobile Client Support = Check
User Authentication = Radius
Provide a virtual IP address to clients = Check
70.70.70.1/24
Provide a list of accessible networks to clients = CheckTunnels
Phase1
Key Exchange version = IKEv2
Internet Protocol =ipv4
Interface = WAN
Authentication Method = EAP-RADIUS
My identifier = uvpn5.serveirc.com
Peer identifier = any
My Certificate = IKEV2 Certificates
Encryption Algorithm = 3Des
Hash = SHA1
DH Key group = 2(1024bit)Phase2
Mode = Tunnel IPv4
Local Network = network 0.0.0.0/0
Protocol = ESP
Encryption Algorithms = AES Auto
3Des
Hash Algorithms = sha1,sha256
PFS key group = offFirewall Rules
IPsec
Action = Pass
Interface = IPsec
Address Family = IPv4
Protocol = any
Source = any
Destination = anyThis is my Pfsense setup situation.
Are there any missing settings? -
Oct 30 16:21:31 charon 12[NET] <1> received packet: from 1xx.2xx.2xx.3x[7310] to 2xx.1xx.1xx.2xx[500] (604 bytes) Oct 30 16:21:31 charon 12[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 16:21:31 charon 12[CFG] <1> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.3x Oct 30 16:21:31 charon 12[CFG] <1> candidate: %any...%any, prio 24 Oct 30 16:21:31 charon 12[CFG] <1> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 16:21:31 charon 12[CFG] <1> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 16:21:31 charon 12[IKE] <1> 1xx.2xx.2xx.3x is initiating an IKE_SA Oct 30 16:21:31 charon 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING Oct 30 16:21:31 charon 12[CFG] <1> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <1> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <1> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <1> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <1> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <1> proposal matches Oct 30 16:21:31 charon 12[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 16:21:31 charon 12[CFG] <1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 16:21:31 charon 12[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 16:21:31 charon 12[IKE] <1> remote host is behind NAT Oct 30 16:21:31 charon 12[IKE] <1> DH group MODP_2048 inacceptable, requesting MODP_1024 Oct 30 16:21:31 charon 12[ENC] <1> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] Oct 30 16:21:31 charon 12[NET] <1> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.3x[7310] (38 bytes) Oct 30 16:21:31 charon 12[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING Oct 30 16:21:31 charon 12[NET] <2> received packet: from 111.2xx.2xx.3x[7310] to 2xx.1xx.1xx.2xx[500] (476 bytes) Oct 30 16:21:31 charon 12[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 16:21:31 charon 12[CFG] <2> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.3x Oct 30 16:21:31 charon 12[CFG] <2> candidate: %any...%any, prio 24 Oct 30 16:21:31 charon 12[CFG] <2> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 16:21:31 charon 12[CFG] <2> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 16:21:31 charon 12[IKE] <2> 1xx.2xx.2xx.3x is initiating an IKE_SA Oct 30 16:21:31 charon 12[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING Oct 30 16:21:31 charon 12[CFG] <2> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <2> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <2> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <2> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found Oct 30 16:21:31 charon 12[CFG] <2> selecting proposal: Oct 30 16:21:31 charon 12[CFG] <2> proposal matches Oct 30 16:21:31 charon 12[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 16:21:31 charon 12[CFG] <2> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 16:21:31 charon 12[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 16:21:31 charon 12[IKE] <2> remote host is behind NAT Oct 30 16:21:31 charon 12[IKE] <2> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" Oct 30 16:21:31 charon 12[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] Oct 30 16:21:31 charon 12[NET] <2> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.3x[7310] (341 bytes) Oct 30 16:21:31 charon 12[NET] <2> received packet: from 1xx.2xx.2xx.3x[8756] to 2xx.1xx.1xx.2xx[4500] (484 bytes) Oct 30 16:21:31 charon 12[ENC] <2> unknown attribute type (25) Oct 30 16:21:31 charon 12[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] Oct 30 16:21:31 charon 12[CFG] <2> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.3x[192.168.199.146] Oct 30 16:21:31 charon 12[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike) Oct 30 16:21:31 charon 12[CFG] <bypasslan|2> selected peer config 'bypasslan' Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> peer requested EAP, config inacceptable Oct 30 16:21:31 charon 12[CFG] <bypasslan|2> no alternative config found Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP4_ADDRESS attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP4_DHCP attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP4_DNS attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP4_NETMASK attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP6_ADDRESS attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP6_DHCP attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing INTERNAL_IP6_DNS attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> processing (25) attribute Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> peer supports MOBIKE Oct 30 16:21:31 charon 12[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Oct 30 16:21:31 charon 12[NET] <bypasslan|2> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.3x[8756] (68 bytes) Oct 30 16:21:31 charon 12[IKE] <bypasslan|2> IKE_SA bypasslan[2] state change: CONNECTING => DESTROYINGAccess to the iPhone failed log.
