Netgate Discussion Forum
    IPsec tunnel keeps dropping

      Zhdanchik

      I have read a lot of threads on similar problems, but never found a solution.
      There is a pfSense in the main office and a pfSense in each branch office.
      The branches keep dropping off, and regularly at that. All of them are on ADSL, except the main office. Could it be the MTU? Right now the MTU is at the default everywhere.
      Here are the logs from the main pfSense (the kUR_GOR branch dropped):

      Aug 29 09:28:29 racoon: INFO: purged IPsec-SA spi=8040197.
      Aug 29 09:28:29 racoon: INFO: purged IPsec-SA spi=83895763.
      Aug 29 09:28:29 racoon: INFO: purged ISAKMP-SA spi=f961f1955e3e51d5:4dac60f883674043.
      Aug 29 09:28:29 racoon: [KUR_GOR]: INFO: ISAKMP-SA deleted 77.xxx.xxx.xxx[500]-80.xxx.xxx.xxx[500] spi:f961f1955e3e51d5:4dac60f883674043
      Aug 29 09:29:23 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
      Aug 29 09:29:23 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
      Aug 29 09:29:23 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:29:54 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
      Aug 29 09:29:54 racoon: INFO: delete phase 2 handler.
      Aug 29 09:30:13 racoon: ERROR: phase1 negotiation failed due to time up. 7ed265802d8f05d7:0000000000000000
      Aug 29 09:30:26 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
      Aug 29 09:30:26 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
      Aug 29 09:30:26 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:30:47 racoon: [TMB]: INFO: ISAKMP-SA expired 77.xxx.xxx.xxx[500]-91.xxx.xxx.xxx[500] spi:a2d1032c5554f306:0e50e7e480643ec9
      Aug 29 09:30:47 racoon: [TMB]: INFO: ISAKMP-SA deleted 77.xxx.xxx.xxx[500]-91.xxx.xxx.xxx[500] spi:a2d1032c5554f306:0e50e7e480643ec9
      Aug 29 09:30:47 racoon: [TMB]: INFO: respond new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>91.xxx.xxx.xxx[500]
      Aug 29 09:30:47 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:30:47 racoon: INFO: received Vendor ID: DPD
      Aug 29 09:30:47 racoon: [TMB]: INFO: ISAKMP-SA established 77.xxx.xxx.xxx[500]-91.xxx.xxx.xxx[500] spi:f01fefb57bbc95aa:eeb618fd8fa08a18
      Aug 29 09:30:47 racoon: [TMB]: INFO: respond new phase 2 negotiation: 77.xxx.xxx.xxx[500]<=>91.xxx.xxx.xxx[500]
      Aug 29 09:30:47 racoon: [TMB]: INFO: IPsec-SA established: ESP 77.xxx.xxx.xxx[500]->91.xxx.xxx.xxx[500] spi=96847815(0x5c5c7c7)
      Aug 29 09:30:47 racoon: [TMB]: INFO: IPsec-SA established: ESP 77.xxx.xxx.xxx[500]->91.xxx.xxx.xxx[500] spi=3066214642(0xb6c2b8f2)
      Aug 29 09:30:57 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
      Aug 29 09:30:57 racoon: INFO: delete phase 2 handler.
      Aug 29 09:31:09 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Aug 29 09:31:13 racoon: [TMB]: [91.xxx.xxx.xxx] ERROR: unknown Informational exchange received.
      Aug 29 09:31:16 racoon: ERROR: phase1 negotiation failed due to time up. fd133323d7821871:0000000000000000
      Aug 29 09:31:40 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
      Aug 29 09:31:40 racoon: INFO: delete phase 2 handler.
      Aug 29 09:31:54 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
      Aug 29 09:31:54 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
      Aug 29 09:31:54 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:32:25 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
      Aug 29 09:32:25 racoon: INFO: delete phase 2 handler.
      Aug 29 09:32:25 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Aug 29 09:32:44 racoon: ERROR: phase1 negotiation failed due to time up. 985123db48a020a6:0000000000000000
      Aug 29 09:32:56 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
      Aug 29 09:32:56 racoon: INFO: delete phase 2 handler.
      Aug 29 09:33:00 racoon: [KUR_GOR]: INFO: IPsec-SA request for 80.xxx.xxx.xxx queued due to no phase1 found.
      Aug 29 09:33:00 racoon: [KUR_GOR]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
      Aug 29 09:33:00 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:33:31 racoon: [KUR_GOR]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
      Aug 29 09:33:31 racoon: INFO: delete phase 2 handler.
      Aug 29 09:33:50 racoon: ERROR: phase1 negotiation failed due to time up. 2b4ecc1193bac078:0000000000000000
      Aug 29 09:34:03 racoon: [KUR_SUD]: [80.xxx.xxx.xxx] INFO: DPD: remote (ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779) seems to be dead.
      Aug 29 09:34:03 racoon: INFO: purging ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779.
      Aug 29 09:34:03 racoon: INFO: purged IPsec-SA spi=110611473.
      Aug 29 09:34:03 racoon: INFO: purged IPsec-SA spi=72966387.
      Aug 29 09:34:03 racoon: INFO: purged ISAKMP-SA spi=bdfb9bf78a850f11:35e28ef4bb7e2779.
      Aug 29 09:34:03 racoon: [KUR_SUD]: INFO: ISAKMP-SA deleted 77.xxx.xxx.xxx[500]-80.xxx.xxx.xxx[500] spi:bdfb9bf78a850f11:35e28ef4bb7e2779

      Here are the logs from the pfSense in the remote office: (Kur_GW dropped)

      Aug 29 09:35:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Aug 29 09:35:17 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Aug 29 09:35:17 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Aug 29 09:35:17 racoon: INFO: received Vendor ID: DPD
      Aug 29 09:35:17 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
      Aug 29 09:35:27 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:35:37 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:35:44 racoon: [Kur_GW]: [77.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 77.xxx.xxx.xxx[0]->80.xxx.xxx.xxx[0]
      Aug 29 09:35:44 racoon: INFO: delete phase 2 handler.
      Aug 29 09:35:47 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:35:57 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Aug 29 09:35:57 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:36:03 racoon: ERROR: phase1 negotiation failed due to time up. a055c1664e627f5e:0000000000000000
      Aug 29 09:36:07 racoon: ERROR: phase1 negotiation failed due to time up. bdfe4ff109bc6624:b849718112402bfa
      Aug 29 09:36:22 racoon: [PNZ_VPN]: INFO: IPsec-SA request for 85.xxx.xxx.xxxqueued due to no phase1 found.
      Aug 29 09:36:22 racoon: [PNZ_VPN]: INFO: initiate new phase 1 negotiation: 80.xxx.xxx.xxx[500]<=>85.234.36.129[500]
      Aug 29 09:36:22 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:36:28 racoon: [Kur_GW]: [77.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 77.xxx.xxx.xxx[0]->80.xxx.xxx.xxx[0]
      Aug 29 09:36:28 racoon: INFO: delete phase 2 handler.
      Aug 29 09:36:30 racoon: [Kur_GW]: INFO: respond new phase 1 negotiation: 80.xxx.xxx.xxx[500]<=>77.xxx.xxx.xxx[500]
      Aug 29 09:36:30 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:36:30 racoon: INFO: received Vendor ID: RFC 3947
      Aug 29 09:36:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Aug 29 09:36:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Aug 29 09:36:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Aug 29 09:36:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Aug 29 09:36:30 racoon: INFO: received Vendor ID: DPD
      Aug 29 09:36:30 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
      Aug 29 09:36:40 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:36:43 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Aug 29 09:36:50 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:36:53 racoon: [PNZ_VPN]: [85.234.36.129] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 85.234.36.129[0]->80.xxx.xxx.xxx[0]
      Aug 29 09:36:53 racoon: INFO: delete phase 2 handler.
      Aug 29 09:37:00 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:37:10 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
      Aug 29 09:37:12 racoon: ERROR: phase1 negotiation failed due to time up. a11803e54c44066b:0000000000000000
      Aug 29 09:37:14 racoon: [Kur_GW]: [77.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 77.xxx.xxx.xxx[0]->80.xxx.xxx.xxx[0]
      Aug 29 09:37:14 racoon: INFO: delete phase 2 handler.
      Aug 29 09:37:17 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Aug 29 09:37:20 racoon: ERROR: phase1 negotiation failed due to time up. 7d920c2b034ff9bf:11605749be4cdad7
      Aug 29 09:37:33 racoon: [Kur_GW]: INFO: respond new phase 1 negotiation: 80.xxx.xxx.xxx[500]<=>77.xxx.xxx.xxx[500]
      Aug 29 09:37:33 racoon: INFO: begin Identity Protection mode.
      Aug 29 09:37:33 racoon: INFO: received Vendor ID: RFC 3947
      Aug 29 09:37:33 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Aug 29 09:37:33 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Aug 29 09:37:33 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Aug 29 09:37:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Aug 29 09:37:33 racoon: INFO: received Vendor ID: DPD
      Aug 29 09:37:33 racoon: [Kur_GW]: [77.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
      Aug 29 09:37:43 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).

        dvserg

        The problem is present in the English section too.
        Our English colleagues offer a tutorial here.
        Check all the settings once more.

        SquidGuardDoc EN  RU Tutorial
        Localization ru_PFSense
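
Added example, not part of the original thread: a Python summary of racoon logs in the format posted in the first message, counting phase 2 timeouts and DPD events per tunnel and splitting phase 1 timeouts by cookie pair. It assumes the pair printed after "phase1 negotiation failed" is initiator:responder as in the ISAKMP header, so an all-zero responder cookie means this host initiated and never received a reply; the sample lines, the tunnel names BRANCH_A/BRANCH_B and the cookies are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the racoon syslog format shown in the first post
# (addresses masked the same way; tunnel names and cookies are made up).
SAMPLE = """\
Aug 29 09:29:23 racoon: [BRANCH_A]: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.xxx[500]<=>80.xxx.xxx.xxx[500]
Aug 29 09:29:54 racoon: [BRANCH_A]: [80.xxx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 80.xxx.xxx.xxx[0]->77.xxx.xxx.xxx[0]
Aug 29 09:30:13 racoon: ERROR: phase1 negotiation failed due to time up. 1111111111111111:0000000000000000
Aug 29 09:30:20 racoon: NOTIFY: the packet is retransmitted by 77.xxx.xxx.xxx[500] (1).
Aug 29 09:31:16 racoon: ERROR: phase1 negotiation failed due to time up. 2222222222222222:3333333333333333
Aug 29 09:34:03 racoon: [BRANCH_B]: [80.xxx.xxx.xxx] INFO: DPD: remote (ISAKMP-SA spi=4444444444444444:5555555555555555) seems to be dead.
"""

# timestamp, "racoon:", optional [TUNNEL]:, optional [peer], LEVEL:, message
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} racoon: (?:\[(\w+)\]: )?(?:\[[^\]]+\] )?\w+: (.*)$")
P1_FAIL = re.compile(
    r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")


def summarize(text):
    """Count failure types per tunnel and classify phase 1 timeouts."""
    per_tunnel = defaultdict(Counter)
    phase1 = Counter()
    retransmits = 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a racoon line in the expected format
        tunnel, msg = m.groups()
        p1 = P1_FAIL.search(msg)
        if p1:
            # Assumption: all-zero responder cookie = our first packet was
            # never answered; otherwise the handshake started, then stalled.
            zero = set(p1.group(2)) == {"0"}
            phase1["no_reply" if zero else "stalled_mid_handshake"] += 1
        elif "phase2 negotiation failed" in msg:
            per_tunnel[tunnel]["phase2_timeout"] += 1
        elif "seems to be dead" in msg:
            per_tunnel[tunnel]["dpd_dead"] += 1
        elif "packet is retransmitted" in msg:
            retransmits += 1
    return {"phase1": dict(phase1), "retransmits": retransmits,
            "tunnels": {t: dict(c) for t, c in per_tunnel.items()}}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it over the logs from both ends of one tunnel shows whether each side saw no packets at all or saw the handshake begin and then stall, which narrows down where the IKE traffic is being lost.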
