root@vpn:~ # tcpdump -vvni vmx2 host 192.168.10.200 and host 109.118.89.166
tcpdump: listening on vmx2, link-type EN10MB (Ethernet), capture size 262144 bytes
15:51:15.293532 IP (tos 0x0, ttl 112, id 13393, offset 0, flags , proto TCP (6), length 52) 109.118.89.166.54068 > 192.168.10.200.443: Flags [S], cksum 0xac59 (correct), seq 3188826739, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
15:51:15.293849 IP (tos 0x0, ttl 63, id 0, offset 0, flags , proto TCP (6), length 52) 192.168.10.200.443 > 109.118.89.166.54068: Flags [S.], cksum 0x533d (correct), seq 3068371436, ack 3188826740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:51:15.329029 IP (tos 0x0, ttl 112, id 13394, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0x8cfe (correct), seq 1, ack 1, win 514, length 0
15:51:15.340584 IP (tos 0x0, ttl 111, id 0, offset 0, flags , proto TCP (6), length 557) 109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0xf1ca (correct), seq 1:518, ack 1, win 40960, length 517
15:51:15.340971 IP (tos 0x0, ttl 63, id 30058, offset 0, flags , proto TCP (6), length 40) 192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x8b06 (correct), seq 1, ack 518, win 501, length 0
15:51:15.342638 IP (tos 0x0, ttl 63, id 30059, offset 0, flags , proto TCP (6), length 1440) 192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x0916 (correct), seq 1:1401, ack 518, win 501, length 1400
15:51:15.342649 IP (tos 0x0, ttl 63, id 30060, offset 0, flags , proto TCP (6), length 1440) 192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x8ff0 (correct), seq 1401:2801, ack 518, win 501, length 1400
15:51:15.342689 IP (tos 0x0, ttl 63, id 30061, offset 0, flags , proto TCP (6), length 565) 192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0xbe55 (correct), seq 2801:3326, ack 518, win 501, length 525
15:51:15.352065 IP (tos 0x0, ttl 113, id 1, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe788 (correct), seq 518, ack 1401, win 40954, length 0
15:51:15.352082 IP (tos 0x0, ttl 113, id 2, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe215 (correct), seq 518, ack 2801, win 40949, length 0
15:51:15.352093 IP (tos 0x0, ttl 113, id 3, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe00a (correct), seq 518, ack 3326, win 40947, length 0
15:51:15.376622 IP (tos 0x0, ttl 113, id 4, offset 0, flags , proto TCP (6), length 120) 109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0xef32 (correct), seq 518:598, ack 3326, win 40960, length 80
15:51:15.377067 IP (tos 0x0, ttl 63, id 30062, offset 0, flags , proto TCP (6), length 311) 192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x3914 (correct), seq 3326:3597, ack 598, win 501, length 271
15:51:15.377116 IP (tos 0x0, ttl 63, id 30063, offset 0, flags , proto TCP (6), length 311) 192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0xe82e (correct), seq 3597:3868, ack 598, win 501, length 271
15:51:15.385521 IP (tos 0x0, ttl 113, id 5, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xdd92 (correct), seq 598, ack 3868, win 40957, length 0
15:51:15.405329 IP (tos 0x0, ttl 113, id 6, offset 0, flags , proto TCP (6), length 985) 109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0x7ca7 (correct), seq 598:1543, ack 3868, win 40957, length 945
15:51:15.435464 IP (tos 0x0, ttl 63, id 30064, offset 0, flags , proto TCP (6), length 1033) 192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x67d4 (correct), seq 3868:4861, ack 1543, win 501, length 993
15:51:15.444194 IP (tos 0x0, ttl 113, id 7, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd603 (correct), seq 1543, ack 4861, win 40954, length 0
15:51:20.440757 IP (tos 0x0, ttl 63, id 30065, offset 0, flags , proto TCP (6), length 64) 192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x50c1 (correct), seq 4861:4885, ack 1543, win 501, length 24
15:51:20.440774 IP (tos 0x0, ttl 63, id 30066, offset 0, flags , proto TCP (6), length 40) 192.168.10.200.443 > 109.118.89.166.54068: Flags [F.], cksum 0x73f0 (correct), seq 4885, ack 1543, win 501, length 0
15:51:20.449260 IP (tos 0x0, ttl 113, id 8, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd5e6 (correct), seq 1543, ack 4885, win 40959, length 0
15:51:20.450394 IP (tos 0x0, ttl 113, id 9, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd5e5 (correct), seq 1543, ack 4886, win 40959, length 0
15:51:20.563285 IP (tos 0x0, ttl 113, id 10, offset 0, flags , proto TCP (6), length 40) 109.118.89.166.54068 > 192.168.10.200.443: Flags [F.], cksum 0xd5e3 (correct), seq 1543, ack 4886, win 40960, length 0
15:51:20.563576 IP (tos 0x0, ttl 63, id 30067, offset 0, flags , proto TCP (6), length 40) 192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x73ef (correct), seq 4886, ack 1544, win 501, length 0
15:51:21.988990 IP (tos 0x0, ttl 114, id 13404, offset 0, flags , proto UDP (17), length 572) 109.118.89.166.54073 > 192.168.10.200.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie c924710918dcbb12->0000000000000000: parent_sa ikev2_init: (sa: len=44 (p: #1 protoid=isakmp transform=4 len=44 (t: #1 type=encr id=aes (type=keylen value=0100)) (t: #2 type=integ id=#12 ) (t: #3 type=prf id=#5 ) (t: #4 type=dh id=modp2048 ))) (v2ke: len=256 group=modp2048) (nonce: len=48 nonce=(8759fa55a28df7a94de649308fb9b2680e99a96380ab070f95d4604150f2ce66c7fdabf3a335eca34a76843b25d68177) ) (n: prot_id=#0 type=16430(status)) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip)) (v2vid: len=20 vid=.+Qi...}|......a....) (v2vid: len=16 vid=.....A.......U. ) (v2vid: len=16 vid=&$M8..a..*6.....) (v2vid: len=20 vid=.R.......I...[*Q....)
15:51:21.990034 IP (tos 0x0, ttl 64, id 60996, offset 0, flags , proto UDP (17), length 64) 192.168.10.200.500 > 109.118.89.166.54073: [udp sum ok] isakmp 2.0 msgid 00000000 cookie c924710918dcbb12->97483448dff7c2dd: parent_sa ikev2_init: (n: prot_id=#0 type=14(no_protocol_chosen)
... and please post the "X509v3 extensions" (System -> Trust -> Certificates) of your server certificate.
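# Show every local_ts line of the swanctl configuration, with line numbers,
# instead of piping cat into grep.  If the only match is the commented-out
# "# local_ts = dynamic" line of the sample file, no CHILD_SA is defined in
# swanctl.conf itself; the file ends with "include conf.d/*.conf", so the
# effective configuration may live in that directory instead.
grep -n -- 'local_ts' /usr/local/etc/swanctl/swanctl.conf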
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
I'd say the SAN DNS entry is missing from your certificate. This is mine:
X509v3 Subject Alternative Name: DNS:vpn.mydomain.com
X509v3 Extended Key Usage: TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
(1.3.6.1.5.5.8.2.2 is the "IP security IKE intermediate" extended key usage.)
Could you please post the output of
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
just to check whether this is really 0.0.0.0/0?
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
# local_ts = dynamic
Folks, "no proposal chosen" usually means there is a mismatch with your P1 (IKE) settings. Under VPN/IPsec/Advanced Settings, raise the "Configuration management and plugins" log level to control instead of audit. Try to connect and check the logs. You should see entries like the ones below, showing what the client offered versus what the server is configured to accept. On success they tell you which proposal was selected; otherwise you get the "no proposal chosen" error. Note that charon also answers NO_PROPOSAL_CHOSEN when no connection matches the peer at all (the log then reads "no IKE config found for <local>...<remote>, sending NO_PROPOSAL_CHOSEN"), so first confirm that a connection is actually loaded before comparing proposals.
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-16T08:01:07 Informational charon 16[NET] sending packet: from 192.168.10.200[500] to 5.90.77.85[43832] (36 bytes)
2023-03-16T08:01:07 Informational charon 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2023-03-16T08:01:07 Informational charon 16[IKE] no IKE config found for 192.168.10.200...5.90.77.85, sending NO_PROPOSAL_CHOSEN
2023-03-16T08:01:07 Informational charon 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
2023-03-16T08:01:07 Informational charon 16[NET] received packet: from 5.90.77.85[43832] to 192.168.10.200[500] (544 bytes)
2023-03-16T08:00:47 Informational charon 00[JOB] spawning 16 worker threads
2023-03-16T08:00:47 Informational charon 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2023-03-16T08:00:47 Informational charon 00[CFG] loaded 0 RADIUS server configurations
2023-03-16T08:00:47 Informational charon 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2023-03-16T08:00:47 Informational charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2023-03-16T08:00:47 Informational charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2023-03-16T08:00:47 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[CFG] using '/sbin/resolvconf' to install DNS servers
2023-03-16T08:00:47 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64)
# cat /usr/local/etc/swanctl/swanctl.conf# Section defining IKE connection configurations.# connections { # Section for an IKE connection named <conn>. # <conn> { # IKE major version to use for connection. # version = 0 # Local address(es) to use for IKE communication, comma separated. #local_addrs = %any # Remote address(es) to use for IKE communication, comma separated. #Remote_addrs = %any # Local UDP port for IKE communication. # local_port = 500 # Remote UDP port for IKE communication. # remote_port = 500 # Comma separated proposals to accept for IKE. # proposals = default # Virtual IPs to request in configuration payload / Mode Config. # vips = # Use Aggressive Mode in IKEv1. # aggressive = no # Set the Mode Config mode to use. # pull = yes # Differentiated Services Field Codepoint to set on outgoing IKE packets # (six binary digits). # dscp = 000000 # Enforce UDP encapsulation by faking NAT-D payloads. # encap = no # Enables MOBIKE on IKEv2 connections. # mobike = yes # Interval of liveness checks (DPD). # dpd_delay = 0s # Timeout for DPD checks (IKEV1 only). # dpd_timeout = 0s # Use IKE UDP datagram fragmentation (yes, accept, no or force). # fragmentation = yes # Use childless IKE_SA initiation (allow, prefer, force or never). # childless = allow # Send certificate requests payloads (yes or no). # send_certreq = yes # Send certificate payloads (always, never or ifasked). # send_cert = ifasked # String identifying the Postquantum Preshared Key (PPK) to be used. # ppk_id = # Whether a Postquantum Preshared Key (PPK) is required for this # connection. # ppk_required = no # Number of retransmission sequences to perform during initial connect. # keyingtries = 1 # Connection uniqueness policy (never, no, keep or replace). # unique = no # Time to schedule IKE reauthentication. # reauth_time = 0s # Time to schedule IKE rekeying. # rekey_time = 4h # Hard IKE_SA lifetime if rekey/reauth does not complete, as time. 
# over_time = 10% of rekey_time/reauth_time # Range of random time to subtract from rekey/reauth times. # rand_time = over_time # Comma separated list of named IP pools. # pools = # Default inbound XFRM interface ID for children. # if_id_in = 0 # Default outbound XFRM interface ID for children. # if_id_out = 0 # Whether this connection is a mediation connection. # mediation = no # The name of the connection to mediate this connection through. # mediated_by = # Identity under which the peer is registered at the mediation server. # mediation_peer = # Section for a local authentication round. # local<suffix> { # Optional numeric identifier by which authentication rounds are # sorted. If not specified rounds are ordered by their position in # the config file/VICI message. # round = 0 # Comma separated list of certificate candidates to use for # authentication. # certs = # Section for a certificate candidate to use for authentication. # cert<suffix> = # Comma separated list of raw public key candidates to use for # authentication. # pubkeys = # Authentication to perform locally (pubkey, psk, xauth[-backend] or # eap[-method]). # auth = pubkey # IKE identity to use for authentication round. # id = # Client EAP-Identity to use in EAP-Identity exchange and the EAP # method. # eap_id = id # Server side EAP-Identity to expect in the EAP method. # aaa_id = remote-id # Client XAuth username used in the XAuth exchange. # xauth_id = id # cert<suffix> { # Absolute path to the certificate to load. # file = # Hex-encoded CKA_ID of the certificate on a token. # handle = # Optional slot number of the token that stores the certificate. # slot = # Optional PKCS#11 module name. # module = # } # } # Section for a remote authentication round. # remote<suffix> { # Optional numeric identifier by which authentication rounds are # sorted. If not specified rounds are ordered by their position in # the config file/VICI message. # round = 0 # IKE identity to expect for authentication round. 
# id = %any # Identity to use as peer identity during EAP authentication. # eap_id = id # Authorization group memberships to require. # groups = # Certificate policy OIDs the peer's certificate must have. # cert_policy = # Comma separated list of certificate to accept for authentication. # certs = # Section for a certificate to accept for authentication. # cert<suffix> = # Comma separated list of CA certificates to accept for # authentication. # cacerts = # Section for a CA certificate to accept for authentication. # cacert<suffix> = # Identity in CA certificate to accept for authentication. # ca_id = # Comma separated list of raw public keys to accept for # authentication. # pubkeys = # Certificate revocation policy, (strict, ifuri or relaxed). # revocation = relaxed # Authentication to expect from remote (pubkey, psk, xauth[-backend] # or eap[-method]). # auth = pubkey # cert<suffix> { # Absolute path to the certificate to load. # file = # Hex-encoded CKA_ID of the certificate on a token. # handle = # Optional slot number of the token that stores the certificate. # slot = # Optional PKCS#11 module name. # module = # } # cacert<suffix> { # Absolute path to the certificate to load. # file = # Hex-encoded CKA_ID of the CA certificate on a token. # handle = # Optional slot number of the token that stores the CA # certificate. # slot = # Optional PKCS#11 module name. # module = # } # } # children { # CHILD_SA configuration sub-section. # <child> { # AH proposals to offer for the CHILD_SA. # ah_proposals = # ESP proposals to offer for the CHILD_SA. # esp_proposals = default # Use incorrect 96-bit truncation for HMAC-SHA-256. # sha256_96 = no # Local traffic selectors to include in CHILD_SA. # local_ts = dynamic # Remote selectors to include in CHILD_SA. # remote_ts = dynamic # Time to schedule CHILD_SA rekeying. # rekey_time = 1h # Maximum lifetime before CHILD_SA gets closed, as time. # life_time = rekey_time + 10% # Range of random time to subtract from rekey_time. 
# rand_time = life_time - rekey_time # Number of bytes processed before initiating CHILD_SA rekeying. # rekey_bytes = 0 # Maximum bytes processed before CHILD_SA gets closed. # life_bytes = rekey_bytes + 10% # Range of random bytes to subtract from rekey_bytes. # rand_bytes = life_bytes - rekey_bytes # Number of packets processed before initiating CHILD_SA # rekeying. # rekey_packets = 0 # Maximum number of packets processed before CHILD_SA gets # closed. # life_packets = rekey_packets + 10% # Range of random packets to subtract from packets_bytes. # rand_packets = life_packets - rekey_packets # Updown script to invoke on CHILD_SA up and down events. # updown = # Hostaccess variable to pass to updown script. # hostaccess = no # IPsec Mode to establish (tunnel, transport, transport_proxy, # beet, pass or drop). # mode = tunnel # Whether to install IPsec policies or not. # policies = yes # Whether to install outbound FWD IPsec policies or not. # policies_fwd_out = no # Action to perform on DPD timeout (clear, trap or restart). # dpd_action = clear # Enable IPComp compression before encryption. # ipcomp = no # Timeout before closing CHILD_SA after inactivity. # inactivity = 0s # Fixed reqid to use for this CHILD_SA. # reqid = 0 # Optional fixed priority for IPsec policies. # priority = 0 # Optional interface name to restrict IPsec policies. # interface = # Netfilter mark and mask for input traffic. # mark_in = 0/0x00000000 # Whether to set *mark_in* on the inbound SA. # mark_in_sa = no # Netfilter mark and mask for output traffic. # mark_out = 0/0x00000000 # Netfilter mark applied to packets after the inbound IPsec SA # processed them. # set_mark_in = 0/0x00000000 # Netfilter mark applied to packets after the outbound IPsec SA # processed them. # set_mark_out = 0/0x00000000 # Inbound XFRM interface ID (32-bit unsigned integer). # if_id_in = 0 # Outbound XFRM interface ID (32-bit unsigned integer). # if_id_out = 0 # Optional security label (e.g. 
SELinux context), IKEv2 only. # Refer to label_mode for details on how labels are processed. # label = # Security label mode (system, simple or selinux), IKEv2 only. # label_mode = system # Traffic Flow Confidentiality padding. # tfc_padding = 0 # IPsec replay window to configure for this CHILD_SA. # replay_window = 32 # Enable hardware offload for this CHILD_SA, if supported by the # IPsec implementation. # hw_offload = no # Whether to copy the DF bit to the outer IPv4 header in tunnel # mode. # copy_df = yes # Whether to copy the ECN header field to/from the outer IP # header in tunnel mode. # copy_ecn = yes # Whether to copy the DSCP header field to/from the outer IP # header in tunnel mode. # copy_dscp = out # Action to perform after loading the configuration (none, trap, # start). # start_action = none # Action to perform after a CHILD_SA gets closed (none, trap, # start). # close_action = none # } # } # }# }# Section defining secrets for IKE/EAP/XAuth authentication and private key# decryption.# secrets { # EAP secret section for a specific secret. # eap<suffix> { # Value of the EAP/XAuth secret. # secret = # Identity the EAP/XAuth secret belongs to. # id<suffix> = # } # XAuth secret section for a specific secret. # xauth<suffix> { # } # NTLM secret section for a specific secret. # ntlm<suffix> { # Value of the NTLM secret. # secret = # Identity the NTLM secret belongs to. # id<suffix> = # } # IKE preshared secret section for a specific secret. # ike<suffix> { # Value of the IKE preshared secret. # secret = # IKE identity the IKE preshared secret belongs to. # id<suffix> = # } # Postquantum Preshared Key (PPK) section for a specific secret. # ppk<suffix> { # Value of the PPK. # secret = # PPK identity the PPK belongs to. # id<suffix> = # } # Private key decryption passphrase for a key in the private folder. # private<suffix> { # File name in the private folder for which this passphrase should be # used. 
# file = # Value of decryption passphrase for private key. # secret = # } # Private key decryption passphrase for a key in the rsa folder. # rsa<suffix> { # File name in the rsa folder for which this passphrase should be used. # file = # Value of decryption passphrase for RSA key. # secret = # } # Private key decryption passphrase for a key in the ecdsa folder. # ecdsa<suffix> { # File name in the ecdsa folder for which this passphrase should be # used. # file = # Value of decryption passphrase for ECDSA key. # secret = # } # Private key decryption passphrase for a key in the pkcs8 folder. # pkcs8<suffix> { # File name in the pkcs8 folder for which this passphrase should be # used. # file = # Value of decryption passphrase for PKCS#8 key. # secret = # } # PKCS#12 decryption passphrase for a container in the pkcs12 folder. # pkcs12<suffix> { # File name in the pkcs12 folder for which this passphrase should be # used. # file = # Value of decryption passphrase for PKCS#12 container. # secret = # } # Definition for a private key that's stored on a token/smartcard. # token<suffix> { # Hex-encoded CKA_ID of the private key on the token. # handle = # Optional slot number to access the token. # slot = # Optional PKCS#11 module name to access the token. # module = # Optional PIN required to access the key on the token. If none is # provided the user is prompted during an interactive --load-creds call. # pin = # }# }# Section defining named pools.# pools { # Section defining a single pool with a unique name. # <name> { # Addresses allocated in pool. # addrs = # Comma separated list of additional attributes from type <attr>. # <attr> = # }# }# Section defining attributes of certification authorities.# authorities { # Section defining a certification authority with a unique name. # <name> { # CA certificate belonging to the certification authority. # cacert = # Absolute path to the certificate to load. # file = # Hex-encoded CKA_ID of the CA certificate on a token. 
# handle = # Optional slot number of the token that stores the CA certificate. # slot = # Optional PKCS#11 module name. # module = # Comma-separated list of CRL distribution points. # crl_uris = # Comma-separated list of OCSP URIs. # ocsp_uris = # Defines the base URI for the Hash and URL feature supported by IKEv2. # cert_uri_base = # }
# }
# Include config snippets
include conf.d/*.conf
Status of IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64):
  uptime: 2 hours, since Mar 16 08:00:46 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  172.16.10.1
  192.168.10.200
  192.168.120.1
Connections:
Security Associations (0 up, 0 connecting):
  none
Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 12.3-STABLE, amd64):
  uptime: 7 days, since Mar 08 16:17:33 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon eap-radius unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  172.16.10.2
  192.168.10.200
  192.168.120.1
Connections:
      bypass:  %any...127.0.0.1  IKEv1/2
      bypass:   local:  uses any authentication
      bypass:   remote: uses any authentication
   bypasslan:   child:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
  con-mobile:  192.168.10.200...0.0.0.0/0, ::/0  IKEv2, dpddelay=10s
  con-mobile:   local:  [vpn.mydomain.com] uses public key authentication
  con-mobile:    cert:  "C=IT, ST=Italia, L=Nova Milanese, O=VM srl, E=admin@xxxxxxxxx.com, CN=office.xxxxxxxxx.com"
  con-mobile:   remote: [%any] uses EAP_RADIUS authentication with EAP identity '%any'
  con-mobile:   child:  172.16.10.0/24|/0 === dynamic TUNNEL, dpdaction=clear
Shunted Connections:
   bypasslan:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
Security Associations (0 up, 0 connecting):
  none
P.S. Why doesn't the IPsec service start automatically? I have to run /usr/local/sbin/ipsec start from the shell to get the service up and running.
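# List the swanctl directory together with its conf.d include directory
# (swanctl.conf ends with "include conf.d/*.conf", so an empty conf.d means
# nothing is included), then check whether swanctl.conf is still the untouched
# sample: cmp prints nothing and exits 0 when the two files are identical.
ls -la /usr/local/etc/swanctl/ /usr/local/etc/swanctl/conf.d/
cmp -- /usr/local/etc/swanctl/swanctl.conf /usr/local/etc/swanctl/swanctl.conf.sample \
  && echo 'swanctl.conf is byte-identical to swanctl.conf.sample (no connections defined here)'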
root@vpn:~ # ls -la /usr/local/etc/swanctl/
total 42
drwxr-xr-x  16 root wheel     19 Mar 16 15:09 .
drwxr-xr-x  38 root wheel    120 Mar 16 15:09 ..
drwxr-x---   2 root wheel      2 Jan 23 04:10 bliss
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 conf.d
drwxr-x---   2 root wheel      2 Jan 23 04:10 ecdsa
drwxr-x---   2 root wheel      2 Jan 23 04:10 pkcs12
drwxr-x---   2 root wheel      2 Jan 23 04:10 pkcs8
drwxr-x---   2 root wheel      2 Jan 23 04:10 private
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 pubkey
-rw-r--r--   1 root wheel     86 Mar 16 15:31 reqid_events.conf
drwxr-x---   2 root wheel      2 Jan 23 04:10 rsa
-rw-r-----   1 root wheel  16420 Mar  9 04:14 swanctl.conf
-rw-r-----   1 root wheel  16420 Mar  9 04:14 swanctl.conf.sample
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 x509
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 x509aa
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 x509ac
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 x509ca
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 x509crl
drwxr-xr-x   2 root wheel      2 Jan 25 11:23 x509ocsp
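# configd's latest.log records every backend action; keep only the IPsec
# entries so the "IPsec service start" lines are easy to spot instead of
# dumping the whole file.
grep -i -- 'ipsec' /var/log/configd/latest.log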
<13>1 2023-03-17T09:06:35+01:00 vpn.vmforbusiness.com configd.py 209 - [meta sequenceId="222"] [a76be5c3-7a08-4d36-8b82-8113a69675ad] IPsec service start
<13>1 2023-03-17T09:06:35+01:00 vpn.vmforbusiness.com configd.py 209 - [meta sequenceId="223"] [8aa0281c-0004-40db-a970-5d8f0a99bf6b] IPsec list legacy VirtualTunnelInterfaces