-
From the logs it looks like your client Phase 1 settings don't match up. The client is asking for some settings that don't quite line up with what you have set.
In your P1 settings, in addition to what you have set for the P1 encryption, also set rows for:
- AES, 256 bits, SHA256, DH Group 14
- AES, 256 bits, SHA256, DH Group 28
- AES, 256 bits, SHA256, DH Group 5
- AES, 128 bits, SHA1, DH Group 2
Then see if it gets farther along in the process.
-
Thank you for your answer. However, authentication fails.
-
What is in the logs now? The previous logs showed it was not reaching the authentication stage, it was failing before then.
-
AES, 256 bits, SHA256, DH Group 14 Log
Oct 30 22:30:19 charon 10[NET] <33> received packet: from 1xx.2xx.2xx.4[31066] to 2xx.1xx.1xx.2xx[500] (604 bytes) Oct 30 22:30:19 charon 10[ENC] <33> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:30:19 charon 10[CFG] <33> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:30:19 charon 10[CFG] <33> candidate: %any...%any, prio 24 Oct 30 22:30:19 charon 10[CFG] <33> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 22:30:19 charon 10[CFG] <33> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:30:19 charon 10[IKE] <33> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:30:19 charon 10[IKE] <33> IKE_SA (unnamed)[33] state change: CREATED => CONNECTING Oct 30 22:30:19 charon 10[CFG] <33> selecting proposal: Oct 30 22:30:19 charon 10[CFG] <33> proposal matches Oct 30 22:30:19 charon 10[CFG] <33> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:30:19 charon 10[CFG] <33> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 Oct 30 22:30:19 charon 10[CFG] <33> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 Oct 30 22:30:19 charon 10[IKE] <33> remote host is behind NAT Oct 30 22:30:19 charon 10[IKE] <33> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" Oct 30 22:30:19 charon 10[ENC] <33> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] Oct 30 22:30:19 charon 10[NET] <33> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31066] (473 bytes) Oct 30 22:30:19 charon 10[NET] <33> received packet: from 1xx.2xx.2xx.4[5286] to 2xx.1xx.1xx.2xx[4500] (496 bytes) Oct 30 22:30:19 charon 10[ENC] <33> unknown attribute type (25) Oct 30 22:30:19 charon 10[ENC] <33> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] Oct 30 22:30:19 charon 10[CFG] <33> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.4[10.39.158.223] Oct 30 22:30:19 charon 10[CFG] <33> candidate "bypasslan", match: 1/1/24 (me/other/ike) Oct 30 22:30:19 charon 10[CFG] <bypasslan|33> selected peer config 'bypasslan' Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> peer requested EAP, config inacceptable Oct 30 22:30:19 charon 10[CFG] <bypasslan|33> no alternative config found Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP4_ADDRESS attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP4_DHCP attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP4_DNS attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP4_NETMASK attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP6_ADDRESS attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP6_DHCP attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing INTERNAL_IP6_DNS attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> processing (25) attribute Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> peer supports MOBIKE Oct 30 22:30:19 charon 10[ENC] <bypasslan|33> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Oct 30 22:30:19 charon 10[NET] <bypasslan|33> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.4[5286] (80 bytes) Oct 30 22:30:19 charon 10[IKE] <bypasslan|33> IKE_SA bypasslan[33] state change: CONNECTING => DESTROYINGAES, 256 bits, SHA256, DH Group 28
Oct 30 22:32:59 charon 08[CFG] rereading secrets Oct 30 22:32:59 charon 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets' Oct 30 22:32:59 charon 08[CFG] loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key' Oct 30 22:32:59 charon 08[CFG] loaded EAP secret for xxxxxx87@gmail.com Oct 30 22:32:59 charon 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts' Oct 30 22:32:59 charon 08[CFG] loaded ca certificate "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" from '/usr/local/etc/ipsec.d/cacerts/3c718073.0.crt' Oct 30 22:32:59 charon 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts' Oct 30 22:32:59 charon 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts' Oct 30 22:32:59 charon 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts' Oct 30 22:32:59 charon 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls' Oct 