<![CDATA[IPSEC - Clients can't connect to VPN.]]>I have had issues with Configuring VPN server on Firewall, I was hoping someone can help me.
My environment is configured as the following:

  • Windows server 2022(with AD,DHCP,DNS, NPS)
  • Pfsense Firewall (suppose the add of 192.168.78.1) (Configured a Radius server for Authentication. No issues with certificates, firewall rules or anything, I even disabled Firewall on both the client PC and the WIN Server).

Below there is one log in IPSEC logs that I need a help with:

  • Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory

Check the Full IPSEC (VPN Server) logs Here:

  • Jan 13 14:20:35 charon 63599 00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, FreeBSD 14.0-CURRENT, amd64)
  • Jan 13 14:20:35 charon 63599 00[CFG] PKCS11 module '<name>' lacks library path
  • Jan 13 14:20:35 charon 63599 00[LIB] providers loaded by OpenSSL: legacy default
  • Jan 13 14:20:35 charon 63599 00[CFG] loaded attribute INTERNAL_IP4_DNS: c0:a8:0d:0e
  • Jan 13 14:20:35 charon 63599 00[CFG] loaded attribute (27674): xx:xx:xx:xx:xx:xx:xx:xx:xx
  • Jan 13 14:20:35 charon 63599 00[CFG] using '/sbin/resolvconf' to install DNS servers
  • Jan 13 14:20:35 charon 63599 00[KNL] unable to set UDP_ENCAP: Invalid argument
  • Jan 13 14:20:35 charon 63599 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
  • Jan 13 14:20:35 charon 63599 00[CFG] loaded 1 RADIUS server configuration
  • Jan 13 14:20:35 charon 63599 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
  • Jan 13 14:20:35 charon 63599 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
  • Jan 13 14:20:35 charon 63599 00[CFG] ipseckey plugin is disabled
  • Jan 13 14:20:35 charon 63599 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
  • Jan 13 14:20:35 charon 63599 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
  • Jan 13 14:20:35 charon 63599 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
  • Jan 13 14:20:35 charon 63599 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
  • Jan 13 14:20:35 charon 63599 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
  • Jan 13 14:20:35 charon 63599 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
  • Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
  • Jan 13 14:20:35 charon 63599 00[LIB] loaded plugins: charon eap-radius unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey ipseckey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
  • Jan 13 14:20:35 charon 63599 00[JOB] spawning 16 worker threads
  • Jan 13 14:20:36 charon 63599 05[CFG] vici client 1 connected
  • Jan 13 14:20:36 charon 63599 05[CFG] vici client 1 requests: get-keys
  • Jan 13 14:20:36 charon 63599 16[CFG] vici client 1 requests: get-shared
  • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-cert
  • Jan 13 14:20:36 charon 63599 15[CFG] loaded certificate 'C=country, ST=State, L=Toronto, O= company, OU= department, CN= firewall-hostname'
  • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-cert
  • Jan 13 14:20:36 charon 63599 15[CFG] loaded certificate 'DC=com, DC=ACME, CN=ACME-ACME-CA'
  • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-key
  • Jan 13 14:20:36 charon 63599 15[CFG] loaded ANY private key
  • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: get-authorities
  • Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: get-pools
  • Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-pool
  • Jan 13 14:20:36 charon 63599 15[CFG] added vici pool mobile-pool-v4: 10.9.9.0, 254 entries
  • Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: get-conns
  • Jan 13 14:20:36 charon 63599 13[CFG] vici client 1 requests: load-conn
  • Jan 13 14:20:36 charon 63599 13[CFG] conn bypass:
  • Jan 13 14:20:36 charon 63599 13[CFG] child bypasslan:
  • Jan 13 14:20:36 charon 63599 13[CFG] rekey_time = 3600
  • Jan 13 14:20:36 charon 63599 13[CFG] life_time = 3960
  • Jan 13 14:20:36 charon 63599 13[CFG] rand_time = 360
  • Jan 13 14:20:36 charon 63599 13[CFG] rekey_bytes = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] life_bytes = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] rand_bytes = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] rekey_packets = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] life_packets = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] rand_packets = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] updown = (null)
