Netgate Discussion Forum
    IPSEC

    16 Posts 2 Posters 3.5k Views
joaobrn:

Good evening everyone,

I need your help. I set up IPsec between two pfSense boxes that are in the same city, on the same ISP even, and the IPsec tunnel does not come up. The steps I took are below.

1. I traced the route between the two endpoints to check that they could reach each other;
2. I collected the data needed to bring up the connection:

I WILL USE FICTITIOUS ADDRESSES, SINCE I CANNOT EXPOSE THE CLIENT'S ADDRESSING!!

FW01 WAN IP = 100.100.100.254 (this FW uses an ADSL connection with a static IP)
FW01 LAN IP = 192.168.1.0/24

FW02 WAN IP = 200.200.200.254 - fw02.no-ip.org (this FW uses an ADSL connection with a dynamic IP)
FW02 LAN IP = 192.168.2.0/24

IPSEC CONFIGURATION

      ####### FW01 #######

VPN: IPsec: Edit Phase 1

      Internet Protocol: IPv4
      Interface: WAN
      Remote gateway: fw02.no-ip.org
      Authentication method: Mutual PSK
      Negotiation mode: aggressive
My identifier: My IP Address
Peer identifier: Peer IP Address
      Pre-Shared Key: cliente123
      Policy generation: Default
      Proposal Checking: Default
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      NAT Traversal: Enable
Dead Peer Detection: Enable DPD / 10 seconds / 5 retries

      VPN: IPsec: Edit Phase 2

Mode: Tunnel IPv4
      Local Network: LAN subnet
      Remote Network:
          Type: Network
    Address: 192.168.2.0/24
      Protocol: ESP
      Encryption Algorithm:
          AES (auto)
          Blowfish (auto)
          3DES
          CAST128
      Hash Algorithm
          MD5
          SHA1
      PFS key group: off
      Lifetime: 3600

      ####### FW02 #######

VPN: IPsec: Edit Phase 1

      Internet Protocol: IPv4
      Interface: WAN
      Remote gateway: 100.100.100.254
      Authentication method: Mutual PSK
      Negotiation mode: aggressive
My identifier: My IP Address
Peer identifier: Peer IP Address
      Pre-Shared Key: cliente123
      Policy generation: Default
      Proposal Checking: Default
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      NAT Traversal: Enable
Dead Peer Detection: Enable DPD / 10 seconds / 5 retries

      VPN: IPsec: Edit Phase 2

Mode: Tunnel IPv4
      Local Network: LAN subnet
      Remote Network:
          Type: Network
    Address: 192.168.1.0/24
      Protocol: ESP
      Encryption Algorithm:
          AES (auto)
          Blowfish (auto)
          3DES
          CAST128
      Hash Algorithm
          MD5
          SHA1
      PFS key group: off
      Lifetime: 3600

1. I applied the configuration above, removing the DDNS name and entering directly the dynamic IP the server was using at that moment.

CONNECTION FAILURE LOG FOLLOWS BELOW

      Oct 24 01:16:21 racoon: INFO: caught signal 15
      Oct 24 01:16:21 racoon: INFO: racoon process 44833 shutdown
      Oct 24 01:16:26 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
      Oct 24 01:16:26 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
      Oct 24 01:16:26 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
      Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
      Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=14)
      Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
      Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=15)
      Oct 24 01:16:26 racoon: INFO: unsupported PF_KEY message REGISTER
      Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
      Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
      Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
      Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in

Can anyone help me figure out what may be going on?

Awaiting your reply!!

Thank you very much!!!

Regards,

      João Batista da Rocha Neto
      ROCHA NETO - Consultoria em TI
Phone: (34) 99943-1030
      Skype: joaobrn.rochanetoconsultoria

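As an added example (not code from the thread or from pfSense): a small Python checker that reads the two listings above, reports which Phase 1/Phase 2 settings must agree between the peers, checks that the Phase 2 selectors are mirror images, and flags the legacy choices a defender would replace. The trimmed listings and the subnet substituted for "LAN subnet" are taken from the post.

```python
# Added example (not from the thread): cross-check two pfSense IPsec listings in
# the "Key: value" form posted above. Settings that must agree on both peers are
# compared, Phase 2 selectors are checked to be mirror images, and legacy
# choices are flagged. Listings are trimmed copies of the post.
FW01_LAN = "192.168.1.0/24"
FW01 = """
Authentication method: Mutual PSK
Negotiation mode: aggressive
Pre-Shared Key: cliente123
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Local Network: LAN subnet
Remote Network: 192.168.2.0/24
PFS key group: off
"""
FW02_LAN = "192.168.2.0/24"
FW02 = """
Authentication method: Mutual PSK
Negotiation mode: aggressive
Pre-Shared Key: cliente123
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Local Network: LAN subnet
Remote Network: 192.168.1.0/24
PFS key group: off
"""

# Phase 1/2 settings that have to be identical on both ends.
MUST_MATCH = ("Authentication method", "Negotiation mode", "Pre-Shared Key",
              "Encryption algorithm", "Hash algorithm", "DH key group", "PFS key group")

def parse(text, lan):
    """Parse 'Key: value' lines; the pfSense alias 'LAN subnet' becomes the real subnet."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        val = val.strip()
        cfg[key.strip()] = lan if val == "LAN subnet" else val
    return cfg

def mismatches(a, b):
    """Return settings that would make the Phase 1 or Phase 2 proposals disagree."""
    out = [f"{k}: {a.get(k)!r} vs {b.get(k)!r}" for k in MUST_MATCH if a.get(k) != b.get(k)]
    # Each side's Local Network must be the other side's Remote Network.
    if (a.get("Local Network"), a.get("Remote Network")) != (b.get("Remote Network"), b.get("Local Network")):
        out.append("Phase 2 Local/Remote networks are not mirror images")
    return out

def weak_settings(name, cfg):
    """Flag choices that negotiate fine but a defender should replace."""
    out = []
    if cfg.get("Negotiation mode") == "aggressive" and cfg.get("Authentication method") == "Mutual PSK":
        out.append(f"{name}: aggressive mode with PSK sends the PSK-derived hash unencrypted; use main mode")
    if cfg.get("Encryption algorithm") == "3DES":
        out.append(f"{name}: 3DES is legacy; use AES")
    if cfg.get("DH key group", "").startswith("2 "):
        out.append(f"{name}: DH group 2 (1024-bit) is too small; use group 14 or higher")
    if cfg.get("PFS key group") == "off":
        out.append(f"{name}: PFS off; a compromised Phase 1 key exposes every Phase 2 key")
    if len(cfg.get("Pre-Shared Key", "")) < 20:
        out.append(f"{name}: PSK shorter than 20 characters")
    return out

def audit(fw01_text=FW01, fw02_text=FW02):
    a, b = parse(fw01_text, FW01_LAN), parse(fw02_text, FW02_LAN)
    return mismatches(a, b), weak_settings("FW01", a) + weak_settings("FW02", b)
```

For the listings in this post `audit()` reports no mismatch at all, which is consistent with the thread's outcome: the peers agreed, and the failure was elsewhere.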
neo_X:

In Phase 2 use this value:

        PFS key group: 5

joaobrn:

Good evening neo_X,

I did what you suggested and it still shows the same error in the log.

I even tested every PFS key group option.

Do you have any other suggestion?

Awaiting your reply.

Thank you!


neo_X:

Just to clear up a few doubts:
a) did you open port 500 in the firewall rules?
b) did you create the rule under Firewall Rules - IPsec?

joaobrn:

a) I had not opened port 500, but even so it did not solve it. Isn't that port used for VPN on MAC?

b) I had already created the rules on the IPSEC tab.

Even so it did not work!


neo_X:

Post the IPsec logs here.

joaobrn:

                  Oct 25 19:58:48 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=15)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 192.168.1.254[4500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 192.168.1.254[4500] used as isakmp port (fd=16)
                  Oct 25 19:58:48 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[500] used as isakmp port (fd=17)
                  Oct 25 19:58:48 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[4500] used as isakmp port (fd=18)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[500] used as isakmp port (fd=19)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[4500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[4500] used as isakmp port (fd=20)
                  Oct 25 19:58:48 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[500] used as isakmp port (fd=21)
                  Oct 25 19:58:48 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[4500] used as isakmp port (fd=22)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=23)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[4500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[4500] used as isakmp port (fd=24)
                  Oct 25 19:58:48 racoon: [Self]: INFO: ::1[500] used as isakmp port (fd=25)
                  Oct 25 19:58:48 racoon: [Self]: INFO: ::1[4500] used as isakmp port (fd=26)
                  Oct 25 19:58:48 racoon: [Self]: INFO: fe80:7::1[500] used as isakmp port (fd=27)
                  Oct 25 19:58:48 racoon: [Self]: INFO: fe80:7::1[4500] used as isakmp port (fd=28)
                  Oct 25 19:58:48 racoon: INFO: fe80:9::223:54ff:fed2:3ef[500] used as isakmp port (fd=29)
                  Oct 25 19:58:48 racoon: INFO: fe80:9::223:54ff:fed2:3ef[4500] used as isakmp port (fd=30)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=31)
                  Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
                  Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=32)
                  Oct 25 19:58:54 racoon: INFO: caught signal 15
                  Oct 25 19:58:54 racoon: INFO: racoon process 39603 shutdown
                  Oct 25 19:59:00 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
                  Oct 25 19:59:00 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
                  Oct 25 19:59:00 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
                  Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
                  Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=24)
                  Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
                  Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=25)
                  Oct 25 19:59:00 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 25 19:59:00 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
                  Oct 25 19:59:00 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
                  Oct 25 20:00:17 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 25 20:00:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
                  Oct 25 20:00:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
                  Oct 25 20:00:17 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 25 20:02:17 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 10:30:38 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 10:32:02 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 10:46:08 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 10:47:20 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 11:06:15 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 11:07:04 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 11:10:22 racoon: INFO: unsupported PF_KEY message REGISTER
                  Oct 28 11:13:51 racoon: INFO: unsupported PF_KEY message REGISTER


neo_X:

I have an example here.

[screenshots: 1.jpg, 2.jpg]

neo_X:

On the branch side you swap the My identifier.

[screenshots: 3.jpg, 4.jpg]

joaobrn:

@neo_X:

On the branch side you swap the My identifier.

I tried it and it did not work. But there is one thing I did not understand: you asked me to swap the My identifier on the branch side, but swap it with what, the Peer identifier?

If that is what you meant, I tried that too and it did not work!!


neo_X:

Post the logs.

joaobrn:

                            racoon: [Self]: INFO: 127.0.0.1[4500] used as isakmp port (fd=35)
                            Oct 29 08:32:08 racoon: [Self]: INFO: ::1[500] used as isakmp port (fd=36)
                            Oct 29 08:32:08 racoon: [Self]: INFO: ::1[4500] used as isakmp port (fd=37)
                            Oct 29 08:32:08 racoon: [Self]: INFO: fe80:7::1[500] used as isakmp port (fd=38)
                            Oct 29 08:32:08 racoon: [Self]: INFO: fe80:7::1[4500] used as isakmp port (fd=39)
                            Oct 29 08:32:08 racoon: INFO: fe80:9::223:54ff:fed2:3ef[500] used as isakmp port (fd=40)
                            Oct 29 08:32:08 racoon: INFO: fe80:9::223:54ff:fed2:3ef[4500] used as isakmp port (fd=41)
                            Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
                            Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=42)
                            Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
                            Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=43)
                            Oct 29 08:32:08 racoon: INFO: unsupported PF_KEY message REGISTER
                            Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
                            Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=42)
                            Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
                            Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=43)
                            Oct 29 10:14:06 racoon: INFO: caught signal 15
                            Oct 29 10:14:06 racoon: INFO: racoon process 92995 shutdown
                            Oct 29 10:14:11 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
                            Oct 29 10:14:11 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
                            Oct 29 10:14:11 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
                            Oct 29 10:14:11 racoon: INFO: fe80:1::223:54ff:fed2:3ef[500] used as isakmp port (fd=16)
                            Oct 29 10:14:11 racoon: INFO: fe80:1::223:54ff:fed2:3ef[4500] used as isakmp port (fd=17)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=18)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[4500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[4500] used as isakmp port (fd=19)
                            Oct 29 10:14:11 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[500] used as isakmp port (fd=22)
                            Oct 29 10:14:11 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[4500] used as isakmp port (fd=23)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[500] used as isakmp port (fd=24)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[4500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[4500] used as isakmp port (fd=25)
                            Oct 29 10:14:11 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[500] used as isakmp port (fd=26)
                            Oct 29 10:14:11 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[4500] used as isakmp port (fd=27)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=28)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[4500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[4500] used as isakmp port (fd=29)
                            Oct 29 10:14:11 racoon: [Self]: INFO: ::1[500] used as isakmp port (fd=30)
                            Oct 29 10:14:11 racoon: [Self]: INFO: ::1[4500] used as isakmp port (fd=31)
                            Oct 29 10:14:11 racoon: [Self]: INFO: fe80:7::1[500] used as isakmp port (fd=32)
                            Oct 29 10:14:11 racoon: [Self]: INFO: fe80:7::1[4500] used as isakmp port (fd=33)
                            Oct 29 10:14:11 racoon: INFO: fe80:9::223:54ff:fed2:3ef[500] used as isakmp port (fd=34)
                            Oct 29 10:14:11 racoon: INFO: fe80:9::223:54ff:fed2:3ef[4500] used as isakmp port (fd=35)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=36)
                            Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
                            Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=37)
                            Oct 29 10:14:11 racoon: INFO: unsupported PF_KEY message REGISTER


neo_X:

João, something is wrong there, heh... send me the screens so I can take a look. I want to see where you entered the 10.x network in the configuration.

joaobrn:

Mate, the 10 network is another interface I have on the firewall that gives guests access.

My network works as follows:

FW01
WAN - VALID IP (STATIC)
LAN - 192.168.1.0/24
WLAN - 10.1.1.0/24

FW02
WAN - VALID IP (DYNAMIC)
LAN - 192.168.2.0/24
WLAN - 10.1.1.0/24


joaobrn:

Good evening gentlemen,

You can close the topic, I managed to solve the problem. It was at the ISP (Telemar). I ran some more advanced tests and found that the ports for the VPN connection were being blocked. I contacted the ISP and they opened them.

Thanks to everyone who helped me!


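Added example, not from the thread: a log triage routine for racoon lines like the ones posted in this thread. It separates "daemon bound UDP 500/4500 on the WAN address but never logged any IKE exchange" (the symptom here, once the ISP turned out to be filtering those ports) from an actual negotiation failure. The racoon message patterns are assumed from ipsec-tools, and the sample lines are constructed (trimmed from the post plus an invented contrast).

```python
# Added example (not from the thread): triage racoon (ipsec-tools) log lines like
# the ones posted above. Those logs show only the daemon starting and binding UDP
# 500/4500 on the WAN address; no phase 1 exchange is ever logged, which is what
# an upstream block of UDP 500/4500 (the thread's eventual finding) looks like.
# Sample lines are constructed (trimmed from the post, plus an invented contrast).
import ipaddress
import re

LOG_NO_PEER = """\
Oct 29 10:14:11 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=18)
Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[4500] used as isakmp port (fd=19)
Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=36)
Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=37)
Oct 29 10:14:11 racoon: INFO: unsupported PF_KEY message REGISTER
Oct 29 10:14:11 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
"""

# Invented contrast: the same box after the peer's IKE packets started arriving.
LOG_PEER_SEEN = LOG_NO_PEER + """\
Oct 29 10:15:02 racoon: [fw02]: INFO: respond new phase 1 negotiation: 187.6.215.64[500]<=>200.200.200.254[500]
Oct 29 10:15:02 racoon: [fw02]: INFO: begin Aggressive mode.
Oct 29 10:15:03 racoon: [fw02]: INFO: ISAKMP-SA established 187.6.215.64[500]-200.200.200.254[500] spi:0011223344556677:8899aabbccddeeff
"""

BIND_RE = re.compile(r"INFO: (\S+)\[(500|4500)\] used as isakmp port")
IKE_RE = re.compile(r"phase 1 negotiation|phase1 negotiation|ISAKMP-SA established|"
                    r"phase 2 negotiation|no suitable proposal|invalid")
NOISE_RE = re.compile(r"such policy already exists|unsupported PF_KEY message REGISTER")

def is_routable(addr):
    """True for an address a remote peer could actually send IKE to."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def triage(log):
    bound, ike, noise = {}, [], 0
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            bound.setdefault(m.group(1), set()).add(int(m.group(2)))
        if IKE_RE.search(line):
            ike.append(line)
        elif NOISE_RE.search(line):
            noise += 1    # startup chatter; not the cause of a tunnel that never comes up
    wan = sorted(a for a, ports in bound.items() if ports == {500, 4500} and is_routable(a))
    if not wan:
        verdict = "NO_WAN_BIND"        # Phase 1 interface is not the public one
    elif not ike:
        verdict = "NO_IKE_TRAFFIC"     # listening, but nothing ever arrived or left
    else:
        verdict = "IKE_SEEN"           # read the phase 1/2 lines for the real failure
    return {"wan": wan, "ike_lines": ike, "noise": noise, "verdict": verdict}
```

A NO_IKE_TRAFFIC verdict on both peers, with the remote gateway resolving correctly, points at the path between them rather than at the Phase 1/2 settings, which is where this thread ended up.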
neo_X:

Great! :)

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.