Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPsec died when upgrading to 2.5.0.a.20210107.2142 from 2.5 December 20 release

    IPsec
    2
    4
    186
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      seanr22a last edited by

      I'm running the 2.5 development release since it first came out. My IPsec config has been the same all the time at the main and remote site running without any issues. I'm well aware that it is a development release :)

      Today I updated from the 2.5 December 20 release too 2.5.0.a.20210107.2142 at the main and remote site and it killed IPsec - note that the configs are untouched. Everything else is working fine, only problem is IPsec.

      My ISP at both sites has their own modem with NAT that I can't touch, behind the ISP 'modem' at each site I have the pfsense box. To get a fresh logfile I disabled the tunnel, cleared the log file and enabled the tunnel so the logfile is from first start at the main site.

      Here is the log file if someone knows what it's saying:

      Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> IKE_SA con2000[4] state change: CONNECTING => DESTROYING
      Jan 9 00:04:17 charon 80715 13[NET] <con2000|4> sending packet: from 192.168.111.2[4500] to 14.207.69.123[11406] (65 bytes)
      Jan 9 00:04:17 charon 80715 13[ENC] <con2000|4> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 9 00:04:17 charon 80715 13[IKE] <con2000|4> tried 1 shared key for 'kallhall1a.dyndns.org' - 'huahin2a.dyndns.org', but MAC mismatched
      Jan 9 00:04:17 charon 80715 13[CFG] <con2000|4> selected peer config 'con2000'
      Jan 9 00:04:17 charon 80715 13[CFG] <4> candidate "con2000", match: 20/20/3100 (me/other/ike)
      Jan 9 00:04:17 charon 80715 13[CFG] <4> looking for peer configs matching 192.168.111.2[kallhall1a.dyndns.org]...14.207.69.123[huahin2a.dyndns.org]
      Jan 9 00:04:17 charon 80715 13[ENC] <4> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 9 00:04:17 charon 80715 13[NET] <4> received packet: from 14.207.69.123[11406] to 192.168.111.2[4500] (293 bytes)
      Jan 9 00:04:17 charon 80715 13[NET] <4> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (464 bytes)
      Jan 9 00:04:17 charon 80715 13[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 9 00:04:17 charon 80715 13[CFG] <4> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:17 charon 80715 13[IKE] <4> remote host is behind NAT
      Jan 9 00:04:17 charon 80715 13[IKE] <4> local host is behind NAT, sending keep alives
      Jan 9 00:04:17 charon 80715 13[CFG] <4> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:17 charon 80715 13[CFG] <4> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:17 charon 80715 13[CFG] <4> configured proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:17 charon 80715 13[CFG] <4> received proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:17 charon 80715 13[CFG] <4> proposal matches
      Jan 9 00:04:17 charon 80715 13[CFG] <4> selecting proposal:
      Jan 9 00:04:17 charon 80715 13[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
      Jan 9 00:04:17 charon 80715 13[IKE] <4> 14.207.69.123 is initiating an IKE_SA
      Jan 9 00:04:17 charon 80715 13[CFG] <4> found matching ike config: 192.168.111.2...huahin2a.dyndns.org with prio 3100
      Jan 9 00:04:17 charon 80715 13[CFG] <4> candidate: 192.168.111.2...huahin2a.dyndns.org, prio 3100
      Jan 9 00:04:17 charon 80715 13[CFG] <4> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:17 charon 80715 13[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:17 charon 80715 13[NET] <4> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:12 charon 80715 13[IKE] <con2000|3> IKE_SA con2000[3] state change: CONNECTING => DESTROYING
      Jan 9 00:04:12 charon 80715 13[NET] <con2000|3> sending packet: from 192.168.111.2[4500] to 14.207.69.123[11406] (65 bytes)
      Jan 9 00:04:12 charon 80715 13[ENC] <con2000|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 9 00:04:12 charon 80715 13[IKE] <con2000|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 9 00:04:12 charon 80715 13[IKE] <con2000|3> tried 1 shared key for 'kallhall1a.dyndns.org' - 'huahin2a.dyndns.org', but MAC mismatched
      Jan 9 00:04:12 charon 80715 13[CFG] <con2000|3> selected peer config 'con2000'
      Jan 9 00:04:12 charon 80715 13[CFG] <3> candidate "con2000", match: 20/20/3100 (me/other/ike)
      Jan 9 00:04:12 charon 80715 13[CFG] <3> looking for peer configs matching 192.168.111.2[kallhall1a.dyndns.org]...14.207.69.123[huahin2a.dyndns.org]
      Jan 9 00:04:12 charon 80715 13[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 9 00:04:12 charon 80715 13[NET] <3> received packet: from 14.207.69.123[11406] to 192.168.111.2[4500] (293 bytes)
      Jan 9 00:04:11 charon 80715 13[NET] <3> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (464 bytes)
      Jan 9 00:04:11 charon 80715 13[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 9 00:04:11 charon 80715 13[CFG] <3> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:11 charon 80715 13[IKE] <3> remote host is behind NAT
      Jan 9 00:04:11 charon 80715 13[IKE] <3> local host is behind NAT, sending keep alives
      Jan 9 00:04:11 charon 80715 13[CFG] <3> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:11 charon 80715 13[CFG] <3> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:11 charon 80715 13[CFG] <3> configured proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:11 charon 80715 13[CFG] <3> received proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:11 charon 80715 13[CFG] <3> proposal matches
      Jan 9 00:04:11 charon 80715 13[CFG] <3> selecting proposal:
      Jan 9 00:04:11 charon 80715 13[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
      Jan 9 00:04:11 charon 80715 13[IKE] <3> 14.207.69.123 is initiating an IKE_SA
      Jan 9 00:04:11 charon 80715 13[CFG] <3> found matching ike config: 192.168.111.2...huahin2a.dyndns.org with prio 3100
      Jan 9 00:04:11 charon 80715 13[CFG] <3> candidate: 192.168.111.2...huahin2a.dyndns.org, prio 3100
      Jan 9 00:04:11 charon 80715 13[CFG] <3> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:11 charon 80715 13[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:11 charon 80715 13[NET] <3> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:02 charon 80715 13[IKE] <con2000|2> IKE_SA con2000[2] state change: CONNECTING => DESTROYING
      Jan 9 00:04:02 charon 80715 13[NET] <con2000|2> sending packet: from 192.168.111.2[4500] to 14.207.69.123[11406] (65 bytes)
      Jan 9 00:04:02 charon 80715 13[ENC] <con2000|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 9 00:04:02 charon 80715 13[IKE] <con2000|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 9 00:04:02 charon 80715 13[IKE] <con2000|2> tried 1 shared key for 'kallhall1a.dyndns.org' - 'huahin2a.dyndns.org', but MAC mismatched
      Jan 9 00:04:02 charon 80715 13[CFG] <con2000|2> selected peer config 'con2000'
      Jan 9 00:04:02 charon 80715 13[CFG] <2> candidate "con2000", match: 20/20/3100 (me/other/ike)
      Jan 9 00:04:02 charon 80715 13[CFG] <2> looking for peer configs matching 192.168.111.2[kallhall1a.dyndns.org]...14.207.69.123[huahin2a.dyndns.org]
      Jan 9 00:04:02 charon 80715 13[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 9 00:04:02 charon 80715 13[NET] <2> received packet: from 14.207.69.123[11406] to 192.168.111.2[4500] (293 bytes)
