Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to configure IKev2+radius authentication

    Scheduled Pinned Locked Moved IPsec
    17 Posts 2 Posters 1.2k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O Offline
      Ohbyeongkwon
      last edited by

      I only set up EAP-RADIUS authentication without creating a client dictionary share key. Is there a problem?

      1 Reply Last reply Reply Quote 0
      • O Offline
        Ohbyeongkwon
        last edited by

        Create a Certificate Authority
        CAs
        Descriptive name = IKEv2VPNca
        Method = Creat an internal Certificate Authority
        Key length (bits) = 2048
        Digest Algorithm = sha 256
        Lifetime (days) = 3650
        Common Name = IKEv2CA
        Country Code = KR
        State or Province = SEOUL
        City = SEOUL
        Organization = UVPN
        Organizational Unit = UVPN

        Certificates
        Method = Creat an internal Certificate Authority
        Descriptive name = IKEV2VPN Certificate
        Certificate authority = IKEv2VPNca
        Key length (bits) = 2048
        Digest Algorithm = sha 256
        Lifetime (days) = 3650
        Common Name = uvpn5.serveirc.com
        Country Code = KR
        State or Province = SEOUL
        City = SEOUL
        Organization = UVPN
        Organizational Unit = UVPN
        Certificate Type = Server Certificate
        Alternative Names = FQDN or Hostname , uvpn5.serveirc.com
        IPaddress , 2xx.1xx.1xx.2xx

        User Manager
        Authentication servers

        Descriptive name = Radius
        Type = RADIUS
        Protocol = MS-CHAPv2
        Hostname or IP address = 192.168.1.1
        Shared Secret = uvpnuvpn
        Services offered = Authentication
        Authentication port = 1812
        Accounting port = 1813
        RADIUS NAS IP Attribute = WAN โ€“ 2xx.1xx.1xx.2xx

        FreeRADIUS(Packge FreeRADIUS)
        Interfaces

        Interface IP Address = 192.168.1.1
        Port = 1812
        Interface Type = Authentication
        IP Version = IPv4

        NAS/Clients

        Client IP Address = 192.168.1.1
        Client IP Version = IPv4
        Client Shortname = UVPN
        Client Shared Secret = uvpnuvpn

        Users

        Username = user
        Password = Password

        IPsec
        Mobile Clients
        Enable IPsec Mobile Client Support = Check
        User Authentication = Radius
        Provide a virtual IP address to clients = Check
        70.70.70.1/24
        Provide a list of accessible networks to clients = Check

        Tunnels
        Phase1
        Key Exchange version = IKEv2
        Internet Protocol =ipv4
        Interface = WAN
        Authentication Method = EAP-RADIUS
        My identifier = uvpn5.serveirc.com
        Peer identifier = any
        My Certificate = IKEV2 Certificates
        Encryption Algorithm = 3Des
        Hash = SHA1
        DH Key group = 2(1024bit)

        Phase2
        Mode = Tunnel IPv4
        Local Network = network 0.0.0.0/0
        Protocol = ESP
        Encryption Algorithms = AES Auto
        3Des
        Hash Algorithms = sha1,sha256
        PFS key group = off

        Firewall Rules
        IPsec
        Action = Pass
        Interface = IPsec
        Address Family = IPv4
        Protocol = any
        Source = any
        Destination = any

        This is my Pfsense setup situation.
        Are there any missing settings?

