4. IP Sec vpn pfSense -> Zyxel ZyWall 35

IP Sec vpn pfSense -> Zyxel ZyWall 35

  • A

    Возникла следующая проблема:
    раньше все работало нормально, а теперь VPN туннель падает с периодичностью ровно в 60 секунд

    Лог pfsense

    
Feb 29 17:08:01 	racoon: INFO: caught signal 15
Feb 29 17:08:01 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
Feb 29 17:08:06 	racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Feb 29 17:08:06 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Feb 29 17:08:06 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 29 17:08:06 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa [500] used as isakmp port (fd=18)
Feb 29 17:08:06 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
Feb 29 17:08:06 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
Feb 29 17:08:06 	racoon: INFO: unsupported PF_KEY message REGISTER
Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.137.1/32[0] proto=any dir=in
Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.1/32[0] 192.168.137.0/24[0] proto=any dir=out
Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.147.0/24[0] proto=any dir=out
Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.147.0/24[0] 192.168.137.0/24[0] proto=any dir=in
Feb 29 17:08:06 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa[500] used as isakmp port (fd=18)
Feb 29 17:08:06 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
Feb 29 17:08:06 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
Feb 29 17:08:06 	racoon: [ServerOK]: INFO: IPsec-SA request for bbb.bbb.bbb.bbbqueued due to no phase1 found.
Feb 29 17:08:06 	racoon: [ServerOK]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
Feb 29 17:08:06 	racoon: INFO: begin Identity Protection mode.
Feb 29 17:08:06 	racoon: INFO: received Vendor ID: DPD
Feb 29 17:08:06 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Feb 29 17:08:06 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:dbb121f78fcbe351:06ee714f435562b4
Feb 29 17:08:07 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
Feb 29 17:08:07 	racoon: WARNING: attribute has been modified.
Feb 29 17:08:07 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=214188897(0xcc44361)
Feb 29 17:08:07 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=1679825823(0x64201b9f)
Feb 29 17:08:13 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
Feb 29 17:08:13 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, a06b45cae1d3a3ba:0b3b85f84cd3f252:0000853c
Feb 29 17:08:29 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
Feb 29 17:08:29 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, a06b45cae1d3a3ba:0b3b85f84cd3f252:0000853c
Feb 29 17:09:00 	racoon: INFO: caught signal 15
Feb 29 17:09:00 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
Feb 29 17:09:05 	racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Feb 29 17:09:05 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Feb 29 17:09:05 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 29 17:09:05 	racoon: [Self]: INFO:aaa.aaa.aaa.aaa1[500] used as isakmp port (fd=18)
Feb 29 17:09:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
Feb 29 17:09:05 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
Feb 29 17:09:05 	racoon: INFO: unsupported PF_KEY message REGISTER
Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.137.1/32[0] proto=any dir=in
Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.1/32[0] 192.168.137.0/24[0] proto=any dir=out
Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.147.0/24[0] proto=any dir=out
Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.147.0/24[0] 192.168.137.0/24[0] proto=any dir=in
Feb 29 17:09:05 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa[500] used as isakmp port (fd=18)
Feb 29 17:09:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
Feb 29 17:09:05 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
Feb 29 17:09:05 	racoon: [ServerOK]: INFO: IPsec-SA request for bbb.bbb.bbb.bbbqueued due to no phase1 found.
Feb 29 17:09:05 	racoon: [ServerOK]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
Feb 29 17:09:05 	racoon: INFO: begin Identity Protection mode.
Feb 29 17:09:06 	racoon: INFO: received Vendor ID: DPD
Feb 29 17:09:06 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Feb 29 17:09:06 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:a0e693f588fbee45:ad60bfe62cbde305
Feb 29 17:09:06 	racoon: [ServerOK]: INFO: phase2 sa expired aaa.aaa.aaa.aaa-bbb.bbb.bbb.bbb
Feb 29 17:09:06 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
Feb 29 17:09:06 	racoon: WARNING: attribute has been modified.
Feb 29 17:09:06 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=62816176(0x3be7fb0)
Feb 29 17:09:06 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=2464398657(0x92e3bd41)
Feb 29 17:09:07 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
Feb 29 17:09:07 	racoon: [ServerOK]: INFO: phase2 sa deleted aaa.aaa.aaa.aaa-bbb.bbb.bbb.bbb
Feb 29 17:09:07 	racoon: ERROR: status mismatch (db:9 msg:3)
Feb 29 17:09:13 	racoon: [ServerOK]: INFO: respond new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
Feb 29 17:09:13 	racoon: INFO: begin Identity Protection mode.
Feb 29 17:09:13 	racoon: INFO: received Vendor ID: DPD
Feb 29 17:09:13 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Feb 29 17:09:13 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:2098d5bc47b7f88a:ec1f4b8fee0a5df7
Feb 29 17:09:13 	racoon: [ServerOK]: INFO: respond new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
Feb 29 17:09:13 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=154089652(0x92f38b4)
Feb 29 17:09:13 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=1452173945(0x568e6a79)

