IPsec: CREATE_CHILD_SA request failed
-
We have a pfSense 2.4.5 here, which provides our road warriors VPN access via IPsec IKEv2. The clients work with current Mac OS and the IKEv2 network interface provided by the operating system in the standard configuration, i.e. without a profile from the Apple Configurator.
Actually everything works fine. Unfortunately the road warriors are kicked out of the tunnel one to three times a day. You can then connect again immediately, but phone calls made via our PBX in the office and RDP connections are then gone for the time being, of course.
In the pfSense logs, I actually only find one anomaly in phase 2:
Nov 11 14:49:41 charon 13[IKE] <con-mobile|1536> CREATE_CHILD_SA request with message ID 0 processing failed
Nov 11 14:49:41 charon 13[IKE] <con-mobile|1536> integrity check failed
Nov 11 14:49:41 charon 13[ENC] <con-mobile|1536> could not decrypt payloads
Nov 11 14:49:41 charon 13[ENC] <con-mobile|1536> verifying encrypted payload integrity failed
Nov 11 14:49:41 charon 13[LIB] <con-mobile|1536> MAC verification failed
Nov 11 14:49:41 charon 13[NET] <con-mobile|1536> received packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (192 bytes)
Why is it not possible to decrypt the payload during a running connection? Does anybody have an idea? Or do I have to start somewhere else?
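The six charon lines quoted in the post are one event chain for a single IKE_SA, listed newest first (the "received packet" line that starts the chain is at the bottom). When this happens "one to three times a day", it helps to pull every such chain out of the syslog rather than eyeballing the viewer. The following Python script is an added example written for this thread, not code from the poster or from pfSense/strongSwan: it parses charon lines, groups them by connection name and IKE_SA id (the `<con-mobile|1536>` tag), reverses the newest-first order, and reports each SA that shows the full MAC-verification-to-CREATE_CHILD_SA-failure sequence together with the peer address. The sample log is constructed from the post, with the masked addresses replaced by RFC 5737 documentation placeholders; the newest-first ordering of the viewer is an assumption controlled by the `newest_first` flag.

```python
import re
from collections import defaultdict

# Constructed sample input: the six lines from the post, one per line, in the
# order the pfSense log viewer showed them (newest first). The xx.xx.xx.xx
# addresses in the post are replaced by documentation placeholders.
SAMPLE_LOG = """\
Nov 11 14:49:41 charon 13[IKE] <con-mobile|1536> CREATE_CHILD_SA request with message ID 0 processing failed
Nov 11 14:49:41 charon 13[IKE] <con-mobile|1536> integrity check failed
Nov 11 14:49:41 charon 13[ENC] <con-mobile|1536> could not decrypt payloads
Nov 11 14:49:41 charon 13[ENC] <con-mobile|1536> verifying encrypted payload integrity failed
Nov 11 14:49:41 charon 13[LIB] <con-mobile|1536> MAC verification failed
Nov 11 14:49:41 charon 13[NET] <con-mobile|1536> received packet: from 203.0.113.10[4500] to 198.51.100.1[4500] (192 bytes)
"""

# Syslog prefix, "charon", thread id, log group in brackets, then the IKE_SA
# tag <connection-name|unique-id> and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<group>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
PEER_RE = re.compile(r"from (\S+?)\[\d+\]")

# The messages charon emits, oldest first, when an inbound IKE message fails
# its integrity check and the exchange it carried is dropped.
INTEGRITY_FAILURE_CHAIN = [
    ("NET", "received packet"),
    ("LIB", "MAC verification failed"),
    ("ENC", "verifying encrypted payload integrity failed"),
    ("ENC", "could not decrypt payloads"),
    ("IKE", "integrity check failed"),
    ("IKE", "processing failed"),
]


def parse_charon(text):
    """Parse charon syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_integrity_failures(events, newest_first=True):
    """Group events per IKE_SA and report SAs showing the full failure chain.

    Returns {(conn_name, sa_id): {"ts", "peer", "failed_request"}}.
    """
    ordered = list(reversed(events)) if newest_first else list(events)
    by_sa = defaultdict(list)
    for ev in ordered:
        by_sa[(ev["conn"], int(ev["sa"]))].append(ev)

    hits = {}
    for key, evs in by_sa.items():
        idx, peer = 0, None
        for ev in evs:
            group, needle = INTEGRITY_FAILURE_CHAIN[idx]
            if ev["group"] != group or needle not in ev["msg"]:
                continue
            if group == "NET":
                pm = PEER_RE.search(ev["msg"])
                peer = pm.group(1) if pm else None
            idx += 1
            if idx == len(INTEGRITY_FAILURE_CHAIN):
                # The final line names the exchange that was discarded,
                # e.g. "CREATE_CHILD_SA request with message ID 0 ..."
                hits[key] = {
                    "ts": ev["ts"],
                    "peer": peer,
                    "failed_request": ev["msg"].split(" request")[0],
                }
                break
    return hits


if __name__ == "__main__":
    for (conn, sa), info in find_integrity_failures(parse_charon(SAMPLE_LOG)).items():
        print(f"{info['ts']} {conn}|{sa} peer={info['peer']} dropped {info['failed_request']}")
```

Run it against the full IPsec log (`cat /var/log/ipsec.log | python3 script.py` after swapping `SAMPLE_LOG` for stdin) to see how many distinct SAs hit the chain per day and whether the dropped exchange is always a CREATE_CHILD_SA with message ID 0, which is the rekey request; that count and the time gaps between hits are the first thing to bring to the next troubleshooting step.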