        1 Reply Last reply Reply Quote 0
        • O Offline
          Ohbyeongkwon
          last edited by Ohbyeongkwon 

          Oct 30 16:21:31	charon		12[NET] <1> received packet: from 1xx.2xx.2xx.3x[7310] to 2xx.1xx.1xx.2xx[500] (604 bytes)
Oct 30 16:21:31	charon		12[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 16:21:31	charon		12[CFG] <1> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.3x
Oct 30 16:21:31	charon		12[CFG] <1> candidate: %any...%any, prio 24
Oct 30 16:21:31	charon		12[CFG] <1> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 16:21:31	charon		12[CFG] <1> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 16:21:31	charon		12[IKE] <1> 1xx.2xx.2xx.3x is initiating an IKE_SA
Oct 30 16:21:31	charon		12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Oct 30 16:21:31	charon		12[CFG] <1> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <1> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <1> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <1> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <1> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <1> proposal matches
Oct 30 16:21:31	charon		12[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 16:21:31	charon		12[CFG] <1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 16:21:31	charon		12[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 16:21:31	charon		12[IKE] <1> remote host is behind NAT
Oct 30 16:21:31	charon		12[IKE] <1> DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 30 16:21:31	charon		12[ENC] <1> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 30 16:21:31	charon		12[NET] <1> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.3x[7310] (38 bytes)
Oct 30 16:21:31	charon		12[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Oct 30 16:21:31	charon		12[NET] <2> received packet: from 111.2xx.2xx.3x[7310] to 2xx.1xx.1xx.2xx[500] (476 bytes)
Oct 30 16:21:31	charon		12[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 16:21:31	charon		12[CFG] <2> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.3x
Oct 30 16:21:31	charon		12[CFG] <2> candidate: %any...%any, prio 24
Oct 30 16:21:31	charon		12[CFG] <2> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 16:21:31	charon		12[CFG] <2> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 16:21:31	charon		12[IKE] <2> 1xx.2xx.2xx.3x is initiating an IKE_SA
Oct 30 16:21:31	charon		12[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 30 16:21:31	charon		12[CFG] <2> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <2> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <2> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <2> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 16:21:31	charon		12[CFG] <2> selecting proposal:
Oct 30 16:21:31	charon		12[CFG] <2> proposal matches
Oct 30 16:21:31	charon		12[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 16:21:31	charon		12[CFG] <2> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 16:21:31	charon		12[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 16:21:31	charon		12[IKE] <2> remote host is behind NAT
Oct 30 16:21:31	charon		12[IKE] <2> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN"
Oct 30 16:21:31	charon		12[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 30 16:21:31	charon		12[NET] <2> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.3x[7310] (341 bytes)
Oct 30 16:21:31	charon		12[NET] <2> received packet: from 1xx.2xx.2xx.3x[8756] to 2xx.1xx.1xx.2xx[4500] (484 bytes)
Oct 30 16:21:31	charon		12[ENC] <2> unknown attribute type (25)
Oct 30 16:21:31	charon		12[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 30 16:21:31	charon		12[CFG] <2> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.3x[192.168.199.146]
Oct 30 16:21:31	charon		12[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 30 16:21:31	charon		12[CFG] <bypasslan|2> selected peer config 'bypasslan'
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> peer requested EAP, config inacceptable
Oct 30 16:21:31	charon		12[CFG] <bypasslan|2> no alternative config found
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP4_ADDRESS attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP4_DHCP attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP4_DNS attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP4_NETMASK attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP6_ADDRESS attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP6_DHCP attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing INTERNAL_IP6_DNS attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> processing (25) attribute
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> peer supports MOBIKE
Oct 30 16:21:31	charon		12[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 30 16:21:31	charon		12[NET] <bypasslan|2> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.3x[8756] (68 bytes)
Oct 30 16:21:31	charon		12[IKE] <bypasslan|2> IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING

          Access to the iPhone failed log.

          1 Reply Last reply Reply Quote 0
          • jimpJ Offline
            jimp Rebel Alliance Developer Netgate
            last edited by

            From the logs it looks like your client Phase 1 settings don't match up. The client is asking for some settings that don't quite line up with what you have set.

            In your P1 settings, in addition to what you have set for the P1 encryption, also set rows for:

            • AES, 256 bits, SHA256, DH Group 14
            • AES, 256 bits, SHA256, DH Group 28
            • AES, 256 bits, SHA256, DH Group 5
            • AES, 128 bits, SHA1, DH Group 2

            Then see if it gets farther along in the process.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • O Offline
              Ohbyeongkwon
              last edited by

              Thank you for your answer. However, authentication fails.

              1 Reply Last reply Reply Quote 0
              • jimpJ Offline
                jimp Rebel Alliance Developer Netgate
                last edited by

                What is in the logs now? The previous logs showed it was not reaching the authentication stage, it was failing before then.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • O Offline
                  Ohbyeongkwon
                  last edited by Ohbyeongkwon

