Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Huawei AR161FG-L + PfSense 2.6.0 - ipsec s2s

    Russian
    3
    94
    23.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      Konstanti @rnduser
      last edited by

      @rnduser

      Этот пинг доходит до назначения ?
      Запустите tcpdump на PF и посмотрите, что происходит

      R 1 Reply Last reply Reply Quote 0
      • R
        rnduser @Konstanti
        last edited by

        @konstanti said in Huawei AR161FG-L + PfSense 2.6.0 - ipsec s2s:

        Этот пинг доходит до назначения ?

        нет. с другой стороны тоже

        K 1 Reply Last reply Reply Quote 0
        • K
          Konstanti @rnduser
          last edited by Konstanti

          @rnduser
          Вам надо посмотреть , что происходит на PF ( на wan и enc0 интерфейсах)
          Правила на Lan и IPsec интерфейсах PF проверили ?

          1 Reply Last reply Reply Quote 0
          • R
            rnduser @Konstanti
            last edited by

            @konstanti said in Huawei AR161FG-L + PfSense 2.6.0 - ipsec s2s:

            @rnduser
            1 Туннель поднимается ?
            2 проверьте правила на Lan и IPsec интерфейсах PF - должно быть все разрешено ( по умолчанию , все запрещено)
            3 методику локализации поиска я Вам показал

            1. судя по моему скрину - да. в логах ничего нет
            • на wan - разрешено upd 500 + 4500 - any / any
            • на lan дефолтные правила, разрешено any/any
            • на ipsec - разрешено any / any
            1. счас буду пробовать
            1 Reply Last reply Reply Quote 0
            • R
              rnduser @Konstanti
              last edited by

              @konstanti said in Huawei AR161FG-L + PfSense 2.6.0 - ipsec s2s:

              3 методику локализации поиска я Вам показал

              spoiler||1674467801.521438 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 1, length 64
              1674467802.535784 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 2, length 64
              1674467803.559783 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 3, length 64
              1674467804.583749 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 4, length 64
              1674467805.607929 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 5, length 64
              1674467806.631667 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 6, length 64
              1674467807.655656 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 7, length 64
              1674467808.679868 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 8, length 64
              1674467809.703843 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 9, length 64
              1674467810.727675 (authentic,confidential): SPI 0x006eaa62: 10.9.20.220 > 10.9.30.220: ICMP echo request, id 4, seq 10, length 64
              ||spoiler

              K 1 Reply Last reply Reply Quote 0
              • K
                Konstanti @rnduser
                last edited by Konstanti

                @rnduser

                Ага , те IPSec перехватывает этот трафик
                Запрос идет ответа нет
                Если на wan интерфейсе похожая картина , то причину происходящего надо искать на другой стороне туннеля

                Кстати , картинка с установленным соединением это подтверждает ( исходящий трафик есть , входящего нет )

