Netgate Discussion Forum
    From 2.4.5_1 to 2.5.0.a.20210115.2350 - ipsec mobile client vpn certificate based no longer working

    2.5 Development Snapshots (Retired)
    4 Posts 2 Posters 676 Views
    qsystems

      I've migrated again from 2.4.5_1 to 2.5.0.a.20210115.2350, and my IPsec VPN is no longer working. From the logs, pfSense acts like it connects, but the remote Android devices never actually connect. pfSense does not show the connection under IPsec status except for a brief instant.

      Running a packet capture, both pfSense and Android appear to be communicating in both directions. I do have a multi-WAN (IPv4 and IPv6) setup, but this should not be a factor as it was working with 2.4.5_1.

      Site-to-site PSK IPsec on the other WAN interface is working without issue.

      Log

      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> lease 192.168.48.2 by 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name' went offline
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleted SAD entry with SPI cb0021a5
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting SAD entry with SPI cb0021a5
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleted SAD entry with SPI cbaf7528
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting SAD entry with SPI cbaf7528
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting policy 192.168.48.2/32|/0 === 0.0.0.0/0|/0 in
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting policy 0.0.0.0/0|/0 === 192.168.48.2/32|/0 out
      Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (57 bytes)
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating INFORMATIONAL response 2 [ ]
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA deleted
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> deleting IKE_SA con-mobile[9] between xxx.xx.xx.xxx[xxx.xx.xx.xxx]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> received DELETE for IKE_SA con-mobile[9]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (65 bytes)
      Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
      Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
      Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
      Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
      Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (699 bytes)
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (1248 bytes)
      Jan 16 21:09:16 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (1248 bytes)
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <con-mobile|9> sending packet: from xxx.xx.xx.xxx[4500] to 166.170.223.88[6382] (1248 bytes)
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(4/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(3/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(2/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ EF(1/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> splitting IKE message (4256 bytes) into 4 fragments
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET SUBNET U_SPLITINC U_SPLITINC DNS DNS6 U_DEFDOM U_SPLITDNS U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> CHILD_SA con-mobile{12} established with SPIs cbaf7528_i cb0021a5_o and TS 0.0.0.0/0|/0 === 192.168.48.2/32|/0
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding policy 0.0.0.0/0|/0 === 192.168.48.2/32|/0 out
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding policy 192.168.48.2/32|/0 === 0.0.0.0/0|/0 in
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> using encryption algorithm AES_GCM_16 with key size 288
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding SAD entry with SPI cb0021a5 and reqid {3}
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> using encryption algorithm AES_GCM_16 with key size 288
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> adding SAD entry with SPI cbaf7528 and reqid {3}
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleted SAD entry with SPI cbaf7528
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> deleting SAD entry with SPI cbaf7528
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> config: 192.168.48.2/32|/0, received: 0.0.0.0/0|/0 => match: 192.168.48.2/32|/0
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selecting traffic selectors for other:
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selecting traffic selectors for us:
      Jan 16 21:09:16 portal charon[33071]: 07[KNL] <con-mobile|9> got SPI cbaf7528
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ, ESP:AES_GCM_16_192/MODP_4096/NO_EXT_SEQ, ESP:AES_GCM_16_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/AES_XCBC_96/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:3DES_CBC/AES_XCBC_96/MODP_4096/NO_EXT_SEQ
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> received proposals: ESP:AES_GCM_16_256/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> proposal matches
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selecting proposal:
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> found matching child config "con-mobile" with prio 6
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> candidate "con-mobile" with prio 5+1
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> 192.168.48.2/32|/0
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> proposing traffic selectors for other:
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> 0.0.0.0/0|/0
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> proposing traffic selectors for us:
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> looking for a child config for 0.0.0.0/0|/0 === 0.0.0.0/0|/0
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> assigning virtual IP 192.168.48.2 to peer 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name'
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> reassigning offline lease to 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name'
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> peer requested virtual IP %any
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> sending end entity cert "CN=v.somedomain.net, C=US, ST=US, L=Some City, O=Some Name"
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> maximum IKE_SA lifetime 3547s
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> scheduling rekeying in 3187s
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA con-mobile[9] established between xxx.xx.xx.xxx[xxx.xx.xx.xxx]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'xxx.xx.xx.xxx' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> peer supports MOBIKE
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name' with RSA_EMSA_PKCS1_SHA2_384 successful
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> reached self-signed root ca with a path length of 0
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> certificate "C=US, ST=US, L=Some City, O=Some Name, E=dan@somedomain.net, CN=somedomain.net" key: 16384 bit RSA
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> certificate status is not available
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> ocsp check skipped, no ocsp found
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> checking certificate status of "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name"
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> using trusted ca certificate "C=US, ST=US, L=Some City, O=Some Name, E=dan@somedomain.net, CN=somedomain.net"
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> certificate "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name" key: 4096 bit RSA
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> using certificate "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name"
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selected peer config 'con-mobile'
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <9> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
      Jan 16 21:09:16 portal charon[33071]: 07[CFG] <9> looking for peer configs matching xxx.xx.xx.xxx[%any]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
      Jan 16 21:09:16 portal charon[33071]: 07[IKE] <9> received end entity cert "CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name"
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> received fragment #4 of 4, reassembled fragmented IKE message (4326 bytes)
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ EF(4/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (769 bytes)
      Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
      Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> received fragment #3 of 4, waiting for complete IKE message
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ EF(3/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (1248 bytes)
      Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
      Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> received fragment #2 of 4, waiting for complete IKE message
      Jan 16 21:09:16 portal charon[33071]: 07[ENC] <9> parsed IKE_AUTH request 1 [ EF(2/4) ]
      Jan 16 21:09:16 portal charon[33071]: 07[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (1248 bytes)
      Jan 16 21:09:16 portal charon[33071]: 01[ENC] <9> received fragment #1 of 4, waiting for complete IKE message
      Jan 16 21:09:16 portal charon[33071]: 01[ENC] <9> parsed IKE_AUTH request 1 [ EF(1/4) ]
      Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
      Jan 16 21:09:16 portal charon[33071]: 01[NET] <9> received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500] (1248 bytes)
      Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
      Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
      Jan 16 21:09:16 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[6382] to xxx.xx.xx.xxx[4500]
      Jan 16 21:09:15 portal charon[33071]: 05[NET] sending packet: from xxx.xx.xx.xxx[500] to 166.170.223.88[32033]
      Jan 16 21:09:15 portal charon[33071]: 01[NET] <9> sending packet: from xxx.xx.xx.xxx[500] to 166.170.223.88[32033] (489 bytes)
      Jan 16 21:09:15 portal charon[33071]: 01[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> sending cert request for "C=US, ST=US, L=Some City, O=Some Name, E=dan@somedomain.net, CN=somedomain.net"
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> remote host is behind NAT
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> received supported signature hash algorithms: sha256 sha384 sha512
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048_256
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> configured proposals: IKE:AES_GCM_16_256/PRF_AES128_XCBC/CURVE_25519, IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_8192, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048_256, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> received proposals: IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536, IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> proposal matches
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable PSEUDO_RANDOM_FUNCTION found
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable PSEUDO_RANDOM_FUNCTION found
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selecting proposal:
      Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> 166.170.223.88 is initiating an IKE_SA
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> found matching ike config: xxx.xx.xx.xxx, xxxx:xxxx:xxxx:xxxx::x...0.0.0.0/0, ::/0 with prio 1052
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> candidate: xxx.xx.xx.xxx, xxxx:xxxx:xxxx:xxxx::x...0.0.0.0/0, ::/0, prio 1052
      Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> looking for an IKEv2 config for xxx.xx.xx.xxx...166.170.223.88
      Jan 16 21:09:15 portal charon[33071]: 01[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 16 21:09:15 portal charon[33071]: 01[NET] <9> received packet: from 166.170.223.88[32033] to xxx.xx.xx.xxx[500] (658 bytes)
      Jan 16 21:09:15 portal charon[33071]: 04[NET] waiting for data on sockets
      Jan 16 21:09:15 portal charon[33071]: 04[NET] received packet: from 166.170.223.88[32033] to xxx.xx.xx.xxx[500]

      swanctl.conf

      # This file is automatically generated. Do not edit
      connections {
          bypass {
              remote_addrs = 127.0.0.1
          }
          con-mobile : con-mobile-defaults {
              # Stub to load con-mobile-defaults
          }
          con200000 {
              fragmentation = yes
              unique = replace
              version = 2
              proposals = aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes128gcm128-sha1-modp4096,aes192gcm128-sha1-modp4096,aes256gcm128-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096
              rekey_time = 28755s
              reauth_time = 28755s
              over_time = 45s
              rand_time = 45s
              encap = no
              mobike = no
              local_addrs = 75.x.x.x
              remote_addrs = 136.x.x.x
              pools =
              local {
                  id = 75.x.x.x
                  auth = psk
              }
              remote {
                  id = 136.x.x.x
                  auth = psk
              }
              children {
                  con0 {
                      dpd_action = clear
                      mode = tunnel
                      policies = yes
                      life_time = 3600s
                      rekey_time = 3240s
                      rand_time = 360s
                      start_action = trap
                      local_ts = 192.168.45.0/24
                      remote_ts = 192.168.2.0/24
                      esp_proposals = aes256gcm128-modp4096,aes256gcm96-modp4096,aes256gcm64-modp4096,aes192gcm128-modp4096,aes192gcm96-modp4096,aes192gcm64-modp4096,aes128gcm128-modp4096,aes128gcm96-modp4096,aes128gcm64-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096,aes256-aesxcbc-modp4096,aes192-sha1-modp4096,aes192-sha256-modp4096,aes192-sha384-modp4096,aes192-sha512-modp4096,aes192-aesxcbc-modp4096,aes128-sha1-modp4096,aes128-sha256-modp4096,aes128-sha384-modp4096,aes128-sha512-modp4096,aes128-aesxcbc-modp4096
                  }
                  con1 {
                      dpd_action = clear
                      mode = tunnel
                      policies = yes
                      life_time = 3600s
                      rekey_time = 3240s
                      rand_time = 360s
                      start_action = trap
                      local_ts = 192.168.24.0/24
                      remote_ts = 192.168.2.0/24
                      esp_proposals = aes256gcm128-modp4096,aes256gcm96-modp4096,aes256gcm64-modp4096,aes192gcm128-modp4096,aes192gcm96-modp4096,aes192gcm64-modp4096,aes128gcm128-modp4096,aes128gcm96-modp4096,aes128gcm64-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096,aes256-aesxcbc-modp4096,aes192-sha1-modp4096,aes192-sha256-modp4096,aes192-sha384-modp4096,aes192-sha512-modp4096,aes192-aesxcbc-modp4096,aes128-sha1-modp4096,aes128-sha256-modp4096,aes128-sha384-modp4096,aes128-sha512-modp4096,aes128-aesxcbc-modp4096
                  }
              }
          }
      }
      con-mobile-defaults {
          fragmentation = yes
          unique = replace
          version = 2
          proposals = aes256gcm128-aesxcbc-curve25519,aes256gcm128-aesxcbc-modp8192,aes256gcm128-sha512-modp2048s256,aes256-sha512-modp2048,aes256-sha384-modp2048,aes256-sha256-modp1024
          dpd_delay = 10s
          dpd_timeout = 60s
          rekey_time = 3240s
          reauth_time = 0s
          over_time = 360s
          rand_time = 360s
          encap = no
          mobike = yes
          local_addrs = 136.x.x.x,xxxx:xxxx:xxxx:xxxx::x
          remote_addrs = 0.0.0.0/0,::/0
          pools = mobile-pool-v4, mobile-pool-v6
          send_cert = always
          local {
              id = 136.x.x.x
              auth = pubkey
              cert {
                  file = /var/etc/ipsec/x509/cert-1.crt
              }
          }
          remote {
              auth = pubkey
              cacerts = /var/etc/ipsec/x509ca/189015ff.0
          }
          children {
              con-mobile {
                  dpd_action = clear
                  mode = tunnel
                  policies = yes
                  life_time = 3600s
                  rekey_time = 3240s
                  rand_time = 360s
                  start_action = none
                  local_ts = 0.0.0.0/0
                  esp_proposals = aes256gcm128-modp4096,aes192gcm128-modp4096,aes128gcm128-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,aes256-sha384-modp4096,aes256-sha512-modp4096,aes256-aesxcbc-modp4096,3des-sha1-modp4096,3des-sha256-modp4096,3des-sha384-modp4096,3des-sha512-modp4096,3des-aesxcbc-modp4096
              }
          }
      }
      pools {
          mobile-pool-v4 : mobile-pool {
              addrs = 192.168.48.0/24
              subnet = 0.0.0.0/0,192.168.45.0/24
              split_include = 0.0.0.0/0,192.168.45.0/24
          }
          mobile-pool-v6 : mobile-pool {
              addrs = 2001:x:6::/64
          }
      }
      mobile-pool {
          dns = 192.168.45.250,2001:x:1::5
          # Search domain and default domain
          28674 = "somedomain.local.lan"
          28675 = "somedomain.local.lan"
          28679 = "16"
      }
      secrets {
          private-0 {
              file = /var/etc/ipsec/private/cert-1.key
          }
          ike-1 {
              secret = asecret
              id-0 = %any
              id-1 = 136.x.x.x
          }
      }

      Could you list the 'swanctl --list-<name>' commands required?

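Read from the bottom up (pfSense prints newest first), the log above shows the responder accept the client's certificate, report the IKE_SA and the CHILD_SA established, and only then receive an INFORMATIONAL carrying N(AUTH_FAILED) followed by a DELETE. That notify is sent by the initiator after it has checked the server's IKE_AUTH response, so it means the Android side rejected the server's AUTH payload or certificate, not that pfSense rejected the client; the earlier "no acceptable ENCRYPTION_ALGORITHM found" lines are the responder walking its own proposal list until one matches and are not errors. The script below, an added example that is not code from the original post, pfSense or strongSwan, reorders a charon excerpt, groups it by IKE_SA id and reduces those markers to a verdict. Its input is a constructed subset of the lines above, with the addresses redacted as in the post; the field names and verdict wording are this example's own.

```python
"""Triage a charon (strongSwan) log excerpt for one mobile IKEv2 session.

Added example: not code from the original post, pfSense or strongSwan.
SAMPLE_LOG is a constructed subset of the posted lines, kept in the order
pfSense prints them (newest first). Nothing on a live system is read.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA deleted
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> received DELETE for IKE_SA con-mobile[9]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 16 21:09:16 portal charon[33071]: 07[ENC] <con-mobile|9> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET DNS) SA TSi TSr N(MOBIKE_SUP) ]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> CHILD_SA con-mobile{12} established with SPIs cbaf7528_i cb0021a5_o and TS 0.0.0.0/0|/0 === 192.168.48.2/32|/0
Jan 16 21:09:16 portal charon[33071]: 07[CFG] <con-mobile|9> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> IKE_SA con-mobile[9] established between xxx.xx.xx.xxx[xxx.xx.xx.xxx]...166.170.223.88[CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name]
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'xxx.xx.xx.xxx' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 16 21:09:16 portal charon[33071]: 07[IKE] <con-mobile|9> authentication of 'CN=android.somedomain.local.lan, C=US, ST=US, L=Some City, O=Some Name' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 16 21:09:16 portal charon[33071]: 04[NET] waiting for data on sockets
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048_256
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable ENCRYPTION_ALGORITHM found
Jan 16 21:09:15 portal charon[33071]: 01[CFG] <9> no acceptable PSEUDO_RANDOM_FUNCTION found
Jan 16 21:09:15 portal charon[33071]: 01[IKE] <9> 166.170.223.88 is initiating an IKE_SA
"""

# One charon line: "<ts> <host> charon[pid]: <thread>[GROUP] <conn|id> msg".
# Lines without an IKE_SA id (e.g. "04[NET] waiting for data on sockets")
# carry no per-session state and are skipped on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon\[\d+\]: "
    r"\d+\[(?P<group>[A-Z]+)\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)

VERDICT_TEXT = {
    "peer_rejected_us": "we accepted the peer and reported the SA established, then the peer sent "
                        "N(AUTH_FAILED) and DELETE: the client rejected our AUTH/certificate; check "
                        "the server identity and CA the client trusts, not the client certificate",
    "we_rejected_peer": "we answered IKE_AUTH with N(AUTH_FAILED): our validation of the peer "
                        "failed; read the CFG/IKE lines just before it",
    "up": "IKE_SA and CHILD_SA established and no failure notify seen",
    "incomplete": "no authentication outcome in this excerpt",
}

def parse(log_text):
    """Group lines by IKE_SA id and return (group, msg) pairs oldest-first."""
    by_sa = defaultdict(list)
    for line in reversed(log_text.splitlines()):   # undo the newest-first order
        m = LINE_RE.match(line)
        if m:
            by_sa[m["sa"]].append((m["group"], m["msg"]))
    return by_sa

def triage(events):
    """Reduce one IKE_SA's events to a findings dict with a verdict."""
    f = {"ike_proposal": None, "esp_proposal": None, "peer_id": None,
         "self_auth_ok": False, "peer_auth_ok": False, "ike_established": False,
         "child_established": False, "we_sent_auth_failed": False,
         "peer_sent_auth_failed": False, "proposal_retries": 0, "verdict": "incomplete"}
    for _group, msg in events:
        if msg.startswith("selected proposal: IKE:"):
            f["ike_proposal"] = msg.split("IKE:", 1)[1]
        elif msg.startswith("selected proposal: ESP:"):
            f["esp_proposal"] = msg.split("ESP:", 1)[1]
        elif msg.startswith("no acceptable "):
            f["proposal_retries"] += 1   # normal: responder tries its next proposal
        elif msg.startswith("authentication of ") and msg.endswith(" successful"):
            if "(myself)" in msg:
                f["self_auth_ok"] = True
            else:
                f["peer_auth_ok"] = True
                f["peer_id"] = msg.split("'")[1]
        elif " established between " in msg:
            f["ike_established"] = True
        elif msg.startswith("CHILD_SA ") and " established with SPIs " in msg:
            f["child_established"] = True
        elif "generating IKE_AUTH response" in msg and "N(AUTH_FAILED)" in msg:
            f["we_sent_auth_failed"] = True
        elif "parsed INFORMATIONAL request" in msg and "N(AUTH_FAILED)" in msg:
            f["peer_sent_auth_failed"] = True
    if f["peer_sent_auth_failed"]:
        f["verdict"] = "peer_rejected_us"   # peer only checks us after our IKE_AUTH response
    elif f["we_sent_auth_failed"]:
        f["verdict"] = "we_rejected_peer"
    elif f["child_established"]:
        f["verdict"] = "up"
    return f

def report(log_text):
    """Human-readable summary, one paragraph per IKE_SA id."""
    out = []
    for sa, events in sorted(parse(log_text).items(), key=lambda kv: int(kv[0])):
        f = triage(events)
        out.append(f"IKE_SA {sa}: peer={f['peer_id']} ike={f['ike_proposal']} esp={f['esp_proposal']}\n"
                   f"  proposal retries (harmless): {f['proposal_retries']}\n"
                   f"  verdict {f['verdict']}: {VERDICT_TEXT[f['verdict']]}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the raw text of the IPsec log (Status > System Logs > IPsec in the GUI); the only thing it needs is charon's own line format. The grouping by IKE_SA id matters on a busy responder, where several clients' lines interleave within the same second.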
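The con-mobile-defaults and con-mobile sections in the posted swanctl.conf still offer aes256-sha256-modp1024 for IKE and 3des-* and *-sha1-* entries for ESP. This session negotiated AES-GCM-256 with MODP_2048_256 for IKE and AES-GCM-256 for ESP, so the weak entries were not used here, but a responder accepts anything it lists when a peer proposes only that. The linter below is an added example and not code from the post, pfSense or strongSwan: it flattens a swanctl.conf, flags the proposal components in its WEAK table (that table is this example's own judgement) and returns the pruned lists. The sample input is constructed from the posted sections, trimmed to the keys the linter reads. Because pfSense regenerates the file (its first line says so), the fix is made under the phase 1 and phase 2 algorithm settings of the mobile entry in the GUI, not in the file.

```python
"""Lint the IKE/ESP proposal lists in a pfSense-generated swanctl.conf.

Added example: not code from the original post, pfSense or strongSwan.
SAMPLE_CONF is constructed from the posted con-mobile sections, trimmed to
the keys this linter reads. The WEAK table is this example's judgement.
"""
import re

SAMPLE_CONF = """\
# This file is automatically generated. Do not edit
connections {
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
}
con-mobile-defaults {
    version = 2
    proposals = aes256gcm128-aesxcbc-curve25519,aes256gcm128-aesxcbc-modp8192,aes256gcm128-sha512-modp2048s256,aes256-sha512-modp2048,aes256-sha384-modp2048,aes256-sha256-modp1024
    children {
        con-mobile {
            esp_proposals = aes256gcm128-modp4096,aes256-sha1-modp4096,aes256-sha256-modp4096,3des-sha1-modp4096,3des-sha256-modp4096
        }
    }
}
"""

# strongSwan proposal keywords a responder should not offer: a peer that
# proposes only one of these gets it accepted.
WEAK = {
    "null":     "no encryption",
    "des":      "single DES",
    "3des":     "3DES (64-bit block, Sweet32)",
    "md5":      "HMAC-MD5 integrity/PRF",
    "sha1":     "HMAC-SHA1-96 integrity/PRF (legacy)",
    "modp768":  "768-bit DH group",
    "modp1024": "1024-bit DH group (group 2)",
    "modp1536": "1536-bit DH group (group 5)",
}

SECTION_RE = re.compile(r"^([\w.-]+)(?:\s*:\s*[\w.-]+)?\s*\{$")   # "name {" or "name : base {"
KV_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")

def parse_swanctl(text):
    """Flatten swanctl.conf into {"dotted.section.key": "value"}.

    Section inheritance ("a : b") is not resolved: the base section is
    linted under its own name, which is what pfSense's stub layout needs."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            path.append(m.group(1))
        elif line == "}":
            path.pop()
        else:
            m = KV_RE.match(line)
            if m:
                settings[".".join(path + [m.group(1)])] = m.group(2).strip()
    return settings

def proposal_keys(settings):
    """Paths of every IKE (proposals) or ESP (esp_proposals) list."""
    return [p for p in settings if p.rsplit(".", 1)[-1] in ("proposals", "esp_proposals")]

def lint_proposals(settings):
    """Return (path, proposal, weak_token, reason) for every weak component."""
    findings = []
    for path in proposal_keys(settings):
        for prop in filter(None, settings[path].split(",")):
            for token in prop.split("-"):
                if token in WEAK:
                    findings.append((path, prop, token, WEAK[token]))
    return findings

def harden(settings):
    """The same lists with every flagged proposal removed, order preserved."""
    weak_props = {(p, prop) for p, prop, _t, _r in lint_proposals(settings)}
    return {path: ",".join(prop for prop in settings[path].split(",")
                           if (path, prop) not in weak_props)
            for path in proposal_keys(settings)}

if __name__ == "__main__":
    s = parse_swanctl(SAMPLE_CONF)
    for path, prop, token, reason in lint_proposals(s):
        print(f"{path}: {prop}: {token} is {reason}")
    for path, value in harden(s).items():
        print(f"keep {path} = {value}")
```

The pruned IKE list keeps exactly the entries this client could have matched (the negotiated MODP_2048_256 entry included); the pruned ESP list keeps the AES-GCM entry the client actually chose plus the SHA-256 fallback.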
      qsystems @qsystems

        OpenVPN and stunnel seem to be working well, however, and as I recall this was not the experience when I first attempted a development snapshot some months ago. It also seems to improve my IPv6 experience with Google Fiber: on 2.4.5_1, IPv6 connectivity would fail in around 24 hours. I moved part of the network away from the HE tunnel to Google, as Netflix streaming seems to be a moving target, continuing to block IPv6 on the various AWS servers they are additionally using now.

        So I have no plans to migrate back to 2.4 now 👍


        qsystems @qsystems

          Deleted all mobile configs and put back in the active config, unchecked group authentication under mobile client - extended configuration. It now works.

          Not sure why it stopped working on update. Maybe due to the disabled additional phase 1 mobile client entry I had before? I left it there but disabled, as I had some time ago attempted to get the IPsec mobile VPN up on all WAN interfaces.


          viktor_g (Netgate) @qsystems

            @qsystems said in From 2.4.5_1 to 2.5.0.a.20210115.2350 - ipsec mobile client vpn certificate based no longer working:

            Deleted all mobile configs and put back in the active config, unchecked group authentication under mobile client - extended configuration. It now works.

            Could be related to group authentication, see https://redmine.pfsense.org/issues/10748

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.