Netgate Discussion Forum
IPSec Problems

    Portuguese
nandoiin

Good afternoon,

I'm having a problem configuring pfSense, NATed behind another firewall, as an IPSec endpoint. Here is the scenario:

My side:
IP: 186.x.x.x
Local network: 192.168.0.0/24
pfSense: 192.168.0.10

Other side:
IP: 187.x.x.x
Remote ID: 192.168.4.30
Remote network: 172.25.54.0/29

I'm getting the following log:

13[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
07[ENC] <con1000|57>parsed ID_PROT response 0 [ ID HASH V ]
07[IKE] <con1000|57>received DPD vendor ID
07[IKE] <con1000|57>IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
07[IKE] <con1000|57>IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
07[IKE] <con1000|57>scheduling reauthentication in 85704s
07[IKE] <con1000|57>maximum IKE_SA lifetime 86244s
07[IKE] <con1000|57>activating new tasks
07[IKE] <con1000|57>activating QUICK_MODE task
07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] <con1000|57>proposing traffic selectors for us:
07[CFG] <con1000|57>192.168.0.25/32|/0
07[CFG] <con1000|57>proposing traffic selectors for other:
07[CFG] <con1000|57>172.25.54.0/29|/0
07[ENC] <con1000|57>generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
07[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
07[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
13[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
13[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
13[IKE] <con1000|57>received DELETE for IKE_SA con1000[57]
13[IKE] <con1000|57>deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
      
nandoiin

Images

![phase 1.jpg](/public/imported_attachments/1/phase 1.jpg)
geral.jpg

marcelloc

[ HASH SA No KE ID ID ]

[ HASH N(INVAL_ID) ]

Try changing the identifiers, both remote and local, since it is passing through NAT(s).

Elite Training: http://sys-squad.com

          Help a community developer! ;D

nandoiin

I changed all the identifiers and the same problem keeps happening.

I decided to put a public IP on the pfSense and bring the tunnel up directly with the other side. With the same settings I have got much further, but now IPSec connects, stays up for around 30 seconds and drops.

            Jul 11 09:47:43 charon 05[IKE] <con1000|4>sending DPD request
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>queueing ISAKMP_DPD task
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating ISAKMP_DPD task
            Jul 11 09:47:43 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 3271703021 [ HASH N(DPD) ]
            Jul 11 09:47:43 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (92 bytes)
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
Jul 11 09:47:43 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x[4500] (92 bytes)
            Jul 11 09:47:43 charon 05[ENC] <con1000|4>parsed INFORMATIONAL_V1 request 4240920048 [ HASH N(DPD_ACK) ]
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
            Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
            Jul 11 09:47:47 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x[4500] (396 bytes)
            Jul 11 09:47:47 charon 05[ENC] <con1000|4>parsed QUICK_MODE request 378493840 [ HASH SA No KE ID ID N(INITIAL_CONTACT) ]
            Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
            Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
            Jul 11 09:47:47 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 2966470392 [ HASH N(INVAL_HASH) ]
            Jul 11 09:47:47 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (76 bytes)
            Jul 11 09:47:47 charon 05[IKE] <con1000|4>QUICK_MODE request with message ID 378493840 processing failed
            Jul 11 09:47:47 charon 08[CFG] vici client 22 connected
            Jul 11 09:47:47 charon 08[CFG] vici client 22 registered for: list-sa
            Jul 11 09:47:47 charon 05[CFG] vici client 22 requests: list-sas
Jul 11 09:47:47 charon 05[CFG] vici client 22 disconnected

I notice that it starts the HASH request and then generates/receives the Inval_Hash... So the VPN stays Established for its 30 seconds, drops and reconnects. What could it be?

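The two charon excerpts in this thread (the INVAL_ID exchange in the first post and the INVAL_HASH exchange in the post just above) can be triaged mechanically. The following is an added example written for this thread, not pfSense or strongSwan code: it parses charon's IKEv1 log lines, reports whether Phase 1 completed, which error notify ended Quick Mode and in which direction it travelled, and compares the traffic selectors pfSense proposed with the networks the tunnel is expected to carry. The sample lines are condensed copies of the posted logs with the addresses masked as the poster masked them; the `ERROR_NOTIFIES` descriptions and the expected networks handed to `analyze()` are the example's own choices.

```python
"""Triage a strongSwan (charon) IKEv1 log excerpt: did Phase 1 complete, did
Quick Mode run, which error notify ended it, and do the proposed traffic
selectors match what the tunnel is supposed to carry.

Added example for this forum thread, not pfSense or strongSwan code.  The two
samples are condensed from the logs posted in the thread (constructed input).
"""
import re
from ipaddress import ip_network

# Sample 1: Phase 1 succeeds, the peer answers our Quick Mode with INVAL_ID.
SAMPLE_INVAL_ID = """\
07[IKE] <con1000|57>IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
07[IKE] <con1000|57>activating QUICK_MODE task
07[CFG] <con1000|57>proposing traffic selectors for us:
07[CFG] <con1000|57>192.168.0.25/32|/0
07[CFG] <con1000|57>proposing traffic selectors for other:
07[CFG] <con1000|57>172.25.54.0/29|/0
07[ENC] <con1000|57>generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
07[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
13[IKE] <con1000|57>received DELETE for IKE_SA con1000[57]
"""

# Sample 2: the IKE_SA is alive (DPD answered); the peer's Quick Mode request
# fails our HASH check and we reply with INVAL_HASH.
SAMPLE_INVAL_HASH = """\
Jul 11 09:47:43 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 3271703021 [ HASH N(DPD) ]
Jul 11 09:47:43 charon 05[ENC] <con1000|4>parsed INFORMATIONAL_V1 request 4240920048 [ HASH N(DPD_ACK) ]
Jul 11 09:47:47 charon 05[ENC] <con1000|4>parsed QUICK_MODE request 378493840 [ HASH SA No KE ID ID N(INITIAL_CONTACT) ]
Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
Jul 11 09:47:47 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 2966470392 [ HASH N(INVAL_HASH) ]
"""

# Optional syslog prefix, charon thread id, [subsystem], optional <conn|ikesa> tag, message.
LINE_RE = re.compile(
    r"^(?:\S+ +\d+ [\d:]+ charon )?(?P<thread>\d+)\[(?P<sub>\w+)\]\s*"
    r"(?:<(?P<conn>[^>]+)>)?\s*(?P<msg>.*)$")
TS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\|/\d+$")   # e.g. "192.168.0.25/32|/0"
NOTIFY_RE = re.compile(r"N\((\w+)\)")                      # e.g. "[ HASH N(INVAL_ID) ]"

# Error notifies as charon abbreviates them in payload dumps (example's own wording).
ERROR_NOTIFIES = {
    "INVAL_ID": "INVALID_ID_INFORMATION: peer rejected the Phase 2 IDs (traffic "
                "selectors); both sides' local/remote networks, including any NAT "
                "of the local network, must agree",
    "INVAL_HASH": "INVALID_HASH_INFORMATION: the HASH payload of the Quick Mode "
                  "exchange did not verify",
    "NO_PROP": "NO_PROPOSAL_CHOSEN: no matching Phase 2 proposal",
}


def parse_lines(text):
    """Yield (subsystem, message) for every line that looks like charon output."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["sub"], m["msg"].strip()


def analyze(text, expected_local=None, expected_remote=None):
    """Describe how far the IKEv1 negotiation got and why it stopped."""
    r = {"phase1_established": False, "quick_mode_seen": False,
         "local_ts": [], "remote_ts": [], "error_notifies": [],
         "hash_check_failed": False, "ike_sa_deleted": False, "ts_mismatch": []}
    side = None
    for _sub, msg in parse_lines(text):
        # A DPD ack can only be parsed over an IKE_SA that already exists.
        if ("IKE_SA" in msg and "established" in msg) or "N(DPD_ACK)" in msg:
            r["phase1_established"] = True
        if "QUICK_MODE" in msg:
            r["quick_mode_seen"] = True
        if msg.startswith("proposing traffic selectors for "):
            side = "local_ts" if msg.endswith("for us:") else "remote_ts"
            continue
        ts = TS_RE.match(msg)
        if ts and side:
            r[side].append(ip_network(ts.group(1), strict=False))
            continue
        side = None                                    # selector list has ended
        direction = "received" if msg.startswith("parsed") else "sent"
        for name in NOTIFY_RE.findall(msg):
            if name in ERROR_NOTIFIES:
                r["error_notifies"].append((name, direction))
        if "HASH payload does not match" in msg:
            r["hash_check_failed"] = True
        if "received DELETE for IKE_SA" in msg:
            r["ike_sa_deleted"] = True
    # Phase 2 only completes when both peers propose exactly the same pair of networks.
    for key, expected in (("local_ts", expected_local), ("remote_ts", expected_remote)):
        if expected and r[key] and ip_network(expected, strict=False) not in r[key]:
            r["ts_mismatch"].append(key)
    return r


def diagnose(result):
    """One-line verdict built from analyze()'s result."""
    if not result["phase1_established"]:
        return "Phase 1 (IKE_SA) not established in this excerpt"
    if result["error_notifies"]:
        name, direction = result["error_notifies"][0]
        verdict = f"Phase 1 OK; Quick Mode failed, {direction} {ERROR_NOTIFIES[name]}"
    elif result["hash_check_failed"]:
        verdict = "Phase 1 OK; a Quick Mode message failed the HASH check"
    else:
        return "Phase 1 OK; no Phase 2 error in this excerpt"
    if result["ts_mismatch"]:
        verdict += "; proposed " + "/".join(result["ts_mismatch"]) + " differ from expected"
    return verdict


if __name__ == "__main__":
    for sample in (SAMPLE_INVAL_ID, SAMPLE_INVAL_HASH):
        print(diagnose(analyze(sample, expected_local="192.168.0.0/24",
                               expected_remote="172.25.54.0/29")))
```

Run against the first log with `expected_local` set to the 192.168.0.0/24 the poster lists, it flags that pfSense actually proposed 192.168.0.25/32 as its local selector, which is the kind of Phase 2 "Local Network" mismatch the poster reports fixing in the final post. For the second log it shows the IKE_SA is alive and that it is our side that sends INVAL_HASH after the peer's Quick Mode request fails the HASH check, so the fault is in the Phase 2 exchange, not in Phase 1 authentication.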
marcelloc

Have you already researched the error to look at alternatives for the IKE version, main, aggressive, etc.?

              https://wiki.strongswan.org/issues/819


nandoiin

Good afternoon,

I solved the problem by changing the Local Network, which was incorrect. But then I started having routing problems, because this is how it worked:

Workstation (192.168.0.10) -> LOCAL NETWORK (192.168.0.0) -> IPSEC PFS (172.16.200.25/24) -> TUNNEL <- IPSEC CISCO ASA (172.25.54.0/29) <- CLIENT network (192.168.63.0) <- client workstation (192.168.63.23)
WORKSTATION <---------------------------------------------- NAT OF PORTS X, Y AND Z TO THE LOCAL NETWORK

But why not use the local network directly in IPSEC? Because the client already has another company that has a route to the 192.168.0.0 network, so I had to create an interface and NAT to the local network.

When the client pinged my local network, it arrived fine, because it has a route like this: ip route 172.16.200.25/32 via 192.168.63.1.

On my side I left it without a route, thinking IPSEC would create it automatically, without success. I created the route destination -> 172.25.54.0/29, gateway -> 172.16.200.25. It always stopped at the following image.

In the end, to solve it, I put a virtual IP directly on the server in the 172.16.200.x range and created a route saying that every packet for the 172.25.54.0/29 network has 172.16.200.25 as its gateway, and that solved it.

i90^cimgpsh_orig.png

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.