IPSec DIFFIE_HELLMAN_GROUP



  • Hello! I've been trying to get my IPSec tunnel to work for a while now and I've tried about 20 different configs online and experimenting on my own, but for some reason I keep ending up with the same errors. I've tried setting the PH value to 2048 bit as well, I've tried matching the received algorithms and nothing seems to work. I've checked the Netgate page on what the error is caused by and I didn't get far with that after finding out what it's caused by.
    I've searched the forums a bit and I didn't find anything; any help would be appreciated! Thank you
    pfSense Version: 2.4.4-RELEASE-p2
    Firewall rules on the IPSEC interface are set to allow any, and WAN allows IPSEC ports and port 500.

    Phase 1:
    KE Version: IKEv1
    Authentication Method: Mutual PSK + Xauth
    Negotiation Mode: Aggressive
    My identifier: My IP address
    Peer identifier: Distinguished name (*********)
    Pre-Shared Key: *******
    Encryption Algorithm: AES 256bit SHA1 2(1024 bit)
    NAT Traversal: Force
    DPD: Unchecked

    Phase2:
    Mode: Tunnel IPv4
    Local Network: Network (0.0.0.0/0)
    NAT/BINAT translation: None
    Protocol: ESP
    Encryption Algorithms: AES 256 bits
    Hash Algorithms: SHA1
    PFS key group: off

    Mobile clients:
    User Authentication: Local Database
    Virtual Address Pool: 192.168.32.128/25
    Save Xauth Password: checked
    DNS Default Domain: pf.fw
    DNS Servers: 192.168.1.1 & 1.1.1.1

    Apr 2 21:27:10 	charon 		12[IKE] <85> IKE_SA (unnamed)[85] state change: CONNECTING => DESTROYING
    Apr 2 21:27:10 	charon 		12[NET] <85> sending packet: from 192.168.1.1[500] to 172.58.172.159[45534] (56 bytes)
    Apr 2 21:27:10 	charon 		12[ENC] <85> generating INFORMATIONAL_V1 request 1957279736 [ N(NO_PROP) ]
    Apr 2 21:27:10 	charon 		12[IKE] <85> activating INFORMATIONAL task
    Apr 2 21:27:10 	charon 		12[IKE] <85> activating new tasks
    Apr 2 21:27:10 	charon 		12[IKE] <85> queueing INFORMATIONAL task
    Apr 2 21:27:10 	charon 		12[IKE] <85> no proposal found
    Apr 2 21:27:10 	charon 		12[CFG] <85> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Apr 2 21:27:10 	charon 		12[CFG] <85> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:10 	charon 		12[CFG] <85> selecting proposal:
    Apr 2 21:27:10 	charon 		12[IKE] <85> IKE_SA (unnamed)[85] state change: CREATED => CONNECTING
    Apr 2 21:27:10 	charon 		12[IKE] <85> 172.58.172.159 is initiating a Aggressive Mode IKE_SA
    Apr 2 21:27:10 	charon 		12[IKE] <85> received DPD vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received Cisco Unity vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received XAuth vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received NAT-T (RFC 3947) vendor ID
    Apr 2 21:27:10 	charon 		12[IKE] <85> received FRAGMENTATION vendor ID
    Apr 2 21:27:10 	charon 		12[CFG] <85> found matching ike config: %any...%any with prio 24
    Apr 2 21:27:10 	charon 		12[CFG] <85> candidate: %any...%any, prio 24
    Apr 2 21:27:10 	charon 		12[CFG] <85> looking for an IKEv1 config for 192.168.1.1...172.58.172.159
    Apr 2 21:27:10 	charon 		12[ENC] <85> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
    Apr 2 21:27:10 	charon 		12[NET] <85> received packet: from 172.58.172.159[45534] to 192.168.1.1[500] (923 bytes)
    Apr 2 21:27:07 	charon 		12[IKE] <84> IKE_SA (unnamed)[84] state change: CONNECTING => DESTROYING
    Apr 2 21:27:07 	charon 		12[NET] <84> sending packet: from 192.168.1.1[500] to 172.58.172.159[45534] (56 bytes)
    Apr 2 21:27:07 	charon 		12[ENC] <84> generating INFORMATIONAL_V1 request 317240572 [ N(NO_PROP) ]
    Apr 2 21:27:07 	charon 		12[IKE] <84> activating INFORMATIONAL task
    Apr 2 21:27:07 	charon 		12[IKE] <84> activating new tasks
    Apr 2 21:27:07 	charon 		12[IKE] <84> queueing INFORMATIONAL task
    Apr 2 21:27:07 	charon 		12[IKE] <84> no proposal found
    Apr 2 21:27:07 	charon 		12[CFG] <84> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Apr 2 21:27:07 	charon 		12[CFG] <84> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found
    Apr 2 21:27:07 	charon 		12[CFG] <84> selecting proposal:
    Apr 2 21:27:07 	charon 		12[IKE] <84> IKE_SA (unnamed)[84] state change: CREATED => CONNECTING
    Apr 2 21:27:07 	charon 		12[IKE] <84> 172.58.172.159 is initiating a Aggressive Mode IKE_SA
    Apr 2 21:27:07 	charon 		12[IKE] <84> received DPD vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received Cisco Unity vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received XAuth vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received NAT-T (RFC 3947) vendor ID
    Apr 2 21:27:07 	charon 		12[IKE] <84> received FRAGMENTATION vendor ID
    Apr 2 21:27:07 	charon 		12[CFG] <84> found matching ike config: %any...%any with prio 24
    Apr 2 21:27:07 	charon 		12[CFG] <84> candidate: %any...%any, prio 24
    Apr 2 21:27:07 	charon 		12[CFG] <84> looking for an IKEv1 config for 192.168.1.1...172.58.172.159
    Apr 2 21:27:07 	charon 		12[ENC] <84> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
    Apr 2 21:27:07 	charon 		12[NET] <84> received packet: from 172.58.172.159[45534] to 192.168.1.1[500] (923 bytes) 
    

  • LAYER 8 Netgate

    You should probably post the entire log snippet. From the first packet received from the mobile device to the end of the negotiation.

    Usually when you get the complete list logged like that you are not actually matching a configuration.

    What, exactly, are you trying to do? Mobile? Site-to-site? From what device?



  • Thank you for the reply, I've updated it to the beginning of the connection. It's supposed to be a VPN for a Windows 10 PC, an Ubuntu PC and my Android device to connect to.

    It doesn't work on Ubuntu or Android; I haven't tested it on Windows 10 yet.


  • LAYER 8 Netgate

    The device in question is only offering MODP_1024 (Group 2) IKE proposals. Nothing else.

    You are only offering these:

    MODP_3072
    MODP_4096
    MODP_6144
    MODP_8192
    MODP_2048

    So nothing matches.
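    The mismatch Derelict points out can be checked mechanically from the two [CFG] lines. The following is an added example (not pfSense or strongSwan code) that replays charon's proposal selection over the "configured proposals:" and "received proposals:" lines quoted above; the per-type check order and the configured-outer / received-inner loop are inferred from the thread's log, not taken from strongSwan's source.

```python
"""Replay charon's IKE proposal selection from its [CFG] log lines.

Added example for this thread, not pfSense or strongSwan code. It parses
the 'configured proposals:' / 'received proposals:' lines exactly as charon
prints them, walks the pairs in the order the thread's log shows, and
records the first transform type with no common algorithm, which is the
'no acceptable <TYPE> found' message seen in the log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Check order inferred from the thread's log (assumption): MD5 proposals fail
# on INTEGRITY although their DH group also mismatches, DES fails on
# ENCRYPTION first, and SHA1/SHA2 proposals only fail on the DH group.
CHECK_ORDER = (
    "ENCRYPTION_ALGORITHM",
    "INTEGRITY_ALGORITHM",
    "PSEUDO_RANDOM_FUNCTION",
    "DIFFIE_HELLMAN_GROUP",
)


@dataclass
class Proposal:
    proto: str                   # "IKE" or "ESP"
    algs: Dict[str, List[str]]   # transform type -> algorithms, in listed order


def transform_type(token: str) -> str:
    """Classify a charon algorithm token by its naming prefix."""
    if token.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if token.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "INTEGRITY_ALGORITHM"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    return "ENCRYPTION_ALGORITHM"   # AES_CBC_*, AES_GCM_*, 3DES_CBC, DES_CBC, CAMELLIA_*


def parse_proposals(log_line: str) -> List[Proposal]:
    """Split '... proposals: IKE:a/b/c, IKE:d/e' into Proposal objects."""
    m = re.search(r"proposals: (.*)$", log_line)
    if not m:
        raise ValueError("not a charon proposals line")
    proposals = []
    for entry in m.group(1).split(", "):
        proto, _, body = entry.partition(":")
        algs: Dict[str, List[str]] = {}
        for token in body.split("/"):
            algs.setdefault(transform_type(token), []).append(token)
        proposals.append(Proposal(proto, algs))
    return proposals


def first_mismatch(mine: Proposal, theirs: Proposal) -> Optional[str]:
    """First transform type (in CHECK_ORDER) with no common algorithm, else None."""
    for ttype in CHECK_ORDER:
        ours, peers = mine.algs.get(ttype, []), theirs.algs.get(ttype, [])
        if not ours and not peers:
            continue            # type unused by this protocol (e.g. ESP without PFS)
        if not any(a in peers for a in ours):
            return ttype
    return None


def select_proposal(configured: List[Proposal],
                    received: List[Proposal]) -> Tuple[Optional[str], Counter]:
    """Return (selected proposal string or None, Counter of failure reasons)."""
    failures: Counter = Counter()
    for mine in configured:             # outer loop: our proposals (per the log)
        for theirs in received:         # inner loop: the peer's proposals
            reason = first_mismatch(mine, theirs)
            if reason is not None:
                failures[reason] += 1
                continue
            chosen = []
            for ttype in CHECK_ORDER:
                ours, peers = mine.algs.get(ttype, []), theirs.algs.get(ttype, [])
                if ours:                # our preference order wins on a match
                    chosen.append(next(a for a in ours if a in peers))
            return f"{mine.proto}:" + "/".join(chosen), failures
    return None, failures


def peer_only_dh_groups(configured: List[Proposal], received: List[Proposal]) -> Set[str]:
    """DH groups the peer offers that our side never configures."""
    ours = {g for p in configured for g in p.algs.get("DIFFIE_HELLMAN_GROUP", [])}
    theirs = {g for p in received for g in p.algs.get("DIFFIE_HELLMAN_GROUP", [])}
    return theirs - ours


def explain(configured_line: str, received_line: str) -> dict:
    """Summarise why a negotiation matched or failed from the two [CFG] lines."""
    configured, received = parse_proposals(configured_line), parse_proposals(received_line)
    selected, failures = select_proposal(configured, received)
    return {"selected": selected, "failures": failures,
            "peer_only_dh": peer_only_dh_groups(configured, received)}


# Sample input copied from the thread's log (the Aggressive Mode attempt and the
# later L2TP/IPsec configuration); the peer's proposal list is identical in both.
CONFIGURED_AGGRESSIVE = "configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048"
CONFIGURED_L2TP = "configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"
RECEIVED = "received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024"

if __name__ == "__main__":
    for label, line in (("aggressive", CONFIGURED_AGGRESSIVE), ("l2tp", CONFIGURED_L2TP)):
        r = explain(line, RECEIVED)
        print(label, "selected:", r["selected"], "failures:", dict(r["failures"]),
              "peer-only DH groups:", r["peer_only_dh"])
```

    For the Aggressive Mode attempt the only DH group the peer offers is MODP_1024, which the server never lists, so every non-DES, non-MD5 pair fails on DIFFIE_HELLMAN_GROUP exactly as the log shows; 1024-bit MODP is generally considered too weak for new deployments, so the lasting fix is on the client side (or IKEv2, as suggested below) rather than adding group 2 on the firewall.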



  • @Derelict said in IPSec DIFFIE_HELLMAN_GROUP:

    MODP_3072

    Oh I didn't see that, how would I offer MODP_1024 too? I have the DH group set to 2, is that the right thing? Apologies for my ignorance


  • LAYER 8 Netgate

    I think you have not configured it correctly.

    You are configuring for a Cisco-style Mutual PSK + Xauth VPN.

    With modern clients you probably want IKEv2.

    Or, probably even easier, OpenVPN.



  • Thank you, I do have OpenVPN set up but I was hoping to set up a VPN that's just a straight connect without any downloads or clients. Is this still possible?



  • Update: I've tried doing L2TP/IPSec instead and it has gotten much farther. I am confused by the errors now; I'll keep trying, but this is where I've gotten to so far following this tutorial:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: DELETING => DESTROYING
    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: DELETING => DELETING
    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: ESTABLISHED => DELETING
    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> deleting IKE_SA con-mobile[18] between 192.168.1.1[47.205.143.194]...172.58.175.108[100.78.231.143]
    Apr 3 05:33:21 	charon 		07[IKE] <con-mobile|18> received DELETE for IKE_SA con-mobile[18]
    Apr 3 05:33:21 	charon 		07[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 2268793164 [ HASH D ]
    Apr 3 05:33:21 	charon 		07[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (108 bytes)
    Apr 3 05:33:21 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: DELETED => DESTROYING
    Apr 3 05:33:21 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: DELETING => DELETED
    Apr 3 05:33:21 	charon 		09[IKE] <con-mobile|18> closing CHILD_SA con-mobile{2} with SPIs c698a2e3_i (2974 bytes) 003c7e65_o (0 bytes) and TS 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp]
    Apr 3 05:33:21 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: INSTALLED => DELETING
    Apr 3 05:33:21 	charon 		09[IKE] <con-mobile|18> received DELETE for ESP CHILD_SA with SPI 003c7e65
    Apr 3 05:33:21 	charon 		09[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 3090052457 [ HASH D ]
    Apr 3 05:33:21 	charon 		09[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (92 bytes)
    Apr 3 05:33:06 	charon 		09[IKE] <con-mobile|18> sending keep alive to 172.58.175.108[38448]
    Apr 3 05:32:46 	charon 		09[IKE] <con-mobile|18> sending keep alive to 172.58.175.108[38448]
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: INSTALLING => INSTALLED
    Apr 3 05:32:22 	charon 		09[IKE] <con-mobile|18> CHILD_SA con-mobile{2} established with SPIs c698a2e3_i 003c7e65_o and TS 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp]
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> SPI 0x003c7e65, src 192.168.1.1 dst 172.58.175.108
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> adding outbound ESP SA
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> SPI 0xc698a2e3, src 172.58.175.108 dst 192.168.1.1
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> adding inbound ESP SA
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> using HMAC_SHA1_96 for integrity
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> using AES_CBC for encryption
    Apr 3 05:32:22 	charon 		09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: CREATED => INSTALLING
    Apr 3 05:32:22 	charon 		09[ENC] <con-mobile|18> parsed QUICK_MODE request 3416053440 [ HASH ]
    Apr 3 05:32:22 	charon 		09[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (76 bytes)
    Apr 3 05:32:22 	charon 		08[NET] <con-mobile|18> sending packet: from 192.168.1.1[4500] to 172.58.175.108[38448] (204 bytes)
    Apr 3 05:32:22 	charon 		08[ENC] <con-mobile|18> generating QUICK_MODE response 3416053440 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> proposal matches
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting proposal:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> no acceptable INTEGRITY_ALGORITHM found
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting proposal:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> no acceptable INTEGRITY_ALGORITHM found
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting proposal:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> config: 192.168.1.1/32|/0, received: 192.168.1.1/32|/0[udp/l2f] => match: 192.168.1.1/32|/0[udp/l2f]
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting traffic selectors for us:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> config: 172.58.175.108/32|/0, received: 172.58.175.108/32|/0[udp] => match: 172.58.175.108/32|/0[udp]
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> selecting traffic selectors for other:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> found matching child config "con-mobile" with prio 2
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> candidate "con-mobile" with prio 1+1
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> 172.58.175.108/32|/0
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> proposing traffic selectors for other:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> 192.168.1.1/32|/0
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> proposing traffic selectors for us:
    Apr 3 05:32:22 	charon 		08[CFG] <con-mobile|18> looking for a child config for 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp]
    Apr 3 05:32:22 	charon 		08[IKE] <con-mobile|18> changing received traffic selectors 100.78.231.143/32|/0[udp]=== 47.205.143.194/32|/0[udp/l2f] due to NAT
    Apr 3 05:32:22 	charon 		08[ENC] <con-mobile|18> parsed QUICK_MODE request 3416053440 [ HASH SA No ID ID ]
    Apr 3 05:32:22 	charon 		08[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (668 bytes)
    Apr 3 05:32:21 	charon 		08[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 3338137404 [ HASH N(INITIAL_CONTACT) ]
    Apr 3 05:32:21 	charon 		08[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (108 bytes)
    Apr 3 05:32:21 	charon 		09[NET] <con-mobile|18> sending packet: from 192.168.1.1[4500] to 172.58.175.108[38448] (76 bytes)
    Apr 3 05:32:21 	charon 		09[ENC] <con-mobile|18> generating ID_PROT response 0 [ ID HASH ]
    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> maximum IKE_SA lifetime 28529s
    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> scheduling reauthentication in 27989s
    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: CONNECTING => ESTABLISHED
    Apr 3 05:32:21 	charon 		09[IKE] <con-mobile|18> IKE_SA con-mobile[18] established between 192.168.1.1[47.205.143.194]...172.58.175.108[100.78.231.143]
    Apr 3 05:32:21 	charon 		09[CFG] <18> selected peer config "con-mobile"
    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "con-mobile", match: 1/1/28 (me/other/ike)
    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Apr 3 05:32:21 	charon 		09[CFG] <18> looking for pre-shared key peer configs matching 192.168.1.1...172.58.175.108[100.78.231.143]
    Apr 3 05:32:21 	charon 		09[ENC] <18> parsed ID_PROT request 0 [ ID HASH ]
    Apr 3 05:32:21 	charon 		09[NET] <18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (92 bytes)
    Apr 3 05:32:21 	charon 		09[NET] <18> sending packet: from 192.168.1.1[500] to 172.58.175.108[53584] (244 bytes)
    Apr 3 05:32:21 	charon 		09[ENC] <18> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "con-mobile", match: 1/1/28 (me/other/ike)
    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Apr 3 05:32:21 	charon 		09[IKE] <18> remote host is behind NAT
    Apr 3 05:32:21 	charon 		09[IKE] <18> local host is behind NAT, sending keep alives
    Apr 3 05:32:21 	charon 		09[ENC] <18> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Apr 3 05:32:21 	charon 		09[NET] <18> received packet: from 172.58.175.108[53584] to 192.168.1.1[500] (228 bytes)
    Apr 3 05:32:21 	charon 		09[NET] <18> sending packet: from 192.168.1.1[500] to 172.58.175.108[53584] (160 bytes)
    Apr 3 05:32:21 	charon 		09[ENC] <18> generating ID_PROT response 0 [ SA V V V V ]
    Apr 3 05:32:21 	charon 		09[IKE] <18> sending NAT-T (RFC 3947) vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> sending FRAGMENTATION vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> sending DPD vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> sending XAuth vendor ID
    Apr 3 05:32:21 	charon 		09[CFG] <18> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 3 05:32:21 	charon 		09[CFG] <18> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Apr 3 05:32:21 	charon 		09[CFG] <18> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 3 05:32:21 	charon 		09[CFG] <18> proposal matches
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Apr 3 05:32:21 	charon 		09[CFG] <18> selecting proposal:
    Apr 3 05:32:21 	charon 		09[IKE] <18> IKE_SA (unnamed)[18] state change: CREATED => CONNECTING
    Apr 3 05:32:21 	charon 		09[IKE] <18> 172.58.175.108 is initiating a Main Mode IKE_SA
    Apr 3 05:32:21 	charon 		09[IKE] <18> received DPD vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> received FRAGMENTATION vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Apr 3 05:32:21 	charon 		09[IKE] <18> received NAT-T (RFC 3947) vendor ID
    Apr 3 05:32:21 	charon 		09[CFG] <18> found matching ike config: %any...%any with prio 28
    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate: %any...%any, prio 28
    Apr 3 05:32:21 	charon 		09[CFG] <18> candidate: %any...%any, prio 24
    Apr 3 05:32:21 	charon 		09[CFG] <18> looking for an IKEv1 config for 192.168.1.1...172.58.175.108
    Apr 3 05:32:21 	charon 		09[ENC] <18> parsed ID_PROT request 0 [ SA V V V V V V ]
    Apr 3 05:32:21 	charon 		09[NET] <18> received packet: from 172.58.175.108[53584] to 192.168.1.1[500] (724 bytes)
    Apr 3 05:32:02 	charon 		10[CFG] added configuration 'con-mobile'
    Apr 3 05:32:02 	charon 		10[CFG] keyexchange=ikev1
    Apr 3 05:32:02 	charon 		10[CFG] mediation=no
    Apr 3 05:32:02 	charon 		10[CFG] sha256_96=no
    Apr 3 05:32:02 	charon 		10[CFG] dpdtimeout=150
    Apr 3 05:32:02 	charon 		10[CFG] dpddelay=30
    Apr 3 05:32:02 	charon 		10[CFG] esp=aes256-sha1,aes256-sha256!
    Apr 3 05:32:02 	charon 		10[CFG] ike=aes128-sha1-modp1024,aes256-sha1-modp1024,aes128-sha256-modp1024,aes256-sha256-modp1024!
    Apr 3 05:32:02 	charon 		10[CFG] rightauth=psk
    Apr 3 05:32:02 	charon 		10[CFG] rightdns=192.168.1.1,1.1.1.1
    Apr 3 05:32:02 	charon 		10[CFG] right=%any
    Apr 3 05:32:02 	charon 		10[CFG] leftid=47.205.143.194
    Apr 3 05:32:02 	charon 		10[CFG] leftauth=psk
    Apr 3 05:32:02 	charon 		10[CFG] left=%any
    Apr 3 05:32:02 	charon 		10[CFG] conn con-mobile
    Apr 3 05:32:02 	charon 		10[CFG] received stroke: add connection 'con-mobile'
    Apr 3 05:32:02 	ipsec_starter 	88382 	'bypasslan' shunt PASS policy installed
    Apr 3 05:32:02 	charon 		10[CFG] received stroke: route 'bypasslan'
    Apr 3 05:32:02 	charon 		09[CFG] added configuration 'bypasslan'
    Apr 3 05:32:02 	charon 		09[CFG] mediation=no
    Apr 3 05:32:02 	charon 		09[CFG] sha256_96=no
    Apr 3 05:32:02 	charon 		09[CFG] dpdtimeout=150
    Apr 3 05:32:02 	charon 		09[CFG] dpddelay=30
    Apr 3 05:32:02 	charon 		09[CFG] rightsubnet=10.10.10.0/24
    Apr 3 05:32:02 	charon 		09[CFG] right=%any
    Apr 3 05:32:02 	charon 		09[CFG] leftsubnet=10.10.10.0/24
    Apr 3 05:32:02 	charon 		09[CFG] left=%any
    Apr 3 05:32:02 	charon 		09[CFG] conn bypasslan
    Apr 3 05:32:02 	charon 		09[CFG] received stroke: add connection 'bypasslan'
    Apr 3 05:32:02 	charon 		09[CFG] deleted connection 'con-mobile'
    Apr 3 05:32:02 	charon 		09[CFG] received stroke: delete connection 'con-mobile'
    Apr 3 05:32:02 	charon 		10[CFG] deleted connection 'bypasslan'
    Apr 3 05:32:02 	charon 		10[CFG] received stroke: delete connection 'bypasslan'
    Apr 3 05:32:02 	ipsec_starter 	88382 	shunt policy 'bypasslan' uninstalled
    Apr 3 05:32:02 	charon 		10[CFG] received stroke: unroute 'bypasslan'
    Apr 3 05:32:02 	charon 		11[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Apr 3 05:32:02 	charon 		11[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Apr 3 05:32:02 	charon 		11[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Apr 3 05:32:02 	charon 		11[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Apr 3 05:32:02 	charon 		11[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Apr 3 05:32:02 	charon 		11[CFG] loaded IKE secret for %any
    Apr 3 05:32:02 	charon 		11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Apr 3 05:32:02 	charon 		11[CFG] rereading secrets 
    
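The two charon lines that decide Phase 1 in this excerpt are the client's `received proposals:` list and the responder's `ike=` line from the `con-mobile` config. The excerpt is newest-first (the 05:32:21 lines sit above the 05:32:02 lines), so read bottom-up: charon printed `selecting proposal:` for each candidate pair, one `no acceptable ... found` per mismatch, and finished on `proposal matches`. The following Python replays that comparison from the two lines. It is an added example, not code from the original post or from strongSwan; the keyword-to-name mapping and the comparison order (encryption, integrity, PRF, DH group) are assumptions modelled on the wording in the log, and the inputs are copied from the post with the timestamp and thread prefixes removed.

```python
import re

# Constructed inputs, copied from two of the charon lines posted above with the
# timestamp, thread and IKE_SA prefixes removed. This is not strongSwan code:
# the name mapping and comparison order below are an assumption modelled on the
# wording charon prints, enough to replay the trace seen in the log.
RECEIVED_LINE = (
    "received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
    "IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024"
)
CONFIG_LINE = ("ike=aes128-sha1-modp1024,aes256-sha1-modp1024,"
               "aes128-sha256-modp1024,aes256-sha256-modp1024!")

# ipsec.conf keywords -> the names charon prints. In IKEv1 the PRF is tied to
# the integrity algorithm, so one keyword yields both names.
ENC_NAMES = {"aes128": "AES_CBC_128", "aes192": "AES_CBC_192",
             "aes256": "AES_CBC_256", "3des": "3DES_CBC", "des": "DES_CBC"}
INTEG_NAMES = {"md5": ("HMAC_MD5_96", "PRF_HMAC_MD5"),
               "sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
               "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
               "sha384": ("HMAC_SHA2_384_192", "PRF_HMAC_SHA2_384"),
               "sha512": ("HMAC_SHA2_512_256", "PRF_HMAC_SHA2_512")}
# Transform types in the order they are compared (assumed); the first mismatch
# is the one named in the "no acceptable ... found" line.
TRANSFORMS = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
              "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")


def parse_received(line):
    """'... IKE:ENC/INTEG/PRF/DH, IKE:...' -> 4-tuples in the client's order."""
    return [tuple(p.split("/")) for p in re.findall(r"IKE:([^,\s]+)", line)]


def parse_config(line):
    """'ike=enc-integ-dh,...[!]' -> 4-tuples in configured order."""
    entries = line.split("=", 1)[1].rstrip("!").split(",")
    out = []
    for entry in entries:
        enc, integ, dh = entry.split("-")
        mac, prf = INTEG_NAMES[integ]
        group = re.fullmatch(r"([a-z]+)(\d+)", dh)       # modp1024 -> MODP_1024
        out.append((ENC_NAMES[enc], mac, prf,
                    f"{group.group(1).upper()}_{group.group(2)}"))
    return out


def select_proposal(configured, received):
    """Try every received proposal against each configured one, configured
    order first, recording a trace in charon's wording.
    Returns (chosen 4-tuple or None, trace)."""
    trace = []
    for ours in configured:
        for theirs in received:
            trace.append("selecting proposal:")
            for name, a, b in zip(TRANSFORMS, ours, theirs):
                if a != b:
                    trace.append(f"no acceptable {name} found")
                    break
            else:
                trace.append("proposal matches")
                return ours, trace
    return None, trace


def replay(config_line, received_line):
    return select_proposal(parse_config(config_line),
                           parse_received(received_line))


if __name__ == "__main__":
    chosen, trace = replay(CONFIG_LINE, RECEIVED_LINE)
    print("\n".join(trace))
    print("selected:", "/".join(chosen) if chosen else "none")
```

Run as a script it reproduces the nine-step trace in the log above: five `ENCRYPTION_ALGORITHM` mismatches (the client's AES-256 entries against the first configured entry `aes128-sha1-modp1024`), three `INTEGRITY_ALGORITHM` mismatches (the client's AES-128 entries with SHA-512/384/256), then `proposal matches` on AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024. Swapping in a config that offers only `modp2048` against the same client list yields no match at all, with the one candidate that agrees on cipher and hash failing at `DIFFIE_HELLMAN_GROUP`; that is the shape of trace to look for when the Phase 1 DH group, rather than the cipher or hash, is what the two sides disagree on.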

  • LAYER 8 Netgate

    That depends on the mix of clients mostly.

    What you are trying to do there typically requires the Cisco Anyconnect client on Windows anyway.

    If you MUST try this, try IKEv2 but that will probably require the strongswan app on android.

    There is no 100% universal solution unfortunately. The client support is too varied.

    Yes, OpenVPN requires a client but in most cases it is free and your configuration will be substantially similar across any device it supports.

