Troubleshooting VPN server ~Pfsense

Hi Folks,

I have had issues setting up a VPN server using a pfSense firewall and authenticating using a RADIUS server. I was hoping someone might have some ideas.

My environment is configured as follows.

suppose LAN: 192.168.78.0/27

Pfsense firewall:

- 2 network adapters: Internal (local network) and NAT (internet). (Suppose the IP address is 192.168.78.1.)

Server running AD, DHCP, DNS and NPS. (Suppose the IP address is 192.168.78.4.)

Configured the RADIUS client in NPS. No issues with the Network Policies and Connection Policies on the NPS server. The certificates for IPsec are configured correctly. Configured the RADIUS server on the firewall. (No issues with the shared secret or anything related.)

On the firewall I didn't block any ports; all ports are open. I even disabled the firewall on the Windows server and the client PC.

This is the error message

"Can't connect to [connection name]. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."

I checked the logs from the VPN server; see below:

VPN Server Logs

Jan 13 14:20:35 charon 63599 00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, FreeBSD 14.0-CURRENT, amd64)

Jan 13 14:20:35 charon 63599 00[CFG] PKCS11 module '' lacks library path

Jan 13 14:20:35 charon 63599 00[LIB] providers loaded by OpenSSL: legacy default

Jan 13 14:20:35 charon 63599 00[CFG] loaded attribute INTERNAL_IP4_DNS: c0:a8:0d:0e

Jan 13 14:20:35 charon 63599 00[CFG] loaded attribute (27674): xx:xx:xx:xx:xx:xx:xx:xx:xx

Jan 13 14:20:35 charon 63599 00[CFG] using '/sbin/resolvconf' to install DNS servers

Jan 13 14:20:35 charon 63599 00[KNL] unable to set UDP_ENCAP: Invalid argument

Jan 13 14:20:35 charon 63599 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed

Jan 13 14:20:35 charon 63599 00[CFG] loaded 1 RADIUS server configuration

Jan 13 14:20:35 charon 63599 00[CFG] loading unbound resolver config from '/etc/resolv.conf'

Jan 13 14:20:35 charon 63599 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'

Jan 13 14:20:35 charon 63599 00[CFG] ipseckey plugin is disabled

Jan 13 14:20:35 charon 63599 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'

Jan 13 14:20:35 charon 63599 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'

Jan 13 14:20:35 charon 63599 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'

Jan 13 14:20:35 charon 63599 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'

Jan 13 14:20:35 charon 63599 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'

Jan 13 14:20:35 charon 63599 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'

Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory

Jan 13 14:20:35 charon 63599 00[LIB] loaded plugins: charon eap-radius unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey ipseckey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters

Jan 13 14:20:35 charon 63599 00[JOB] spawning 16 worker threads

Jan 13 14:20:36 charon 63599 05[CFG] vici client 1 connected

Jan 13 14:20:36 charon 63599 05[CFG] vici client 1 requests: get-keys

Jan 13 14:20:36 charon 63599 16[CFG] vici client 1 requests: get-shared

Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-cert

Jan 13 14:20:36 charon 63599 15[CFG] loaded certificate 'C=country, ST=State, L=Toronto, O= company, OU= department, CN= firewall-hostname'

Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-cert

Jan 13 14:20:36 charon 63599 15[CFG] loaded certificate 'DC=com, DC=ACME, CN=ACME-ACME-CA'

Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: load-key

Jan 13 14:20:36 charon 63599 15[CFG] loaded ANY private key

Jan 13 14:20:36 charon 63599 15[CFG] vici client 1 requests: get-authorities

Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: get-pools

Jan 13 14:20:36 charon 63599 15[CFG] loaded vici pool mobile-pool-v4: 10.9.9.0, 254 entries

Jan 13 14:20:36 charon 63599 14[CFG] vici client 1 requests: get-conns

Jan 13 14:20:36 charon 63599 13[CFG] vici client 1 requests: load-conn

Jan 13 14:20:36 charon 63599 13[CFG] conn bypass:

Jan 13 14:20:36 charon 63599 13[CFG] child bypasslan:

Jan 13 14:20:36 charon 63599 13[CFG] rekey_time = 3600

Jan 13 14:20:36 charon 63599 13[CFG] life_time = 3960

Jan 13 14:20:36 charon 63599 13[CFG] rand_time = 360

Jan 13 14:20:36 charon 63599 13[CFG] rekey_bytes = 0

Jan 13 14:20:36 charon 63599 13[CFG] life_bytes = 0

Jan 13 14:20:36 charon 63599 13[CFG] rand_bytes = 0

Jan 13 14:20:36 charon 63599 13[CFG] rekey_packets = 0

Jan 13 14:20:36 charon 63599 13[CFG] life_packets = 0

Jan 13 14:20:36 charon 63599 13[CFG] rand_packets = 0

Jan 13 14:20:36 charon 63599 13[CFG] updown = (null)

Jan 13 14:20:36 charon 63599 13[CFG] hostaccess = 0

Jan 13 14:20:36 charon 63599 13[CFG] ipcomp = 0

Jan 13 14:20:36 charon 63599 13[CFG] mode = PASS

Jan 13 14:20:36 charon 63599 13[CFG] policies = 1

Jan 13 14:20:36 charon 63599 13[CFG] policies_fwd_out = 0

Jan 13 14:20:36 charon 63599 13[CFG] dpd_action = none

Jan 13 14:20:36 charon 63599 13[CFG] start_action = trap

Jan 13 14:20:36 charon 63599 13[CFG] close_action = none

Jan 13 14:20:36 charon 63599 13[CFG] reqid = 0

Jan 13 14:20:36 charon 63599 13[CFG] tfc = 0

Jan 13 14:20:36 charon 63599 13[CFG] priority = 0

Jan 13 14:20:36 charon 63599 13[CFG] interface = (null)

Jan 13 14:20:36 charon 63599 13[CFG] if_id_in = 0

Jan 13 14:20:36 charon 63599 13[CFG] if_id_out = 0

Jan 13 14:20:36 charon 63599 13[CFG] mark_in = 0/0

Jan 13 14:20:36 charon 63599 13[CFG] mark_in_sa = 0

Jan 13 14:20:36 charon 63599 13[CFG] mark_out = 0/0

Jan 13 14:20:36 charon 63599 13[CFG] set_mark_in = 0/0

Jan 13 14:20:36 charon 63599 13[CFG] set_mark_out = 0/0

Jan 13 14:20:36 charon 63599 13[CFG] label = (null)

Jan 13 14:20:36 charon 63599 13[CFG] label_mode = system

Jan 13 14:20:36 charon 63599 13[CFG] inactivity = 0

Jan 13 14:20:36 charon 63599 13[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ

Jan 13 14:20:36 charon 63599 13[CFG] local_ts = 192.168.78.1/27|/0

Jan 13 14:20:36 charon 63599 13[CFG] remote_ts = 192.168.78.0/27|/0

Jan 13 14:20:36 charon 63599 13[CFG] hw_offload = no

Jan 13 14:20:36 charon 63599 13[CFG] sha256_96 = 0

Jan 13 14:20:36 charon 63599 13[CFG] copy_df = 1

Jan 13 14:20:36 charon 63599 13[CFG] copy_ecn = 1

Jan 13 14:20:36 charon 63599 13[CFG] copy_dscp = out

Jan 13 14:20:36 charon 63599 13[CFG] version = 0

Jan 13 14:20:36 charon 63599 13[CFG] local_addrs = %any

Jan 13 14:20:36 charon 63599 13[CFG] remote_addrs = 127.0.0.1

Jan 13 14:20:36 charon 63599 13[CFG] local_port = 500

Jan 13 14:20:36 charon 63599 13[CFG] remote_port = 500

Jan 13 14:20:36 charon 63599 13[CFG] send_certreq = 1

Jan 13 14:20:36 charon 63599 13[CFG] send_cert = CERT_SEND_IF_ASKED

Jan 13 14:20:36 charon 63599 13[CFG] ppk_id = (null)

Jan 13 14:20:36 charon 63599 13[CFG] ppk_required = 0

Jan 13 14:20:36 charon 63599 13[CFG] mobike = 1

Jan 13 14:20:36 charon 63599 13[CFG] aggressive = 0

Jan 13 14:20:36 charon 63599 13[CFG] dscp = 0x00

Jan 13 14:20:36 charon 63599 13[CFG] encap = 0

Jan 13 14:20:36 charon 63599 13[CFG] dpd_delay = 10

Jan 13 14:20:36 charon 63599 13[CFG] dpd_timeout = 0

Jan 13 14:20:36 charon 63599 13[CFG] fragmentation = 2

Jan 13 14:20:36 charon 63599 13[CFG] childless = 0

Jan 13 14:20:36 charon 63599 13[CFG] unique = UNIQUE_REPLACE

Jan 13 14:20:36 charon 63599 13[CFG] keyingtries = 1

Jan 13 14:20:36 charon 63599 13[CFG] reauth_time = 0

Jan 13 14:20:36 charon 63599 13[CFG] rekey_time = 25920

Jan 13 14:20:36 charon 63599 13[CFG] over_time = 2880

Jan 13 14:20:36 charon 63599 13[CFG] rand_time = 2880

Jan 13 14:20:36 charon 63599 13[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

Jan 13 14:20:36 charon 63599 13[CFG] if_id_in = 0

Jan 13 14:20:36 charon 63599 13[CFG] if_id_out = 0

Jan 13 14:20:36 charon 63599 13[CFG] local:

Jan 13 14:20:36 charon 63599 13[CFG] class = public key

Jan 13 14:20:36 charon 63599 13[CFG] id = 192.168.78.1

Jan 13 14:20:36 charon 63599 13[CFG] cert = C=country, ST=State, L=City, O=Company, OU= department, CN= firewall-hostname

Jan 13 14:20:36 charon 63599 13[CFG] remote:

Jan 13 14:20:36 charon 63599 13[CFG] eap-type = EAP_RADIUS

Jan 13 14:20:36 charon 63599 13[CFG] class = EAP

Jan 13 14:20:36 charon 63599 13[CFG] eap_id = %any

Jan 13 14:20:36 charon 63599 13[CFG] id = %any

Jan 13 14:20:36 charon 63599 13[CFG] added vici connection: con-mobile

Jan 13 14:20:36 charon 63599 13[CFG] vici client 1 disconnected
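As an added illustration (not part of the original thread), a small Python triage script for charon logs in the format posted above: it separates startup warnings from the question that matters for the client error, namely whether any IKE traffic reached charon at all. It assumes the default charon log level, under which inbound IKE datagrams are recorded as "received packet" lines in the [NET] group; the sample lines are constructed from the log above and the CLIENT_HIT line is a placeholder.

```python
import re

# Constructed sample lines, modelled on the charon log format posted above
# ("<date> charon <pid> <thread>[<group>] <message>"); not the poster's full log.
SAMPLE_LOG = """\
Jan 13 14:20:35 charon 63599 00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, FreeBSD 14.0-CURRENT, amd64)
Jan 13 14:20:35 charon 63599 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan 13 14:20:35 charon 63599 00[CFG] loaded 1 RADIUS server configuration
Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Jan 13 14:20:36 charon 63599 13[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jan 13 14:20:36 charon 63599 13[CFG] added vici connection: con-mobile
"""
# Constructed [NET] line of the kind charon writes when a client's IKE_SA_INIT
# actually arrives; the addresses are placeholders.
CLIENT_HIT = ("Jan 13 14:25:01 charon 63599 07[NET] received packet: "
              "from 203.0.113.5[500] to 192.168.78.1[500] (464 bytes)\n")

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) charon (?P<pid>\d+) "
                     r"(?P<thr>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$")
FAIL_RE = re.compile(r"\bfailed\b|\bunable to\b|\blacks\b")


def parse(text):
    """Split each log line into fields; lines not in the charon format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage(text):
    entries = parse(text)
    failures = [e["msg"] for e in entries if FAIL_RE.search(e["msg"])]
    # Inbound IKE datagrams are logged under [NET]; if there are none at all, the
    # client's IKE_SA_INIT never reached charon, so RADIUS is not the first suspect.
    saw_ike = any(e["grp"] == "NET" and e["msg"].startswith("received packet")
                  for e in entries)
    radius = any("RADIUS server configuration" in e["msg"] for e in entries)
    # MODP_1024 (DH group 2) is weak; worth noting even though it is not the cause here.
    weak_dh = [e["msg"] for e in entries
               if e["msg"].startswith("proposals = IKE:") and "MODP_1024" in e["msg"]]
    if not saw_ike:
        verdict = "no inbound IKE traffic: check UDP 500/4500 on the WAN rule, NAT and upstream gateway"
    elif not radius:
        verdict = "IKE traffic seen but no RADIUS server loaded: check the EAP-RADIUS settings"
    else:
        verdict = "IKE traffic and RADIUS config present: read the EAP/RADIUS exchange lines next"
    return {"lines": len(entries), "failures": failures, "saw_ike": saw_ike,
            "radius_loaded": radius, "weak_ike_dh": weak_dh, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full startup log: with no [NET] "received packet" lines the verdict points at the UDP 500/4500 path rather than the RADIUS side, which matches the client's "remote server is not responding" message.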

This is in your log:

Jan 13 14:20:35 charon 63599 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory

Hi, thanks for the reply.

Should I create this directory by any chance?

I tried to look into it, and one of the pages suggested changing the encryption algorithm, which I'm not sure would have caused this. But even after I changed it, nothing happened.

Thank you!

Hey,

I am not sure. I haven't set them up on pfSense. I would guess you're using the gateway in bridge mode. Otherwise there would be port restrictions on the gateway (like Xfinity's X7 gateway).

Here in this article they have links to configuration instructions for different VPNs. Apparently the setup for pfSense is different depending on the VPN, IPsec use, etc. I am getting ready to deploy a pfSense on AT&T fibre and a VPN. I have xFi as well and want to connect a dual-WAN router. That is why I was reading some of these posts. There are a couple of errors or fails in the logs you posted. Those need to be corrected first, but I am not familiar enough with that setup to be of much assistance on those errors. Here is the link that has various VPN config instructions for pfSense. Good luck brother!

Best VPNs for pfSense: Plus How to Setup Quickly.

Yeah, I see no problem. I’ll take a look and let you know. Thanks for your help, mate.