      Jan 9 00:04:02 charon 80715 13[NET] <2> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (464 bytes)
      Jan 9 00:04:02 charon 80715 13[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 9 00:04:02 charon 80715 13[CFG] <2> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:02 charon 80715 13[IKE] <2> remote host is behind NAT
      Jan 9 00:04:02 charon 80715 13[IKE] <2> local host is behind NAT, sending keep alives
      Jan 9 00:04:02 charon 80715 13[CFG] <2> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 9 00:04:02 charon 80715 13[CFG] <2> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:02 charon 80715 13[CFG] <2> configured proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:02 charon 80715 13[CFG] <2> received proposals: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:02 charon 80715 13[CFG] <2> proposal matches
      Jan 9 00:04:02 charon 80715 13[CFG] <2> selecting proposal:
      Jan 9 00:04:02 charon 80715 13[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
      Jan 9 00:04:02 charon 80715 13[IKE] <2> 14.207.69.123 is initiating an IKE_SA
      Jan 9 00:04:02 charon 80715 13[CFG] <2> found matching ike config: 192.168.111.2...huahin2a.dyndns.org with prio 3100
      Jan 9 00:04:02 charon 80715 13[CFG] <2> candidate: 192.168.111.2...huahin2a.dyndns.org, prio 3100
      Jan 9 00:04:02 charon 80715 13[CFG] <2> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:02 charon 80715 13[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:02 charon 80715 13[NET] <2> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:01 charon 80715 13[CFG] vici client 1 disconnected
      Jan 9 00:04:01 charon 80715 14[CHD] CHILD_SA con2000{1} state change: CREATED => ROUTED
      Jan 9 00:04:01 charon 80715 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
      Jan 9 00:04:01 charon 80715 14[CFG] installing 'con2000'
      Jan 9 00:04:01 charon 80715 14[CFG] added vici connection: con2000
      Jan 9 00:04:01 charon 80715 14[CFG] id = huahin2a.dyndns.org
      Jan 9 00:04:01 charon 80715 14[CFG] class = pre-shared key
      Jan 9 00:04:01 charon 80715 14[CFG] remote:
      Jan 9 00:04:01 charon 80715 14[CFG] id = kallhall1a.dyndns.org
      Jan 9 00:04:01 charon 80715 14[CFG] class = pre-shared key
      Jan 9 00:04:01 charon 80715 14[CFG] local:
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 14[CFG] proposals = IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
      Jan 9 00:04:01 charon 80715 14[CFG] rand_time = 2860
      Jan 9 00:04:01 charon 80715 14[CFG] over_time = 2860
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_time = 25740
      Jan 9 00:04:01 charon 80715 14[CFG] reauth_time = 25720
      Jan 9 00:04:01 charon 80715 14[CFG] keyingtries = 1
      Jan 9 00:04:01 charon 80715 14[CFG] unique = UNIQUE_REPLACE
      Jan 9 00:04:01 charon 80715 14[CFG] childless = 0
      Jan 9 00:04:01 charon 80715 14[CFG] fragmentation = 2
      Jan 9 00:04:01 charon 80715 14[CFG] dpd_timeout = 72
      Jan 9 00:04:01 charon 80715 14[CFG] dpd_delay = 12
      Jan 9 00:04:01 charon 80715 14[CFG] encap = 0
      Jan 9 00:04:01 charon 80715 14[CFG] dscp = 0x00
      Jan 9 00:04:01 charon 80715 14[CFG] aggressive = 0
      Jan 9 00:04:01 charon 80715 14[CFG] mobike = 0
      Jan 9 00:04:01 charon 80715 14[CFG] ppk_required = 0
      Jan 9 00:04:01 charon 80715 14[CFG] ppk_id = (null)
      Jan 9 00:04:01 charon 80715 14[CFG] send_cert = CERT_SEND_IF_ASKED
      Jan 9 00:04:01 charon 80715 14[CFG] send_certreq = 1
      Jan 9 00:04:01 charon 80715 14[CFG] remote_port = 500
      Jan 9 00:04:01 charon 80715 14[CFG] local_port = 500
