I want to migrate my pfSense installation to OPNsense. All good, but the configuration of IPsec is a nightmare that I can't get past.
I have always configured IPsec with RADIUS on pfSense in this way without problems, so I have reproduced all the steps on OPNsense 23.1 (fresh installation), but it does not work ... I don't understand where I'm wrong.
FQDN : vpn.mydomain.com (for the external DNS and as hostname of the OPNsense machine)
- System > Trust > Authorities
Descriptive name : CA_IPSEC
Common Name : vpn.mydomain.com
Lifetime : 3650
- System > Trust > Certificates
Descriptive name : vpn.mydomain.com
Type : Server Certificate
Lifetime : 3650
Common Name : vpn.mydomain.com
Alternative Names (DNS) : vpn.mydomain.com
- System > Access > Servers
add and test the connection to the RADIUS server
- Firewall > Rules > WAN
open ports 500 and 4500 TCP/UDP IPv4
- VPN > IPsec > Mobile Clients
Enable : checked
Backend for authentication : my_radius_server
Virtual IPv4 Address Pool : 192.168.100.0/24
Network List : checked
DNS Default Domain : checked ( mydomain.loc )
DNS Servers checked : 172.16.10.1
Phase 2 PFS Group : OFF
- VPN > IPsec > Tunnel Settings ( phase 1 )
Connection method : start on traffic (I also tried the other one)
Key Exchange version : V2
Authentication method : EAP-RADIUS
My identifier ( DN ) : vpn.mydomain.com
My Certificate : vpn.mydomain.com
Radius servers : my_radius_server
Hash algorithm : SHA256
DH key group : 14
Dead Peer Detection : checked
Lifetime : 28800
- VPN > IPsec > Tunnel Settings ( phase 2 )
Type : LAN Subnet
Protocol : ESP
Encryption algorithms : AES256
Hash algorithms : SHA1, SHA256
PFS key group : OFF
Lifetime : 3600
Then I download the CA_IPSEC cert on the Windows 10/11 client and install it in Local Machine under Trusted Root Certification Authorities.
For the configuration of the IPsec connection on the client side I use a simple PowerShell script, run as administrator:

```powershell
# Create the IKEv2 entry in the all-user phonebook; EAP (EAP-MSCHAPv2 unless an EAP XML is supplied) carries the RADIUS credentials
Add-VpnConnection -Name "MYOFFICE" -ServerAddress "vpn.mydomain.com" -TunnelType IKEv2 -AuthenticationMethod EAP -EncryptionLevel "Required" -SplitTunneling -AllUserConnection
# Pin the client proposals to the server's phase 1/2 settings: AES256, SHA256, DH group 14, no PFS
Set-VpnConnectionIPsecConfiguration -ConnectionName "MYOFFICE" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup None -PassThru -Force
# Split tunnel: only the office LAN is routed through the VPN
Add-VpnConnectionRoute -ConnectionName "MYOFFICE" -DestinationPrefix 172.16.10.0/24 -PassThru
```
With pfSense this procedure works like a charm; with OPNsense, the error when I try to connect is always (OPNsense side):
[IKE] no IKE config found for xx.xx.xx.xxx. ...yyy.yyy.y.y..y.y, sending NO_PROPOSAL_CHOSEN
[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
On the Windows side:
The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13868.
I understand that the error in the logs indicates that the IKEv2 security policy on the client did not match the configuration on the server, but I don't understand where the error is and why it works with pfSense.
Thanks in advance
P.S. Why doesn't the IPsec service start automatically? I need to run the command /usr/local/sbin/ipsec start from the shell to have the service up and running.
thanks
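The post above lists the server-side phase 1/2 settings and the client script side by side, and the failure is a proposal/policy mismatch at IKE_SA_INIT. The following script is an added example, not code from the thread: it reads the connection entry back from the Windows phonebook and compares it against the OPNsense values quoted above (AES256 / SHA256 / DH group 14 / PFS off), checks that the CA with CN=vpn.mydomain.com is in the machine-wide root store, and prints the RasMan registry switches that the later RRAS trace refers to. Connection name, FQDN and CA common name are taken from the post; everything else (the comparison table, the output format) is an assumption of this example.

```powershell
# Added example (not from the original post): sanity-check a Windows IKEv2
# client entry against the server-side settings listed in the post before dialing.
# Assumptions: connection name "MYOFFICE", server FQDN and CA CN vpn.mydomain.com,
# as in the post; the expected values mirror the OPNsense phase 1/2 settings.
param(
    [string]$ConnectionName = "MYOFFICE",
    [string]$ServerFqdn     = "vpn.mydomain.com"
)

# What the OPNsense side is configured to accept (values from the post).
$expected = @{
    EncryptionMethod                 = 'AES256'     # phase 1 encryption
    IntegrityCheckMethod             = 'SHA256'     # phase 1 hash
    DHGroup                          = 'Group14'    # phase 1 DH group
    CipherTransformConstants         = 'AES256'     # phase 2 ESP cipher
    AuthenticationTransformConstants = 'SHA256128'  # phase 2 ESP integrity (SHA256 on OPNsense)
    PfsGroup                         = 'None'       # phase 2 PFS off
}

$problems = New-Object System.Collections.Generic.List[string]

# 1. The entry must exist in the all-user phonebook and dial the certificate's name.
$vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
    $problems.Add("connection '$ConnectionName' not found in the all-user phonebook")
} else {
    if ($vpn.ServerAddress -ne $ServerFqdn) {
        $problems.Add("ServerAddress is '$($vpn.ServerAddress)', expected '$ServerFqdn' (must match the server certificate SAN)")
    }
    if ($vpn.TunnelType -ne 'Ikev2')                 { $problems.Add("TunnelType is '$($vpn.TunnelType)', expected IKEv2") }
    if ($vpn.AuthenticationMethod -notcontains 'Eap') { $problems.Add("AuthenticationMethod does not include EAP") }

    # 2. Custom IPsec policy: each proposal value must equal the server setting,
    #    otherwise the responder answers IKE_SA_INIT with NO_PROPOSAL_CHOSEN.
    $policy = $vpn.IPSecCustomPolicy
    if (-not $policy) {
        $problems.Add("no custom IPsec policy set; Windows defaults would be proposed instead of AES256/SHA256/DH14")
    } else {
        foreach ($k in $expected.Keys) {
            $have = [string]$policy.$k
            if ($have -ne $expected[$k]) { $problems.Add("$k is '$have', expected '$($expected[$k])'") }
        }
    }
}

# 3. The issuing CA must be trusted machine-wide: the EAP server certificate is
#    validated against LocalMachine\Root, not the current user's store.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "*CN=$ServerFqdn*" } |
      Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ca)                              { $problems.Add("no CA with CN=$ServerFqdn in LocalMachine\Root") }
elseif ($ca.NotAfter -lt (Get-Date))       { $problems.Add("CA certificate expired on $($ca.NotAfter)") }

# 4. RasMan switches that show up in the RRAS trace. 'RegQueryValueEx ... failed with 2'
#    there means ERROR_FILE_NOT_FOUND, i.e. the value is absent and the default applies
#    (server name/EKU check and server certificate validation stay enabled).
$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
foreach ($v in 'DisableIKENameEkuCheck', 'IkeAuthTypeNoServerCert', 'DisableCertReqPayload') {
    $val = (Get-ItemProperty -Path $rasman -Name $v -ErrorAction SilentlyContinue).$v
    "{0,-26} {1}" -f $v, $(if ($null -eq $val) { 'not set (default)' } else { $val })
}

if ($problems.Count -eq 0) { "OK: client policy matches the server settings in the post" }
else { $problems | ForEach-Object { "MISMATCH: $_" } }
```

Run it from an elevated PowerShell on the client after the Add-VpnConnection script. A clean run only proves that the client will propose what the post says the server accepts; a NO_PROPOSAL_CHOSEN that survives this check points at the server side (a phase 1 entry that does not cover the WAN address, or a phase 1 encryption setting that does not include AES256).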
Firewall > Rules > WAN
open ports 500 and 4500 TCP/UDP IPv4
You need to open 500 and 4500 only for UDP, but the ESP rule is missing.
Thanks for your reply.
If you are referring to ESP in phase 2, it is specified:
- VPN > IPsec > Tunnel Settings ( phase 2 )
Type : LAN Subnet
Protocol : ESP
Encryption algorithms : AES256
Hash algorithms : SHA1, SHA256
PFS key group : OFF
Lifetime : 3600
I have changed the rule for ports 500 and 4500 to UDP only, but nothing changes.
Sorry for the mistake,
you mean the ESP rule on the WAN interface... rule added, problem still persists.
Please remove.
- VPN > IPsec > Mobile Clients
Virtual IPv4 Address Pool : 192.168.100.0/24
The IP address should be provided by the RADIUS server.
- VPN > IPsec > Tunnel Settings ( phase 2 )
Type : LAN Subnet
Enter Network and 0.0.0.0/0 here
Done... no IKE config found for xxxxxxxx...xxxxxxx, sending NO_PROPOSAL_CHOSEN
Maybe there is an issue with your certificates. Please run a trace.
netsh trace start VpnClient per=yes maxsize=0 filemode=single
.... connection test ...
netsh trace stop
The trace file can be read with the Event Viewer. Use the filter RRAS-Provider.
Done... this is the complete log:
Level Date and time Source Event ID Task category
Error 14/03/2023 12:32:41 Microsoft-Windows-RRAS 12000 None From !!!!!SDOWRAPPER.LIB!!!!!!!!!!
Error 14/03/2023 12:32:41 Microsoft-Windows-RRAS 12000 None From !!!!!SDOWRAPPER.LIB!!!!!!!!!!
Information 14/03/2023 12:32:41 Microsoft-Windows-RRAS 16001 None IPv6CP: Setting tracing parameters
Information 14/03/2023 12:32:41 Microsoft-Windows-RRAS 16001 None PAP: Setting tracing parameters
Information 14/03/2023 12:32:41 Microsoft-Windows-RRAS 6001 None FROM !!!!!WFP.LIB!!!!!!!!
Information 14/03/2023 12:32:41 Microsoft-Windows-RRAS 14001 None From !!!!HOSTROUT.LIB!!!!!
Information 14/03/2023 12:32:51 Microsoft-Windows-RRAS 6001 None VPNIKE Recevied message PROTOCOL_MSG_GetNewIkeTunnelId
Information 14/03/2023 12:32:51 Microsoft-Windows-RRAS 6001 None Entering BaseConnectionFactory::GenerateConnectionId...
Information 14/03/2023 12:32:51 Microsoft-Windows-RRAS 6001 None Leaving BaseConnectionFactory::GenerateConnectionId (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None VPNIKE Recevied message PROTOCOL_MSG_Start
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::GetConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::GetConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEProtocolEngine::GetRasDeviceParams...
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None RasDeviceGetInfo=603,s=294
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None RasDeviceGetInfo=0,s=294,noParams=3
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None ConnectionId=4,Destination IP=x.xx.xx.xxx
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEProtocolEngine::GetRasDeviceParams (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Username: administrator
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Domain:
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Un-expected PSK size: 0 received. Ignoring the PSK.
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None CorrelationGuid: {13174144-53AF-0002-3093-2913AF53D901}
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None PhonebookPath: [C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk], EntryName: [VM4B]
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Destination Address: [x.xx.xx.xxx]
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None ConfigFlags: 0x08009288, ProtocolConfigFlags: 0x00000288
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None IdleTimeOut: -1, NetworkOutageTime: 1800
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None ipv6addres [IpRemote=0]
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None PrefixLength [0]
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering VPNIKEConnectionFactory::CreateConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BaseConnection::BaseConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Configured IdleTimeOut:4294967295, approx. value used:4294967295
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None InterfaceIndex:12, MTU:1500
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BaseConnection::BaseConnection (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::VPNIKEConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv4Helper::IPv4Helper...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv4Helper::IPv4Helper (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv6Helper::IPv6Helper...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv6Helper::IPv6Helper
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering IPNotifications::IPNotifications...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving IPNotifications::IPNotifications
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Created new IPNotifications instance
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::VPNIKEConnection (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::VPNIKEClientConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering BFEHandler::BFEHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BFEHandler::GetBfeHandle...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BFEHandler::GetBfeHandle (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving BFEHandler::BFEHandler (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientBFEHandler::ClientBFEHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientBFEHandler::ClientBFEHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None BaseAAAHelper Instance is getting created
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Auth type is EAP hence initiating ClientEAPAuthHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering EAPAuthHandler::EAPAuthHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving EAPAuthHandler::EAPAuthHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientEAPAuthHandler::ClientEAPAuthHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientEAPAuthHandler::ClientEAPAuthHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::VPNIKEClientConnection (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::Add...
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6000 None Add new connection with Id 4 @ index 4
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::Add (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Signalling the event that the number of connections are atleast 1
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving VPNIKEConnectionFactory::CreateConnection (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering BFEHandler::PopulateTrafficSelectors...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering TrafficSelectors::TrafficSelectors...
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6000 None Total list of TS Payloads = 1
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving TrafficSelectors::TrafficSelectors
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering TrafficSelectors::InitTsPayloads...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering TrafficSelectors::PopulateTsPayloadById...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering TrafficSelectors::GetDefaultTs...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving TrafficSelectors::GetDefaultTs
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering TrafficSelectors::GetDefaultTs...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving TrafficSelectors::GetDefaultTs
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving TrafficSelectors::PopulateTsPayloadById
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving TrafficSelectors::InitTsPayloads
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving BFEHandler::PopulateTrafficSelectors (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ThreadPoolHelper::QueueWorkItem...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ThreadPoolHelper::QueueWorkItem (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEProtocolEngine::DispatchMessageA...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing PROTOCOL_MSG_Start for hPort=3
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::GetConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::GetConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::ProcessStart...
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None ===> Eap Method Type : 26
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None SetEapAuthData EapBegin EapMethodId = 0
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientBFEHandler::PlumbPolicy...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Adding Policy for Server address
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Building custom Client IKEv2 proposals
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Custom Client IKEv2 proposal count: 1
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Adding EAP as LocalAuth method
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None IsPeerCertValidationForEapDiasabled: RegQueryValueEx for IkeAuthTypeNoServerCert failed with 2
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Adding Cert as RemoteAuth method
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None IsCertRequestPayloadDisabled: RegQueryValueEx for DisableCertReqPayload failed with 2
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Adding Cert(method type: 7) as RemoteAuth method
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Adding Cert(method type: 8) as RemoteAuth method
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Chosen encryption: 3,localauth: 1,remoteauth: 2
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BFEHandler::GetBfeHandle...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BFEHandler::GetBfeHandle (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientBFEHandler::PlumbPolicy (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Adding header v4 remote address to additional addresses
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering LogAdditionalAddresses...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None "Additional Address:
NumberOfIPv4Address: [1]
[0]:x.xx.xx.xxx
NumberOfIPv6Address: [0]"
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving LogAdditionalAddresses
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::UpdatePeerAdditionalAddresses...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::UpdatePeerAdditionalAddresses
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientBFEHandler::StartSANegotiation...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BFEHandler::GetBfeHandle...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BFEHandler::GetBfeHandle (status: 0).
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6002 None IsCertSubjectNameCheckDisabled failed: RegQueryValueEx for DisableIKENameEkuCheck failed with 2
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None TunnelProtocolV4
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6000 None StartService failed with error: 0
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientBFEHandler::StartSANegotiation (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00000001
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::ProcessStart (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing done PROTOCOL_MSG_Start for hPort=3. Error:0
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEProtocolEngine::DispatchMessageA (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 8001 None Entered: CloseTunnel
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 8001 None Entering InitializeVpnIkeRpcClient...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 8001 None Leaving InitializeVpnIkeRpcClient
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering VpnikeCloseTunnel...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Tunnel ID: 0x4, Failure reason: 13868
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering SignalSynchronizingEvent...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering SynchronizationEventManager::SignalAndDeleteEventHandle...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering SynchronizationEventManager::SignalEventHandle...
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6000 None SyncEventEntry object with 4 could NOT be found
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving SynchronizationEventManager::SignalEventHandle (status: 1168).
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6000 None SignalEventHandle failed: 1168
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving SynchronizationEventManager::SignalAndDeleteEventHandle (status: 1168).
Error 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6000 None Signaling of synchronizing event failed. Error = 1168
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving SignalSynchronizingEvent (status: 1168).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::GetConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::GetConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::CloseTunnel...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering VPNIKEClientConnection::InitiateIkeCompleteCallback...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00000801
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing Close Tunnel with reason: 13868
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::Disconnect...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00100801
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::Disconnect...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None DisconnectReason: 2
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv4Helper::Cleanup...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv4Helper::ResetIPv4Settings...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv4Helper::ResetIPv4Settings (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv4Helper::Cleanup (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv6Helper::Cleanup...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv6Helper::ResetIPv6Settings...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv6Helper::ResetIPv6Settings (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv6Helper::Cleanup (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::Disconnect
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientBFEHandler::DeletePolicy...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BFEHandler::GetBfeHandle...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BFEHandler::GetBfeHandle (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientBFEHandler::DeletePolicy
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::Disconnect
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Connection State: 0x00100801
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::CloseTunnel (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving VpnikeCloseTunnel (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None InitiateIkeCompleteCallback:SA negotiation failure Status:13868 for TunnelID: 4
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None InitiateIkeCompleteCallback:All SA negotiation completed. Status:13868 for TunnelID: 4
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 8001 None Leaving: CloseTunnel
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00100C03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None NotifyCaller(hPort=3, PROTOCOL_RES_Failure)
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Connection State: 0x00100C03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving VPNIKEClientConnection::InitiateIkeCompleteCallback
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None VPNIKE Recevied message PROTOCOL_MSG_Stop
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ThreadPoolHelper::QueueWorkItem...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ThreadPoolHelper::QueueWorkItem (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEProtocolEngine::DispatchMessageA...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing PROTOCOL_MSG_Stop for hPort=3
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::GetConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::GetConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::ProcessStop...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00101C03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::Disconnect...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Disconnect is in progress. No need to initiate again.
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::Disconnect
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00103C03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Connection State: 0x00103C03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Notify Rasman about VPNIKE connection stopped
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None NotifyCaller(hPort=3, PROTOCOL_RES_Stopped)
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None VPNIKE Recevied message PROTOCOL_MSG_LineDown
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ThreadPoolHelper::QueueWorkItem...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ThreadPoolHelper::QueueWorkItem (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEProtocolEngine::DispatchMessageA...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing PROTOCOL_MSG_LineDown for hPort=3
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::GetConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::GetConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x00107C03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::ProcessStop
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing done PROTOCOL_MSG_Stop for hPort=3. Error:0
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEProtocolEngine::DispatchMessageA (status: 0).
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::ProcessLineDown...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None UpdateState: 0x0010FC03
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::Disconnect...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Connection already disconnected. Hence nothing to cleanup
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::Disconnect
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::ProcessLineDown
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::IdleTimerStop...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::IdleTimerStop
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::Remove...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Found the connection object 4 at index 4
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Removed connection with Id 4 at index 4
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::Remove
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BaseConnectionFactory::ReleaseConnectionId...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BaseConnectionFactory::ReleaseConnectionId
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEClientConnection::~VPNIKEClientConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering RADIUSAccounting::StopInterimAccouting...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving RADIUSAccounting::StopInterimAccouting
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None BaseAAAHelper Instance is getting Deleted
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEClientConnection::~VPNIKEClientConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::~VPNIKEConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::Cleanup...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering VPNIKEConnection::IdleTimerStop...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::IdleTimerStop
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientBFEHandler::~ClientBFEHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientBFEHandler::~ClientBFEHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering BFEHandler::~BFEHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering TrafficSelectors::~TrafficSelectors...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving TrafficSelectors::~TrafficSelectors
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving BFEHandler::~BFEHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv4Helper::~IPv4Helper...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv4Helper::~IPv4Helper
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering IPv6Helper::~IPv6Helper...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving IPv6Helper::~IPv6Helper
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientEAPAuthHandler::~ClientEAPAuthHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering ClientEAPAuthHandler::Cleanup...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientEAPAuthHandler::Cleanup
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving ClientEAPAuthHandler::~ClientEAPAuthHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Entering EAPAuthHandler::~EAPAuthHandler...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving EAPAuthHandler::~EAPAuthHandler
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Deleting IPNotifications instance
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering IPNotifications::~IPNotifications...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering IPNotifications::Cleanup...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving IPNotifications::Cleanup
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving IPNotifications::~IPNotifications
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::Cleanup
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEConnection::~VPNIKEConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Entering BaseConnection::~BaseConnection...
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Leaving BaseConnection::~BaseConnection
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6001 None Signalling the event that the number of connections have reached to zero
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Processing done PROTOCOL_MSG_LineDown for hPort=3. Error:0
Information 14/03/2023 12:32:58 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEProtocolEngine::DispatchMessageA (status: 0).
Information 14/03/2023 12:33:00 Microsoft-Windows-RRAS 6001 None VPNIKE Recevied message PROTOCOL_MSG_GetNewIkeTunnelId
Information 14/03/2023 12:33:00 Microsoft-Windows-RRAS 6001 None Entering BaseConnectionFactory::GenerateConnectionId...
Information 14/03/2023 12:33:00 Microsoft-Windows-RRAS 6001 None Leaving BaseConnectionFactory::GenerateConnectionId (status: 0).
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None VPNIKE Recevied message PROTOCOL_MSG_Start
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None Entering ConnectionTable::GetConnection...
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None Leaving ConnectionTable::GetConnection
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6003 None Entering VPNIKEProtocolEngine::GetRasDeviceParams...
Error 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6002 None RasDeviceGetInfo=603,s=294
Error 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6002 None RasDeviceGetInfo=0,s=294,noParams=3
Error 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6002 None ConnectionId=5,Destination IP=x.xx.xx.xxx
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6003 None Leaving VPNIKEProtocolEngine::GetRasDeviceParams (status: 0).
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None Username: administrator
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None Domain:
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None Un-expected PSK size: 0 received. Ignoring the PSK.
Information 14/03/2023 12:33:08 Microsoft-Windows-RRAS 6001 None CorrelationGuid: {13174144-53AF-0002-6D93-2913AF53D901}
Not really helpful. :(
Maybe this is better.
netsh trace start WFP-IPsec per=yes maxsize=0 filemode=single
the only log entries different from "Information 14/03/2023 16:49:28 0 None" are these
........
Information 14/03/2023 16:49:28 0 None
Information 14/03/2023 16:49:28 Microsoft-Windows-WFP 1013 None IPsec: Main Mode SA Terminated
Information 14/03/2023 16:49:28 0 None
Information 14/03/2023 16:49:28 Microsoft-Windows-WFP 1026 None WFP: User Mode Error
Information 14/03/2023 16:49:28 0 None
Information 14/03/2023 16:49:28 Microsoft-Windows-WFP 1025 None IPsec: Receive ISAKMP Packet
Information 14/03/2023 16:49:28 0 None
Information 14/03/2023 16:49:28 Microsoft-Windows-WFP 1024 None IPsec: Send ISAKMP Packet
Information 14/03/2023 16:49:28 0 None
Information 14/03/2023 16:49:28 Microsoft-Windows-WFP 1023 None IPsec: Negotiation Request Initiated
Information 14/03/2023 16:49:28 0 None
.....
Could you post the details of the entries ...
thanks
Log Name:
Source: Microsoft-Windows-WFP
Date: 14/03/2023 16:49:28
Event ID: 1013
Task Category: None
Level: Information
Keywords: (137438953472)
User: N/A
Computer: PC
Description:
IPsec: Main Mode SA Terminated
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WFP" Guid="{0c478c5b-0351-41b1-8c58-4a6737da32e3}" />
<EventID>1013</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000002000000000</Keywords>
<TimeCreated SystemTime="2023-03-14T15:49:28.8252335Z" />
<EventRecordID>24</EventRecordID>
<Correlation />
<Execution ProcessID="3968" ThreadID="16648" />
<Channel>
</Channel>
<Computer>PC</Computer>
<Security />
</System>
<EventData>
<Data Name="MainModeLocalAddressLength">16</Data>
<Data Name="MainModeLocalAddress">02000000AC140A020000000000000000</Data>
<Data Name="MainModePeerAddressLength">16</Data>
<Data Name="MainModePeerAddress">0200000002271F7C0000000000000000</Data>
<Data Name="KeyingModule">2</Data>
<Data Name="SaLuid">10</Data>
<Data Name="ICookie">16589922534102917378</Data>
<Data Name="RCookie">13349597362303481189</Data>
</EventData>
</Event>
Log Name:
Source: Microsoft-Windows-WFP
Date: 14/03/2023 16:49:28
Event ID: 1026
Task Category: None
Level: Information
Keywords: (549755813888)
User: N/A
Computer: PC
Description:
WFP: User Mode Error
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WFP" Guid="{0c478c5b-0351-41b1-8c58-4a6737da32e3}" />
<EventID>1026</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000008000000000</Keywords>
<TimeCreated SystemTime="2023-03-14T15:49:28.8251107Z" />
<EventRecordID>22</EventRecordID>
<Correlation />
<Execution ProcessID="3968" ThreadID="16648" />
<Channel>
</Channel>
<Computer>PC</Computer>
<Security />
</System>
<EventData>
<Data Name="Function">Peer</Data>
<Data Name="ErrorCode">13868</Data>
</EventData>
</Event>
Log Name:
Source: Microsoft-Windows-WFP
Date: 14/03/2023 16:49:28
Event ID: 1025
Task Category: None
Level: Information
Keywords: (8589934592)
User: N/A
Computer: PC
Description:
IPsec: Receive ISAKMP Packet
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WFP" Guid="{0c478c5b-0351-41b1-8c58-4a6737da32e3}" />
<EventID>1025</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000000200000000</Keywords>
<TimeCreated SystemTime="2023-03-14T15:49:28.8250728Z" />
<EventRecordID>20</EventRecordID>
<Correlation />
<Execution ProcessID="3968" ThreadID="16648" />
<Channel>
</Channel>
<Computer>PC</Computer>
<Security />
</System>
<EventData>
<Data Name="ICookie">02e173c8a53e3be6</Data>
<Data Name="RCookie">65359762124c43b9</Data>
<Data Name="ExchangeType">IKEv2 SA Init Mode</Data>
<Data Name="Length">36</Data>
<Data Name="NextPayload">NOTIFY</Data>
<Data Name="Flags">32</Data>
<Data Name="MessageID">0</Data>
<Data Name="LocalAddress">172.20.10.2</Data>
<Data Name="LocalPort">500</Data>
<Data Name="LocalProtocol">0</Data>
<Data Name="RemoteAddress">2.39.31.124</Data>
<Data Name="RemotePort">500</Data>
<Data Name="RemoteProtocol">0</Data>
<Data Name="InterfaceLuid">19985273102270464</Data>
<Data Name="ProfileId">1</Data>
</EventData>
</Event>
Log Name:
Source: Microsoft-Windows-WFP
Date: 14/03/2023 16:49:28
Event ID: 1024
Task Category: None
Level: Information
Keywords: (4294967296)
User: N/A
Computer: PC
Description:
IPsec: Send ISAKMP Packet
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WFP" Guid="{0c478c5b-0351-41b1-8c58-4a6737da32e3}" />
<EventID>1024</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000000100000000</Keywords>
<TimeCreated SystemTime="2023-03-14T15:49:28.7694548Z" />
<EventRecordID>18</EventRecordID>
<Correlation />
<Execution ProcessID="3968" ThreadID="16648" />
<Channel>
</Channel>
<Computer>PC</Computer>
<Security />
</System>
<EventData>
<Data Name="ICookie">02e173c8a53e3be6</Data>
<Data Name="RCookie">0000000000000000</Data>
<Data Name="ExchangeType">IKEv2 SA Init Mode</Data>
<Data Name="Length">544</Data>
<Data Name="NextPayload">SA</Data>
<Data Name="Flags">8</Data>
<Data Name="MessageID">0</Data>
<Data Name="LocalAddress">172.20.10.2</Data>
<Data Name="LocalPort">500</Data>
<Data Name="LocalProtocol">0</Data>
<Data Name="RemoteAddress">2.39.31.124</Data>
<Data Name="RemotePort">500</Data>
<Data Name="RemoteProtocol">0</Data>
<Data Name="InterfaceLuid">19985273102270464</Data>
</EventData>
</Event>
Log Name:
Source: Microsoft-Windows-WFP
Date: 14/03/2023 16:49:28
Event ID: 1023
Task Category: None
Level: Information
Keywords: (4294967296)
User: N/A
Computer: PC
Description:
IPsec: Negotiation Request Initiated
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WFP" Guid="{0c478c5b-0351-41b1-8c58-4a6737da32e3}" />
<EventID>1023</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000000100000000</Keywords>
<TimeCreated SystemTime="2023-03-14T15:49:28.7611708Z" />
<EventRecordID>16</EventRecordID>
<Correlation />
<Execution ProcessID="3968" ThreadID="14960" />
<Channel>
</Channel>
<Computer>PC</Computer>
<Security />
</System>
<EventData>
<Data Name="KeyingModule">IKEv2</Data>
<Data Name="AcquireContext">31</Data>
<Data Name="LocalAddressLength">16</Data>
<Data Name="LocalAddress">02000000AC140A020000000000000000</Data>
<Data Name="RemoteAddressLength">16</Data>
<Data Name="RemoteAddress">0200000002271F7C0000000000000000</Data>
<Data Name="Mode">Tunnel Mode</Data>
<Data Name="FilterId">9223372036854789942</Data>
<Data Name="IPProtocol">0</Data>
<Data Name="InterfaceLuid">19985273102270464</Data>
<Data Name="ProfileId">0</Data>
<Data Name="LocalUdpEncapPort">0</Data>
<Data Name="RemoteUdpEncapPort">0</Data>
<Data Name="MMTargetName">vpn.vmforbusiness.com</Data>
<Data Name="EMTargetName">NULL</Data>
<Data Name="NumTokens">0</Data>
<Data Name="Token1Type">NULL</Data>
<Data Name="Token1Principal">NULL</Data>
<Data Name="Token1Mode">NULL</Data>
<Data Name="Token1">0</Data>
<Data Name="Token2Type">NULL</Data>
<Data Name="Token2Principal">NULL</Data>
<Data Name="Token2Mode">NULL</Data>
<Data Name="Token2">0</Data>
<Data Name="Token3Type">NULL</Data>
<Data Name="Token3Principal">NULL</Data>
<Data Name="Token3Mode">NULL</Data>
<Data Name="Token3">0</Data>
<Data Name="Token4Type">NULL</Data>
<Data Name="Token4Principal">NULL</Data>
<Data Name="Token4Mode">NULL</Data>
<Data Name="Token4">0</Data>
<Data Name="VirtualIfTunnelId">8</Data>
<Data Name="TrafficSelectorId">1</Data>
<Data Name="Flags">24</Data>
<Data Name="RekeySPI">0</Data>
<Data Name="OrigVirtualIfTunnelId">0</Data>
<Data Name="PacketLocalAddressLength">0</Data>
<Data Name="PacketLocalAddress">
</Data>
<Data Name="PacketRemoteAddressLength">0</Data>
<Data Name="PacketRemoteAddress">
</Data>
<Data Name="PacketIPProtocol">0</Data>
<Data Name="PacketInterfaceLuid">0</Data>
<Data Name="PacketProfileId">0</Data>
</EventData>
</Event>
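The five records above are hard to read as raw XML. Added example (not code from the thread and not a Microsoft tool): a stdlib Python script that reads an Event Viewer XML export, decodes the hex SOCKADDR blobs of event 1013 into the addresses that event 1025 already shows in clear, and names the ErrorCode of event 1026 from a small excerpt of the ERROR_IPSEC_IKE_* codes in winerror.h. The sample XML is a constructed, trimmed copy of the records posted above. Read next to the charon log further down the thread, the 544-byte SA_INIT the client sends (event 1024) and the 36-byte reply whose first payload is NOTIFY (event 1025) are the request and the N(NO_PROP) response the server logs.

```python
"""Decode exported Microsoft-Windows-WFP IPsec events (IDs 1013/1024/1025/1026).

Added example, not code from the thread: it reads Event Viewer XML exports
like the ones posted above, turns the hex SOCKADDR blobs into addresses and
names the ErrorCode of event 1026 from a winerror.h excerpt.
"""
import socket
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Excerpt of the ERROR_IPSEC_IKE_* negotiation status codes from winerror.h.
IKE_ERRORS = {
    13801: "ERROR_IPSEC_IKE_AUTH_FAIL",
    13806: "ERROR_IPSEC_IKE_NO_CERT",
    13868: "ERROR_IPSEC_IKE_POLICY_MATCH",
}

# Constructed sample: the 1024, 1025, 1026 and 1013 records posted above,
# trimmed to the fields this script uses and wrapped in one root element.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1024</EventID></System>
  <EventData>
    <Data Name="ExchangeType">IKEv2 SA Init Mode</Data>
    <Data Name="Length">544</Data>
    <Data Name="NextPayload">SA</Data>
    <Data Name="LocalAddress">172.20.10.2</Data>
    <Data Name="RemoteAddress">2.39.31.124</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1025</EventID></System>
  <EventData>
    <Data Name="ExchangeType">IKEv2 SA Init Mode</Data>
    <Data Name="Length">36</Data>
    <Data Name="NextPayload">NOTIFY</Data>
    <Data Name="LocalAddress">172.20.10.2</Data>
    <Data Name="RemoteAddress">2.39.31.124</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1026</EventID></System>
  <EventData>
    <Data Name="Function">Peer</Data>
    <Data Name="ErrorCode">13868</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1013</EventID></System>
  <EventData>
    <Data Name="MainModeLocalAddress">02000000AC140A020000000000000000</Data>
    <Data Name="MainModePeerAddress">0200000002271F7C0000000000000000</Data>
  </EventData>
</Event>
</Events>"""


def decode_sockaddr(hexstr):
    """Decode the 16-byte SOCKADDR_IN blob WFP logs into (dotted IPv4, port)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]   # host order; Windows AF_INET == 2
    if family != 2 or len(raw) < 8:
        raise ValueError("only AF_INET SOCKADDR blobs are handled here")
    port = struct.unpack("!H", raw[2:4])[0]    # network order
    return socket.inet_ntoa(raw[4:8]), port


def event_data(event):
    """Flatten the <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "").strip()
            for d in event.findall("e:EventData/e:Data", NS)}


def summarize(xml_text):
    """One human-readable line per event, in file order."""
    lines = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        d = event_data(ev)
        if eid in (1024, 1025):
            verb = "sent" if eid == 1024 else "received"
            lines.append(f"{verb} {d['ExchangeType']}, {d['Length']} bytes, "
                         f"first payload {d['NextPayload']}, "
                         f"{d['LocalAddress']} <-> {d['RemoteAddress']}")
        elif eid == 1026:
            code = int(d["ErrorCode"])
            lines.append(f"user-mode error in {d['Function']}: {code} "
                         f"{IKE_ERRORS.get(code, 'not in table')}")
        elif eid == 1013:
            local, _ = decode_sockaddr(d["MainModeLocalAddress"])
            peer, _ = decode_sockaddr(d["MainModePeerAddress"])
            lines.append(f"IKE SA terminated: {local} -> {peer}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The SOCKADDR blob is family (2 bytes, host order), port (2 bytes, network order), then the IPv4 address; the trailing zeros are the sockaddr_in padding. An export from a real machine is pasted in unchanged as the argument to summarize().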
Could you please post "Signature Algorithm" and "X509v3 extensions" ( System -> Trust -> Certificates ) of your server certificate.
And your ipsec.log beginning with "received packet: from "
Signature Algorithm: sha256WithRSAEncryption
2023-03-15T06:24:39 Informational charon 05[NET] sending packet: from 192.168.10.200[500] to 93.66.66.180[8899] (36 bytes)
2023-03-15T06:24:39 Informational charon 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2023-03-15T06:24:39 Informational charon 05[IKE] no IKE config found for 192.168.10.200...93.66.66.180, sending NO_PROPOSAL_CHOSEN
2023-03-15T06:24:39 Informational charon 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
2023-03-15T06:24:39 Informational charon 05[NET] received packet: from 93.66.66.180[8899] to 192.168.10.200[500] (544 bytes)
thanks
Can you do a tcpdump on the console ?
tcpdump -vvni <wan interface> host 192.168.10.200 and host 93.66.66.180
... and please: "X509v3 extensions" ( System -> Trust -> Certificates ) of your server certificate.
the source IP address has changed: 109.118.89.166
root@vpn:~ # tcpdump -vvni vmx2 host 192.168.10.200 and host 109.118.89.166
tcpdump: listening on vmx2, link-type EN10MB (Ethernet), capture size 262144 bytes
15:51:15.293532 IP (tos 0x0, ttl 112, id 13393, offset 0, flags , proto TCP (6), length 52)
109.118.89.166.54068 > 192.168.10.200.443: Flags , cksum 0xac59 (correct), seq 3188826739, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
15:51:15.293849 IP (tos 0x0, ttl 63, id 0, offset 0, flags , proto TCP (6), length 52)
192.168.10.200.443 > 109.118.89.166.54068: Flags [S.], cksum 0x533d (correct), seq 3068371436, ack 3188826740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:51:15.329029 IP (tos 0x0, ttl 112, id 13394, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0x8cfe (correct), seq 1, ack 1, win 514, length 0
15:51:15.340584 IP (tos 0x0, ttl 111, id 0, offset 0, flags , proto TCP (6), length 557)
109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0xf1ca (correct), seq 1:518, ack 1, win 40960, length 517
15:51:15.340971 IP (tos 0x0, ttl 63, id 30058, offset 0, flags , proto TCP (6), length 40)
192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x8b06 (correct), seq 1, ack 518, win 501, length 0
15:51:15.342638 IP (tos 0x0, ttl 63, id 30059, offset 0, flags , proto TCP (6), length 1440)
192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x0916 (correct), seq 1:1401, ack 518, win 501, length 1400
15:51:15.342649 IP (tos 0x0, ttl 63, id 30060, offset 0, flags , proto TCP (6), length 1440)
192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x8ff0 (correct), seq 1401:2801, ack 518, win 501, length 1400
15:51:15.342689 IP (tos 0x0, ttl 63, id 30061, offset 0, flags , proto TCP (6), length 565)
192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0xbe55 (correct), seq 2801:3326, ack 518, win 501, length 525
15:51:15.352065 IP (tos 0x0, ttl 113, id 1, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe788 (correct), seq 518, ack 1401, win 40954, length 0
15:51:15.352082 IP (tos 0x0, ttl 113, id 2, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe215 (correct), seq 518, ack 2801, win 40949, length 0
15:51:15.352093 IP (tos 0x0, ttl 113, id 3, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe00a (correct), seq 518, ack 3326, win 40947, length 0
15:51:15.376622 IP (tos 0x0, ttl 113, id 4, offset 0, flags , proto TCP (6), length 120)
109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0xef32 (correct), seq 518:598, ack 3326, win 40960, length 80
15:51:15.377067 IP (tos 0x0, ttl 63, id 30062, offset 0, flags , proto TCP (6), length 311)
192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x3914 (correct), seq 3326:3597, ack 598, win 501, length 271
15:51:15.377116 IP (tos 0x0, ttl 63, id 30063, offset 0, flags , proto TCP (6), length 311)
192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0xe82e (correct), seq 3597:3868, ack 598, win 501, length 271
15:51:15.385521 IP (tos 0x0, ttl 113, id 5, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xdd92 (correct), seq 598, ack 3868, win 40957, length 0
15:51:15.405329 IP (tos 0x0, ttl 113, id 6, offset 0, flags , proto TCP (6), length 985)
109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0x7ca7 (correct), seq 598:1543, ack 3868, win 40957, length 945
15:51:15.435464 IP (tos 0x0, ttl 63, id 30064, offset 0, flags , proto TCP (6), length 1033)
192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x67d4 (correct), seq 3868:4861, ack 1543, win 501, length 993
15:51:15.444194 IP (tos 0x0, ttl 113, id 7, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd603 (correct), seq 1543, ack 4861, win 40954, length 0
15:51:20.440757 IP (tos 0x0, ttl 63, id 30065, offset 0, flags , proto TCP (6), length 64)
192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x50c1 (correct), seq 4861:4885, ack 1543, win 501, length 24
15:51:20.440774 IP (tos 0x0, ttl 63, id 30066, offset 0, flags , proto TCP (6), length 40)
192.168.10.200.443 > 109.118.89.166.54068: Flags [F.], cksum 0x73f0 (correct), seq 4885, ack 1543, win 501, length 0
15:51:20.449260 IP (tos 0x0, ttl 113, id 8, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd5e6 (correct), seq 1543, ack 4885, win 40959, length 0
15:51:20.450394 IP (tos 0x0, ttl 113, id 9, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd5e5 (correct), seq 1543, ack 4886, win 40959, length 0
15:51:20.563285 IP (tos 0x0, ttl 113, id 10, offset 0, flags , proto TCP (6), length 40)
109.118.89.166.54068 > 192.168.10.200.443: Flags [F.], cksum 0xd5e3 (correct), seq 1543, ack 4886, win 40960, length 0
15:51:20.563576 IP (tos 0x0, ttl 63, id 30067, offset 0, flags , proto TCP (6), length 40)
192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x73ef (correct), seq 4886, ack 1544, win 501, length 0
15:51:21.988990 IP (tos 0x0, ttl 114, id 13404, offset 0, flags , proto UDP (17), length 572)
109.118.89.166.54073 > 192.168.10.200.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie c924710918dcbb12->0000000000000000: parent_sa ikev2_init:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0100))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=modp2048 )))
(v2ke: len=256 group=modp2048)
(nonce: len=48 nonce=(8759fa55a28df7a94de649308fb9b2680e99a96380ab070f95d4604150f2ce66c7fdabf3a335eca34a76843b25d68177) )
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(v2vid: len=20 vid=.+Qi...}|......a....)
(v2vid: len=16 vid=.....A.......U. )
(v2vid: len=16 vid=&$M8..a..*6.....)
(v2vid: len=20 vid=.R.......I...[*Q....)
15:51:21.990034 IP (tos 0x0, ttl 64, id 60996, offset 0, flags , proto UDP (17), length 64)
192.168.10.200.500 > 109.118.89.166.54073: [udp sum ok] isakmp 2.0 msgid 00000000 cookie c924710918dcbb12->97483448dff7c2dd: parent_sa ikev2_init:
(n: prot_id=#0 type=14(no_protocol_chosen)
Quote from: atom on March 15, 2023, 02:32:52 PM
... and please: "X509v3 extensions" ( System -> Trust -> Certificates ) of your server certificate.
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OPNsense Generated Server Certificate
X509v3 Subject Key Identifier:
81:B2:C1:F6:F7:33:5E:A0:1D:B5:10:1D:74:20:6D:75:A5:65:4A:99
X509v3 Authority Key Identifier:
keyid:DC:52:85:D6:C4:AB:A9:31:C5:D3:6B:F0:08:28:97:74:BC:6B:AF:22
DirName:/C=IT/ST=MI/L=xxxxxxx/O=VM4B/emailAddress=adm@xxxxxxx.com/CN=vpn.mydomain.com
serial:00
I'll say that in your certificate the SAN-DNS entry is missing. This is mine.
X509v3 Subject Alternative Name:
DNS:vpn.mydomain.com
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
Could you please post
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
only to check if this is really 0.0.0.0/0
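Added example (not code from either poster): a stdlib Python check that parses the "X509v3 extensions:" block exactly as it is pasted in this thread, with or without indentation, and reports whether the SAN DNS entry matches the FQDN the client dials (vpn.mydomain.com here) and whether the EKU carries TLS Web Server Authentication and 1.3.6.1.5.5.8.2.2, the two items atom compared. Both inputs are constructed from the dumps in this thread.

```python
"""Check the X509v3 extensions of an IKEv2 server certificate.

Added example, not code from the thread. It parses the "X509v3 extensions:"
block as openssl / OPNsense print it and applies the checks the posters
compared by hand: a SAN DNS entry equal to the FQDN the client dials, and an
EKU carrying TLS Web Server Authentication plus 1.3.6.1.5.5.8.2.2.
"""
import re

IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"
HEADER_RE = re.compile(r"^(X509v3 [^:]+|Netscape [^:]+):\s*(critical)?\s*$")


def parse_extensions(text):
    """Return {extension name: [value lines]}; indentation is not relied on,
    because forum posts and copy/paste usually lose it."""
    exts, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "X509v3 extensions:":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("Signature Algorithm:"):   # end of the block in -text output
            break
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            exts[current] = []
        elif current is not None and line:
            exts[current].append(line)
    return exts


def _values(exts, name):
    """Comma-separated values of one extension, stripped."""
    return [v.strip() for line in exts.get(name, []) for v in line.split(",")]


def check_server_cert(text, fqdn):
    """Findings for a responder certificate; an empty list means the
    extensions carry everything the two dumps in this thread were compared on."""
    exts = parse_extensions(text)
    findings = []
    sans = _values(exts, "X509v3 Subject Alternative Name")
    if f"DNS:{fqdn}" not in sans:
        findings.append(f"no SAN DNS entry for {fqdn} (found: {sans or 'none'})")
    eku = _values(exts, "X509v3 Extended Key Usage")
    if "TLS Web Server Authentication" not in eku:
        findings.append("EKU lacks TLS Web Server Authentication (serverAuth)")
    if IKE_INTERMEDIATE_OID not in eku:
        findings.append(f"EKU lacks {IKE_INTERMEDIATE_OID} (IKE Intermediate)")
    if "CA:FALSE" not in exts.get("X509v3 Basic Constraints", []):
        findings.append("Basic Constraints is not CA:FALSE")
    ku = _values(exts, "X509v3 Key Usage")
    if ku and "Digital Signature" not in ku:
        findings.append("Key Usage present but lacks Digital Signature")
    return findings


# Constructed from the first dump in the thread (no SAN, no EKU shown).
INCOMPLETE = """X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OPNsense Generated Server Certificate
    X509v3 Subject Key Identifier:
        81:B2:C1:F6:F7:33:5E:A0:1D:B5:10:1D:74:20:6D:75:A5:65:4A:99
    X509v3 Authority Key Identifier:
        keyid:DC:52:85:D6:C4:AB:A9:31:C5:D3:6B:F0:08:28:97:74:BC:6B:AF:22
        DirName:/C=IT/ST=MI/L=xxxxxxx/O=VM4B/emailAddress=adm@xxxxxxx.com/CN=vpn.mydomain.com
        serial:00
"""

# Constructed from the second, complete dump.
COMPLETE = INCOMPLETE + """    X509v3 Extended Key Usage:
        TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
    X509v3 Subject Alternative Name:
        DNS:vpn.mydomain.com
"""

if __name__ == "__main__":
    for label, dump in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(label, check_server_cert(dump, "vpn.mydomain.com") or "OK")
```

Run it against the output of openssl x509 -text -noout on the exported server certificate; the FQDN argument must be the exact name given to Add-VpnConnection -ServerAddress, since that is the name the client compares against the SAN.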
Folks, "no proposal chosen" means there's a mismatch with your P1 settings. Under VPN/IPSec/Advanced Settings, bump up "Configuration management and plugins" logging to control instead of audit. Try to connect and check logs. You should see entries like this, showing what the client tried to use versus what the server can support. If there's success it will tell you what proposal was selected. Otherwise, it will give you "no proposal chosen" error.
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
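As an added example (not miken32's code and not part of strongSwan), the two CFG lines above fed to a small Python parser that reproduces the daemon's choice and, when nothing matches, lists the algorithms the client offered that no configured proposal contains. It assumes one algorithm per transform type in each proposal, as in these log lines, and the default charon.prefer_configured_proposals behaviour. One caveat for this thread: the log lines posted here say "no IKE config found for ..." before NO_PROPOSAL_CHOSEN, so charon had no connection matching the peer addresses at all; the proposal comparison only starts once a matching connection has been loaded.

```python
"""Compare the proposals charon logged for an IKE_SA_INIT.

Added example, not code from the thread. It parses the "[CFG] ... proposals:"
lines shown in the post above and explains a NO_PROPOSAL_CHOSEN the way the
daemon decides it. Assumption: one algorithm per transform type in each
proposal, as in those log lines.
"""
import re

PROPOSAL_RE = re.compile(r"\b(received|configured|selected) proposals?: (.+)$")


def parse_proposals(field):
    """'IKE:A/B/C/D, IKE:E/F/G/H' -> [('IKE', ('A','B','C','D')), ...]"""
    proposals = []
    for item in field.split(", "):
        proto, _, algs = item.partition(":")
        proposals.append((proto, tuple(algs.split("/"))))
    return proposals


def format_proposal(proposal):
    proto, algs = proposal
    return f"{proto}:{'/'.join(algs)}"


def analyse(log_lines):
    """Return {'selected': str or None,
               'unmatched': [algorithms the peer offered that no configured
                             proposal contains]}."""
    received, configured = [], []
    for line in log_lines:
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        kind, field = m.groups()
        if kind == "received":
            received = parse_proposals(field)
        elif kind == "configured":
            configured = parse_proposals(field)
    # With the default charon.prefer_configured_proposals=yes the daemon walks
    # its own list in order and takes the first proposal the peer also sent.
    for proposal in configured:
        if proposal in received:
            return {"selected": format_proposal(proposal), "unmatched": []}
    known = {alg for _, algs in configured for alg in algs}
    unmatched = sorted({alg for _, algs in received for alg in algs if alg not in known})
    return {"selected": None, "unmatched": unmatched}


# Copied from the post above: the Windows client offered two proposals and
# the second configured one matched.
MATCH_LOG = [
    "2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256",
    "2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
]

# Constructed: the same client offer against a server limited to SHA-512 and
# DH group 16, which is what a real proposal mismatch looks like.
MISMATCH_LOG = [
    MATCH_LOG[0],
    "2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096",
]

if __name__ == "__main__":
    print(analyse(MATCH_LOG))
    print(analyse(MISMATCH_LOG))
```

The unmatched list is the actionable part: in the constructed mismatch it names HMAC_SHA2_256_128, PRF_HMAC_SHA2_256, MODP_2048 and ECP_256, i.e. the Phase 1 hash and DH group the client insists on and the server does not offer.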
Quote from: atom on March 15, 2023, 04:53:27 PM
I'll say that in your certificate the SAN-DNS entry is missing. This is mine.
X509v3 Subject Alternative Name:
DNS:vpn.mydomain.com
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
Could you please post
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
only to check if this is really 0.0.0.0/0
You are right, I did not report part of the server certificate. It looks like yours:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OPNsense Generated Server Certificate
X509v3 Subject Key Identifier:
81:B2:C1:F6:F7:33:5E:A0:1D:B5:10:1D:74:20:6D:75:A5:65:4A:99
X509v3 Authority Key Identifier:
keyid:DC:52:85:D6:C4:AB:A9:31:C5:D3:6B:F0:08:28:97:74:BC:6B:AF:22
DirName:/C=IT/ST=MI/L=xxxxxxx/O=VM4B/emailAddress=adm@xxxxxxx.com/CN=vpn.mydomain.com
serial:00
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:vpn.mydomain.com
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
# local_ts = dynamic
all the lines of the swanctl.conf file are commented out with #
thanks
Quote from: miken32 on March 16, 2023, 03:52:12 AM
Folks, "no proposal chosen" means there's a mismatch with your P1 settings. Under VPN/IPSec/Advanced Settings, bump up "Configuration management and plugins" logging to control instead of audit. Try to connect and check logs. You should see entries like this, showing what the client tried to use versus what the server can support. If there's success it will tell you what proposal was selected. Otherwise, it will give you "no proposal chosen" error.
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Configuration management and plugins set to Highest, restarted OPNsense (after the restart strongSwan is always down and I need to start it manually from the shell), but the logs are the same
2023-03-16T08:01:07 Informational charon 16[NET] sending packet: from 192.168.10.200[500] to 5.90.77.85[43832] (36 bytes)
2023-03-16T08:01:07 Informational charon 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2023-03-16T08:01:07 Informational charon 16[IKE] no IKE config found for 192.168.10.200...5.90.77.85, sending NO_PROPOSAL_CHOSEN
2023-03-16T08:01:07 Informational charon 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
2023-03-16T08:01:07 Informational charon 16[NET] received packet: from 5.90.77.85[43832] to 192.168.10.200[500] (544 bytes)
2023-03-16T08:00:47 Informational charon 00[JOB] spawning 16 worker threads
2023-03-16T08:00:47 Informational charon 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2023-03-16T08:00:47 Informational charon 00[CFG] loaded 0 RADIUS server configurations
2023-03-16T08:00:47 Informational charon 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2023-03-16T08:00:47 Informational charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2023-03-16T08:00:47 Informational charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2023-03-16T08:00:47 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[CFG] using '/sbin/resolvconf' to install DNS servers
2023-03-16T08:00:47 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64)
this is /usr/local/etc/swanctl/swanctl.conf, but is it correct that all the lines are commented out (the included conf.d/ dir is empty)??
# cat /usr/local/etc/swanctl/swanctl.conf
# Section defining IKE connection configurations.
# connections {
# Section for an IKE connection named <conn>.
# <conn> {
# IKE major version to use for connection.
# version = 0
# Local address(es) to use for IKE communication, comma separated.
# local_addrs = %any
# Remote address(es) to use for IKE communication, comma separated.
# remote_addrs = %any
# Local UDP port for IKE communication.
# local_port = 500
# Remote UDP port for IKE communication.
# remote_port = 500
# Comma separated proposals to accept for IKE.
# proposals = default
# Virtual IPs to request in configuration payload / Mode Config.
# vips =
# Use Aggressive Mode in IKEv1.
# aggressive = no
# Set the Mode Config mode to use.
# pull = yes
# Differentiated Services Field Codepoint to set on outgoing IKE packets
# (six binary digits).
# dscp = 000000
# Enforce UDP encapsulation by faking NAT-D payloads.
# encap = no
# Enables MOBIKE on IKEv2 connections.
# mobike = yes
# Interval of liveness checks (DPD).
# dpd_delay = 0s
# Timeout for DPD checks (IKEV1 only).
# dpd_timeout = 0s
# Use IKE UDP datagram fragmentation (yes, accept, no or force).
# fragmentation = yes
# Use childless IKE_SA initiation (allow, prefer, force or never).
# childless = allow
# Send certificate requests payloads (yes or no).
# send_certreq = yes
# Send certificate payloads (always, never or ifasked).
# send_cert = ifasked
# String identifying the Postquantum Preshared Key (PPK) to be used.
# ppk_id =
# Whether a Postquantum Preshared Key (PPK) is required for this
# connection.
# ppk_required = no
# Number of retransmission sequences to perform during initial connect.
# keyingtries = 1
# Connection uniqueness policy (never, no, keep or replace).
# unique = no
# Time to schedule IKE reauthentication.
# reauth_time = 0s
# Time to schedule IKE rekeying.
# rekey_time = 4h
# Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
# over_time = 10% of rekey_time/reauth_time
# Range of random time to subtract from rekey/reauth times.
# rand_time = over_time
# Comma separated list of named IP pools.
# pools =
# Default inbound XFRM interface ID for children.
# if_id_in = 0
# Default outbound XFRM interface ID for children.
# if_id_out = 0
# Whether this connection is a mediation connection.
# mediation = no
# The name of the connection to mediate this connection through.
# mediated_by =
# Identity under which the peer is registered at the mediation server.
# mediation_peer =
# Section for a local authentication round.
# local<suffix> {
# Optional numeric identifier by which authentication rounds are
# sorted. If not specified rounds are ordered by their position in
# the config file/VICI message.
# round = 0
# Comma separated list of certificate candidates to use for
# authentication.
# certs =
# Section for a certificate candidate to use for authentication.
# cert<suffix> =
# Comma separated list of raw public key candidates to use for
# authentication.
# pubkeys =
# Authentication to perform locally (pubkey, psk, xauth[-backend] or
# eap[-method]).
# auth = pubkey
# IKE identity to use for authentication round.
# id =
# Client EAP-Identity to use in EAP-Identity exchange and the EAP
# method.
# eap_id = id
# Server side EAP-Identity to expect in the EAP method.
# aaa_id = remote-id
# Client XAuth username used in the XAuth exchange.
# xauth_id = id
# cert<suffix> {
# Absolute path to the certificate to load.
# file =
# Hex-encoded CKA_ID of the certificate on a token.
# handle =
# Optional slot number of the token that stores the certificate.
# slot =
# Optional PKCS#11 module name.
# module =
# }
# }
# Section for a remote authentication round.
# remote<suffix> {
# Optional numeric identifier by which authentication rounds are
# sorted. If not specified rounds are ordered by their position in
# the config file/VICI message.
# round = 0
# IKE identity to expect for authentication round.
# id = %any
# Identity to use as peer identity during EAP authentication.
# eap_id = id
# Authorization group memberships to require.
# groups =
# Certificate policy OIDs the peer's certificate must have.
# cert_policy =
# Comma separated list of certificate to accept for authentication.
# certs =
# Section for a certificate to accept for authentication.
# cert<suffix> =
# Comma separated list of CA certificates to accept for
# authentication.
# cacerts =
# Section for a CA certificate to accept for authentication.
# cacert<suffix> =
# Identity in CA certificate to accept for authentication.
# ca_id =
# Comma separated list of raw public keys to accept for
# authentication.
# pubkeys =
# Certificate revocation policy, (strict, ifuri or relaxed).
# revocation = relaxed
# Authentication to expect from remote (pubkey, psk, xauth[-backend]
# or eap[-method]).
# auth = pubkey
# cert<suffix> {
# Absolute path to the certificate to load.
# file =
# Hex-encoded CKA_ID of the certificate on a token.
# handle =
# Optional slot number of the token that stores the certificate.
# slot =
# Optional PKCS#11 module name.
# module =
# }
# cacert<suffix> {
# Absolute path to the certificate to load.
# file =
# Hex-encoded CKA_ID of the CA certificate on a token.
# handle =
# Optional slot number of the token that stores the CA
# certificate.
# slot =
# Optional PKCS#11 module name.
# module =
# }
# }
# children {
# CHILD_SA configuration sub-section.
# <child> {
# AH proposals to offer for the CHILD_SA.
# ah_proposals =
# ESP proposals to offer for the CHILD_SA.
# esp_proposals = default
# Use incorrect 96-bit truncation for HMAC-SHA-256.
# sha256_96 = no
# Local traffic selectors to include in CHILD_SA.
# local_ts = dynamic
# Remote selectors to include in CHILD_SA.
# remote_ts = dynamic
# Time to schedule CHILD_SA rekeying.
# rekey_time = 1h
# Maximum lifetime before CHILD_SA gets closed, as time.
# life_time = rekey_time + 10%
# Range of random time to subtract from rekey_time.
# rand_time = life_time - rekey_time
# Number of bytes processed before initiating CHILD_SA rekeying.
# rekey_bytes = 0
# Maximum bytes processed before CHILD_SA gets closed.
# life_bytes = rekey_bytes + 10%
# Range of random bytes to subtract from rekey_bytes.
# rand_bytes = life_bytes - rekey_bytes
# Number of packets processed before initiating CHILD_SA
# rekeying.
# rekey_packets = 0
# Maximum number of packets processed before CHILD_SA gets
# closed.
# life_packets = rekey_packets + 10%
# Range of random packets to subtract from packets_bytes.
# rand_packets = life_packets - rekey_packets
# Updown script to invoke on CHILD_SA up and down events.
# updown =
# Hostaccess variable to pass to updown script.
# hostaccess = no
# IPsec Mode to establish (tunnel, transport, transport_proxy,
# beet, pass or drop).
# mode = tunnel
# Whether to install IPsec policies or not.
# policies = yes
# Whether to install outbound FWD IPsec policies or not.
# policies_fwd_out = no
# Action to perform on DPD timeout (clear, trap or restart).
# dpd_action = clear
# Enable IPComp compression before encryption.
# ipcomp = no
# Timeout before closing CHILD_SA after inactivity.
# inactivity = 0s
# Fixed reqid to use for this CHILD_SA.
# reqid = 0
# Optional fixed priority for IPsec policies.
# priority = 0
# Optional interface name to restrict IPsec policies.
# interface =
# Netfilter mark and mask for input traffic.
# mark_in = 0/0x00000000
# Whether to set *mark_in* on the inbound SA.
# mark_in_sa = no
# Netfilter mark and mask for output traffic.
# mark_out = 0/0x00000000
# Netfilter mark applied to packets after the inbound IPsec SA
# processed them.
# set_mark_in = 0/0x00000000
# Netfilter mark applied to packets after the outbound IPsec SA
# processed them.
# set_mark_out = 0/0x00000000
# Inbound XFRM interface ID (32-bit unsigned integer).
# if_id_in = 0
# Outbound XFRM interface ID (32-bit unsigned integer).
# if_id_out = 0
# Optional security label (e.g. SELinux context), IKEv2 only.
# Refer to label_mode for details on how labels are processed.
# label =
# Security label mode (system, simple or selinux), IKEv2 only.
# label_mode = system
# Traffic Flow Confidentiality padding.
# tfc_padding = 0
# IPsec replay window to configure for this CHILD_SA.
# replay_window = 32
# Enable hardware offload for this CHILD_SA, if supported by the
# IPsec implementation.
# hw_offload = no
# Whether to copy the DF bit to the outer IPv4 header in tunnel
# mode.
# copy_df = yes
# Whether to copy the ECN header field to/from the outer IP
# header in tunnel mode.
# copy_ecn = yes
# Whether to copy the DSCP header field to/from the outer IP
# header in tunnel mode.
# copy_dscp = out
# Action to perform after loading the configuration (none, trap,
# start).
# start_action = none
# Action to perform after a CHILD_SA gets closed (none, trap,
# start).
# close_action = none
# }
# }
# }
# }
# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {
# EAP secret section for a specific secret.
# eap<suffix> {
# Value of the EAP/XAuth secret.
# secret =
# Identity the EAP/XAuth secret belongs to.
# id<suffix> =
# }
# XAuth secret section for a specific secret.
# xauth<suffix> {
# }
# NTLM secret section for a specific secret.
# ntlm<suffix> {
# Value of the NTLM secret.
# secret =
# Identity the NTLM secret belongs to.
# id<suffix> =
# }
# IKE preshared secret section for a specific secret.
# ike<suffix> {
# Value of the IKE preshared secret.
# secret =
# IKE identity the IKE preshared secret belongs to.
# id<suffix> =
# }
# Postquantum Preshared Key (PPK) section for a specific secret.
# ppk<suffix> {
# Value of the PPK.
# secret =
# PPK identity the PPK belongs to.
# id<suffix> =
# }
# Private key decryption passphrase for a key in the private folder.
# private<suffix> {
# File name in the private folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for private key.
# secret =
# }
# Private key decryption passphrase for a key in the rsa folder.
# rsa<suffix> {
# File name in the rsa folder for which this passphrase should be used.
# file =
# Value of decryption passphrase for RSA key.
# secret =
# }
# Private key decryption passphrase for a key in the ecdsa folder.
# ecdsa<suffix> {
# File name in the ecdsa folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for ECDSA key.
# secret =
# }
# Private key decryption passphrase for a key in the pkcs8 folder.
# pkcs8<suffix> {
# File name in the pkcs8 folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for PKCS#8 key.
# secret =
# }
# PKCS#12 decryption passphrase for a container in the pkcs12 folder.
# pkcs12<suffix> {
# File name in the pkcs12 folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for PKCS#12 container.
# secret =
# }
# Definition for a private key that's stored on a token/smartcard.
# token<suffix> {
# Hex-encoded CKA_ID of the private key on the token.
# handle =
# Optional slot number to access the token.
# slot =
# Optional PKCS#11 module name to access the token.
# module =
# Optional PIN required to access the key on the token. If none is
# provided the user is prompted during an interactive --load-creds call.
# pin =
# }
# }
# Section defining named pools.
# pools {
# Section defining a single pool with a unique name.
# <name> {
# Addresses allocated in pool.
# addrs =
# Comma separated list of additional attributes from type <attr>.
# <attr> =
# }
# }
# Section defining attributes of certification authorities.
# authorities {
# Section defining a certification authority with a unique name.
# <name> {
# CA certificate belonging to the certification authority.
# cacert =
# Absolute path to the certificate to load.
# file =
# Hex-encoded CKA_ID of the CA certificate on a token.
# handle =
# Optional slot number of the token that stores the CA certificate.
# slot =
# Optional PKCS#11 module name.
# module =
# Comma-separated list of CRL distribution points.
# crl_uris =
# Comma-separated list of OCSP URIs.
# ocsp_uris =
# Defines the base URI for the Hash and URL feature supported by IKEv2.
# cert_uri_base =
# }
# }
# Include config snippets
include conf.d/*.conf
thanks
Did you also check the "Enable IPsec" box? (VPN: IPsec: Tunnel Settings)
Sure... I've done more checks and it appears that the web interface configuration is not written to the config file.
I have added the local user in the authentication and added a Pre-Shared Key, but the file /usr/local/etc/ipsec.secrets is empty.
If I run ipsec statusall, the configuration and the cert are not reported:
Status of IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64):
uptime: 2 hours, since Mar 16 08:00:46 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
192.168.1.1
172.16.10.1
192.168.10.200
192.168.120.1
Connections:
Security Associations (0 up, 0 connecting):
none
The result of the command must be something like this:
Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 12.3-STABLE, amd64):
uptime: 7 days, since Mar 08 16:17:33 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon eap-radius unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
192.168.1.1
172.16.10.2
192.168.10.200
192.168.120.1
Connections:
bypass: %any...127.0.0.1 IKEv1/2
bypass: local: uses any authentication
bypass: remote: uses any authentication
bypasslan: child: 172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
con-mobile: 192.168.10.200...0.0.0.0/0, ::/0 IKEv2, dpddelay=10s
con-mobile: local: [vpn.mydomain.com] uses public key authentication
con-mobile: cert: "C=IT, ST=Italia, L=Nova Milanese, O=VM srl, E=admin@xxxxxxxxx.com, CN=office.xxxxxxxxx.com"
con-mobile: remote: [%any] uses EAP_RADIUS authentication with EAP identity '%any'
con-mobile: child: 172.16.10.0/24|/0 === dynamic TUNNEL, dpdaction=clear
Shunted Connections:
bypasslan: 172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
Security Associations (0 up, 0 connecting):
none
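As an added example (not code from the thread, from OPNsense or from strongSwan), a small Python check that parses the "Connections:" section of `ipsec statusall` output and reports whether the road-warrior connection is loaded with the expected authentication on each side. The two embedded samples are constructed: trimmed, re-indented versions of the two outputs quoted above (real `ipsec statusall` output indents everything under a heading, which the forum paste lost). The connection name con-mobile and the identifier vpn.mydomain.com are taken from the thread; the check logic, the `live_status` helper and the binary path /usr/local/sbin/ipsec are assumptions.

```python
"""Health check for an OPNsense/strongSwan mobile IKEv2 connection.

Parses the "Connections:" section of `ipsec statusall` output and reports
whether the expected road-warrior connection is loaded with the expected
authentication on each side. Added example, not OPNsense or strongSwan code.
"""
import re
import subprocess

# Constructed samples, trimmed and re-indented from the outputs quoted in the
# thread (real `ipsec statusall` output indents everything under a heading).
BROKEN_STATUS = """\
Status of IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64):
  uptime: 2 hours, since Mar 16 08:00:46 2023
Listening IP addresses:
  192.168.1.1
  172.16.10.1
Connections:
Security Associations (0 up, 0 connecting):
  none
"""

WORKING_STATUS = """\
Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 12.3-STABLE, amd64):
  uptime: 7 days, since Mar 08 16:17:33 2023
Listening IP addresses:
  192.168.1.1
  172.16.10.2
Connections:
      bypass:  %any...127.0.0.1  IKEv1/2
      bypass:   local:  uses any authentication
      bypass:   remote: uses any authentication
   bypasslan:   child:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
  con-mobile:  192.168.10.200...0.0.0.0/0, ::/0  IKEv2, dpddelay=10s
  con-mobile:   local:  [vpn.mydomain.com] uses public key authentication
  con-mobile:    cert:  "C=IT, O=VM srl, CN=office.xxxxxxxxx.com"
  con-mobile:   remote: [%any] uses EAP_RADIUS authentication with EAP identity '%any'
  con-mobile:   child:  172.16.10.0/24|/0 === dynamic TUNNEL, dpdaction=clear
Shunted Connections:
   bypasslan:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
Security Associations (0 up, 0 connecting):
  none
"""

# One indented line of the Connections section: "<name>: <rest>"
CONN_LINE = re.compile(r"^\s*(?P<name>[\w.-]+):\s*(?P<rest>.*)$")


def parse_connections(status_text):
    """Return {connection name: {header, local, remote, cert, children}}."""
    conns = {}
    in_connections = False
    for line in status_text.splitlines():
        if not line[:1].isspace():
            # Top-level headings ("Connections:", "Security Associations ...:")
            in_connections = line.strip() == "Connections:"
            continue
        if not in_connections:
            continue
        m = CONN_LINE.match(line)
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest").strip()
        entry = conns.setdefault(
            name, {"header": None, "local": None, "remote": None, "cert": None, "children": []}
        )
        for key in ("local", "remote", "cert", "child"):
            if rest.startswith(key + ":"):
                value = rest[len(key) + 1:].strip()
                if key == "child":
                    entry["children"].append(value)
                else:
                    entry[key] = value
                break
        else:
            entry["header"] = rest  # first line of a connection: peers and IKE version
    return conns


def check_mobile_connection(status_text, conn_name="con-mobile", local_id="vpn.mydomain.com"):
    """Return a list of findings; an empty list means the connection looks as expected."""
    entry = parse_connections(status_text).get(conn_name)
    if entry is None:
        return [f"{conn_name}: not loaded by charon (configuration never reached the daemon)"]
    findings = []
    if not entry["header"] or "IKEv2" not in entry["header"]:
        findings.append(f"{conn_name}: expected an IKEv2 connection")
    if not entry["local"] or f"[{local_id}]" not in entry["local"] or "public key" not in entry["local"]:
        findings.append(f"{conn_name}: local side should be [{local_id}] with public key authentication")
    if not entry["cert"]:
        findings.append(f"{conn_name}: no server certificate bound to the connection")
    if not entry["remote"] or "EAP_RADIUS" not in entry["remote"]:
        findings.append(f"{conn_name}: remote side should use EAP_RADIUS authentication")
    if not any("dynamic" in c and "TUNNEL" in c for c in entry["children"]):
        findings.append(f"{conn_name}: no tunnel-mode child with a dynamic remote selector")
    return findings


def live_status():
    """Run `ipsec statusall` on the box (assumed OPNsense path); used only when run directly."""
    return subprocess.run(["/usr/local/sbin/ipsec", "statusall"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, text in (("sample-broken", BROKEN_STATUS), ("sample-working", WORKING_STATUS)):
        print(label, check_mobile_connection(text) or "OK")
```

Run against the first sample it reports that con-mobile is simply not loaded, which is the situation in this thread (the GUI settings never reach charon), whereas against the second it returns no findings; on the box itself, feed `live_status()` to `check_mobile_connection`.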
I could imagine that this is the reason:
Quote: P.S. Why doesn't the IPsec service start automatically? I need to run the command /usr/local/sbin/ipsec start from the shell to have the service up and running.
You should restart your box, disable and re-enable IPsec, and then check whether the configuration is written to the file system.
Nothing to do.
1) I restarted the machine, disabled and re-enabled IPsec and saved; the service does not start and the configuration file is not written.
2) I deleted all the config, restarted the machine, configured the mobile clients section, created phase 1 and 2, enabled IPsec and saved; the service does not start and the configuration file is not written.
3) I deleted all the config, restarted the machine, selected only local user as the authentication type in the mobile clients section, enabled IPsec and saved; the service does not start and the configuration file is not written.
4) In System > Firmware I reinstalled IPsec, selected only local user as the authentication type in the mobile clients section, enabled IPsec and saved; the service does not start and the configuration file is not written.
5) I created a new fresh installation with only the LAN and WAN interfaces configured in the wizard, selected only local user as the authentication type in the mobile clients section, created phase 1 and 2 and left everything at the default. Enabling IPsec and saving, the service does not start and the configuration file is not written!
I have found another post in the forum that talks about IPsec not starting, with the log and the config being empty:
https://forum.opnsense.org/index.php?topic=26682.0
Could you post the output of
ls -la /usr/local/etc/swanctl/
root@vpn:~ # ls -la /usr/local/etc/swanctl/
total 42
drwxr-xr-x 16 root wheel 19 Mar 16 15:09 .
drwxr-xr-x 38 root wheel 120 Mar 16 15:09 ..
drwxr-x--- 2 root wheel 2 Jan 23 04:10 bliss
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 conf.d
drwxr-x--- 2 root wheel 2 Jan 23 04:10 ecdsa
drwxr-x--- 2 root wheel 2 Jan 23 04:10 pkcs12
drwxr-x--- 2 root wheel 2 Jan 23 04:10 pkcs8
drwxr-x--- 2 root wheel 2 Jan 23 04:10 private
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 pubkey
-rw-r--r-- 1 root wheel 86 Mar 16 15:31 reqid_events.conf
drwxr-x--- 2 root wheel 2 Jan 23 04:10 rsa
-rw-r----- 1 root wheel 16420 Mar 9 04:14 swanctl.conf
-rw-r----- 1 root wheel 16420 Mar 9 04:14 swanctl.conf.sample
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 x509
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 x509aa
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 x509ac
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 x509ca
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 x509crl
drwxr-xr-x 2 root wheel 2 Jan 25 11:23 x509ocsp
Looks good.
Are any messages in
cat /var/log/configd/latest.log
When I try to start the service, the only message is this, but the service does not start:
<13>1 2023-03-17T09:06:35+01:00 vpn.vmforbusiness.com configd.py 209 - [meta sequenceId="222"] [a76be5c3-7a08-4d36-8b82-8113a69675ad] IPsec service start
<13>1 2023-03-17T09:06:35+01:00 vpn.vmforbusiness.com configd.py 209 - [meta sequenceId="223"] [8aa0281c-0004-40db-a970-5d8f0a99bf6b] IPsec list legacy VirtualTunnelInterfaces
Mmmh. Did you check all three boxes?