Hello, I had a problem when I wanted to connect to my VPN provider (VyprVPN) using the IKEv2 protocol. I want to say right away that before that I had another VPN, namely ProtonVPN, with which there were no problems when connecting. I also want to send my configuration /etc/ipsec.conf and logs so that you can help me figure it out. Thanks in advance.
# Add connections here.
config setup
    charondebug="all"
    uniqueids=never

conn lan-passthrough
    leftsubnet=192.168.1.1/24
    rightsubnet=192.168.1.1/24
    authby=never
    type=pass
    auto=route

conn vyprvpn
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=none
    dpddelay=300s
    inactivity=3600s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256-aes128-sha256-sha1-modp3072-modp2048
    esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
    leftfirewall=yes
    left=192.168.1.1
    leftid=192.168.1.1
    leftsourceip=%config4
    leftsendcert=never
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    rightca=/etc/ipsec.d/cacerts/vypr.der
    right= VYPRVPN SERVER
    rightsendcert=never
    rightid=%any
    rightsubnet=0.0.0.0/0
    eap_identity="VYPRLOGIN"
    type=tunnel
    auto=add
SYSTEM LOG
root@OpenWrt:~# ipsec up vyprvpn
initiating IKE_SA a[2] to 128.90.96.26
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 128.90.96.26[500] (1132 bytes)
received packet: from 128.90.96.26[500] to 192.168.1.1[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_2048
initiating IKE_SA a[2] to 128.90.96.26
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 128.90.96.26[500] (1004 bytes)
received packet: from 128.90.96.26[500] to 192.168.1.1[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA a{2}
generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 128.90.96.26[4500] (348 bytes)
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/11) ]
received fragment #1 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/11) ]
received fragment #2 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/11) ]
received fragment #3 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/11) ]
received fragment #4 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(5/11) ]
received fragment #5 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(6/11) ]
received fragment #6 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(7/11) ]
received fragment #7 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(8/11) ]
received fragment #8 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(9/11) ]
received fragment #9 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(10/11) ]
received fragment #10 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (512 bytes)
parsed IKE_AUTH response 1 [ EF(11/11) ]
received fragment #11 of 11, reassembled fragmented IKE message (5308 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.26'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.1.1[4500] to 128.90.96.26[4500] (76 bytes)
establishing connection 'vyprvpn' failed
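The charon output above carries everything needed to read the failure: the peer rejected the first DH group and asked for MODP_2048, the IKE_SA then settled on an AES-128/HMAC-SHA1 proposal, the server presented a chain ending in an SSL.com root, and the client stopped with "no trusted RSA public key found for '128.90.96.26'". strongSwan prints that last line when it cannot bind a trusted certificate to the identity the peer authenticated as, which happens either when the chain's root is not loaded as a CA certificate or when that identity (here an IP address) is not among the names the certificate carries (here CN=*.vyprvpn.com). The script below is an added example written for this page, not code from the post, from strongSwan or from VyprVPN: it parses a constructed subset of the log lines quoted above into a summary and replays, in simplified form, the identity-versus-certificate-name check. The `identity_matches` function is an approximation (subject CN only, single-label wildcards, exact match for IP identities); real strongSwan matching also consults subjectAltName entries and the configured `rightid`.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample: a subset of the charon lines quoted in the post above.
SAMPLE_LOG = """\
initiating IKE_SA a[2] to 128.90.96.26
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_2048
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.26'
establishing connection 'vyprvpn' failed
"""


@dataclass
class IkeSummary:
    peer: Optional[str] = None                  # address the IKE_SA was initiated to
    dh_retry: Optional[Tuple[str, str]] = None  # (group offered, group the peer demanded)
    proposal: Optional[str] = None              # IKE proposal finally selected
    end_entity: Optional[str] = None            # subject DN of the peer's certificate
    issuers: List[str] = field(default_factory=list)  # issuer DNs, leaf-most first
    unmatched_identity: Optional[str] = None    # identity with no trusted key
    failed: bool = False


# One regex per charon message of interest; capture groups carry the fact.
RULES = [
    ("peer", re.compile(r"initiating IKE_SA \S+ to (\S+)")),
    ("dh_retry", re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")),
    ("proposal", re.compile(r"selected proposal: (\S+)")),
    ("end_entity", re.compile(r'received end entity cert "([^"]+)"')),
    ("issuer", re.compile(r'received issuer cert "([^"]+)"')),
    ("unmatched_identity", re.compile(r"no trusted \w+ public key found for '([^']+)'")),
    ("failed", re.compile(r"establishing connection '[^']+' failed")),
]


def parse_charon_log(text: str) -> IkeSummary:
    """Extract negotiation facts from charon output (ipsec up / syslog)."""
    s = IkeSummary()
    for line in text.splitlines():
        for key, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if key == "issuer":
                s.issuers.append(m.group(1))
            elif key == "dh_retry":
                s.dh_retry = (m.group(1), m.group(2))
            elif key == "failed":
                s.failed = True
            else:
                setattr(s, key, m.group(1))
    return s


def cert_identities(subject_dn: str) -> List[str]:
    """Names a subject DN offers for matching (simplified: CN only, no SANs)."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject_dn)
    return [m.group(1).strip()] if m else []


def identity_matches(peer_id: str, names: List[str]) -> bool:
    """Simplified IKE identity vs. certificate-name check: an IP identity matches
    only an identical IP name; a DNS identity matches an identical name or a
    single-label wildcard such as "*.example.com"."""
    try:
        ip_address(peer_id)
        is_ip = True
    except ValueError:
        is_ip = False
    host = peer_id.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if is_ip or not name.startswith("*."):
            continue
        suffix = name[1:]                                   # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        if label and "." not in label:                      # exactly one extra label
            return True
    return False


def diagnose(s: IkeSummary) -> List[str]:
    """Turn the summary into findings an operator can act on."""
    findings = []
    if s.unmatched_identity:
        names = cert_identities(s.end_entity or "")
        root = s.issuers[-1] if s.issuers else "unknown"
        if not identity_matches(s.unmatched_identity, names):
            findings.append(f"identity mismatch: peer authenticated as '{s.unmatched_identity}' "
                            f"but its certificate names {names}; rightid must name the cert")
        findings.append(f"trust check: chain root is '{root}'; it must be loaded as a CA cert")
    if s.proposal and "HMAC_SHA1" in s.proposal:
        findings.append("SHA-1 integrity/PRF negotiated; list sha256 first in ike=")
    if s.dh_retry:
        offered, wanted = s.dh_retry
        findings.append(f"extra IKE_SA_INIT round trip: {offered} rejected, peer wants {wanted}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_charon_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it against the log as pasted (`ipsec up vyprvpn 2>&1 | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the first finding is the one that matters for this post: the identity the peer authenticated as is an IP address, which a wildcard DNS name in the certificate cannot match, so the identity and CA settings on the client side are what to verify before anything else.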