From 2.4.5_1 to 2.5.0.a.20210115.2350 - ipsec mobile client vpn certificate based no longer working
-
I've migrated again from 2.4.5_1 to 2.5.0.a.20210115.2350 and my IPsec VPN is no longer working. From the logs, pfSense acts like it connects but the remote Android devices never actually connect. pfSense does not show the connection under IPsec status except for a brief instant.
Running a packet capture, both pfSense and Android appear to be communicating in both directions. I do have a multi-WAN (IPv4 and IPv6) setup but this should not be a factor as it was working with 2.4.5_1.
Site-to-site PSK IPsec on the other WAN interface is working without issue.
Log
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> lease 192.168.48.2 by 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name' went offline
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleted SAD entry with SPI cb0021a5
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting SAD entry with SPI cb0021a5
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleted SAD entry with SPI cbaf7528
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting SAD entry with SPI cbaf7528
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting policy 192.168.48.2/32|/0 === 0.0.0.0/0|/0 in
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting policy 0.0.0.0/0|/0 === 192.168.48.2/32|/0 out
Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (57 bytes)
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating INFORMATIONAL response 2 [ ]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA deleted
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> deleting IKE_SA con-mobile[9] between xxx.xx.xx.xxx[xxx.xx.xx.xxx]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> received DELETE for IKE_SA con-mobile[9]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (65 bytes)
Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (699 bytes)
Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (1248 bytes)
Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (1248 bytes)
Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (1248 bytes)
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(4/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(3/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(2/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(1/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> splitting IKE message (4256 bytes) into 4 fragments
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET SUBNET U_SPLITINC U_SPLITINC DNS DNS6 U_DEFDOM U_SPLITDNS U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> CHILD_SA con-mobile{12} established with SPIs cbaf7528_i cb0021a5_o and TS 0.0.0.0/0|/0 === 192.168.48.2/32|/0
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding policy 0.0.0.0/0|/0 === 192.168.48.2/32|/0 out
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding policy 192.168.48.2/32|/0 === 0.0.0.0/0|/0 in
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> using encryption algorithm AES_GCM_16 with key size 288
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding SAD entry with SPI cb0021a5 and reqid {3}
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> using encryption algorithm AES_GCM_16 with key size 288
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding SAD entry with SPI cbaf7528 and reqid {3}
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleted SAD entry with SPI cbaf7528
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting SAD entry with SPI cbaf7528
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> config: 192.168.48.2/32|/0, received: 0.0.0.0/0|/0 => match: 192.168.48.2/32|/0
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selecting traffic selectors for other:
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selecting traffic selectors for us:
Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> got SPI cbaf7528
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ, ESP:AES_GCM_16_192/MODP_4096/NO_EXT_SEQ, ESP:AES_GCM_16_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/AES_XCBC_96/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/AES_XCBC_96/MODP_4096/NO_EXT_SEQ
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> received proposals: ESP:AES_GCM_16_256/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> proposal matches
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selecting proposal:
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> found matching child config "con-mobile" with prio 6
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> candidate "con-mobile" with prio 5+1
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> 192.168.48.2/32|/0
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> proposing traffic selectors for other:
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> 0.0.0.0/0|/0
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> proposing traffic selectors for us:
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> looking for a child config for 0.0.0.0/0|/0 === 0.0.0.0/0|/0
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> assigning virtual IP 192.168.48.2 to peer 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name'
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> reassigning offline lease to 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name'
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> peer requested virtual IP %any
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> sending end entity cert "CN=v.somedomain.net, C=US, ST=US, L=Some City, O=Some Name"
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> maximum IKE_SA lifetime 3547s
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> scheduling rekeying in 3187s
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA con-mobile[9] established between xxx.xx.xx.xxx[xxx.xx.xx.xxx]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'xxx.xx.xx.xxx' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> peer supports MOBIKE
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> reached self-signed root ca with a path length of 0
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> certificate "C=US, ST=US, L=Some City, O=Some Name, E=dan@somedomain.net, CN=somedomain.net" key: 16384 bit RSA
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> certificate status is not available
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> ocsp check skipped, no ocsp found
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> checking certificate status of "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name"
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> using trusted ca certificate "C=US, ST=US, L=Some City, O=Some Name, E=dan@somedomain.net, CN=somedomain.net"
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> certificate "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name" key: 4096 bit RSA
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> using certificate "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name"
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selected peer config 'con-mobile'
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <9> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <9> looking for peer configs matching xxx.xx.xx.xxx[%any]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <9> received end entity cert "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name"
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> received fragment #4 of 4, reassembled fragmented IKE message (4326 bytes)
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ EF(4/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (769 bytes)
Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> received fragment #3 of 4, waiting for complete IKE message
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ EF(3/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (1248 bytes)
Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> received fragment #2 of 4, waiting for complete IKE message
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ EF(2/4) ]
Jan 16 21:09:16 portal charon[33071]: 07[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (1248 bytes)
Jan 16 21:09:16 portal charon[33071]: 01[ENC] <9> received fragment #1 of 4, waiting for complete IKE message
Jan 16 21:09:16 portal charon[33071]: 01[ENC] <9> parsed IKE_AUTH request 1 [ EF(1/4) ]
Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:16 portal charon[33071]: 01[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (1248 bytes)
Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
Jan 16 21:09:15 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[500] to 166.170.223.88[32033]
Jan 16 21:09:15 portal charon[33071]: 01[NET] <9> sending packet: from xxx.xx.xx.xxx[500] to 166.170.223.88[32033] (489 bytes)
Jan 16 21:09:15 portal charon[33071]: 01[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> sending cert request for "C=US, ST=US, L=Some City, O=Some Name, E=dan@somedomain.net, CN=somedomain.net"
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> remote host is behind NAT
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> received supported signature hash algorithms: sha256 sha384 sha512
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048_256
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> configured proposals: IKE:AES_GCM_16_256/PRF_AES128_XCBC/CURVE_25519, IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_8192, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048_256, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> received proposals: IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536, IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> proposal matches
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable PSEUDO_RANDOM_FUNCTION found
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable PSEUDO_RANDOM_FUNCTION found
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> 166.170.223.88 is initiating an IKE_SA
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> found matching ike config: xxx.xx.xx.xxx, xxxx:xxxx:xxxx:xxxx::x...0.0.0.0/0, ::/0 with prio 1052
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> candidate: xxx.xx.xx.xxx, xxxx:xxxx:xxxx:xxxx::x...0.0.0.0/0, ::/0, prio 1052
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> looking for an IKEv2 config for xxx.xx.xx.xxx...166.170.223.88
Jan 16 21:09:15 portal charon[33071]: 01[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 21:09:15 portal charon[33071]: 01[NET] <9> received packet: from 166.170.223.88[32033] to xxx.xx.xx.xxx[500] (658 bytes)
Jan 16 21:09:15 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:15 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[32033] to xxx.xx.xx.xxx[500]
swanctl.conf
# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con200000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes128gcm128-sha1-modp4096,aes192gcm128-sha1-modp4096,aes256gcm128-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096
        rekey_time = 28755s
        reauth_time = 28755s
        over_time = 45s
        rand_time = 45s
        encap = no
        mobike = no
        local_addrs = 75.x.x.x
        remote_addrs = 136.x.x.x
        pools =
        local {
            id = 75.x.x.x
            auth = psk
        }
        remote {
            id = 136.x.x.x
            auth = psk
        }
        children {
            con0 {
                dpd_action = clear
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                local_ts = 192.168.45.0/24
                remote_ts = 192.168.2.0/24
                esp_proposals = aes256gcm128-modp4096,aes256gcm96-modp4096,aes256gcm64-modp4096,aes192gcm128-modp4096,aes192gcm96-modp4096,aes192gcm64-modp4096,aes128gcm128-modp4096,aes128gcm96-modp4096,aes128gcm64-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096,aes256-aesxcbc-modp4096,aes192-sha1-modp4096,aes192-sha256-modp4096,aes192-sha384-modp4096,aes192-sha512-modp4096,aes192-aesxcbc-modp4096,aes128-sha1-modp4096,aes128-sha256-modp4096,aes128-sha384-modp4096,aes128-sha512-modp4096,aes128-aesxcbc-modp4096
            }
            con1 {
                dpd_action = clear
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                local_ts = 192.168.24.0/24
                remote_ts = 192.168.2.0/24
                esp_proposals = aes256gcm128-modp4096,aes256gcm96-modp4096,aes256gcm64-modp4096,aes192gcm128-modp4096,aes192gcm96-modp4096,aes192gcm64-modp4096,aes128gcm128-modp4096,aes128gcm96-modp4096,aes128gcm64-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096,aes256-aesxcbc-modp4096,aes192-sha1-modp4096,aes192-sha256-modp4096,aes192-sha384-modp4096,aes192-sha512-modp4096,aes192-aesxcbc-modp4096,aes128-sha1-modp4096,aes128-sha256-modp4096,aes128-sha384-modp4096,aes128-sha512-modp4096,aes128-aesxcbc-modp4096
            }
        }
    }
}
con-mobile-defaults {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes256gcm128-aesxcbc-curve25519,aes256gcm128-aesxcbc-modp8192,aes256gcm128-sha512-modp2048s256,aes256-sha512-modp2048,aes256-sha384-modp2048,aes256-sha256-modp1024
    dpd_delay = 10s
    dpd_timeout = 60s
    rekey_time = 3240s
    reauth_time = 0s
    over_time = 360s
    rand_time = 360s
    encap = no
    mobike = yes
    local_addrs = 136.x.x.x,xx:x
    remote_addrs = 0.0.0.0/0,::/0
    pools = mobile-pool-v4, mobile-pool-v6
    send_cert = always
    local {
        id = 136.x.x.x
        auth = pubkey
        cert {
            file = /var/etc/ipsec/x509/cert-1.crt
        }
    }
    remote {
        auth = pubkey
        cacerts = /var/etc/ipsec/x509ca/189015ff.0
    }
    children {
        con-mobile {
            dpd_action = clear
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = none
            local_ts = 0.0.0.0/0
            esp_proposals = aes256gcm128-modp4096,aes192gcm128-modp4096,aes128gcm128-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096,aes256-aesxcbc-modp4096,3des-sha1-modp4096,3des-sha256-modp4096,3des-sha384-modp4096,3des-sha512-modp4096,3des-aesxcbc-modp4096
        }
    }
}
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 192.168.48.0/24
        subnet = 0.0.0.0/0,192.168.45.0/24
        split_include = 0.0.0.0/0,192.168.45.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = 2001x:6::/64
    }
}
mobile-pool {
    dns = 192.168.45.250,2001x:1::5
    # Search domain and default domain
    28674 = "somedomain.local.lan"
    28675 = "somedomain.local.lan"
    28679 = "16"
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    ike-1 {
        secret = asecret
        id-0 = %any
        id-1 = 136.x.x.x
    }
}
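The log above shows the responder completing IKE_AUTH (both authentications logged as successful, IKE_SA and CHILD_SA established) and then immediately receiving an INFORMATIONAL carrying N(AUTH_FAILED) from the Android client, i.e. the client rejecting the server's side of the exchange. As an added example, not code from this thread or from pfSense, here is a small Python classifier that runs over charon log lines in the format shown and flags that pattern per IKE_SA; the addresses and identities in the embedded sample are constructed.

```python
import re
from collections import defaultdict

# Matches charon lines that carry an IKE_SA id, e.g. "<con-mobile|9>" or "<9>".
LINE_RE = re.compile(
    r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ charon\[\d+\]: '
    r'\d+\[(?P<grp>[A-Z]+)\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$'
)
# "IKE_SA con-mobile[9] established between A[idA]...B[idB]" -> peer address, peer id
ESTABLISHED_RE = re.compile(r'IKE_SA \S+\[\d+\] established between \S+\.\.\.(\S+?)\[(.*)\]$')

def parse_charon(lines):
    """Group (log group, connection name, message) by IKE_SA id; lines without an id are skipped."""
    by_sa = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_sa[int(m['sa'])].append((m['grp'], m['conn'], m['msg']))
    return by_sa

def classify_sa(entries):
    """Return (verdict, details) for one IKE_SA; entry order (pfSense shows newest first) does not matter."""
    details = {}
    established = peer_auth_failed = deleted = False
    for grp, conn, msg in entries:
        if conn:
            details.setdefault('conn', conn)
        if grp == 'IKE':
            m = ESTABLISHED_RE.search(msg)
            if m:
                established = True
                details['peer_addr'], details['peer_id'] = m.group(1), m.group(2)
            elif msg == 'IKE_SA deleted':
                deleted = True
        elif grp == 'ENC' and 'INFORMATIONAL request' in msg and 'N(AUTH_FAILED)' in msg:
            # We finished IKE_AUTH, but the peer rejected our response: it could not
            # validate the responder's identity, certificate or authentication method.
            peer_auth_failed = True
    if established and peer_auth_failed:
        return 'peer-rejected-our-auth', details
    if established and deleted:
        return 'closed', details
    if established:
        return 'up', details
    return 'not-established', details

def summarize(text):
    """Map IKE_SA id -> (verdict, details) for a block of charon log text."""
    return {sa: classify_sa(e) for sa, e in parse_charon(text.splitlines()).items()}

# Constructed sample modelled on the thread's log (RFC 5737 addresses, made-up ids):
# SA 9 shows the failing pattern, SA 10 is a healthy peer for contrast.
SAMPLE_LOG = """\
Jan 16 21:09:15 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> 198.51.100.7 is initiating an IKE_SA
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'CN=android.example.test, O=Example' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of '203.0.113.5' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA con-mobile[9] established between 203.0.113.5[203.0.113.5]...198.51.100.7[CN=android.example.test, O=Example]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> received DELETE for IKE_SA con-mobile[9]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA deleted
Jan 16 21:10:02 portal charon[33071]: 08[IKE] <con-mobile|10> IKE_SA con-mobile[10] established between 203.0.113.5[203.0.113.5]...198.51.100.9[CN=laptop.example.test, O=Example]
"""

if __name__ == '__main__':
    for sa, (verdict, d) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"IKE_SA {sa} ({d.get('conn')}): {verdict}, peer {d.get('peer_addr')} {d.get('peer_id')}")
```

A 'peer-rejected-our-auth' verdict points the investigation at the client side of the trust relationship (the server certificate, identity and authentication options the mobile profile expects), which is where the thread's eventual fix (the group authentication setting) lives.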
Could you list the 'swanctl --list-<name>' required?
-
OpenVPN and stunnel seem to be working well however, and as I recall this was not the experience when I first attempted a development snapshot some months ago. It also seems to improve my IPv6 experience with Google Fiber - on 2.4.5_1 IPv6 connectivity would fail in around 24 hours. I moved part of the network away from the HE tunnel to Google as Netflix streaming seems to be a moving target to keep blocking IPv6 on the various AWS servers they are additionally using now.
So I have no plans to migrate back to 2.4 now.
-
Deleted all mobile configs and put back in the active config, unchecked group authentication under mobile client - extended configuration. It now works.
Not sure why it stopped working on update. Maybe due to the disabled additional phase 1 mobile client entry I had before? Left it there but disabled, as I had some time ago attempted to get the IPsec mobile VPN up on all WAN interfaces.
-
@qsystems said in From 2.4.5_1 to 2.5.0.a.20210115.2350 - ipsec mobile client vpn certificate based no longer working:
Deleted all mobile configs and put back in the active config, unchecked group authentication under mobile client - extended configuration. It now works.
Could be related to group authentication, see https://redmine.pfsense.org/issues/10748