Netgate Discussion Forum

    VPN - FO Telecom - IPSec - Simmetrica MC Link

    7 Posts 2 Posters 1.3k Views
danilofailli

Good evening everyone,

I am running into an IPsec VPN connection problem between:

Telecom FO  <-> Simmetrica MC Link

Note that I have the same VPN between two Simmetrica MC Link lines and everything works correctly.

The configuration diagram is attached.

Thanks in advance to everyone

Danilo
      ![Schema VPN.PNG](/public/imported_attachments/1/Schema VPN.PNG)
fabio.vigano

Hi,
Granted that more information would be needed, the only thing I would guess from looking at the diagram is a NAT problem on the Telecom connectivity.
Try checking the router configuration.
Bye

===============================
pfSenseItaly.com
The Italian resource for pfSense

If the post or the reply was useful to you, click 👍

danilofailli

Hi Fabio,

that is the same hypothesis I made, since the router is the Telecom one; anyway, on the Telecom router I opened 4500 and 500 TCP/UDP.

In the meantime I have ordered a TP-Link router, so I will also try with another product.

If you tell me what other info you need, I will post it.

Thanks

fabio.vigano

Is there anything in the logs about the error?
Are there connection attempts, or not even those?
Fabio

danilofailli

Hi Fabio,

below are the logs from the pfSense connected to the Simmetrica MC Link:

```
Time Process PID Message
Mar 6 14:19:20 charon 05[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
Mar 6 14:19:20 charon 05[IKE] <con2000|67> sending retransmit 3 of request message ID 0, seq 1
Mar 6 14:19:07 charon 15[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
Mar 6 14:19:07 charon 15[IKE] <con2000|67> sending retransmit 2 of request message ID 0, seq 1
Mar 6 14:19:00 charon 13[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
Mar 6 14:19:00 charon 13[IKE] <con2000|67> sending retransmit 1 of request message ID 0, seq 1
Mar 6 14:18:56 charon 07[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
Mar 6 14:18:56 charon 07[ENC] <con2000|67> generating ID_PROT request 0 [ SA V V V V V ]
Mar 6 14:18:56 charon 07[IKE] <con2000|67> initiating Main Mode IKE_SA con2000[67] to 79.XX.XX.XX
Mar 6 14:18:56 charon 09[CFG] received stroke: initiate 'con2000'
Mar 6 14:18:56 charon 09[CFG] no IKE_SA named 'con2000' found
Mar 6 14:18:56 charon 09[CFG] received stroke: terminate 'con2000'
```

fabio.vigano

To understand whether the packets arrive, the firewall log on the Telecom side is probably more useful :D
Fabio

danilofailli

Hi Fabio,

below are the logs from the two pfSense units:

                  SIMMETRICA Mc Link:

```
Mar 8 11:24:16 charon 13[NET] <76> sending packet: from 84.YY.YY.NN[4500] to 79.XX.XX.XX[4500] (92 bytes)
Mar 8 11:24:16 charon 13[ENC] <76> generating INFORMATIONAL_V1 request 4271193197 [ HASH N(AUTH_FAILED) ]
Mar 8 11:24:16 charon 13[IKE] <76> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 8 11:24:16 charon 13[CFG] <76> looking for pre-shared key peer configs matching 84.YY.YY.NN...79.XX.XX.XX[172.16.1.10]
Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[4500] to 84.YY.YY.NN[4500] (108 bytes)
Mar 8 11:24:16 charon 13[NET] <76> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (244 bytes)
Mar 8 11:24:16 charon 13[ENC] <76> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 8 11:24:16 charon 13[IKE] <76> remote host is behind NAT
Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[500] to 84.YY.YY.NN[500] (244 bytes)
Mar 8 11:24:16 charon 13[NET] <76> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (160 bytes)
Mar 8 11:24:16 charon 13[ENC] <76> generating ID_PROT response 0 [ SA V V V V ]
Mar 8 11:24:16 charon 13[IKE] <76> 79.XX.XX.XX is initiating a Main Mode IKE_SA
Mar 8 11:24:16 charon 13[IKE] <76> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 8 11:24:16 charon 13[IKE] <76> received NAT-T (RFC 3947) vendor ID
Mar 8 11:24:16 charon 13[IKE] <76> received FRAGMENTATION vendor ID
Mar 8 11:24:16 charon 13[IKE] <76> received DPD vendor ID
Mar 8 11:24:16 charon 13[IKE] <76> received XAuth vendor ID
Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ SA V V V V V ]
Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[500] to 84.YY.YY.NN[500] (180 bytes)
```

                  FO Telecom:

```
Mar 8 11:24:16 charon 05[IKE] <con1000|2> received AUTHENTICATION_FAILED error notify
Mar 8 11:24:16 charon 05[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 4271193197 [ HASH N(AUTH_FAILED) ]
Mar 8 11:24:16 charon 05[NET] <con1000|2> received packet: from 84.YY.YY.NN[4500] to 172.16.1.10[4500] (92 bytes)
Mar 8 11:24:16 charon 07[NET] <con1000|2> sending packet: from 172.16.1.10[4500] to 84.YY.YY.NN[4500] (108 bytes)
Mar 8 11:24:16 charon 07[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 8 11:24:16 charon 07[IKE] <con1000|2> local host is behind NAT, sending keep alives
Mar 8 11:24:16 charon 07[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 8 11:24:16 charon 07[NET] <con1000|2> received packet: from 84.YY.YY.NN[500] to 172.16.1.10[500] (244 bytes)
Mar 8 11:24:16 charon 07[NET] <con1000|2> sending packet: from 172.16.1.10[500] to 84.YY.YY.NN[500] (244 bytes)
Mar 8 11:24:16 charon 07[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 8 11:24:16 charon 07[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
Mar 8 11:24:16 charon 07[IKE] <con1000|2> received FRAGMENTATION vendor ID
Mar 8 11:24:16 charon 07[IKE] <con1000|2> received DPD vendor ID
Mar 8 11:24:16 charon 07[IKE] <con1000|2> received XAuth vendor ID
Mar 8 11:24:16 charon 07[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
Mar 8 11:24:16 charon 07[NET] <con1000|2> received packet: from 84.YY.YY.NN[500] to 172.16.1.10[500] (160 bytes)
Mar 8 11:24:16 charon 07[NET] <con1000|2> sending packet: from 172.16.1.10[500] to 84.YY.YY.NN[500] (180 bytes)
Mar 8 11:24:16 charon 07[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
Mar 8 11:24:16 charon 07[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 84.YY.YY.NN
```

Thanks for the valuable support.

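The two log sets in this thread show two distinct failure stages: in the first, the initiator only retransmits its Main Mode request and nothing ever comes back (packets are not reaching the peer on UDP 500/4500), while in the second, phase 1 reaches authentication and the responder rejects it because the peer, sitting behind NAT, identified itself as 172.16.1.10 rather than the public address its packets arrive from. The following classifier is an added example, not code from the thread or from pfSense: it extracts those two signatures from charon log lines. The sample lines are constructed with documentation addresses in place of the masked ones.

```python
import re

# charon line: "Mar 8 11:24:16 charon 13[IKE] <76> msg", "... <con2000|67>msg", or no "<...>" at all
LINE_RE = re.compile(r"charon \d+\[(\w+)\] (?:<[^>]*>\s*)?(.*)$")
# strongSwan prints "matching <local>...<remote>[<peer identity>]"; forum rendering may turn "..." into "…"
PSK_LOOKUP_RE = re.compile(
    r"looking for pre-shared key peer configs matching (\S+?)(?:\.\.\.|…)(\S+?)\[([^\]]+)\]")

def parse(line):
    """Return (log group, message) for a charon line, or None if it is not one."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def classify(lines):
    """Classify one IKE_SA's lines (any order; pfSense shows newest first) as
    NO_RESPONSE (only retransmits), ID_MISMATCH (peer identity differs from its
    source IP), AUTH_FAILED (PSK rejected otherwise) or UNKNOWN."""
    retransmits, received, nat, rejected = 0, False, False, False
    peer_ip = peer_id = None
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        _, msg = parsed
        retransmits += "sending retransmit" in msg
        received |= msg.startswith("received packet")
        nat |= "behind NAT" in msg
        rejected |= "none allows pre-shared key authentication" in msg
        m = PSK_LOOKUP_RE.search(msg)
        if m:
            peer_ip, peer_id = m.group(2), m.group(3)
    if rejected and peer_id and peer_id != peer_ip:
        return ("ID_MISMATCH", f"peer {peer_ip} identified itself as {peer_id}"
                + ("; peer is behind NAT, set the peer identifier to match" if nat else ""))
    if rejected:
        return ("AUTH_FAILED", "phase 1 config exists but PSK/identifier did not match")
    if retransmits and not received:
        return ("NO_RESPONSE", f"{retransmits} retransmits with no reply: UDP 500/4500 not reaching the peer")
    return ("UNKNOWN", "")

# Constructed samples (documentation addresses) mirroring the two log sets above
SAMPLE_NO_REPLY = [
    "Mar 6 14:19:20 charon 05[IKE] <con2000|67>sending retransmit 3 of request message ID 0, seq 1",
    "Mar 6 14:19:07 charon 15[IKE] <con2000|67>sending retransmit 2 of request message ID 0, seq 1",
    "Mar 6 14:18:56 charon 07[NET] <con2000|67>sending packet: from 198.51.100.10[500] to 203.0.113.20[500] (180 bytes)",
]
SAMPLE_ID_MISMATCH = [
    "Mar 8 11:24:16 charon 13[IKE] <76> found 1 matching config, but none allows pre-shared key authentication using Main Mode",
    "Mar 8 11:24:16 charon 13[CFG] <76> looking for pre-shared key peer configs matching 198.51.100.10...203.0.113.20[172.16.1.10]",
    "Mar 8 11:24:16 charon 13[IKE] <76> remote host is behind NAT",
    "Mar 8 11:24:16 charon 13[NET] <76> received packet: from 203.0.113.20[500] to 198.51.100.10[500] (180 bytes)",
]

if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("id mismatch", SAMPLE_ID_MISMATCH)):
        print(name, "->", classify(sample))
```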
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.