      Jan 9 00:04:01 charon 80715 14[CFG] remote_addrs = huahin2a.dyndns.org
      Jan 9 00:04:01 charon 80715 14[CFG] local_addrs = 192.168.111.2
      Jan 9 00:04:01 charon 80715 14[CFG] version = 2
      Jan 9 00:04:01 charon 80715 14[CFG] copy_dscp = out
      Jan 9 00:04:01 charon 80715 14[CFG] copy_ecn = 1
      Jan 9 00:04:01 charon 80715 14[CFG] copy_df = 1
      Jan 9 00:04:01 charon 80715 14[CFG] sha256_96 = 0
      Jan 9 00:04:01 charon 80715 14[CFG] hw_offload = no
      Jan 9 00:04:01 charon 80715 14[CFG] remote_ts = 192.168.11.0/24|/0 192.168.8.0/24|/0 192.168.11.0/24|/0 192.168.8.0/24|/0
      Jan 9 00:04:01 charon 80715 14[CFG] local_ts = 192.168.12.0/24|/0 192.168.12.0/24|/0 192.168.17.0/24|/0 192.168.17.0/24|/0
      Jan 9 00:04:01 charon 80715 14[CFG] proposals = ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ
      Jan 9 00:04:01 charon 80715 14[CFG] inactivity = 0
      Jan 9 00:04:01 charon 80715 14[CFG] set_mark_out = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] set_mark_in = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] mark_out = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] mark_in_sa = 0
      Jan 9 00:04:01 charon 80715 14[CFG] mark_in = 0/0
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 14[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 14[CFG] interface = (null)
      Jan 9 00:04:01 charon 80715 14[CFG] priority = 0
      Jan 9 00:04:01 charon 80715 14[CFG] tfc = 0
      Jan 9 00:04:01 charon 80715 14[CFG] reqid = 0
      Jan 9 00:04:01 charon 80715 14[CFG] close_action = clear
      Jan 9 00:04:01 charon 80715 14[CFG] start_action = hold
      Jan 9 00:04:01 charon 80715 14[CFG] dpd_action = hold
      Jan 9 00:04:01 charon 80715 14[CFG] policies_fwd_out = 0
      Jan 9 00:04:01 charon 80715 14[CFG] policies = 1
      Jan 9 00:04:01 charon 80715 14[CFG] mode = TUNNEL
      Jan 9 00:04:01 charon 80715 14[CFG] ipcomp = 0
      Jan 9 00:04:01 charon 80715 14[CFG] hostaccess = 0
      Jan 9 00:04:01 charon 80715 14[CFG] updown = (null)
      Jan 9 00:04:01 charon 80715 14[CFG] rand_packets = 0
      Jan 9 00:04:01 charon 80715 14[CFG] life_packets = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_packets = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rand_bytes = 0
      Jan 9 00:04:01 charon 80715 14[CFG] life_bytes = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_bytes = 0
      Jan 9 00:04:01 charon 80715 14[CFG] rand_time = 360
      Jan 9 00:04:01 charon 80715 14[CFG] life_time = 3600
      Jan 9 00:04:01 charon 80715 14[CFG] rekey_time = 3240
      Jan 9 00:04:01 charon 80715 14[CFG] child con2000:
      Jan 9 00:04:01 charon 80715 14[CFG] conn con2000:
      Jan 9 00:04:01 charon 80715 14[CFG] vici client 1 requests: load-conn
      Jan 9 00:04:01 charon 80715 06[CFG] installing 'bypasslan'
      Jan 9 00:04:01 charon 80715 06[CFG] added vici connection: bypass
      Jan 9 00:04:01 charon 80715 06[CFG] remote:
      Jan 9 00:04:01 charon 80715 06[CFG] local:
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 06[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Jan 9 00:04:01 charon 80715 06[CFG] rand_time = 1440
      Jan 9 00:04:01 charon 80715 06[CFG] over_time = 1440
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_time = 14400
      Jan 9 00:04:01 charon 80715 06[CFG] reauth_time = 0
      Jan 9 00:04:01 charon 80715 06[CFG] keyingtries = 1
      Jan 9 00:04:01 charon 80715 06[CFG] unique = UNIQUE_NO
      Jan 9 00:04:01 charon 80715 06[CFG] childless = 0
      Jan 9 00:04:01 charon 80715 06[CFG] fragmentation = 2
      Jan 9 00:04:01 charon 80715 06[CFG] dpd_timeout = 0
      Jan 9 00:04:01 charon 80715 06[CFG] dpd_delay = 0
