IPSEC



  • Good evening everyone,

    I need your help. I set up IPsec between two pfSense boxes that are in the same city, even on the same carrier, and the IPsec tunnel will not come up. The steps I took are below:

    1. I traced the route between the two endpoints to check that they could reach each other;
    2. I collected the data needed to establish the connection:

    I WILL USE FICTITIOUS ADDRESSES BECAUSE I CANNOT EXPOSE THE CUSTOMER'S ADDRESSING!!

    FW01 WAN IP = 100.100.100.254 (this FW uses an ADSL connection with a static IP)
    FW01 LAN IP =  192.168.1.0/24

    FW02 WAN IP = 200.200.200.254 - fw02.no-ip.org (this FW uses an ADSL connection with a dynamic IP)
    FW02 LAN IP =  192.168.2.0/24

    IPSEC SETTINGS

    ####### FW01 #######

    VPN: IPsec: Edit Phase 1

    Internet Protocol: IPv4
    Interface: WAN
    Remote gateway: fw02.no-ip.org
    Authentication method: Mutual PSK
    Negotiation mode: aggressive
    My identifier: My IP address
    Peer identifier: Peer IP address
    Pre-Shared Key: cliente123
    Policy generation: Default
    Proposal Checking: Default
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2 (1024 bit)
    Lifetime: 28800
    NAT Traversal: Enable
    Dead Peer Detection: Enable DPD / 10 seconds / 5 retries

    VPN: IPsec: Edit Phase 2

    Mode: Tunnel IPv4
    Local Network: LAN subnet
    Remote Network:
        Type: Network
        Address: 192.168.2.0/24
    Protocol: ESP
    Encryption Algorithm:
        AES (auto)
        Blowfish (auto)
        3DES
        CAST128
    Hash Algorithm
        MD5
        SHA1
    PFS key group: off
    Lifetime: 3600

    ####### FW02 #######

    VPN: IPsec: Edit Phase 1

    Internet Protocol: IPv4
    Interface: WAN
    Remote gateway: 100.100.100.254
    Authentication method: Mutual PSK
    Negotiation mode: aggressive
    My identifier: My IP address
    Peer identifier: Peer IP address
    Pre-Shared Key: cliente123
    Policy generation: Default
    Proposal Checking: Default
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2 (1024 bit)
    Lifetime: 28800
    NAT Traversal: Enable
    Dead Peer Detection: Enable DPD / 10 seconds / 5 retries

    VPN: IPsec: Edit Phase 2

    Mode: Tunnel IPv4
    Local Network: LAN subnet
    Remote Network:
        Type: Network
        Address: 192.168.1.0/24
    Protocol: ESP
    Encryption Algorithm:
        AES (auto)
        Blowfish (auto)
        3DES
        CAST128
    Hash Algorithm
        MD5
        SHA1
    PFS key group: off
    Lifetime: 3600

    1. I applied the settings above, removing the DDNS name and entering directly the dynamic IP the server was using at that moment.

    THE CONNECTION ERROR LOG IS BELOW

    CONNECTION FAILURE LOG

    Oct 24 01:16:21 racoon: INFO: caught signal 15
    Oct 24 01:16:21 racoon: INFO: racoon process 44833 shutdown
    Oct 24 01:16:26 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Oct 24 01:16:26 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    Oct 24 01:16:26 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
    Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=14)
    Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
    Oct 24 01:16:26 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=15)
    Oct 24 01:16:26 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
    Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
    Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Oct 24 01:16:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in

    Does anyone know what might be going on?

    I await your reply!!

    Thank you very much!!!
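An added consistency check, written here and not part of the thread, that compares the two listings above: Phase 1 and Phase 2 settings that must be identical on both peers, and the Phase 2 selectors that must be mirrored. Both listings are constructed copies of the posted settings with "LAN subnet" resolved to the LAN addresses given in the post; the FW02 copy carries one constructed mismatch (the "PFS key group: 5" advice from later in the thread applied on one peer only), which breaks Phase 2 even when Phase 1 establishes.

```python
# Constructed from the two Phase 1 / Phase 2 listings posted above, reduced to the fields that must
# agree; "LAN subnet" is resolved to the LAN addresses given in the post.
FW01 = """\
Negotiation mode: aggressive
Pre-Shared Key: cliente123
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 28800
Local Network: 192.168.1.0/24
Remote Network: 192.168.2.0/24
PFS key group: off
"""
# FW02 as posted, except that "PFS key group: 5" has been applied on this side only (a constructed
# mismatch, the kind that breaks Phase 2 while Phase 1 still establishes).
FW02 = """\
Negotiation mode: aggressive
Pre-Shared Key: cliente123
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 28800
Local Network: 192.168.2.0/24
Remote Network: 192.168.1.0/24
PFS key group: 5
"""
# Phase 1 and Phase 2 settings that have to be identical on both peers.
SAME_ON_BOTH = ("Negotiation mode", "Pre-Shared Key", "Encryption algorithm",
                "Hash algorithm", "DH key group", "Lifetime", "PFS key group")

def parse_listing(text):
    # "Key: value" lines -> dict; blank lines and lines without ": " are ignored.
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def check_pair(a_text, b_text):
    # Return a list of human-readable mismatches; an empty list means the two sides agree.
    a, b = parse_listing(a_text), parse_listing(b_text)
    problems = []
    for key in SAME_ON_BOTH:
        if a.get(key) != b.get(key):
            problems.append(f"{key}: {a.get(key)!r} vs {b.get(key)!r} must be identical on both peers")
    # Phase 2 selectors are mirrored: my Local Network is the peer's Remote Network and vice versa.
    if a.get("Local Network") != b.get("Remote Network") or b.get("Local Network") != a.get("Remote Network"):
        problems.append("Local/Remote Network are not mirrored between the peers")
    return problems

if __name__ == "__main__":
    for p in check_pair(FW01, FW02) or ["no mismatch found"]:
        print(p)
```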



  • In phase two use this value:

    PFS key group: 5



  • Good evening neo_X,

    I did what you suggested and it still shows the same error in the log.

    I even tested every PFS key group option.

    Do you have any other suggestion?

    I await your reply.

    Thanks!



  • Just to clear up a few doubts:
    a) did you open port 500 in the firewall rules?
    b) Did you create the rule under Firewall: Rules - IPsec?



  • a) I had not opened port 500, but even so it did not solve it. Isn't that port used for VPN on MAC?

    b) I had already created the rules in the IPSEC tab.

    It still didn't work!



  • post the ipsec logs there.



  • Oct 25 19:58:48 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=15)
    Oct 25 19:58:48 racoon: [Self]: INFO: 192.168.1.254[4500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 192.168.1.254[4500] used as isakmp port (fd=16)
    Oct 25 19:58:48 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[500] used as isakmp port (fd=17)
    Oct 25 19:58:48 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[4500] used as isakmp port (fd=18)
    Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[500] used as isakmp port (fd=19)
    Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[4500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 10.1.1.254[4500] used as isakmp port (fd=20)
    Oct 25 19:58:48 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[500] used as isakmp port (fd=21)
    Oct 25 19:58:48 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[4500] used as isakmp port (fd=22)
    Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=23)
    Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[4500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 127.0.0.1[4500] used as isakmp port (fd=24)
    Oct 25 19:58:48 racoon: [Self]: INFO: ::1[500] used as isakmp port (fd=25)
    Oct 25 19:58:48 racoon: [Self]: INFO: ::1[4500] used as isakmp port (fd=26)
    Oct 25 19:58:48 racoon: [Self]: INFO: fe80:7::1[500] used as isakmp port (fd=27)
    Oct 25 19:58:48 racoon: [Self]: INFO: fe80:7::1[4500] used as isakmp port (fd=28)
    Oct 25 19:58:48 racoon: INFO: fe80:9::223:54ff:fed2:3ef[500] used as isakmp port (fd=29)
    Oct 25 19:58:48 racoon: INFO: fe80:9::223:54ff:fed2:3ef[4500] used as isakmp port (fd=30)
    Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=31)
    Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
    Oct 25 19:58:48 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=32)
    Oct 25 19:58:54 racoon: INFO: caught signal 15
    Oct 25 19:58:54 racoon: INFO: racoon process 39603 shutdown
    Oct 25 19:59:00 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Oct 25 19:59:00 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    Oct 25 19:59:00 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
    Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=24)
    Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
    Oct 25 19:59:00 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=25)
    Oct 25 19:59:00 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 25 19:59:00 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
    Oct 25 19:59:00 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
    Oct 25 20:00:17 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 25 20:00:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Oct 25 20:00:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Oct 25 20:00:17 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 25 20:02:17 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 10:30:38 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 10:32:02 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 10:46:08 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 10:47:20 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 11:06:15 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 11:07:04 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 11:10:22 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 28 11:13:51 racoon: INFO: unsupported PF_KEY message REGISTER
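An added triage script, written here and not part of the thread, that reads racoon log lines like the ones posted above and separates pfSense's restart noise (the `unsupported PF_KEY message REGISTER` and `such policy already exists` lines, which appear on every racoon restart and are not the fault) from the negotiation messages that would explain a failed tunnel. The sample log is constructed from the posted lines; the negotiation marker strings are assumed from ipsec-tools racoon wording. When no negotiation line is present at all, as in every log posted in this thread, the tunnel was never negotiated, which points at UDP 500/4500 not reaching the daemon rather than at a proposal or identifier mismatch.

```python
import re
from collections import Counter

# Constructed sample, modelled on the racoon log posted above (ipsec-tools 0.8.1 on pfSense).
SAMPLE_LOG = """\
Oct 29 10:14:06 racoon: INFO: caught signal 15
Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=36)
Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=37)
Oct 29 10:14:11 racoon: INFO: unsupported PF_KEY message REGISTER
Oct 29 10:14:11 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: (?:\[Self\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$")
LISTEN_RE = re.compile(r"^(?P<addr>\S+)\[(?P<port>\d+)\] used as isakmp port")
# Substrings racoon logs only once IKE packets are actually exchanged (ipsec-tools wording; an assumption).
NEGOTIATION_MARKERS = ("phase 1", "phase1", "ISAKMP-SA", "phase 2", "IPsec-SA", "Aggressive mode")
# Startup noise pfSense emits on every racoon restart; neither line is a tunnel fault.
BENIGN_MARKERS = ("unsupported PF_KEY message REGISTER", "such policy already exists")

def parse_line(line):
    # Split one racoon syslog line into timestamp, level and message; None if it is not one.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    s = {"restarts": 0, "listeners": set(), "benign": Counter(), "negotiation": [], "other_errors": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "caught signal 15" in msg:            # daemon restart (config save / service restart)
            s["restarts"] += 1
        lm = LISTEN_RE.match(msg)
        if lm:                                   # addresses racoon bound UDP 500/4500 on
            s["listeners"].add(f"{lm['addr']}:{lm['port']}")
        benign = next((b for b in BENIGN_MARKERS if b in msg), None)
        if benign:
            s["benign"][benign] += 1
        elif any(n in msg for n in NEGOTIATION_MARKERS):
            s["negotiation"].append(msg)         # the lines that actually explain a failed tunnel
        elif rec["level"] == "ERROR":
            s["other_errors"].append(msg)
    if s["negotiation"]:
        s["verdict"] = "IKE traffic was exchanged: read the negotiation lines for proposal, identifier or PSK mismatches"
    else:
        s["verdict"] = "no IKE exchange ever logged: nothing initiated the tunnel or UDP 500/4500 is not reaching racoon (WAN rules, carrier filtering)"
    return s
```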



  • I have an example here.






  • At the branch office you swap the My identifier.






  • @neo_X:

    At the branch office you swap the My identifier.

    I tried it and it did not work. But I did not understand one thing: you asked me to swap the My identifier at the branch office, but swap it with what, the Peer identifier?

    If that is what you meant, I tried that too and it did not work!!



  • Post the logs.



  • racoon: [Self]: INFO: 127.0.0.1[4500] used as isakmp port (fd=35)
    Oct 29 08:32:08 racoon: [Self]: INFO: ::1[500] used as isakmp port (fd=36)
    Oct 29 08:32:08 racoon: [Self]: INFO: ::1[4500] used as isakmp port (fd=37)
    Oct 29 08:32:08 racoon: [Self]: INFO: fe80:7::1[500] used as isakmp port (fd=38)
    Oct 29 08:32:08 racoon: [Self]: INFO: fe80:7::1[4500] used as isakmp port (fd=39)
    Oct 29 08:32:08 racoon: INFO: fe80:9::223:54ff:fed2:3ef[500] used as isakmp port (fd=40)
    Oct 29 08:32:08 racoon: INFO: fe80:9::223:54ff:fed2:3ef[4500] used as isakmp port (fd=41)
    Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
    Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=42)
    Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
    Oct 29 08:32:08 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=43)
    Oct 29 08:32:08 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
    Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=42)
    Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
    Oct 29 10:14:03 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=43)
    Oct 29 10:14:06 racoon: INFO: caught signal 15
    Oct 29 10:14:06 racoon: INFO: racoon process 92995 shutdown
    Oct 29 10:14:11 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Oct 29 10:14:11 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    Oct 29 10:14:11 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Oct 29 10:14:11 racoon: INFO: fe80:1::223:54ff:fed2:3ef[500] used as isakmp port (fd=16)
    Oct 29 10:14:11 racoon: INFO: fe80:1::223:54ff:fed2:3ef[4500] used as isakmp port (fd=17)
    Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=18)
    Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[4500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 192.168.1.254[4500] used as isakmp port (fd=19)
    Oct 29 10:14:11 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[500] used as isakmp port (fd=22)
    Oct 29 10:14:11 racoon: INFO: fe80:2::21a:3fff:fe8b:e88c[4500] used as isakmp port (fd=23)
    Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[500] used as isakmp port (fd=24)
    Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[4500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 10.1.1.254[4500] used as isakmp port (fd=25)
    Oct 29 10:14:11 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[500] used as isakmp port (fd=26)
    Oct 29 10:14:11 racoon: INFO: fe80:3::21a:3fff:fe8b:f147[4500] used as isakmp port (fd=27)
    Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=28)
    Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[4500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 127.0.0.1[4500] used as isakmp port (fd=29)
    Oct 29 10:14:11 racoon: [Self]: INFO: ::1[500] used as isakmp port (fd=30)
    Oct 29 10:14:11 racoon: [Self]: INFO: ::1[4500] used as isakmp port (fd=31)
    Oct 29 10:14:11 racoon: [Self]: INFO: fe80:7::1[500] used as isakmp port (fd=32)
    Oct 29 10:14:11 racoon: [Self]: INFO: fe80:7::1[4500] used as isakmp port (fd=33)
    Oct 29 10:14:11 racoon: INFO: fe80:9::223:54ff:fed2:3ef[500] used as isakmp port (fd=34)
    Oct 29 10:14:11 racoon: INFO: fe80:9::223:54ff:fed2:3ef[4500] used as isakmp port (fd=35)
    Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[500] used as isakmp port (fd=36)
    Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[4500] used for NAT-T
    Oct 29 10:14:11 racoon: [Self]: INFO: 187.6.215.64[4500] used as isakmp port (fd=37)
    Oct 29 10:14:11 racoon: INFO: unsupported PF_KEY message REGISTER



  • João, there is something wrong there hehe... send me the screens so I can take a look. I want to see where you entered the 10.x network in the configuration.



  • Buddy, the 10 network is another interface I have on the firewall that gives guests access.

    My network works like this:

    FW01
    WAN - VALID IP (STATIC)
    LAN - 192.168.1.0/24
    WLAN - 10.1.1.0/24

    FW02
    WAN - VALID IP (DYNAMIC)
    LAN - 192.168.2.0/24
    WLAN - 10.1.1.0/24



  • Good evening gentlemen,

    You can close the topic, I managed to solve the problem. It was with the carrier (Telemar). I ran some more advanced tests and found that the ports for the VPN connection were being blocked. I contacted the carrier and they unblocked them.

    Thanks to everyone who helped me!

    Best regards,

    João Batista da Rocha Neto



  • Great! :)

