VPN Remote-access login issue

Hi,

I have this config for a VPN using IPsec IKEv2 with certificates to validate the user.

set vpn ipsec options flexvpn

#Phase 1
set vpn ipsec esp-group ESP-RA lifetime '3600'
set vpn ipsec esp-group ESP-RA pfs 'disable'
set vpn ipsec esp-group ESP-RA proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-RA proposal 10 hash 'sha256'

#Phase 2
set vpn ipsec ike-group IKE-RA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RA lifetime '7200'
set vpn ipsec ike-group IKE-RA proposal 10 dh-group '19'
set vpn ipsec ike-group IKE-RA proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-RA proposal 10 hash 'sha256'

set vpn ipsec remote-access pool ra-ipv4 prefix '10.1.1.0/28'
set vpn ipsec remote-access connection ra authentication local-id 'vpn.skyones.co
set vpn ipsec remote-access connection ra authentication server-mode 'x509'
set vpn ipsec remote-access connection ra authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection ra authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection ra esp-group 'ESP-RA'
set vpn ipsec remote-access connection ra ike-group 'IKE-RA'
set vpn ipsec remote-access connection ra local-address 'x.x.x.x'
set vpn ipsec remote-access connection ra pool 'ra-ipv4'

This is my log:

Oct 23 12:36:38 VyOS-Main charon: 14[NET] <9694> received packet: from 172.10.20.213[500] to 190.25.74.132[500] (370 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[500] to 190.25.74.132[500] (370 bytes)
Oct 23 12:36:38 VyOS-Main charon: 14[ENC] <9694> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 23 12:36:38 VyOS-Main charon: 14[IKE] <9694> 172.10.20.213 is initiating an IKE_SA
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: 172.10.20.213 is initiating an IKE_SA
Oct 23 12:36:38 VyOS-Main charon: 14[CFG] <9694> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 23 12:36:38 VyOS-Main charon: 14[ENC] <9694> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]
Oct 23 12:36:38 VyOS-Main charon: 14[NET] <9694> sending packet: from 190.25.74.132[500] to 172.10.20.213[500] (293 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: sending packet: from 190.25.74.132[500] to 172.10.20.213[500] (293 bytes)
Oct 23 12:36:38 VyOS-Main charon: 12[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon: 12[ENC] <9694> parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 23 12:36:38 VyOS-Main charon: 12[ENC] <9694> received fragment #1 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #1 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon: 06[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon: 06[ENC] <9694> parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 23 12:36:38 VyOS-Main charon: 06[ENC] <9694> received fragment #2 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #2 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon: 02[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (544 bytes)
Oct 23 12:36:38 VyOS-Main charon: 02[ENC] <9694> parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 23 12:36:38 VyOS-Main charon: 02[ENC] <9694> received fragment #3 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #3 of 4, waiting for complete IKE message
Oct 23 12:36:38 VyOS-Main charon: 05[NET] <9694> received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (114 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[4500] to 190.25.74.132[4500] (114 bytes)
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> received fragment #4 of 4, reassembled fragmented IKE message (1559 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received fragment #4 of 4, reassembled fragmented IKE message (1559 bytes)
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> unknown attribute type INTERNAL_DNS_DOMAIN
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: unknown attribute type INTERNAL_DNS_DOMAIN
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <9694> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <9694> received end entity cert "C=CO, ST=CUN, L=BOG, O=SKYONES, CN=vpn.skyones.co
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received end entity cert "C=CO, ST=CUN, L=BOG, O=SKYONES, CN=vpn.skyones.co
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <9694> looking for peer configs matching 190.25.74.132[vpn.skyones.co]...172.10.20.213[172.10.20.213]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: looking for peer configs matching 190.25.74.132[vpn.skyones.co]...172.10.20.213[172.10.20.213]
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <ra-ra|9694> selected peer config 'ra-ra'
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: selected peer config 'ra-ra'
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> no trusted RSA public key found for '172.10.20.213'
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: no trusted RSA public key found for '172.10.20.213'
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> peer supports MOBIKE
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: peer supports MOBIKE
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <ra-ra|9694> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 23 12:36:38 VyOS-Main charon: 05[NET] <ra-ra|9694> sending packet: from 190.25.74.132[4500] to 172.10.20.213[4500] (65 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: sending packet: from 190.25.74.132[4500] to 172.10.20.213[4500] (65 bytes)

The PKCS#12 cert was created with ca_root and the private key. I validated the cert and it is OK.

Any ideas about what is wrong?
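The decisive lines in a charon log like the one above are the IKE_SA's "looking for peer configs matching ... IDr ... IDi" line, the "received end entity cert" line and the "no trusted RSA public key found for '<IDi>'" line: strongSwan logs the last one when no certificate chaining to a configured CA carries the identity the client claimed as IDi (in its subject DN or a subjectAltName). The script below is an added example, not part of the original post or of VyOS/strongSwan. It groups charon lines by IKE_SA number, extracts those facts, and reports the mismatch between the claimed identity and the presented certificate; the sample log is a constructed, trimmed copy of the lines in the post (the charon-systemd duplicates are left out, and since the log prints only the subject DN, the CN comparison is a heuristic that cannot see subjectAltNames).

```python
"""Triage strongSwan (charon) IKEv2 logs for a failed remote-access login.

Added example, not code from the original post or from VyOS/strongSwan.
Assumes the default charon log format shown in the post.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the charon lines from the post.
SAMPLE_LOG = """\
Oct 23 12:36:38 VyOS-Main charon: 14[NET] <9694> received packet: from 172.10.20.213[500] to 190.25.74.132[500] (370 bytes)
Oct 23 12:36:38 VyOS-Main charon-systemd[4969]: received packet: from 172.10.20.213[500] to 190.25.74.132[500] (370 bytes)
Oct 23 12:36:38 VyOS-Main charon: 14[IKE] <9694> 172.10.20.213 is initiating an IKE_SA
Oct 23 12:36:38 VyOS-Main charon: 14[CFG] <9694> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <9694> received end entity cert "C=CO, ST=CUN, L=BOG, O=SKYONES, CN=vpn.skyones.co"
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <9694> looking for peer configs matching 190.25.74.132[vpn.skyones.co]...172.10.20.213[172.10.20.213]
Oct 23 12:36:38 VyOS-Main charon: 05[CFG] <ra-ra|9694> selected peer config 'ra-ra'
Oct 23 12:36:38 VyOS-Main charon: 05[IKE] <ra-ra|9694> no trusted RSA public key found for '172.10.20.213'
Oct 23 12:36:38 VyOS-Main charon: 05[ENC] <ra-ra|9694> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "charon: <thread>[GROUP] <[config|]sa-number> message"; charon-systemd
# copies of the same events carry no SA number and are skipped.
LINE_RE = re.compile(r"charon: \d+\[(?P<group>\w+)\] <(?:[^|>]*\|)?(?P<sa>\d+)> (?P<msg>.*)$")

# Quotes are accepted as ASCII or typographic so pasted forum text still parses.
PATTERNS = {
    "peer": re.compile(r"^(?P<v>\S+) is initiating an IKE_SA$"),
    "proposal": re.compile(r"^selected proposal: (?P<v>.+)$"),
    "cert": re.compile(r"^received end entity cert [\"\u201c](?P<v>[^\"\u201d]+)"),
    "ids": re.compile(r"^looking for peer configs matching (?P<local>\S+?)\[(?P<idr>[^\]]*)\]"
                      r"(?:\.\.\.|\u2026)(?P<remote>\S+?)\[(?P<idi>[^\]]*)\]"),
    "config": re.compile(r"^selected peer config ['\u2018\u2019](?P<v>[^'\u2018\u2019]+)"),
    "no_key": re.compile(r"^no trusted (?P<alg>\w+) public key found for ['\u2018\u2019](?P<v>[^'\u2018\u2019]+)"),
    "auth_failed": re.compile(r"N\(AUTH_FAILED\)"),
}


def parse_charon_log(text):
    """Return {sa_number: facts} with the fields recognised by PATTERNS."""
    sas = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        facts, msg = sas[m.group("sa")], m.group("msg")
        for name, pat in PATTERNS.items():
            pm = pat.search(msg)
            if not pm:
                continue
            if name == "ids":
                facts.update(local_addr=pm["local"], idr=pm["idr"],
                             remote_addr=pm["remote"], idi=pm["idi"])
            elif name == "auth_failed":
                facts["auth_failed"] = True
            elif name == "no_key":
                facts["no_key_for"], facts["no_key_alg"] = pm["v"], pm["alg"]
            else:
                facts[name] = pm["v"]
    return dict(sas)


def subject_cn(subject_dn):
    """Pull the CN out of a DN string such as 'C=CO, ..., CN=vpn.skyones.co'."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject_dn or "")
    return m.group(1).strip() if m else None


def diagnose(facts):
    """Explain one IKE_SA's authentication failure as a list of findings."""
    findings = []
    if facts.get("no_key_for"):
        idi, cn = facts["no_key_for"], subject_cn(facts.get("cert"))
        findings.append(f"auth failed: no trusted {facts['no_key_alg']} key for IDi '{idi}'")
        # Heuristic: the log shows only the subject DN, not subjectAltNames.
        if cn and cn != idi:
            findings.append(f"IDi '{idi}' does not match presented cert CN '{cn}'")
        if cn and facts.get("idr") and cn == facts["idr"]:
            findings.append(f"presented cert carries the server's own identity '{cn}'")
    elif facts.get("auth_failed"):
        findings.append("auth failed (reason not captured)")
    return findings


def triage(text):
    """Map every failed IKE_SA in the log to its findings."""
    return {sa: diagnose(f) for sa, f in parse_charon_log(text).items() if diagnose(f)}


if __name__ == "__main__":
    for sa, findings in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}:")
        for line in findings:
            print("  -", line)
```

Run against the sample it reports, for SA 9694, that the client claimed IDi 172.10.20.213 while the certificate it presented is the one issued to vpn.skyones.co, which is the server's local-id; a user certificate whose subject or subjectAltName matches the identity the client sends, issued by ca_root, is what the responder is looking for.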

Hello,
Thanks for this info.
Best Regards
esther598
