Netgate Discussion Forum
    IPSec DIFFIE_HELLMAN_GROUP
    Soarin:

      Hello! I've been trying to get my IPSec tunnel to work for a while now and I've tried about 20 different configs online and experimenting on my own, but for some reason I keep ending up with the same errors. I've tried setting the PH value to 2048 bit as well, I've tried matching the received algorithms and nothing seems to work. I've checked the Netgate page on what the error is caused by and I didn't get far with that after finding out what it's caused by.
      I've searched the forums a bit and I didn't find anything; any help would be appreciated! Thank you.
      pfSense Version: 2.4.4-RELEASE-p2
      Firewall rules on the IPSEC interface are set to allow any, and WAN allows the IPSEC ports and port 500.

      Phase 1:
      Key Exchange Version: IKEv1
      Authentication Method: Mutual PSK + Xauth
      Negotiation Mode: Aggressive
      My identifier: My IP address
      Peer identifier: Distinguished name (*********)
      Pre-Shared Key: *******
      Encryption Algorithm: AES 256 bit / SHA1 / 2 (1024 bit)
      NAT Traversal: Force
      DPD: Unchecked

      Phase 2:
      Mode: Tunnel IPv4
      Local Network: Network (0.0.0.0/0)
      NAT/BINAT translation: None
      Protocol: ESP
      Encryption Algorithms: AES 256 bits
      Hash Algorithms: SHA1
      PFS key group: off

      Mobile clients:
      User Authentication: Local Database
      Virtual Address Pool: 192.168.32.128/25
      Save Xauth Password: checked
      DNS Default Domain: pf.fw
      DNS Servers: 192.168.1.1 & 1.1.1.1

      Apr 2 21:27:10 	charon 		12[IKE] <85> IKE_SA (unnamed)[85] state change: CONNECTING => DESTROYING
      Apr 2 21:27:10 	charon 		12[NET] <85> sending packet: from 192.168.1.1[500] to 172.58.172.159[45534] (56 bytes)
      Apr 2 21:27:10 	charon 		12[ENC] <85> generating INFORMATIONAL_V1 request 1957279736 [ N(NO_PROP) ]
      Apr 2 21:27:10 	charon 		12[IKE] <85> activating INFORMATIONAL task
      Apr 2 21:27:10 	charon 		12[IKE] <85> activating new tasks
      Apr 2 21:27:10 	charon 		12[IKE] <85> queueing INFORMATIONAL task
      Apr 2 21:27:10 	charon 		12[IKE] <85> no proposal found
      Apr 2 21:27:10 	charon 		12[CFG] <85> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Apr 2 21:27:10 	charon 		12[CFG] <85> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
      Apr 2 21:27:10 	charon 		12[IKE] <85> IKE_SA (unnamed)[85] state change: CREATED => CONNECTING
      Apr 2 21:27:10 	charon 		12[IKE] <85> 172.58.172.159 is initiating a Aggressive Mode IKE_SA
      Apr 2 21:27:10 	charon 		12[IKE] <85> received DPD vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received Cisco Unity vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received XAuth vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received NAT-T (RFC 3947) vendor ID
      Apr 2 21:27:10 	charon 		12[IKE] <85> received FRAGMENTATION vendor ID
      Apr 2 21:27:10 	charon 		12[CFG] <85> found matching ike config: %any...%any with prio 24
      Apr 2 21:27:10 	charon 		12[CFG] <85> candidate: %any...%any, prio 24
      Apr 2 21:27:10 	charon 		12[CFG] <85> looking for an IKEv1 config for 192.168.1.1...172.58.172.159
      Apr 2 21:27:10 	charon 		12[ENC] <85> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
      Apr 2 21:27:10 	charon 		12[NET] <85> received packet: from 172.58.172.159[45534] to 192.168.1.1[500] (923 bytes)
      Apr 2 21:27:07 	charon 		12[IKE] <84> IKE_SA (unnamed)[84] state change: CONNECTING => DESTROYING
      Apr 2 21:27:07 	charon 		12[NET] <84> sending packet: from 192.168.1.1[500] to 172.58.172.159[45534] (56 bytes)
      Apr 2 21:27:07 	charon 		12[ENC] <84> generating INFORMATIONAL_V1 request 317240572 [ N(NO_PROP) ]
      Apr 2 21:27:07 	charon 		12[IKE] <84> activating INFORMATIONAL task
      Apr 2 21:27:07 	charon 		12[IKE] <84> activating new tasks
      Apr 2 21:27:07 	charon 		12[IKE] <84> queueing INFORMATIONAL task
      Apr 2 21:27:07 	charon 		12[IKE] <84> no proposal found
      Apr 2 21:27:07 	charon 		12[CFG] <84> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Apr 2 21:27:07 	charon 		12[CFG] <84> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
      Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
      Apr 2 21:27:07 	charon 		12[IKE] <84> IKE_SA (unnamed)[84] state change: CREATED => CONNECTING
      Apr 2 21:27:07 	charon 		12[IKE] <84> 172.58.172.159 is initiating a Aggressive Mode IKE_SA
      Apr 2 21:27:07 	charon 		12[IKE] <84> received DPD vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received Cisco Unity vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received XAuth vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received NAT-T (RFC 3947) vendor ID
      Apr 2 21:27:07 	charon 		12[IKE] <84> received FRAGMENTATION vendor ID
      Apr 2 21:27:07 	charon 		12[CFG] <84> found matching ike config: %any...%any with prio 24
      Apr 2 21:27:07 	charon 		12[CFG] <84> candidate: %any...%any, prio 24
      Apr 2 21:27:07 	charon 		12[CFG] <84> looking for an IKEv1 config for 192.168.1.1...172.58.172.159
      Apr 2 21:27:07 	charon 		12[ENC] <84> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
      Apr 2 21:27:07 	charon 		12[NET] <84> received packet: from 172.58.172.159[45534] to 192.168.1.1[500] (923 bytes) 
      

      I hardly understand pfSense but it was love at first sight.

        Derelict (Netgate):

        You should probably post the entire log snippet. From the first packet received from the mobile device to the end of the negotiation.

        Usually when you get the complete list logged like that you are not actually matching a configuration.

        What, exactly, are you trying to do? Mobile? Site-to-site? From what device?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Soarin:

          Thank you for the reply, I've updated it to the beginning of the connection. It's supposed to be a VPN for Windows 10, an Ubuntu PC and my Android device connecting.

          It doesn't work on Ubuntu or Android; I haven't tested it on Windows 10 yet.

            Derelict (Netgate):

            The device in question is only offering MODP_1024 (Group 2) IKE proposals. Nothing else.

            You are only offering these:

            MODP_3072
            MODP_4096
            MODP_6144
            MODP_8192
            MODP_2048

            So nothing matches.

              Soarin:
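To make the mismatch Derelict describes mechanically visible, here is an added example (not code from the thread, pfSense or strongSwan) that parses charon's "configured proposals" / "received proposals" lines and replays the selection in the order the log above shows: our proposals in the outer loop, the peer's in the inner loop, with the first transform type lacking a common algorithm reported the way charon reports it. The sample lines are constructed, abbreviated versions of the ones in the thread, and the tie-break rule (first algorithm in our configured order that the peer also offers) is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Transform types in the order charon checks them ("no acceptable X found").
TYPE_ORDER = ["ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
              "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP",
              "EXTENDED_SEQUENCE_NUMBERS"]
Proposal = Tuple[str, Dict[str, List[str]]]  # (protocol, {type: [alg, ...]})

# Constructed sample lines, abbreviated from the style of the thread's log:
# the local side offers only 2048-bit-and-up groups, the peer only MODP_1024.
CONFIGURED_LINE = (
    "12[CFG] <85> configured proposals: "
    "IKE:AES_CBC_128/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/"
    "PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/MODP_2048/MODP_3072, "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048")
RECEIVED_LINE = (
    "12[CFG] <85> received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024")
# The same peer after it is set to offer DH group 14 as well (constructed).
RECEIVED_FIXED_LINE = ("12[CFG] <86> received proposals: "
                       "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048")
PROPOSALS_RE = re.compile(r"(configured|received) proposals: (.+?)\s*$")


def transform_type(name: str) -> str:
    """Classify a strongSwan algorithm name by its naming convention."""
    if name.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, DES_CBC, ...


def parse_proposal(text: str) -> Proposal:
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> grouped by type."""
    proto, _, body = text.partition(":")
    groups: Dict[str, List[str]] = {}
    for alg in body.split("/"):
        groups.setdefault(transform_type(alg), []).append(alg)
    return proto, groups


def parse_log_line(line: str) -> List[Proposal]:
    """Pull the comma-separated proposal list out of a charon [CFG] line."""
    m = PROPOSALS_RE.search(line)
    if not m:
        raise ValueError("not a proposals line: " + line)
    return [parse_proposal(p) for p in m.group(2).split(", ")]


def match_pair(ours: Proposal, theirs: Proposal) -> Tuple[Optional[str], Optional[str]]:
    """Intersect one local and one peer proposal: (selected, None) or (None, failing type)."""
    proto, local = ours
    proto_peer, remote = theirs
    if proto != proto_peer:
        return None, "PROTOCOL"
    chosen = []
    for ttype in TYPE_ORDER:
        if ttype not in local and ttype not in remote:
            continue  # neither side uses this type (e.g. ESN in IKE proposals)
        # Assumption: first algorithm in *our* order that the peer also offers
        # (strongSwan's prefer_configured_proposals behaviour).
        common = [a for a in local.get(ttype, []) if a in remote.get(ttype, [])]
        if not common:
            return None, ttype  # the type charon logs as "no acceptable ... found"
        chosen.append(common[0])
    return proto + ":" + "/".join(chosen), None


def negotiate(configured_line: str, received_line: str) -> dict:
    """Replay the selection in the order the thread's log shows: outer loop over
    our proposals, inner over the peer's (2 x 16 = 32 attempts there); first hit wins."""
    failures: List[str] = []
    for ours in parse_log_line(configured_line):
        for theirs in parse_log_line(received_line):
            selected, why = match_pair(ours, theirs)
            if selected:
                return {"selected": selected, "failures": failures}
            failures.append(why)
    return {"selected": None, "failures": failures}


def dh_groups(line: str) -> List[str]:
    """Every DH group one side offers; the gap between the two sides is the fix."""
    found = set()
    for _, groups in parse_log_line(line):
        found.update(groups.get("DIFFIE_HELLMAN_GROUP", []))
    return sorted(found)


if __name__ == "__main__":
    result = negotiate(CONFIGURED_LINE, RECEIVED_LINE)
    print("selected:", result["selected"], "failures:", result["failures"])
    print("peer DH:", dh_groups(RECEIVED_LINE), "local DH:", dh_groups(CONFIGURED_LINE))
    print("after fix:", negotiate(CONFIGURED_LINE, RECEIVED_FIXED_LINE)["selected"])
```

Run against the real "configured proposals:" and "received proposals:" lines from the log above, the same function reports a DIFFIE_HELLMAN_GROUP failure for every peer proposal whose cipher and hash pfSense does accept, which is exactly why only the DH group has to change on one side.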

              @Derelict said in IPSec DIFFIE_HELLMAN_GROUP:

              MODP_3072

              Oh, I didn't see that. How would I offer MODP_1024 too? I have the DH group set to 2, is that the right thing? Apologies for my ignorance.

                Derelict (Netgate):

                I think you have not configured it correctly.

                You are configuring for a Cisco-style Mutual PSK + Xauth VPN.

                With modern clients you probably want IKEv2.

                Or, probably even easier, OpenVPN.

                  Soarin:

                  Thank you, I do have OpenVPN set up, but I was hoping to set up a VPN that's just a straight connection without any downloads or clients. Is this still possible?

                    Soarin:

                    Update, I've tried doing L2TP/IPSec instead and it has gotten much farther. I am confused with the errors now, I'll keep trying but this is where I've gotten to so far following this tutorial:
                    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

                    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: DELETING => DESTROYING
                    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: DELETING => DELETING
                    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: ESTABLISHED => DELETING
                    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> deleting IKE_SA con-mobile[18] between 192.168.1.1[47.205.143.194]...172.58.175.108[100.78.231.143]
                    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> received DELETE for IKE_SA con-mobile[18]
                    Apr 3 05:33:21 	charon 		07[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 2268793164 [ HASH D ]
                    Apr 3 05:33:21 	charon 		07[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (108 bytes)
                    Apr 3 05:33:21 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: DELETED => DESTROYING
                    Apr 3 05:33:21 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: DELETING => DELETED
                    Apr 3 05:33:21 	charon 		09[IKE] <con-mobile|18> closing CHILD_SA con-mobile{2} with SPIs c698a2e3_i (2974 bytes) 003c7e65_o (0 bytes) and TS 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp]
                    Apr 3 05:33:21 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: INSTALLED => DELETING
                    Apr 3 05:33:21 	charon 		09[IKE] <con-mobile|18> received DELETE for ESP CHILD_SA with SPI 003c7e65
                    Apr 3 05:33:21 	charon 		09[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 3090052457 [ HASH D ]
                    Apr 3 05:33:21 	charon 		09[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (92 bytes)
                    Apr 3 05:33:06 	charon 		09[IKE] <con-mobile|18> sending keep alive to 172.58.175.108[38448]
                    Apr 3 05:32:46 	charon 		09[IKE] <con-mobile|18> sending keep alive to 172.58.175.108[38448]
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: INSTALLING => INSTALLED
                    Apr 3 05:32:22 	charon 		09[IKE] <con-mobile|18> CHILD_SA con-mobile{2} established with SPIs c698a2e3_i 003c7e65_o and TS 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp]
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> SPI 0x003c7e65, src 192.168.1.1 dst 172.58.175.108
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> adding outbound ESP SA
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> SPI 0xc698a2e3, src 172.58.175.108 dst 192.168.1.1
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> adding inbound ESP SA
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> using HMAC_SHA1_96 for integrity
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> using AES_CBC for encryption
                    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: CREATED => INSTALLING
                    Apr 3 05:32:22 	charon 		09[ENC] <con-mobile|18> parsed QUICK_MODE request 3416053440 [ HASH ]
                    Apr 3 05:32:22 	charon 		09[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (76 bytes)
                    Apr 3 05:32:22 	charon 		08[NET] <con-mobile|18> sending packet: from 192.168.1.1[4500] to 172.58.175.108[38448] (204 bytes)
                    Apr 3 05:32:22 	charon 		08[ENC] <con-mobile|18> generating QUICK_MODE response 3416053440 [ HASH SA No ID ID NAT-OA NAT-OA ]
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> proposal matches
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting proposal:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> no acceptable INTEGRITY_ALGORITHM found
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting proposal:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> no acceptable INTEGRITY_ALGORITHM found
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting proposal:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> config: 192.168.1.1/32|/0, received: 192.168.1.1/32|/0[udp/l2f] => match: 192.168.1.1/32|/0[udp/l2f]
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting traffic selectors for us:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> config: 172.58.175.108/32|/0, received: 172.58.175.108/32|/0[udp] => match: 172.58.175.108/32|/0[udp]
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting traffic selectors for other:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> found matching child config "con-mobile" with prio 2
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> candidate "con-mobile" with prio 1+1
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> 172.58.175.108/32|/0
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> proposing traffic selectors for other:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> 192.168.1.1/32|/0
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> proposing traffic selectors for us:
                    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> looking for a child config for 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp]
                    Apr 3 05:32:22 	charon 		08[IKE] <con-mobile|18> changing received traffic selectors 100.78.231.143/32|/0[udp]=== 47.205.143.194/32|/0[udp/l2f] due to NAT
                    Apr 3 05:32:22 	charon 		08[ENC] <con-mobile|18> parsed QUICK_MODE request 3416053440 [ HASH SA No ID ID ]
                    Apr 3 05:32:22 	charon 		08[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (668 bytes)
                    Apr 3 05:32:21 	charon 		08[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 3338137404 [ HASH N(INITIAL_CONTACT) ]
                    Apr 3 05:32:21 	charon 		08[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (108 bytes)
                    Apr 3 05:32:21 	charon 		09[NET] <con-mobile|18> sending packet: from 192.168.1.1[4500] to 172.58.175.108[38448] (76 bytes)
                    Apr 3 05:32:21 	charon 		09[ENC] <con-mobile|18> generating ID_PROT response 0 [ ID HASH ]
                    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> maximum IKE_SA lifetime 28529s
                    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> scheduling reauthentication in 27989s
                    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: CONNECTING => ESTABLISHED
                    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> IKE_SA con-mobile[18] established between 192.168.1.1[47.205.143.194]...172.58.175.108[100.78.231.143]
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selected peer config "con-mobile"
                    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "con-mobile", match: 1/1/28 (me/other/ike)
                    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "bypasslan", match: 1/1/24 (me/other/ike)
                    Apr 3 05:32:21 	charon 		09[CFG] <18> looking for pre-shared key peer configs matching 192.168.1.1...172.58.175.108[100.78.231.143]
                    Apr 3 05:32:21 	charon 		09[ENC] <18> parsed ID_PROT request 0 [ ID HASH ]
                    Apr 3 05:32:21 	charon 		09[NET] <18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (92 bytes)
                    Apr 3 05:32:21 	charon 		09[NET] <18> sending packet: from 192.168.1.1[500] to 172.58.175.108[53584] (244 bytes)
                    Apr 3 05:32:21 	charon 		09[ENC] <18> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
                    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "con-mobile", match: 1/1/28 (me/other/ike)
                    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "bypasslan", match: 1/1/24 (me/other/ike)
                    Apr 3 05:32:21 	charon 		09[IKE] <18> remote host is behind NAT
                    Apr 3 05:32:21 	charon 		09[IKE] <18> local host is behind NAT, sending keep alives
                    Apr 3 05:32:21 	charon 		09[ENC] <18> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
                    Apr 3 05:32:21 	charon 		09[NET] <18> received packet: from 172.58.175.108[53584] to 192.168.1.1[500] (228 bytes)
                    Apr 3 05:32:21 	charon 		09[NET] <18> sending packet: from 192.168.1.1[500] to 172.58.175.108[53584] (160 bytes)
                    Apr 3 05:32:21 	charon 		09[ENC] <18> generating ID_PROT response 0 [ SA V V V V ]
                    Apr 3 05:32:21 	charon 		09[IKE] <18> sending NAT-T (RFC 3947) vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> sending FRAGMENTATION vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> sending DPD vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> sending XAuth vendor ID
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                    Apr 3 05:32:21 	charon 		09[CFG] <18> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                    Apr 3 05:32:21 	charon 		09[CFG] <18> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
                    Apr 3 05:32:21 	charon 		09[CFG] <18> proposal matches
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
                    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
                    Apr 3 05:32:21 	charon 		09[IKE] <18> IKE_SA (unnamed)[18] state change: CREATED => CONNECTING
                    Apr 3 05:32:21 	charon 		09[IKE] <18> 172.58.175.108 is initiating a Main Mode IKE_SA
                    Apr 3 05:32:21 	charon 		09[IKE] <18> received DPD vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> received FRAGMENTATION vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                    Apr 3 05:32:21 	charon 		09[IKE] <18> received NAT-T (RFC 3947) vendor ID
                    Apr 3 05:32:21 	charon 		09[CFG] <18> found matching ike config: %any...%any with prio 28
                    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate: %any...%any, prio 28
                    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate: %any...%any, prio 24
                    Apr 3 05:32:21 	charon 		09[CFG] <18> looking for an IKEv1 config for 192.168.1.1...172.58.175.108
                    Apr 3 05:32:21 	charon 		09[ENC] <18> parsed ID_PROT request 0 [ SA V V V V V V ]
                    Apr 3 05:32:21 	charon 		09[NET] <18> received packet: from 172.58.175.108[53584] to 192.168.1.1[500] (724 bytes)
                    Apr 3 05:32:02 	charon 		10[CFG] added configuration 'con-mobile'
                    Apr 3 05:32:02 	charon 		10[CFG] keyexchange=ikev1
                    Apr 3 05:32:02 	charon 		10[CFG] mediation=no
                    Apr 3 05:32:02 	charon 		10[CFG] sha256_96=no
                    Apr 3 05:32:02 	charon 		10[CFG] dpdtimeout=150
                    Apr 3 05:32:02 	charon 		10[CFG] dpddelay=30
                    Apr 3 05:32:02 	charon 		10[CFG] esp=aes256-sha1,aes256-sha256!
                    Apr 3 05:32:02 	charon 		10[CFG] ike=aes128-sha1-modp1024,aes256-sha1-modp1024,aes128-sha256-modp1024,aes256-sha256-modp1024!
                    Apr 3 05:32:02 	charon 		10[CFG] rightauth=psk
                    Apr 3 05:32:02 	charon 		10[CFG] rightdns=192.168.1.1,1.1.1.1
                    Apr 3 05:32:02 	charon 		10[CFG] right=%any
                    Apr 3 05:32:02 	charon 		10[CFG] leftid=47.205.143.194
                    Apr 3 05:32:02 	charon 		10[CFG] leftauth=psk
                    Apr 3 05:32:02 	charon 		10[CFG] left=%any
                    Apr 3 05:32:02 	charon 		10[CFG] conn con-mobile
                    Apr 3 05:32:02 	charon 		10[CFG] received stroke: add connection 'con-mobile'
                    Apr 3 05:32:02 	ipsec_starter 	88382 	'bypasslan' shunt PASS policy installed
                    Apr 3 05:32:02 	charon 		10[CFG] received stroke: route 'bypasslan'
                    Apr 3 05:32:02 	charon 		09[CFG] added configuration 'bypasslan'
                    Apr 3 05:32:02 	charon 		09[CFG] mediation=no
                    Apr 3 05:32:02 	charon 		09[CFG] sha256_96=no
                    Apr 3 05:32:02 	charon 		09[CFG] dpdtimeout=150
                    Apr 3 05:32:02 	charon 		09[CFG] dpddelay=30
                    Apr 3 05:32:02 	charon 		09[CFG] rightsubnet=10.10.10.0/24
                    Apr 3 05:32:02 	charon 		09[CFG] right=%any
                    Apr 3 05:32:02 	charon 		09[CFG] leftsubnet=10.10.10.0/24
                    Apr 3 05:32:02 	charon 		09[CFG] left=%any
                    Apr 3 05:32:02 	charon 		09[CFG] conn bypasslan
                    Apr 3 05:32:02 	charon 		09[CFG] received stroke: add connection 'bypasslan'
                    Apr 3 05:32:02 	charon 		09[CFG] deleted connection 'con-mobile'
                    Apr 3 05:32:02 	charon 		09[CFG] received stroke: delete connection 'con-mobile'
                    Apr 3 05:32:02 	charon 		10[CFG] deleted connection 'bypasslan'
                    Apr 3 05:32:02 	charon 		10[CFG] received stroke: delete connection 'bypasslan'
                    Apr 3 05:32:02 	ipsec_starter 	88382 	shunt policy 'bypasslan' uninstalled
                    Apr 3 05:32:02 	charon 		10[CFG] received stroke: unroute 'bypasslan'
                    Apr 3 05:32:02 	charon 		11[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
                    Apr 3 05:32:02 	charon 		11[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
                    Apr 3 05:32:02 	charon 		11[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
                    Apr 3 05:32:02 	charon 		11[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
                    Apr 3 05:32:02 	charon 		11[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
                    Apr 3 05:32:02 	charon 		11[CFG] loaded IKE secret for %any
                    Apr 3 05:32:02 	charon 		11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
                    Apr 3 05:32:02 	charon 		11[CFG] rereading secrets 
                    

                    I hardly understand pfSense but it was love at first sight.

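The `configured proposals:` / `received proposals:` pair above, followed by eight `selecting proposal:` attempts (five `no acceptable ENCRYPTION_ALGORITHM found`, three `no acceptable INTEGRITY_ALGORITHM found`) and then `proposal matches`, is charon walking its own proposal list against the client's. The script below is an added example for reading that negotiation; it is not code from the post, from pfSense or from strongSwan. It parses those two log lines, replays the selection, names the transform type that blocked each rejected attempt in charon's own wording, and lists any weak transforms the peer offered or the selected proposal still uses. The iteration order (configured proposals outermost, received proposals inner, transform types checked in the order encryption, integrity, PRF, DH group) is an assumption chosen because it reproduces the exact sequence of messages in the log above, not something read from charon's source. It also handles the case the thread title names, a `DIFFIE_HELLMAN_GROUP` mismatch, which this log does not contain; `SAMPLE_LOG` is constructed from the two proposal lines in the post.

```python
"""Replay strongSwan charon IKE proposal selection from CFG log lines.

Added example, not part of the forum post, pfSense or strongSwan.  The
selection order below is an assumption that reproduces the posted log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROPOSALS_RE = re.compile(r"(configured|received) proposals: (.+?)\s*$")

# charon's transform type names, in the order this example checks them
TYPE_ORDER = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
              "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")

# Transforms a defender should not let a 2019+ tunnel settle on
WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}


def classify(transform: str) -> str:
    """Map a transform name from a charon proposal string to its transform type."""
    if transform.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if transform.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if transform.startswith(("AES_", "3DES_", "DES_", "CAMELLIA_", "CHACHA20", "NULL")):
        return "ENCRYPTION_ALGORITHM"
    return "OTHER"  # e.g. NO_EXT_SEQ in ESP proposals


@dataclass(frozen=True)
class Proposal:
    text: str                                 # e.g. IKE:AES_CBC_128/HMAC_SHA1_96/...
    transforms: Tuple[Tuple[str, str], ...]   # (transform type, transform name)

    @classmethod
    def parse(cls, text: str) -> "Proposal":
        _proto, _, algs = text.partition(":")
        return cls(text, tuple((classify(a), a) for a in algs.split("/")))

    def by_type(self) -> Dict[str, str]:
        return dict(self.transforms)


def first_mismatch(configured: Proposal, received: Proposal) -> Optional[str]:
    """First transform type on which the peer's proposal differs from ours, or
    None when every type our proposal carries is matched (key size included)."""
    want, have = configured.by_type(), received.by_type()
    for ttype in TYPE_ORDER:
        if ttype in want and want[ttype] != have.get(ttype):
            return ttype
    return None


def parse_proposal_lines(lines: List[str]) -> Tuple[List[Proposal], List[Proposal]]:
    """Collect configured and received proposals from charon log lines, any order."""
    configured: List[Proposal] = []
    received: List[Proposal] = []
    for line in lines:
        m = PROPOSALS_RE.search(line)
        if m:
            target = configured if m.group(1) == "configured" else received
            target.extend(Proposal.parse(p.strip()) for p in m.group(2).split(","))
    return configured, received


def select_proposal(configured: List[Proposal], received: List[Proposal]):
    """Assumed order: our proposals by preference, peer's list inside; stop at the
    first full match.  Returns (selected text or None, [(rejected text, reason)])."""
    attempts: List[Tuple[str, str]] = []
    for want in configured:
        for have in received:
            reason = first_mismatch(want, have)
            if reason is None:
                return have.text, attempts
            attempts.append((have.text, reason))
    return None, attempts


def weak_transforms(proposal: Proposal) -> List[str]:
    return [name for _t, name in proposal.transforms if name in WEAK]


def diagnose(lines: List[str]) -> dict:
    configured, received = parse_proposal_lines(lines)
    selected, attempts = select_proposal(configured, received)
    return {
        "selected": selected,
        "attempts": attempts,
        "weak_in_selected": weak_transforms(Proposal.parse(selected)) if selected else [],
        "weak_offered_by_peer": sorted({n for p in received for n in weak_transforms(p)}),
    }


# Constructed sample: the two proposal lines from the posted log, same format.
SAMPLE_LOG = [
    "Apr 3 05:32:21 \tcharon \t\t09[CFG] <18> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
    "Apr 3 05:32:21 \tcharon \t\t09[CFG] <18> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
]

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for text, reason in result["attempts"]:
        print(f"rejected {text}: no acceptable {reason} found")
    print("selected:", result["selected"])
    print("weak transforms in selected proposal:", result["weak_in_selected"])
    print("weak transforms offered by peer:", result["weak_offered_by_peer"])
```

Feed it the `configured proposals:` and `received proposals:` lines from any charon log (pfSense pastes them newest-first; order does not matter here). Note what the replay shows for this post: phase 1 does succeed, but only on `AES_CBC_128/HMAC_SHA1_96/MODP_1024`, and the client is offering DES, 3DES and MD5 alongside it, so the mobile-client profile, not the firewall, is what sets the ceiling on what can be negotiated.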
                    • DerelictD Offline
                      Derelict LAYER 8 Netgate
                      last edited by Derelict

                      That depends on the mix of clients mostly.

What you are trying to do there typically requires the Cisco AnyConnect client on Windows anyway.

If you MUST try this, try IKEv2 but that will probably require the strongSwan app on Android.

                      There is no 100% universal solution unfortunately. The client support is too varied.

                      Yes, OpenVPN requires a client but in most cases it is free and your configuration will be substantially similar across any device it supports.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.