Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec tunnels are not coming up since last update

    Development
    2
    25
    1.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      luphi
      last edited by

      We are getting closer...

       # swanctl --load-conns --file /var/etc/ipsec/swanctl.conf
loaded connection 'bypass'
loading connection 'con1000' failed: invalid value for: proposals, config discarded
loading connection 'con2000' failed: invalid value for: proposals, config discarded
loaded 1 of 3 connections, 2 failed to load, 0 unloaded
      1 Reply Last reply Reply Quote 0
      • L
        luphi
        last edited by

        When I check the GUI (VPN -> IPsec -> Tunnels -> Edit Phase 1),
        the "Phase1 proposal (Encryption Algorithm)" box shown twice:

        a4eb677e-bcc6-453b-a9b4-93d12f7ead4e-grafik.png

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          That's a known issue that I just pushed a fix for: https://redmine.pfsense.org/issues/10151

          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • L
            luphi
            last edited by

            thought, it might be related to my issue

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by jimp

              Doesn't appear to be. Looks like it's something with the way the P1 proposal is being formed with certain combinations of options. I finally found one tunnel on one of my VMs that is doing the same thing.

              Looks like what actually broke it is https://redmine.pfsense.org/issues/9726

              Not working: proposals = aes128gcm128-curve448
              Working: proposals = aes128gcm128-aesxcbc-curve448

              I reverted the change from the PR on there and it came up and started working again.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • L
                luphi
                last edited by luphi

                Mh, shouldn't the GUI avoid setting invalid combinations?
                Anyway, I changed some valid combination and now I get

                #  swanctl --load-conns --file /var/etc/ipsec/swanctl.conf
loaded connection 'bypass'
loaded connection 'con1000'
loaded connection 'con2000'
successfully loaded 3 connections, 0 unloaded

                but the tunnels are still not coming up
                Still nothing in tcpdump (filtering only on peer gw ip)

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  That's the issue with the commit. It is a valid combination, but it wasn't working due to that change.

                  Whatever problem that change was trying to solve needs a better solution.

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • L
                    luphi
                    last edited by

                    Phase1 seems to work now, but still issues with phase2:
                    I can't figure it out

