Problemas IPSec

nandoiin

Boa tarde,

Estou tendo problema ao configurar o PfSense natiado a partir de outro firewall como IPSec, segue cenário:

Meu lado:
IP 186.x.x.x
Rede Local: 192.168.0.0/24
PfSense: 192.168.0.10

Outro lado:
IP: 187.x.x.x
ID Remoto: 192.168.4.30
Rede remota: 172.25.54.0/29

Estou obtendo o seguinte LOG:

3[NET] sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
13[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (108 bytes)
07[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
 07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
 07[ENC] parsed ID_PROT response 0 [ ID HASH V ]
 07[ENC] <con1000|57>parsed ID_PROT response 0 [ ID HASH V ]
 07[IKE] received DPD vendor ID
 07[IKE] <con1000|57>received DPD vendor ID
 07[IKE] IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
 07[IKE] <con1000|57>IKE_SA con1000[57] established between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
 07[IKE] IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
 07[IKE] <con1000|57>IKE_SA con1000[57] state change: CONNECTING => ESTABLISHED
 07[IKE] scheduling reauthentication in 85704s
 07[IKE] <con1000|57>scheduling reauthentication in 85704s
 07[IKE] maximum IKE_SA lifetime 86244s
 07[IKE] <con1000|57>maximum IKE_SA lifetime 86244s
 07[IKE] activating new tasks
 07[IKE] <con1000|57>activating new tasks
 07[IKE] activating QUICK_MODE task
 07[IKE] <con1000|57>activating QUICK_MODE task
 07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
 07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
 07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
 07[CFG] <con1000|57>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
 07[CFG] proposing traffic selectors for us:
 07[CFG] <con1000|57>proposing traffic selectors for us:
 07[CFG] 192.168.0.25/32|/0
 07[CFG] <con1000|57>192.168.0.25/32|/0
 07[CFG] proposing traffic selectors for other:
 07[CFG] <con1000|57>proposing traffic selectors for other:
 07[CFG] 172.25.54.0/29|/0
 07[CFG] <con1000|57>172.25.54.0/29|/0
 07[ENC] generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
 07[ENC] <con1000|57>generating QUICK_MODE request 2716593543 [ HASH SA No KE ID ID ]
 07[NET] sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
 07[NET] <con1000|57>sending packet: from 192.168.0.10[4500] to 187.x.x.x[4500] (380 bytes)
 07[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
 07[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (428 bytes)
 07[ENC] parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
 07[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 3928564372 [ HASH N(INVAL_ID) ]
 07[IKE] received INVALID_ID_INFORMATION error notify
 07[IKE] <con1000|57>received INVALID_ID_INFORMATION error notify
 13[NET] received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
 13[NET] <con1000|57>received packet: from 187.x.x.x[4500] to 192.168.0.10[4500] (92 bytes)
 13[ENC] parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
 13[ENC] <con1000|57>parsed INFORMATIONAL_V1 request 1831796261 [ HASH D ]
 13[IKE] received DELETE for IKE_SA con1000[57]
 13[IKE] <con1000|57>received DELETE for IKE_SA con1000[57]
 13[IKE] deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]
 13[IKE] <con1000|57>deleting IKE_SA con1000[57] between 192.168.0.10[192.168.0.10]...187.x.x.x[192.168.4.30]</con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57></con1000|57>

nandoiin

Imagens

![phase 1.jpg](/public/imported_attachments/1/phase 1.jpg)
![phase 1.jpg_thumb](/public/imported_attachments/1/phase 1.jpg_thumb)

marcelloc

[HASH SA No KE ID ID ]

[ HASH N(INVAL_ID)

Tenta mudar os identificadores tanto remoto quanto local já que está passando por nat(s)

nandoiin

Alterei todos os identificadores e sempre acontece o mesmo problema.

Resolvi colocar um IP válido no PfSense e fechar o tunnel direto com o outro lado. Com as mesmas configurações já avancei bastante, porém agora o IPSec conecta, fica em torno de 30 segundos e cai..