30 22:32:59 charon 08[CFG] received stroke: unroute 'bypasslan' Oct 30 22:32:59 charon 08[CFG] proposing traffic selectors for us: Oct 30 22:32:59 charon 08[CFG] 192.168.1.0/24|/0 Oct 30 22:32:59 charon 08[CFG] proposing traffic selectors for other: Oct 30 22:32:59 charon 08[CFG] 192.168.1.0/24|/0 Oct 30 22:32:59 ipsec_starter 23387 shunt policy 'bypasslan' uninstalled Oct 30 22:32:59 charon 05[CFG] received stroke: delete connection 'bypasslan' Oct 30 22:32:59 charon 05[CFG] deleted connection 'bypasslan' Oct 30 22:32:59 charon 07[CFG] received stroke: delete connection 'con-mobile' Oct 30 22:32:59 charon 07[CFG] deleted connection 'con-mobile' Oct 30 22:32:59 charon 05[CFG] received stroke: add connection 'bypasslan' Oct 30 22:32:59 charon 05[CFG] conn bypasslan Oct 30 22:32:59 charon 05[CFG] left=%any Oct 30 22:32:59 charon 05[CFG] leftsubnet=192.168.1.0/24 Oct 30 22:32:59 charon 05[CFG] right=%any Oct 30 22:32:59 charon 05[CFG] rightsubnet=192.168.1.0/24 Oct 30 22:32:59 charon 05[CFG] dpddelay=30 Oct 30 22:32:59 charon 05[CFG] dpdtimeout=150 Oct 30 22:32:59 charon 05[CFG] sha256_96=no Oct 30 22:32:59 charon 05[CFG] mediation=no Oct 30 22:32:59 charon 05[CFG] added configuration 'bypasslan' Oct 30 22:32:59 charon 07[CFG] received stroke: route 'bypasslan' Oct 30 22:32:59 charon 07[CFG] proposing traffic selectors for us: Oct 30 22:32:59 charon 07[CFG] 192.168.1.0/24|/0 Oct 30 22:32:59 charon 07[CFG] proposing traffic selectors for other: Oct 30 22:32:59 charon 07[CFG] 192.168.1.0/24|/0 Oct 30 22:32:59 ipsec_starter 23387 'bypasslan' shunt PASS policy installed Oct 30 22:32:59 charon 05[CFG] received stroke: add connection 'con-mobile' Oct 30 22:32:59 charon 05[CFG] conn con-mobile Oct 30 22:32:59 charon 05[CFG] left=2xx.1xx.1xx.2xx Oct 30 22:32:59 charon 05[CFG] leftsubnet=0.0.0.0/0 Oct 30 22:32:59 charon 05[CFG] leftauth=pubkey Oct 30 22:32:59 charon 05[CFG] leftid=fqdn:uvpn5.serveirc.com Oct 30 22:32:59 charon 05[CFG] leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt Oct 30 22:32:59 charon 05[CFG] right=%any Oct 30 22:32:59 charon 05[CFG] rightsourceip=70.70.70.1/24 Oct 30 22:32:59 charon 05[CFG] rightauth=eap-mschapv2 Oct 30 22:32:59 charon 05[CFG] eap_identity=%any Oct 30 22:32:59 charon 05[CFG] ike=aes256-sha256-ecp256bp! Oct 30 22:32:59 charon 05[CFG] esp=aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,3des-sha1,3des-sha256! Oct 30 22:32:59 charon 05[CFG] dpddelay=10 Oct 30 22:32:59 charon 05[CFG] dpdtimeout=60 Oct 30 22:32:59 charon 05[CFG] dpdaction=1 Oct 30 22:32:59 charon 05[CFG] sha256_96=no Oct 30 22:32:59 charon 05[CFG] mediation=no Oct 30 22:32:59 charon 05[CFG] keyexchange=ikev2 Oct 30 22:32:59 charon 05[CFG] reusing virtual IP address pool 70.70.70.1/24 Oct 30 22:32:59 charon 05[CFG] loaded certificate "CN=uvpn5.serveirc.com, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt' Oct 30 22:32:59 charon 05[CFG] added configuration 'con-mobile' Oct 30 22:32:59 charon 07[NET] <34> received packet: from 1xx.2xx.2xx.4[31067] to 2xx.1xx.1xx.2xx[500] (604 bytes) Oct 30 22:32:59 charon 07[ENC] <34> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:32:59 charon 07[CFG] <34> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:32:59 charon 07[CFG] <34> candidate: %any...%any, prio 24 Oct 30 22:32:59 charon 07[CFG] <34> candidate: 222.108.111.245...%any, prio 1052 Oct 30 22:32:59 charon 07[CFG] <34> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:32:59 charon 07[IKE] <34> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:32:59 charon 07[IKE] <34> IKE_SA (unnamed)[34] state change: CREATED => CONNECTING Oct 30 22:32:59 charon 07[CFG] <34> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <34> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:32:59 charon 07[CFG] <34> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <34> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:32:59 charon 07[CFG] <34> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <34> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:32:59 charon 07[CFG] <34> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <34> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:32:59 charon 07[CFG] <34> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <34> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:32:59 charon 07[CFG] <34> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:32:59 charon 07[CFG] <34> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP Oct 30 22:32:59 charon 07[IKE] <34> remote host is behind NAT Oct 30 22:32:59 charon 07[IKE] <34> received proposals inacceptable Oct 30 22:32:59 charon 07[ENC] <34> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] Oct 30 22:32:59 charon 07[NET] <34> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31067] (36 bytes) Oct 30 22:32:59 charon 07[IKE] <34> IKE_SA (unnamed)[34] state change: CONNECTING => DESTROYING Oct 30 22:32:59 charon 07[NET] <35> received packet: from 1xx.2xx.2xx.4[31067] to 2xx.1xx.1xx.2xx[500] (604 bytes) Oct 30 22:32:59 charon 07[ENC] <35> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:32:59 charon 07[CFG] <35> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:32:59 charon 07[CFG] <35> candidate: %any...