IPsec VPN pfSense -> Zyxel ZyWall 35



  • I've run into the following problem:
    everything used to work fine, but now the VPN tunnel drops exactly every 60 seconds.

    pfSense log

    
    Feb 29 17:08:01 	racoon: INFO: caught signal 15
    Feb 29 17:08:01 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
    Feb 29 17:08:06 	racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    Feb 29 17:08:06 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Feb 29 17:08:06 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 29 17:08:06 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa [500] used as isakmp port (fd=18)
    Feb 29 17:08:06 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
    Feb 29 17:08:06 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
    Feb 29 17:08:06 	racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.137.1/32[0] proto=any dir=in
    Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.1/32[0] 192.168.137.0/24[0] proto=any dir=out
    Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.147.0/24[0] proto=any dir=out
    Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.147.0/24[0] 192.168.137.0/24[0] proto=any dir=in
    Feb 29 17:08:06 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa[500] used as isakmp port (fd=18)
    Feb 29 17:08:06 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
    Feb 29 17:08:06 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
    Feb 29 17:08:06 	racoon: [ServerOK]: INFO: IPsec-SA request for bbb.bbb.bbb.bbbqueued due to no phase1 found.
    Feb 29 17:08:06 	racoon: [ServerOK]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
    Feb 29 17:08:06 	racoon: INFO: begin Identity Protection mode.
    Feb 29 17:08:06 	racoon: INFO: received Vendor ID: DPD
    Feb 29 17:08:06 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Feb 29 17:08:06 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:dbb121f78fcbe351:06ee714f435562b4
    Feb 29 17:08:07 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
    Feb 29 17:08:07 	racoon: WARNING: attribute has been modified.
    Feb 29 17:08:07 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=214188897(0xcc44361)
    Feb 29 17:08:07 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=1679825823(0x64201b9f)
    Feb 29 17:08:13 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
    Feb 29 17:08:13 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, a06b45cae1d3a3ba:0b3b85f84cd3f252:0000853c
    Feb 29 17:08:29 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
    Feb 29 17:08:29 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, a06b45cae1d3a3ba:0b3b85f84cd3f252:0000853c
    Feb 29 17:09:00 	racoon: INFO: caught signal 15
    Feb 29 17:09:00 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
    Feb 29 17:09:05 	racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    Feb 29 17:09:05 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Feb 29 17:09:05 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 29 17:09:05 	racoon: [Self]: INFO:aaa.aaa.aaa.aaa1[500] used as isakmp port (fd=18)
    Feb 29 17:09:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
    Feb 29 17:09:05 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
    Feb 29 17:09:05 	racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.137.1/32[0] proto=any dir=in
    Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.1/32[0] 192.168.137.0/24[0] proto=any dir=out
    Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.147.0/24[0] proto=any dir=out
    Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.147.0/24[0] 192.168.137.0/24[0] proto=any dir=in
    Feb 29 17:09:05 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa[500] used as isakmp port (fd=18)
    Feb 29 17:09:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
    Feb 29 17:09:05 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
    Feb 29 17:09:05 	racoon: [ServerOK]: INFO: IPsec-SA request for bbb.bbb.bbb.bbbqueued due to no phase1 found.
    Feb 29 17:09:05 	racoon: [ServerOK]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
    Feb 29 17:09:05 	racoon: INFO: begin Identity Protection mode.
    Feb 29 17:09:06 	racoon: INFO: received Vendor ID: DPD
    Feb 29 17:09:06 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Feb 29 17:09:06 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:a0e693f588fbee45:ad60bfe62cbde305
    Feb 29 17:09:06 	racoon: [ServerOK]: INFO: phase2 sa expired aaa.aaa.aaa.aaa-bbb.bbb.bbb.bbb
    Feb 29 17:09:06 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
    Feb 29 17:09:06 	racoon: WARNING: attribute has been modified.
    Feb 29 17:09:06 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=62816176(0x3be7fb0)
    Feb 29 17:09:06 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=2464398657(0x92e3bd41)
    Feb 29 17:09:07 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
    Feb 29 17:09:07 	racoon: [ServerOK]: INFO: phase2 sa deleted aaa.aaa.aaa.aaa-bbb.bbb.bbb.bbb
    Feb 29 17:09:07 	racoon: ERROR: status mismatch (db:9 msg:3)
    Feb 29 17:09:13 	racoon: [ServerOK]: INFO: respond new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
    Feb 29 17:09:13 	racoon: INFO: begin Identity Protection mode.
    Feb 29 17:09:13 	racoon: INFO: received Vendor ID: DPD
    Feb 29 17:09:13 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Feb 29 17:09:13 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:2098d5bc47b7f88a:ec1f4b8fee0a5df7
    Feb 29 17:09:13 	racoon: [ServerOK]: INFO: respond new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
    Feb 29 17:09:13 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=154089652(0x92f38b4)
    Feb 29 17:09:13 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=1452173945(0x568e6a79)
    

    zyxel zywall log

    
    39
    	2012-02-29 17:12:37	Send:[HASH][NOTFY:R_U_THERE_ACK]	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
    40
    	2012-02-29 17:12:30	IKE Packet Retransmit	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
    41
    	2012-02-29 17:12:30	The cookie pair is : 0xC54AFD2569A9A56C / 0x2F7C495394915DB8	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
    42
    	2012-02-29 17:12:30	IKE Packet Retransmit	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
    43
    	2012-02-29 17:12:30	The cookie pair is : 0x5103E25BC2BA4F06 / 0x996400B086691105	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
    44
    	2012-02-29 17:12:37	The cookie pair is : 0x968C0C57180634C5 / 0x556B69DB20E83E32	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
    47
    	2012-02-29 17:12:42 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14997 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    48
    	2012-02-29 17:12:42 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14996 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    49
    	2012-02-29 17:12:41 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14995 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    50
    	2012-02-29 17:12:41 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14994 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    51
    	2012-02-29 17:12:41 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14993 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    52
    	2012-02-29 17:12:38 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14985 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    53
    	2012-02-29 17:12:38 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14984 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    54
    	2012-02-29 17:12:38 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14982 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    55
    	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14981 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    56
    	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14980 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    57
    	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14979 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    58
    	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14978 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    59
    	2012-02-29 17:12:37 	Firewall default policy: TCP (W1 to W1/ZW) 	aaa.aaa.aaa.aaa:14976 	bbb.bbb.bbb.bbb:80 	ACCESS PERMITTED
    60
    	2012-02-29 17:12:37 	Successful HTTP login 	aaa.aaa.aaa.aaa:14963 	bbb.bbb.bbb.bbb:80 	User:admin
    61
    	2012-02-29 17:12:33 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    62
    	2012-02-29 17:12:37 	Recv:[HASH][NOTFY:R_U_THERE] 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	IKE
    63
    	2012-02-29 17:12:37 	The cookie pair is : 0x968C0C57180634C5 / 0x556B69DB20E83E32 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	IKE
    64
    	2012-02-29 17:12:38 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    65
    	2012-02-29 17:12:46 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    66
    	2012-02-29 17:12:40 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    67
    	2012-02-29 17:12:44 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    68
    	2012-02-29 17:12:32 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    69
    	2012-02-29 17:12:36 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    70
    	2012-02-29 17:12:45 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    71
    	2012-02-29 17:12:31 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    72
    	2012-02-29 17:12:35 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    73
    	2012-02-29 17:12:30 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    74
    	2012-02-29 17:12:43 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    75
    	2012-02-29 17:12:34 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    76
    	2012-02-29 17:12:41 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    77
    	2012-02-29 17:12:47 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    78
    	2012-02-29 17:12:37 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    79
    	2012-02-29 17:12:29 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    80
    	2012-02-29 17:12:39 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    81
    	2012-02-29 17:12:28 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    82
    	2012-02-29 17:12:42 	Firewall default policy: ICMP (W1 to W1/ZW, Echo) 	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
    
    

    I recreated the tunnel and reflashed the ZyXEL firmware, which didn't help; restarting racoon didn't help either. Please help me figure out what's going on.
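
Added example (not part of the original thread): the racoon log above records `caught signal 15` (SIGTERM) at 17:08:01 and 17:09:00, and this Python script measures the spacing of those entries and how long each renegotiation takes. The year 2012 is taken from the ZyWALL log timestamps; the function names and the 2-second tolerance are this example's own assumptions.

```python
import re
from datetime import datetime

# Lines excerpted from the racoon log in the post above (addresses masked as posted).
SAMPLE = """\
Feb 29 17:08:01 racoon: INFO: caught signal 15
Feb 29 17:08:06 racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:dbb121f78fcbe351:06ee714f435562b4
Feb 29 17:08:07 racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=214188897(0xcc44361)
Feb 29 17:08:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
Feb 29 17:09:00 racoon: INFO: caught signal 15
Feb 29 17:09:06 racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=62816176(0x3be7fb0)
"""

LINE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+racoon:\s+(.*)$")

def parse(text, year):
    """Return (timestamp, message) pairs. Syslog omits the year, so the caller
    supplies it; parsed without one, 'Feb 29' is rejected as an invalid date."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp = " ".join(m.group(1).split())  # collapse tabs and repeated spaces
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def sigterm_gaps(events):
    """Seconds between consecutive 'caught signal 15' (SIGTERM) entries."""
    hits = [ts for ts, msg in events if "caught signal 15" in msg]
    return [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]

def recovery_times(events):
    """For each SIGTERM, seconds until the next 'IPsec-SA established' entry."""
    out, pending = [], None
    for ts, msg in events:
        if "caught signal 15" in msg:
            pending = ts
        elif pending is not None and "IPsec-SA established" in msg:
            out.append((ts - pending).total_seconds())
            pending = None
    return out

def matches_period(gaps, period=60, tolerance=2):
    """True when every gap is within `tolerance` seconds of `period`."""
    return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)

if __name__ == "__main__":
    ev = parse(SAMPLE, 2012)
    print(sigterm_gaps(ev), recovery_times(ev), matches_period(sigterm_gaps(ev)))
```

Run against the full log, a gap list that stays at the reported 60 seconds shows each outage starting with the daemon being told to exit, before any IKE negotiation error appears.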



  • That's it, thanks. I reinstalled pfSense and now it works as it should; I never found the cause of the problem…