                    Jan  3 16:01:52 eagle1 charon[92988]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, FreeBSD 12.0-RELEASE-p10, amd64)
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] PKCS11 module '<name>' lacks library path
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/local/lib/opensc-pkcs11.so)
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG]   OpenSC Project: OpenSC smartcard framework v0.19
Jan  3 16:01:52 eagle1 charon[92988]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan  3 16:01:52 eagle1 charon[92988]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] ipseckey plugin is disabled
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Jan  3 16:01:52 eagle1 charon[92988]: 00[CFG] loaded 0 RADIUS server configurations
Jan  3 16:01:52 eagle1 charon[92988]: 00[LIB] loaded plugins: charon unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Jan  3 16:01:52 eagle1 charon[92988]: 00[JOB] spawning 16 worker threads
Jan  3 16:01:53 eagle1 charon[92988]: 07[CFG] vici client 1 connected
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: get-keys
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: get-shared
Jan  3 16:01:53 eagle1 charon[92988]: 07[CFG] vici client 1 requests: load-shared
Jan  3 16:01:53 eagle1 charon[92988]: 07[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'dxclab'
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: load-shared
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] loaded IKE shared key with id 'ike-1' for: '%any', 'ssck'
Jan  3 16:01:53 eagle1 charon[92988]: 15[CFG] vici client 1 requests: get-authorities
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: get-pools
Jan  3 16:01:53 eagle1 charon[92988]: 15[CFG] vici client 1 requests: get-conns
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: load-conn
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]  conn bypass:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   child bypass:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_time = 3600
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_time = 3960
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_time = 360
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    updown = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    hostaccess = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    ipcomp = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mode = PASS
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    policies = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    policies_fwd_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    dpd_action = clear
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    start_action = hold
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    close_action = clear
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    reqid = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    tfc = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    priority = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    interface = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    if_id_in = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    if_id_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_in = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_in_sa = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_out = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    set_mark_in = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    set_mark_out = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    inactivity = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    proposals = ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    local_ts = 172.23.1.0/24|/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    remote_ts = 172.23.1.0/24|/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    hw_offload = no
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    sha256_96 = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_df = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_ecn = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_dscp = out
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   version = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local_addrs = %any
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote_addrs = 127.0.0.1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local_port = 500
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote_port = 500
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   send_certreq = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   send_cert = CERT_SEND_IF_ASKED
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   ppk_id = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   ppk_required = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   mobike = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   aggressive = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dscp = 0x00
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   encap = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dpd_delay = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dpd_timeout = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   fragmentation = 2
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   childless = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   unique = UNIQUE_NO
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   keyingtries = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   reauth_time = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   rekey_time = 14400
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   over_time = 1440
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   rand_time = 1440
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   if_id_in = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   if_id_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] added vici connection: bypass
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] installing 'bypass'
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: load-conn
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]  conn con1000:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   child con1000:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_time = 3600
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_time = 3600
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_time = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    updown = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    hostaccess = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    ipcomp = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mode = TUNNEL
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    policies = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    policies_fwd_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    dpd_action = restart
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    start_action = hold
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    close_action = clear
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    reqid = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    tfc = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    priority = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    interface = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    if_id_in = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    if_id_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_in = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_in_sa = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_out = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    set_mark_in = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    set_mark_out = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    inactivity = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    proposals = ESP:AES_CBC_256/AES_XCBC_96/MODP_8192/NO_EXT_SEQ
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    local_ts = 172.23.0.0/19|/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    remote_ts = 145.16.214.0/24|/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    hw_offload = no
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    sha256_96 = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_df = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_ecn = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_dscp = out
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   version = 2
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local_addrs = 172.23.5.254
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote_addrs = 87.190.254.122
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local_port = 500
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote_port = 500
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   send_certreq = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   send_cert = CERT_SEND_IF_ASKED