%any, prio 24 Oct 30 22:32:59 charon 07[CFG] <35> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 22:32:59 charon 07[CFG] <35> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:32:59 charon 07[IKE] <35> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:32:59 charon 07[IKE] <35> IKE_SA (unnamed)[35] state change: CREATED => CONNECTING Oct 30 22:32:59 charon 07[CFG] <35> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <35> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:32:59 charon 07[CFG] <35> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <35> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:32:59 charon 07[CFG] <35> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <35> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:32:59 charon 07[CFG] <35> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <35> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:32:59 charon 07[CFG] <35> selecting proposal: Oct 30 22:32:59 charon 07[CFG] <35> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:32:59 charon 07[CFG] <35> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:32:59 charon 07[CFG] <35> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP Oct 30 22:32:59 charon 07[IKE] <35> remote host is behind NAT Oct 30 22:32:59 charon 07[IKE] <35> received proposals inacceptable Oct 30 22:32:59 charon 07[ENC] <35> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] Oct 30 22:32:59 charon 07[NET] <35> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31067] (36 bytes) Oct 30 22:32:59 charon 07[IKE] <35> IKE_SA (unnamed)[35] state change: CONNECTING => DESTROYINGAES, 256 bits, SHA256, DH Group 5
Oct 30 22:41:38 charon 10[NET] <36> received packet: from 1xx.2xx.2xx.4[31068] to 2xx.1xx.1xx.2xx[500] (604 bytes) Oct 30 22:41:38 charon 10[ENC] <36> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:41:38 charon 10[CFG] <36> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:41:38 charon 10[CFG] <36> candidate: %any...%any, prio 24 Oct 30 22:41:38 charon 10[CFG] <36> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 22:41:38 charon 10[CFG] <36> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:41:38 charon 10[IKE] <36> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:41:38 charon 10[IKE] <36> IKE_SA (unnamed)[36] state change: CREATED => CONNECTING Oct 30 22:41:38 charon 10[CFG] <36> selecting proposal: Oct 30 22:41:38 charon 10[CFG] <36> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:41:38 charon 10[CFG] <36> selecting proposal: Oct 30 22:41:38 charon 10[CFG] <36> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:41:38 charon 10[CFG] <36> selecting proposal: Oct 30 22:41:38 charon 10[CFG] <36> proposal matches Oct 30 22:41:38 charon 10[CFG] <36> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:41:38 charon 10[CFG] <36> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536 Oct 30 22:41:38 charon 10[CFG] <36> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536 Oct 30 22:41:38 charon 10[IKE] <36> remote host is behind NAT Oct 30 22:41:38 charon 10[IKE] <36> DH group MODP_2048 inacceptable, requesting MODP_1536 Oct 30 22:41:38 charon 10[ENC] <36> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] Oct 30 22:41:38 charon 10[NET] <36> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31068] (38 bytes) Oct 30 22:41:38 charon 10[IKE] <36> IKE_SA (unnamed)[36] state change: CONNECTING => DESTROYING Oct 30 22:41:38 charon 10[NET] <37> received packet: from 1xx.2xx.2xx.4[31068] to 2xx.1xx.1xx.2xx[500] (540 bytes) Oct 30 22:41:38 charon 10[ENC] <37> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:41:38 charon 10[CFG] <37> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:41:38 charon 10[CFG] <37> candidate: %any...