Actions
Bug #15930
open
Mobile IPsec clients can't connect after gateway failover
Added by Danilo Zrenjanin 19 days ago. Updated 12 days ago.
Status:
Incomplete
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Force Exclusion
Affected Version:
Affected Architecture:
Description
If a gateway group is defined and selected as the Interface in the IPsec setup, connections will function properly while the primary gateway is operational. However, when the primary gateway fails and the secondary gateway takes over, mobile IPsec clients are unable to connect to the backup WAN until the IPsec service is manually stopped and restarted.
Following the gateway failover:
The file located at /var/etc/ipsec/strongswan.conf correctly reflects the backup WAN interface with interfaces_use = ix2.
The configuration file at /var/etc/ipsec/swanctl.conf accurately displays the local ID as local_addrs = 192.168.99.10.
Packet capture confirms that packets are arriving on the backup WAN interface.
Nevertheless, the Status > System Logs > IPsec section does not display any logs related to incoming connection attempts, and the client reports that there was no response on the server side.
Restarting the IPsec service on the firewall allows clients to seamlessly connect to the backup WAN without any issues.
The issue described at https://redmine.pfsense.org/issues/15685 may be related; however, the local_addrs parameter is now accurate.
Related issues
Updated by Danilo Zrenjanin 19 days ago
- Related to Bug #15685: Mobile IPsec does not automatically switch to failover gateway added
Updated by Danilo Zrenjanin 19 days ago
- Subject changed from Mobile IPsec clinets can't connect after gateway failover to Mobile IPsec clients can't connect after gateway failover
Updated by Marcos M 17 days ago
- Status changed from New to Incomplete
- Release Notes changed from Default to Force Exclusion
I'm not able to reproduce this. After the gateway failover, the IPsec logs show that the service loads with the correct listening address:
Dec 16 14:11:08 charon 10898 12[CFG] local_addrs = 192.168.1.253 Dec 16 14:11:08 charon 10898 12[CFG] remote_addrs = 0.0.0.0/0, ::/0
Oddly enough, the retransmit timeout for the client is not aborted:
Dec 16 14:11:24 charon 10898 12[IKE] <con-mobile-grouppool-1|2> sending keep alive to 172.58.111.216[21339] Dec 16 14:11:28 charon 10898 12[IKE] <con-mobile-grouppool-1|2> retransmit 4 of request with message ID 23 Dec 16 14:11:28 charon 10898 12[NET] <con-mobile-grouppool-1|2> sending packet: from 192.168.100.2[4500] to 172.58.111.216[21339] (57 bytes) Dec 16 14:11:47 charon 10898 12[IKE] <con-mobile-grouppool-1|2> sending keep alive to 172.58.111.216[21339] Dec 16 14:12:07 charon 10898 12[IKE] <con-mobile-grouppool-1|2> sending keep alive to 172.58.111.216[21339] Dec 16 14:12:10 charon 10898 12[IKE] <con-mobile-grouppool-1|2> retransmit 5 of request with message ID 23 Dec 16 14:12:10 charon 10898 12[NET] <con-mobile-grouppool-1|2> sending packet: from 192.168.100.2[4500] to 172.58.111.216[21339] (57 bytes) Dec 16 14:12:29 charon 10898 13[IKE] <con-mobile-grouppool-1|2> sending keep alive to 172.58.111.216[21339] Dec 16 14:12:49 charon 10898 13[IKE] <con-mobile-grouppool-1|2> sending keep alive to 172.58.111.216[21339]
After DDNS updates the domain with the failover WAN's address and the client sees the updated address, the client connects.
Updated by Danilo Zrenjanin 12 days ago
I conducted another test and obtained identical results.
The logs below indicate that client1 (192.168.33.12), who is directly connected to WAN1 (192.168.33.20), successfully established the connection.