                  AES, 256 bits, SHA256, DH Group 14 Log

                  Oct 30 22:30:19	charon		10[NET] <33> received packet: from 1xx.2xx.2xx.4[31066] to 2xx.1xx.1xx.2xx[500] (604 bytes)
Oct 30 22:30:19	charon		10[ENC] <33> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:30:19	charon		10[CFG] <33> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:30:19	charon		10[CFG] <33> candidate: %any...%any, prio 24
Oct 30 22:30:19	charon		10[CFG] <33> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 22:30:19	charon		10[CFG] <33> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:30:19	charon		10[IKE] <33> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:30:19	charon		10[IKE] <33> IKE_SA (unnamed)[33] state change: CREATED => CONNECTING
Oct 30 22:30:19	charon		10[CFG] <33> selecting proposal:
Oct 30 22:30:19	charon		10[CFG] <33> proposal matches
Oct 30 22:30:19	charon		10[CFG] <33> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:30:19	charon		10[CFG] <33> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 30 22:30:19	charon		10[CFG] <33> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 30 22:30:19	charon		10[IKE] <33> remote host is behind NAT
Oct 30 22:30:19	charon		10[IKE] <33> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN"
Oct 30 22:30:19	charon		10[ENC] <33> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 30 22:30:19	charon		10[NET] <33> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31066] (473 bytes)
Oct 30 22:30:19	charon		10[NET] <33> received packet: from 1xx.2xx.2xx.4[5286] to 2xx.1xx.1xx.2xx[4500] (496 bytes)
Oct 30 22:30:19	charon		10[ENC] <33> unknown attribute type (25)
Oct 30 22:30:19	charon		10[ENC] <33> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 30 22:30:19	charon		10[CFG] <33> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.4[10.39.158.223]
Oct 30 22:30:19	charon		10[CFG] <33> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 30 22:30:19	charon		10[CFG] <bypasslan|33> selected peer config 'bypasslan'
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> peer requested EAP, config inacceptable
Oct 30 22:30:19	charon		10[CFG] <bypasslan|33> no alternative config found
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP4_ADDRESS attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP4_DHCP attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP4_DNS attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP4_NETMASK attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP6_ADDRESS attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP6_DHCP attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing INTERNAL_IP6_DNS attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> processing (25) attribute
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> peer supports MOBIKE
Oct 30 22:30:19	charon		10[ENC] <bypasslan|33> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 30 22:30:19	charon		10[NET] <bypasslan|33> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.4[5286] (80 bytes)
Oct 30 22:30:19	charon		10[IKE] <bypasslan|33> IKE_SA bypasslan[33] state change: CONNECTING => DESTROYING

                  AES, 256 bits, SHA256, DH Group 28

                  Oct 30 22:32:59	charon		08[CFG] rereading secrets
Oct 30 22:32:59	charon		08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Oct 30 22:32:59	charon		08[CFG] loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
Oct 30 22:32:59	charon		08[CFG] loaded EAP secret for xxxxxx87@gmail.com
Oct 30 22:32:59	charon		08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Oct 30 22:32:59	charon		08[CFG] loaded ca certificate "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" from '/usr/local/etc/ipsec.d/cacerts/3c718073.0.crt'
Oct 30 22:32:59	charon		08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Oct 30 22:32:59	charon		08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Oct 30 22:32:59	charon		08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Oct 30 22:32:59	charon		08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Oct 30 22:32:59	charon		08[CFG] received stroke: unroute 'bypasslan'
Oct 30 22:32:59	charon		08[CFG] proposing traffic selectors for us:
Oct 30 22:32:59	charon		08[CFG] 192.168.1.0/24|/0
Oct 30 22:32:59	charon		08[CFG] proposing traffic selectors for other:
Oct 30 22:32:59	charon		08[CFG] 192.168.1.0/24|/0
Oct 30 22:32:59	ipsec_starter	23387	shunt policy 'bypasslan' uninstalled
Oct 30 22:32:59	charon		05[CFG] received stroke: delete connection 'bypasslan'
Oct 30 22:32:59	charon		05[CFG] deleted connection 'bypasslan'
Oct 30 22:32:59	charon		07[CFG] received stroke: delete connection 'con-mobile'
Oct 30 22:32:59	charon		07[CFG] deleted connection 'con-mobile'
Oct 30 22:32:59	charon		05[CFG] received stroke: add connection 'bypasslan'
Oct 30 22:32:59	charon		05[CFG] conn bypasslan
Oct 30 22:32:59	charon		05[CFG] left=%any
Oct 30 22:32:59	charon		05[CFG] leftsubnet=192.168.1.0/24
Oct 30 22:32:59	charon		05[CFG] right=%any
Oct 30 22:32:59	charon		05[CFG] rightsubnet=192.168.1.0/24
Oct 30 22:32:59	charon		05[CFG] dpddelay=30
Oct 30 22:32:59	charon		05[CFG] dpdtimeout=150
Oct 30 22:32:59	charon		05[CFG] sha256_96=no
Oct 30 22:32:59	charon		05[CFG] mediation=no
Oct 30 22:32:59	charon		05[CFG] added configuration 'bypasslan'
Oct 30 22:32:59	charon		07[CFG] received stroke: route 'bypasslan'
Oct 30 22:32:59	charon		07[CFG] proposing traffic selectors for us:
Oct 30 22:32:59	charon		07[CFG] 192.168.1.0/24|/0
Oct 30 22:32:59	charon		07[CFG] proposing traffic selectors for other:
Oct 30 22:32:59	charon		07[CFG] 192.168.1.0/24|/0
Oct 30 22:32:59	ipsec_starter	23387	'bypasslan' shunt PASS policy installed
Oct 30 22:32:59	charon		05[CFG] received stroke: add connection 'con-mobile'
Oct 30 22:32:59	charon		05[CFG] conn con-mobile
Oct 30 22:32:59	charon		05[CFG] left=2xx.1xx.1xx.2xx
Oct 30 22:32:59	charon		05[CFG] leftsubnet=0.0.0.0/0
Oct 30 22:32:59	charon		05[CFG] leftauth=pubkey
Oct 30 22:32:59	charon		05[CFG] leftid=fqdn:uvpn5.serveirc.com
Oct 30 22:32:59	charon		05[CFG] leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
Oct 30 22:32:59	charon		05[CFG] right=%any
Oct 30 22:32:59	charon		05[CFG] rightsourceip=70.70.70.1/24
Oct 30 22:32:59	charon		05[CFG] rightauth=eap-mschapv2
Oct 30 22:32:59	charon		05[CFG] eap_identity=%any
Oct 30 22:32:59	charon		05[CFG] ike=aes256-sha256-ecp256bp!
Oct 30 22:32:59	charon		05[CFG] esp=aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,3des-sha1,3des-sha256!
Oct 30 22:32:59	charon		05[CFG] dpddelay=10
Oct 30 22:32:59	charon		05[CFG] dpdtimeout=60
Oct 30 22:32:59	charon		05[CFG] dpdaction=1
Oct 30 22:32:59	charon		05[CFG] sha256_96=no
Oct 30 22:32:59	charon		05[CFG] mediation=no
Oct 30 22:32:59	charon		05[CFG] keyexchange=ikev2
Oct 30 22:32:59	charon		05[CFG] reusing virtual IP address pool 70.70.70.1/24
Oct 30 22:32:59	charon		05[CFG] loaded certificate "CN=uvpn5.serveirc.com, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt'
Oct 30 22:32:59	charon		05[CFG] added configuration 'con-mobile'