                1 Reply Last reply Reply Quote 0
                • R
                  rnduser
                  last edited by

                  [2.6.0-RELEASE][admin@pfSense.home.arpa]/root: tcpdump -netti em0 host 192.168.22.100
                  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                  listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
                  1674468288.796251 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5651, length 9
                  1674468288.796946 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5651, length 9
                  1674468289.328515 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5652, length 9
                  1674468289.329240 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5652, length 9
                  1674468289.860701 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5653, length 9
                  1674468289.861123 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5653, length 9
                  1674468290.372706 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5654, length 9
                  1674468290.373401 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5654, length 9
                  1674468290.904234 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5655, length 9
                  1674468290.904658 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5655, length 9
                  1674468291.436434 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5656, length 9
                  1674468291.436848 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5656, length 9
                  1674468291.968706 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5657, length 9
                  1674468291.969393 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5657, length 9
                  1674468292.500967 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5658, length 9
                  1674468292.501385 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5658, length 9
                  1674468293.033213 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5659, length 9
                  1674468293.033630 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5659, length 9
                  1674468293.393816 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 122: 192.168.22.200.500 > 192.168.22.100.500: isakmp: child_sa inf2
                  1674468293.397322 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 122: 192.168.22.100.500 > 192.168.22.200.500: isakmp: child_sa inf2[IR]
                  1674468293.565474 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5660, length 9
                  1674468293.565897 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5660, length 9
                  1674468294.097727 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5661, length 9
                  1674468294.098408 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5661, length 9
                  1674468294.630041 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5662, length 9
                  1674468294.630715 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5662, length 9
                  1674468295.162238 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5663, length 9
                  1674468295.162917 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5663, length 9
                  1674468295.694502 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5664, length 9
                  1674468295.695235 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5664, length 9
                  1674468296.226771 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5665, length 9
                  1674468296.227476 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5665, length 9
                  1674468296.502349 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5a8), length 136
                  1674468296.759032 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5666, length 9
                  1674468296.759720 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5666, length 9
                  1674468297.260336 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5667, length 9
                  1674468297.260765 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5667, length 9
                  1674468297.502828 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5a9), length 136
                  1674468297.792592 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5668, length 9
                  1674468297.793250 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5668, length 9
                  1674468298.295453 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5669, length 9
                  1674468298.295876 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5669, length 9
                  1674468298.526804 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5aa), length 136
                  1674468298.816241 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5670, length 9
                  1674468298.816926 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5670, length 9
                  1674468299.347233 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5671, length 9
                  1674468299.347912 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5671, length 9
                  1674468299.550745 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5ab), length 136
                  1674468299.878610 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5672, length 9
                  1674468299.879079 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5672, length 9
                  1674468300.393215 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5673, length 9
                  1674468300.393900 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5673, length 9
                  1674468300.574737 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5ac), length 136
                  1674468300.924176 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5674, length 9
                  1674468300.924615 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5674, length 9
                  1674468301.455232 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5675, length 9
                  1674468301.455909 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5675, length 9
                  1674468301.598763 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5ad), length 136
                  1674468301.986614 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5676, length 9
                  1674468301.987076 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5676, length 9
                  1674468302.517254 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5677, length 9
                  1674468302.517892 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5677, length 9
                  1674468302.622750 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5ae), length 136
                  1674468303.048596 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5678, length 9
                  1674468303.049058 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5678, length 9
                  1674468303.407801 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 122: 192.168.22.200.500 > 192.168.22.100.500: isakmp: child_sa inf2
                  1674468303.412511 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 122: 192.168.22.100.500 > 192.168.22.200.500: isakmp: child_sa inf2[IR]
                  1674468303.579237 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5679, length 9
                  1674468303.579902 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5679, length 9
                  1674468303.646693 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5af), length 136
                  1674468304.110629 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5680, length 9
                  1674468304.111113 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5680, length 9
                  1674468304.641669 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5681, length 9
                  1674468304.642129 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5681, length 9
                  1674468304.670683 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5b0), length 136
                  1674468305.172229 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5682, length 9
                  1674468305.172915 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5682, length 9
                  1674468305.694810 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5b1), length 136
                  1674468305.694913 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5683, length 9
                  1674468305.695505 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5683, length 9
                  1674468306.225170 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5684, length 9
                  1674468306.225596 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5684, length 9
                  1674468306.756231 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5685, length 9
                  1674468306.756641 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5685, length 9
                  1674468307.287236 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5686, length 9
                  1674468307.287903 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5686, length 9
                  1674468307.818675 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5687, length 9
                  1674468307.819210 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5687, length 9
                  1674468308.322263 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5688, length 9
                  1674468308.322722 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5688, length 9
                  1674468308.854178 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5689, length 9
                  1674468308.854888 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5689, length 9
                  1674468309.384230 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5690, length 9
                  1674468309.384714 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5690, length 9
                  1674468309.915179 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5691, length 9
                  1674468309.915636 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5691, length 9
                  1674468310.416968 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5692, length 9
                  1674468310.417704 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5692, length 9
                  1674468310.948232 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5693, length 9
                  1674468310.948931 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5693, length 9
                  1674468311.479619 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5694, length 9
                  1674468311.480078 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5694, length 9
                  1674468312.010229 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5695, length 9
                  1674468312.010874 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5695, length 9
                  1674468312.541652 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5696, length 9
                  1674468312.542112 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5696, length 9
                  1674468313.072181 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5697, length 9
                  1674468313.072604 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5697, length 9
                  1674468313.451790 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 122: 192.168.22.200.500 > 192.168.22.100.500: isakmp: child_sa inf2
                  1674468313.455735 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 122: 192.168.22.100.500 > 192.168.22.200.500: isakmp: child_sa inf2[IR]
                  1674468313.603199 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5698, length 9
                  1674468313.603644 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5698, length 9
                  1674468314.134175 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5699, length 9
                  1674468314.134660 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5699, length 9
                  1674468314.665228 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5700, length 9
                  1674468314.665649 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5700, length 9
                  1674468315.196187 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5701, length 9
                  1674468315.196606 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5701, length 9
                  1674468315.727170 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 43: 192.168.22.200 > 192.168.22.100: ICMP echo request, id 26757, seq 5702, length 9
                  1674468315.727624 4c:f9:5d:20:a8:36 > 68:05:ca:1f:2a:95, ethertype IPv4 (0x0800), length 60: 192.168.22.100 > 192.168.22.200: ICMP echo reply, id 26757, seq 5702, length 9
                  ^C
                  120 packets captured
                  236 packets received by filter
                  0 packets dropped by kernel
                  ||spoiler||

                  а вот тут что-то кроме DPD я ничего не вижу

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    Konstanti @rnduser
                    last edited by

                    @rnduser said in Huawei AR161FG-L + PfSense 2.6.0 - ipsec s2s:

                    1674468296.502349 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5a8), length 136

                    это не DPD пакеты , это Ваш пинг запрос , на который нет ответа

                    1674468296.502349 68:05:ca:1f:2a:95 > 4c:f9:5d:20:a8:36, ethertype IPv4 (0x0800), length 170: 192.168.22.200 > 192.168.22.100: ESP(spi=0x006eaa62,seq=0x5a8), length 136

