IPSec DIFFIE_HELLMAN_GROUP
-
Hello! I've been trying to get my IPSec tunnel to work for a while now and I've tried about 20 different configs online and experimenting on my own but for some reason I keep ending up with the same errors. I've tried setting the PH value to 2048 bit as well, I've tried matching the received algorithims and nothing seems to work. I've checked the Netgate page on what the error is caused by and I didn't get far with that after finding out what it's caused by.
I've searched the forums a bit and I didn't find anything, any help would be appreciated! Thank you
pfSense Version: 2.4.4-RELEASE-p2
Firewall rules on IPSEC interface is set to any allow, and WAN allows IPSEC ports and port 500.Phase 1:
KE Version: IKev1
Authentication Method: Mutual PSK + Xauth
Negotiation Mode: Aggressive
My indentifier: My IP address
Peer identifier: Distinguised name (*********)
Pre-Shared Key: *******
Encryption Algorithim: AES 256bit SHA1 2(1024 bit)
NAT Traversal: Force
DPD: UncheckedPhase2:
Mode: Tunnel IPv4
Local Network: Network (0.0.0.0/0)
NAT/BINAT translation: None
Protocol: ESP
Encryption Algorithims: AES 256 bits
Hash Algorithims: SHA1
PFS key group: offMobile clients:
User Authentication: Local Database
Virtual Address Pool: 192.168.32.128/25
Save Xauth Password: checked
DNS Default Domain: pf.fw
DNS Servers: 192.168.1.1 & 1.1.1.1Apr 2 21:27:10 charon 12[IKE] <85> IKE_SA (unnamed)[85] state change: CONNECTING => DESTROYING Apr 2 21:27:10 charon 12[NET] <85> sending packet: from 192.168.1.1[500] to 172.58.172.159[45534] (56 bytes) Apr 2 21:27:10 charon 12[ENC] <85> generating INFORMATIONAL_V1 request 1957279736 [ N(NO_PROP) ] Apr 2 21:27:10 charon 12[IKE] <85> activating INFORMATIONAL task Apr 2 21:27:10 charon 12[IKE] <85> activating new tasks Apr 2 21:27:10 charon 12[IKE] <85> queueing INFORMATIONAL task Apr 2 21:27:10 charon 12[IKE] <85> no proposal found Apr 2 21:27:10 charon 12[CFG] <85> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048 Apr 2 21:27:10 charon 12[CFG] <85> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable INTEGRITY_ALGORITHM found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[CFG] <85> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:10 charon 12[CFG] <85> selecting proposal: Apr 2 21:27:10 charon 12[IKE] <85> IKE_SA (unnamed)[85] state change: CREATED => CONNECTING Apr 2 21:27:10 charon 12[IKE] <85> 172.58.172.159 is initiating a Aggressive Mode IKE_SA Apr 2 21:27:10 charon 12[IKE] <85> received DPD vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received Cisco Unity vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received XAuth vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-00 vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received draft-ietf-ipsec-nat-t-ike-02 vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received NAT-T (RFC 3947) vendor ID Apr 2 21:27:10 charon 12[IKE] <85> received FRAGMENTATION vendor ID Apr 2 21:27:10 charon 12[CFG] <85> found matching ike config: %any...%any with prio 24 Apr 2 21:27:10 charon 12[CFG] <85> candidate: %any...