Oct 30 22:32:59	charon		07[NET] <34> received packet: from 1xx.2xx.2xx.4[31067] to 2xx.1xx.1xx.2xx[500] (604 bytes)
Oct 30 22:32:59	charon		07[ENC] <34> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:32:59	charon		07[CFG] <34> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:32:59	charon		07[CFG] <34> candidate: %any...%any, prio 24
Oct 30 22:32:59	charon		07[CFG] <34> candidate: 222.108.111.245...%any, prio 1052
Oct 30 22:32:59	charon		07[CFG] <34> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:32:59	charon		07[IKE] <34> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:32:59	charon		07[IKE] <34> IKE_SA (unnamed)[34] state change: CREATED => CONNECTING
Oct 30 22:32:59	charon		07[CFG] <34> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <34> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:32:59	charon		07[CFG] <34> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <34> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:32:59	charon		07[CFG] <34> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <34> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:32:59	charon		07[CFG] <34> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <34> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:32:59	charon		07[CFG] <34> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <34> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:32:59	charon		07[CFG] <34> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:32:59	charon		07[CFG] <34> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP
Oct 30 22:32:59	charon		07[IKE] <34> remote host is behind NAT
Oct 30 22:32:59	charon		07[IKE] <34> received proposals inacceptable
Oct 30 22:32:59	charon		07[ENC] <34> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 30 22:32:59	charon		07[NET] <34> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31067] (36 bytes)
Oct 30 22:32:59	charon		07[IKE] <34> IKE_SA (unnamed)[34] state change: CONNECTING => DESTROYING
Oct 30 22:32:59	charon		07[NET] <35> received packet: from 1xx.2xx.2xx.4[31067] to 2xx.1xx.1xx.2xx[500] (604 bytes)
Oct 30 22:32:59	charon		07[ENC] <35> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:32:59	charon		07[CFG] <35> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:32:59	charon		07[CFG] <35> candidate: %any...%any, prio 24
Oct 30 22:32:59	charon		07[CFG] <35> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 22:32:59	charon		07[CFG] <35> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:32:59	charon		07[IKE] <35> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:32:59	charon		07[IKE] <35> IKE_SA (unnamed)[35] state change: CREATED => CONNECTING
Oct 30 22:32:59	charon		07[CFG] <35> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <35> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:32:59	charon		07[CFG] <35> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <35> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:32:59	charon		07[CFG] <35> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <35> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:32:59	charon		07[CFG] <35> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <35> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:32:59	charon		07[CFG] <35> selecting proposal:
Oct 30 22:32:59	charon		07[CFG] <35> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:32:59	charon		07[CFG] <35> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:32:59	charon		07[CFG] <35> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP
Oct 30 22:32:59	charon		07[IKE] <35> remote host is behind NAT
Oct 30 22:32:59	charon		07[IKE] <35> received proposals inacceptable
Oct 30 22:32:59	charon		07[ENC] <35> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 30 22:32:59	charon		07[NET] <35> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31067] (36 bytes)
Oct 30 22:32:59	charon		07[IKE] <35> IKE_SA (unnamed)[35] state change: CONNECTING => DESTROYING