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (256 bytes)
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS SUBNET U_DEFDOM) N(ESP_TFC_PAD_N) SA TSi TSr ]
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> CHILD_SA con-mobile{1} established with SPIs cb3a8c7c_i 07b7f459_o and TS 192.168.10.0/24|/0 === 10.3.200.1/32|/0
Dec 21 20:13:00 charon 33472 12[CFG] <con-mobile|2> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> maximum IKE_SA lifetime 28238s
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> scheduling rekeying in 25358s
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> IKE_SA con-mobile[2] established between 192.168.33.20[SecondaryClient.ipbgd.office]...192.168.33.12[192.168.33.12]
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> no virtual IP found for %any6 requested by 'danilo@netgare.com'
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> peer requested virtual IP %any6
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> assigning virtual IP 10.3.200.1 to peer 'danilo@netgare.com'
Dec 21 20:13:00 charon 33472 12[CFG] <con-mobile|2> assigning new lease to 'danilo@netgare.com'
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> peer requested virtual IP %any
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> authentication of 'SecondaryClient.ipbgd.office' (myself) with EAP
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> authentication of '192.168.33.12' with EAP successful
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> parsed IKE_AUTH request 5 [ AUTH ]
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> received packet: from 192.168.33.12[4500] to 192.168.33.20[4500] (112 bytes)
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (80 bytes)
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 4 [ EAP/SUCC ]
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> EAP method EAP_MSCHAPV2 succeeded, MSK established
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> received packet: from 192.168.33.12[4500] to 192.168.33.20[4500] (80 bytes)
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (144 bytes)
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> received packet: from 192.168.33.12[4500] to 192.168.33.20[4500] (160 bytes)
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (112 bytes)
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0x57)
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> received EAP identity 'danilo@netgare.com'
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> received packet: from 192.168.33.12[4500] to 192.168.33.20[4500] (96 bytes)
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (196 bytes)
Dec 21 20:13:00 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (1236 bytes)
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 1 [ EF(2/2) ]
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 1 [ EF(1/2) ]
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> splitting IKE message (1360 bytes) into 2 fragments
Dec 21 20:13:00 charon 33472 12[ENC] <con-mobile|2> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> sending end entity cert "CN=IPsecCert"
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> authentication of 'SecondaryClient.ipbgd.office' (myself) with RSA signature successful
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> peer supports MOBIKE, but disabled in config
Dec 21 20:13:00 charon 33472 12[IKE] <con-mobile|2> initiating EAP_IDENTITY method (id 0x00)
Dec 21 20:13:00 charon 33472 12[CFG] <con-mobile|2> selected peer config 'con-mobile'
Dec 21 20:13:00 charon 33472 12[CFG] <2> looking for peer configs matching 192.168.33.20[SecondaryClient.ipbgd.office]...192.168.33.12[192.168.33.12]
Dec 21 20:13:00 charon 33472 12[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
Dec 21 20:13:00 charon 33472 12[ENC] <2> unknown attribute type INTERNAL_DNS_DOMAIN
Dec 21 20:13:00 charon 33472 12[NET] <2> received packet: from 192.168.33.12[4500] to 192.168.33.20[4500] (400 bytes)
Dec 21 20:13:00 charon 33472 15[NET] <2> sending packet: from 192.168.33.20[500] to 192.168.33.12[500] (481 bytes)
Dec 21 20:13:00 charon 33472 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 21 20:13:00 charon 33472 15[IKE] <2> sending cert request for "CN=IPsecCA"
Dec 21 20:13:00 charon 33472 15[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 21 20:13:00 charon 33472 15[IKE] <2> 192.168.33.12 is initiating an IKE_SA
Dec 21 20:13:00 charon 33472 15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec 21 20:13:00 charon 33472 15[NET] <2> received packet: from 192.168.33.12[500] to 192.168.33.20[500] (548 bytes)
Dec 21 20:13:00 charon 33472 15[NET] <1> sending packet: from 192.168.33.20[500] to 192.168.33.12[500] (38 bytes)
Dec 21 20:13:00 charon 33472 15[ENC] <1> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 21 20:13:00 charon 33472 15[IKE] <1> DH group ECP_256 unacceptable, requesting MODP_2048
Dec 21 20:13:00 charon 33472 15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 21 20:13:00 charon 33472 15[IKE] <1> 192.168.33.12 is initiating an IKE_SA
Dec 21 20:13:00 charon 33472 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec 21 20:13:00 charon 33472 15[NET] <1> received packet: from 192.168.33.12[500] to 192.168.33.20[500] (356 bytes)
Here are the IPsec logs after removing the cable from the WAN1. The IPsec logs didn't indicate the update of the local_addrs.