%any, prio 24 Apr 2 21:27:10 charon 12[CFG] <85> looking for an IKEv1 config for 192.168.1.1...172.58.172.159 Apr 2 21:27:10 charon 12[ENC] <85> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ] Apr 2 21:27:10 charon 12[NET] <85> received packet: from 172.58.172.159[45534] to 192.168.1.1[500] (923 bytes) Apr 2 21:27:07 charon 12[IKE] <84> IKE_SA (unnamed)[84] state change: CONNECTING => DESTROYING Apr 2 21:27:07 charon 12[NET] <84> sending packet: from 192.168.1.1[500] to 172.58.172.159[45534] (56 bytes) Apr 2 21:27:07 charon 12[ENC] <84> generating INFORMATIONAL_V1 request 317240572 [ N(NO_PROP) ] Apr 2 21:27:07 charon 12[IKE] <84> activating INFORMATIONAL task Apr 2 21:27:07 charon 12[IKE] <84> activating new tasks Apr 2 21:27:07 charon 12[IKE] <84> queueing INFORMATIONAL task Apr 2 21:27:07 charon 12[IKE] <84> no proposal found Apr 2 21:27:07 charon 12[CFG] <84> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048 Apr 2 21:27:07 charon 12[CFG] <84> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable ENCRYPTION_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable INTEGRITY_ALGORITHM found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[CFG] <84> no acceptable DIFFIE_HELLMAN_GROUP found Apr 2 21:27:07 charon 12[CFG] <84> selecting proposal: Apr 2 21:27:07 charon 12[IKE] <84> IKE_SA (unnamed)[84] state change: CREATED => CONNECTING Apr 2 21:27:07 charon 12[IKE] <84> 172.58.172.159 is initiating a Aggressive Mode IKE_SA Apr 2 21:27:07 charon 12[IKE] <84> received DPD vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received Cisco Unity vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received XAuth vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-00 vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received draft-ietf-ipsec-nat-t-ike-02 vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received NAT-T (RFC 3947) vendor ID Apr 2 21:27:07 charon 12[IKE] <84> received FRAGMENTATION vendor ID Apr 2 21:27:07 charon 12[CFG] <84> found matching ike config: %any...%any with prio 24 Apr 2 21:27:07 charon 12[CFG] <84> candidate: %any...%any, prio 24 Apr 2 21:27:07 charon 12[CFG] <84> looking for an IKEv1 config for 192.168.1.1...172.58.172.159 Apr 2 21:27:07 charon 12[ENC] <84> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ] Apr 2 21:27:07 charon 12[NET] <84> received packet: from 172.58.172.159[45534] to 192.168.1.1[500] (923 bytes)
-
You should probably post the entire log snippet. From the first packet received from the mobile device to the end of the negotiation.
Usually when you get the complete list logged like that you are not actually matching a configuration.
What, exactly, are you trying to do? Mobile? Site-to-site? From what device?
-
Thank you for the reply, I've updated it to the beginning of the connection. It's supposed to be a VPN for Windows10, Ubuntu PC and my Android device connecting.
It doesn't work on on Ubuntu or Android, haven't tested it on Windows 10 yet.
-
The device in question is only offering MODP_1024 (Group 2) IKE proposals. Nothing else.
You are only offering these:
MODP_3072
MODP_4096
MODP_6144
MODP_8192
MODP_2048So nothing matches.
-
@Derelict said in IPSec DIFFIE_HELLMAN_GROUP:
MODP_3072
Oh I didn't see that, how would I offer MODP_1024 too? I have the DH group set to 2, is that the right thing? Apologies for my ignorance
-
I think you have not configured it correctly.
You are configuring for a Cisco-style Mutual PSK + Xauth VPN.
With modern clients you probably want IKEv2.
Or, probably even easier, OpenVPN.
-
Thank you, I do have OpenVPN setup but I was hoping to setup a VPN that's just straight connect without any downloads or clients. Is this still possible?
