
    IPsec died when upgrading to 2.5.0.a.20210107.2142 from 2.5 December 20 release

    • S
      seanr22a
      last edited by

      I have been running the 2.5 development release since it first came out. My IPsec config has been the same all the time at the main and remote site, running without any issues. I'm well aware that it is a development release :)

      Today I updated from the 2.5 December 20 release to 2.5.0.a.20210107.2142 at the main and remote site and it killed IPsec - note that the configs are untouched. Everything else is working fine; the only problem is IPsec.

      My ISP at both sites has their own modem with NAT that I can't touch; behind the ISP 'modem' at each site I have the pfSense box. To get a fresh logfile I disabled the tunnel, cleared the log file and enabled the tunnel, so the logfile is from first start at the main site.

      Here is the log file if someone knows what it's saying:

      Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> IKE_SA con2000[4] state change: CONNECTING => DESTROYING
      Jan 9 00:04:17 charon 80715 13[NET] <con2000|4> sending packet: from 192.168.111.2[4500] to 14.207.69.123[11406] (65 bytes)
      Jan 9 00:04:17 charon 80715 13[ENC] <con2000|4> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> tried 1 shared key for 'kallhall1a.dyndns.org' - 'huahin2a.dyndns.org', but MAC mismatched
      Jan 9 00:04:17 charon 80715 13[CFG] <con2000|4> selected peer config 'con2000'
      Jan 9 00:04:17 charon 80715 13[CFG] <4> candidate "con2000", match: 20/20/3100 (me/other/ike)
      Jan 9 00:04:17 charon 80715 13[CFG] <4> looking for peer configs matching 192.168.111.2[kallhall1a.dyndns.org]...14.207.69.123[huahin2a.dyndns.org]
      Jan 9 00:04:17 charon 80715 13[ENC] <4> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 9 00:04:17 charon 80715 13[NET] <4> received packet: from 14.207.69.123[11406] to 192.168.111.2[4500] (293 bytes)
      Jan 9 00:04:17 charon 80715 13[NET] <4> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (464 bytes)
      Jan 9 00:04:17 charon 80715 13[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 9 00:04:17 charon 80715 13[CFG] <4> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:17 charon 80715 13[IKE] <4> remote host is behind NAT
      Jan 9 00:04:17 charon 80715 13[IKE] <4> local host is behind NAT, sending keep alives
      Jan 9 00:04:17 charon 80715 13[CFG] <4> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:17 charon 80715 13[CFG] <4> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:17 charon 80715 13[CFG] <4> configured proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:17 charon 80715 13[CFG] <4> received proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:17 charon 80715 13[CFG] <4> proposal matches
      Jan 9 00:04:17 charon 80715 13[CFG] <4> selecting proposal:
      Jan 9 00:04:17 charon 80715 13[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
      Jan 9 00:04:17 charon 80715 13[IKE] <4> 14.207.69.123 is initiating an IKE_SA
      Jan 9 00:04:17 charon 80715 13[CFG] <4> found matching ike config: 192.168.111.2...huahin2a.dyndns.org with prio 3100
      Jan 9 00:04:17 charon 80715 13[CFG] <4> candidate: 192.168.111.2...huahin2a.dyndns.org, prio 3100
      Jan 9 00:04:17 charon 80715 13[CFG] <4> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:17 charon 80715 13[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:17 charon 80715 13[NET] <4> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:12 charon 80715 13[IKE] <con2000|3> IKE_SA con2000[3] state change: CONNECTING => DESTROYING
      Jan 9 00:04:12 charon 80715 13[NET] <con2000|3> sending packet: from 192.168.111.2[4500] to 14.207.69.123[11406] (65 bytes)
      Jan 9 00:04:12 charon 80715 13[ENC] <con2000|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 9 00:04:12 charon 80715 13[IKE] <con2000|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 9 00:04:12 charon 80715 13[IKE] <con2000|3> tried 1 shared key for 'kallhall1a.dyndns.org' - 'huahin2a.dyndns.org', but MAC mismatched
      Jan 9 00:04:12 charon 80715 13[CFG] <con2000|3> selected peer config 'con2000'
      Jan 9 00:04:12 charon 80715 13[CFG] <3> candidate "con2000", match: 20/20/3100 (me/other/ike)
      Jan 9 00:04:12 charon 80715 13[CFG] <3> looking for peer configs matching 192.168.111.2[kallhall1a.dyndns.org]...14.207.69.123[huahin2a.dyndns.org]
      Jan 9 00:04:12 charon 80715 13[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 9 00:04:12 charon 80715 13[NET] <3> received packet: from 14.207.69.123[11406] to 192.168.111.2[4500] (293 bytes)
      Jan 9 00:04:11 charon 80715 13[NET] <3> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (464 bytes)
      Jan 9 00:04:11 charon 80715 13[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 9 00:04:11 charon 80715 13[CFG] <3> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:11 charon 80715 13[IKE] <3> remote host is behind NAT
      Jan 9 00:04:11 charon 80715 13[IKE] <3> local host is behind NAT, sending keep alives
      Jan 9 00:04:11 charon 80715 13[CFG] <3> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:11 charon 80715 13[CFG] <3> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:11 charon 80715 13[CFG] <3> configured proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:11 charon 80715 13[CFG] <3> received proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:11 charon 80715 13[CFG] <3> proposal matches
      Jan 9 00:04:11 charon 80715 13[CFG] <3> selecting proposal:
      Jan 9 00:04:11 charon 80715 13[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
      Jan 9 00:04:11 charon 80715 13[IKE] <3> 14.207.69.123 is initiating an IKE_SA
      Jan 9 00:04:11 charon 80715 13[CFG] <3> found matching ike config: 192.168.111.2...huahin2a.dyndns.org with prio 3100
      Jan 9 00:04:11 charon 80715 13[CFG] <3> candidate: 192.168.111.2...huahin2a.dyndns.org, prio 3100
      Jan 9 00:04:11 charon 80715 13[CFG] <3> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:11 charon 80715 13[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:11 charon 80715 13[NET] <3> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:02 charon 80715 13[IKE] <con2000|2> IKE_SA con2000[2] state change: CONNECTING => DESTROYING
      Jan 9 00:04:02 charon 80715 13[NET] <con2000|2> sending packet: from 192.168.111.2[4500] to 14.207.69.123[11406] (65 bytes)
      Jan 9 00:04:02 charon 80715 13[ENC] <con2000|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 9 00:04:02 charon 80715 13[IKE] <con2000|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 9 00:04:02 charon 80715 13[IKE] <con2000|2> tried 1 shared key for 'kallhall1a.dyndns.org' - 'huahin2a.dyndns.org', but MAC mismatched
      Jan 9 00:04:02 charon 80715 13[CFG] <con2000|2> selected peer config 'con2000'
      Jan 9 00:04:02 charon 80715 13[CFG] <2> candidate "con2000", match: 20/20/3100 (me/other/ike)
      Jan 9 00:04:02 charon 80715 13[CFG] <2> looking for peer configs matching 192.168.111.2[kallhall1a.dyndns.org]...14.207.69.123[huahin2a.dyndns.org]
      Jan 9 00:04:02 charon 80715 13[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 9 00:04:02 charon 80715 13[NET] <2> received packet: from 14.207.69.123[11406] to 192.168.111.2[4500] (293 bytes)
      Jan 9 00:04:02 charon 80715 13[NET] <2> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (464 bytes)
      Jan 9 00:04:02 charon 80715 13[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 9 00:04:02 charon 80715 13[CFG] <2> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:02 charon 80715 13[IKE] <2> remote host is behind NAT
      Jan 9 00:04:02 charon 80715 13[IKE] <2> local host is behind NAT, sending keep alives
      Jan 9 00:04:02 charon 80715 13[CFG] <2> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:02 charon 80715 13[CFG] <2> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:02 charon 80715 13[CFG] <2> configured proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:02 charon 80715 13[CFG] <2> received proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:02 charon 80715 13[CFG] <2> proposal matches
      Jan 9 00:04:02 charon 80715 13[CFG] <2> selecting proposal:
      Jan 9 00:04:02 charon 80715 13[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
      Jan 9 00:04:02 charon 80715 13[IKE] <2> 14.207.69.123 is initiating an IKE_SA
      Jan 9 00:04:02 charon 80715 13[CFG] <2> found matching ike config: 192.168.111.2...huahin2a.dyndns.org with prio 3100
      Jan 9 00:04:02 charon 80715 13[CFG] <2> candidate: 192.168.111.2...huahin2a.dyndns.org, prio 3100
      Jan 9 00:04:02 charon 80715 13[CFG] <2> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:02 charon 80715 13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:02 charon 80715 13[NET] <2> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:01 charon 80715 13[CFG] vici client 1 disconnected
      Jan 9 00:04:01 charon 80715 14[CHD] CHILD_SA con2000{1} state change: CREATED => ROUTED
      Jan 9 00:04:01 charon 80715 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
      Jan 9 00:04:01 charon 80715 14[CFG] installing 'con2000'
      Jan 9 00:04:01 charon 80715 14[CFG] added vici connection: con2000
      Jan 9 00:04:01 charon 80715 14[CFG] id = huahin2a.dyndns.org
      Jan 9 00:04:01 charon 80715 14[CFG] class = pre-shared key
      Jan 9 00:04:01 charon 80715 14[CFG] remote:
      Jan 9 00:04:01 charon 80715 14[CFG] id = kallhall1a.dyndns.org
      Jan 9 00:04:01 charon 80715 14[CFG] class = pre-shared key
      Jan 9 00:04:01 charon 80715 14[CFG] local:
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 14[CFG] proposals = IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:01 charon 80715 14[CFG] rand_time = 2860
      Jan 9 00:04:01 charon 80715 14[CFG] over_time = 2860
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_time = 25740
      Jan 9 00:04:01 charon 80715 14[CFG] reauth_time = 25720
      Jan 9 00:04:01 charon 80715 14[CFG] keyingtries = 1
      Jan 9 00:04:01 charon 80715 14[CFG] unique = UNIQUE_REPLACE
      Jan 9 00:04:01 charon 80715 14[CFG] childless = 0
      Jan 9 00:04:01 charon 80715 14[CFG] fragmentation = 2
      Jan 9 00:04:01 charon 80715 14[CFG] dpd_timeout = 72
      Jan 9 00:04:01 charon 80715 14[CFG] dpd_delay = 12
      Jan 9 00:04:01 charon 80715 14[CFG] encap = 0
      Jan 9 00:04:01 charon 80715 14[CFG] dscp = 0x00
      Jan 9 00:04:01 charon 80715 14[CFG] aggressive = 0
      Jan 9 00:04:01 charon 80715 14[CFG] mobike = 0
      Jan 9 00:04:01 charon 80715 14[CFG] ppk_required = 0
      Jan 9 00:04:01 charon 80715 14[CFG] ppk_id = (null)
      Jan 9 00:04:01 charon 80715 14[CFG] send_cert = CERT_SEND_IF_ASKED
      Jan 9 00:04:01 charon 80715 14[CFG] send_certreq = 1
      Jan 9 00:04:01 charon 80715 14[CFG] remote_port = 500
      Jan 9 00:04:01 charon 80715 14[CFG] local_port = 500
      Jan 9 00:04:01 charon 80715 14[CFG] remote_addrs = huahin2a.dyndns.org
      Jan 9 00:04:01 charon 80715 14[CFG] local_addrs = 192.168.111.2
      Jan 9 00:04:01 charon 80715 14[CFG] version = 2
      Jan 9 00:04:01 charon 80715 14[CFG] copy_dscp = out
      Jan 9 00:04:01 charon 80715 14[CFG] copy_ecn = 1
      Jan 9 00:04:01 charon 80715 14[CFG] copy_df = 1
      Jan 9 00:04:01 charon 80715 14[CFG] sha256_96 = 0
      Jan 9 00:04:01 charon 80715 14[CFG] hw_offload = no
      Jan 9 00:04:01 charon 80715 14[CFG] remote_ts = 192.168.11.0/24|/0 192.168.8.0/24|/0 192.168.11.0/24|/0 192.168.8.0/24|/0
      Jan 9 00:04:01 charon 80715 14[CFG] local_ts = 192.168.12.0/24|/0 192.168.12.0/24|/0 192.168.17.0/24|/0 192.168.17.0/24|/0
      Jan 9 00:04:01 charon 80715 14[CFG] proposals = ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ
      Jan 9 00:04:01 charon 80715 14[CFG] inactivity = 0
      Jan 9 00:04:01 charon 80715 14[CFG] set_mark_out = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] set_mark_in = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] mark_out = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] mark_in_sa = 0
      Jan 9 00:04:01 charon 80715 14[CFG] mark_in = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 14[CFG] interface = (null)
      Jan 9 00:04:01 charon 80715 14[CFG] priority = 0
      Jan 9 00:04:01 charon 80715 14[CFG] tfc = 0
      Jan 9 00:04:01 charon 80715 14[CFG] reqid = 0
      Jan 9 00:04:01 charon 80715 14[CFG] close_action = clear
      Jan 9 00:04:01 charon 80715 14[CFG] start_action = hold
      Jan 9 00:04:01 charon 80715 14[CFG] dpd_action = hold
      Jan 9 00:04:01 charon 80715 14[CFG] policies_fwd_out = 0
      Jan 9 00:04:01 charon 80715 14[CFG] policies = 1
      Jan 9 00:04:01 charon 80715 14[CFG] mode = TUNNEL
      Jan 9 00:04:01 charon 80715 14[CFG] ipcomp = 0
      Jan 9 00:04:01 charon 80715 14[CFG] hostaccess = 0
      Jan 9 00:04:01 charon 80715 14[CFG] updown = (null)
      Jan 9 00:04:01 charon 80715 14[CFG] rand_packets = 0
      Jan 9 00:04:01 charon 80715 14[CFG] life_packets = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_packets = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rand_bytes = 0
      Jan 9 00:04:01 charon 80715 14[CFG] life_bytes = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_bytes = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rand_time = 360
      Jan 9 00:04:01 charon 80715 14[CFG] life_time = 3600
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_time = 3240
      Jan 9 00:04:01 charon 80715 14[CFG] child con2000:
      Jan 9 00:04:01 charon 80715 14[CFG] conn con2000:
      Jan 9 00:04:01 charon 80715 14[CFG] vici client 1 requests: load-conn
      Jan 9 00:04:01 charon 80715 06[CFG] installing 'bypasslan'
      Jan 9 00:04:01 charon 80715 06[CFG] added vici connection: bypass
      Jan 9 00:04:01 charon 80715 06[CFG] remote:
      Jan 9 00:04:01 charon 80715 06[CFG] local:
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 06[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Jan 9 00:04:01 charon 80715 06[CFG] rand_time = 1440
      Jan 9 00:04:01 charon 80715 06[CFG] over_time = 1440
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_time = 14400
      Jan 9 00:04:01 charon 80715 06[CFG] reauth_time = 0
      Jan 9 00:04:01 charon 80715 06[CFG] keyingtries = 1
      Jan 9 00:04:01 charon 80715 06[CFG] unique = UNIQUE_NO
      Jan 9 00:04:01 charon 80715 06[CFG] childless = 0
      Jan 9 00:04:01 charon 80715 06[CFG] fragmentation = 2
      Jan 9 00:04:01 charon 80715 06[CFG] dpd_timeout = 0
      Jan 9 00:04:01 charon 80715 06[CFG] dpd_delay = 0
      Jan 9 00:04:01 charon 80715 06[CFG] encap = 0
      Jan 9 00:04:01 charon 80715 06[CFG] dscp = 0x00
      Jan 9 00:04:01 charon 80715 06[CFG] aggressive = 0
      Jan 9 00:04:01 charon 80715 06[CFG] mobike = 1
      Jan 9 00:04:01 charon 80715 06[CFG] ppk_required = 0
      Jan 9 00:04:01 charon 80715 06[CFG] ppk_id = (null)
      Jan 9 00:04:01 charon 80715 06[CFG] send_cert = CERT_SEND_IF_ASKED
      Jan 9 00:04:01 charon 80715 06[CFG] send_certreq = 1
      Jan 9 00:04:01 charon 80715 06[CFG] remote_port = 500
      Jan 9 00:04:01 charon 80715 06[CFG] local_port = 500
      Jan 9 00:04:01 charon 80715 06[CFG] remote_addrs = 127.0.0.1
      Jan 9 00:04:01 charon 80715 06[CFG] local_addrs = %any
      Jan 9 00:04:01 charon 80715 06[CFG] version = 0
      Jan 9 00:04:01 charon 80715 06[CFG] copy_dscp = out
      Jan 9 00:04:01 charon 80715 06[CFG] copy_ecn = 1
      Jan 9 00:04:01 charon 80715 06[CFG] copy_df = 1
      Jan 9 00:04:01 charon 80715 06[CFG] sha256_96 = 0
      Jan 9 00:04:01 charon 80715 06[CFG] hw_offload = no
      Jan 9 00:04:01 charon 80715 06[CFG] remote_ts = 192.168.12.0/24|/0
      Jan 9 00:04:01 charon 80715 06[CFG] local_ts = 192.168.12.0/24|/0
      Jan 9 00:04:01 charon 80715 06[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
      Jan 9 00:04:01 charon 80715 06[CFG] inactivity = 0
      Jan 9 00:04:01 charon 80715 06[CFG] set_mark_out = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] set_mark_in = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] mark_out = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] mark_in_sa = 0
      Jan 9 00:04:01 charon 80715 06[CFG] mark_in = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 06[CFG] interface = (null)
      Jan 9 00:04:01 charon 80715 06[CFG] priority = 0
      Jan 9 00:04:01 charon 80715 06[CFG] tfc = 0
      Jan 9 00:04:01 charon 80715 06[CFG] reqid = 0
      Jan 9 00:04:01 charon 80715 06[CFG] close_action = clear
      Jan 9 00:04:01 charon 80715 06[CFG] start_action = hold
      Jan 9 00:04:01 charon 80715 06[CFG] dpd_action = clear
      Jan 9 00:04:01 charon 80715 06[CFG] policies_fwd_out = 0
      Jan 9 00:04:01 charon 80715 06[CFG] policies = 1
      Jan 9 00:04:01 charon 80715 06[CFG] mode = PASS
      Jan 9 00:04:01 charon 80715 06[CFG] ipcomp = 0
      Jan 9 00:04:01 charon 80715 06[CFG] hostaccess = 0
      Jan 9 00:04:01 charon 80715 06[CFG] updown = (null)
      Jan 9 00:04:01 charon 80715 06[CFG] rand_packets = 0
      Jan 9 00:04:01 charon 80715 06[CFG] life_packets = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_packets = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rand_bytes = 0
      Jan 9 00:04:01 charon 80715 06[CFG] life_bytes = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_bytes = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rand_time = 360
      Jan 9 00:04:01 charon 80715 06[CFG] life_time = 3960
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_time = 3600
      Jan 9 00:04:01 charon 80715 06[CFG] child bypasslan:
      Jan 9 00:04:01 charon 80715 06[CFG] conn bypass:
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: load-conn
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-conns
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-pools
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-authorities
      Jan 9 00:04:01 charon 80715 06[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'fqdn:huahin2a.dyndns.org'
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: load-shared
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-shared
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-keys
      Jan 9 00:04:01 charon 80715 16[CFG] vici client 1 connected
      Jan 9 00:04:01 charon 80715 06[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
      Jan 9 00:04:01 charon 80715 06[NET] <1> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (36 bytes)
      Jan 9 00:04:01 charon 80715 06[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Jan 9 00:04:01 charon 80715 06[IKE] <1> no IKE config found for 192.168.111.2...14.207.69.123, sending NO_PROPOSAL_CHOSEN
      Jan 9 00:04:01 charon 80715 06[CFG] <1> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:01 charon 80715 06[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:01 charon 80715 06[NET] <1> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:00 charon 80715 00[JOB] spawning 16 worker threads
      Jan 9 00:04:00 charon 80715 00[LIB] loaded plugins: charon unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
      Jan 9 00:04:00 charon 80715 00[CFG] loaded 0 RADIUS server configurations
      Jan 9 00:04:00 charon 80715 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
      Jan 9 00:04:00 charon 80715 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
      Jan 9 00:04:00 charon 80715 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
      Jan 9 00:04:00 charon 80715 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
      Jan 9 00:04:00 charon 80715 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
      Jan 9 00:04:00 charon 80715 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
      Jan 9 00:04:00 charon 80715 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
      Jan 9 00:04:00 charon 80715 00[CFG] ipseckey plugin is disabled
      Jan 9 00:04:00 charon 80715 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
      Jan 9 00:04:00 charon 80715 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
      Jan 9 00:04:00 charon 80715 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
      Jan 9 00:04:00 charon 80715 00[KNL] unable to set UDP_ENCAP: Invalid argument
      Jan 9 00:04:00 charon 80715 00[CFG] OpenSC Project: OpenSC smartcard framework v0.21
      Jan 9 00:04:00 charon 80715 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/local/lib/opensc-pkcs11.so)
      Jan 9 00:04:00 charon 80715 00[CFG] PKCS11 module '<name>' lacks library path
      Jan 9 00:04:00 charon 80715 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.2-STABLE, amd64)

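As an added example (not from the thread or from pfSense), the script below parses charon lines in the format shown above, puts the newest-first output back into chronological order, groups lines by IKE_SA number and reports why each SA died. "tried 1 shared key ... but MAC mismatched" means the responder's AUTH verification with the pre-shared key failed, which happens when the PSK differs or when the peer identities (including their ID type) differ from what the responder used, because the AUTH MAC covers the ID payload. The sample log, addresses and hostnames are constructed.

```python
"""Triage helper for strongSwan charon log output as shown in the pfSense IPsec log."""
import re

# Constructed sample in the format of the pfSense/strongSwan charon log above,
# newest line first as the pfSense log viewer shows it (not the poster's real log).
SAMPLE_LOG = """\
Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> IKE_SA con2000[4] state change: CONNECTING => DESTROYING
Jan 9 00:04:17 charon 80715 13[ENC] <con2000|4> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> tried 1 shared key for 'siteA.example' - 'siteB.example', but MAC mismatched
Jan 9 00:04:17 charon 80715 13[CFG] <con2000|4> selected peer config 'con2000'
Jan 9 00:04:17 charon 80715 13[IKE] <4> 203.0.113.10 is initiating an IKE_SA
Jan 9 00:04:01 charon 80715 06[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Jan 9 00:04:01 charon 80715 06[IKE] <1> no IKE config found for 192.0.2.2...203.0.113.10, sending NO_PROPOSAL_CHOSEN
Jan 9 00:04:01 charon 80715 06[IKE] <1> 203.0.113.10 is initiating an IKE_SA
Jan 9 00:04:00 charon 80715 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.2-STABLE, amd64)
"""

# "<timestamp> charon <pid> <thread>[<group>] [<conn|sa> or <sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) charon \d+ "
    r"\d+\[(?P<group>[A-Z]+)\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)

# Ordered: the first rule whose needle appears in any line of an IKE_SA decides.
RULES = [
    (("MAC mismatched",), "PSK_OR_ID_MISMATCH",
     "AUTH verification with the PSK failed: the PSK differs, or the peer IDs / ID "
     "types differ from what the responder used (the AUTH MAC covers the ID payload)"),
    (("no IKE config found",), "NO_MATCHING_CONFIG",
     "no connection matched the address pair: config not loaded yet or wrong "
     "local/remote address"),
    (("=> ESTABLISHED", "established between"), "ESTABLISHED",
     "IKE_SA completed authentication"),
    (("N(AUTH_FAILED)",), "AUTH_FAILED_OTHER",
     "authentication failed for a reason other than a PSK MAC mismatch"),
]


def parse_line(line):
    """Return the parsed fields of one charon line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"]) if rec["sa"] else None
    return rec


def classify(messages):
    for needles, verdict, detail in RULES:
        if any(n in msg for n in needles for msg in messages):
            return verdict, detail
    return "INCOMPLETE", "no terminal event seen for this IKE_SA"


def triage(log_text, newest_first=True):
    """Group charon lines by IKE_SA number and attach a verdict to each SA."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # pfSense shows newest first; work in chronological order
    sas = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["sa"] is None:
            continue  # daemon start-up and vici lines carry no SA number
        entry = sas.setdefault(rec["sa"], {"conn": None, "peer": None, "messages": []})
        if rec["conn"]:
            entry["conn"] = rec["conn"]  # the SA gets its name once a peer config matches
        peer = re.match(r"(\S+) is initiating an IKE_SA", rec["msg"])
        if peer:
            entry["peer"] = peer.group(1)
        entry["messages"].append(rec["msg"])
    for entry in sas.values():
        entry["verdict"], entry["detail"] = classify(entry["messages"])
    return sas


def summary(log_text, newest_first=True):
    """Count verdicts across all IKE_SAs, e.g. {'PSK_OR_ID_MISMATCH': 3}."""
    counts = {}
    for entry in triage(log_text, newest_first).values():
        counts[entry["verdict"]] = counts.get(entry["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for sa, e in sorted(triage(SAMPLE_LOG).items()):
        print(f"IKE_SA {sa} conn={e['conn']} peer={e['peer']}: {e['verdict']} - {e['detail']}")
```

Run it against a saved copy of the pfSense IPsec log (Status > System Logs > IPsec) to see at a glance whether repeated failures are all PSK/ID mismatches, as in this thread, or a mix of causes.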
      • S
        seanr22a
        last edited by

        Solved.

        I deleted the IPsec configuration at both sites (main and remote) and entered the same configuration again, and now it's working!

        Apparently the update did something wrong with the config that wasn't visible in the GUI.

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          The only auth-related change is that IDs weren't getting the proper type added in some cases in the backend, but that did not change anything in the config. So it's possible you didn't have the correct ID type selected when you set it up before.


          • S
            seanr22a @jimp
            last edited by

            @jimp I don't know about the ID. I have used the same config for a long time and it was made following the Netgate/pfSense guide on how to set up IPsec. It's working now after clearing and re-entering the config :)

            Thank you for taking your time to answer 👍

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.