Dec 21 20:19:38 charon 33472 04[NET] error writing to socket: Network is down Dec 21 20:19:38 charon 33472 11[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (80 bytes) Dec 21 20:19:38 charon 33472 11[IKE] <con-mobile|2> retransmit 4 of request with message ID 34 Dec 21 20:19:16 charon 33472 12[CFG] replaced vici connection: con-mobile-userpool-1 Dec 21 20:19:16 charon 33472 12[CFG] replaced vici connection: con-mobile Dec 21 20:19:16 charon 33472 12[CFG] updated vici connection: bypass Dec 21 20:19:16 charon 33472 15[CFG] updated vici pool mobile-userpool-1: 10.3.100.0, 254 entries Dec 21 20:19:16 charon 33472 15[CFG] updated vici pool mobile-pool-v4: 10.3.200.0, 254 entries Dec 21 20:19:16 charon 33472 05[CFG] loaded EAP shared key with id 'eap-2' for: 'macmini@netgate.com' Dec 21 20:19:16 charon 33472 05[CFG] loaded EAP shared key with id 'eap-1' for: 'danilo@netgare.com' Dec 21 20:19:16 charon 33472 05[CFG] loaded ANY private key Dec 21 20:19:16 charon 33472 13[CFG] loaded certificate 'CN=IPsecCA' Dec 21 20:19:16 charon 33472 14[CFG] loaded certificate 'CN=IPsecCert' Dec 21 20:19:16 charon 33472 05[CFG] loaded 0 RADIUS server configurations Dec 21 20:19:16 charon 33472 05[CFG] loaded 4 entries for attr plugin configuration Dec 21 20:19:16 charon 33472 05[CFG] ipseckey plugin is disabled Dec 21 20:19:14 charon 33472 04[NET] error writing to socket: Network is down Dec 21 20:19:14 charon 33472 05[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (80 bytes) Dec 21 20:19:14 charon 33472 05[IKE] <con-mobile|2> retransmit 3 of request with message ID 34 Dec 21 20:19:01 charon 33472 04[NET] error writing to socket: Network is down Dec 21 20:19:01 charon 33472 05[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (80 bytes) Dec 21 20:19:01 charon 33472 05[IKE] <con-mobile|2> retransmit 2 of request with message ID 34 Dec 21 20:18:54 charon 33472 04[NET] error writing to socket: Network is down Dec 21 20:18:54 charon 33472 05[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (80 bytes) Dec 21 20:18:54 charon 33472 05[IKE] <con-mobile|2> retransmit 1 of request with message ID 34 Dec 21 20:18:50 charon 33472 04[NET] error writing to socket: Network is down
However, the/var/etc/ipsec/swanctl.conf file reflected the updated local_addres = 192.168.99.10
con-mobile-defaults {
fragmentation = yes
unique = replace
version = 2
proposals = aes256gcm128-sha256-modp4096,aes256gcm128-sha256-modp1024,aes256-sha256-modp2048,aes256-sha1-modp2048
dpd_delay = 10s
rekey_time = 25920s
reauth_time = 0s
over_time = 2880s
rand_time = 2880s
encap = no
mobike = no
local_addrs = 192.168.99.10
remote_addrs = 0.0.0.0/0,::/0
pools = mobile-pool-v4
send_cert = always
local {
When attempting to establish a connection to WAN2 (192.168.99.10) from client2 (192.168.99.201), who is directly connected, the connection fails with the error message on the client: "The VPN server didn't respond." No new IPsec logs were generated under Status > System > Logs > IPsec. However, UDP packets on port 500 from client2 to WAN2 were captured, and the IPsec service was confirmed to be running.
After restarting the IPsec service, client2 successfully connected without any issues.
Dec 21 20:37:22 charon 42445 01[ENC] <con-mobile|1> parsed INFORMATIONAL response 2 [ ]
Dec 21 20:37:22 charon 42445 01[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (64 bytes)
Dec 21 20:37:22 charon 42445 01[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (57 bytes)
Dec 21 20:37:22 charon 42445 01[ENC] <con-mobile|1> generating INFORMATIONAL request 2 [ ]
Dec 21 20:37:22 charon 42445 01[IKE] <con-mobile|1> sending DPD request
Dec 21 20:36:51 charon 42445 06[ENC] <con-mobile|1> parsed INFORMATIONAL response 1 [ ]
Dec 21 20:36:51 charon 42445 06[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (64 bytes)
Dec 21 20:36:51 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (57 bytes)
Dec 21 20:36:51 charon 42445 06[ENC] <con-mobile|1> generating INFORMATIONAL request 1 [ ]
Dec 21 20:36:51 charon 42445 06[IKE] <con-mobile|1> sending DPD request
Dec 21 20:36:41 charon 42445 06[ENC] <con-mobile|1> parsed INFORMATIONAL response 0 [ ]
Dec 21 20:36:41 charon 42445 06[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (64 bytes)
Dec 21 20:36:41 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (57 bytes)
Dec 21 20:36:41 charon 42445 06[ENC] <con-mobile|1> generating INFORMATIONAL request 0 [ ]
Dec 21 20:36:41 charon 42445 06[IKE] <con-mobile|1> sending DPD request
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (249 bytes)
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS SUBNET U_DEFDOM) N(ESP_TFC_PAD_N) SA TSi TSr ]
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> CHILD_SA con-mobile{1} established with SPIs c965182f_i 0a1a30b7_o and TS 192.168.10.0/24|/0 === 10.3.200.1/32|/0
Dec 21 20:36:31 charon 42445 06[CFG] <con-mobile|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> maximum IKE_SA lifetime 26409s
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> scheduling rekeying in 23529s
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> IKE_SA con-mobile[1] established between 192.168.99.10[secondaryclient.ipbgd.office]...192.168.99.201[192.168.99.201]
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> no virtual IP found for %any6 requested by 'macmini@netgate.com'
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> peer requested virtual IP %any6
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> assigning virtual IP 10.3.200.1 to peer 'macmini@netgate.com'
Dec 21 20:36:31 charon 42445 06[CFG] <con-mobile|1> assigning new lease to 'macmini@netgate.com'
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> peer requested virtual IP %any
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> authentication of 'secondaryclient.ipbgd.office' (myself) with EAP
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> authentication of '192.168.99.201' with EAP successful
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> parsed IKE_AUTH request 5 [ AUTH ]
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (104 bytes)
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (65 bytes)
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 4 [ EAP/SUCC ]
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> EAP method EAP_MSCHAPV2 succeeded, MSK established
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (72 bytes)
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (134 bytes)
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (144 bytes)
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (97 bytes)
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> initiating EAP_MSCHAPV2 method (id 0x6F)
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> received EAP identity 'macmini@netgate.com'
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (88 bytes)
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (164 bytes)
Dec 21 20:36:31 charon 42445 06[NET] <con-mobile|1> sending packet: from 192.168.99.10[4500] to 192.168.99.201[4500] (1248 bytes)
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 1 [ EF(2/2) ]
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 1 [ EF(1/2) ]
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> splitting IKE message (1347 bytes) into 2 fragments
Dec 21 20:36:31 charon 42445 06[ENC] <con-mobile|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> sending end entity cert "CN=IPsecCert"
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> authentication of 'secondaryclient.ipbgd.office' (myself) with RSA signature successful
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> peer supports MOBIKE, but disabled in config
Dec 21 20:36:31 charon 42445 06[IKE] <con-mobile|1> initiating EAP_IDENTITY method (id 0x00)
Dec 21 20:36:31 charon 42445 06[CFG] <con-mobile|1> selected peer config 'con-mobile'
Dec 21 20:36:31 charon 42445 06[CFG] <1> looking for peer configs matching 192.168.99.10[secondaryclient.ipbgd.office]...192.168.99.201[192.168.99.201]
Dec 21 20:36:31 charon 42445 06[IKE] <1> received 2 cert requests for an unknown ca
Dec 21 20:36:31 charon 42445 06[IKE] <1> received cert request for "CN=IPsecCA"
Dec 21 20:36:31 charon 42445 06[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Dec 21 20:36:31 charon 42445 06[ENC] <1> unknown attribute type INTERNAL_DNS_DOMAIN
Dec 21 20:36:31 charon 42445 06[NET] <1> received packet: from 192.168.99.201[4500] to 192.168.99.10[4500] (416 bytes)
Dec 21 20:36:31 charon 42445 06[NET] <1> sending packet: from 192.168.99.10[500] to 192.168.99.201[500] (729 bytes)
Dec 21 20:36:31 charon 42445 06[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 21 20:36:31 charon 42445 06[IKE] <1> sending cert request for "CN=IPsecCA"
Dec 21 20:36:31 charon 42445 06[CFG] <1> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096
Dec 21 20:36:31 charon 42445 06[IKE] <1> 192.168.99.201 is initiating an IKE_SA
Dec 21 20:36:31 charon 42445 06[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec 21 20:36:31 charon 42445 06[NET] <1> received packet: from 192.168.99.201[500] to 192.168.99.10[500] (680 bytes)
Dec 21 20:35:53 charon 42445 12[CFG] added vici connection: con-mobile-userpool-1
Dec 21 20:35:53 charon 42445 12[CFG] added vici connection: con-mobile
Dec 21 20:35:53 charon 42445 13[CFG] installing 'bypasslan'
Dec 21 20:35:53 charon 42445 13[CFG] added vici connection: bypass
Dec 21 20:35:53 charon 42445 13[CFG] added vici pool mobile-userpool-1: 10.3.100.0, 254 entries
Dec 21 20:35:53 charon 42445 14[CFG] added vici pool mobile-pool-v4: 10.3.200.0, 254 entries
Dec 21 20:35:53 charon 42445 01[CFG] loaded EAP shared key with id 'eap-2' for: 'macmini@netgate.com'
Dec 21 20:35:53 charon 42445 01[CFG] loaded EAP shared key with id 'eap-1' for: 'danilo@netgare.com'
Dec 21 20:35:53 charon 42445 15[CFG] loaded ANY private key
Dec 21 20:35:53 charon 42445 15[CFG] loaded certificate 'CN=IPsecCA'
Dec 21 20:35:53 charon 42445 15[CFG] loaded certificate 'CN=IPsecCert'
Dec 21 20:35:52 charon 42445 00[LIB] loaded plugins: charon unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey ipseckey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Dec 21 20:35:52 charon 42445 00[CFG] loaded 0 RADIUS server configurations
Dec 21 20:35:52 charon 42445 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Dec 21 20:35:52 charon 42445 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Dec 21 20:35:52 charon 42445 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Dec 21 20:35:52 charon 42445 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 21 20:35:52 charon 42445 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 21 20:35:52 charon 42445 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 21 20:35:52 charon 42445 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 21 20:35:52 charon 42445 00[CFG] ipseckey plugin is disabled
Dec 21 20:35:52 charon 42445 00[CFG] using '/sbin/resolvconf' to install DNS servers
Dec 21 20:35:52 charon 42445 00[LIB] providers loaded by OpenSSL: legacy default
Dec 21 20:35:52 charon 42445 00[CFG] PKCS11 module '<name>' lacks library path
Dec 21 20:35:52 charon 42445 00[DMN] Starting IKE charon daemon (strongSwan 5.9.14, FreeBSD 15.0-CURRENT, amd64)
Dec 21 20:35:44 charon 33472 00[DMN] SIGTERM received, shutting down
Dec 21 20:21:35 charon 33472 12[CFG] <con-mobile|2> lease 10.3.200.1 by 'danilo@netgare.com' went offline
Dec 21 20:21:35 charon 33472 12[IKE] <con-mobile|2> giving up after 5 retransmits
Dec 21 20:20:20 charon 33472 04[NET] error writing to socket: Network is down
Dec 21 20:20:20 charon 33472 12[NET] <con-mobile|2> sending packet: from 192.168.33.20[4500] to 192.168.33.12[4500] (80 bytes)
Dec 21 20:20:20 charon 33472 12[IKE] <con-mobile|2> retransmit 5 of request with message ID 34
Actions