IPsec mobile with RADIUS NPS MFA
So, I have put hours into getting this working, and it works now. However, there is one part that I could not figure out.
When I use "IPsec export Apple profile" and import this on my device, everything works beautifully. However, if I try to manually define the VPN settings on the iOS device, it just fails shortly after I try connecting.
The point of the matter is for me to easily connect to this VPN with AD credentials and MFA. It will not help me as much if I need to import the profile every time.
Checking the logs, I see that the crypto proposal matches and everything goes well, but after splitting the packets the second time, it times out. Traffic never reaches NPS.

Nov 14 18:46:12 charon 26343 09[IKE] <con-mobile|17> IKE_SA con-mobile[17] state change: CONNECTING => DESTROYING
Nov 14 18:46:12 charon 26343 09[JOB] <con-mobile|17> deleting half open IKE_SA with 5.156.97.144 after timeout
Nov 14 18:46:11 charon 26343 09[IKE] <con-mobile|15> IKE_SA con-mobile[15] state change: CONNECTING => DESTROYING
Nov 14 18:46:11 charon 26343 09[JOB] <con-mobile|15> deleting half open IKE_SA with 93.168.76.124 after timeout
Nov 14 18:46:02 charon 26343 09[IKE] <con-mobile|15> sending keep alive to 93.168.76.124[2973]
Nov 14 18:45:42 charon 26343 09[NET] <con-mobile|17> sending packet: from <redacted IP>[4500] to 5.156.97.144[4656] (1103 bytes)
Nov 14 18:45:42 charon 26343 09[NET] <con-mobile|17> sending packet: from <redacted IP>[4500] to 5.156.97.144[4656] (1248 bytes)
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> splitting IKE message (2286 bytes) into 2 fragments
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> sending issuer cert "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> sending end entity cert "CN=ipsec.domain.com"
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> authentication of 'ipsec.domain.com' (myself) with ECDSA_WITH_SHA256_DER successful
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> peer supports MOBIKE
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_DNS_DOMAIN attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP6_DNS attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP6_DHCP attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP6_ADDRESS attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP4_DNS attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP4_DHCP attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP4_NETMASK attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> processing INTERNAL_IP4_ADDRESS attribute
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> initiating EAP_IDENTITY method (id 0x00)
Nov 14 18:45:42 charon 26343 09[CFG] <con-mobile|17> selected peer config 'con-mobile'
Nov 14 18:45:42 charon 26343 09[CFG] <17> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
Nov 14 18:45:42 charon 26343 09[CFG] <17> looking for peer configs matching <redacted IP>[ipsec.domain.com]...5.156.97.144[172.17.33.144]
Nov 14 18:45:42 charon 26343 09[IKE] <17> remote endpoint changed from 5.156.97.144[6848] to 5.156.97.144[4656]
Nov 14 18:45:42 charon 26343 09[IKE] <17> local endpoint changed from <redacted IP>[500] to <redacted IP>[4500]
Nov 14 18:45:42 charon 26343 09[ENC] <17> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Nov 14 18:45:42 charon 26343 09[ENC] <17> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 14 18:45:42 charon 26343 09[NET] <17> received packet: from 5.156.97.144[4656] to <redacted IP>[4500] (374 bytes)
Nov 14 18:45:42 charon 26343 13[NET] <17> sending packet: from <redacted IP>[500] to 5.156.97.144[6848] (509 bytes)
Nov 14 18:45:42 charon 26343 13[ENC] <17> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 14 18:45:42 charon 26343 13[IKE] <17> sending cert request for "C=US, O=Let's Encrypt, CN=E8"
Nov 14 18:45:42 charon 26343 13[IKE] <17> sending cert request for "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:42 charon 26343 13[CFG] <17> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Nov 14 18:45:42 charon 26343 13[IKE] <17> remote host is behind NAT
Nov 14 18:45:42 charon 26343 13[CFG] <17> received supported signature hash algorithms: sha512 sha384 sha256
Nov 14 18:45:42 charon 26343 13[CFG] <17> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42 charon 26343 13[CFG] <17> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42 charon 26343 13[CFG] <17> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42 charon 26343 13[CFG] <17> proposal matches
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable (6) found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <17> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <17> selecting proposal:
Nov 14 18:45:42 charon 26343 13[IKE] <17> IKE_SA (unnamed)[17] state change: CREATED => CONNECTING
Nov 14 18:45:42 charon 26343 13[IKE] <17> 5.156.97.144 is initiating an IKE_SA
Nov 14 18:45:42 charon 26343 13[IKE] <17> remote endpoint changed from 0.0.0.0 to 5.156.97.144[6848]
Nov 14 18:45:42 charon 26343 13[IKE] <17> local endpoint changed from 0.0.0.0[500] to <redacted IP>[500]
Nov 14 18:45:42 charon 26343 13[CFG] <17> found matching ike config: <redacted IP>...0.0.0.0/0, ::/0 with prio 1052
Nov 14 18:45:42 charon 26343 13[CFG] <17> candidate: <redacted IP>...0.0.0.0/0, ::/0, prio 1052
Nov 14 18:45:42 charon 26343 13[CFG] <17> looking for an IKEv2 config for <redacted IP>...5.156.97.144
Nov 14 18:45:42 charon 26343 13[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N((16438)) N((16438)) N((16438)) N((16438)) ]
Nov 14 18:45:42 charon 26343 13[NET] <17> received packet: from 5.156.97.144[6848] to <redacted IP>[500] (786 bytes)
Nov 14 18:45:42 charon 26343 13[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Nov 14 18:45:42 charon 26343 13[NET] <16> sending packet: from <redacted IP>[500] to 5.156.97.144[6848] (38 bytes)
Nov 14 18:45:42 charon 26343 13[ENC] <16> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 14 18:45:42 charon 26343 13[IKE] <16> DH group ECP_256 unacceptable, requesting MODP_2048
Nov 14 18:45:42 charon 26343 13[IKE] <16> remote host is behind NAT
Nov 14 18:45:42 charon 26343 13[CFG] <16> received supported signature hash algorithms: sha512 sha384 sha256
Nov 14 18:45:42 charon 26343 13[CFG] <16> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42 charon 26343 13[CFG] <16> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42 charon 26343 13[CFG] <16> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:42 charon 26343 13[CFG] <16> proposal matches
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable (6) found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable PSEUDO_RANDOM_FUNCTION found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[CFG] <16> no acceptable KEY_EXCHANGE_METHOD found
Nov 14 18:45:42 charon 26343 13[CFG] <16> selecting proposal:
Nov 14 18:45:42 charon 26343 13[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
Nov 14 18:45:42 charon 26343 13[IKE] <16> 5.156.97.144 is initiating an IKE_SA
Nov 14 18:45:42 charon 26343 13[IKE] <16> remote endpoint changed from 0.0.0.0 to 5.156.97.144[6848]
Nov 14 18:45:42 charon 26343 13[IKE] <16> local endpoint changed from 0.0.0.0[500] to <redacted IP>[500]
Nov 14 18:45:42 charon 26343 13[CFG] <16> found matching ike config: <redacted IP>...0.0.0.0/0, ::/0 with prio 1052
Nov 14 18:45:42 charon 26343 13[CFG] <16> candidate: <redacted IP>...0.0.0.0/0, ::/0, prio 1052
Nov 14 18:45:42 charon 26343 13[CFG] <16> looking for an IKEv2 config for <redacted IP>...5.156.97.144
Nov 14 18:45:42 charon 26343 13[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N((16438)) N((16438)) N((16438)) N((16438)) ]
Nov 14 18:45:42 charon 26343 13[NET] <16> received packet: from 5.156.97.144[6848] to <redacted IP>[500] (594 bytes)
Nov 14 18:45:41 charon 26343 13[NET] <con-mobile|15> sending packet: from <redacted IP>[4500] to 93.168.76.124[2973] (1104 bytes)
Nov 14 18:45:41 charon 26343 13[NET] <con-mobile|15> sending packet: from <redacted IP>[4500] to 93.168.76.124[2973] (1248 bytes)
Nov 14 18:45:41 charon 26343 13[ENC] <con-mobile|15> generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 14 18:45:41 charon 26343 13[ENC] <con-mobile|15> generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 14 18:45:41 charon 26343 13[ENC] <con-mobile|15> splitting IKE message (2287 bytes) into 2 fragments
Nov 14 18:45:41 charon 26343 13[ENC] <con-mobile|15> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> sending issuer cert "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> sending end entity cert "CN=ipsec.domain.com"
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> authentication of 'ipsec.domain.com' (myself) with ECDSA_WITH_SHA256_DER successful
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> peer supports MOBIKE
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_DNS_DOMAIN attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP6_DNS attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP6_DHCP attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP6_ADDRESS attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP4_DNS attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP4_DHCP attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP4_NETMASK attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> processing INTERNAL_IP4_ADDRESS attribute
Nov 14 18:45:41 charon 26343 13[IKE] <con-mobile|15> initiating EAP_IDENTITY method (id 0x00)
Nov 14 18:45:41 charon 26343 13[CFG] <con-mobile|15> selected peer config 'con-mobile'
Nov 14 18:45:41 charon 26343 13[CFG] <15> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
Nov 14 18:45:41 charon 26343 13[CFG] <15> looking for peer configs matching <redacted IP>[ipsec.domain.com]...93.168.76.124[2001:16a2:c076:a93f:1cd8:1278:5e5:c7c]
Nov 14 18:45:41 charon 26343 13[IKE] <15> remote endpoint changed from 93.168.76.124[3890] to 93.168.76.124[2973]
Nov 14 18:45:41 charon 26343 13[IKE] <15> local endpoint changed from <redacted IP>[500] to <redacted IP>[4500]
Nov 14 18:45:41 charon 26343 13[ENC] <15> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Nov 14 18:45:41 charon 26343 13[ENC] <15> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 14 18:45:41 charon 26343 13[NET] <15> received packet: from 93.168.76.124[2973] to <redacted IP>[4500] (386 bytes)
Nov 14 18:45:41 charon 26343 13[NET] <15> sending packet: from <redacted IP>[500] to 93.168.76.124[3890] (509 bytes)
Nov 14 18:45:41 charon 26343 13[ENC] <15> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Nov 14 18:45:41 charon 26343 13[IKE] <15> sending cert request for "C=US, O=Let's Encrypt, CN=E8"
Nov 14 18:45:41 charon 26343 13[IKE] <15> sending cert request for "C=US, O=Let's Encrypt, CN=E7"
Nov 14 18:45:41 charon 26343 13[CFG] <15> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Nov 14 18:45:41 charon 26343 13[IKE] <15> remote host is behind NAT
Nov 14 18:45:41 charon 26343 13[IKE] <15> local host is behind NAT, sending keep alives
Nov 14 18:45:41 charon 26343 13[CFG] <15> received supported signature hash algorithms: sha512 sha384 sha256
Nov 14 18:45:41 charon 26343 13[CFG] <15> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:41 charon 26343 13[CFG] <15> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:41 charon 26343 13[CFG] <15> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_6_36, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/UNKNOWN_6_36, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 14 18:45:41 charon 26343 13[CFG] <15> proposal matches

What am I missing here, or do I absolutely have to use the profile file?
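As an added troubleshooting aid (this script is not part of the post, of pfSense or of strongSwan), the following Python parses charon log lines in the format shown above, puts them back into chronological order (the pfSense status page lists the newest entry first) and reports per IKE_SA how far each negotiation got. The sample lines are constructed to mirror the post's log, with the documentation-range addresses 203.0.113.10 (client) and 198.51.100.1 (gateway) substituted for the real ones; the IKE_SA numbers, byte counts and message texts follow the post.

```python
"""Summarise strongSwan (charon) IKEv2 negotiations per IKE_SA.

Added example, not from the post, pfSense or strongSwan. It reads charon
lines as pfSense prints them and reports, for each IKE_SA, whether the peer
stopped answering after the fragmented IKE_AUTH response that carries the
EAP-Identity request (the point at which the post's connections die).
"""
import re
from datetime import datetime

# One charon line: "Mon DD HH:MM:SS charon <pid> <thread>[SUBSYS] <conn|sa> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) charon \d+ \d+\[(?P<sub>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
RECV_RE = re.compile(r"^received packet: from (?P<ip>[^\[]+)\[\d+\] to .* \((?P<size>\d+) bytes\)$")
FRAG_RE = re.compile(r"^splitting IKE message \((?P<size>\d+) bytes\) into (?P<n>\d+) fragments$")
INVAL_KE_RE = re.compile(r"^DH group (?P<got>\S+) unacceptable, requesting (?P<want>\S+)$")
TIMEOUT_RE = re.compile(r"^deleting half open IKE_SA with \S+ after timeout$")
STATE_RE = re.compile(r"state change: \S+ => (?P<to>\S+)$")

# Constructed sample (newest first, like the pfSense log view). Addresses are
# placeholders from the documentation ranges; message texts mirror the post.
SAMPLE_LOG = """\
Nov 14 18:46:12 charon 26343 09[IKE] <con-mobile|17> IKE_SA con-mobile[17] state change: CONNECTING => DESTROYING
Nov 14 18:46:12 charon 26343 09[JOB] <con-mobile|17> deleting half open IKE_SA with 203.0.113.10 after timeout
Nov 14 18:45:42 charon 26343 09[NET] <con-mobile|17> sending packet: from 198.51.100.1[4500] to 203.0.113.10[4656] (1103 bytes)
Nov 14 18:45:42 charon 26343 09[NET] <con-mobile|17> sending packet: from 198.51.100.1[4500] to 203.0.113.10[4656] (1248 bytes)
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 14 18:45:42 charon 26343 09[ENC] <con-mobile|17> splitting IKE message (2286 bytes) into 2 fragments
Nov 14 18:45:42 charon 26343 09[IKE] <con-mobile|17> initiating EAP_IDENTITY method (id 0x00)
Nov 14 18:45:42 charon 26343 09[CFG] <con-mobile|17> selected peer config 'con-mobile'
Nov 14 18:45:42 charon 26343 09[ENC] <17> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS) SA TSi TSr N(MOBIKE_SUP) ]
Nov 14 18:45:42 charon 26343 09[NET] <17> received packet: from 203.0.113.10[4656] to 198.51.100.1[4500] (374 bytes)
Nov 14 18:45:42 charon 26343 13[NET] <17> sending packet: from 198.51.100.1[500] to 203.0.113.10[6848] (509 bytes)
Nov 14 18:45:42 charon 26343 13[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 14 18:45:42 charon 26343 13[NET] <17> received packet: from 203.0.113.10[6848] to 198.51.100.1[500] (786 bytes)
Nov 14 18:45:42 charon 26343 13[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Nov 14 18:45:42 charon 26343 13[ENC] <16> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 14 18:45:42 charon 26343 13[IKE] <16> DH group ECP_256 unacceptable, requesting MODP_2048
Nov 14 18:45:42 charon 26343 13[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 14 18:45:42 charon 26343 13[NET] <16> received packet: from 203.0.113.10[6848] to 198.51.100.1[500] (594 bytes)
"""


def parse_lines(lines):
    """Parse charon lines; unparseable lines are skipped. Returns events oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    # The pfSense log view prints newest first; flip to chronological order.
    if len(events) > 1 and events[0]["time"] > events[-1]["time"]:
        events.reverse()
    return events


def summarise(events):
    """Fold the events into one progress record per IKE_SA number."""
    sas = {}
    for ev in events:
        sa = sas.setdefault(ev["sa"], {
            "conn": None, "peer": None, "ike_auth_request": False, "fragmented": None,
            "eap_identity_sent": False, "peer_packets_after_eap": 0,
            "invalid_ke": None, "timed_out": False, "last_state": None,
        })
        msg = ev["msg"]
        if ev["conn"]:
            sa["conn"] = ev["conn"]
        if (m := RECV_RE.match(msg)):
            sa["peer"] = m["ip"]
            if sa["eap_identity_sent"]:          # anything from the peer after EAP-Identity?
                sa["peer_packets_after_eap"] += 1
        elif msg.startswith("parsed IKE_AUTH request"):
            sa["ike_auth_request"] = True
        elif (m := FRAG_RE.match(msg)):
            sa["fragmented"] = (int(m["size"]), int(m["n"]))
        elif msg.startswith("initiating EAP_IDENTITY method"):
            sa["eap_identity_sent"] = True
        elif (m := INVAL_KE_RE.match(msg)):
            sa["invalid_ke"] = (m["got"], m["want"])
        elif TIMEOUT_RE.match(msg):
            sa["timed_out"] = True
        if (m := STATE_RE.search(msg)):
            sa["last_state"] = m["to"]
    return sas


def diagnose(sa_id, sa):
    """One-line verdict for an IKE_SA record from summarise()."""
    name = f"IKE_SA {sa_id}" + (f" ({sa['conn']})" if sa["conn"] else "")
    peer = sa["peer"] or "unknown peer"
    if sa["invalid_ke"]:
        got, want = sa["invalid_ke"]
        return (f"{name} from {peer}: answered with INVALID_KE_PAYLOAD (peer offered {got}, "
                f"asked to retry with {want}); expected, the client opens a new IKE_SA")
    if not sa["ike_auth_request"]:
        return f"{name} from {peer}: no IKE_AUTH request seen, stalled after IKE_SA_INIT"
    steps = []
    if sa["fragmented"]:
        size, n = sa["fragmented"]
        steps.append(f"IKE_AUTH response fragmented ({size} bytes into {n} fragments)")
    if sa["eap_identity_sent"]:
        steps.append("EAP-Identity request sent")
        if sa["peer_packets_after_eap"] == 0:
            steps.append("no packet received from the peer afterwards, so the "
                         "EAP/RADIUS exchange never started")
    if sa["timed_out"]:
        steps.append("half-open IKE_SA deleted after timeout")
    return f"{name} from {peer}: " + "; ".join(steps)


def report(log_text):
    """Parse a whole log and return one diagnosis line per IKE_SA, lowest id first."""
    sas = summarise(parse_lines(log_text.splitlines()))
    return [diagnose(k, sas[k]) for k in sorted(sas, key=int)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Two things the output makes visible that the raw log hides: the long run of "selecting proposal" / "no acceptable ... found" pairs before "proposal matches" is just charon trying each configured proposal against each received one (6 x 8 pairs in the post, with the 46th matching) and is not an error, and with EAP-RADIUS the first Access-Request to NPS is only built once the client returns its EAP-Identity response, so a client that never answers the fragmented IKE_AUTH response is exactly what "traffic never reaches NPS" looks like from the gateway side. Feed a real log in by replacing SAMPLE_LOG with the file contents.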
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.