-
Update, I've tried doing L2TP/IPSec instead and it has gotten much farther. I am confused with the errors now, I'll keep trying but this is where I've gotten to so far following this tutorial:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.htmlApr 3 05:33:21 charon 07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: DELETING => DESTROYING Apr 3 05:33:21 charon 07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: DELETING => DELETING Apr 3 05:33:21 charon 07[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: ESTABLISHED => DELETING Apr 3 05:33:21 charon 07[IKE] <con-mobile|18> deleting IKE_SA con-mobile[18] between 192.168.1.1[47.205.143.194]...172.58.175.108[100.78.231.143] Apr 3 05:33:21 charon 07[IKE] <con-mobile|18> received DELETE for IKE_SA con-mobile[18] Apr 3 05:33:21 charon 07[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 2268793164 [ HASH D ] Apr 3 05:33:21 charon 07[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (108 bytes) Apr 3 05:33:21 charon 09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: DELETED => DESTROYING Apr 3 05:33:21 charon 09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: DELETING => DELETED Apr 3 05:33:21 charon 09[IKE] <con-mobile|18> closing CHILD_SA con-mobile{2} with SPIs c698a2e3_i (2974 bytes) 003c7e65_o (0 bytes) and TS 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp] Apr 3 05:33:21 charon 09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: INSTALLED => DELETING Apr 3 05:33:21 charon 09[IKE] <con-mobile|18> received DELETE for ESP CHILD_SA with SPI 003c7e65 Apr 3 05:33:21 charon 09[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 3090052457 [ HASH D ] Apr 3 05:33:21 charon 09[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (92 bytes) Apr 3 05:33:06 charon 09[IKE] <con-mobile|18> sending keep alive to 172.58.175.108[38448] Apr 3 05:32:46 charon 09[IKE] <con-mobile|18> sending keep alive to 172.58.175.108[38448] Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: INSTALLING => INSTALLED Apr 3 05:32:22 charon 09[IKE] <con-mobile|18> CHILD_SA con-mobile{2} established with SPIs c698a2e3_i 003c7e65_o and TS 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp] Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> SPI 0x003c7e65, src 192.168.1.1 dst 172.58.175.108 Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> adding outbound ESP SA Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> SPI 0xc698a2e3, src 172.58.175.108 dst 192.168.1.1 Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> adding inbound ESP SA Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> using HMAC_SHA1_96 for integrity Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> using AES_CBC for encryption Apr 3 05:32:22 charon 09[CHD] <con-mobile|18> CHILD_SA con-mobile{2} state change: CREATED => INSTALLING Apr 3 05:32:22 charon 09[ENC] <con-mobile|18> parsed QUICK_MODE request 3416053440 [ HASH ] Apr 3 05:32:22 charon 09[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (76 bytes) Apr 3 05:32:22 charon 08[NET] <con-mobile|18> sending packet: from 192.168.1.1[4500] to 172.58.175.108[38448] (204 bytes) Apr 3 05:32:22 charon 08[ENC] <con-mobile|18> generating QUICK_MODE response 3416053440 [ HASH SA No ID ID NAT-OA NAT-OA ] Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> proposal matches Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> selecting proposal: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> no acceptable INTEGRITY_ALGORITHM found Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> selecting proposal: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> no acceptable INTEGRITY_ALGORITHM found Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> selecting proposal: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> config: 192.168.1.1/32|/0, received: 192.168.1.1/32|/0[udp/l2f] => match: 192.168.1.1/32|/0[udp/l2f] Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> selecting traffic selectors for us: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> config: 172.58.175.108/32|/0, received: 172.58.175.108/32|/0[udp] => match: 