200H IPSec VPN remote access authorization failure

bbp

200H firmware V1.21(ABWV.0)ITS-24WK37-0909-240801054

On 1.21 series firmware I'm getting IPSecVPN authorization failure. It worked on 1.20 with same settings.

From 200H logs:

generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V V ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072
configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072
received proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072
xxx.xxx.xxx.xxx is initiating an IKE_SA xxx.xxx.xxx.xxx 500 xxx.xxx.xxx.xxx
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

strongSwan Android client logs:

Starting IKE service (strongSwan 5.9.14, Android 14 Linux 5.10.198-android12-9-o-g9879b9c8974a, aarch64, org.strongswan.android)
providers loaded by OpenSSL: default legacy
loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
spawning 16 worker threads
all OCSP validation disabled
all CRL validation disabled
initiating IKE_SA android[4] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[45546] to xxx.xxx.xxx.xxx[500] (592 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[45546] (665 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V V ]
received strongSwan vendor ID
received unknown vendor ID: 8a:3b:5b:d4:b8:94:b2:f3:37:0c:1e:65:67:2e:ec:44
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072
local host is behind NAT, sending keep alives
received cert request for "CN=USG_FLEX_200H_FC22F4BE3C31"
sending cert request for "CN=USG_FLEX_200H_FC22F4BE3C31"
establishing CHILD_SA android{4}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[38888] to xxx.xxx.xxx.xxx[4500] (384 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[38888] (1232 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=USG_FLEX_200H_FC22F4BE3C31"
no trusted RSA public key found for 'xxx.xxx.xxx.xxx'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from xxx.xxx.xxx.xxx[38888] to xxx.xxx.xxx.xxx[4500] (96 bytes)

bbp

It seems if "Certificate for VPN Validation" is set to "Auto" it gets confused if there are more than few generated certificates.

Manually selecting certificate solves that issue.

bbp

It seems if "Certificate for VPN Validation" is set to "Auto" it gets confused if there are more than few generated certificates.

Manually selecting certificate solves that issue.