%any, prio 24 Oct 30 22:41:38 charon 10[CFG] <37> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 22:41:38 charon 10[CFG] <37> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:41:38 charon 10[IKE] <37> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:41:38 charon 10[IKE] <37> IKE_SA (unnamed)[37] state change: CREATED => CONNECTING Oct 30 22:41:38 charon 10[CFG] <37> selecting proposal: Oct 30 22:41:38 charon 10[CFG] <37> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:41:38 charon 10[CFG] <37> selecting proposal: Oct 30 22:41:38 charon 10[CFG] <37> no acceptable DIFFIE_HELLMAN_GROUP found Oct 30 22:41:38 charon 10[CFG] <37> selecting proposal: Oct 30 22:41:38 charon 10[CFG] <37> proposal matches Oct 30 22:41:38 charon 10[CFG] <37> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:41:38 charon 10[CFG] <37> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536 Oct 30 22:41:38 charon 10[CFG] <37> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536 Oct 30 22:41:38 charon 10[IKE] <37> remote host is behind NAT Oct 30 22:41:38 charon 10[IKE] <37> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" Oct 30 22:41:38 charon 10[ENC] <37> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] Oct 30 22:41:38 charon 10[NET] <37> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31068] (409 bytes) Oct 30 22:41:38 charon 10[NET] <37> received packet: from 1xx.2xx.2xx.4[5288] to 2xx.1xx.1xx.2xx[4500] (496 bytes) Oct 30 22:41:38 charon 10[ENC] <37> unknown attribute type (25) Oct 30 22:41:38 charon 10[ENC] <37> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] Oct 30 22:41:38 charon 10[CFG] <37> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.4[10.39.158.223] Oct 30 22:41:38 charon 10[CFG] <37> candidate "bypasslan", match: 1/1/24 (me/other/ike) Oct 30 22:41:38 charon 10[CFG] <bypasslan|37> selected peer config 'bypasslan' Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> peer requested EAP, config inacceptable Oct 30 22:41:38 charon 10[CFG] <bypasslan|37> no alternative config found Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP4_ADDRESS attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP4_DHCP attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP4_DNS attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP4_NETMASK attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP6_ADDRESS attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP6_DHCP attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing INTERNAL_IP6_DNS attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> processing (25) attribute Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> peer supports MOBIKE Oct 30 22:41:38 charon 10[ENC] <bypasslan|37> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Oct 30 22:41:38 charon 10[NET] <bypasslan|37> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.4[5288] (80 bytes) Oct 30 22:41:38 charon 10[IKE] <bypasslan|37> IKE_SA bypasslan[37] state change: CONNECTING => DESTROYINGAES, 128 bits, SHA1, DH Group 2
Oct 30 22:47:52 charon 05[NET] <38> received packet: from 1xx.2xx.2xx.4[31069] to 2xx.1xx.1xx.2xx[500] (604 bytes) Oct 30 22:47:52 charon 05[ENC] <38> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:47:52 charon 05[CFG] <38> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:47:52 charon 05[CFG] <38> candidate: %any...%any, prio 24 Oct 30 22:47:52 charon 05[CFG] <38> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 22:47:52 charon 05[CFG] <38> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:47:52 charon 05[IKE] <38> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:47:52 charon 05[IKE] <38> IKE_SA (unnamed)[38] state change: CREATED => CONNECTING Oct 30 22:47:52 charon 05[CFG] <38> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <38> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:47:52 charon 05[CFG] <38> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <38> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:47:52 charon 05[CFG] <38> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <38> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:47:52 charon 05[CFG] <38> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <38> proposal matches Oct 30 22:47:52 charon 05[CFG] <38> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:47:52 charon 05[CFG] <38> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:47:52 charon 05[CFG] <38> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:47:52 charon 05[IKE] <38> remote host is behind NAT Oct 30 22:47:52 charon 05[IKE] <38> DH group MODP_2048 inacceptable, requesting MODP_1024 Oct 30 22:47:52 charon 05[ENC] <38> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] Oct 30 22:47:52 charon 05[NET] <38> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31069] (38 bytes) Oct 30 22:47:52 charon 05[IKE] <38> IKE_SA (unnamed)[38] state change: CONNECTING => DESTROYING Oct 30 22:47:52 charon 05[NET] <39> received packet: from 1xx.2xx.2xx.4[31069] to 2xx.1xx.1xx.2xx[500] (476 bytes) Oct 30 22:47:52 charon 05[ENC] <39> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Oct 30 22:47:52 charon 05[CFG] <39> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4 Oct 30 22:47:52 charon 05[CFG] <39> candidate: %any...