  • Jan 13 14:20:36 charon 63599 13[CFG] hostaccess = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] ipcomp = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] mode = PASS
  • Jan 13 14:20:36 charon 63599 13[CFG] policies = 1
  • Jan 13 14:20:36 charon 63599 13[CFG] policies_fwd_out = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] dpd_action = none
  • Jan 13 14:20:36 charon 63599 13[CFG] start_action = trap
  • Jan 13 14:20:36 charon 63599 13[CFG] close_action = none
  • Jan 13 14:20:36 charon 63599 13[CFG] reqid = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] tfc = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] priority = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] interface = (null)
  • Jan 13 14:20:36 charon 63599 13[CFG] if_id_in = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] if_id_out = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] mark_in = 0/0
  • Jan 13 14:20:36 charon 63599 13[CFG] mark_in_sa = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] mark_out = 0/0
  • Jan 13 14:20:36 charon 63599 13[CFG] set_mark_in = 0/0
  • Jan 13 14:20:36 charon 63599 13[CFG] set_mark_out = 0/0
  • Jan 13 14:20:36 charon 63599 13[CFG] label = (null)
  • Jan 13 14:20:36 charon 63599 13[CFG] label_mode = system
  • Jan 13 14:20:36 charon 63599 13[CFG] inactivity = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
  • Jan 13 14:20:36 charon 63599 13[CFG] local_ts = 192.168.78.1/27|/0
  • Jan 13 14:20:36 charon 63599 13[CFG] remote_ts = 192.168.78.0/27|/0
  • Jan 13 14:20:36 charon 63599 13[CFG] hw_offload = no
  • Jan 13 14:20:36 charon 63599 13[CFG] sha256_96 = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] copy_df = 1
  • Jan 13 14:20:36 charon 63599 13[CFG] copy_ecn = 1
  • Jan 13 14:20:36 charon 63599 13[CFG] copy_dscp = out
  • Jan 13 14:20:36 charon 63599 13[CFG] version = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] local_addrs = %any
  • Jan 13 14:20:36 charon 63599 13[CFG] remote_addrs = 127.0.0.1
  • Jan 13 14:20:36 charon 63599 13[CFG] local_port = 500
  • Jan 13 14:20:36 charon 63599 13[CFG] remote_port = 500
  • Jan 13 14:20:36 charon 63599 13[CFG] send_certreq = 1
  • Jan 13 14:20:36 charon 63599 13[CFG] send_cert = CERT_SEND_IF_ASKED
  • Jan 13 14:20:36 charon 63599 13[CFG] ppk_id = (null)
  • Jan 13 14:20:36 charon 63599 13[CFG] ppk_required = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] mobike = 1
  • Jan 13 14:20:36 charon 63599 13[CFG] aggressive = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] dscp = 0x00
  • Jan 13 14:20:36 charon 63599 13[CFG] encap = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] dpd_delay = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] dpd_timeout = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] fragmentation = 2
  • Jan 13 14:20:36 charon 63599 13[CFG] childless = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] unique = UNIQUE_NO
  • Jan 13 14:20:36 charon 63599 13[CFG] keyingtries = 1
  • Jan 13 14:20:36 charon 63599 13[CFG] reauth_time = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] rekey_time = 14400
  • Jan 13 14:20:36 charon 63599 13[CFG] over_time = 1440
  • Jan 13 14:20:36 charon 63599 13[CFG] rand_time = 1440
  • Jan 13 14:20:36 charon 63599 13[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
  • Jan 13 14:20:36 charon 63599 13[CFG] if_id_in = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] if_id_out = 0
  • Jan 13 14:20:36 charon 63599 13[CFG] local:
  • Jan 13 14:20:36 charon 63599 13[CFG] remote:
  • Jan 13 14:20:36 charon 63599 13[CFG] added vici connection: bypass
  • Jan 13 14:20:36 charon 63599 13[CFG] installing 'bypasslan'
  • Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: load-conn
  • Jan 13 14:20:36 charon 63599 14[CFG] conn con-mobile:
  • Jan 13 14:20:36 charon 63599 14[CFG] child con-mobile:
  • Jan 13 14:20:36 charon 63599 14[CFG] rekey_time = 3240
  • Jan 13 14:20:36 charon 63599 14[CFG] life_time = 3600
  • Jan 13 14:20:36 charon 63599 14[CFG] rand_time = 360
  • Jan 13 14:20:36 charon 63599 14[CFG] rekey_bytes = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] life_bytes = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] rand_bytes = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] rekey_packets = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] life_packets = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] rand_packets = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] updown = (null)