    zyxel zywall log

    
39
	2012-02-29 17:12:37	Send:[HASH][NOTFY:R_U_THERE_ACK]	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
40
	2012-02-29 17:12:30	IKE Packet Retransmit	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
41
	2012-02-29 17:12:30	The cookie pair is : 0xC54AFD2569A9A56C / 0x2F7C495394915DB8	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
42
	2012-02-29 17:12:30	IKE Packet Retransmit	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
43
	2012-02-29 17:12:30	The cookie pair is : 0x5103E25BC2BA4F06 / 0x996400B086691105	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
44
	2012-02-29 17:12:37	The cookie pair is : 0x968C0C57180634C5 / 0x556B69DB20E83E32	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
47
	2012-02-29 17:12:42 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14997 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
48
	2012-02-29 17:12:42 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14996 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
49
	2012-02-29 17:12:41 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14995 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
50
	2012-02-29 17:12:41 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14994 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
51
	2012-02-29 17:12:41 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14993 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
52
	2012-02-29 17:12:38 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14985 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
53
	2012-02-29 17:12:38 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14984 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
54
	2012-02-29 17:12:38 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14982 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
55
	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14981 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
56
	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14980 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
57
	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14979 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
58
	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14978 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
59
	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14976 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
60
	2012-02-29 17:12:37 	Successful HTTP login 	aaa.aaa.aaa.aaa:14963 	bbb.bbb.bbb.bbb:80 	User:admin
61
	2012-02-29 17:12:33 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
62
	2012-02-29 17:12:37 	Recv:[HASH][NOTFY:R_U_THERE] 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	IKE
63
	2012-02-29 17:12:37 	The cookie pair is : 0x968C0C57180634C5 / 0x556B69DB20E83E32 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	IKE
64
	2012-02-29 17:12:38 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
65
	2012-02-29 17:12:46 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
66
	2012-02-29 17:12:40 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
67
	2012-02-29 17:12:44 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
68
	2012-02-29 17:12:32 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
69
	2012-02-29 17:12:36 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
70
	2012-02-29 17:12:45 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
71
	2012-02-29 17:12:31 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
72
	2012-02-29 17:12:35 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
73
	2012-02-29 17:12:30 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
74
	2012-02-29 17:12:43 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
75
	2012-02-29 17:12:34 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
76
	2012-02-29 17:12:41 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
77
	2012-02-29 17:12:47 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
78
	2012-02-29 17:12:37 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
79
	2012-02-29 17:12:29 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
80
	2012-02-29 17:12:39 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
81
	2012-02-29 17:12:28 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
82
	2012-02-29 17:12:42 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED

    пересоздал туннель, переустанавливал прошивку зухеля - не помогло, перезапуск racoon не помог, помогите плиз разобратся в чём дело

    0
  • A

    Всё спасибо, переустановил пфсенс теперь работает как надо, причину проблемы не нашёл….

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy