[RESOLVED] pfSense 2.0RC1 IPsec/mobile client with Shrew



  • Hello everyone,

    I'm having trouble with IPsec. The tunnel does not come up (phase 1 failure). I followed the same kind of configuration as this tutorial: http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    I tested with OpenVPN and the tunnel comes up without any problem.
    Has anyone managed to get this working? If so, I'd like to know how.

    mobile client ------>>> WAN (modem with fixed public IP) pfSense ------>>>> LAN

    In the firewall rules I opened port 500 (ISAKMP) on the IPsec side, and ports 500 (ISAKMP) and 4500 (IPsec NAT-T) on the WAN.

    Here is an excerpt from my logs:
    ```
    Last 50 IPsec log entries
    Apr 5 13:49:48 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 5 13:49:48 racoon: INFO: received Vendor ID: DPD
    Apr 5 13:49:48 racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 5 13:49:48 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
    Apr 5 13:49:48 racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 5 13:49:48 racoon: [62.X.X.X] INFO: Hashing 62.X.X.X[59816] with algo #2
    Apr 5 13:49:48 racoon: [109.X.X.X] INFO: Hashing 109.X.X.X[500] with algo #2
    Apr 5 13:49:48 racoon: ERROR: sendto (No buffer space available)
    Apr 5 13:49:48 racoon: ERROR: sendfromto failed
    Apr 5 13:49:48 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f15bd98cdab648c6
    Apr 5 13:49:48 racoon: [62.X.X.X] ERROR: failed to process ph1 packet (side: 1, status: 2).
    Apr 5 13:49:48 racoon: [62.X.X.X] ERROR: phase1 negotiation failed.
    Apr 5 13:49:53 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
    Apr 5 13:49:53 racoon: INFO: begin Aggressive mode.
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: RFC 3947
    Apr 5 13:49:53 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: DPD
    Apr 5 13:49:53 racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 5 13:49:53 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
    Apr 5 13:49:53 racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 5 13:49:53 racoon: [62.X.X.X] INFO: Hashing 62.X.X.X[59816] with algo #2
    Apr 5 13:49:53 racoon: [109.X.X.X] INFO: Hashing 109.X.X.X[500] with algo #2
    Apr 5 13:49:53 racoon: ERROR: sendto (No buffer space available)
    Apr 5 13:49:53 racoon: ERROR: sendfromto failed
    Apr 5 13:49:53 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f9f40775eb1a471d
    Apr 5 13:49:53 racoon: [62.X.X.X] ERROR: failed to process ph1 packet (side: 1, status: 2).
    Apr 5 13:49:53 racoon: [62.X.X.X] ERROR: phase1 negotiation failed.
    Apr 5 13:49:58 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
    Apr 5 13:49:58 racoon: INFO: begin Aggressive mode.
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: RFC 3947
    Apr 5 13:49:58 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: DPD
    Apr 5 13:49:58 racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 5 13:49:58 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
    Apr 5 13:49:58 racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 5 13:49:58 racoon: [62.X.X.X] INFO: Hashing 62.X.X.X[59816] with algo #2
    Apr 5 13:49:58 racoon: [109.X.X.X] INFO: Hashing 109.X.X.X[500] with algo #2
    Apr 5 13:49:58 racoon: ERROR: sendto (No buffer space available)
    Apr 5 13:49:58 racoon: ERROR: sendfromto failed
    Apr 5 13:49:58 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:513bac151d520047
    Apr 5 13:49:58 racoon: [62.X.X.X] ERROR: failed to process ph1 packet (side: 1, status: 2).
    Apr 5 13:49:58 racoon: [62.X.X.X] ERROR: phase1 negotiation failed
    ```

    Thanks for your help.


  • Problem solved.

    The answer was in the logs...

    Unknown Gateway/Dynamic. I have 2 WAN links, and the default gateway was WAN1, which I had taken down to run my tests. So I set WAN2 as the default gateway in System -> Routing.
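    The pattern in the excerpt above is easy to miss among the vendor-ID noise: racoon accepts the client's first Aggressive mode packet, selects NAT-T, and then fails on `sendto (No buffer space available)`, i.e. the firewall itself cannot transmit its reply because there is no usable route out (here: the default gateway pointed at a WAN that was down). The script below is an added example, not code from the thread or from pfSense: it groups racoon log lines into phase 1 attempts, records the gateway tag, peer, NAT-T choice and any `sendto` errno, and classifies each attempt so repeated identical failures collapse into one line with a hint about what to check. The sample log is constructed from the thread's own lines plus one invented attempt (peer 198.51.100.7) that ends with racoon's "time up" message, to show a peer-side timeout being told apart from a local send failure. The hint texts are this example's, not racoon's.

```python
import re
from collections import Counter

# Constructed sample in the format of the thread's racoon excerpt: two attempts
# from the same peer that die with the send error seen in the thread, plus one
# constructed attempt (198.51.100.7) that ends with racoon's "time up" message.
SAMPLE_LOG = """\
Apr 5 13:49:53 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
Apr 5 13:49:53 racoon: INFO: begin Aggressive mode.
Apr 5 13:49:53 racoon: [62.X.X.X] INFO: Selected NAT-T version: RFC 3947
Apr 5 13:49:53 racoon: INFO: Adding remote and local NAT-D payloads.
Apr 5 13:49:53 racoon: ERROR: sendto (No buffer space available)
Apr 5 13:49:53 racoon: ERROR: sendfromto failed
Apr 5 13:49:53 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:f9f40775eb1a471d
Apr 5 13:49:53 racoon: [62.X.X.X] ERROR: phase1 negotiation failed.
Apr 5 13:49:58 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>62.X.X.X[59816]
Apr 5 13:49:58 racoon: INFO: begin Aggressive mode.
Apr 5 13:49:58 racoon: ERROR: sendto (No buffer space available)
Apr 5 13:49:58 racoon: ERROR: phase1 negotiation failed due to send error. 6b495174c8bb56aa:513bac151d520047
Apr 5 13:50:30 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 109.X.X.X[500]<=>198.51.100.7[500]
Apr 5 13:50:30 racoon: INFO: begin Aggressive mode.
Apr 5 13:51:00 racoon: [198.51.100.7] ERROR: phase1 negotiation failed due to time up. 0123456789abcdef:fedcba9876543210
"""

# "Mon D HH:MM:SS racoon: [tag] LEVEL: message"; the bracketed tag is optional and
# racoon writes "]:" after the gateway tag but plain "]" after a peer address.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]:? )?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)
NEGOTIATION_RE = re.compile(
    r"respond new phase 1 negotiation: "
    r"(?P<local>[^\[\s]+)\[(?P<lport>\d+)\]<=>(?P<remote>[^\[\s]+)\[(?P<rport>\d+)\]"
)
SENDTO_RE = re.compile(r"^sendto \((?P<errno>[^)]+)\)$")
FAILED_RE = re.compile(r"^phase1 negotiation failed due to (?P<reason>[a-z ]+)\.")

# Hint texts are this example's own wording; the send_error one is the thread's finding.
HINTS = {
    "send_error": "racoon parsed the peer's packet but could not transmit its reply: "
                  "check the default gateway/route for the WAN the peer arrives on",
    "timeout": "peer stopped answering: check UDP 500/4500 rules on WAN and the proposal",
    "incomplete": "no outcome logged for this attempt yet",
    "other": "see racoon's own reason text",
}


def parse_attempts(log_text):
    """Group racoon lines into phase 1 attempts, one dict per negotiation start."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines from other daemons are skipped, not fatal
        tag, level, msg = m.group("tag"), m.group("level"), m.group("msg")
        neg = NEGOTIATION_RE.search(msg)
        if neg:
            current = {
                "started": m.group("ts"),
                "gateway_tag": tag,            # e.g. "Unknown Gateway/Dynamic"
                "local": f"{neg['local']}:{neg['lport']}",
                "remote": f"{neg['remote']}:{neg['rport']}",
                "nat_t": None,
                "sendto_errno": None,
                "reason": None,
            }
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("Selected NAT-T version: "):
            current["nat_t"] = msg.split(": ", 1)[1]
        elif level == "ERROR":
            s, f = SENDTO_RE.match(msg), FAILED_RE.match(msg)
            if s:
                current["sendto_errno"] = s["errno"]
            elif f:
                current["reason"] = f["reason"]
    return attempts


def diagnose(attempt):
    """Map racoon's failure reason to a short verdict keyed into HINTS."""
    reason = attempt["reason"]
    if reason is None:
        return "incomplete"
    if reason == "send error":
        return "send_error"
    if reason == "time up":
        return "timeout"
    return "other"


def summarize(log_text):
    """Return {(remote, verdict): count} so identical repeated failures collapse."""
    counts = Counter()
    for a in parse_attempts(log_text):
        counts[(a["remote"], diagnose(a))] += 1
    return dict(counts)


def report(log_text):
    """One human-readable line per (peer, verdict) pair."""
    return "\n".join(
        f"{remote}: {n} attempt(s) -> {verdict}: {HINTS[verdict]}"
        for (remote, verdict), n in sorted(summarize(log_text).items())
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    On the thread's own excerpt every attempt collapses to a single `send_error` line for 62.X.X.X, which points at the firewall's routing rather than at the Shrew client or the PSK; a `timeout` verdict would instead point at the client side or at the WAN rules for UDP 500/4500.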



  • Let's start with the basic checks:
    Are you using a PSK or certificates?
    Are there any errors on the WAN interface?
    Do the pfSense logs show you arriving on the WAN interface?

    Edit: message posted without having seen the previous one.



  • I'm using a PSK.
    I don't think there are any errors on the WAN interface...
    And looking at my logs, I can clearly see traffic arriving on the WAN.

    But it's fine, it works now. The error was related to my default gateway.

