IPSec problems
-
Good afternoon,
I'm having a problem configuring pfSense NATed behind another firewall for IPSec; here is the scenario:
My side:
IP 186.x.x.x
Local network: 192.168.0.0/24
PfSense: 192.168.0.10
Other side:
IP: 187.x.x.x
Remote ID: 192.168.4.30
Remote network: 172.25.54.0/29
I'm getting the following LOG:
3[NET] sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
13[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
07[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
07[ENC] parsed ID_PROT response 0 [ ID HASH V ]
07[ENC] <con1000|57>parsed ID_PROT response 0 [ ID HASH V ]
07[IKE] received DPD vendor ID
07[IKE] <con1000|57>received DPD vendor ID
07[IKE] IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
07[IKE] <con1000|57>IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
07[IKE] IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
07[IKE] <con1000|57>IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
07[IKE] scheduling reauthentication in 85704s
07[IKE] <con1000|57>scheduling reauthentication in 85704s
07[IKE] maximum IKE_SA lifetime 86244s
07[IKE] <con1000|57>maximum IKE_SA lifetime 86244s
07[IKE] activating new tasks
07[IKE] <con1000|57>activating new tasks
07[IKE] activating QUICK_MODE task
07[IKE] <con1000|57>activating QUICK_MODE task
07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] proposing traffic selectors for us:
07[CFG] <con1000|57>proposing traffic selectors for us:
07[CFG] 192.168.0.25/32|/0
07[CFG] <con1000|57>192.168.0.25/32|/0
07[CFG] proposing traffic selectors for other:
07[CFG] <con1000|57>proposing traffic selectors for other:
07[CFG] 172.25.54.0/29|/0
07[CFG] <con1000|57>172.25.54.0/29|/0
07[ENC] generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
07[ENC] <con1000|57>generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
07[NET] sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
07[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
07[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
07[ENC] parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
07[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
07[IKE] received INVALID_ID_INFORMATION error notify
07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
13[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
13[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
13[ENC] parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
13[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
13[IKE] received DELETE for IKE_SA con1000[57]
13[IKE] <con1000|57>received DELETE for IKE_SA con1000[57]
13[IKE] deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
13[IKE] <con1000|57>deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
-
Images
-
[HASH SA No KE ID ID ]
[ HASH N(INVAL_ID)
Try changing the identifiers, both remote and local, since it is passing through NAT(s).
-
I changed all the identifiers and the same problem always happens.
I decided to put a valid IP on the PfSense and bring the tunnel up directly with the other side. With the same settings I have already made a lot of progress, but now the IPSec connects, stays up for around 30 seconds and drops...
Jul 11 09:47:43 charon 05[IKE] <con1000|4>sending DPD request
Jul 11 09:47:43 charon 05[IKE] <con1000|4>queueing ISAKMP_DPD task
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating ISAKMP_DPD task
Jul 11 09:47:43 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 3271703021 [ HASH N(DPD) ]
Jul 11 09:47:43 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (92 bytes)
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
Jul 11 09:47:43 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x.[4500] (92 bytes)
Jul 11 09:47:43 charon 05[ENC] <con1000|4>parsed INFORMATIONAL_V1 request 4240920048 [ HASH N(DPD_ACK) ]
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
Jul 11 09:47:47 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x[4500] (396 bytes)
Jul 11 09:47:47 charon 05[ENC] <con1000|4>parsed QUICK_MODE request 378493840 [ HASH SA No KE ID ID N(INITIAL_CONTACT) ]
Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
Jul 11 09:47:47 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 2966470392 [ HASH N(INVAL_HASH) ]
Jul 11 09:47:47 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (76 bytes)
Jul 11 09:47:47 charon 05[IKE] <con1000|4>QUICK_MODE request with message ID 378493840 processing failed
Jul 11 09:47:47 charon 08[CFG] vici client 22 connected
Jul 11 09:47:47 charon 08[CFG] vici client 22 registered for: list-sa
Jul 11 09:47:47 charon 05[CFG] vici client 22 requests: list-sas
Jul 11 09:47:47 charon 05[CFG] vici client 22 disconnected
I notice that it starts the HASH request and then generates/receives the Inval_Hash... Then the VPN stays Established for its 30 seconds, drops and reconnects. What could it be?
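Editor's note, not part of the thread: both logs above carry the whole Phase 2 story in a handful of charon lines, and reading them by hand across the doubled pfSense output is error-prone. The script below is an added example (my own code, not pfSense's or strongSwan's) that parses charon log lines in the shape of the two logs in this thread, pulls out the proposed traffic selectors and the IKEv1 notify types, and turns them into the hints an admin would check first. The sample log lines are constructed to match the thread; the line format it expects (optional syslog prefix, worker id, subsystem, optional <conn|sa> tag, message) is an assumption drawn from the lines quoted here.

```python
import re
from dataclasses import dataclass, field

# Constructed samples in the shape of the two logs quoted in this thread
# (pfSense prints each charon line twice, with and without the <conn|sa> tag).
SAMPLE_INVAL_ID = """\
07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
07[CFG] <con1000|57>proposing traffic selectors for us:
07[CFG] <con1000|57>192.168.0.25/32|/0
07[CFG] <con1000|57>proposing traffic selectors for other:
07[CFG] <con1000|57>172.25.54.0/29|/0
07[ENC] <con1000|57>generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
07[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
13[IKE] <con1000|57>received DELETE for IKE_SA con1000[57]
"""

SAMPLE_INVAL_HASH = """\
Jul 11 09:47:47 charon 05[ENC] <con1000|4>parsed QUICK_MODE request 378493840 [ HASH SA No KE ID ID N(INITIAL_CONTACT) ]
Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
Jul 11 09:47:47 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 2966470392 [ HASH N(INVAL_HASH) ]
"""

# Assumed line layout: optional "Mon DD HH:MM:SS charon " prefix, worker id,
# [SUBSYS], optional <conn|ike_sa> tag, then the message text.
LINE_RE = re.compile(
    r"^(?:\w{3} \d{1,2} [\d:]+ charon )?"
    r"(?P<worker>\d+)\[(?P<subsys>[A-Z]+)\]\s*"
    r"(?:<(?P<conn>[^>|]+)\|(?P<sa>\d+)>)?"
    r"(?P<msg>.*)$"
)
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")          # N(INVAL_ID), N(INVAL_HASH), ...
TS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\|/(\d+)$")  # "172.25.54.0/29|/0"


@dataclass
class QuickModeReport:
    proposals: list = field(default_factory=list)
    ts_local: list = field(default_factory=list)       # "proposing traffic selectors for us"
    ts_remote: list = field(default_factory=list)      # "proposing traffic selectors for other"
    sent_notifies: list = field(default_factory=list)
    received_notifies: list = field(default_factory=list)
    sa_deleted: bool = False
    hash_mismatch: bool = False


def parse_charon(text: str) -> QuickModeReport:
    """Collect the Phase 2 facts from charon lines, ignoring everything else."""
    rep = QuickModeReport()
    side = None   # which selector list the next "a.b.c.d/n|/0" line belongs to
    seen = set()  # collapse the doubled pfSense lines by message text
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg in seen:
            continue
        seen.add(msg)
        if msg.startswith("configured proposals:"):
            rep.proposals.append(msg.split(":", 1)[1].strip())
        elif msg == "proposing traffic selectors for us:":
            side = rep.ts_local
        elif msg == "proposing traffic selectors for other:":
            side = rep.ts_remote
        elif (ts := TS_RE.match(msg)) and side is not None:
            side.append(ts.group(1))
        elif msg.startswith("parsed INFORMATIONAL_V1"):
            rep.received_notifies += NOTIFY_RE.findall(msg)
        elif msg.startswith("generating INFORMATIONAL_V1"):
            rep.sent_notifies += NOTIFY_RE.findall(msg)
        elif msg.startswith("received DELETE for IKE_SA"):
            rep.sa_deleted = True
        elif msg == "received HASH payload does not match":
            rep.hash_mismatch = True
    return rep


def diagnose(rep: QuickModeReport) -> list:
    """Turn the collected facts into the checks to run first."""
    hints = []
    if "INVAL_ID" in rep.received_notifies:
        hints.append(
            "peer rejected our Phase 2 identities (INVALID_ID_INFORMATION): we proposed "
            f"local {rep.ts_local} <-> remote {rep.ts_remote}; the peer's Phase 2 "
            "local/remote networks must mirror these exactly"
        )
    if rep.hash_mismatch or "INVAL_HASH" in rep.sent_notifies:
        hints.append(
            "we rejected the peer's QUICK_MODE (HASH payload does not match) although the "
            "IKE_SA is up: re-check the Phase 2 Local/Remote Network on both sides first"
        )
    if rep.sa_deleted:
        hints.append("peer sent DELETE for the IKE_SA, so the tunnel will keep bouncing until Phase 2 agrees")
    return hints


if __name__ == "__main__":
    for sample in (SAMPLE_INVAL_ID, SAMPLE_INVAL_HASH):
        for hint in diagnose(parse_charon(sample)):
            print("-", hint)
```

Paste the pfSense IPsec log into a file and feed it to parse_charon to get the same summary for a real tunnel; the dedupe on message text is deliberate so the doubled lines do not produce doubled selectors.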
-
Have you already searched the error to see alternatives for IKE version, main, aggressive, etc.?
https://wiki.strongswan.org/issues/819
-
Good afternoon,
I solved the problem by changing the Local Network, which was incorrect. But then I started having routing problems; this is how it worked:
Station (192.168.0.10) -> LOCAL NETWORK (192.168.0.0) -> IPSEC PFS (172.16.200.25/24) -> TUNNEL <- IPSEC CISCO ASA (172.25.54.0/29) <- CLIENT network (192.168.63.0) <- Client station (192.168.63.23)
STATION <------------------------------------------------ NAT PORTS X, Y AND Z TO THE LOCAL NETWORK
But why not use the local network directly in the IPSEC? Because the client already has another company that has a route to the 192.168.0.0 network, so I had to create an interface and NAT to the local network.
When the client pinged my local network it arrived fine, because they have a route like this: ip route 172.16.200.25/32 via 192.168.63.1.
On my side I left it without a route, thinking that the IPSEC would create it automatically, without success. I created the route destination -> 172.25.54.0/29 gateway -> 172.16.200.25. It always stopped at the following image.
Anyway, to solve it, I put a virtual IP directly on the server in the 172.16.200.x range and created a route saying that for every packet to the 172.25.54.0/29 network the gateway would be 172.16.200.25, and that solved it.