IPsec VPN + Cisco VPN Client
-
Greetings!
Please help me figure this out. We have pfSense 2.1.2 with IPsec Mobile Client Support configured, and it is set up to work with AD (authentication with the domain login+password pair). The client PCs use Cisco VPN Client version 5.0.07.
The problem: the first time, authentication goes through perfectly, internal network resources are reachable, i.e. everything works! We disconnect and connect again. The connection to the server is made, the (domain) login+password prompt appears, authentication succeeds, and that's "it": the connection seems to be there, traffic is flowing, but there is no access to internal network resources and pings don't reach anywhere. I can't figure out what the problem is or where to dig...
-
Enable and check the IPsec and firewall logs.
P.S. Try using this - https://www.shrew.net/software
-
The Shrew Soft VPN Client option is very good, but AD authentication is a paid feature :(
-
I noticed that if you restart racoon, everything starts working again...
-
Log after restarting racoon and the first connection attempt from Cisco VPN Client:
May 11 12:02:00 racoon: INFO: caught signal 15
May 11 12:02:00 racoon: INFO: racoon process 25517 shutdown
May 11 12:02:05 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
May 11 12:02:05 racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
May 11 12:02:05 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
May 11 12:02:05 racoon: INFO: Resize address pool from 0 to 253
May 11 12:02:05 racoon: [Self]: INFO: 123.123.123.123[4500] used for NAT-T
May 11 12:02:05 racoon: [Self]: INFO: 123.123.123.123[4500] used as isakmp port (fd=14)
May 11 12:02:05 racoon: [Self]: INFO: 123.123.123.123[500] used for NAT-T
May 11 12:02:05 racoon: [Self]: INFO: 123.123.123.123[500] used as isakmp port (fd=15)
May 11 12:02:05 racoon: INFO: unsupported PF_KEY message REGISTER
May 11 12:02:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.2/32[0] 192.168.1.0/24[0] proto=any dir=out
May 11 12:02:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.2/32[0] proto=any dir=in
May 11 12:03:14 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[55386]
May 11 12:03:14 racoon: INFO: begin Aggressive mode.
May 11 12:03:14 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 11 12:03:14 racoon: INFO: received Vendor ID: DPD
May 11 12:03:14 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 11 12:03:14 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 11 12:03:14 racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:03:14 racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 11 12:03:14 racoon: INFO: Adding remote and local NAT-D payloads.
May 11 12:03:14 racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55386] with algo #2
May 11 12:03:14 racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
May 11 12:03:14 racoon: INFO: Adding xauth VID payload.
May 11 12:03:14 racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[55387]<->123.123.123.123[4500]
May 11 12:03:14 racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 11 12:03:14 racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
May 11 12:03:14 racoon: INFO: NAT-D payload #0 doesn't match
May 11 12:03:14 racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55387] with algo #2
May 11 12:03:14 racoon: INFO: NAT-D payload #1 doesn't match
May 11 12:03:14 racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:03:14 racoon: INFO: NAT detected: ME PEER
May 11 12:03:14 racoon: INFO: Sending Xauth request
May 11 12:03:14 racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[55387] spi:07f9b5569aa783e7:20e75e7333b5c9b8
May 11 12:03:28 racoon: INFO: Using port 0
May 11 12:03:28 racoon: user 'test' authenticated
May 11 12:03:28 racoon: INFO: login succeeded for user "test"
May 11 12:03:28 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
May 11 12:03:28 racoon: ERROR: Cannot open "/etc/motd"
May 11 12:03:28 racoon: WARNING: Ignored attribute 28683
May 11 12:03:28 racoon: WARNING: Ignored attribute 28684
May 11 12:03:28 racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[55387]
May 11 12:03:28 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=27097690(0x19d7a5a)
May 11 12:03:28 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=602786838(0x23edcc16)
Connection established, everything works.
I disconnect. I connect again...
Here is what the log shows:
May 11 12:24:21 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[59617]
May 11 12:24:21 racoon: INFO: begin Aggressive mode.
May 11 12:24:21 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 11 12:24:21 racoon: INFO: received Vendor ID: DPD
May 11 12:24:21 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 11 12:24:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 11 12:24:21 racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:24:21 racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 11 12:24:21 racoon: INFO: Adding remote and local NAT-D payloads.
May 11 12:24:21 racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59617] with algo #2
May 11 12:24:21 racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
May 11 12:24:21 racoon: INFO: Adding xauth VID payload.
May 11 12:24:21 racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[59618]<->123.123.123.123[4500]
May 11 12:24:21 racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 11 12:24:21 racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
May 11 12:24:21 racoon: INFO: NAT-D payload #0 doesn't match
May 11 12:24:21 racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59618] with algo #2
May 11 12:24:21 racoon: INFO: NAT-D payload #1 doesn't match
May 11 12:24:21 racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:24:21 racoon: INFO: NAT detected: ME PEER
May 11 12:24:21 racoon: INFO: Sending Xauth request
May 11 12:24:21 racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[59618] spi:06fbe9bf549af3b7:47e137722fc9fa19
May 11 12:24:24 racoon: INFO: Using port 0
May 11 12:24:24 racoon: user 'test' authenticated
May 11 12:24:24 racoon: INFO: login succeeded for user "test"
May 11 12:24:24 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
May 11 12:24:24 racoon: ERROR: Cannot open "/etc/motd"
May 11 12:24:24 racoon: WARNING: Ignored attribute 28683
May 11 12:24:24 racoon: WARNING: Ignored attribute 28684
May 11 12:24:24 racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[59618]
May 11 12:24:24 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
May 11 12:24:24 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=1350976079(0x5086424f)
May 11 12:24:30 racoon: ERROR: no configuration found for 45.45.45.45.
May 11 12:24:30 racoon: ERROR: failed to begin ipsec sa negotication.
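A small triage script, added here as an example and not part of the thread, that parses racoon entries in the format shown above and separates the proposal-walking noise (the repeated authtype/trns_id mismatches and "not matched" lines, which are harmless as long as an IPsec-SA still gets established) from the error that actually distinguishes the second attempt: "no configuration found" for the peer after both SAs were already up. The sample entries are constructed from the two attempts above with the repeats trimmed; the list of benign messages and the verdict labels are my assumptions.

```python
import re
from collections import Counter

# Constructed samples in racoon's syslog format, trimmed from the two attempts above.
FIRST_ATTEMPT = """\
May 11 12:03:14 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[55386]
May 11 12:03:14 racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 11 12:03:14 racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[55387] spi:07f9b5569aa783e7:20e75e7333b5c9b8
May 11 12:03:28 racoon: user 'test' authenticated
May 11 12:03:28 racoon: INFO: login succeeded for user "test"
May 11 12:03:28 racoon: ERROR: Cannot open "/etc/motd"
May 11 12:03:28 racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[55387]
May 11 12:03:28 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 racoon: ERROR: not matched
May 11 12:03:28 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=27097690(0x19d7a5a)
"""
SECOND_ATTEMPT = """\
May 11 12:24:21 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[59617]
May 11 12:24:21 racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[59618] spi:06fbe9bf549af3b7:47e137722fc9fa19
May 11 12:24:24 racoon: INFO: login succeeded for user "test"
May 11 12:24:24 racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[59618]
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
May 11 12:24:30 racoon: ERROR: no configuration found for 45.45.45.45.
May 11 12:24:30 racoon: ERROR: failed to begin ipsec sa negotication.
"""

# "<timestamp> racoon: [tag]: [tag] <LEVEL>: <message>"; the bracketed tags are optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[[^\]]+\]:? )*(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$"
)
# Assumed-benign messages: emitted while racoon walks the client's proposal list or
# on cosmetic attributes; they are noise as long as an IPsec-SA is still established.
BENIGN = ("not matched", "authtype mismatched", "trns_id mismatched", "Ignored attribute",
          'Cannot open "/etc/motd"', "notification INITIAL-CONTACT", "such policy already exists")

def parse(log_text):
    """Yield (timestamp, level, message); lines without a level (e.g. the bare
    "user 'test' authenticated" entry) are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")

def triage(log_text):
    """Summarise one connection attempt and collect the errors that are not noise."""
    s = {"phase1": 0, "isakmp_sa": 0, "xauth_users": [], "phase2": 0,
         "ipsec_sa": 0, "noise": Counter(), "fatal": []}
    sa_seen = False
    for ts, level, msg in parse(log_text):
        if msg.startswith("respond new phase 1"):
            s["phase1"] += 1
        elif msg.startswith("ISAKMP-SA established"):
            s["isakmp_sa"] += 1
        elif msg.startswith("login succeeded for user"):
            s["xauth_users"].append(msg.split('"')[1])
        elif msg.startswith("respond new phase 2"):
            s["phase2"] += 1
        elif msg.startswith("IPsec-SA established"):
            s["ipsec_sa"] += 1
            sa_seen = True
        elif level in ("WARNING", "ERROR"):
            if any(msg.startswith(b) for b in BENIGN):
                s["noise"][msg] += 1
            else:  # remember whether the SAs were already up when the error hit
                s["fatal"].append((ts, msg, sa_seen))
    return s

def verdict(summary):
    """'ok', 'no-sa', or 'sa-then-error' (the thread's symptom: SAs up, then an error)."""
    if summary["ipsec_sa"] and not summary["fatal"]:
        return "ok"
    if summary["ipsec_sa"] and any(after_sa for _, _, after_sa in summary["fatal"]):
        return "sa-then-error"
    return "no-sa"

if __name__ == "__main__":
    for name, log in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        s = triage(log)
        print(name, verdict(s), s["xauth_users"], [m for _, m, _ in s["fatal"]])
```

Run against the full logs above, the first attempt classifies as "ok" and the second as "sa-then-error", which is the distinction a reader has to dig out of several hundred near-identical lines by hand.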
-
The error occurs in phase 2. Try changing the settings from Aggressive mode to main.
Try this first - https://forum.pfsense.org/index.php?topic=46917.0, https://forum.pfsense.org/index.php?topic=41631.15
Also:
To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfsense is at both ends in my scenario).
And also:
_on the pfsense side, try setting the P1 Policy Generation to "unique"
i was having similar issues for subsequent reconnects for the Shrew client where restarting the pfsense ipsec process would clear the issue
i did NOT need to disable NAT-T or DPD, just changing the P1 Policy Generation setting from "default" to "unique" was the only change i made_
P.S. People write that the problem is with the Cisco client. Are you using the latest version of that client? If you have the 64-bit version (if one exists, I'm not sure :-), switch to the 32-bit one.
-
When switching from "Aggressive" to "main":
May 11 14:48:04 racoon: [213.142.62.211] ERROR: exchange Aggressive not allowed in any applicable rmconf.
-
P.S. People write that the problem is with the Cisco client. Are you using the latest version of that client? If you have the 64-bit version (if one exists, I'm not sure :-), switch to the 32-bit one.
I wouldn't mind using a different client; the main thing is that it supports AD authentication.
-
Try doing it exactly as in these instructions:
https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors
P.S. Enable racoon debugging and check the log:
You can enable debug mode for racoon by checking the option for it under System > Advanced on the Miscellaneous tab.
-
Did everything as in the manual + installed ShrewSoft VPN Client ... everything works great!!!
-
So AD authentication works stably, even on reconnect? It doesn't drop? And with the Cisco client?
P.S. Please put [SOLVED] in the topic title.
-
I tried dropping the connection from the PC several times, everything works great! And AD authentication goes through too. BUT...
if I try to connect once more from another device (I use an iPad), everything stops working on the PC: the connection is there, but there is no access anywhere. Same thing on the tablet: the VPN comes up but there is no access anywhere, and pings disappear on both the PC and the tablet.
-