Netgate Discussion Forum

    IP Sec vpn pfSense -> Zyxel ZyWall 35

      AsaD

      I've run into the following problem:
      everything used to work fine, but now the VPN tunnel drops exactly every 60 seconds

      pfSense log

      
      Feb 29 17:08:01 	racoon: INFO: caught signal 15
      Feb 29 17:08:01 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
      Feb 29 17:08:06 	racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      Feb 29 17:08:06 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Feb 29 17:08:06 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Feb 29 17:08:06 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa [500] used as isakmp port (fd=18)
      Feb 29 17:08:06 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
      Feb 29 17:08:06 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
      Feb 29 17:08:06 	racoon: INFO: unsupported PF_KEY message REGISTER
      Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.137.1/32[0] proto=any dir=in
      Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.1/32[0] 192.168.137.0/24[0] proto=any dir=out
      Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.147.0/24[0] proto=any dir=out
      Feb 29 17:08:06 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.147.0/24[0] 192.168.137.0/24[0] proto=any dir=in
      Feb 29 17:08:06 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa[500] used as isakmp port (fd=18)
      Feb 29 17:08:06 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
      Feb 29 17:08:06 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
      Feb 29 17:08:06 	racoon: [ServerOK]: INFO: IPsec-SA request for bbb.bbb.bbb.bbbqueued due to no phase1 found.
      Feb 29 17:08:06 	racoon: [ServerOK]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
      Feb 29 17:08:06 	racoon: INFO: begin Identity Protection mode.
      Feb 29 17:08:06 	racoon: INFO: received Vendor ID: DPD
      Feb 29 17:08:06 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
      Feb 29 17:08:06 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:dbb121f78fcbe351:06ee714f435562b4
      Feb 29 17:08:07 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
      Feb 29 17:08:07 	racoon: WARNING: attribute has been modified.
      Feb 29 17:08:07 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=214188897(0xcc44361)
      Feb 29 17:08:07 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=1679825823(0x64201b9f)
      Feb 29 17:08:13 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
      Feb 29 17:08:13 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, a06b45cae1d3a3ba:0b3b85f84cd3f252:0000853c
      Feb 29 17:08:29 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
      Feb 29 17:08:29 	racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, a06b45cae1d3a3ba:0b3b85f84cd3f252:0000853c
      Feb 29 17:09:00 	racoon: INFO: caught signal 15
      Feb 29 17:09:00 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
      Feb 29 17:09:05 	racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      Feb 29 17:09:05 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Feb 29 17:09:05 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Feb 29 17:09:05 	racoon: [Self]: INFO:aaa.aaa.aaa.aaa1[500] used as isakmp port (fd=18)
      Feb 29 17:09:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
      Feb 29 17:09:05 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
      Feb 29 17:09:05 	racoon: INFO: unsupported PF_KEY message REGISTER
      Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.137.1/32[0] proto=any dir=in
      Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.1/32[0] 192.168.137.0/24[0] proto=any dir=out
      Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.137.0/24[0] 192.168.147.0/24[0] proto=any dir=out
      Feb 29 17:09:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.147.0/24[0] 192.168.137.0/24[0] proto=any dir=in
      Feb 29 17:09:05 	racoon: [Self]: INFO: aaa.aaa.aaa.aaa[500] used as isakmp port (fd=18)
      Feb 29 17:09:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
      Feb 29 17:09:05 	racoon: [Self]: INFO: 192.168.137.1[500] used as isakmp port (fd=20)
      Feb 29 17:09:05 	racoon: [ServerOK]: INFO: IPsec-SA request for bbb.bbb.bbb.bbbqueued due to no phase1 found.
      Feb 29 17:09:05 	racoon: [ServerOK]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
      Feb 29 17:09:05 	racoon: INFO: begin Identity Protection mode.
      Feb 29 17:09:06 	racoon: INFO: received Vendor ID: DPD
      Feb 29 17:09:06 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
      Feb 29 17:09:06 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:a0e693f588fbee45:ad60bfe62cbde305
      Feb 29 17:09:06 	racoon: [ServerOK]: INFO: phase2 sa expired aaa.aaa.aaa.aaa-bbb.bbb.bbb.bbb
      Feb 29 17:09:06 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
      Feb 29 17:09:06 	racoon: WARNING: attribute has been modified.
      Feb 29 17:09:06 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=62816176(0x3be7fb0)
      Feb 29 17:09:06 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=2464398657(0x92e3bd41)
      Feb 29 17:09:07 	racoon: [ServerOK]: INFO: initiate new phase 2 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
      Feb 29 17:09:07 	racoon: [ServerOK]: INFO: phase2 sa deleted aaa.aaa.aaa.aaa-bbb.bbb.bbb.bbb
      Feb 29 17:09:07 	racoon: ERROR: status mismatch (db:9 msg:3)
      Feb 29 17:09:13 	racoon: [ServerOK]: INFO: respond new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]
      Feb 29 17:09:13 	racoon: INFO: begin Identity Protection mode.
      Feb 29 17:09:13 	racoon: INFO: received Vendor ID: DPD
      Feb 29 17:09:13 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
      Feb 29 17:09:13 	racoon: [ServerOK]: INFO: ISAKMP-SA established aaa.aaa.aaa.aaa[500]-bbb.bbb.bbb.bbb[500] spi:2098d5bc47b7f88a:ec1f4b8fee0a5df7
      Feb 29 17:09:13 	racoon: [ServerOK]: INFO: respond new phase 2 negotiation: aaa.aaa.aaa.aaa[0]<=>bbb.bbb.bbb.bbb[0]
      Feb 29 17:09:13 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=154089652(0x92f38b4)
      Feb 29 17:09:13 	racoon: [ServerOK]: INFO: IPsec-SA established: ESP aaa.aaa.aaa.aaa[0]->bbb.bbb.bbb.bbb[0] spi=1452173945(0x568e6a79)
      

      zyxel zywall log

      
      39	2012-02-29 17:12:37	Send:[HASH][NOTFY:R_U_THERE_ACK]	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
      40	2012-02-29 17:12:30	IKE Packet Retransmit	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
      41	2012-02-29 17:12:30	The cookie pair is : 0xC54AFD2569A9A56C / 0x2F7C495394915DB8	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
      42	2012-02-29 17:12:30	IKE Packet Retransmit	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
      43	2012-02-29 17:12:30	The cookie pair is : 0x5103E25BC2BA4F06 / 0x996400B086691105	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
      44	2012-02-29 17:12:37	The cookie pair is : 0x968C0C57180634C5 / 0x556B69DB20E83E32	bbb.bbb.bbb.bbb	aaa.aaa.aaa.aaa	IKE
      47	2012-02-29 17:12:42	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14997	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      48	2012-02-29 17:12:42	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14996	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      49	2012-02-29 17:12:41	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14995	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      50	2012-02-29 17:12:41	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14994	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      51	2012-02-29 17:12:41	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14993	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      52	2012-02-29 17:12:38	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14985	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      53	2012-02-29 17:12:38	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14984	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      54	2012-02-29 17:12:38	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14982	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      55	2012-02-29 17:12:37	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14981	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      56	2012-02-29 17:12:37	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14980	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      57	2012-02-29 17:12:37	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14979	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      58	2012-02-29 17:12:37	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14978	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      59	2012-02-29 17:12:37	Firewall default policy: TCP (W1 to W1/ZW)	aaa.aaa.aaa.aaa:14976	bbb.bbb.bbb.bbb:80	ACCESS PERMITTED
      60	2012-02-29 17:12:37	Successful HTTP login	aaa.aaa.aaa.aaa:14963	bbb.bbb.bbb.bbb:80	User:admin
      61	2012-02-29 17:12:33	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      62	2012-02-29 17:12:37	Recv:[HASH][NOTFY:R_U_THERE]	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	IKE
      63	2012-02-29 17:12:37	The cookie pair is : 0x968C0C57180634C5 / 0x556B69DB20E83E32	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	IKE
      64	2012-02-29 17:12:38	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      65	2012-02-29 17:12:46	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      66	2012-02-29 17:12:40	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      67	2012-02-29 17:12:44	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      68	2012-02-29 17:12:32	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      69	2012-02-29 17:12:36	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      70	2012-02-29 17:12:45	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      71	2012-02-29 17:12:31	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      72	2012-02-29 17:12:35	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      73	2012-02-29 17:12:30	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      74	2012-02-29 17:12:43	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      75	2012-02-29 17:12:34	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      76	2012-02-29 17:12:41	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      77	2012-02-29 17:12:47	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      78	2012-02-29 17:12:37	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      79	2012-02-29 17:12:29	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      80	2012-02-29 17:12:39	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      81	2012-02-29 17:12:28	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      82	2012-02-29 17:12:42	Firewall default policy: ICMP (W1 to W1/ZW, Echo)	aaa.aaa.aaa.aaa	bbb.bbb.bbb.bbb	ACCESS PERMITTED
      
      

      I recreated the tunnel and reinstalled the Zyxel firmware, which didn't help; restarting racoon didn't help either. Please help me figure out what's wrong

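The racoon log in the post above records "caught signal 15" (SIGTERM) at 17:08:01 and again at 17:09:00, each followed by the daemon's startup banner. As an added example (not part of the thread), this Python script measures that stop/restart cycle from such a log; the sample lines are excerpted from the post, the function names are illustrative, and the year 2012 is an assumption taken from the ZyWall log timestamps.

```python
import re
from datetime import datetime

# Lines excerpted from the racoon log in the post (addresses anonymised there).
SAMPLE_LOG = """\
Feb 29 17:08:01 racoon: INFO: caught signal 15
Feb 29 17:08:06 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Feb 29 17:08:07 racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=214188897(0xcc44361)
Feb 29 17:08:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 1a36f06b8e37ffa4:e62ce7ec3fec3511:0000bdc1
Feb 29 17:09:00 racoon: INFO: caught signal 15
Feb 29 17:09:05 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Feb 29 17:09:06 racoon: [ServerOK]: INFO: IPsec-SA established: ESP bbb.bbb.bbb.bbb[0]->aaa.aaa.aaa.aaa[0] spi=62816176(0x3be7fb0)
"""
LINE = re.compile(r"^\s*(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+racoon:\s+(.*)$")

def parse(text, year=2012):
    # Syslog timestamps carry no year. strptime defaults to 1900, which has no
    # Feb 29, so the year is supplied explicitly (2012: assumption, see lead-in).
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def restart_cycles(text, year=2012):
    # One record per SIGTERM: when racoon stopped, when its banner reappeared,
    # and when the first IPsec-SA was established after that restart.
    cycles = []
    for ts, msg in parse(text, year):
        if "caught signal 15" in msg:
            cycles.append({"stopped": ts, "started": None, "tunnel_up": None})
        elif cycles:  # ignore lines before the first observed stop
            cur = cycles[-1]
            if "@(#)ipsec-tools" in msg and cur["started"] is None:
                cur["started"] = ts
            elif ("IPsec-SA established" in msg and cur["started"] is not None
                  and cur["tunnel_up"] is None):
                cur["tunnel_up"] = ts
    return cycles

def stop_intervals(cycles):
    # Seconds between consecutive SIGTERMs.
    stops = [c["stopped"] for c in cycles]
    return [int((b - a).total_seconds()) for a, b in zip(stops, stops[1:])]

def outage_seconds(cycles):
    # Seconds from each stop until an IPsec-SA exists again (unfinished cycles skipped).
    return [int((c["tunnel_up"] - c["stopped"]).total_seconds())
            for c in cycles if c["tunnel_up"] is not None]
```

On the excerpt this gives a 59-second gap between the two SIGTERMs and 6 seconds from each stop until an IPsec-SA is established again, so the 60-second drop lines up with racoon itself being stopped and restarted. What sends the signal is not visible in the log.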
        AsaD

        That's it, thanks. I reinstalled pfSense and now it works as it should; I didn't find the cause of the problem….

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.