[Resolvido] Configuração VPN IPsec Pfsense > CISCO ASA



  • Pessoal, estou tentando facher VPN com um fornecedor, ele utiliza um Cisco ASA IOS 7.4, fase um não conecta, mas ele esta alegando que não viu nenhuma negociação do meu per.

    Segue abaixo os log de negociação no meu pfsense.

    
    May 17 12:14:39	charon		14[NET] <con1000|2>sending packet: from 187.75.y.y[4500] to 200.196.x.x[4500] (172 bytes)
    May 17 12:14:39	charon		14[NET] <con1000|2>received packet: from 200.196.x.x[4500] to 187.75.y.y[4500] (60 bytes)
    May 17 12:14:39	charon		14[ENC] <con1000|2>parsed QUICK_MODE request 1127600998 [ HASH ]
    May 17 12:14:39	charon		14[CHD] <con1000|2>CHILD_SA con1001{5} state change: CREATED => INSTALLING
    May 17 12:14:39	charon		14[CHD] <con1000|2>using 3DES_CBC for encryption
    May 17 12:14:39	charon		14[CHD] <con1000|2>using HMAC_SHA1_96 for integrity
    May 17 12:14:39	charon		14[CHD] <con1000|2>adding inbound ESP SA
    May 17 12:14:39	charon		14[CHD] <con1000|2>SPI 0xc373134f, src 200.196.x.x dst 187.75.y.y
    May 17 12:14:39	charon		14[CHD] <con1000|2>adding outbound ESP SA
    May 17 12:14:39	charon		14[CHD] <con1000|2>SPI 0xc0c4cf49, src 187.75.y.y dst 200.196.x.x
    May 17 12:14:39	charon		14[IKE] <con1000|2>CHILD_SA con1001{5} established with SPIs c373134f_i c0c4cf49_o and TS 192.168.45.0/24|/0 === 192.168.54.0/23|/0
    May 17 12:14:39	charon		14[CHD] <con1000|2>CHILD_SA con1001{5} state change: INSTALLING => INSTALLED
    May 17 12:14:39	charon		12[NET] <con1000|2>received packet: from 200.196.x.x[4500] to 187.75.y.y[4500] (172 bytes)
    May 17 12:14:39	charon		12[ENC] <con1000|2>parsed QUICK_MODE request 2148602807 [ HASH SA No ID ID ]
    May 17 12:14:39	charon		12[CFG] <con1000|2>looking for a child config for 192.168.40.0/22|/0 === 192.168.54.0/23|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>proposing traffic selectors for us:
    May 17 12:14:39	charon		12[CFG] <con1000|2>192.168.40.0/22|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>proposing traffic selectors for other:
    May 17 12:14:39	charon		12[CFG] <con1000|2>192.168.54.0/23|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>candidate "con1000" with prio 5+5
    May 17 12:14:39	charon		12[CFG] <con1000|2>proposing traffic selectors for us:
    May 17 12:14:39	charon		12[CFG] <con1000|2>192.168.45.0/24|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>proposing traffic selectors for other:
    May 17 12:14:39	charon		12[CFG] <con1000|2>192.168.54.0/23|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>found matching child config "con1000" with prio 10
    May 17 12:14:39	charon		12[CFG] <con1000|2>selecting traffic selectors for other:
    May 17 12:14:39	charon		12[CFG] <con1000|2>config: 192.168.54.0/23|/0, received: 192.168.54.0/23|/0 => match: 192.168.54.0/23|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>selecting traffic selectors for us:
    May 17 12:14:39	charon		12[CFG] <con1000|2>config: 192.168.40.0/22|/0, received: 192.168.40.0/22|/0 => match: 192.168.40.0/22|/0
    May 17 12:14:39	charon		12[CFG] <con1000|2>selecting proposal:
    May 17 12:14:39	charon		12[CFG] <con1000|2>proposal matches
    May 17 12:14:39	charon		12[CFG] <con1000|2>received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    May 17 12:14:39	charon		12[CFG] <con1000|2>configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    May 17 12:14:39	charon		12[CFG] <con1000|2>selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    May 17 12:14:39	charon		12[CHD] <con1000|2>CHILD_SA con1000{4} state change: INSTALLED => REKEYING
    May 17 12:14:39	charon		12[IKE] <con1000|2>detected rekeying of CHILD_SA con1000{4}
    May 17 12:14:39	charon		12[ENC] <con1000|2>generating QUICK_MODE response 2148602807 [ HASH SA No ID ID ]
    May 17 12:14:39	charon		12[NET] <con1000|2>sending packet: from 187.75.y.y[4500] to 200.196.x.x[4500] (172 bytes)
    May 17 12:14:39	charon		12[NET] <con1000|2>received packet: from 200.196.x.x[4500] to 187.75.y.y[4500] (60 bytes)
    May 17 12:14:39	charon		12[ENC] <con1000|2>parsed QUICK_MODE request 2148602807 [ HASH ]
    May 17 12:14:39	charon		12[CHD] <con1000|2>CHILD_SA con1000{6} state change: CREATED => INSTALLING
    May 17 12:14:39	charon		12[CHD] <con1000|2>using 3DES_CBC for encryption
    May 17 12:14:39	charon		12[CHD] <con1000|2>using HMAC_SHA1_96 for integrity
    May 17 12:14:39	charon		12[CHD] <con1000|2>adding inbound ESP SA
    May 17 12:14:39	charon		12[CHD] <con1000|2>SPI 0xc6b4f896, src 200.196.x.x dst 187.75.y.y
    May 17 12:14:39	charon		12[CHD] <con1000|2>adding outbound ESP SA
    May 17 12:14:39	charon		12[CHD] <con1000|2>SPI 0xcccf15a7, src 187.75.y.y dst 200.196.x.x
    May 17 12:14:39	charon		12[IKE] <con1000|2>CHILD_SA con1000{6} established with SPIs c6b4f896_i cccf15a7_o and TS 192.168.40.0/22|/0 === 192.168.54.0/23|/0
    May 17 12:14:39	charon		12[CHD] <con1000|2>CHILD_SA con1000{6} state change: INSTALLING => INSTALLED
    May 17 12:14:39	charon		12[CHD] <con1000|2>CHILD_SA con1000{4} state change: REKEYING => REKEYED</con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2> 
    ```![VPN-3.png](/public/_imported_attachments_/1/VPN-3.png)
    ![VPN-3.png_thumb](/public/_imported_attachments_/1/VPN-3.png_thumb)
    ![VPN-4.png](/public/_imported_attachments_/1/VPN-4.png)
    ![VPN-4.png_thumb](/public/_imported_attachments_/1/VPN-4.png_thumb)


