The tunnel has gone down again :-\ I no longer know what to do. Let's see if some kind soul knows what is going on. 8)
Thanks
I have 2 tunnels configured
The tunnel I'm having the problem with: right now the tunnel to 194.xx.xx.xa is disconnected, but it shows as active.
I have access to the IP 195.xx.xx.xx cut off, but connection attempts still show up.
On the other hand, I have another pfSense for which I don't set up the NAT rules on the router, and it connects to the remote end. In fact, when the connection fails from this firewall I have to connect with the other one (if it works, which is not always, I leave the connection like that and create routing rules). Sometimes it connects but with no traffic, so I disable it and connect again from the first one, and then it works again for a while.
pfSense 2.2.2
May 21 19:43:36 charon: 06[IKE] <59759> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:43:36 charon: 06[IKE] <59759> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:43:36 charon: 06[ENC] <59759> generating ID_PROT response 0 [ SA V V V V ]
May 21 19:43:36 charon: 06[NET] <59759> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:43:41 charon: 06[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:43:41 charon: 06[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:02 charon: 16[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:02 charon: 16[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:06 charon: 16[JOB] <59759> deleting half open IKE_SA after timeout
May 21 19:44:16 charon: 16[NET] <59760> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:44:16 charon: 16[ENC] <59760> parsed ID_PROT request 0 [ SA V V V V V V V ]
May 21 19:44:16 charon: 16[ENC] <59760> received unknown vendor ID: 4f:45:51:7b:4f:7f:6e:65:7a:7b:43:51
May 21 19:44:16 charon: 16[IKE] <59760> received DPD vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received DPD vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received NAT-T (RFC 3947) vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received NAT-T (RFC 3947) vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:44:16 charon: 16[IKE] <59760> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:16 charon: 16[IKE] <59760> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:16 charon: 16[ENC] <59760> generating ID_PROT response 0 [ SA V V V V ]
May 21 19:44:16 charon: 16[NET] <59760> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:44:22 charon: 16[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:22 charon: 16[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:42 charon: 16[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:42 charon: 16[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:44:46 charon: 16[JOB] <59760> deleting half open IKE_SA after timeout
May 21 19:44:56 charon: 16[NET] <59761> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:44:56 charon: 16[ENC] <59761> parsed ID_PROT request 0 [ SA V V V V V V V ]
May 21 19:44:56 charon: 16[ENC] <59761> received unknown vendor ID: 4f:45:51:7b:4f:7f:6e:65:7a:7b:43:51
May 21 19:44:56 charon: 16[IKE] <59761> received DPD vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received DPD vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received NAT-T (RFC 3947) vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received NAT-T (RFC 3947) vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:44:56 charon: 16[IKE] <59761> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:56 charon: 16[IKE] <59761> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:56 charon: 16[ENC] <59761> generating ID_PROT response 0 [ SA V V V V ]
May 21 19:44:56 charon: 16[NET] <59761> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:44:59 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:44:59 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:45:00 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:45:00 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:45:02 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:45:02 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:45:22 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:45:22 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:45:26 charon: 11[JOB] <59761> deleting half open IKE_SA after timeout
May 21 19:45:36 charon: 11[NET] <59762> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:45:36 charon: 11[ENC] <59762> parsed ID_PROT request 0 [ SA V V V V V V V ]
May 21 19:45:36 charon: 11[ENC] <59762> received unknown vendor ID: 4f:45:51:7b:4f:7f:6e:65:7a:7b:43:51
May 21 19:45:36 charon: 11[IKE] <59762> received DPD vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received DPD vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received NAT-T (RFC 3947) vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received NAT-T (RFC 3947) vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:45:36 charon: 11[IKE] <59762> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:45:36 charon: 11[IKE] <59762> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:45:36 charon: 11[ENC] <59762> generating ID_PROT response 0 [ SA V V V V ]
May 21 19:45:36 charon: 11[NET] <59762> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:45:42 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:45:42 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:45:47 charon: 11[NET] <59762> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:45:47 charon: 11[IKE] <59762> received retransmit of request with ID 0, retransmitting response
May 21 19:45:47 charon: 11[IKE] <59762> received retransmit of request with ID 0, retransmitting response
May 21 19:45:47 charon: 11[NET] <59762> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:46:02 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:46:02 charon: 11[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:46:02 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:46:02 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:46:03 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:46:03 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:46:05 charon: 07[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:46:05 charon: 07[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:46:06 charon: 07[NET] <59762> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:46:06 charon: 07[IKE] <59762> received retransmit of request with ID 0, retransmitting response
May 21 19:46:06 charon: 07[IKE] <59762> received retransmit of request with ID 0, retransmitting response
May 21 19:46:06 charon: 07[NET] <59762> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:46:06 charon: 07[JOB] <59762> deleting half open IKE_SA after timeout
May 21 19:46:22 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:46:22 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:46:42 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:46:42 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:46:46 charon: 07[NET] <59763> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:46:46 charon: 07[ENC] <59763> parsed ID_PROT request 0 [ SA V V V V V V V ]
May 21 19:46:46 charon: 07[ENC] <59763> received unknown vendor ID: 4f:45:51:7b:4f:7f:6e:65:7a:7b:43:51
May 21 19:46:46 charon: 07[IKE] <59763> received DPD vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received DPD vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received NAT-T (RFC 3947) vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received NAT-T (RFC 3947) vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:46:46 charon: 07[IKE] <59763> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:46:46 charon: 07[IKE] <59763> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:46:46 charon: 07[ENC] <59763> generating ID_PROT response 0 [ SA V V V V ]
May 21 19:46:46 charon: 07[NET] <59763> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:47:02 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:47:02 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:47:16 charon: 07[JOB] <59763> deleting half open IKE_SA after timeout
May 21 19:47:22 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:47:22 charon: 07[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:47:24 charon: 07[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:47:24 charon: 07[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:47:26 charon: 12[NET] <59764> received packet: from 195.xx.xx.xx[500] to 192.168.150.1[500] (216 bytes)
May 21 19:47:26 charon: 12[ENC] <59764> parsed ID_PROT request 0 [ SA V V V V V V V ]
May 21 19:47:26 charon: 12[ENC] <59764> received unknown vendor ID: 4f:45:51:7b:4f:7f:6e:65:7a:7b:43:51
May 21 19:47:26 charon: 12[IKE] <59764> received DPD vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received DPD vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received NAT-T (RFC 3947) vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received NAT-T (RFC 3947) vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 21 19:47:26 charon: 12[IKE] <59764> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:47:26 charon: 12[IKE] <59764> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:47:26 charon: 12[ENC] <59764> generating ID_PROT response 0 [ SA V V V V ]
May 21 19:47:26 charon: 12[NET] <59764> sending packet: from 192.168.150.1[500] to 195.xx.xx.xx[500] (152 bytes)
May 21 19:47:42 charon: 12[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
May 21 19:47:42 charon: 12[IKE] <con1000|59586>sending keep alive to 194.xx.xx.xa[4500]
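One way to condense a charon log like the one in this post, as an added example that is not part of the original post: it counts Main Mode handshakes deleted while still half open, grouped by initiating peer, and lists the SPIs that charon could not find in the kernel SAD for each connection. The function name `summarize` and the embedded sample lines (constructed in the same format as the log above) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines in the same format as the charon log in the post.
SAMPLE = """\
May 21 19:44:16 charon: 16[IKE] <59760> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:16 charon: 16[IKE] <59760> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:46 charon: 16[JOB] <59760> deleting half open IKE_SA after timeout
May 21 19:44:56 charon: 16[IKE] <59761> 195.xx.xx.xx is initiating a Main Mode IKE_SA
May 21 19:44:59 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:44:59 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI 8ef432ca: No such file or directory (2)
May 21 19:45:00 charon: 11[KNL] <con1000|59586>unable to query SAD entry with SPI ca1cb129: No such file or directory (2)
May 21 19:45:26 charon: 11[JOB] <59761> deleting half open IKE_SA after timeout
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) charon: \d+\[(?P<sub>\w+)\] <(?P<sa>[^>]+)>\s*(?P<msg>.*)$")
INIT = re.compile(r"^(?P<peer>\S+) is initiating a Main Mode IKE_SA$")
SAD = re.compile(r"^unable to query SAD entry with SPI (?P<spi>[0-9a-f]+):")

def summarize(text):
    """Count half-open IKE_SA timeouts per peer and missing SAD entries per SA."""
    peer_of = {}                      # IKE_SA id -> initiating peer
    half_open = Counter()             # peer -> handshakes dropped while half open
    missing_spis = defaultdict(set)   # SA name -> SPIs the kernel no longer has
    previous = None
    for raw in text.splitlines():
        if raw == previous:           # [IKE] lines appear twice in this log
            continue
        previous = raw
        m = LINE.match(raw)
        if not m:
            continue
        sa, msg = m["sa"], m["msg"]
        if (i := INIT.match(msg)):
            peer_of[sa] = i["peer"]
        elif msg == "deleting half open IKE_SA after timeout":
            half_open[peer_of.get(sa, "unknown")] += 1
        elif (s := SAD.match(msg)):
            missing_spis[sa].add(s["spi"])
    return dict(half_open), {k: sorted(v) for k, v in missing_spis.items()}

if __name__ == "__main__":
    timeouts, missing = summarize(SAMPLE)
    print("half-open timeouts per peer:", timeouts)
    print("SPIs missing from the kernel SAD:", missing)
```
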