  • Jan 13 14:20:36 charon 63599 14[CFG] hostaccess = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] ipcomp = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] mode = TUNNEL
  • Jan 13 14:20:36 charon 63599 14[CFG] policies = 1
  • Jan 13 14:20:36 charon 63599 14[CFG] policies_fwd_out = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] dpd_action = none
  • Jan 13 14:20:36 charon 63599 14[CFG] start_action = none
  • Jan 13 14:20:36 charon 63599 14[CFG] close_action = none
  • Jan 13 14:20:36 charon 63599 14[CFG] reqid = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] tfc = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] priority = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] interface = (null)
  • Jan 13 14:20:36 charon 63599 14[CFG] if_id_in = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] if_id_out = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] mark_in = 0/0
  • Jan 13 14:20:36 charon 63599 14[CFG] mark_in_sa = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] mark_out = 0/0
  • Jan 13 14:20:36 charon 63599 14[CFG] set_mark_in = 0/0
  • Jan 13 14:20:36 charon 63599 14[CFG] set_mark_out = 0/0
  • Jan 13 14:20:36 charon 63599 14[CFG] label = (null)
  • Jan 13 14:20:36 charon 63599 14[CFG] label_mode = system
  • Jan 13 14:20:36 charon 63599 14[CFG] inactivity = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] proposals = ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
  • Jan 13 14:20:36 charon 63599 14[CFG] local_ts = 192.168.78.0/27|/0
  • Jan 13 14:20:36 charon 63599 14[CFG] remote_ts = dynamic
  • Jan 13 14:20:36 charon 63599 14[CFG] hw_offload = no
  • Jan 13 14:20:36 charon 63599 14[CFG] sha256_96 = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] copy_df = 1
  • Jan 13 14:20:36 charon 63599 14[CFG] copy_ecn = 1
  • Jan 13 14:20:36 charon 63599 14[CFG] copy_dscp = out
  • Jan 13 14:20:36 charon 63599 14[CFG] version = 2
  • Jan 13 14:20:36 charon 63599 14[CFG] local_addrs = 10.0.2.3
  • Jan 13 14:20:36 charon 63599 14[CFG] remote_addrs = 0.0.0.0/0, ::/0
  • Jan 13 14:20:36 charon 63599 14[CFG] local_port = 500
  • Jan 13 14:20:36 charon 63599 14[CFG] remote_port = 500
  • Jan 13 14:20:36 charon 63599 14[CFG] send_certreq = 1
  • Jan 13 14:20:36 charon 63599 14[CFG] send_cert = CERT_ALWAYS_SEND
  • Jan 13 14:20:36 charon 63599 14[CFG] ppk_id = (null)
  • Jan 13 14:20:36 charon 63599 14[CFG] ppk_required = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] mobike = 1
  • Jan 13 14:20:36 charon 63599 14[CFG] aggressive = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] dscp = 0x00
  • Jan 13 14:20:36 charon 63599 14[CFG] encap = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] dpd_delay = 10
  • Jan 13 14:20:36 charon 63599 14[CFG] dpd_timeout = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] fragmentation = 2
  • Jan 13 14:20:36 charon 63599 14[CFG] childless = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] unique = UNIQUE_REPLACE
  • Jan 13 14:20:36 charon 63599 14[CFG] keyingtries = 1
  • Jan 13 14:20:36 charon 63599 14[CFG] reauth_time = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] rekey_time = 25920
  • Jan 13 14:20:36 charon 63599 14[CFG] over_time = 2880
  • Jan 13 14:20:36 charon 63599 14[CFG] rand_time = 2880
  • Jan 13 14:20:36 charon 63599 14[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  • Jan 13 14:20:36 charon 63599 14[CFG] if_id_in = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] if_id_out = 0
  • Jan 13 14:20:36 charon 63599 14[CFG] local:
  • Jan 13 14:20:36 charon 63599 14[CFG] class = public key
  • Jan 13 14:20:36 charon 63599 14[CFG] id = 192.168.78.1
  • Jan 13 14:20:36 charon 63599 14[CFG] cert = C=country, ST=State, L=City, O=Company, OU= department, CN= firewall-hostname
  • Jan 13 14:20:36 charon 63599 14[CFG] remote:
  • Jan 13 14:20:36 charon 63599 14[CFG] eap-type = EAP_RADIUS
  • Jan 13 14:20:36 charon 63599 14[CFG] class = EAP
  • Jan 13 14:20:36 charon 63599 14[CFG] eap_id = %any
  • Jan 13 14:20:36 charon 63599 14[CFG] id = %any
  • Jan 13 14:20:36 charon 63599 14[CFG] added vici connection: con-mobile
  • Jan 13 14:20:36 charon 63599 13[CFG] vici client 1 disconnected.

Client PC logs :

  • CoId={C4824F1F-4615-0000-E017-84C41546DA01}: The user ACME-PC-002\Me dialed a connection named ACME which has failed. The error code returned on failure is 809.

Thanks in Advance!

]]>https://forum.netgate.com/topic/185563/ipsec-clients-can-t-connect-to-vpnRSS for NodeThu, 18 Jun 2026 08:58:40 GMTMon, 15 Jan 2024 21:58:25 GMT60