  • wesleylc1,

    Tomei a liberdade de mascarar os ips reais do seu log mas ainda tem imagem mostrando o ip real.

    O log que postou, mostra troca de mensagem entre os dois peers, isso deveria estar aparecendo no log da outra ponta da vpn também.

    Como tem negociação de fase2 (esp ), tem certeza que a fase1 não está fechanado?



  • Olá, boa noite Marcello.
    Obrigado pela iniciativa de fazer o mascaramento nos ips que estavam nos meus logs.

    Com relação a sua resposta a onde voce informa que  nos meus log's existe a troca entre dois peers, mas porem esqueci de mencionar que eu já tenho um outro tunel que esta fechado entre a minha matriz e filial, essa troca entre peers deve ser entre essas duas pontas, agora para facilitar o entendimento, eu desabilitei o meu tunel entre matriz e filial e deixei habilitado apenas o tunel que estou tentando fechar com meu fornecedor.

    E com relação ao seu questionamento se esta com negociação com fase2 (esp) esta comunicação se refere ao tunel que já esta OK, matriz e filial.

    May 17 20:57:55	charon		09[NET] <75> sending packet: from 187.75.209.xxx[500] to 200.196.59.yyy[500] (56 bytes)
    May 17 20:57:55	charon		09[IKE] <75> IKE_SA (unnamed)[75] state change: CONNECTING => DESTROYING
    May 17 20:57:57	charon		10[CFG] vici client 50 connected
    May 17 20:57:57	charon		09[CFG] vici client 50 registered for: list-sa
    May 17 20:57:57	charon		09[CFG] vici client 50 requests: list-sas
    May 17 20:57:57	charon		10[CFG] vici client 50 disconnected
    May 17 20:57:57	charon		12[CFG] vici client 51 connected
    May 17 20:57:57	charon		12[CFG] vici client 51 registered for: list-sa
    May 17 20:57:57	charon		10[CFG] vici client 51 requests: list-sas
    May 17 20:57:57	charon		13[CFG] vici client 51 disconnected
    May 17 20:57:58	charon		10[CFG] vici client 52 connected
    May 17 20:57:58	charon		12[CFG] vici client 52 registered for: list-sa
    May 17 20:57:58	charon		12[CFG] vici client 52 requests: list-sas
    May 17 20:57:58	charon		13[CFG] vici client 52 disconnected
    May 17 20:58:00	charon		13[NET] <76> received packet: from 200.196.59.yyy500] to 187.75.209.xxx[500] (176 bytes)
    May 17 20:58:00	charon		13[ENC] <76> parsed ID_PROT request 0 [ SA V V V V V ]
    May 17 20:58:00	charon		13[CFG] <76> looking for an ike config for 187.75.209.xxx...200.196.59.yyy
    May 17 20:58:00	charon		13[CFG] <76> candidate: %any...%any, prio 24
    May 17 20:58:00	charon		13[CFG] <76> found matching ike config: %any...%any with prio 24
    May 17 20:58:00	charon		13[IKE] <76> received XAuth vendor ID
    May 17 20:58:00	charon		13[IKE] <76> received DPD vendor ID
    May 17 20:58:00	charon		13[IKE] <76> received FRAGMENTATION vendor ID
    May 17 20:58:00	charon		13[IKE] <76> received NAT-T (RFC 3947) vendor ID
    May 17 20:58:00	charon		13[IKE] <76> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 17 20:58:00	charon		13[IKE] <76> 200.196.59.yyy is initiating a Main Mode IKE_SA
    May 17 20:58:00	charon		13[IKE] <76> IKE_SA (unnamed)[76] state change: CREATED => CONNECTING
    May 17 20:58:00	charon		13[CFG] <76> selecting proposal:
    May 17 20:58:00	charon		13[CFG] <76> no acceptable ENCRYPTION_ALGORITHM found
    May 17 20:58:00	charon		13[CFG] <76> selecting proposal:
    May 17 20:58:00	charon		13[CFG] <76> proposal matches
    May 17 20:58:00	charon		13[CFG] <76> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 17 20:58:00	charon		13[CFG] <76> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
    May 17 20:58:00	charon		13[CFG] <76> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 17 20:58:00	charon		13[IKE] <76> sending XAuth vendor ID
    May 17 20:58:00	charon		13[IKE] <76> sending DPD vendor ID
    May 17 20:58:00	charon		13[IKE] <76> sending FRAGMENTATION vendor ID
    May 17 20:58:00	charon		13[IKE] <76> sending NAT-T (RFC 3947) vendor ID
    May 17 20:58:00	charon		13[ENC] <76> generating ID_PROT response 0 [ SA V V V V ]
    May 17 20:58:00	charon		13[NET] <76> sending packet: from 187.75.209.xxx[500] to 200.196.59.yyy[500] (156 bytes)
    May 17 20:58:00	charon		13[NET] <76> received packet: from 200.196.59.yyy[500] to 187.75.209.xxx[500] (244 bytes)
    May 17 20:58:00	charon		13[ENC] <76> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 17 20:58:00	charon		13[IKE] <76> remote host is behind NAT
    May 17 20:58:00	charon		13[CFG] <76> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    May 17 20:58:00	charon		13[IKE] <76> no shared key found for 187.75.209.xxx - 200.196.59.yyy
    May 17 20:58:00	charon		13[IKE] <76> queueing INFORMATIONAL task
    May 17 20:58:00	charon		13[IKE] <76> activating new tasks
    May 17 20:58:00	charon		13[IKE] <76> activating INFORMATIONAL task
    May 17 20:58:00	charon		13[ENC] <76> generating INFORMATIONAL_V1 request 564840140 [ N(INVAL_KE) ]
    May 17 20:58:00	charon		13[NET] <76> sending packet: from 187.75.209.xxx[500] to 200.196.59.yyy[500] (56 bytes)
    May 17 20:58:00	charon		13[IKE] <76> IKE_SA (unnamed)[76] state change: CONNECTING => DESTROYING
    