                  AES, 256 bits, SHA256, DH Group 5

                  Oct 30 22:41:38	charon		10[NET] <36> received packet: from 1xx.2xx.2xx.4[31068] to 2xx.1xx.1xx.2xx[500] (604 bytes)
Oct 30 22:41:38	charon		10[ENC] <36> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:41:38	charon		10[CFG] <36> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:41:38	charon		10[CFG] <36> candidate: %any...%any, prio 24
Oct 30 22:41:38	charon		10[CFG] <36> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 22:41:38	charon		10[CFG] <36> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:41:38	charon		10[IKE] <36> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:41:38	charon		10[IKE] <36> IKE_SA (unnamed)[36] state change: CREATED => CONNECTING
Oct 30 22:41:38	charon		10[CFG] <36> selecting proposal:
Oct 30 22:41:38	charon		10[CFG] <36> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:41:38	charon		10[CFG] <36> selecting proposal:
Oct 30 22:41:38	charon		10[CFG] <36> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:41:38	charon		10[CFG] <36> selecting proposal:
Oct 30 22:41:38	charon		10[CFG] <36> proposal matches
Oct 30 22:41:38	charon		10[CFG] <36> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:41:38	charon		10[CFG] <36> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 30 22:41:38	charon		10[CFG] <36> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 30 22:41:38	charon		10[IKE] <36> remote host is behind NAT
Oct 30 22:41:38	charon		10[IKE] <36> DH group MODP_2048 inacceptable, requesting MODP_1536
Oct 30 22:41:38	charon		10[ENC] <36> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 30 22:41:38	charon		10[NET] <36> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31068] (38 bytes)
Oct 30 22:41:38	charon		10[IKE] <36> IKE_SA (unnamed)[36] state change: CONNECTING => DESTROYING
Oct 30 22:41:38	charon		10[NET] <37> received packet: from 1xx.2xx.2xx.4[31068] to 2xx.1xx.1xx.2xx[500] (540 bytes)
Oct 30 22:41:38	charon		10[ENC] <37> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:41:38	charon		10[CFG] <37> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:41:38	charon		10[CFG] <37> candidate: %any...%any, prio 24
Oct 30 22:41:38	charon		10[CFG] <37> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 22:41:38	charon		10[CFG] <37> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:41:38	charon		10[IKE] <37> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:41:38	charon		10[IKE] <37> IKE_SA (unnamed)[37] state change: CREATED => CONNECTING
Oct 30 22:41:38	charon		10[CFG] <37> selecting proposal:
Oct 30 22:41:38	charon		10[CFG] <37> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:41:38	charon		10[CFG] <37> selecting proposal:
Oct 30 22:41:38	charon		10[CFG] <37> no acceptable DIFFIE_HELLMAN_GROUP found
Oct 30 22:41:38	charon		10[CFG] <37> selecting proposal:
Oct 30 22:41:38	charon		10[CFG] <37> proposal matches
Oct 30 22:41:38	charon		10[CFG] <37> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:41:38	charon		10[CFG] <37> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 30 22:41:38	charon		10[CFG] <37> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Oct 30 22:41:38	charon		10[IKE] <37> remote host is behind NAT
Oct 30 22:41:38	charon		10[IKE] <37> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN"
Oct 30 22:41:38	charon		10[ENC] <37> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 30 22:41:38	charon		10[NET] <37> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31068] (409 bytes)
Oct 30 22:41:38	charon		10[NET] <37> received packet: from 1xx.2xx.2xx.4[5288] to 2xx.1xx.1xx.2xx[4500] (496 bytes)
Oct 30 22:41:38	charon		10[ENC] <37> unknown attribute type (25)
Oct 30 22:41:38	charon		10[ENC] <37> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 30 22:41:38	charon		10[CFG] <37> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.4[10.39.158.223]
Oct 30 22:41:38	charon		10[CFG] <37> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 30 22:41:38	charon		10[CFG] <bypasslan|37> selected peer config 'bypasslan'
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> peer requested EAP, config inacceptable
Oct 30 22:41:38	charon		10[CFG] <bypasslan|37> no alternative config found
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP4_ADDRESS attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP4_DHCP attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP4_DNS attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP4_NETMASK attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP6_ADDRESS attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP6_DHCP attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing INTERNAL_IP6_DNS attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> processing (25) attribute
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> peer supports MOBIKE
Oct 30 22:41:38	charon		10[ENC] <bypasslan|37> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 30 22:41:38	charon		10[NET] <bypasslan|37> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.4[5288] (80 bytes)
Oct 30 22:41:38	charon		10[IKE] <bypasslan|37> IKE_SA bypasslan[37] state change: CONNECTING => DESTROYING