                    R 1 Reply Last reply Reply Quote 0
                    • R
                      rnduser @Konstanti
                      last edited by

                      @konstanti все пинги остановлены

                      K 1 Reply Last reply Reply Quote 0
                      • K
                        Konstanti @rnduser
                        last edited by

                        @rnduser
                        Я не знаю , в какой момент все было остановлено , но вижу , что PF отправляет ESP пакеты в направлении Huawei , ответа на эти пакеты по какой-то причине нет
                        Надо разбираться там .
                        Посмотрите , приходит ли пакет на хост 10.9.30.220 ?
                        что в этот момент происходит ?

                        R 1 Reply Last reply Reply Quote 0
                        • R
                          rnduser @Konstanti
                          last edited by rnduser

                          @konstanti log.txt
                          получается что трафик заворачивает в туннель со стороны ПФсенс правильно

                          K 1 Reply Last reply Reply Quote 0
                          • K
                            Konstanti @rnduser
                            last edited by

                            @rnduser
                            Да , все верно
                            Я Вам повторю, что на данный момент проблема вов торой стороне туннеля . По какой-то причине ответа нет
                            Надо смотреть , что происходит со стороны Huawei
                            Начните с хоста 10.9.30.220
                            Получает ли он пакет , отправляет ли на него запрос
                            Если отправляет , то куда ( какой у него шлюз по умолчанию)
                            И тд и тп

                            R 1 Reply Last reply Reply Quote 0
                            • R
                              rnduser @Konstanti
                              last edited by

                              @konstanti
                              Message: 10:40:45 router001-k85 %%01FW-LOG/5/PACKET_FILTER(l)[586]:Packet filter permit: protocol=1, source-ip=192.168.22.100, source-port=43996,destination-ip=10.9.20.220, destination-port=43996, interzone-Local-wan outbound.
                              NAT пихает запрос наружу в дефолтный GW? мимо туннеля?

                              K 1 Reply Last reply Reply Quote 0
                              • K
                                Konstanti @rnduser
                                last edited by Konstanti

                                @rnduser
                                Это не Nat пихает , а ядро Huawei не находит этот трафик "интересным" . Проверяйте селекторы трафика (ACL) , или в каком виде ответ приходит на GW

                                R 1 Reply Last reply Reply Quote 0
                                • R
                                  rnduser @Konstanti
                                  last edited by rnduser

                                  @konstanti
                                  ||spoiler||
                                  <router001-k85>display acl all
                                  Total quantity of nonempty ACL number is 3

                                  Basic ACL GigabitEthernet0/0/4 2999, 1 rule
                                  Acl's step is 5
                                  rule 5 permit (236 matches)

                                  Advanced ACL 3990, 3 rules
                                  allow ipsec to local
                                  Acl's step is 5
                                  rule 10 permit icmp (36 matches)
                                  rule 30 permit udp destination-port eq 500 (8 matches)
                                  rule 35 permit udp destination-port eq 4500

                                  Advanced ACL p_GigabitEthernet0/0/4_1 3999, 1 rule
                                  Acl's step is 5
                                  rule 5 permit ip source 10.9.30.0 0.0.0.255 destination 10.9.20.0 0.0.0.255
                                  ||spoiler||
                                  ничего не попадает в ACL policy (((

                                  K 1 Reply Last reply Reply Quote 0
                                  • K
                                    Konstanti @rnduser
                                    last edited by Konstanti

                                    @rnduser

                                    Попробуйте добавить со стороны HW в ACL 3999 еще одно правило , только вместо IP поставить ICMP

                                    R 1 Reply Last reply Reply Quote 0
                                    • R
                                      rnduser @Konstanti
                                      last edited by

                                      @konstanti
                                      а смысл? совпадений (match) с ACL - нуль.

                                      K 1 Reply Last reply Reply Quote 0
                                      • K
                                        Konstanti @rnduser
                                        last edited by

                                        @rnduser
                                        попробуйте .
                                        в ACL 3999 будет 2 правила
                                        или в rule 5 убрать ip и оставить одно

                                        R 1 Reply Last reply Reply Quote 0
                                        • R
                                          rnduser @Konstanti
                                          last edited by rnduser

                                          @konstanti
                                          нет. так не работает ))
                                          ||Message: 11:02:26 router001-k85 %%01IKE/5/IKE_NEGO_FAIL(l)[979]:IPSec tunnel negotiation fails. (IfIndex=7, SeqNum=0, PeerAddress=192.168.22.200, PeerPort=500, Reason=receive proposal mismatch or use sm in ikev2)||spoiler||||

                                          K 2 Replies Last reply Reply Quote 0
                                          • K
                                            Konstanti @rnduser
                                            last edited by

                                            @rnduser
                                            не работает как ?
                                            если добавить новое правило или убрать ip из правила 5 ?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post