Netgate Discussion Forum
[RESOLVED] pfSense 2.0RC1 ipsec/mobile client with shrew

• guiparm

Hello everyone,

I'm running into problems with IPsec. The tunnel does not come up (phase 1 failure). I followed the same type of configuration as this tutorial: http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

I tested with OpenVPN and the tunnel comes up without any problem.
Has anyone managed to get it working? If so, I'd be glad to hear how.

mobile client ------>>> WAN (modem with fixed public IP) pfSense ------>>>> LAN

In the firewall rules I opened port 500 (ISAKMP) on the IPsec side, and ports 500 (ISAKMP) and 4500 (IPsec NAT-T) on the WAN.

And here is an excerpt from my logs:
```
      Last 50 IPsec log entries
      Apr 5 13:49:48 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Apr 5 13:49:48 racoon: INFO: received Vendor ID: DPD
      Apr 5 13:49:48 racoon: INFO: received Vendor ID: CISCO-UNITY
      Apr 5 13:49:48 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
      Apr 5 13:49:48 racoon: INFO: Adding remote and local NAT-D payloads.
      Apr 5 13:49:48 racoon: [62.X.X.X] INFO: Hashing 62.X.X.X[59816] with algo #2
      Apr 5 13:49:48 racoon: [109.X.X.X] INFO: Hashing 109.X.X.X[500] with algo #2
      Apr 5 13:49:48 racoon: ERROR: sendto (No buffer space available)
      Apr 5 13:49:48 racoon: ERROR: sendfromto failed
      Apr 5 13:49:48 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f15bd98cdab648c6
      Apr 5 13:49:48 racoon: [62.X.X.X] ERROR: failed to process ph1 packet (side: 1, status: 2).
      Apr 5 13:49:48 racoon: [62.X.X.X] ERROR: phase1 negotiation failed.
      Apr 5 13:49:53 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
      Apr 5 13:49:53 racoon: INFO: begin Aggressive mode.
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: RFC 3947
      Apr 5 13:49:53 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: DPD
      Apr 5 13:49:53 racoon: INFO: received Vendor ID: CISCO-UNITY
      Apr 5 13:49:53 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
      Apr 5 13:49:53 racoon: INFO: Adding remote and local NAT-D payloads.
      Apr 5 13:49:53 racoon: [62.X.X.X] INFO: Hashing 62.X.X.X[59816] with algo #2
      Apr 5 13:49:53 racoon: [109.X.X.X] INFO: Hashing 109.X.X.X[500] with algo #2
      Apr 5 13:49:53 racoon: ERROR: sendto (No buffer space available)
      Apr 5 13:49:53 racoon: ERROR: sendfromto failed
      Apr 5 13:49:53 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f9f40775eb1a471d
      Apr 5 13:49:53 racoon: [62.X.X.X] ERROR: failed to process ph1 packet (side: 1, status: 2).
      Apr 5 13:49:53 racoon: [62.X.X.X] ERROR: phase1 negotiation failed.
      Apr 5 13:49:58 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
      Apr 5 13:49:58 racoon: INFO: begin Aggressive mode.
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: RFC 3947
      Apr 5 13:49:58 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: DPD
      Apr 5 13:49:58 racoon: INFO: received Vendor ID: CISCO-UNITY
      Apr 5 13:49:58 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
      Apr 5 13:49:58 racoon: INFO: Adding remote and local NAT-D payloads.
      Apr 5 13:49:58 racoon: [62.X.X.X] INFO: Hashing 62.X.X.X[59816] with algo #2
      Apr 5 13:49:58 racoon: [109.X.X.X] INFO: Hashing 109.X.X.X[500] with algo #2
      Apr 5 13:49:58 racoon: ERROR: sendto (No buffer space available)
      Apr 5 13:49:58 racoon: ERROR: sendfromto failed
      Apr 5 13:49:58 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:513bac151d520047
      Apr 5 13:49:58 racoon: [62.X.X.X] ERROR: failed to process ph1 packet (side: 1, status: 2).
      Apr 5 13:49:58 racoon: [62.X.X.X] ERROR: phase1 negotiation failed
```

Thanks for your help.
• guiparm

Problem solved.

The answer was in the logs…

Unknown Gateway/Dynamic. And I have 2 WAN links, and the default gateway was WAN1, which I had cut off to run my tests. So I set WAN2 as the default gateway in System -> Routing.

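As an added example (not from the thread, pfSense or racoon itself): a small Python triage script over constructed racoon lines modelled on the ones quoted above. It separates phase 1 attempts that die in sendto() before authentication from ones that fail later, since the former point at routing (in this thread, the default gateway on a downed WAN) rather than at the PSK or proposals. The sample log, the regexes and the verdict strings are all mine.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon lines quoted in the thread (trimmed, not a live capture).
SAMPLE_LOG = """\
Apr 5 13:49:48 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
Apr 5 13:49:48 racoon: INFO: begin Aggressive mode.
Apr 5 13:49:48 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
Apr 5 13:49:48 racoon: ERROR: sendto (No buffer space available)
Apr 5 13:49:48 racoon: ERROR: sendfromto failed
Apr 5 13:49:48 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f15bd98cdab648c6
Apr 5 13:49:48 racoon: [62.X.X.X] ERROR: phase1 negotiation failed.
Apr 5 13:49:53 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
Apr 5 13:49:53 racoon: ERROR: sendto (No buffer space available)
Apr 5 13:49:53 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f9f40775eb1a471d
"""

# "[Unknown Gateway/Dynamic]" is the tag racoon uses for a peer with no fixed address (a mobile client);
# the useful part is the local<=>remote pair that follows it.
NEG_RE = re.compile(r"respond new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
SENDTO_RE = re.compile(r"ERROR: sendto \((.+)\)")
SENDFAIL_RE = re.compile(r"phase1 negotiation failed due to send error\. (\S+)")
ESTABLISHED_RE = re.compile(r"ISAKMP-SA established")

def analyze(log_text):
    attempts = Counter()          # remote peer -> phase 1 negotiations we responded to
    sendto_errors = Counter()     # errno text reported by sendto() -> count
    failed_cookies = []           # ISAKMP cookie pair of each send-side failure
    established = 0
    for line in log_text.splitlines():
        if m := NEG_RE.search(line):
            attempts[m.group(2)] += 1
        elif m := SENDTO_RE.search(line):
            sendto_errors[m.group(1)] += 1
        elif m := SENDFAIL_RE.search(line):
            failed_cookies.append(m.group(1))
        elif ESTABLISHED_RE.search(line):
            established += 1
    total = sum(attempts.values())
    if total and len(failed_cookies) == total and not established:
        # The peer's packet arrived and was parsed; racoon died sending its own reply, which happens
        # before the PSK or proposals are checked. Look at the route back to the peer (in the thread:
        # the default gateway sat on a WAN that was down), not at the IPsec settings.
        verdict = "every phase 1 attempt failed in sendto(); check the default gateway/route to the peer"
    elif failed_cookies:
        verdict = "some phase 1 attempts failed in sendto(); the return path to the peer is unreliable"
    else:
        verdict = "no send-side phase 1 failures"
    return {"attempts": dict(attempts), "sendto_errors": dict(sendto_errors), "failed_cookies": failed_cookies, "established": established, "verdict": verdict}
```

Run it against `/var/log/ipsec.log` (or the text copied from Status -> System Logs -> IPsec) instead of SAMPLE_LOG to triage a real case.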
• ccnet

Let's start with the basic checks:
Are you using a PSK or certificates?
Are there any errors on the WAN interface?
Do the pfSense logs show you arriving on the WAN interface?

Edit: message posted without having seen the previous one.

• guiparm

I'm using a PSK.
I don't think there are any errors on the WAN interface…
And looking at my logs, you can clearly see that traffic arrives on the WAN.

But it's fine, it works now. The error was related to my default gateway.
