Netgate Discussion Forum

    IPsec: CREATE_CHILD_SA request failed

      Wortlaut

      We have a pfSense 2.4.5 here, which provides our road warriors VPN access via IPsec IKEv2. The clients work with current Mac OS and the IKEv2 network interface provided by the operating system in the standard configuration, i.e. without a profile from the Apple Configurator.

      Actually everything works fine. Unfortunately the road warriors are kicked out of the tunnel one to three times a day. You can then connect again immediately, but phone calls made via our PBX in the office and RDP connections are then gone for the time being, of course.

      In the pfSense logs, I actually only find one anomaly in phase 2:

      Nov 11 14:49:41	charon		13[IKE] <con-mobile|1536> CREATE_CHILD_SA request with message ID 0 processing failed
      Nov 11 14:49:41	charon		13[IKE] <con-mobile|1536> integrity check failed
      Nov 11 14:49:41	charon		13[ENC] <con-mobile|1536> could not decrypt payloads
      Nov 11 14:49:41	charon		13[ENC] <con-mobile|1536> verifying encrypted payload integrity failed
      Nov 11 14:49:41	charon		13[LIB] <con-mobile|1536> MAC verification failed
      Nov 11 14:49:41	charon		13[NET] <con-mobile|1536> received packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (192 bytes)
      

      Why is it not possible to decrypt the payload during a running connection? Does anybody have an idea? Or do I have to start somewhere else?

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.