IKEv2 connection failed

Hello, I had a problem when I wanted to connect to my VPN provider (VyprVPN) using the IKEv2 protocol. I want to say right away that before that I had another VPN, namely ProtonVPN, with which there were no problems connecting. I am also attaching my configuration /etc/ipsec.conf and logs so that you can help me figure it out. Thanks in advance.

# Add connections here.
config setup
        charondebug="all"
        uniqueids=never

conn lan-passthrough
        leftsubnet=192.168.1.1/24
        rightsubnet=192.168.1.1/24
        authby=never
        type=pass
        auto=route

conn vyprvpn
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=3600s
        rekey=no
        forceencaps=yes
        authby=secret
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048
        esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
        leftfirewall=yes
        left=192.168.1.1
        leftid=192.168.1.1
        leftsourceip=%config4
        leftsendcert=never
        leftauth=eap-mschapv2
        rightfirewall=yes
        rightauth=pubkey
        rightca=/etc/ipsec.d/cacerts/vypr.der
        right=VYPRVPN SERVER
        rightsendcert=never
        rightid=%any
        rightsubnet=0.0.0.0/0
        eap_identity="VYPRLOGIN"
        type=tunnel
        auto=add

SYSTEM LOG

root@OpenWrt:~# ipsec up vyprvpn
initiating IKE_SA a[2] to 128.90.96.26
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 128.90.96.26[500] (1132 bytes)
received packet: from 128.90.96.26[500] to 192.168.1.1[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_2048
initiating IKE_SA a[2] to 128.90.96.26
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 128.90.96.26[500] (1004 bytes)
received packet: from 128.90.96.26[500] to 192.168.1.1[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA a{2}
generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 128.90.96.26[4500] (348 bytes)
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/11) ]
received fragment #1 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/11) ]
received fragment #2 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/11) ]
received fragment #3 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/11) ]
received fragment #4 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(5/11) ]
received fragment #5 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(6/11) ]
received fragment #6 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(7/11) ]
received fragment #7 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(8/11) ]
received fragment #8 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(9/11) ]
received fragment #9 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(10/11) ]
received fragment #10 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (512 bytes)
parsed IKE_AUTH response 1 [ EF(11/11) ]
received fragment #11 of 11, reassembled fragmented IKE message (5308 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.26'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.1.1[4500] to 128.90.96.26[4500] (76 bytes)
establishing connection 'vyprvpn' failed

Looks like it didn't like the wildcard cert *.vyprvpn.com

Any ideas how this can be fixed? And yes, everything is fine with the certificate, because after running the "ipsec listcacerts" command it shows that the certificate is loaded.

List of X.509 CA Certificates
  subject:  "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=goldenfrog email"
  issuer:   "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=goldenfrog email"
  validity:  not before Oct 17 23:14:10 2019, ok
             not after  Jan 19 06:14:07 2038, ok (expires in 6121 days)
  serial:    xx:xx:xx:xx:xx:xx:xx:xx
  flags:     CA CRLSign self-signed
  authkeyId: xx:47:d0:bc:17:76:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
  subjkeyId: xx:47:d0:bc:17:76:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
  pubkey:    RSA 4096 bits
  keyid:     xx:87:f1:c4:3c:14:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
  subjkey:   xx:47:d0:bc:17:76:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
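A small triage helper, added here as an illustration and not code from any post in this thread or from strongSwan itself: it reads charon lines like the ones in the log above, together with the subject DN that `ipsec listcacerts` printed for the CA configured as rightca, and states what each failure line implies (DH group retry, chain not anchored at the configured CA, identity looked up by IP). The sample log and CA subject are constructed from the output quoted above; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: a trimmed copy of the charon lines quoted in the
# thread, plus the subject DN that `ipsec listcacerts` printed for the CA
# configured as rightca (e-mail attribute omitted).
SAMPLE_LOG = """\
initiating IKE_SA vyprvpn[2] to 128.90.96.26
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_2048
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.26'
establishing connection 'vyprvpn' failed
"""
CONFIGURED_CA = "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA"

DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
EE_RE = re.compile(r'received end entity cert "([^"]+)"')
ISSUER_RE = re.compile(r'received issuer cert "([^"]+)"')
NOKEY_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_charon(log: str) -> Dict[str, object]:
    """Collect the facts an IKE_AUTH failure turns on from charon output."""
    facts: Dict[str, object] = {"dh_rejected": [], "end_entity": None,
                                "issuers": [], "untrusted_peer": None}
    for line in log.splitlines():
        if m := DH_RE.search(line):        # (group offered, group requested)
            facts["dh_rejected"].append((m.group(1), m.group(2)))
        elif m := EE_RE.search(line):      # subject DN of the peer's leaf cert
            facts["end_entity"] = m.group(1)
        elif m := ISSUER_RE.search(line):  # issuer DNs in the order sent
            facts["issuers"].append(m.group(1))
        elif m := NOKEY_RE.search(line):   # identity with no trusted key
            facts["untrusted_peer"] = m.group(1)
    return facts


def triage(log: str, configured_ca: str) -> Dict[str, object]:
    """Turn the parsed facts into the checks a practitioner would make next."""
    facts = parse_charon(log)
    findings: List[str] = []
    for offered, requested in facts["dh_rejected"]:
        findings.append(
            f"DH: peer rejected {offered} and asked for {requested}; charon sends "
            f"the first group in ike= as KE, so list {requested} first to avoid the retry")
    peer = facts["untrusted_peer"]
    if peer:
        issuers = facts["issuers"]
        if issuers and configured_ca not in issuers:
            findings.append(
                f"CA: presented chain roots at '{issuers[-1]}', which is not the "
                f"configured rightca '{configured_ca}'; rightca= is only satisfied "
                "by a chain that ends at that CA")
        elif not issuers:
            findings.append("CA: peer sent only its end-entity cert, so its issuer "
                            "must already be in /etc/ipsec.d/cacerts")
        if facts["end_entity"] and IPV4_RE.match(peer):
            findings.append(
                f"ID: the identity looked up was the address {peer}; cert "
                f"'{facts['end_entity']}' matches only if it carries that IP as a "
                "subjectAltName, so rightid= should name what the cert contains")
    facts["findings"] = findings
    return facts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, CONFIGURED_CA)["findings"]:
        print(finding)
```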

You should probably redact that email address.

Sorry, I did not understand in what sense to edit, and where? If it is in the post, no problem, but if it is in OpenWrt itself, then problems may arise, since I do not know how to edit certificates.

In your post.

I just mean you (probably) shouldn't expose your email address(es) to the internet.
It has nothing to do with the issue at hand.


I'm sorry, I didn't notice that I was spreading it. It's not mine anyway and is in the public domain :). Well, thanks for the notice.


Check this out: https://serverfault.com/questions/850832/how-to-use-wildcard-certificate-with-ikev2-on-strongswan

I did everything as it was written in those instructions, namely adding

        left=%any
        leftid=@*.example.com
        leftcert=star_example_com.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0

but the result is the same. I hope for your help. I am also sending my logs and ipsec.conf, as I'm not sure I did everything correctly.

# Add connections here.

config setup
        charondebug="all"
        uniqueids=never

conn lan-passthrough
        leftsubnet=192.168.1.1/24
        rightsubnet=192.168.1.1/24
        authby=never
        type=pass
        auto=route

conn a
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=3600s
        rekey=no
        forceencaps=yes
        authby=secret
        ike=aes256gcm16-prfsha384-ecp521
        esp=aes256-sha256
        left=%any
        leftid=@*.vyprvpn.com
        leftcert=ca_vyprvpn_com.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftsourceip=%config4
        leftauth=eap-mschapv2
        rightfirewall=yes
        rightauth=pubkey
        rightca=/etc/ipsec.d/cacerts/ca.vyprvpn.com.crt
        right=VYPRVPN SERVER
        rightsendcert=never
        rightid=%any
        rightsubnet=0.0.0.0/0
        eap_identity="VYPRLOGIN"
        type=tunnel
        auto=add

SYSTEM LOG

root@OpenWrt:~# ipsec up a
initiating IKE_SA a[2] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (836 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_521, it requested MODP_2048
initiating IKE_SA a[2] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (960 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
root@OpenWrt:~# ipsec up a
initiating IKE_SA a[3] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (836 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_521, it requested MODP_2048
initiating IKE_SA a[3] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (960 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA a{3}
generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 100.110.159.55[4500] to 128.90.96.54[4500] (364 bytes)
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/11) ]
received fragment #1 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/11) ]
received fragment #2 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/11) ]
received fragment #3 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/11) ]
received fragment #4 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(5/11) ]
received fragment #5 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(6/11) ]
received fragment #6 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(7/11) ]
received fragment #7 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(8/11) ]
received fragment #8 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(9/11) ]
received fragment #9 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(10/11) ]
received fragment #10 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (512 bytes)
parsed IKE_AUTH response 1 [ EF(11/11) ]
received fragment #11 of 11, reassembled fragmented IKE message (5308 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.54'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 100.110.159.55[4500] to 128.90.96.54[4500] (76 bytes)
establishing connection 'a' failed

Maybe it's because I don't have all strongSwan files installed? Namely, I installed

opkg install strongswan-default strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-uci strongswan-mod-eap-mschapv2 strongswan-mod-eap-identity

I cannot install all the strongSwan packages as I have no space for them (my router has a small amount of RAM). If that is the cause, can you tell me which package is missing?

After adding "rightid=@ro1.vpn.goldenfrog.com" I got a new error, "parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] received AUTHENTICATION_FAILED notify error", which is better than nothing. Any ideas why this error appeared? I checked "/etc/ipsec.secrets" several times for errors but found nothing. Moreover, I even created a tunnel on my iOS device where this login and password work.

conn a
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=3600s
        rekey=no
        forceencaps=yes
        authby=pubkey
        ike=aes256gcm16-prfsha384-modp2048
        esp=aes256-sha256
        left=%any
        leftid="CN=*.vyprvpn.com"
        leftcert=ca_vyprvpn_com.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftsourceip=%config4
        leftauth=eap-mschapv2
        rightfirewall=yes
        rightauth=pubkey
        rightca=/etc/ipsec.d/cacerts/ca.vyprvpn.com.crt
        right=ro1.vpn.goldenfrog.com
        rightsendcert=always
        rightid=@ro1.vpn.goldenfrog.com
        rightsubnet=0.0.0.0/0
        eap_identity="mylogin"
        type=tunnel
        auto=add

# /etc/ipsec.secrets
root@OpenWrt:~# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

LOGIN : EAP "Password"

# SYSTEM LOG

root@OpenWrt:~# ipsec up a
initiating IKE_SA a[6] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.29.82[500] to 128.90.96.54[500] (960 bytes)
received packet: from 128.90.96.54[500] to 100.110.29.82[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=admin@goldenfrog.cоm"
establishing CHILD_SA a{6}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 100.110.29.82[4500] to 128.90.96.54[4500] (444 bytes)
received packet: from 128.90.96.54[4500] to 100.110.29.82[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'a' failed

I also found a very old IKEv1 VyprVPN configuration. The problem is that it was written for the EdgeRouter Lite and uses IKEv1, but I need the IKEv2 protocol. Can someone adapt these instructions for OpenWrt? https://community.ui.com/questions/very-slow-throughput-for-IPSec-on-EdgeRouter-Lite/d922363a-d4ca-4feb-9ddf-5b68c7fa2afa

Expand your firmware space with a USB stick (Extroot). If you don't have a USB port, buy another used router.

I doubt that this is a solution to the problem, since I rechecked all the files and did not find any problems with them. I think the problem is with the certificate.

If you think the problem is with the certificate, check it on a VM Linux system, like Mint or Ubuntu.

sudo apt-get update
sudo apt-get install strongswan libstrongswan-extra-plugins libcharon-standard-plugins libcharon-extra-plugins resolvconf
sudo dpkg-reconfigure resolvconf

/etc/ipsec.conf:

conn a
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=3600s
        rekey=no
        leftsourceip=%config4,%config6
        leftsendcert=never
        leftauth=eap-mschapv2
        rightauth=pubkey
        right=ro1.vpn.goldenfrog.com
        rightid=%any
        rightca=/etc/ipsec.d/cacerts/ca.vyprvpn.com.crt
        rightsubnet=0.0.0.0/0,::/0
        rightsendcert=always
        eap_identity="mylogin"
        type=tunnel
        auto=add

/etc/ipsec.secrets:

mylogin : EAP "Password"

sudo ipsec restart
sudo ipsec up a

I did all these operations on Linux Lite. The result is the same error. I am sending you my logs. Is there a problem with the certificate?

sudo ipsec up a

initiating IKE_SA a[1] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (1128 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA a[1] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (1320 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=EMAIL"
no IDi configured, fall back on IP address
establishing CHILD_SA a{1}
generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.254.132[4500] to 128.90.96.54[4500] (396 bytes)
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/5) ]
received fragment #1 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/5) ]
received fragment #2 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/5) ]
received fragment #3 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/5) ]
received fragment #4 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (224 bytes)
parsed IKE_AUTH response 1 [ EF(5/5) ]
received fragment #5 of 5, reassembled fragmented IKE message (2140 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
no trusted RSA public key found for '128.90.96.54'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.254.132[4500] to 128.90.96.54[4500] (76 bytes)
establishing connection 'a' failed

sudo ipsec listcacerts

List of X.509 CA Certificates
subject: "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=EMAIL"
issuer: "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=EMAIL"
validity: not before Oct 17 15:14:10 2019, ok
not after Oct 12 15:14:10 2039, ok (expires in 6743 days)
serial: xx:xx:xx:xx:xx:xx:xx:xx
flags: CA CRLSign self-signed
authkeyId: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
subjkeyId: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
pubkey: RSA 4096 bits
keyid: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
subjkey: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

cat /etc/ipsec.d/cacerts/ca.vyprvpn.com.crt

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Well, I tried to establish a connection via IKEv1 on Linux Lite following these instructions (https://forum.goldenfrog.com/t/aes-ni-gcm-support/824/6). They provide an RSA key, which I did not find on the VyprVPN site. Following those instructions, I also received an error: "parsed INFORMATIONAL_V1 request 1353558285 [ HASH N(AUTH_FAILED) ] received AUTHENTICATION_FAILED error notify". Then I decided to check the validity of the certificate that was given on the forum.

Result

sudo ipsec listcacerts

List of X.509 CA Certificates
subject: "C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, E=EMAIL"
issuer: "C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, E=EMAIL"
validity: not before Apr 09 16:19:21 2010, ok
not after Apr 06 16:19:21 2020, expired (384 days ago)
serial: d7:76:53:0b:7b:49:a6:ec
flags: CA self-signed
authkeyId: e1:f4:78:8c:87:94:67:45:52:2d:fe:4b:57:75:d8:86:90:39:17:05
subjkeyId: e1:f4:78:8c:87:94:67:45:52:2d:fe:4b:57:75:d8:86:90:39:17:05
pubkey: RSA 2048 bits
keyid: 32:e1:9b:d1:90:6e:2f:c6:4e:bf:07:7c:80:42:d3:04:6d:95:cb:b4
subjkey: e1:f4:78:8c:87:94:67:45:52:2d:fe:4b:57:75:d8:86:90:39:17:05

It turned out to be expired. When I replaced this certificate with the new one, I got the already familiar error: "no RSA private key found for '192.168.254.132' generating INFORMATIONAL_V1 request 2397046550 [ HASH N(AUTH_FAILED) ]". The problem is that I did not find the RSA key goldenfrog-client.key anywhere on the site, only the one on the forum, which expired long ago. I am also sending you my logs.

sudo ipsec up vyprvpn
initiating Main Mode IKE_SA vyprvpn[1] to 128.90.96.54
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (240 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (244 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, E=[EMAIL]"
sending cert request for "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=[EMAIL]"
authentication of 'C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=goldenfrog-client, E=[EMAIL]' (myself) successful
generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
sending packet: from 192.168.254.132[4500] to 128.90.96.54[4500] (796 bytes)
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 1353558285 [ HASH N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED error notify
establishing connection 'vyprvpn' failed

I have checked with VyprVPN support and they said that they do not offer IKEv2 certificates for manual configuration. Sorry.

@Hotelk

I have read your private message. Maybe the support person could not answer my question because he did not know it.

Maybe that is the answer:

Hello, Thanks for reaching out and great question! Unfortunately, this is a set up that most likely won't work at this time due to the Strongswan client not currently supporting one of the needed certificates from our end. This is something we're working towards fixing in the future. Sorry for any inconvenience. Thanks again and please contact our 24/7 support team via live chat or email if you have any other questions or anything else that we can help you with.

This message is 5 months old.
Seems like VyprVPN is not flexible with the implementation.


I wrote to support by email, that's what they answered me:

I understand that you are trying to set up an IKEv2 connection on OpenWRT. While a connection setup may be possible, unfortunately, we do not have any instructions for the IKEv2 setup.

I answered them:

Hello, but what about this post on the forum? https://forum.goldenfrog.com/t/aes-ni-gcm-support/824/6 A user with the nickname mikedoug gave instructions for setting up strongSwan (IKEv1) and provided certificates.

I will wait for an answer, but my nerves are already wearing thin. I want to buy a subscription to another VPN provider and establish a connection via the WireGuard protocol. VyprVPN has this protocol, but it is only available in their application. In fact, a very bad VPN provider with disgusting support.