Jul 11 09:47:43 charon 05[IKE] <con1000|4>sending DPD request
Jul 11 09:47:43 charon 05[IKE] <con1000|4>queueing ISAKMP_DPD task
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating ISAKMP_DPD task
Jul 11 09:47:43 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 3271703021 [ HASH N(DPD) ]
Jul 11 09:47:43 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (92 bytes)
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
Jul 11 09:47:43 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x.[4500] (92 bytes)
Jul 11 09:47:43 charon 05[ENC] <con1000|4>parsed INFORMATIONAL_V1 request 4240920048 [ HASH N(DPD_ACK) ]
Jul 11 09:47:43 charon 05[IKE] <con1000|4>activating new tasks
Jul 11 09:47:43 charon 05[IKE] <con1000|4>nothing to initiate
Jul 11 09:47:47 charon 05[NET] <con1000|4>received packet: from 187.x.x.x[4500] to 186.x.x.x[4500] (396 bytes)
Jul 11 09:47:47 charon 05[ENC] <con1000|4>parsed QUICK_MODE request 378493840 [ HASH SA No KE ID ID N(INITIAL_CONTACT) ]
Jul 11 09:47:47 charon 05[ENC] <con1000|4>received HASH payload does not match
Jul 11 09:47:47 charon 05[IKE] <con1000|4>integrity check failed
Jul 11 09:47:47 charon 05[ENC] <con1000|4>generating INFORMATIONAL_V1 request 2966470392 [ HASH N(INVAL_HASH) ]
Jul 11 09:47:47 charon 05[NET] <con1000|4>sending packet: from 186.x.x.x[4500] to 187.x.x.x[4500] (76 bytes)
Jul 11 09:47:47 charon 05[IKE] <con1000|4>QUICK_MODE request with message ID 378493840 processing failed
Jul 11 09:47:47 charon 08[CFG] vici client 22 connected
Jul 11 09:47:47 charon 08[CFG] vici client 22 registered for: list-sa
Jul 11 09:47:47 charon 05[CFG] vici client 22 requests: list-sas
Jul 11 09:47:47 charon 05[CFG] vici client 22 disconnected</con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4></con1000|4>

Percebo que ele inicia a requisição do HASH e repois gera/recebe o Inval_Hash…. Então a VPN fica seus 30 segundos Established, cai e reconecta. O que pode ser?

marcelloc

Já pesquisou o erro para ver alternativas de versão de ike, main, agressive, etc?

https://wiki.strongswan.org/issues/819

nandoiin

Boa tarde,

Resolvi o problema alterando a Local Network que estava incorreta. Porém comecei a ter problemas de roteamento, pois como funcionava:

Estação(192.168.0.10)->REDE LOCAL (192.168.0.0) -> IPSEC PFS (172.16.200.25/24) ->TUNNEL<- IPSEC CISCO ASA (172.25.54.0/29) <- Rede CLIENTE (192.168.63.0)<- ECliente (192.168.63.23)
ESTAÇÃO <–----------------------------------------------NAT PORTAS X,Y E Z PARA REDE LOCAL

Mas porque não usa no IPSEC direto a rede local? Pois o cliente já possui outra empresa que tem rota para a rede 192.168.0.0, então tive que criar uma interface e fazer NAT para rede local.

O cliente quando pingava para minha rede local, chegava certinho, pois ele tem uma rota assim: ip route 172.16.200.25/32 via 192.168.63.1.

Do meu lado deixei sem rota, pensando que o IPSEC iria criar automaticamente, sem sucesso. Criei a rota destino -> 172.25.54.0/29 gateway ->172.16.200.25. Parava sempre na imagem a seguir.

Enfim, para resolver, coloquei IP virtual direto no servidor na faixa 172.16.200.x e criei uma rota dizendo que todo pacote para rede 172.25.54.0/29 i gateway seria 172.16.200.25 e resolveu.