IPSec problems



  • Good afternoon,

    I'm having a problem configuring pfSense, NATed behind another firewall, as the IPSec endpoint. Here is the scenario:

    My side:
    IP 186.x.x.x
    Local network: 192.168.0.0/24
    pfSense: 192.168.0.10

    Other side:
    IP: 187.x.x.x
    Remote ID: 192.168.4.30
    Remote network: 172.25.54.0/29

    I'm getting the following log:

    3[NET] sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
    13[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
    07[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
     07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
     07[ENC] parsed ID_PROT response 0 [ ID HASH V ]
     07[ENC] <con1000|57>parsed ID_PROT response 0 [ ID HASH V ]
     07[IKE] received DPD vendor ID
     07[IKE] <con1000|57>received DPD vendor ID
     07[IKE] IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
     07[IKE] <con1000|57>IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
     07[IKE] IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
     07[IKE] <con1000|57>IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
     07[IKE] scheduling reauthentication in 85704s
     07[IKE] <con1000|57>scheduling reauthentication in 85704s
     07[IKE] maximum IKE_SA lifetime 86244s
     07[IKE] <con1000|57>maximum IKE_SA lifetime 86244s
     07[IKE] activating new tasks
     07[IKE] <con1000|57>activating new tasks
     07[IKE] activating QUICK_MODE task
     07[IKE] <con1000|57>activating QUICK_MODE task
     07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
     07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
     07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
     07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
     07[CFG] proposing traffic selectors for us:
     07[CFG] <con1000|57>proposing traffic selectors for us:
     07[CFG] 192.168.0.25/32|/0
     07[CFG] <con1000|57>192.168.0.25/32|/0
     07[CFG] proposing traffic selectors for other:
     07[CFG] <con1000|57>proposing traffic selectors for other:
     07[CFG] 172.25.54.0/29|/0
     07[CFG] <con1000|57>172.25.54.0/29|/0
     07[ENC] generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
     07[ENC] <con1000|57>generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
     07[NET] sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
     07[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
     07[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
     07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
     07[ENC] parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
     07[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
     07[IKE] received INVALID_ID_INFORMATION error notify
     07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
     13[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
     13[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
     13[ENC] parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
     13[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
     13[IKE] received DELETE for IKE_SA con1000[57]
     13[IKE] <con1000|57>received DELETE for IKE_SA con1000[57]
     13[IKE] deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
     13[IKE] <con1000|57>deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
    


  • Images

    ![phase 1.jpg](/public/imported_attachments/1/phase 1.jpg)



  • [HASH SA No KE ID ID ]

    [ HASH N(INVAL_ID)

    Try changing both the remote and local identifiers, since the traffic is going through NAT(s).



  • I changed all the identifiers and the same problem always happens.

    I decided to put a valid IP on the pfSense and bring the tunnel up directly with the other side. With the same settings I've got much further, but now the IPSec connects, stays up for around 30 seconds and drops.

    Jul 11 09:47:43 charon 05[IKE] <con1000|4>sending DPD request
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>queueing ISAKMP_DPD task
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating ISAKMP_DPD task
    Jul 11 09:47:43 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 3271703021 [ HASH N(DPD) ]
    Jul 11 09:47:43 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (92 bytes)
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
    Jul 11 09:47:43 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x.[4500] (92 bytes)
    Jul 11 09:47:43 charon 05[ENC] <con1000|4>parsed INFORMATIONAL_V1 request 4240920048 [ HASH N(DPD_ACK) ]
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
    Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
    Jul 11 09:47:47 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x[4500] (396 bytes)
    Jul 11 09:47:47 charon 05[ENC] <con1000|4>parsed QUICK_MODE request 378493840 [ HASH SA No KE ID ID N(INITIAL_CONTACT) ]
    Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
    Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
    Jul 11 09:47:47 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 2966470392 [ HASH N(INVAL_HASH) ]
    Jul 11 09:47:47 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (76 bytes)
    Jul 11 09:47:47 charon 05[IKE] <con1000|4>QUICK_MODE request with message ID 378493840 processing failed
    Jul 11 09:47:47 charon 08[CFG] vici client 22 connected
    Jul 11 09:47:47 charon 08[CFG] vici client 22 registered for: list-sa
    Jul 11 09:47:47 charon 05[CFG] vici client 22 requests: list-sas
    Jul 11 09:47:47 charon 05[CFG] vici client 22 disconnected

    I notice that it starts the HASH request and then generates/receives the INVAL_HASH... So the VPN stays Established for its 30 seconds, drops and reconnects. What could it be?
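    Both logs in this thread fail in the same place, Phase 2 (Quick Mode): the first with INVALID_ID_INFORMATION after pfSense proposes 192.168.0.25/32 and 172.25.54.0/29 as selectors, the second with a rejected HASH. The script below is an added example, not code from the thread or from pfSense/strongSwan: it parses charon lines in both shapes shown here (bare and syslog-prefixed), pulls out the proposed traffic selectors, and classifies the Phase 2 failure. The sample log is constructed from the thread's line formats.

```python
import re
# Constructed sample in the two charon log shapes seen in this thread (bare and
# syslog-prefixed lines); connection tags and networks mirror the thread.
SAMPLE_LOG = """\
07[CFG] <con1000|57>proposing traffic selectors for us:
07[CFG] <con1000|57>192.168.0.25/32|/0
07[CFG] <con1000|57>proposing traffic selectors for other:
07[CFG] <con1000|57>172.25.54.0/29|/0
07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
"""
# Thread id, facility, optional <conn|id> tag, then the message; re.search skips
# any syslog prefix ("Jul 11 09:47:47 charon ") ahead of the thread id.
LINE_RE = re.compile(r"\d+\[(?P<fac>[A-Z]+)\]\s+(?:<[^|>]+\|\d+>)?(?P<msg>.*)$")
# A traffic-selector line: CIDR followed by "|/0" (any protocol/port).
TS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|")
# Phase 2 failure signatures seen in the thread, mapped to a failure class.
SIGNATURES = {
    "INVALID_ID_INFORMATION": "phase2_id_mismatch",
    "HASH payload does not match": "phase2_hash_mismatch",
    "integrity check failed": "phase2_hash_mismatch",
}
HINTS = {
    "phase2_id_mismatch": "peer rejected the Phase 2 IDs: compare the proposed local/remote networks with the peer's (mind NAT)",
    "phase2_hash_mismatch": "Quick Mode HASH rejected after Phase 1 came up: re-check the Phase 2 local/remote networks on both ends",
}

def analyze(log_text):
    """Extract proposed selectors and classify Phase 2 failures in a charon log."""
    result = {"local_ts": [], "remote_ts": [], "failures": [], "hints": []}
    side = None  # selector list the next CIDR line belongs to, if any
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        fac, msg = m.group("fac"), m.group("msg").strip()
        ts = TS_RE.match(msg)
        if fac == "CFG" and msg.startswith("proposing traffic selectors for"):
            side = "local_ts" if msg.endswith("for us:") else "remote_ts"
        elif fac == "CFG" and side and ts:
            result[side].append(ts.group(1))
        else:
            side = None
            for needle, cls in SIGNATURES.items():
                if needle in msg and cls not in result["failures"]:
                    result["failures"].append(cls)
    result["hints"] = [HINTS[c] for c in result["failures"]]
    return result
```

    Run it over the IPsec log copied from Status > System Logs > IPsec; the "local_ts"/"remote_ts" it prints are what pfSense actually proposed, which is what has to match the peer's Phase 2 networks.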



  • Have you already researched the error to look at alternatives for the IKE version, main, aggressive, etc.?

    https://wiki.strongswan.org/issues/819



  • Good afternoon,

    I solved the problem by changing the Local Network, which was incorrect. However, I started having routing problems. This is how it worked:

    Workstation (192.168.0.10) -> LOCAL NETWORK (192.168.0.0) -> IPSEC PFS (172.16.200.25/24) -> TUNNEL <- IPSEC CISCO ASA (172.25.54.0/29) <- CLIENT network (192.168.63.0) <- Client workstation (192.168.63.23)
    WORKSTATION <–---------------------------------------------- NAT PORTS X, Y AND Z TO THE LOCAL NETWORK

    But why not use the local network directly in the IPSec? Because the client already has another company with a route to the 192.168.0.0 network, so I had to create an interface and NAT to the local network.

    When the client pinged my local network it arrived fine, because they have a route like this: ip route 172.16.200.25/32 via 192.168.63.1.

    On my side I left it without a route, thinking the IPSec would create it automatically, without success. I created the route destination -> 172.25.54.0/29, gateway -> 172.16.200.25. It always stopped at the image below.

    Anyway, to solve it, I put a virtual IP directly on the server in the 172.16.200.x range and created a route saying that every packet to the 172.25.54.0/29 network should use gateway 172.16.200.25, and that solved it.