      Jan 9 00:04:01 charon 80715 06[CFG] encap = 0
      Jan 9 00:04:01 charon 80715 06[CFG] dscp = 0x00
      Jan 9 00:04:01 charon 80715 06[CFG] aggressive = 0
      Jan 9 00:04:01 charon 80715 06[CFG] mobike = 1
      Jan 9 00:04:01 charon 80715 06[CFG] ppk_required = 0
      Jan 9 00:04:01 charon 80715 06[CFG] ppk_id = (null)
      Jan 9 00:04:01 charon 80715 06[CFG] send_cert = CERT_SEND_IF_ASKED
      Jan 9 00:04:01 charon 80715 06[CFG] send_certreq = 1
      Jan 9 00:04:01 charon 80715 06[CFG] remote_port = 500
      Jan 9 00:04:01 charon 80715 06[CFG] local_port = 500
      Jan 9 00:04:01 charon 80715 06[CFG] remote_addrs = 127.0.0.1
      Jan 9 00:04:01 charon 80715 06[CFG] local_addrs = %any
      Jan 9 00:04:01 charon 80715 06[CFG] version = 0
      Jan 9 00:04:01 charon 80715 06[CFG] copy_dscp = out
      Jan 9 00:04:01 charon 80715 06[CFG] copy_ecn = 1
      Jan 9 00:04:01 charon 80715 06[CFG] copy_df = 1
      Jan 9 00:04:01 charon 80715 06[CFG] sha256_96 = 0
      Jan 9 00:04:01 charon 80715 06[CFG] hw_offload = no
      Jan 9 00:04:01 charon 80715 06[CFG] remote_ts = 192.168.12.0/24|/0
      Jan 9 00:04:01 charon 80715 06[CFG] local_ts = 192.168.12.0/24|/0
      Jan 9 00:04:01 charon 80715 06[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
      Jan 9 00:04:01 charon 80715 06[CFG] inactivity = 0
      Jan 9 00:04:01 charon 80715 06[CFG] set_mark_out = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] set_mark_in = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] mark_out = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] mark_in_sa = 0
      Jan 9 00:04:01 charon 80715 06[CFG] mark_in = 0/0
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_out = 0
      Jan 9 00:04:01 charon 80715 06[CFG] if_id_in = 0
      Jan 9 00:04:01 charon 80715 06[CFG] interface = (null)
      Jan 9 00:04:01 charon 80715 06[CFG] priority = 0
      Jan 9 00:04:01 charon 80715 06[CFG] tfc = 0
      Jan 9 00:04:01 charon 80715 06[CFG] reqid = 0
      Jan 9 00:04:01 charon 80715 06[CFG] close_action = clear
      Jan 9 00:04:01 charon 80715 06[CFG] start_action = hold
      Jan 9 00:04:01 charon 80715 06[CFG] dpd_action = clear
      Jan 9 00:04:01 charon 80715 06[CFG] policies_fwd_out = 0
      Jan 9 00:04:01 charon 80715 06[CFG] policies = 1
      Jan 9 00:04:01 charon 80715 06[CFG] mode = PASS
      Jan 9 00:04:01 charon 80715 06[CFG] ipcomp = 0
      Jan 9 00:04:01 charon 80715 06[CFG] hostaccess = 0
      Jan 9 00:04:01 charon 80715 06[CFG] updown = (null)
      Jan 9 00:04:01 charon 80715 06[CFG] rand_packets = 0
      Jan 9 00:04:01 charon 80715 06[CFG] life_packets = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_packets = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rand_bytes = 0
      Jan 9 00:04:01 charon 80715 06[CFG] life_bytes = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_bytes = 0
      Jan 9 00:04:01 charon 80715 06[CFG] rand_time = 360
      Jan 9 00:04:01 charon 80715 06[CFG] life_time = 3960
      Jan 9 00:04:01 charon 80715 06[CFG] rekey_time = 3600
      Jan 9 00:04:01 charon 80715 06[CFG] child bypasslan:
      Jan 9 00:04:01 charon 80715 06[CFG] conn bypass:
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: load-conn
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-conns
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-pools
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-authorities
      Jan 9 00:04:01 charon 80715 06[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'fqdn:huahin2a.dyndns.org'
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: load-shared
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-shared
      Jan 9 00:04:01 charon 80715 06[CFG] vici client 1 requests: get-keys