    Mesmo desativando os tuneis entre minha matriz e filiais eu observei que as negociações ainda continua sendo feito, conforme informações no log, nesse log eu não consigo encontrar negociações da ponta Matriz –> Fornecedor.

    Eu anexei alguns print's com status da VPNS.








  • foca nesta parte aqui:

    May 17 20:58:00 charon 13[IKE] <76> 200.196.59.yyy is initiating a Main Mode IKE_SA
    May 17 20:58:00 charon 13[IKE] <76> IKE_SA (unnamed)[76] state change: CREATED => CONNECTING
    May 17 20:58:00 charon 13[CFG] <76> selecting proposal:
    May 17 20:58:00 charon 13[CFG] <76> no acceptable ENCRYPTION_ALGORITHM found



  • @marcelloc:

    foca nesta parte aqui:

    May 17 20:58:00 charon 13[IKE] <76> 200.196.59.yyy is initiating a Main Mode IKE_SA
    May 17 20:58:00 charon 13[IKE] <76> IKE_SA (unnamed)[76] state change: CREATED => CONNECTING
    May 17 20:58:00 charon 13[CFG] <76> selecting proposal:
    May 17 20:58:00 charon 13[CFG] <76> no acceptable ENCRYPTION_ALGORITHM found

    Marcello, bom dia.

    Então essa parte faze referência ao tunel que já esta funcionando, eu fiz uma outra coleta de log a onde tem a tentativa de troca entre as pontas que estão com problemas.

    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>queueing ISAKMP_VENDOR task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>queueing ISAKMP_CERT_PRE task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>queueing MAIN_MODE task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>queueing ISAKMP_CERT_POST task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>queueing ISAKMP_NATD task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>queueing QUICK_MODE task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>activating new tasks
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>activating ISAKMP_VENDOR task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>activating ISAKMP_CERT_PRE task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>activating MAIN_MODE task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>activating ISAKMP_CERT_POST task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>activating ISAKMP_NATD task
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>sending XAuth vendor ID
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>sending DPD vendor ID
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>sending FRAGMENTATION vendor ID
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>sending NAT-T (RFC 3947) vendor ID
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>initiating Main Mode IKE_SA con2000[7] to 201.77.217.70
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>IKE_SA con2000[7] state change: CREATED => CONNECTING
    May 18 09:23:53 PRJGWSP charon: 11[CFG] <con2000|7>configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 18 09:23:53 PRJGWSP charon: 11[ENC] <con2000|7>generating ID_PROT request 0 [ SA V V V V V ]
    May 18 09:23:53 PRJGWSP charon: 11[NET] <con2000|7>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (176 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (116 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>parsed ID_PROT response 0 [ SA V V ]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received NAT-T (RFC 3947) vendor ID
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received FRAGMENTATION vendor ID
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>selecting proposal:
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>proposal matches55.248
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>reinitiating already active tasks
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>ISAKMP_VENDOR task
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>MAIN_MODE task
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (244 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (304 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received Cisco Unity vendor ID
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received XAuth vendor ID
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>received unknown vendor ID: fb:21:43:f4:06:1f:2b:6f:f0:1b:c0:61:cb:f7:43:df
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>reinitiating already active tasks
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>ISAKMP_VENDOR task
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>MAIN_MODE task
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (100 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (84 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>parsed ID_PROT response 0 [ ID HASH V ]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received DPD vendor ID
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>IKE_SA con2000[7] established between 187.75.209.246[187.75.209.246]…201.77.217.70[201.77.217.70]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>IKE_SA con2000[7] state change: CONNECTING => ESTABLISHED
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>activating new tasks
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>activating QUICK_MODE task
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>proposing traffic selectors for us:
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>192.168.40.0/22|/0
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>proposing traffic selectors for other:
    May 18 09:23:53 PRJGWSP charon: 07[CFG] <con2000|7>172.20.3.224/29|/0
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>generating QUICK_MODE request 2020508884 [ HASH SA No KE ID ID ]
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (268 bytes)
    May 18 09:23:53 PRJGWSP charon: 11[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (92 bytes)
    May 18 09:23:53 PRJGWSP charon: 11[ENC] <con2000|7>parsed INFORMATIONAL_V1 request 2948734236 [ HASH N((24576)) ]
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>received (24576) notify
    May 18 09:23:53 PRJGWSP charon: 11[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (308 bytes)
    May 18 09:23:53 PRJGWSP charon: 11[ENC] <con2000|7>parsed INFORMATIONAL_V1 request 2489781574 [ HASH N(INVAL_ID) ]
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>received INVALID_ID_INFORMATION error notify
    May 18 09:23:53 PRJGWSP charon: 11[CHD] <con2000|7>CHILD_SA con2000{47} state change: CREATED => DESTROYING
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (84 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>parsed INFORMATIONAL_V1 request 2777439799 [ HASH D ]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received DELETE for IKE_SA con2000[7]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>deleting IKE_SA con2000[7] between 187.75.209.XXX[187.75.209.XXX]…201.77.217.YY[201.77.217.YY]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>IKE_SA con2000[7] state change: ESTABLISHED => DELETING
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>IKE_SA con2000[7] state change: DELETING => DELETING
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>IKE_SA con2000[7] state change: DELETING => DESTROYING
    May 18 09:23:53 PRJGWSP charon: 07[CFG] vici client 213 connected
    May 18 09:23:53 PRJGWSP charon: 11[CFG] vici client 213 registered for: list-sa
    May 18 09:23:53 PRJGWSP charon: 11[CFG] vici client 213 requests: list-sas
    May 18 09:23:53 PRJGWSP charon: 11[CFG] vici client 213 disconnected
    May 18 09:23:58 PRJGWSP charon: 11[CFG] vici client 214 connected
    May 18 09:23:58 PRJGWSP charon: 06[CFG] vici client 214 registered for: list-sa
    May 18 09:23:58 PRJGWSP charon: 06[CFG] vici client 214 requests: list-sas
    May 18 09:23:58 PRJGWSP charon: 06[CFG] vici client 214 disconnected
    May 18 09:24:03 PRJGWSP charon: 15[CFG] vici client 215 connected
    May 18 09:24:03 PRJGWSP charon: 06[CFG] vici client 215 registered for: list-sa
    May 18 09:24:03 PRJGWSP charon: 16[CFG] vici client 215 requests: list-sas
    May 18 09:24:03 PRJGWSP charon: 16[CFG] vici client 215 disconnected
    May 18 09:24:08 PRJGWSP charon: 15[CFG] vici client 216 connected
    May 18 09:24:08 PRJGWSP charon: 10[CFG] vici client 216 registered for: list-sa
    May 18 09:24:08 PRJGWSP charon: 10[CFG] vici client 216 requests: list-sas
    May 18 09:24:08 PRJGWSP charon: 15[CFG] vici client 216 disconnected
    May 18 09:24:13 PRJGWSP charon: 10[CFG] vici client 217 connected
    May 18 09:24:13 PRJGWSP charon: 12[CFG] vici client 217 registered for: list-sa
    May 18 09:24:13 PRJGWSP charon: 12[CFG] vici client 217 requests: list-sas
    May 18 09:24:13 PRJGWSP charon: 12[CFG] vici client 217 disconnected
    May 18 09:24:18 PRJGWSP charon: 10[CFG] vici client 218 connected
    May 18 09:24:18 PRJGWSP charon: 15[CFG] vici client 218 registered for: list-sa
    May 18 09:24:18 PRJGWSP charon: 10[CFG] vici client 218 requests: list-sas
    May 18 09:24:18 PRJGWSP charon: 10[CFG] vici client 218 disconnected
    May 18 09:24:23 PRJGWSP charon: 15[CFG] vici client 219 connected
    May 18 09:24:23 PRJGWSP charon: 09[CFG] vici client 219 registered for: list-sa
    May 18 09:24:23 PRJGWSP charon: 09[CFG] vici client 219 requests: list-sas
    May 18 09:24:23 PRJGWSP charon: 10[CFG] vici client 219 disconnected</con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7>



  • Olá, boa noite pessoal.
    Estou muito precisando de uma solução para esta caso, alguem pode tentar me ajudar.

    At.te
    Wesley



  • 
    May 18 09:23:53 PRJGWSP charon: 11[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (308 bytes)
    May 18 09:23:53 PRJGWSP charon: 11[ENC] <con2000|7>parsed INFORMATIONAL_V1 request 2489781574 [ HASH N(INVAL_ID) ]
    May 18 09:23:53 PRJGWSP charon: 11[IKE] <con2000|7>received INVALID_ID_INFORMATION error notify
    May 18 09:23:53 PRJGWSP charon: 11[CHD] <con2000|7>CHILD_SA con2000{47} state change: CREATED => DESTROYING
    May 18 09:23:53 PRJGWSP charon: 07[NET] <con2000|7>received packet: from 201.77.217.YY[500] to 187.75.209.XXX[500] (84 bytes)
    May 18 09:23:53 PRJGWSP charon: 07[ENC] <con2000|7>parsed INFORMATIONAL_V1 request 2777439799 [ HASH D ]
    May 18 09:23:53 PRJGWSP charon: 07[IKE] <con2000|7>received DELETE for IKE_SA con2000[7]</con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7></con2000|7> 
    

    Se este trecho faz parte do túnel com problema, veja estes erros de HASH Invalido



  • Marcello, bom dia.

    Os erros de HASH mencionado por você na ultima interação se refere as configurações desse print anexado?




  • Após realizar alteração para IKEv2 minha internet caiu e ele começou a gerar um monte logar.

    May 21 11:04:23 PRJGWSP charon: 14[IKE] <con2|51>retransmit 4 of request with message ID 0
    May 21 11:04:23 PRJGWSP charon: 14[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:05:05 PRJGWSP charon: 16[IKE] <con2|51>retransmit 5 of request with message ID 0
    May 21 11:05:05 PRJGWSP charon: 16[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>giving up after 5 retransmits
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>peer not responding, trying again (3/3)
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>IKE_SA con2[51] state change: CONNECTING => CREATED
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating new tasks
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_VENDOR task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_INIT task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_NATD task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_CERT_PRE task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_AUTH task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_CERT_POST task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_CONFIG task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating CHILD_CREATE task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>activating IKE_AUTH_LIFETIME task
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>initiating IKE_SA con2[51] to 201.77.217.YY
    May 21 11:06:21 PRJGWSP charon: 16[IKE] <con2|51>IKE_SA con2[51] state change: CREATED => CONNECTING
    May 21 11:06:21 PRJGWSP charon: 16[CFG] <con2|51>configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 21 11:06:21 PRJGWSP charon: 16[CFG] <con2|51>sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
    May 21 11:06:21 PRJGWSP charon: 16[ENC] <con2|51>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    May 21 11:06:21 PRJGWSP charon: 16[NET] <con2|51>sending packet: from 187.75.209.XX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:25 PRJGWSP charon: 12[IKE] <con2|51>retransmit 1 of request with message ID 0
    May 21 11:06:25 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:32 PRJGWSP charon: 12[IKE] <con2|51>retransmit 2 of request with message ID 0
    May 21 11:06:32 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:45 PRJGWSP charon: 12[IKE] <con2|51>retransmit 3 of request with message ID 0
    May 21 11:06:45 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:07:08 PRJGWSP charon: 12[IKE] <con2|51>retransmit 4 of request with message ID 0
    May 21 11:07:08 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:07:34 PRJGWSP charon: 12[KNL] creating rekey job for CHILD_SA ESP/0xc5eb5eae/200.196.59.134
    May 21 11:07:34 PRJGWSP charon: 12[IKE] <con1000|27>activating new tasks
    May 21 11:07:34 PRJGWSP charon: 12[IKE] <con1000|27>nothing to initiate</con1000|27></con1000|27></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51>



  • @wesleylc1:

    May 21 11:06:21 PRJGWSP charon: 16[NET] <con2|51>sending packet: from 187.75.209.XX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:25 PRJGWSP charon: 12[IKE] <con2|51>retransmit 1 of request with message ID 0
    May 21 11:06:25 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:32 PRJGWSP charon: 12[IKE] <con2|51>retransmit 2 of request with message ID 0
    May 21 11:06:32 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:06:45 PRJGWSP charon: 12[IKE] <con2|51>retransmit 3 of request with message ID 0
    May 21 11:06:45 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:07:08 PRJGWSP charon: 12[IKE] <con2|51>retransmit 4 of request with message ID 0
    May 21 11:07:08 PRJGWSP charon: 12[NET] <con2|51>sending packet: from 187.75.209.XXX[500] to 201.77.217.YY[500] (334 bytes)
    May 21 11:07:34 PRJGWSP charon: 12[KNL] creating rekey job for CHILD_SA ESP/0xc5eb5eae/200.196.59.134</con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51></con2|51>

    Neste trecho do log, aparentemente a outra ponta está te ignorando. 4 transmissões sem nenhuma resposta.



  • Agora esta com comunicação porem a ponta dele por algum motivo de regra não retorna a minha solicitação?

    Agora por qual motivo que esta caindo a minha internet?



  • Marcelo, agora quando eu habilito o túnel ele retorna com os logs abaixo e minha conexão para internet fica indisponível.

    May 21 11:33:08 charon 08[KNL] creating acquire job for policy 187.75.209.XXX/32|/0 === 201.77.217.YY/32|/0 with reqid {31}
    May 21 11:33:08 charon 12[CFG] ignoring acquire, connection attempt pending
    May 21 11:33:08 charon 12[KNL] creating acquire job for policy 187.75.209.XXX/32|/0 === 201.77.217.YY/32|/0 with reqid {31}
    May 21 11:33:08 charon 12[CFG] ignoring acquire, connection attempt pending
    May 21 11:33:08 charon 12[KNL] creating acquire job for policy 187.75.209.XXX/32|/0 === 201.77.217.YY/32|/0 with reqid {31}
    May 21 11:33:08 charon 08[CFG] ignoring acquire, connection attempt pending
    May 21 11:33:08 charon 12[KNL] creating acquire job for policy 187.75.209.XXX/32|/0 === 201.77.217.YY/32|/0 with reqid {31}
    May 21 11:33:08 charon 16[CFG] ignoring acquire, connection attempt pending
    May 21 11:33:08 charon 16[KNL] creating acquire job for policy 187.75.209.XXX/32|/0 === 201.77.217.YY/32|/0 with reqid {31}
    May 21 11:33:08 charon 16[CFG] ignoring acquire, connection attempt pending
    May 21 11:33:09 charon 16[KNL] creating acquire job for policy 187.75.209.XXX/32|/0 === 201.77.217.YY/32|/0 with reqid {31}



  • Marcelo, boa tarde.

    você me sugere fazer mais algum procedimento?



  • Eu particularmente nunca vi a internet cair quanto habilita o ipsec.



  • Não está caindo quando habilitou o ipsec, está ficando sem conexão quando eu habilito esse túnel, eu estou com ipsec habilitado.



  • Prezados, boa tarde.

    Alguém tem mais alguma dica para tentar me ajudaR?



  • ![@marcelloc said in Configuração VPN IPsec Pfsense > CISCO ASA:

    ascarar os ips reais do seu log

    Marcello, boa tarde.
    Hoje consegui resolver este problema da VPN.
    Segue um print em anexo com os passos que realizei para obter exito.

    Agradeço pela sua atenção.
    0_1527277775746_NAT.png



  • Precisou fazer nat no túnel?



  • @marcelloc Sim, só funcionou após a configuração do NAT.



  • @wesleylc1, só necessidade de configuração de nat quanto a sua faixa de rede também existe na outra ponta do túnel.



  • @marcelloc Sim na outra ponta do tunel tbm tem.