IPsec tunnel keeps dropping



  • I have read a lot about similar topics but never found a solution.
    There is a pfSense in the main office and a pfSense in each branch office.
    The branches keep dropping, and they do it regularly. All of them are on ADSL, except the main office. Could it be the MTU? Right now the default MTU is set everywhere.
    Here are the logs of the main pfSense (the KUR_GOR branch dropped):

    Aug 29 09:28:29 racoon: INFO: purged IPsec-SA spi=8040197.
    Aug 29 09:28:29 racoon: INFO: purged IPsec-SA spi=83895763.
    Aug 29 09:28:29 racoon: INFO: purged ISAKMP-SA spi=f961f1955e3e51d5:4dac60f883674043.
    Aug 29 09:28:29 racoon: [KUR_GOR]: INFO: ISAKMP-SA deleted 77.xxx.xxx.xxx[500]-80.xxx.xxx.xxx[500] spi:f961f1955e3e51d5:4dac60f883674043
    Aug 29 09:29:23 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
    Aug 29 09:29:23 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
    Aug 29 09:29:23 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:29:54 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
    Aug 29 09:29:54 racoon: INFO: delete phase 2 handler.
    Aug 29 09:30:13 racoon: ERROR: phase1 negotiation failed due to time up. 7ed265802d8f05d7:0000000000000000
    Aug 29 09:30:26 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
    Aug 29 09:30:26 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
    Aug 29 09:30:26 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:30:47 racoon: [TMB]: INFO: ISAKMP-SA expired 77.xxx.xxx.xxx[500]-91.xxx.xxx.xxx[500] spi:a2d1032c5554f306:0e50e7e480643ec9
    Aug 29 09:30:47 racoon: [TMB]: INFO: ISAKMP-SA deleted 77.xxx.xxx.xxx[500]-91.xxx.xxx.xxx[500] spi:a2d1032c5554f306:0e50e7e480643ec9
    Aug 29 09:30:47 racoon: [TMB]: INFO: respond new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>91.xxx.xxx.xxx[500]
    Aug 29 09:30:47 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:30:47 racoon: INFO: received Vendor ID: DPD
    Aug 29 09:30:47 racoon: [TMB]: INFO: ISAKMP-SA established 77.xxx.xxx.xxx[500]-91.xxx.xxx.xxx[500] spi:f01fefb57bbc95aa:eeb618fd8fa08a18
    Aug 29 09:30:47 racoon: [TMB]: INFO: respond new phase 2 negotiation: 77.xxx.xxx.xxx[500]<=>91.xxx.xxx.xxx[500]
    Aug 29 09:30:47 racoon: [TMB]: INFO: IPsec-SA established: ESP 77.xxx.xxx.xxx[500]->91.xxx.xxx.xxx[500] spi=96847815(0x5c5c7c7)
    Aug 29 09:30:47 racoon: [TMB]: INFO: IPsec-SA established: ESP 77.xxx.xxx.xxx[500]->91.xxx.xxx.xxx[500] spi=3066214642(0xb6c2b8f2)
    Aug 29 09:30:57 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
    Aug 29 09:30:57 racoon: INFO: delete phase 2 handler.
    Aug 29 09:31:09 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 29 09:31:13 racoon: [TMB]: [91.xxx.xxx.xxx] ERROR: unknown Informational exchange received.
    Aug 29 09:31:16 racoon: ERROR: phase1 negotiation failed due to time up. fd133323d7821871:0000000000000000
    Aug 29 09:31:40 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
    Aug 29 09:31:40 racoon: INFO: delete phase 2 handler.
    Aug 29 09:31:54 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
    Aug 29 09:31:54 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
    Aug 29 09:31:54 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:32:25 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
    Aug 29 09:32:25 racoon: INFO: delete phase 2 handler.
    Aug 29 09:32:25 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 29 09:32:44 racoon: ERROR: phase1 negotiation failed due to time up. 985123db48a020a6:0000000000000000
    Aug 29 09:32:56 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
    Aug 29 09:32:56 racoon: INFO: delete phase 2 handler.
    Aug 29 09:33:00 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
    Aug 29 09:33:00 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
    Aug 29 09:33:00 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:33:31 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
    Aug 29 09:33:31 racoon: INFO: delete phase 2 handler.
    Aug 29 09:33:50 racoon: ERROR: phase1 negotiation failed due to time up. 2b4ecc1193bac078:0000000000000000
    Aug 29 09:34:03 racoon: [KUR_SUD]: [80.xxx.xxx.xxx] INFO: DPD: remote (ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779) seems to be dead.
    Aug 29 09:34:03 racoon: INFO: purging ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779.
    Aug 29 09:34:03 racoon: INFO: purged IPsec-SA spi=110611473.
    Aug 29 09:34:03 racoon: INFO: purged IPsec-SA spi=72966387.
    Aug 29 09:34:03 racoon: INFO: purged ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779.
    Aug 29 09:34:03 racoon: [KUR_SUD]: INFO: ISAKMP-SA deleted 77.xxx.xxx.xxx[500]-80.xxx.xxx.xxx[500] spi:bdfb9bf78a850f11:35e28ef4bb7e2779

    Here are the logs of the pfSense in the remote office (Kur_GW dropped):

    Aug 29 09:35:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 29 09:35:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Aug 29 09:35:17 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 29 09:35:17 racoon: INFO: received Vendor ID: DPD
    Aug 29 09:35:17 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
    Aug 29 09:35:27 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:35:37 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:35:44 racoon: [Kur_GW]: [77.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 77.xxx.xxx.xxx[0]->80.xxx.xxx.xxx[0]
    Aug 29 09:35:44 racoon: INFO: delete phase 2 handler.
    Aug 29 09:35:47 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:35:57 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 29 09:35:57 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:36:03 racoon: ERROR: phase1 negotiation failed due to time up. a055c1664e627f5e:0000000000000000
    Aug 29 09:36:07 racoon: ERROR: phase1 negotiation failed due to time up. bdfe4ff109bc6624:b849718112402bfa
    Aug 29 09:36:22 racoon: [PNZ_VPN]: INFO: IPsec-SA request for 85.xxx.xxx.xxxqueued due to no phase1 found.
    Aug 29 09:36:22 racoon: [PNZ_VPN]: INFO: initiate new phase 1 negotiation: 80.xxx.xxx.xxx[500]<=>85.234.36.129[500]
    Aug 29 09:36:22 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:36:28 racoon: [Kur_GW]: [77.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 77.xxx.xxx.xxx[0]->80.xxx.xxx.xxx[0]
    Aug 29 09:36:28 racoon: INFO: delete phase 2 handler.
    Aug 29 09:36:30 racoon: [Kur_GW]: INFO: respond new phase 1 negotiation: 80.xxx.xxx.xxx[500]<=>77.xxx.xxx.xxx[500]
    Aug 29 09:36:30 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:36:30 racoon: INFO: received Vendor ID: RFC 3947
    Aug 29 09:36:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 29 09:36:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 29 09:36:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Aug 29 09:36:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 29 09:36:30 racoon: INFO: received Vendor ID: DPD
    Aug 29 09:36:30 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
    Aug 29 09:36:40 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:36:43 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 29 09:36:50 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:36:53 racoon: [PNZ_VPN]: [85.234.36.129] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 85.234.36.129[0]->80.xxx.xxx.xxx[0]
    Aug 29 09:36:53 racoon: INFO: delete phase 2 handler.
    Aug 29 09:37:00 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:37:10 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
    Aug 29 09:37:12 racoon: ERROR: phase1 negotiation failed due to time up. a11803e54c44066b:0000000000000000
    Aug 29 09:37:14 racoon: [Kur_GW]: [77.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 77.xxx.xxx.xxx[0]->80.xxx.xxx.xxx[0]
    Aug 29 09:37:14 racoon: INFO: delete phase 2 handler.
    Aug 29 09:37:17 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 29 09:37:20 racoon: ERROR: phase1 negotiation failed due to time up. 7d920c2b034ff9bf:11605749be4cdad7
    Aug 29 09:37:33 racoon: [Kur_GW]: INFO: respond new phase 1 negotiation: 80.xxx.xxx.xxx[500]<=>77.xxx.xxx.xxx[500]
    Aug 29 09:37:33 racoon: INFO: begin Identity Protection mode.
    Aug 29 09:37:33 racoon: INFO: received Vendor ID: RFC 3947
    Aug 29 09:37:33 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 29 09:37:33 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 29 09:37:33 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Aug 29 09:37:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 29 09:37:33 racoon: INFO: received Vendor ID: DPD
    Aug 29 09:37:33 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
    Aug 29 09:37:43 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
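
As an added example (not code from the thread or from pfSense), a small Python parser for the racoon log format quoted above: it counts the instability events per peer tag and flags the peers that keep timing out or that DPD declared dead, which is the list worth checking first. The line format, event patterns and the "(untagged)" bucket are assumptions based only on the lines shown in the post.

```python
import re
from collections import Counter, defaultdict

# racoon syslog line as seen in the post: "Mon DD HH:MM:SS racoon: [PEER]: [ip] LEVEL: message"
# The [PEER] tag and the [ip] part are both optional (assumed from the quoted lines).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\]: )?(?:\[(?P<ip>[^\]]+)\] )?"
    r"(?P<level>INFO|NOTIFY|ERROR): (?P<msg>.*)$"
)

# Messages that signal tunnel instability (or recovery), keyed by event name
PATTERNS = {
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    "phase2_timeout": re.compile(r"phase2 negotiation failed .*waiting for phase1"),
    "retransmit": re.compile(r"packet is retransmitted by"),
    "dpd_dead": re.compile(r"DPD: remote .* seems to be dead"),
    "sa_established": re.compile(r"IPsec-SA established"),
}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = next((n for n, p in PATTERNS.items() if p.search(m["msg"])), "other")
    return {"ts": m["ts"], "peer": m["peer"], "ip": m["ip"], "event": event}

def summarize(lines):
    """Count events per peer tag; racoon logs phase-1 timeouts and retransmits
    without a peer tag, so those land under '(untagged)'."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] != "other":
            counts[rec["peer"] or "(untagged)"][rec["event"]] += 1
    return {peer: dict(c) for peer, c in counts.items()}

def flapping_peers(summary, min_failures=2):
    """Peers whose phase-2 requests repeatedly time out waiting for phase 1, or that DPD declared dead."""
    return sorted(p for p, c in summary.items()
                  if c.get("phase2_timeout", 0) >= min_failures or c.get("dpd_dead", 0) > 0)

# Sample input: six lines copied from the logs quoted in the post above
SAMPLE = """\
Aug 29 09:29:54 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
Aug 29 09:30:13 racoon: ERROR: phase1 negotiation failed due to time up. 7ed265802d8f05d7:0000000000000000
Aug 29 09:30:47 racoon: [TMB]: INFO: IPsec-SA established: ESP 77.xxx.xxx.xxx[500]->91.xxx.xxx.xxx[500] spi=96847815(0x5c5c7c7)
Aug 29 09:30:57 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
Aug 29 09:34:03 racoon: [KUR_SUD]: [80.xxx.xxx.xxx] INFO: DPD: remote (ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779) seems to be dead.
Aug 29 09:35:27 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
""".splitlines()
```

Running `flapping_peers(summarize(SAMPLE))` on these lines returns `['KUR_GOR', 'KUR_SUD']`; feed it the full IPsec log from Status > System Logs to get the same view for every branch.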



  • The problem is present on the English-language board as well.
    The English-speaking folks suggest a tutorial here.
    Check all your settings once more.


Locked