      Jan 9 00:04:01 charon 80715 16[CFG] vici client 1 connected
      Jan 9 00:04:01 charon 80715 06[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
      Jan 9 00:04:01 charon 80715 06[NET] <1> sending packet: from 192.168.111.2[500] to 14.207.69.123[500] (36 bytes)
      Jan 9 00:04:01 charon 80715 06[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Jan 9 00:04:01 charon 80715 06[IKE] <1> no IKE config found for 192.168.111.2...14.207.69.123, sending NO_PROPOSAL_CHOSEN
      Jan 9 00:04:01 charon 80715 06[CFG] <1> looking for an IKEv2 config for 192.168.111.2...14.207.69.123
      Jan 9 00:04:01 charon 80715 06[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 9 00:04:01 charon 80715 06[NET] <1> received packet: from 14.207.69.123[500] to 192.168.111.2[500] (456 bytes)
      Jan 9 00:04:00 charon 80715 00[JOB] spawning 16 worker threads
      Jan 9 00:04:00 charon 80715 00[LIB] loaded plugins: charon unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
      Jan 9 00:04:00 charon 80715 00[CFG] loaded 0 RADIUS server configurations
      Jan 9 00:04:00 charon 80715 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
      Jan 9 00:04:00 charon 80715 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
      Jan 9 00:04:00 charon 80715 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
      Jan 9 00:04:00 charon 80715 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
      Jan 9 00:04:00 charon 80715 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
      Jan 9 00:04:00 charon 80715 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
      Jan 9 00:04:00 charon 80715 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
      Jan 9 00:04:00 charon 80715 00[CFG] ipseckey plugin is disabled
      Jan 9 00:04:00 charon 80715 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
      Jan 9 00:04:00 charon 80715 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
      Jan 9 00:04:00 charon 80715 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
      Jan 9 00:04:00 charon 80715 00[KNL] unable to set UDP_ENCAP: Invalid argument
      Jan 9 00:04:00 charon 80715 00[CFG] OpenSC Project: OpenSC smartcard framework v0.21
      Jan 9 00:04:00 charon 80715 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/local/lib/opensc-pkcs11.so)
      Jan 9 00:04:00 charon 80715 00[CFG] PKCS11 module '<name>' lacks library path
      Jan 9 00:04:00 charon 80715 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.2-STABLE, amd64)

      1 Reply Last reply Reply Quote 0
      • S
        seanr22a last edited by

        Solved.

        I deleted the IPsec configuration at both sites (main and remote) and entered the same configuration again and now it's working !

        Apperently Update did something wrong with the config that wasn't visible in the GUI.

        1 Reply Last reply Reply Quote 1
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          The only auth-related change is that IDs weren't getting the proper type added in some cases in the backend but that did not change anything in the config. So it's possible you didn't have the correct ID type selected when you set it up before.

          S 1 Reply Last reply Reply Quote 0
          • S
            seanr22a @jimp last edited by

            @jimp I don't know about the ID, I have used the same config long time and it was was made following the netgate/pfsense guide how to setup ipsec. It's working now after clearing and re-enter the config :)

            Thank you for taking your time to answer 👍

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense Plus
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy