VPN IPSEC IKEv2 Client Not Working

thiagok

Hi, how are you?

I have set a VPN IPSEC client to site with FreeRadius but it is not working:

Jun 9 23:52:20 charon 68813 09[IKE] <con-mobile|970> tried 1 shared key for '%any' - '177.67.63.254', but MAC mismatched
Jun 9 23:52:20 charon 68813 09[ENC] <con-mobile|970> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Jun 9 23:52:20 charon 68813 09[NET] <970> received packet: from 177.67.63.254[500] to 172.31.230.5[500] (424 bytes)
Jun 9 23:52:20 charon 68813 09[ENC] <970> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 9 23:52:20 charon 68813 09[CFG] <970> looking for an IKEv2 config for 172.31.230.5...177.67.63.254
Jun 9 23:52:20 charon 68813 09[CFG] <970> candidate: 172.31.230.5...0.0.0.0/0, ::/0, prio 1052
Jun 9 23:52:20 charon 68813 09[CFG] <970> found matching ike config: 172.31.230.5...0.0.0.0/0, ::/0 with prio 1052
Jun 9 23:52:20 charon 68813 09[IKE] <970> local endpoint changed from 0.0.0.0[500] to 172.31.230.5[500]
Jun 9 23:52:20 charon 68813 09[IKE] <970> remote endpoint changed from 0.0.0.0 to 177.67.63.254[500]
Jun 9 23:52:20 charon 68813 09[IKE] <970> 177.67.63.254 is initiating an IKE_SA
Jun 9 23:52:20 charon 68813 09[IKE] <970> IKE_SA (unnamed)[970] state change: CREATED => CONNECTING
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable INTEGRITY_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable DIFFIE_HELLMAN_GROUP found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable ENCRYPTION_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> no acceptable INTEGRITY_ALGORITHM found
Jun 9 23:52:20 charon 68813 09[CFG] <970> selecting proposal:
Jun 9 23:52:20 charon 68813 09[CFG] <970> proposal matches
Jun 9 23:52:20 charon 68813 09[CFG] <970> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jun 9 23:52:20 charon 68813 09[CFG] <970> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jun 9 23:52:20 charon 68813 09[CFG] <970> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jun 9 23:52:20 charon 68813 09[IKE] <970> sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Jun 9 23:52:20 charon 68813 09[IKE] <970> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jun 9 23:52:20 charon 68813 09[ENC] <970> generating IKE_SA_INIT response 0 [ SA KE No CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 9 23:52:20 charon 68813 09[NET] <970> sending packet: from 172.31.230.5[500] to 177.67.63.254[500] (317 bytes)
Jun 9 23:52:20 charon 68813 09[NET] <970> received packet: from 177.67.63.254[500] to 172.31.230.5[500] (432 bytes)
Jun 9 23:52:20 charon 68813 09[ENC] <970> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun 9 23:52:20 charon 68813 09[CFG] <970> looking for peer configs matching 172.31.230.5[%any]...177.67.63.254[177.67.63.254]
Jun 9 23:52:20 charon 68813 09[CFG] <970> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Jun 9 23:52:20 charon 68813 09[CFG] <con-mobile|970> selected peer config 'con-mobile'
Jun 9 23:52:20 charon 68813 09[IKE] <con-mobile|970> tried 1 shared key for '%any' - '177.67.63.254', but MAC mismatched
Jun 9 23:52:20 charon 68813 09[ENC] <con-mobile|970> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 9 23:52:20 charon 68813 09[NET] <con-mobile|970> sending packet: from 172.31.230.5[500] to 177.67.63.254[500] (80 bytes)
Jun 9 23:52:20 charon 68813 09[IKE] <con-mobile|970> IKE_SA con-mobile[970] state change: CONNECTING => DESTROYING

Thanks in advanced.

Cheers,

Thiago.