Hi,
I have this config for a VPN (IPsec IKEv2) that uses a certificate to validate the user.
set vpn ipsec options flexvpn
# Phase 2 (ESP / child SA)
set vpn ipsec esp-group ESP-RA lifetime '3600'
set vpn ipsec esp-group ESP-RA pfs 'disable'
set vpn ipsec esp-group ESP-RA proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-RA proposal 10 hash 'sha256'
# Phase 1 (IKE SA)
set vpn ipsec ike-group IKE-RA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RA lifetime '7200'
set vpn ipsec ike-group IKE-RA proposal 10 dh-group '19'
set vpn ipsec ike-group IKE-RA proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-RA proposal 10 hash 'sha256'
set vpn ipsec remote-access pool ra-ipv4 prefix '10.1.1.0/28'
set vpn ipsec remote-access connection ra authentication local-id 'vpn.skyones.co'
set vpn ipsec remote-access connection ra authentication server-mode 'x509'
set vpn ipsec remote-access connection ra authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection ra authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection ra esp-group 'ESP-RA'
set vpn ipsec remote-access connection ra ike-group 'IKE-RA'
set vpn ipsec remote-access connection ra local-address 'x.x.x.x'
set vpn ipsec remote-access connection ra pool 'ra-ipv4'
This is my log:
Oct 23 12:36:38 VyOS-Main charon: 14[NET] <9694> received packet: from 172.10.20.213[500] to 190.25.74.132[500] (370 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[500] to 190.25.74.132[500] (370 bytes)
Oct 23 12:36:38 VyOS-Main charon: 14[ENC] <9694> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 23 12:36:38 VyOS-Main charon: 14[IKE] <9694> 172.10.20.213 is initiating an IKE_SA
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: 172.10.20.213 is initiating an IKE_SA
Oct 23 12:36:38 VyOS-Main charon: 14[CFG] <9694> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 23 12:36:38 VyOS-Main charon: 14[ENC] <9694> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]
Oct 23 12:36:38 VyOS-Main charon: 14[NET] <9694> sending packet: from 190.25.74.132[500] to 172.10.20.213[500] (293 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: sending packet: from 190.25.74.132[500] to 172.10.20.213[500] (293 bytes)
Oct 23 12:36:38 VyOS-Main charon: 12[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon: 12[ENC] <9694> parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 23 12:36:38 VyOS-Main charon: 12[ENC] <9694> received fragment #1 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #1 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon: 06[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon: 06[ENC] <9694> parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 23 12:36:38 VyOS-Main charon: 06[ENC] <9694> received fragment #2 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #2 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon: 02[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon: 02[ENC] <9694> parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 23 12:36:38 VyOS-Main charon: 02[ENC] <9694> received fragment #3 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #3 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon: 05[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (114 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (114 bytes)
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> received fragment #4 of 4, reassembled fragmented IKE message (1559 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #4 of 4, reassembled fragmented IKE message (1559 bytes)
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> unknown attribute type INTERNAL_DNS_DOMAIN
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: unknown attribute type INTERNAL_DNS_DOMAIN
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <9694> received end entity cert "C=CO, ST=CUN, L=BOG, O=SKYONES, CN=vpn.skyones.co"
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received end entity cert "C=CO, ST=CUN, L=BOG, O=SKYONES, CN=vpn.skyones.co"
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <9694> looking for peer configs matching 190.25.74.132[vpn.skyones.co]...172.10.20.213[172.10.20.213]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: looking for peer configs matching 190.25.74.132[vpn.skyones.co]...172.10.20.213[172.10.20.213]
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <ra-ra|9694> selected peer config 'ra-ra'
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: selected peer config 'ra-ra'
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> no trusted RSA public key found for '172.10.20.213'
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: no trusted RSA public key found for '172.10.20.213'
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> peer supports MOBIKE
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: peer supports MOBIKE
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <ra-ra|9694> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 23 12:36:38 VyOS-Main charon: 05[NET] <ra-ra|9694> sending packet: from 190.25.74.132[4500] to 172.10.20.213[4500] (65 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: sending packet: from 190.25.74.132[4500] to 172.10.20.213[4500] (65 bytes)
The cert (PKCS#12) was created with ca_root and the private key. I validated the cert and it is OK.
Any ideas about what is wrong?
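An added triage helper for this kind of log (not VyOS or strongSwan code, and not from the poster): it reads the decisive charon lines from an IKE_AUTH exchange and reports which identity/certificate check failed. strongSwan binds a peer's asserted IKE identity (IDi, here 172.10.20.213) to a trusted key only when that identity equals the presented certificate's subject DN or one of its subjectAltName entries and the certificate chains to the configured CA; "no trusted RSA public key found for '...'" followed by N(AUTH_FAILED) is what that check prints when it fails. SAMPLE_LOG is constructed from the lines quoted in the post. The charon log shows only the subject DN, so the optional `sans` argument is an assumption: the operator supplies SAN values read from the client certificate (for example with `openssl x509 -noout -ext subjectAltName`).

```python
"""
Triage of a charon (strongSwan) IKEv2 x509 remote-access AUTH_FAILED.

Pulls the identity and certificate facts out of charon log lines and
reports which authentication check failed. Not VyOS/strongSwan code.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the decisive lines from the post, charon logger only.
SAMPLE_LOG = """\
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <9694> received end entity cert "C=CO, ST=CUN, L=BOG, O=SKYONES, CN=vpn.skyones.co"
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <9694> looking for peer configs matching 190.25.74.132[vpn.skyones.co]...172.10.20.213[172.10.20.213]
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <ra-ra|9694> selected peer config 'ra-ra'
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> no trusted RSA public key found for '172.10.20.213'
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <ra-ra|9694> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Forum rendering turns ASCII quotes into curly ones, so both forms are accepted.
RE_CERT = re.compile(r'received end entity cert ["\u201c](?P<dn>[^"\u201d]+)["\u201d]')
RE_PEERS = re.compile(
    r'looking for peer configs matching '
    r'(?P<laddr>[^\s\[]+)\[(?P<lid>[^\]]+)\](?:\.\.\.|\u2026)'
    r'(?P<raddr>[^\s\[]+)\[(?P<rid>[^\]]+)\]')
RE_NOKEY = re.compile(r"no trusted \S+ public key found for ['\u2018](?P<id>[^'\u2019]+)['\u2019]")
RE_AUTHFAIL = re.compile(r'generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]')


@dataclass
class AuthTrace:
    peer_cert_dn: Optional[str] = None   # subject DN of the cert the peer sent
    local_id: Optional[str] = None       # our IKE identity (local-id)
    peer_id: Optional[str] = None        # identity the peer asserted (IDi)
    no_key_for: Optional[str] = None     # identity charon could not bind to a trusted key
    auth_failed: bool = False


def parse_charon_log(text: str) -> AuthTrace:
    """Collect the identity/certificate facts from one IKE_AUTH exchange."""
    t = AuthTrace()
    for line in text.splitlines():
        if m := RE_CERT.search(line):
            t.peer_cert_dn = m["dn"]
        elif m := RE_PEERS.search(line):
            t.local_id, t.peer_id = m["lid"], m["rid"]
        elif m := RE_NOKEY.search(line):
            t.no_key_for = m["id"]
        elif RE_AUTHFAIL.search(line):
            t.auth_failed = True
    return t


def parse_dn(dn: str) -> Dict[str, str]:
    """'C=CO, ST=CUN, ..., CN=x' -> {'C': 'CO', ..., 'CN': 'x'} (simple DNs only)."""
    return dict(part.split("=", 1) for part in dn.split(", "))


def identity_matches_cert(identity: str, subject_dn: str, sans: Iterable[str]) -> bool:
    """strongSwan's rule: the asserted identity must be the subject DN or a SAN."""
    return identity == subject_dn or identity in set(sans)


def diagnose(t: AuthTrace, sans: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for every problem visible in the trace."""
    findings: List[Tuple[str, str]] = []
    if t.peer_cert_dn and t.peer_id:
        if not identity_matches_cert(t.peer_id, t.peer_cert_dn, sans):
            findings.append(("ID_NOT_IN_CERT",
                f"peer asserted identity '{t.peer_id}' but its certificate subject is "
                f"'{t.peer_cert_dn}' and no supplied SAN carries that identity"))
        if t.local_id and parse_dn(t.peer_cert_dn).get("CN") == t.local_id:
            findings.append(("CERT_CN_IS_SERVER_ID",
                f"the certificate the peer presented has CN={t.local_id}, which is the "
                "server's own local-id; a client should present its own end-entity certificate"))
    if t.no_key_for:
        findings.append(("NO_TRUSTED_KEY",
            f"charon found no trusted key for '{t.no_key_for}': the presented certificate "
            "either does not carry that identity or does not chain to the configured CA"))
    if t.auth_failed and not findings:
        findings.append(("AUTH_FAILED", "IKE_AUTH failed for a reason outside the parsed lines"))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(parse_charon_log(SAMPLE_LOG)):
        print(f"{code}: {why}")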