IKEv2 connection failed

Hello, I had a problem when I wanted to connect to my VPN provider (VyprVPN) using the IKEv2 protocol. I want to say right away that before that I had another VPN, namely ProtonVPN, with which there were no problems when connecting. I am also sending my configuration /etc/ipsec.conf and logs so that you can help me figure it out. Yes, I also know that there is no official instruction from VyprVPN. I think it is not needed, because you could say that I am setting up an IKEv2 connection for Linux. Thanks in advance.

P.S. I am using OpenWrt.

# Add connections here.
config setup
    charondebug="all"
    uniqueids=never

conn lan-passthrough
    leftsubnet=192.168.1.1/24
    rightsubnet=192.168.1.1/24
    authby=never
    type=pass
    auto=route

conn vyprvpn
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=none
    dpddelay=300s
    inactivity=3600s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256-aes128-sha256-sha1-modp3072-modp2048
    esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
    leftfirewall=yes
    left=192.168.1.1
    leftid=192.168.1.1
    leftsourceip=%config4
    leftsendcert=never
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    rightca=/etc/ipsec.d/cacerts/vypr.der
    right=VYPRVPN SERVER
    rightsendcert=never
    rightid=%any
    rightsubnet=0.0.0.0/0
    eap_identity="VYPRLOGIN"
    type=tunnel
    auto=add

SYSTEM LOG

root@OpenWrt:~# ipsec up vyprvpn
initiating IKE_SA a[2] to 128.90.96.26
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 128.90.96.26[500] (1132 bytes)
received packet: from 128.90.96.26[500] to 192.168.1.1[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_2048
initiating IKE_SA a[2] to 128.90.96.26
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 128.90.96.26[500] (1004 bytes)
received packet: from 128.90.96.26[500] to 192.168.1.1[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA a{2}
generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 128.90.96.26[4500] (348 bytes)
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/11) ]
received fragment #1 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/11) ]
received fragment #2 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/11) ]
received fragment #3 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/11) ]
received fragment #4 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(5/11) ]
received fragment #5 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(6/11) ]
received fragment #6 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(7/11) ]
received fragment #7 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(8/11) ]
received fragment #8 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(9/11) ]
received fragment #9 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(10/11) ]
received fragment #10 of 11, waiting for complete IKE message
received packet: from 128.90.96.26[4500] to 192.168.1.1[4500] (512 bytes)
parsed IKE_AUTH response 1 [ EF(11/11) ]
received fragment #11 of 11, reassembled fragmented IKE message (5308 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.26'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.1.1[4500] to 128.90.96.26[4500] (76 bytes)
establishing connection 'vyprvpn' failed

Hey, welcome to the forum!

I would recommend changing these two lines:

ike=aes256-aes128-sha256-sha1-modp3072-modp2048
esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256

To this:

ike=aes256gcm16-prfsha384-ecp521
esp=aes256-sha256

Let us know if that helps!

Hello, I did everything as you said and am sending you the results; unfortunately it did not work. I also created a post at https://forum.openwrt.org/t/ikev2-connection-failed/94122 so that they can help me there; you can read it. I am also sending you my logs.

# Add connections here.
config setup
    charondebug="all"
    uniqueids=never

conn lan-passthrough
    leftsubnet=192.168.1.1/24
    rightsubnet=192.168.1.1/24
    authby=never
    type=pass
    auto=route

conn a
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=none
    dpddelay=300s
    inactivity=3600s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256gcm16-prfsha384-ecp521
    esp=aes256-sha256
    left=%any
    leftid=@*.vyprvpn.com
    leftcert=ca_vyprvpn_com.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftsourceip=%config4
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    rightca=/etc/ipsec.d/cacerts/ca.vyprvpn.com.crt
    right=VYPRVPN SERVER
    rightsendcert=never
    rightid=%any
    rightsubnet=0.0.0.0/0
    eap_identity="VYPRLOGIN"
    type=tunnel
    auto=add

SYSTEM LOG

root@OpenWrt:~# ipsec up a
initiating IKE_SA a[2] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (836 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_521, it requested MODP_2048
initiating IKE_SA a[2] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (960 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
root@OpenWrt:~# ipsec up a
initiating IKE_SA a[3] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (836 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_521, it requested MODP_2048
initiating IKE_SA a[3] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 100.110.159.55[500] to 128.90.96.54[500] (960 bytes)
received packet: from 128.90.96.54[500] to 100.110.159.55[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA a{3}
generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 100.110.159.55[4500] to 128.90.96.54[4500] (364 bytes)
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/11) ]
received fragment #1 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/11) ]
received fragment #2 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/11) ]
received fragment #3 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/11) ]
received fragment #4 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(5/11) ]
received fragment #5 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(6/11) ]
received fragment #6 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(7/11) ]
received fragment #7 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(8/11) ]
received fragment #8 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(9/11) ]
received fragment #9 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(10/11) ]
received fragment #10 of 11, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 100.110.159.55[4500] (512 bytes)
parsed IKE_AUTH response 1 [ EF(11/11) ]
received fragment #11 of 11, reassembled fragmented IKE message (5308 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.54'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 100.110.159.55[4500] to 128.90.96.54[4500] (76 bytes)
establishing connection 'a' failed

I did all these operations on Linux Lite. As a result, the same error. I am sending you my logs. Is there a problem with the certificate?

/etc/ipsec.conf

conn a
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=none
    dpddelay=300s
    inactivity=3600s
    rekey=no
    leftsourceip=%config4,%config6
    leftsendcert=never
    leftauth=eap-mschapv2
    rightauth=pubkey
    right=ro1.vpn.goldenfrog.com
    rightid=%any
    rightca=/etc/ipsec.d/cacerts/ca.vyprvpn.com.crt
    rightsubnet=0.0.0.0/0,::/0
    rightsendcert=always
    eap_identity="mylogin"
    type=tunnel
    auto=add

sudo ipsec up a

initiating IKE_SA a[1] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (1128 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA a[1] to 128.90.96.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (1320 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=EMAIL
no IDi configured, fall back on IP address
establishing CHILD_SA a{1}
generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.254.132[4500] to 128.90.96.54[4500] (396 bytes)
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/5) ]
received fragment #1 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(2/5) ]
received fragment #2 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(3/5) ]
received fragment #3 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(4/5) ]
received fragment #4 of 5, waiting for complete IKE message
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (224 bytes)
parsed IKE_AUTH response 1 [ EF(5/5) ]
received fragment #5 of 5, reassembled fragmented IKE message (2140 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "CN=*.vyprvpn.com"
no trusted RSA public key found for '128.90.96.54'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.254.132[4500] to 128.90.96.54[4500] (76 bytes)
establishing connection 'a' failed

sudo ipsec listcacerts

List of X.509 CA Certificates
subject: "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=EMAIL
issuer: "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=EMAIL
validity: not before Oct 17 15:14:10 2019, ok
not after Oct 12 15:14:10 2039, ok (expires in 6743 days)
serial: xx:xx:xx:xx:xx:xx:xx:xx
flags: CA CRLSign self-signed
authkeyId: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
subjkeyId: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
pubkey: RSA 4096 bits
keyid: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
subjkey: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

cat /etc/ipsec.d/cacerts/ca.vyprvpn.com.crt

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
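Added diagnostic script (not from the thread, strongSwan or VyprVPN) that runs over constructed log lines modelled on the charon output above: it checks whether the DH group the peer requested in its INVAL_KE reply is present in the configured ike= line, flags a negotiated proposal that still uses SHA1, and compares the certificate chain the server sent against the CA subjects that ipsec listcacerts reported. The sample log, the trusted-CA list and the regexes are assumptions for this example.

```python
import re

# Constructed excerpt modelled on the charon output quoted in the thread.
SAMPLE_LOG = """\
initiating IKE_SA a[2] to 128.90.96.54
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_521, it requested MODP_2048
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
received end entity cert "CN=*.vyprvpn.com"
received issuer cert "O=SSL Corporation, CN=SSL.com RSA SSL subCA"
received issuer cert "O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
no trusted RSA public key found for '128.90.96.54'
"""
# Subject DNs that `ipsec listcacerts` reported on the client (constructed).
TRUSTED_CAS = ["O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA"]

KE_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
CERT_RE = re.compile(r'received (?:end entity|issuer) cert "([^"]+)"')
NO_KEY_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")


def dh_groups(ike_line):
    """MODP/ECP groups in a strongSwan ike= string, in order, spelled as charon logs them."""
    found = re.findall(r"\b(modp|ecp)(\d+)\b", ike_line)
    return list(dict.fromkeys(f"{kind.upper()}_{bits}" for kind, bits in found))


def diagnose(log, ike_line, trusted_cas):
    """Return a list of findings for one failed `ipsec up` transcript."""
    findings, chain = [], []
    for line in log.splitlines():
        if m := KE_RE.search(line):
            offered, wanted = m.groups()
            cfg = dh_groups(ike_line)
            if wanted not in cfg:
                findings.append(f"dh_not_configured:{wanted}")
            elif cfg[0] != wanted:
                # One round trip is wasted until the peer's group is listed first.
                findings.append(f"dh_reorder:{offered}->{wanted}")
        elif m := PROPOSAL_RE.search(line):
            if "SHA1" in m[1]:
                findings.append(f"sha1_negotiated:{m[1]}")
        elif m := CERT_RE.search(line):
            chain.append(m[1])
        elif m := NO_KEY_RE.search(line):
            # Auth fails when no certificate in the received chain is a trusted CA.
            if chain and not any(c in trusted_cas for c in chain):
                findings.append(f"ca_mismatch:{chain[-1]}")
            else:
                findings.append(f"untrusted_peer:{m[1]}")
    return findings
```

Calling diagnose(SAMPLE_LOG, "aes256gcm16-prfsha384-ecp521", TRUSTED_CAS) reports that MODP_2048 is not in the ike= line at all and that the server's chain ends at an SSL.com root, not at the Golden Frog root the client trusts.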

Well, I tried to establish a connection via IKEv1 using Linux Lite following this instruction (AES-NI GCM support?). It provides an RSA key which I did not find on the VyprVPN site. Following those instructions, I also received an error: parsed INFORMATIONAL_V1 request 1353558285 [ HASH N(AUTH_FAILED) ] received AUTHENTICATION_FAILED error notify. Then I decided to check the authenticity of their certificate, which was indicated on the forum.

Result

sudo ipsec listcacerts

List of X.509 CA Certificates
subject: "C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, E=EMAIL
issuer: "C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, E=EMAIL
validity: not before Apr 09 16:19:21 2010, ok
not after Apr 06 16:19:21 2020, expired (384 days ago)
serial: d7:76:53:0b:7b:49:a6:ec
flags: CA self-signed
authkeyId: e1:f4:78:8c:87:94:67:45:52:2d:fe:4b:57:75:d8:86:90:39:17:05
subjkeyId: e1:f4:78:8c:87:94:67:45:52:2d:fe:4b:57:75:d8:86:90:39:17:05
pubkey: RSA 2048 bits
keyid: 32:e1:9b:d1:90:6e:2f:c6:4e:bf:07:7c:80:42:d3:04:6d:95:cb:b4
subjkey: e1:f4:78:8c:87:94:67:45:52:2d:fe:4b:57:75:d8:86:90:39:17:05

It turned out to be expired. When I changed this certificate to a new one, I got the already familiar error (no RSA private key found for '192.168.254.132', generating INFORMATIONAL_V1 request 2397046550 [ HASH N(AUTH_FAILED) ]). The problem is that I did not find the RSA key goldenfrog-client.key anywhere on the site, only the one on the forum, which has been expired for a long time. I am also sending you my logs.

sudo ipsec up vyprvpn

initiating Main Mode IKE_SA vyprvpn[1] to 128.90.96.54
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (240 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.254.132[500] to 128.90.96.54[500] (244 bytes)
received packet: from 128.90.96.54[500] to 192.168.254.132[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, E=[EMAIL]
sending cert request for "C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, E=[EMAIL]
authentication of 'C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=goldenfrog-client, E=EMAIL (myself) successful
generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
sending packet: from 192.168.254.132[4500] to 128.90.96.54[4500] (796 bytes)
received packet: from 128.90.96.54[4500] to 192.168.254.132[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 1353558285 [ HASH N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED error notify
establishing connection 'vyprvpn' failed

Sorry to see that you’re still having trouble with this. I think you may have better luck using the certificate found here - https://support.vyprvpn.com/hc/en-us/articles/360041273371-Where-can-I-find-your-CA-certificate-

As you can see, when I downloaded the certificate from your link https://support.vyprvpn.com/hc/en-us/articles/360041273371-Where-can-I-find-your-CA-certificate- I then get the familiar error no trusted RSA public key found for '128.90.96.54'. I have a question: where can I get the RSA PRIVATE KEY?

In addition, as I wrote in my post, when I changed to a new one I meant a new certificate.