%any, prio 24 Oct 30 22:47:52 charon 05[CFG] <39> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052 Oct 30 22:47:52 charon 05[CFG] <39> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052 Oct 30 22:47:52 charon 05[IKE] <39> 1xx.2xx.2xx.4 is initiating an IKE_SA Oct 30 22:47:52 charon 05[IKE] <39> IKE_SA (unnamed)[39] state change: CREATED => CONNECTING Oct 30 22:47:52 charon 05[CFG] <39> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <39> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:47:52 charon 05[CFG] <39> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <39> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:47:52 charon 05[CFG] <39> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <39> no acceptable ENCRYPTION_ALGORITHM found Oct 30 22:47:52 charon 05[CFG] <39> selecting proposal: Oct 30 22:47:52 charon 05[CFG] <39> proposal matches Oct 30 22:47:52 charon 05[CFG] <39> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:47:52 charon 05[CFG] <39> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:47:52 charon 05[CFG] <39> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Oct 30 22:47:52 charon 05[IKE] <39> remote host is behind NAT Oct 30 22:47:52 charon 05[IKE] <39> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" Oct 30 22:47:52 charon 05[ENC] <39> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] Oct 30 22:47:52 charon 05[NET] <39> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31069] (345 bytes) Oct 30 22:47:52 charon 05[NET] <39> received packet: from 1xx.2xx.2xx.4[5289] to 2xx.1xx.1xx.2xx[4500] (492 bytes) Oct 30 22:47:52 charon 05[ENC] <39> unknown attribute type (25) Oct 30 22:47:52 charon 05[ENC] <39> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] Oct 30 22:47:52 charon 05[CFG] <39> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.4[1x.3x.1xx.2xx] Oct 30 22:47:52 charon 05[CFG] <39> candidate "bypasslan", match: 1/1/24 (me/other/ike) Oct 30 22:47:52 charon 05[CFG] <bypasslan|39> selected peer config 'bypasslan' Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> peer requested EAP, config inacceptable Oct 30 22:47:52 charon 05[CFG] <bypasslan|39> no alternative config found Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP4_ADDRESS attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP4_DHCP attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP4_DNS attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP4_NETMASK attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP6_ADDRESS attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP6_DHCP attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing INTERNAL_IP6_DNS attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> processing (25) attribute Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> peer supports MOBIKE Oct 30 22:47:52 charon 05[ENC] <bypasslan|39> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Oct 30 22:47:52 charon 05[NET] <bypasslan|39> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.4[5289] (76 bytes) Oct 30 22:47:52 charon 05[IKE] <bypasslan|39> IKE_SA bypasslan[39] state change: CONNECTING => DESTROYING -
That looks better but it's still not matching the P1. The encryption matches but eventually it falls through to bypasslan which only happens when it failed to completely match up with the mobile VPN instance.
What client is this and how is it configured? Did you install the CA on the client and set it to be trusted?
-
No, what I want is a user ID/password connection method without installing a certificate on the client.
-
Anything with IKEv2/EAP is going to require a certificate on the client. The client at least needs to know to trust the server certificate CA.
You can try one of the older setups like PSK+xauth but it is not as secure or likely to work on as many current client operating systems.
-
@jimp Can you tell me how to set up PSK + Xauth?
-
It's in the online documentation.
-
@jimp Can I use a Radius server with PSK + Xauth? I still lack a lot of information about VPN.
-
Yes, you can. The information you need is in the online documentation. I cannot walk you through it.
-
Thank you for the good information. I'm sure I'll succeed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.