172.58.175.108/32|/0[udp] Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> selecting traffic selectors for other: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> found matching child config "con-mobile" with prio 2 Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> candidate "con-mobile" with prio 1+1 Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> 172.58.175.108/32|/0 Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> proposing traffic selectors for other: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> 192.168.1.1/32|/0 Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> proposing traffic selectors for us: Apr 3 05:32:22 charon 08[CFG] <con-mobile|18> looking for a child config for 192.168.1.1/32|/0[udp/l2f] === 172.58.175.108/32|/0[udp] Apr 3 05:32:22 charon 08[IKE] <con-mobile|18> changing received traffic selectors 100.78.231.143/32|/0[udp]=== 47.205.143.194/32|/0[udp/l2f] due to NAT Apr 3 05:32:22 charon 08[ENC] <con-mobile|18> parsed QUICK_MODE request 3416053440 [ HASH SA No ID ID ] Apr 3 05:32:22 charon 08[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (668 bytes) Apr 3 05:32:21 charon 08[ENC] <con-mobile|18> parsed INFORMATIONAL_V1 request 3338137404 [ HASH N(INITIAL_CONTACT) ] Apr 3 05:32:21 charon 08[NET] <con-mobile|18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (108 bytes) Apr 3 05:32:21 charon 09[NET] <con-mobile|18> sending packet: from 192.168.1.1[4500] to 172.58.175.108[38448] (76 bytes) Apr 3 05:32:21 charon 09[ENC] <con-mobile|18> generating ID_PROT response 0 [ ID HASH ] Apr 3 05:32:21 charon 09[IKE] <con-mobile|18> maximum IKE_SA lifetime 28529s Apr 3 05:32:21 charon 09[IKE] <con-mobile|18> scheduling reauthentication in 27989s Apr 3 05:32:21 charon 09[IKE] <con-mobile|18> IKE_SA con-mobile[18] state change: CONNECTING => ESTABLISHED Apr 3 05:32:21 charon 09[IKE] <con-mobile|18> IKE_SA con-mobile[18] established between 192.168.1.1[47.205.143.194]...172.58.175.108[100.78.231.143] Apr 3 05:32:21 charon 09[CFG] <18> selected peer config "con-mobile" Apr 3 05:32:21 charon 09[CFG] <18> candidate "con-mobile", match: 1/1/28 (me/other/ike) Apr 3 05:32:21 charon 09[CFG] <18> candidate "bypasslan", match: 1/1/24 (me/other/ike) Apr 3 05:32:21 charon 09[CFG] <18> looking for pre-shared key peer configs matching 192.168.1.1...172.58.175.108[100.78.231.143] Apr 3 05:32:21 charon 09[ENC] <18> parsed ID_PROT request 0 [ ID HASH ] Apr 3 05:32:21 charon 09[NET] <18> received packet: from 172.58.175.108[38448] to 192.168.1.1[4500] (92 bytes) Apr 3 05:32:21 charon 09[NET] <18> sending packet: from 192.168.1.1[500] to 172.58.175.108[53584] (244 bytes) Apr 3 05:32:21 charon 09[ENC] <18> generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Apr 3 05:32:21 charon 09[CFG] <18> candidate "con-mobile", match: 1/1/28 (me/other/ike) Apr 3 05:32:21 charon 09[CFG] <18> candidate "bypasslan", match: 1/1/24 (me/other/ike) Apr 3 05:32:21 charon 09[IKE] <18> remote host is behind NAT Apr 3 05:32:21 charon 09[IKE] <18> local host is behind NAT, sending keep alives Apr 3 05:32:21 charon 09[ENC] <18> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Apr 3 05:32:21 charon 09[NET] <18> received packet: from 172.58.175.108[53584] to 192.168.1.1[500] (228 bytes) Apr 3 05:32:21 charon 09[NET] <18> sending packet: from 192.168.1.1[500] to 172.58.175.108[53584] (160 bytes) Apr 3 05:32:21 charon 09[ENC] <18> generating ID_PROT response 0 [ SA V V V V ] Apr 3 05:32:21 charon 09[IKE] <18> sending NAT-T (RFC 3947) vendor ID Apr 3 05:32:21 charon 09[IKE] <18> sending FRAGMENTATION vendor ID Apr 3 05:32:21 charon 09[IKE] <18> sending DPD vendor ID Apr 3 05:32:21 charon 09[IKE] <18> sending XAuth vendor ID Apr 3 05:32:21 charon 09[CFG] <18> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Apr 3 05:32:21 charon 09[CFG] <18> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 Apr 3 05:32:21 charon 09[CFG] <18> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Apr 3 05:32:21 charon 09[CFG] <18> proposal matches Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable INTEGRITY_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found Apr 3 05:32:21 charon 09[CFG] <18> selecting proposal: Apr 3 05:32:21 charon 09[IKE] <18> IKE_SA (unnamed)[18] state change: CREATED => CONNECTING Apr 3 05:32:21 charon 09[IKE] <18> 172.58.175.108 is initiating a Main Mode IKE_SA Apr 3 05:32:21 charon 09[IKE] <18> received DPD vendor ID Apr 3 05:32:21 charon 09[IKE] <18> received FRAGMENTATION vendor ID Apr 3 05:32:21 charon 09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-00 vendor ID Apr 3 05:32:21 charon 09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Apr 3 05:32:21 charon 09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID Apr 3 05:32:21 charon 09[IKE] <18> received NAT-T (RFC 3947) vendor ID Apr 3 05:32:21 charon 09[CFG] <18> found matching ike config: %any...%any with prio 28 Apr 3 05:32:21 charon 09[CFG] <18> candidate: %any...%any, prio 28 Apr 3 05:32:21 charon 09[CFG] <18> candidate: %any...%any, prio 24 Apr 3 05:32:21 charon 09[CFG] <18> looking for an IKEv1 config for 192.168.1.1...172.58.175.108 Apr 3 05:32:21 charon 09[ENC] <18> parsed ID_PROT request 0 [ SA V V V V V V ] Apr 3 05:32:21 charon 09[NET] <18> received packet: from 172.58.175.108[53584] to 192.168.1.1[500] (724 bytes) Apr 3 05:32:02 charon 10[CFG] added configuration 'con-mobile' Apr 3 05:32:02 charon 10[CFG] keyexchange=ikev1 Apr 3 05:32:02 charon 10[CFG] mediation=no Apr 3 05:32:02 charon 10[CFG] sha256_96=no Apr 3 05:32:02 charon 10[CFG] dpdtimeout=150 Apr 3 05:32:02 charon 10[CFG] dpddelay=30 Apr 3 05:32:02 charon 10[CFG] esp=aes256-sha1,aes256-sha256! Apr 3 05:32:02 charon 10[CFG] ike=aes128-sha1-modp1024,aes256-sha1-modp1024,aes128-sha256-modp1024,aes256-sha256-modp1024! Apr 3 05:32:02 charon 10[CFG] rightauth=psk Apr 3 05:32:02 charon 10[CFG] rightdns=192.168.1.1,1.1.1.1 Apr 3 05:32:02 charon 10[CFG] right=%any Apr 3 05:32:02 charon 10[CFG] leftid=47.205.143.194 Apr 3 05:32:02 charon 10[CFG] leftauth=psk Apr 3 05:32:02 charon 10[CFG] left=%any Apr 3 05:32:02 charon 10[CFG] conn con-mobile Apr 3 05:32:02 charon 10[CFG] received stroke: add connection 'con-mobile' Apr 3 05:32:02 ipsec_starter 88382 'bypasslan' shunt PASS policy installed Apr 3 05:32:02 charon 10[CFG] received stroke: route 'bypasslan' Apr 3 05:32:02 charon 09[CFG] added configuration 'bypasslan' Apr 3 05:32:02 charon 09[CFG] mediation=no Apr 3 05:32:02 charon 09[CFG] sha256_96=no Apr 3 05:32:02 charon 09[CFG] dpdtimeout=150 Apr 3 05:32:02 charon 09[CFG] dpddelay=30 Apr 3 05:32:02 charon 09[CFG] rightsubnet=10.10.10.0/24 Apr 3 05:32:02 charon 09[CFG] right=%any Apr 3 05:32:02 charon 09[CFG] leftsubnet=10.10.10.0/24 Apr 3 05:32:02 charon 09[CFG] left=%any Apr 3 05:32:02 charon 09[CFG] conn bypasslan Apr 3 05:32:02 charon 09[CFG] received stroke: add connection 'bypasslan' Apr 3 05:32:02 charon 09[CFG] deleted connection 'con-mobile' Apr 3 05:32:02 charon 09[CFG] received stroke: delete connection 'con-mobile' Apr 3 05:32:02 charon 10[CFG] deleted connection 'bypasslan' Apr 3 05:32:02 charon 10[CFG] received stroke: delete connection 'bypasslan' Apr 3 05:32:02 ipsec_starter 88382 shunt policy 'bypasslan' uninstalled Apr 3 05:32:02 charon 10[CFG] received stroke: unroute 'bypasslan' Apr 3 05:32:02 charon 11[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls' Apr 3 05:32:02 charon 11[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts' Apr 3 05:32:02 charon 11[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts' Apr 3 05:32:02 charon 11[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts' Apr 3 05:32:02 charon 11[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts' Apr 3 05:32:02 charon 11[CFG] loaded IKE secret for %any Apr 3 05:32:02 charon 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets' Apr 3 05:32:02 charon 11[CFG] rereading secrets
-
That depends on the mix of clients mostly.
What you are trying to do there typically requires the Cisco Anyconnect client on Windows anyway.
If you MUST try this, try IKEv2 but that will probably require the strongswan app on android.
There is no 100% universal solution unfortunately. The client support is too varied.
Yes, OpenVPN requires a client but in most cases it is free and your configuration will be substantially similar across any device it supports.