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   ppk_id = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   ppk_required = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   mobike = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   aggressive = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dscp = 0x00
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   encap = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dpd_delay = 5
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dpd_timeout = 20
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   fragmentation = 2
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   childless = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   unique = UNIQUE_REPLACE
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   keyingtries = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   reauth_time = 25920
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   rekey_time = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   over_time = 2880
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   rand_time = 2880
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   proposals = IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_8192
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   if_id_in = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   if_id_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    class = pre-shared key
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    id = luphi
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    class = pre-shared key
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    id = dxclab
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] added vici connection: con1000
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] installing 'con1000'
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] configured proposals: ESP:AES_CBC_256/AES_XCBC_96/NO_EXT_SEQ
Jan  3 16:01:53 eagle1 charon[92988]: 14[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] vici client 1 requests: load-conn
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]  conn con2000:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   child con2000:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_time = 3600
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_time = 3600
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_time = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_bytes = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rekey_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    life_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    rand_packets = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    updown = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    hostaccess = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    ipcomp = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mode = TUNNEL
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    policies = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    policies_fwd_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    dpd_action = restart
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    start_action = hold
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    close_action = clear
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    reqid = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    tfc = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    priority = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    interface = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    if_id_in = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    if_id_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_in = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_in_sa = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    mark_out = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    set_mark_in = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    set_mark_out = 0/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    inactivity = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    proposals = ESP:AES_CBC_256/AES_XCBC_96/MODP_8192/NO_EXT_SEQ
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    local_ts = 172.23.0.0/19|/0 172.23.0.0/19|/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    remote_ts = 10.42.0.0/20|/0 10.0.1.0/24|/0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    hw_offload = no
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    sha256_96 = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_df = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_ecn = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    copy_dscp = out
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   version = 2
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local_addrs = 172.23.5.254
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote_addrs = ssck.ddns.net
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local_port = 500
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote_port = 500
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   send_certreq = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   send_cert = CERT_SEND_IF_ASKED
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   ppk_id = (null)
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   ppk_required = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   mobike = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   aggressive = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dscp = 0x00
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   encap = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dpd_delay = 10
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   dpd_timeout = 60
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   fragmentation = 2
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   childless = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   unique = UNIQUE_REPLACE
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   keyingtries = 1
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   reauth_time = 25920
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   rekey_time = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   over_time = 2880
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   rand_time = 2880
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   proposals = IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_8192
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   if_id_in = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   if_id_out = 0
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   local:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    class = pre-shared key
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    id = luphi
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]   remote:
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    class = pre-shared key
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG]    id = ssck
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] added vici connection: con2000
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] installing 'con2000'
Jan  3 16:01:53 eagle1 charon[92988]: 14[CFG] configured proposals: ESP:AES_CBC_256/AES_XCBC_96/NO_EXT_SEQ
Jan  3 16:01:53 eagle1 charon[92988]: 14[CHD] CHILD_SA con2000{2} state change: CREATED => ROUTED
Jan  3 16:01:53 eagle1 charon[92988]: 13[CFG] vici client 1 disconnected
Jan  3 16:01:53 eagle1 charon[92988]: 13[KNL] creating acquire job for policy 172.23.5.254/32|/0 === 93.245.202.216/32|/0 with reqid {2}
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_VENDOR task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_INIT task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_NATD task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_CERT_PRE task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_AUTH task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_CERT_POST task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_CONFIG task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing IKE_AUTH_LIFETIME task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing CHILD_CREATE task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> activating new tasks
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_VENDOR task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_INIT task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_NATD task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_CERT_PRE task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_AUTH task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_CERT_POST task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_CONFIG task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating CHILD_CREATE task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating IKE_AUTH_LIFETIME task
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> initiating IKE_SA con2000[1] to 93.245.202.216
