IPSEC with Radius no IKE config found

Started by lirees, March 14, 2023, 08:43:50 AM


March 15, 2023, 03:54:57 PM #16 Last Edit: March 16, 2023, 07:50:50 AM by lirees
The source IP address has changed: 109.118.89.166

root@vpn:~ # tcpdump -vvni vmx2 host 192.168.10.200 and host 109.118.89.166
tcpdump: listening on vmx2, link-type EN10MB (Ethernet), capture size 262144 bytes
15:51:15.293532 IP (tos 0x0, ttl 112, id 13393, offset 0, flags , proto TCP (6), length 52)
    109.118.89.166.54068 > 192.168.10.200.443: Flags , cksum 0xac59 (correct), seq 3188826739, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
15:51:15.293849 IP (tos 0x0, ttl 63, id 0, offset 0, flags , proto TCP (6), length 52)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [S.], cksum 0x533d (correct), seq 3068371436, ack 3188826740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:51:15.329029 IP (tos 0x0, ttl 112, id 13394, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0x8cfe (correct), seq 1, ack 1, win 514, length 0
15:51:15.340584 IP (tos 0x0, ttl 111, id 0, offset 0, flags , proto TCP (6), length 557)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0xf1ca (correct), seq 1:518, ack 1, win 40960, length 517
15:51:15.340971 IP (tos 0x0, ttl 63, id 30058, offset 0, flags , proto TCP (6), length 40)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x8b06 (correct), seq 1, ack 518, win 501, length 0
15:51:15.342638 IP (tos 0x0, ttl 63, id 30059, offset 0, flags , proto TCP (6), length 1440)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x0916 (correct), seq 1:1401, ack 518, win 501, length 1400
15:51:15.342649 IP (tos 0x0, ttl 63, id 30060, offset 0, flags , proto TCP (6), length 1440)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x8ff0 (correct), seq 1401:2801, ack 518, win 501, length 1400
15:51:15.342689 IP (tos 0x0, ttl 63, id 30061, offset 0, flags , proto TCP (6), length 565)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0xbe55 (correct), seq 2801:3326, ack 518, win 501, length 525
15:51:15.352065 IP (tos 0x0, ttl 113, id 1, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe788 (correct), seq 518, ack 1401, win 40954, length 0
15:51:15.352082 IP (tos 0x0, ttl 113, id 2, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe215 (correct), seq 518, ack 2801, win 40949, length 0
15:51:15.352093 IP (tos 0x0, ttl 113, id 3, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xe00a (correct), seq 518, ack 3326, win 40947, length 0
15:51:15.376622 IP (tos 0x0, ttl 113, id 4, offset 0, flags , proto TCP (6), length 120)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0xef32 (correct), seq 518:598, ack 3326, win 40960, length 80
15:51:15.377067 IP (tos 0x0, ttl 63, id 30062, offset 0, flags , proto TCP (6), length 311)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x3914 (correct), seq 3326:3597, ack 598, win 501, length 271
15:51:15.377116 IP (tos 0x0, ttl 63, id 30063, offset 0, flags , proto TCP (6), length 311)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0xe82e (correct), seq 3597:3868, ack 598, win 501, length 271
15:51:15.385521 IP (tos 0x0, ttl 113, id 5, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xdd92 (correct), seq 598, ack 3868, win 40957, length 0
15:51:15.405329 IP (tos 0x0, ttl 113, id 6, offset 0, flags , proto TCP (6), length 985)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [P.], cksum 0x7ca7 (correct), seq 598:1543, ack 3868, win 40957, length 945
15:51:15.435464 IP (tos 0x0, ttl 63, id 30064, offset 0, flags , proto TCP (6), length 1033)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x67d4 (correct), seq 3868:4861, ack 1543, win 501, length 993
15:51:15.444194 IP (tos 0x0, ttl 113, id 7, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd603 (correct), seq 1543, ack 4861, win 40954, length 0
15:51:20.440757 IP (tos 0x0, ttl 63, id 30065, offset 0, flags , proto TCP (6), length 64)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [P.], cksum 0x50c1 (correct), seq 4861:4885, ack 1543, win 501, length 24
15:51:20.440774 IP (tos 0x0, ttl 63, id 30066, offset 0, flags , proto TCP (6), length 40)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [F.], cksum 0x73f0 (correct), seq 4885, ack 1543, win 501, length 0
15:51:20.449260 IP (tos 0x0, ttl 113, id 8, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd5e6 (correct), seq 1543, ack 4885, win 40959, length 0
15:51:20.450394 IP (tos 0x0, ttl 113, id 9, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [.], cksum 0xd5e5 (correct), seq 1543, ack 4886, win 40959, length 0
15:51:20.563285 IP (tos 0x0, ttl 113, id 10, offset 0, flags , proto TCP (6), length 40)
    109.118.89.166.54068 > 192.168.10.200.443: Flags [F.], cksum 0xd5e3 (correct), seq 1543, ack 4886, win 40960, length 0
15:51:20.563576 IP (tos 0x0, ttl 63, id 30067, offset 0, flags , proto TCP (6), length 40)
    192.168.10.200.443 > 109.118.89.166.54068: Flags [.], cksum 0x73ef (correct), seq 4886, ack 1544, win 501, length 0
15:51:21.988990 IP (tos 0x0, ttl 114, id 13404, offset 0, flags , proto UDP (17), length 572)
    109.118.89.166.54073 > 192.168.10.200.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie c924710918dcbb12->0000000000000000: parent_sa ikev2_init:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=integ id=#12 )
            (t: #3 type=prf id=#5 )
            (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=48 nonce=(8759fa55a28df7a94de649308fb9b2680e99a96380ab070f95d4604150f2ce66c7fdabf3a335eca34a76843b25d68177) )
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (v2vid: len=20 vid=.+Qi...}|......a....)
    (v2vid: len=16 vid=.....A.......U. )
    (v2vid: len=16 vid=&$M8..a..*6.....)
    (v2vid: len=20 vid=.R.......I...[*Q....)
15:51:21.990034 IP (tos 0x0, ttl 64, id 60996, offset 0, flags , proto UDP (17), length 64)
    192.168.10.200.500 > 109.118.89.166.54073: [udp sum ok] isakmp 2.0 msgid 00000000 cookie c924710918dcbb12->97483448dff7c2dd: parent_sa ikev2_init:
    (n: prot_id=#0 type=14(no_protocol_chosen)
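The two datagrams at the end of the capture are the whole story of this failure: the client sends IKE_SA_INIT with one proposal (AES-CBC-256, HMAC-SHA2-256-128, PRF-HMAC-SHA2-256, MODP-2048) and charon answers with a single Notify of type 14, which tcpdump labels no_protocol_chosen and strongSwan calls NO_PROPOSAL_CHOSEN. The following builder/decoder is an added example, not code from the post or from strongSwan; it reconstructs those two messages byte for byte from the fields tcpdump printed (transform ids, the 44-byte proposal, the SPIs, notify 14), using the layouts of RFC 7296. The request's KE, nonce and vendor ID payloads are left out, so the request side here is only the SA payload.

```python
"""Build and decode the IKE_SA_INIT proposal and the NO_PROPOSAL_CHOSEN reply
seen in the tcpdump above.  Added example; bytes are constructed from the
capture's decoded fields (RFC 7296 layouts), not replayed from the wire."""
import struct

PAYLOAD_SA, PAYLOAD_NOTIFY = 33, 41
EXCH_IKE_SA_INIT = 34
FLAG_RESPONSE = 0x20          # R bit in the IKE header flags
PROTO_IKE = 1
ATTR_KEY_LENGTH = 14          # transform attribute type "Key Length"
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
# only the identifiers that occur in this capture
TRANSFORM_NAMES = {(1, 12): "AES_CBC", (2, 5): "PRF_HMAC_SHA2_256",
                   (3, 12): "HMAC_SHA2_256_128", (4, 14): "MODP_2048"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP",
                16430: "IKEV2_FRAGMENTATION_SUPPORTED"}


def ike_header(spi_i, spi_r, next_payload, exchange, flags, msg_id, length):
    """28-byte IKEv2 header; version byte 0x20 = major 2, minor 0."""
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, next_payload, 0x20,
                       exchange, flags, msg_id, length)


def transform(ttype, tid, keylen=None, last=False):
    """Transform substructure, optionally carrying a TV Key Length attribute."""
    attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def sa_payload(transforms, next_payload=0):
    """SA payload holding one IKE proposal (#1, no SPI)."""
    body = b"".join(transforms)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, PROTO_IKE, 0,
                           len(transforms)) + body
    return struct.pack("!BBH", next_payload, 0, 4 + len(proposal)) + proposal


def notify_payload(ntype, next_payload=0, proto=0, spi=b"", data=b""):
    """Notify payload: generic header, protocol id, SPI size, notify type."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(spi) + len(data),
                       proto, len(spi), ntype) + spi + data


def parse_sa_payload(data):
    """Return one list per proposal of (transform type, algorithm, key length)."""
    _, _, length = struct.unpack("!BBH", data[:4])
    off, proposals = 4, []
    while off < length:
        _, _, plen, _, _, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            keylen, aoff = None, toff + 8
            while aoff < toff + tlen:                # walk the attributes
                atype, aval = struct.unpack("!HH", data[aoff:aoff + 4])
                if atype & 0x8000:                   # TV: aval is the value
                    if (atype & 0x7FFF) == ATTR_KEY_LENGTH:
                        keylen = aval
                    aoff += 4
                else:                                # TLV: aval is a length
                    aoff += 4 + aval
            transforms.append((TRANSFORM_TYPES.get(ttype, str(ttype)),
                               TRANSFORM_NAMES.get((ttype, tid), f"#{tid}"), keylen))
            toff += tlen
        proposals.append(transforms)
        off += plen
    return proposals


def parse_ike_sa_init_response(packet):
    """Walk the payload chain of an IKE_SA_INIT message and collect Notify types."""
    spi_i, spi_r, npl, ver, exch, flags, _, length = struct.unpack("!8s8sBBBBII", packet[:28])
    if ver != 0x20 or exch != EXCH_IKE_SA_INIT or length != len(packet):
        raise ValueError("not a well-formed IKE_SA_INIT message")
    notifies, off = [], 28
    while npl != 0 and off + 4 <= len(packet):
        nxt, _, plen = struct.unpack("!BBH", packet[off:off + 4])
        if npl == PAYLOAD_NOTIFY:
            _, _, ntype = struct.unpack("!BBH", packet[off + 4:off + 8])
            notifies.append(NOTIFY_TYPES.get(ntype, str(ntype)))
        npl, off = nxt, off + plen
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
            "response": bool(flags & FLAG_RESPONSE), "notifies": notifies}


def build_client_sa():
    """The single proposal the client offered (tcpdump: proposal len=44)."""
    return sa_payload([transform(1, 12, keylen=256),   # encr AES_CBC, keylen value=0100
                       transform(3, 12),               # integ id #12 = HMAC_SHA2_256_128
                       transform(2, 5),                # prf id #5 = PRF_HMAC_SHA2_256
                       transform(4, 14, last=True)])   # dh MODP_2048


def build_server_reply():
    """charon's 36-byte answer: header plus N(NO_PROPOSAL_CHOSEN), SPIs from the capture."""
    body = notify_payload(14)
    return ike_header(bytes.fromhex("c924710918dcbb12"), bytes.fromhex("97483448dff7c2dd"),
                      PAYLOAD_NOTIFY, EXCH_IKE_SA_INIT, FLAG_RESPONSE, 0, 28 + len(body)) + body


if __name__ == "__main__":
    print(parse_sa_payload(build_client_sa()))
    print(parse_ike_sa_init_response(build_server_reply()))
```

The reconstructed reply is exactly 36 bytes, the size charon later logs when "sending packet ... (36 bytes)". A responder that sends this Notify with an empty SA payload has rejected the peer before any cryptographic work, so the cause is either a proposal mismatch or, as the charon log later in this thread shows, no connection definition matching the peer addresses at all.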

March 15, 2023, 03:58:04 PM #17 Last Edit: March 15, 2023, 04:00:41 PM by lirees
Quote from: atom on March 15, 2023, 02:32:52 PM
... and please: X509v3 extensions" ( System -> Trust -> Certificates ) of your server certificate.

X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OPNsense Generated Server Certificate
            X509v3 Subject Key Identifier:
                81:B2:C1:F6:F7:33:5E:A0:1D:B5:10:1D:74:20:6D:75:A5:65:4A:99
            X509v3 Authority Key Identifier:
                keyid:DC:52:85:D6:C4:AB:A9:31:C5:D3:6B:F0:08:28:97:74:BC:6B:AF:22
                DirName:/C=IT/ST=MI/L=xxxxxxx/O=VM4B/emailAddress=adm@xxxxxxx.com/CN=vpn.mydomain.com
                serial:00

I'd say the SAN DNS entry is missing from your certificate. This is mine.

X509v3 Subject Alternative Name:
                DNS:vpn.mydomain.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2

Could you please post
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
only to check if this is really 0.0.0.0/0
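Atom's point is the Subject Alternative Name: IKEv2 clients that validate the server certificate (the built-in Windows and Apple clients among them) compare the host name they dial against the SAN, and the working certificate posted later in this thread also carries an Extended Key Usage with TLS Web Server Authentication plus 1.3.6.1.5.5.8.2.2 (the IKE intermediate OID) and a Key Usage with Digital Signature. The checker below is an added example, not from the thread or from OPNsense; it parses the text rendering of `openssl x509 -text -noout` rather than DER, and the two certificate dumps embedded in it are copied from the posts (the first without, the second with the extensions atom asks about).

```python
"""Check an IKEv2 server certificate's X509v3 extensions from openssl text output.
Added example; the two dumps are copied from this thread.  For production use,
parse the certificate itself (e.g. with the cryptography package) rather than
OpenSSL's text rendering."""
import re

# an extension header line: "X509v3 Subject Alternative Name:" or "X509v3 Key Usage: critical"
HEADER_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9 .#-]*):\s*(critical)?\s*$")
IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"   # iKEIntermediate, present in the working cert

PARTIAL_DUMP = """\
X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OPNsense Generated Server Certificate
            X509v3 Subject Key Identifier:
                81:B2:C1:F6:F7:33:5E:A0:1D:B5:10:1D:74:20:6D:75:A5:65:4A:99
            X509v3 Authority Key Identifier:
                keyid:DC:52:85:D6:C4:AB:A9:31:C5:D3:6B:F0:08:28:97:74:BC:6B:AF:22
                DirName:/C=IT/ST=MI/L=xxxxxxx/O=VM4B/emailAddress=adm@xxxxxxx.com/CN=vpn.mydomain.com
                serial:00
"""
FULL_DUMP = PARTIAL_DUMP + """\

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vpn.mydomain.com
"""


def parse_x509_extensions(text):
    """Return {extension name: [value lines]} for the X509v3 extensions block."""
    exts, current, started = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not started:                      # skip Subject/Issuer/... until the block
            started = stripped == "X509v3 extensions:"
            continue
        if stripped.startswith("Signature Algorithm"):
            break                            # end of the extensions block
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            exts[current] = []
        elif current is not None:            # value lines like "DNS:..." or "CA:FALSE"
            exts[current].append(stripped)
    return exts


def _items(exts, name):
    """Comma-separated values of one extension, e.g. EKU entries or SAN entries."""
    return [v.strip() for v in ", ".join(exts.get(name, [])).split(",") if v.strip()]


def check_ikev2_server_cert(text, hostname):
    """List what is missing for `hostname` compared with the thread's working certificate."""
    exts = parse_x509_extensions(text)
    san_dns = [v[4:] for v in _items(exts, "X509v3 Subject Alternative Name") if v.startswith("DNS:")]
    eku = _items(exts, "X509v3 Extended Key Usage")
    ku = _items(exts, "X509v3 Key Usage")
    bc = _items(exts, "X509v3 Basic Constraints")
    problems = []
    if hostname not in san_dns:              # exact match only; wildcards are not expanded here
        problems.append(f"no SAN DNS entry for {hostname} (SAN DNS: {san_dns or 'none'})")
    if "TLS Web Server Authentication" not in eku:
        problems.append("EKU lacks TLS Web Server Authentication")
    if IKE_INTERMEDIATE_OID not in eku:
        problems.append(f"EKU lacks {IKE_INTERMEDIATE_OID} (IKE intermediate)")
    if "Digital Signature" not in ku:
        problems.append("Key Usage lacks Digital Signature")
    if "CA:FALSE" not in bc:
        problems.append("Basic Constraints is not CA:FALSE")
    return problems


if __name__ == "__main__":
    print(check_ikev2_server_cert(PARTIAL_DUMP, "vpn.mydomain.com"))
    print(check_ikev2_server_cert(FULL_DUMP, "vpn.mydomain.com"))
```

Run it against `openssl x509 -in server.crt -text -noout` output with the exact host name the client is configured to connect to; a CN that matches but a SAN that does not is reported, since the SAN is what the client checks.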



Folks, "no proposal chosen" means there's a mismatch with your P1 settings. Under VPN/IPsec/Advanced Settings, bump up "Configuration management and plugins" logging to control instead of audit. Try to connect and check the logs. You should see entries like this, showing what the client tried to use versus what the server can support. If there's success, it will tell you which proposal was selected. Otherwise, it will give you the "no proposal chosen" error.


2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

Quote from: atom on March 15, 2023, 04:53:27 PM
I'll say that in your certificate the SAN-DNS entry is missing. This is mine.

X509v3 Subject Alternative Name:
                DNS:vpn.mydomain.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2

Could you please post
cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
only to check if this is really 0.0.0.0/0


You are right. I had not posted part of the server certificate. It looks like yours.

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OPNsense Generated Server Certificate
            X509v3 Subject Key Identifier:
                81:B2:C1:F6:F7:33:5E:A0:1D:B5:10:1D:74:20:6D:75:A5:65:4A:99
            X509v3 Authority Key Identifier:
                keyid:DC:52:85:D6:C4:AB:A9:31:C5:D3:6B:F0:08:28:97:74:BC:6B:AF:22
                DirName:/C=IT/ST=MI/L=xxxxxxx/O=VM4B/emailAddress=adm@xxxxxxx.com/CN=vpn.mydomain.com
                serial:00

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vpn.mydomain.com

cat /usr/local/etc/swanctl/swanctl.conf | grep local_ts
                # local_ts = dynamic


All the lines of the swanctl.conf file are commented out with #.

thanks

Quote from: miken32 on March 16, 2023, 03:52:12 AM
Folks, "no proposal chosen" means there's a mismatch with your P1 settings. Under VPN/IPSec/Advanced Settings, bump up "Configuration management and plugins" logging to control instead of audit. Try to connect and check logs. You should see entries like this, showing what the client tried to use versus what the server can support. If there's success it will tell you what proposal was selected. Otherwise, it will give you "no proposal chosen" error.


2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048


"Configuration management and plugins" set to Highest, OPNsense restarted (after the restart strongSwan is always down and I need to start it manually from the shell), but the logs are the same:

2023-03-16T08:01:07 Informational charon 16[NET] sending packet: from 192.168.10.200[500] to 5.90.77.85[43832] (36 bytes)
2023-03-16T08:01:07 Informational charon 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2023-03-16T08:01:07 Informational charon 16[IKE] no IKE config found for 192.168.10.200...5.90.77.85, sending NO_PROPOSAL_CHOSEN
2023-03-16T08:01:07 Informational charon 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
2023-03-16T08:01:07 Informational charon 16[NET] received packet: from 5.90.77.85[43832] to 192.168.10.200[500] (544 bytes)
2023-03-16T08:00:47 Informational charon 00[JOB] spawning 16 worker threads
2023-03-16T08:00:47 Informational charon 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
2023-03-16T08:00:47 Informational charon 00[CFG] loaded 0 RADIUS server configurations
2023-03-16T08:00:47 Informational charon 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2023-03-16T08:00:47 Informational charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2023-03-16T08:00:47 Informational charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2023-03-16T08:00:47 Informational charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2023-03-16T08:00:47 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[NET] installing IKE bypass policy failed
2023-03-16T08:00:47 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2023-03-16T08:00:47 Informational charon 00[CFG] using '/sbin/resolvconf' to install DNS servers
2023-03-16T08:00:47 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64)



This is /usr/local/etc/swanctl/swanctl.conf. Is it correct that all the lines are commented out (the included conf.d/ dir is empty)?

# cat /usr/local/etc/swanctl/swanctl.conf
# Section defining IKE connection configurations.
# connections {

    # Section for an IKE connection named <conn>.
    # <conn> {

        # IKE major version to use for connection.
        # version = 0

        # Local address(es) to use for IKE communication, comma separated.
        # local_addrs = %any

        # Remote address(es) to use for IKE communication, comma separated.
        # remote_addrs = %any

        # Local UDP port for IKE communication.
        # local_port = 500

        # Remote UDP port for IKE communication.
        # remote_port = 500

        # Comma separated proposals to accept for IKE.
        # proposals = default

        # Virtual IPs to request in configuration payload / Mode Config.
        # vips =

        # Use Aggressive Mode in IKEv1.
        # aggressive = no

        # Set the Mode Config mode to use.
        # pull = yes

        # Differentiated Services Field Codepoint to set on outgoing IKE packets
        # (six binary digits).
        # dscp = 000000

        # Enforce UDP encapsulation by faking NAT-D payloads.
        # encap = no

        # Enables MOBIKE on IKEv2 connections.
        # mobike = yes

        # Interval of liveness checks (DPD).
        # dpd_delay = 0s

        # Timeout for DPD checks (IKEV1 only).
        # dpd_timeout = 0s

        # Use IKE UDP datagram fragmentation (yes, accept, no or force).
        # fragmentation = yes

        # Use childless IKE_SA initiation (allow, prefer, force or never).
        # childless = allow

        # Send certificate requests payloads (yes or no).
        # send_certreq = yes

        # Send certificate payloads (always, never or ifasked).
        # send_cert = ifasked

        # String identifying the Postquantum Preshared Key (PPK) to be used.
        # ppk_id =

        # Whether a Postquantum Preshared Key (PPK) is required for this
        # connection.
        # ppk_required = no

        # Number of retransmission sequences to perform during initial connect.
        # keyingtries = 1

        # Connection uniqueness policy (never, no, keep or replace).
        # unique = no

        # Time to schedule IKE reauthentication.
        # reauth_time = 0s

        # Time to schedule IKE rekeying.
        # rekey_time = 4h

        # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
        # over_time = 10% of rekey_time/reauth_time

        # Range of random time to subtract from rekey/reauth times.
        # rand_time = over_time

        # Comma separated list of named IP pools.
        # pools =

        # Default inbound XFRM interface ID for children.
        # if_id_in = 0

        # Default outbound XFRM interface ID for children.
        # if_id_out = 0

        # Whether this connection is a mediation connection.
        # mediation = no

        # The name of the connection to mediate this connection through.
        # mediated_by =

        # Identity under which the peer is registered at the mediation server.
        # mediation_peer =

        # Section for a local authentication round.
        # local<suffix> {

            # Optional numeric identifier by which authentication rounds are
            # sorted.  If not specified rounds are ordered by their position in
            # the config file/VICI message.
            # round = 0

            # Comma separated list of certificate candidates to use for
            # authentication.
            # certs =

            # Section for a certificate candidate to use for authentication.
            # cert<suffix> =

            # Comma separated list of raw public key candidates to use for
            # authentication.
            # pubkeys =

            # Authentication to perform locally (pubkey, psk, xauth[-backend] or
            # eap[-method]).
            # auth = pubkey

            # IKE identity to use for authentication round.
            # id =

            # Client EAP-Identity to use in EAP-Identity exchange and the EAP
            # method.
            # eap_id = id

            # Server side EAP-Identity to expect in the EAP method.
            # aaa_id = remote-id

            # Client XAuth username used in the XAuth exchange.
            # xauth_id = id

            # cert<suffix> {

                # Absolute path to the certificate to load.
                # file =

                # Hex-encoded CKA_ID of the certificate on a token.
                # handle =

                # Optional slot number of the token that stores the certificate.
                # slot =

                # Optional PKCS#11 module name.
                # module =

            # }

        # }

        # Section for a remote authentication round.
        # remote<suffix> {

            # Optional numeric identifier by which authentication rounds are
            # sorted.  If not specified rounds are ordered by their position in
            # the config file/VICI message.
            # round = 0

            # IKE identity to expect for authentication round.
            # id = %any

            # Identity to use as peer identity during EAP authentication.
            # eap_id = id

            # Authorization group memberships to require.
            # groups =

            # Certificate policy OIDs the peer's certificate must have.
            # cert_policy =

            # Comma separated list of certificate to accept for authentication.
            # certs =

            # Section for a certificate to accept for authentication.
            # cert<suffix> =

            # Comma separated list of CA certificates to accept for
            # authentication.
            # cacerts =

            # Section for a CA certificate to accept for authentication.
            # cacert<suffix> =

            # Identity in CA certificate to accept for authentication.
            # ca_id =

            # Comma separated list of raw public keys to accept for
            # authentication.
            # pubkeys =

            # Certificate revocation policy, (strict, ifuri or relaxed).
            # revocation = relaxed

            # Authentication to expect from remote (pubkey, psk, xauth[-backend]
            # or eap[-method]).
            # auth = pubkey

            # cert<suffix> {

                # Absolute path to the certificate to load.
                # file =

                # Hex-encoded CKA_ID of the certificate on a token.
                # handle =

                # Optional slot number of the token that stores the certificate.
                # slot =

                # Optional PKCS#11 module name.
                # module =

            # }

            # cacert<suffix> {

                # Absolute path to the certificate to load.
                # file =

                # Hex-encoded CKA_ID of the CA certificate on a token.
                # handle =

                # Optional slot number of the token that stores the CA
                # certificate.
                # slot =

                # Optional PKCS#11 module name.
                # module =

            # }

        # }

        # children {

            # CHILD_SA configuration sub-section.
            # <child> {

                # AH proposals to offer for the CHILD_SA.
                # ah_proposals =

                # ESP proposals to offer for the CHILD_SA.
                # esp_proposals = default

                # Use incorrect 96-bit truncation for HMAC-SHA-256.
                # sha256_96 = no

                # Local traffic selectors to include in CHILD_SA.
                # local_ts = dynamic

                # Remote selectors to include in CHILD_SA.
                # remote_ts = dynamic

                # Time to schedule CHILD_SA rekeying.
                # rekey_time = 1h

                # Maximum lifetime before CHILD_SA gets closed, as time.
                # life_time = rekey_time + 10%

                # Range of random time to subtract from rekey_time.
                # rand_time = life_time - rekey_time

                # Number of bytes processed before initiating CHILD_SA rekeying.
                # rekey_bytes = 0

                # Maximum bytes processed before CHILD_SA gets closed.
                # life_bytes = rekey_bytes + 10%

                # Range of random bytes to subtract from rekey_bytes.
                # rand_bytes = life_bytes - rekey_bytes

                # Number of packets processed before initiating CHILD_SA
                # rekeying.
                # rekey_packets = 0

                # Maximum number of packets processed before CHILD_SA gets
                # closed.
                # life_packets = rekey_packets + 10%

                # Range of random packets to subtract from packets_bytes.
                # rand_packets = life_packets - rekey_packets

                # Updown script to invoke on CHILD_SA up and down events.
                # updown =

                # Hostaccess variable to pass to updown script.
                # hostaccess = no

                # IPsec Mode to establish (tunnel, transport, transport_proxy,
                # beet, pass or drop).
                # mode = tunnel

                # Whether to install IPsec policies or not.
                # policies = yes

                # Whether to install outbound FWD IPsec policies or not.
                # policies_fwd_out = no

                # Action to perform on DPD timeout (clear, trap or restart).
                # dpd_action = clear

                # Enable IPComp compression before encryption.
                # ipcomp = no

                # Timeout before closing CHILD_SA after inactivity.
                # inactivity = 0s

                # Fixed reqid to use for this CHILD_SA.
                # reqid = 0

                # Optional fixed priority for IPsec policies.
                # priority = 0

                # Optional interface name to restrict IPsec policies.
                # interface =

                # Netfilter mark and mask for input traffic.
                # mark_in = 0/0x00000000

                # Whether to set *mark_in* on the inbound SA.
                # mark_in_sa = no

                # Netfilter mark and mask for output traffic.
                # mark_out = 0/0x00000000

                # Netfilter mark applied to packets after the inbound IPsec SA
                # processed them.
                # set_mark_in = 0/0x00000000

                # Netfilter mark applied to packets after the outbound IPsec SA
                # processed them.
                # set_mark_out = 0/0x00000000

                # Inbound XFRM interface ID (32-bit unsigned integer).
                # if_id_in = 0

                # Outbound XFRM interface ID (32-bit unsigned integer).
                # if_id_out = 0

                # Optional security label (e.g. SELinux context), IKEv2 only.
                # Refer to label_mode for details on how labels are processed.
                # label =

                # Security label mode (system, simple or selinux), IKEv2 only.
                # label_mode = system

                # Traffic Flow Confidentiality padding.
                # tfc_padding = 0

                # IPsec replay window to configure for this CHILD_SA.
                # replay_window = 32

                # Enable hardware offload for this CHILD_SA, if supported by the
                # IPsec implementation.
                # hw_offload = no

                # Whether to copy the DF bit to the outer IPv4 header in tunnel
                # mode.
                # copy_df = yes

                # Whether to copy the ECN header field to/from the outer IP
                # header in tunnel mode.
                # copy_ecn = yes

                # Whether to copy the DSCP header field to/from the outer IP
                # header in tunnel mode.
                # copy_dscp = out

                # Action to perform after loading the configuration (none, trap,
                # start).
                # start_action = none

                # Action to perform after a CHILD_SA gets closed (none, trap,
                # start).
                # close_action = none

            # }

        # }

    # }

# }

# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {

    # EAP secret section for a specific secret.
    # eap<suffix> {

        # Value of the EAP/XAuth secret.
        # secret =

        # Identity the EAP/XAuth secret belongs to.
        # id<suffix> =

    # }

    # XAuth secret section for a specific secret.
    # xauth<suffix> {

    # }

    # NTLM secret section for a specific secret.
    # ntlm<suffix> {

        # Value of the NTLM secret.
        # secret =

        # Identity the NTLM secret belongs to.
        # id<suffix> =

    # }

    # IKE preshared secret section for a specific secret.
    # ike<suffix> {

        # Value of the IKE preshared secret.
        # secret =

        # IKE identity the IKE preshared secret belongs to.
        # id<suffix> =

    # }

    # Postquantum Preshared Key (PPK) section for a specific secret.
    # ppk<suffix> {

        # Value of the PPK.
        # secret =

        # PPK identity the PPK belongs to.
        # id<suffix> =

    # }

    # Private key decryption passphrase for a key in the private folder.
    # private<suffix> {

        # File name in the private folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for private key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the rsa folder.
    # rsa<suffix> {

        # File name in the rsa folder for which this passphrase should be used.
        # file =

        # Value of decryption passphrase for RSA key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the ecdsa folder.
    # ecdsa<suffix> {

        # File name in the ecdsa folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for ECDSA key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the pkcs8 folder.
    # pkcs8<suffix> {

        # File name in the pkcs8 folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for PKCS#8 key.
        # secret =

    # }

    # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
    # pkcs12<suffix> {

        # File name in the pkcs12 folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for PKCS#12 container.
        # secret =

    # }

    # Definition for a private key that's stored on a token/smartcard.
    # token<suffix> {

        # Hex-encoded CKA_ID of the private key on the token.
        # handle =

        # Optional slot number to access the token.
        # slot =

        # Optional PKCS#11 module name to access the token.
        # module =

        # Optional PIN required to access the key on the token. If none is
        # provided the user is prompted during an interactive --load-creds call.
        # pin =

    # }

# }

# Section defining named pools.
# pools {

    # Section defining a single pool with a unique name.
    # <name> {

        # Addresses allocated in pool.
        # addrs =

        # Comma separated list of additional attributes from type <attr>.
        # <attr> =

    # }

# }

# Section defining attributes of certification authorities.
# authorities {

    # Section defining a certification authority with a unique name.
    # <name> {

        # CA certificate belonging to the certification authority.
        # cacert =

        # Absolute path to the certificate to load.
        # file =

        # Hex-encoded CKA_ID of the CA certificate on a token.
        # handle =

        # Optional slot number of the token that stores the CA certificate.
        # slot =

        # Optional PKCS#11 module name.
        # module =

        # Comma-separated list of CRL distribution points.
        # crl_uris =

        # Comma-separated list of OCSP URIs.
        # ocsp_uris =

        # Defines the base URI for the Hash and URL feature supported by IKEv2.
        # cert_uri_base =

    # }

# }

# Include config snippets
include conf.d/*.conf




thanks
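Two different situations produce the same NO_PROPOSAL_CHOSEN on the wire. In miken32's log charon prints "received proposals" and "configured proposals" and then picks the overlap; in the log above it prints "no IKE config found for 192.168.10.200...5.90.77.85" and sends the Notify without ever comparing proposals, which is consistent with the fully commented swanctl.conf and the empty "Connections:" section. The triage script below is an added example, not from the thread or from strongSwan: it parses charon log lines, computes the proposal intersection the way strongSwan's default (configured order preferred) does for the simple single-algorithm-per-type case, and flags the three other symptoms visible in the log above (no matching connection, zero RADIUS servers, UDP_ENCAP unsupported). The algorithm-to-transform-type mapping is a heuristic by name prefix, and the sample lines are copied from the posts.

```python
"""Triage charon log lines around NO_PROPOSAL_CHOSEN.
Added example; sample lines are copied from miken32's and lirees' posts,
and alg_type() is a name-prefix heuristic, not strongSwan's own tables."""
import re

LOG_RE = re.compile(r"charon \d+\[(?P<group>\w+)\] (?:<[^>]*> )?(?P<msg>.*)$")

SAMPLE_OK = [   # miken32: proposals overlap, the SA comes up
    "2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256",
    "2023-03-15T20:44:38-06:00 Informational charon 11[CFG] <4> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
]
SAMPLE_FAIL = [  # lirees: charon never reaches the proposal comparison
    "2023-03-16T08:00:47 Informational charon 00[CFG] loaded 0 RADIUS server configurations",
    "2023-03-16T08:00:47 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available",
    "2023-03-16T08:01:07 Informational charon 16[IKE] no IKE config found for "
    "192.168.10.200...5.90.77.85, sending NO_PROPOSAL_CHOSEN",
]


def alg_type(alg):
    """Map a strongSwan algorithm name to its IKE transform type (heuristic)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"            # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, 3DES_CBC, ...


def parse_proposal(text):
    """'IKE:AES_CBC_256/HMAC_SHA2_256_128/...' -> {'encr': [...], 'integ': [...], ...}"""
    text = text.split(":", 1)[1] if ":" in text else text    # drop the IKE:/ESP: prefix
    algs = {}
    for alg in text.split("/"):
        algs.setdefault(alg_type(alg), []).append(alg)
    return algs


def match_proposals(received, configured):
    """First configured proposal overlapping a received one, reduced to the common
    algorithms in configured order; None if every pair differs in some transform."""
    for conf in configured:
        c = parse_proposal(conf)
        for recv in received:
            r = parse_proposal(recv)
            if set(c) != set(r):             # e.g. AEAD (no integ) vs CBC+HMAC shapes
                continue
            chosen = []
            for ttype in ("encr", "integ", "prf", "dh"):
                common = [a for a in c.get(ttype, []) if a in r.get(ttype, [])]
                if ttype in c and not common:
                    break
                chosen.extend(common[:1])
            else:
                return "/".join(chosen)
    return None


def triage(lines):
    """Return (cause, detail) findings for a batch of charon log lines."""
    received, configured, findings = [], [], []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("no IKE config found for "):
            peers = msg[len("no IKE config found for "):].split(",")[0]
            findings.append(("config", f"no loaded connection matches {peers}; NO_PROPOSAL_CHOSEN "
                             "was sent before any proposal was compared (check 'swanctl --list-conns')"))
        elif msg.startswith("received proposals: "):
            received = msg[len("received proposals: "):].split(", ")
        elif msg.startswith("configured proposals: "):
            configured = msg[len("configured proposals: "):].split(", ")
        elif msg == "loaded 0 RADIUS server configurations":
            findings.append(("radius", "eap-radius is loaded but no RADIUS server is configured"))
        elif "unable to set UDP_ENCAP: Protocol not available" in msg:
            findings.append(("kernel", "socket has no IPsec/UDP_ENCAP support; on FreeBSD check "
                             "with kldstat that the ipsec kernel module is loaded"))
    if received and configured:
        selected = match_proposals(received, configured)
        findings.append(("proposal", f"would select {selected}" if selected else
                         f"no overlap: received {received} vs configured {configured}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("working", SAMPLE_OK), ("failing", SAMPLE_FAIL)):
        print(name, triage(sample))
```

When the "config" finding appears, raising the log level and comparing proposals is wasted effort: the fix is to get a connection loaded (here, a swanctl.conf with an uncommented connections section, or whatever the web interface is supposed to render into it) and confirm it with `swanctl --list-conns` before touching Phase 1 algorithms. The proposal matcher covers the one-algorithm-per-type form shown in these logs; strongSwan proposals can list several algorithms of one type, and the code keeps the first common one in configured order for that case.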

Did you also check the "Enable IPsec" box? (VPN: IPsec: Tunnel Settings)

Sure... I've done more checks and it appears that the web interface configuration is not reported in the config file

i have add in the authentication the local user and add a Pre-Shared Keys but the file  /usr/local/etc/ipsec.secrets is empty

if i run ipsec statusall the configuration and  the cert is not reported

Status of IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64):
  uptime: 2 hours, since Mar 16 08:00:46 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  172.16.10.1
  192.168.10.200
  192.168.120.1
Connections:
Security Associations (0 up, 0 connecting):
  none

The result of the command must be something like this:

Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 12.3-STABLE, amd64):
  uptime: 7 days, since Mar 08 16:17:33 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon eap-radius unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  172.16.10.2
  192.168.10.200
  192.168.120.1
Connections:
      bypass:  %any...127.0.0.1  IKEv1/2
      bypass:   local:  uses any authentication
      bypass:   remote: uses any authentication
   bypasslan:   child:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
  con-mobile:  192.168.10.200...0.0.0.0/0, ::/0  IKEv2, dpddelay=10s
  con-mobile:   local:  [vpn.mydomain.com] uses public key authentication
  con-mobile:    cert:  "C=IT, ST=Italia, L=Nova Milanese, O=VM srl, E=admin@xxxxxxxxx.com, CN=office.xxxxxxxxx.com"
  con-mobile:   remote: [%any] uses EAP_RADIUS authentication with EAP identity '%any'
  con-mobile:   child:  172.16.10.0/24|/0 === dynamic TUNNEL, dpdaction=clear
Shunted Connections:
   bypasslan:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
Security Associations (0 up, 0 connecting):
  none

I could imagine that this is the reason:

Quote: P.S. Why doesn't the IPsec service start automatically? I need to run the command /usr/local/sbin/ipsec start from the shell to have the service up and running.

You should restart your box, disable and re-enable IPsec, and then check if the configuration is written to the file system.

Nothing to do.

1) I restarted the machine, disabling and re-enabling IPsec and saving: the service does not start and the configuration file is not written.

2) I deleted all the config, restarted the machine, configured the mobile clients section, created phase 1 and 2, enabled IPsec and saved: the service does not start and the configuration file is not written.

3) I deleted all the config, restarted the machine, in the mobile clients section only selected the authentication type "local user", enabled IPsec and saved: the service does not start and the configuration file is not written.

4) In System > Firmware I re-installed IPsec, in the mobile clients section only selected the authentication type "local user", enabled IPsec and saved: the service does not start and the configuration file is not written.

5) I created a new fresh installation with only the LAN and WAN interfaces configured in the wizard; in the mobile clients section I only selected the authentication type "local user", created phase 1 and 2 and left everything as default. Enabling IPsec and saving, the service does not start and the configuration file is not written!

I have found one other post in the forum that talks about IPsec not starting while the log and the config are empty:

https://forum.opnsense.org/index.php?topic=26682.0

Could you post the output of

ls -la /usr/local/etc/swanctl/

root@vpn:~ # ls -la /usr/local/etc/swanctl/
total 42
drwxr-xr-x  16 root  wheel     19 Mar 16 15:09 .
drwxr-xr-x  38 root  wheel    120 Mar 16 15:09 ..
drwxr-x---   2 root  wheel      2 Jan 23 04:10 bliss
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 conf.d
drwxr-x---   2 root  wheel      2 Jan 23 04:10 ecdsa
drwxr-x---   2 root  wheel      2 Jan 23 04:10 pkcs12
drwxr-x---   2 root  wheel      2 Jan 23 04:10 pkcs8
drwxr-x---   2 root  wheel      2 Jan 23 04:10 private
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 pubkey
-rw-r--r--   1 root  wheel     86 Mar 16 15:31 reqid_events.conf
drwxr-x---   2 root  wheel      2 Jan 23 04:10 rsa
-rw-r-----   1 root  wheel  16420 Mar  9 04:14 swanctl.conf
-rw-r-----   1 root  wheel  16420 Mar  9 04:14 swanctl.conf.sample
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 x509
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 x509aa
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 x509ac
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 x509ca
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 x509crl
drwxr-xr-x   2 root  wheel      2 Jan 25 11:23 x509ocsp

Looks good.

Are there any messages in
cat /var/log/configd/latest.log
?

When I try to start the service the only message is this, but the service does not start:

<13>1 2023-03-17T09:06:35+01:00 vpn.vmforbusiness.com configd.py 209 - [meta sequenceId="222"] [a76be5c3-7a08-4d36-8b82-8113a69675ad] IPsec service start
<13>1 2023-03-17T09:06:35+01:00 vpn.vmforbusiness.com configd.py 209 - [meta sequenceId="223"] [8aa0281c-0004-40db-a970-5d8f0a99bf6b] IPsec list legacy VirtualTunnelInterfaces
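The outputs quoted in this thread already separate the two failure modes: the listing shows swanctl.conf with the same size and timestamp as swanctl.conf.sample (i.e. still the stock, fully commented sample), and `ipsec statusall` lists no connections at all. The following POSIX shell helper, added here as an example and not part of OPNsense, strongSwan or any post in the thread, checks both in one pass: whether swanctl.conf contains an uncommented top-level `connections` block, and how many connections and SAs charon reports. The sample status texts are constructed from the outputs quoted above (trimmed); the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic helper for the situation in this thread (example code, not
# OPNsense or strongSwan code). Two checks:
#   1. does swanctl.conf carry an uncommented top-level "connections {" block
#      (a file consisting only of the shipped comments means nothing was
#      generated by the GUI), and
#   2. how many connections charon actually reports in `ipsec statusall`.

# True (exit 0) when the file has an uncommented "connections {" line.
has_connections_section() {
    grep -Eq '^[[:space:]]*connections[[:space:]]*\{' "$1"
}

# Reads `ipsec statusall` output on stdin and prints the number of distinct
# connection names listed between "Connections:" and the next section header.
count_connections() {
    awk '
        /^Connections:/          { in_conn = 1; next }
        /^Shunted Connections:/  { in_conn = 0 }
        /^Security Associations/ { in_conn = 0 }
        in_conn && $1 ~ /^[A-Za-z0-9_.-]+:$/ { names[$1] = 1 }
        END { n = 0; for (k in names) n++; print n }
    '
}

# Reads `ipsec statusall` output on stdin and prints "<up> <connecting>" taken
# from the "Security Associations (N up, M connecting):" line.
sa_counts() {
    sed -n 's/^Security Associations (\([0-9]*\) up, \([0-9]*\) connecting):.*/\1 \2/p'
}

# Combines both checks: prints a one-line verdict, returns 1 when nothing is
# loaded. Arguments: path to swanctl.conf, path to a saved `ipsec statusall`.
diagnose() {
    conf="$1"
    status_file="$2"
    if ! has_connections_section "$conf"; then
        echo "no uncommented 'connections' section in $conf: config was never generated"
        return 1
    fi
    n=$(count_connections < "$status_file")
    if [ "$n" -eq 0 ]; then
        echo "$conf defines connections but charon loaded none: try 'swanctl --load-all'"
        return 1
    fi
    echo "$n connection(s) loaded, SAs (up connecting): $(sa_counts < "$status_file")"
    return 0
}

# Constructed sample: the empty status quoted in the thread (trimmed).
STATUS_EMPTY='Status of IKE charon daemon (strongSwan 5.9.10, FreeBSD 13.1-RELEASE-p7, amd64):
Listening IP addresses:
  192.168.10.200
Connections:
Security Associations (0 up, 0 connecting):
  none'

# Constructed sample: the working status quoted in the thread (trimmed).
STATUS_OK='Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 12.3-STABLE, amd64):
Connections:
      bypass:  %any...127.0.0.1  IKEv1/2
      bypass:   local:  uses any authentication
   bypasslan:   child:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
  con-mobile:  192.168.10.200...0.0.0.0/0, ::/0  IKEv2, dpddelay=10s
  con-mobile:   local:  [vpn.mydomain.com] uses public key authentication
Shunted Connections:
   bypasslan:  172.16.10.0/24|/0 === 172.16.10.0/24|/0 PASS
Security Associations (0 up, 0 connecting):
  none'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$STATUS_EMPTY" | count_connections   # 0
printf '%s\n' "$STATUS_OK" | count_connections      # 3
```

On a real box, save the daemon output first (`ipsec statusall > /tmp/status.txt`) and run `diagnose /usr/local/etc/swanctl/swanctl.conf /tmp/status.txt`. A "config was never generated" verdict matches the symptom in this thread and is a GUI/configd problem, not a charon one; only the second verdict ("defines connections but charon loaded none") is worth a `swanctl --load-all`.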