                  AES, 128 bits, SHA1, DH Group 2

                  Oct 30 22:47:52	charon		05[NET] <38> received packet: from 1xx.2xx.2xx.4[31069] to 2xx.1xx.1xx.2xx[500] (604 bytes)
Oct 30 22:47:52	charon		05[ENC] <38> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:47:52	charon		05[CFG] <38> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:47:52	charon		05[CFG] <38> candidate: %any...%any, prio 24
Oct 30 22:47:52	charon		05[CFG] <38> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 22:47:52	charon		05[CFG] <38> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:47:52	charon		05[IKE] <38> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:47:52	charon		05[IKE] <38> IKE_SA (unnamed)[38] state change: CREATED => CONNECTING
Oct 30 22:47:52	charon		05[CFG] <38> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <38> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:47:52	charon		05[CFG] <38> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <38> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:47:52	charon		05[CFG] <38> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <38> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:47:52	charon		05[CFG] <38> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <38> proposal matches
Oct 30 22:47:52	charon		05[CFG] <38> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:47:52	charon		05[CFG] <38> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:47:52	charon		05[CFG] <38> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:47:52	charon		05[IKE] <38> remote host is behind NAT
Oct 30 22:47:52	charon		05[IKE] <38> DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 30 22:47:52	charon		05[ENC] <38> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 30 22:47:52	charon		05[NET] <38> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31069] (38 bytes)
Oct 30 22:47:52	charon		05[IKE] <38> IKE_SA (unnamed)[38] state change: CONNECTING => DESTROYING
Oct 30 22:47:52	charon		05[NET] <39> received packet: from 1xx.2xx.2xx.4[31069] to 2xx.1xx.1xx.2xx[500] (476 bytes)
Oct 30 22:47:52	charon		05[ENC] <39> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 22:47:52	charon		05[CFG] <39> looking for an ike config for 2xx.1xx.1xx.2xx...1xx.2xx.2xx.4
Oct 30 22:47:52	charon		05[CFG] <39> candidate: %any...%any, prio 24
Oct 30 22:47:52	charon		05[CFG] <39> candidate: 2xx.1xx.1xx.2xx...%any, prio 1052
Oct 30 22:47:52	charon		05[CFG] <39> found matching ike config: 2xx.1xx.1xx.2xx...%any with prio 1052
Oct 30 22:47:52	charon		05[IKE] <39> 1xx.2xx.2xx.4 is initiating an IKE_SA
Oct 30 22:47:52	charon		05[IKE] <39> IKE_SA (unnamed)[39] state change: CREATED => CONNECTING
Oct 30 22:47:52	charon		05[CFG] <39> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <39> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:47:52	charon		05[CFG] <39> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <39> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:47:52	charon		05[CFG] <39> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <39> no acceptable ENCRYPTION_ALGORITHM found
Oct 30 22:47:52	charon		05[CFG] <39> selecting proposal:
Oct 30 22:47:52	charon		05[CFG] <39> proposal matches
Oct 30 22:47:52	charon		05[CFG] <39> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:47:52	charon		05[CFG] <39> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:47:52	charon		05[CFG] <39> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 30 22:47:52	charon		05[IKE] <39> remote host is behind NAT
Oct 30 22:47:52	charon		05[IKE] <39> sending cert request for "CN=IKEV2VPNca, C=KR, ST=SEOUL, L=SEOUL, O=UVPN, OU=UVPN"
Oct 30 22:47:52	charon		05[ENC] <39> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 30 22:47:52	charon		05[NET] <39> sending packet: from 2xx.1xx.1xx.2xx[500] to 1xx.2xx.2xx.4[31069] (345 bytes)
Oct 30 22:47:52	charon		05[NET] <39> received packet: from 1xx.2xx.2xx.4[5289] to 2xx.1xx.1xx.2xx[4500] (492 bytes)
Oct 30 22:47:52	charon		05[ENC] <39> unknown attribute type (25)
Oct 30 22:47:52	charon		05[ENC] <39> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 30 22:47:52	charon		05[CFG] <39> looking for peer configs matching 2xx.1xx.1xx.2xx[2xx.1xx.1xx.2xx]...1xx.2xx.2xx.4[1x.3x.1xx.2xx]
Oct 30 22:47:52	charon		05[CFG] <39> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 30 22:47:52	charon		05[CFG] <bypasslan|39> selected peer config 'bypasslan'
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> peer requested EAP, config inacceptable
Oct 30 22:47:52	charon		05[CFG] <bypasslan|39> no alternative config found
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP4_ADDRESS attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP4_DHCP attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP4_DNS attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP4_NETMASK attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP6_ADDRESS attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP6_DHCP attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing INTERNAL_IP6_DNS attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> processing (25) attribute
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> peer supports MOBIKE
Oct 30 22:47:52	charon		05[ENC] <bypasslan|39> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 30 22:47:52	charon		05[NET] <bypasslan|39> sending packet: from 2xx.1xx.1xx.2xx[4500] to 1xx.2xx.2xx.4[5289] (76 bytes)
Oct 30 22:47:52	charon		05[IKE] <bypasslan|39> IKE_SA bypasslan[39] state change: CONNECTING => DESTROYING
                  1 Reply Last reply Reply Quote 0
                  • jimpJ Offline
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    That looks better but it's still not matching the P1. The encryption matches but eventually it falls through to bypasslan which only happens when it failed to completely match up with the mobile VPN instance.

                    What client is this and how is it configured? Did you install the CA on the client and set it to be trusted?

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • O Offline
                      Ohbyeongkwon
                      last edited by

                      No, what I want is a user ID/password connection method without installing a certificate on the client.

                      1 Reply Last reply Reply Quote 0
                      • jimpJ Offline
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Anything with IKEv2/EAP is going to require a certificate on the client. The client at least needs to know to trust the server certificate CA.

                        You can try one of the older setups like PSK+xauth but it is not as secure or likely to work on as many current client operating systems.

                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        O 1 Reply Last reply Reply Quote 0
                        • O Offline
                          Ohbyeongkwon @jimp
                          last edited by

                          @jimp Can you tell me how to set up PSK + Xauth?

                          1 Reply Last reply Reply Quote 0
                          • jimpJ Offline
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            It's in the online documentation.

                            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            O 1 Reply Last reply Reply Quote 0
                            • O Offline
                              Ohbyeongkwon @jimp
                              last edited by

                              @jimp Can I use a Radius server with PSK + Xauth? I still lack a lot of information about VPN.

                              1 Reply Last reply Reply Quote 0
                              • jimpJ Offline
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                Yes, you can. The information you need is in the online documentation. I cannot walk you through it.

                                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                O 1 Reply Last reply Reply Quote 0
                                • O Offline
                                  Ohbyeongkwon @jimp
                                  last edited by Ohbyeongkwon

                                  Thank you for the good information. I'm sure I'll succeed.

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.