Jan  3 16:01:53 eagle1 charon[92988]: 12[IKE] <con2000|1> IKE_SA con2000[1] state change: CREATED => CONNECTING
Jan  3 16:01:53 eagle1 charon[92988]: 12[CFG] <con2000|1> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_8192
Jan  3 16:01:53 eagle1 charon[92988]: 12[CFG] <con2000|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jan  3 16:01:53 eagle1 charon[92988]: 12[ENC] <con2000|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  3 16:01:53 eagle1 charon[92988]: 12[NET] <con2000|1> sending packet: from 172.23.5.254[500] to 93.245.202.216[500] (1232 bytes)
Jan  3 16:01:54 eagle1 charon[92988]: 12[NET] <con2000|1> received packet: from 93.245.202.216[500] to 172.23.5.254[500] (1232 bytes)
Jan  3 16:01:54 eagle1 charon[92988]: 12[ENC] <con2000|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan  3 16:01:54 eagle1 charon[92988]: 12[IKE] <con2000|1> received FRAGMENTATION_SUPPORTED notify
Jan  3 16:01:54 eagle1 charon[92988]: 12[IKE] <con2000|1> received SIGNATURE_HASH_ALGORITHMS notify
Jan  3 16:01:54 eagle1 charon[92988]: 12[CFG] <con2000|1> selecting proposal:
Jan  3 16:01:54 eagle1 charon[92988]: 12[CFG] <con2000|1>   proposal matches
Jan  3 16:01:54 eagle1 charon[92988]: 12[CFG] <con2000|1> received proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_8192
Jan  3 16:01:54 eagle1 charon[92988]: 12[CFG] <con2000|1> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_8192
Jan  3 16:01:54 eagle1 charon[92988]: 12[CFG] <con2000|1> selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_8192
Jan  3 16:01:54 eagle1 charon[92988]: 12[CFG] <con2000|1> received supported signature hash algorithms: sha256 sha384 sha512 identity
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> local host is behind NAT, sending keep alives
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> remote host is behind NAT
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> reinitiating already active tasks
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1>   IKE_CERT_PRE task
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1>   IKE_AUTH task
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> authentication of 'luphi' (myself) with pre-shared key
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> successfully created shared key MAC
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1> proposing traffic selectors for us:
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1>  172.23.0.0/19|/0
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1>  172.23.0.0/19|/0
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1> proposing traffic selectors for other:
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1>  10.42.0.0/20|/0
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1>  10.0.1.0/24|/0
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1> configured proposals: ESP:AES_CBC_256/AES_XCBC_96/NO_EXT_SEQ
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> establishing CHILD_SA con2000{3} reqid 2
Jan  3 16:01:55 eagle1 charon[92988]: 12[ENC] <con2000|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan  3 16:01:55 eagle1 charon[92988]: 12[NET] <con2000|1> sending packet: from 172.23.5.254[4500] to 93.245.202.216[4500] (268 bytes)
Jan  3 16:01:55 eagle1 charon[92988]: 12[NET] <con2000|1> received packet: from 93.245.202.216[4500] to 172.23.5.254[4500] (124 bytes)
Jan  3 16:01:55 eagle1 charon[92988]: 12[ENC] <con2000|1> parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(NO_PROP) ]
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> authentication of 'ssck' with pre-shared key successful
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> IKE_SA con2000[1] established between 172.23.5.254[luphi]...93.245.202.216[ssck]
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> IKE_SA con2000[1] state change: CONNECTING => ESTABLISHED
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> scheduling reauthentication in 24475s
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> maximum IKE_SA lifetime 27355s
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jan  3 16:01:55 eagle1 charon[92988]: 12[CFG] <con2000|1> configured proposals: ESP:AES_CBC_256/AES_XCBC_96/MODP_8192/NO_EXT_SEQ
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> failed to establish CHILD_SA, keeping IKE_SA
Jan  3 16:01:55 eagle1 charon[92988]: 12[CHD] <con2000|1> CHILD_SA con2000{3} state change: CREATED => DESTROYING
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> received AUTH_LIFETIME of 28232s, reauthentication already scheduled in 24475s
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> activating new tasks
Jan  3 16:01:55 eagle1 charon[92988]: 12[IKE] <con2000|1> nothing to initiate
Jan  3 16:01:55 eagle1 charon[92988]: 10[CFG] vici client 2 connected
Jan  3 16:01:55 eagle1 charon[92988]: 09[CFG] vici client 2 registered for: list-sa
Jan  3 16:01:55 eagle1 charon[92988]: 09[CFG] vici client 2 requests: list-sas
Jan  3 16:01:55 eagle1 charon[92988]: 09[CFG] vici client 2 disconnected
Jan  3 16:01:57 eagle1 charon[92988]: 10[CFG] vici client 3 connected
Jan  3 16:01:57 eagle1 charon[92988]: 10[CFG] vici client 3 registered for: list-sa
Jan  3 16:01:57 eagle1 charon[92988]: 12[CFG] vici client 3 requests: list-sas
Jan  3 16:01:57 eagle1 charon[92988]: 10[CFG] vici client 3 disconnected
Jan  3 16:01:59 eagle1 charon[92988]: 12[KNL] creating acquire job for policy 172.23.5.254/32|/0 === 93.245.202.216/32|/0 with reqid {2}
Jan  3 16:01:59 eagle1 charon[92988]: 12[IKE] <con2000|1> queueing CHILD_CREATE task
Jan  3 16:01:59 eagle1 charon[92988]: 12[IKE] <con2000|1> activating new tasks
Jan  3 16:01:59 eagle1 charon[92988]: 12[IKE] <con2000|1>   activating CHILD_CREATE task
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1> proposing traffic selectors for us:
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1>  172.23.0.0/19|/0
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1>  172.23.0.0/19|/0
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1> proposing traffic selectors for other:
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1>  10.42.0.0/20|/0
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1>  10.0.1.0/24|/0
Jan  3 16:01:59 eagle1 charon[92988]: 12[CFG] <con2000|1> configured proposals: ESP:AES_CBC_256/AES_XCBC_96/MODP_8192/NO_EXT_SEQ
Jan  3 16:01:59 eagle1 charon[92988]: 12[IKE] <con2000|1> establishing CHILD_SA con2000{4} reqid 2
Jan  3 16:01:59 eagle1 charon[92988]: 12[ENC] <con2000|1> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jan  3 16:01:59 eagle1 charon[92988]: 12[ENC] <con2000|1> splitting IKE message (1260 bytes) into 2 fragments
Jan  3 16:01:59 eagle1 charon[92988]: 12[ENC] <con2000|1> generating CREATE_CHILD_SA request 2 [ EF(1/2) ]
Jan  3 16:01:59 eagle1 charon[92988]: 12[ENC] <con2000|1> generating CREATE_CHILD_SA request 2 [ EF(2/2) ]
Jan  3 16:01:59 eagle1 charon[92988]: 12[NET] <con2000|1> sending packet: from 172.23.5.254[4500] to 93.245.202.216[4500] (1248 bytes)
Jan  3 16:01:59 eagle1 charon[92988]: 12[NET] <con2000|1> sending packet: from 172.23.5.254[4500] to 93.245.202.216[4500] (80 bytes)
Jan  3 16:02:00 eagle1 charon[92988]: 12[NET] <con2000|1> received packet: from 93.245.202.216[4500] to 172.23.5.254[4500] (76 bytes)
Jan  3 16:02:00 eagle1 charon[92988]: 12[ENC] <con2000|1> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jan  3 16:02:00 eagle1 charon[92988]: 12[IKE] <con2000|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jan  3 16:02:00 eagle1 charon[92988]: 12[CFG] <con2000|1> configured proposals: ESP:AES_CBC_256/AES_XCBC_96/MODP_8192/NO_EXT_SEQ
Jan  3 16:02:00 eagle1 charon[92988]: 12[IKE] <con2000|1> failed to establish CHILD_SA, keeping IKE_SA
Jan  3 16:02:00 eagle1 charon[92988]: 12[CHD] <con2000|1> CHILD_SA con2000{4} state change: CREATED => DESTROYING
Jan  3 16:02:00 eagle1 charon[92988]: 12[IKE] <con2000|1> activating new tasks
Jan  3 16:02:00 eagle1 charon[92988]: 12[IKE] <con2000|1> nothing to initiate
Jan  3 16:02:02 eagle1 charon[92988]: 08[CFG] vici client 4 connected
Jan  3 16:02:02 eagle1 charon[92988]: 08[CFG] vici client 4 registered for: list-sa
Jan  3 16:02:02 eagle1 charon[92988]: 08[CFG] vici client 4 requests: list-sas
Jan  3 16:02:02 eagle1 charon[92988]: 08[CFG] vici client 4 disconnected
                    1 Reply Last reply Reply Quote 0
                    • L
                      luphi
                      last edited by

                      When I try to edit p1 proposal, the key-length is always empty

                      f8acfcd6-3f2e-403a-90d4-05bcb6437b7e-grafik.png

                      1 Reply Last reply Reply Quote 0
                      • L
                        luphi
                        last edited by

                        tunnels are up again.
                        Thanky you jimp for fast and competent support.
                        Really appreciate it.

                        Cheers,
                        luphi

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.