VPN - FO Telecom - IPSec - Simmetrica MC Link



  • Good evening everyone,

    I am running into a problem with an IPSec VPN connection between:

    Telecom FO  <-> Simmetrica MC Link

    I should say up front that I have the same VPN between two Simmetrica MC Link lines and everything works correctly.

    The configuration diagram is attached.

    Thanks in advance to everyone

    Danilo
    ![Schema VPN.PNG](/public/imported_attachments/1/Schema VPN.PNG)



  • Hi,
    Granted that more information would be needed, the only thing I would guess from looking at the diagram is a NAT problem on the Telecom connectivity.
    Try checking the router configuration.
    Bye



  • Hi Fabio,

    that is the same guess I made, since the router is the Telecom one; anyway, on the Telecom router I have opened 4500 and 500 TCP/UDP.

    In the meantime I have ordered a TP-Link router, so I can also try with another product.

    If you tell me what other info you need, I will post it.

    Thanks



  • Is there anything in the logs about the error?
    Are there connection attempts, or not even those?
    Fabio



  • Hi Fabio,

    below are the logs from the pfSense connected to the Simmetrica MC Link:

    Time Process PID Message
    Mar 6 14:19:20 charon 05[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
    Mar 6 14:19:20 charon 05[IKE] <con2000|67> sending retransmit 3 of request message ID 0, seq 1
    Mar 6 14:19:07 charon 15[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
    Mar 6 14:19:07 charon 15[IKE] <con2000|67> sending retransmit 2 of request message ID 0, seq 1
    Mar 6 14:19:00 charon 13[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
    Mar 6 14:19:00 charon 13[IKE] <con2000|67> sending retransmit 1 of request message ID 0, seq 1
    Mar 6 14:18:56 charon 07[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
    Mar 6 14:18:56 charon 07[ENC] <con2000|67> generating ID_PROT request 0 [ SA V V V V V ]
    Mar 6 14:18:56 charon 07[IKE] <con2000|67> initiating Main Mode IKE_SA con2000[67] to 79.XX.XX.XX
    Mar 6 14:18:56 charon 09[CFG] received stroke: initiate 'con2000'
    Mar 6 14:18:56 charon 09[CFG] no IKE_SA named 'con2000' found
    Mar 6 14:18:56 charon 09[CFG] received stroke: terminate 'con2000'



  • To figure out whether the packets arrive, the firewall log on the Telecom side is probably more useful :D
    Fabio



  • Hi Fabio,

    below are the logs of the two pfSense boxes:

    SIMMETRICA Mc Link:

    Mar 8 11:24:16 charon 13[NET] <76> sending packet: from 84.YY.YY.NN[4500] to 79.XX.XX.XX[4500] (92 bytes)
    Mar 8 11:24:16 charon 13[ENC] <76> generating INFORMATIONAL_V1 request 4271193197 [ HASH N(AUTH_FAILED) ]
    Mar 8 11:24:16 charon 13[IKE] <76> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Mar 8 11:24:16 charon 13[CFG] <76> looking for pre-shared key peer configs matching 84.YY.YY.NN...79.XX.XX.XX[172.16.1.10]
    Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[4500] to 84.YY.YY.NN[4500] (108 bytes)
    Mar 8 11:24:16 charon 13[NET] <76> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (244 bytes)
    Mar 8 11:24:16 charon 13[ENC] <76> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Mar 8 11:24:16 charon 13[IKE] <76> remote host is behind NAT
    Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[500] to 84.YY.YY.NN[500] (244 bytes)
    Mar 8 11:24:16 charon 13[NET] <76> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (160 bytes)
    Mar 8 11:24:16 charon 13[ENC] <76> generating ID_PROT response 0 [ SA V V V V ]
    Mar 8 11:24:16 charon 13[IKE] <76> 79.XX.XX.XX is initiating a Main Mode IKE_SA
    Mar 8 11:24:16 charon 13[IKE] <76> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 8 11:24:16 charon 13[IKE] <76> received NAT-T (RFC 3947) vendor ID
    Mar 8 11:24:16 charon 13[IKE] <76> received FRAGMENTATION vendor ID
    Mar 8 11:24:16 charon 13[IKE] <76> received DPD vendor ID
    Mar 8 11:24:16 charon 13[IKE] <76> received XAuth vendor ID
    Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ SA V V V V V ]
    Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[500] to 84.YY.YY.NN[500] (180 bytes)

    FO Telecom:

    Mar 8 11:24:16 charon 05[IKE] <con1000|2> received AUTHENTICATION_FAILED error notify
    Mar 8 11:24:16 charon 05[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 4271193197 [ HASH N(AUTH_FAILED) ]
    Mar 8 11:24:16 charon 05[NET] <con1000|2> received packet: from 84.YY.YY.NN[4500] to 172.16.1.10[4500] (92 bytes)
    Mar 8 11:24:16 charon 07[NET] <con1000|2> sending packet: from 172.16.1.10[4500] to 84.YY.YY.NN[4500] (108 bytes)
    Mar 8 11:24:16 charon 07[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Mar 8 11:24:16 charon 07[IKE] <con1000|2> local host is behind NAT, sending keep alives
    Mar 8 11:24:16 charon 07[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Mar 8 11:24:16 charon 07[NET] <con1000|2> received packet: from 84.YY.YY.NN[500] to 172.16.1.10[500] (244 bytes)
    Mar 8 11:24:16 charon 07[NET] <con1000|2> sending packet: from 172.16.1.10[500] to 84.YY.YY.NN[500] (244 bytes)
    Mar 8 11:24:16 charon 07[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Mar 8 11:24:16 charon 07[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
    Mar 8 11:24:16 charon 07[IKE] <con1000|2> received FRAGMENTATION vendor ID
    Mar 8 11:24:16 charon 07[IKE] <con1000|2> received DPD vendor ID
    Mar 8 11:24:16 charon 07[IKE] <con1000|2> received XAuth vendor ID
    Mar 8 11:24:16 charon 07[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
    Mar 8 11:24:16 charon 07[NET] <con1000|2> received packet: from 84.YY.YY.NN[500] to 172.16.1.10[500] (160 bytes)
    Mar 8 11:24:16 charon 07[NET] <con1000|2> sending packet: from 172.16.1.10[500] to 84.YY.YY.NN[500] (180 bytes)
    Mar 8 11:24:16 charon 07[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
    Mar 8 11:24:16 charon 07[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 84.YY.YY.NN

    Thanks for the valuable support.
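The two charon logs posted above show two different failure stages: on Mar 6 the initiator never gets a reply on UDP/500 (only retransmits), while on Mar 8 the peers do exchange the first four main-mode messages, the responder detects the Telecom side is behind NAT, and then rejects the ID payload because the initiator identifies itself as 172.16.1.10 (its private WAN address) while its packets arrive from 79.XX.XX.XX. The following triage script is an added example, not code from the thread or from pfSense/strongSwan; it runs over lines copied from the posted logs (reordered oldest-first and embedded as constructed samples) and tells the two stages apart. The verdict strings and the class/field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples, copied from the two charon logs posted in this thread
# (pfSense / strongSwan, IKEv1 main mode with a pre-shared key). pfSense lists
# the newest line first; they are reordered oldest-first here.
INITIATOR_NO_REPLY = """\
Mar 6 14:18:56 charon 07[IKE] <con2000|67> initiating Main Mode IKE_SA con2000[67] to 79.XX.XX.XX
Mar 6 14:18:56 charon 07[NET] <con2000|67> sending packet: from 84.YY.YY.NN[500] to 79.XX.XX.XX[500] (180 bytes)
Mar 6 14:19:00 charon 13[IKE] <con2000|67> sending retransmit 1 of request message ID 0, seq 1
Mar 6 14:19:07 charon 15[IKE] <con2000|67> sending retransmit 2 of request message ID 0, seq 1
Mar 6 14:19:20 charon 05[IKE] <con2000|67> sending retransmit 3 of request message ID 0, seq 1
"""

RESPONDER_AUTH_FAILED = """\
Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[500] to 84.YY.YY.NN[500] (180 bytes)
Mar 8 11:24:16 charon 13[IKE] <76> 79.XX.XX.XX is initiating a Main Mode IKE_SA
Mar 8 11:24:16 charon 13[IKE] <76> remote host is behind NAT
Mar 8 11:24:16 charon 13[NET] <76> received packet: from 79.XX.XX.XX[4500] to 84.YY.YY.NN[4500] (108 bytes)
Mar 8 11:24:16 charon 13[ENC] <76> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 8 11:24:16 charon 13[CFG] <76> looking for pre-shared key peer configs matching 84.YY.YY.NN...79.XX.XX.XX[172.16.1.10]
Mar 8 11:24:16 charon 13[IKE] <76> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 8 11:24:16 charon 13[ENC] <76> generating INFORMATIONAL_V1 request 4271193197 [ HASH N(AUTH_FAILED) ]
"""

RE_RECEIVED = re.compile(r"received packet: from (\S+)\[(\d+)\]")
RE_RETRANSMIT = re.compile(r"sending retransmit (\d+) of request")
RE_NAT = re.compile(r"(remote|local) host is behind NAT")
# strongSwan prints "me...peer[peer-id]"; accept a Unicode ellipsis too, as in the web copy
RE_PSK_LOOKUP = re.compile(r"peer configs matching (\S+?)(?:\.\.\.|\u2026)(\S+?)\[([^\]]+)\]")


@dataclass
class Triage:
    packets_received: int = 0
    last_port_seen: Optional[int] = None      # 500 before NAT-T float, 4500 after
    max_retransmit: int = 0
    nat_side: Optional[str] = None            # "remote" or "local"
    peer_addr: Optional[str] = None           # address the peer's packets come from
    peer_id: Optional[str] = None             # identity carried in the peer's ID payload
    psk_config_rejected: bool = False
    auth_failed: bool = False
    verdict: str = "no IKE activity found"


def triage(log: str) -> Triage:
    """Classify a charon IKEv1 main-mode log into the failure stages seen in this thread."""
    t = Triage()
    for line in log.splitlines():
        if m := RE_RECEIVED.search(line):
            t.packets_received += 1
            t.last_port_seen = int(m.group(2))
        if m := RE_RETRANSMIT.search(line):
            t.max_retransmit = max(t.max_retransmit, int(m.group(1)))
        if m := RE_NAT.search(line):
            t.nat_side = m.group(1)
        if m := RE_PSK_LOOKUP.search(line):
            t.peer_addr, t.peer_id = m.group(2), m.group(3)
        if "none allows pre-shared key authentication" in line:
            t.psk_config_rejected = True
        if "AUTH_FAILED" in line or "AUTHENTICATION_FAILED" in line:
            t.auth_failed = True

    if t.packets_received == 0 and t.max_retransmit > 0:
        t.verdict = ("no reply: UDP/500 never reaches the peer, so check NAT/port forwarding "
                     "and filtering in the path before touching keys or proposals")
    elif t.psk_config_rejected and t.peer_id and t.peer_id != t.peer_addr:
        t.verdict = (f"identity mismatch: peer sends ID {t.peer_id} but arrives from {t.peer_addr}; "
                     f"the responder's peer identifier must match the ID actually sent, "
                     f"or the NAT'd initiator must send its public address as its identifier")
    elif t.auth_failed:
        t.verdict = "authentication failed: check the pre-shared key and identifiers on both sides"
    elif t.packets_received:
        t.verdict = "phase 1 traffic is flowing, no known failure pattern matched"
    return t


if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_NO_REPLY), ("responder", RESPONDER_AUTH_FAILED)):
        print(f"{name}: {triage(log).verdict}")
```

The order of the checks matters: the retransmit-with-no-reply case is tested first because a NAT or filter problem in the path makes every later symptom (PSK, identifiers, proposals) unreachable and meaningless, which is why the "firewall log on the Telecom side" question in the thread is the right first step. Only once packets flow both ways does the ID-versus-source-address comparison on the responder tell you which identifier to change.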