Netgate Discussion Forum
    IPsec VPN + Cisco VPN Client

dER_MuKCeP wrote:

Good day!
Please help me figure this out. We have pfSense 2.1.2 with IPsec Mobile Client Support configured, set up to authenticate against AD (domain login + password). The client PCs run Cisco VPN Client version 5.0.07.
The problem: the first time, authentication goes through fine, there is access to internal network resources, i.e. everything works! We disconnect and connect again. The connection to the server is made, the (domain) login + password prompt appears, authentication succeeds, and that's it: the connection is nominally up and traffic flows, but there is no access to internal resources and nothing pings anywhere.

I can't figure out what the problem is or where to dig...

werter wrote:

Enable and check the IPsec and firewall logs.

P.S. Try using this - https://www.shrew.net/software

dER_MuKCeP wrote:

The Shrew Soft VPN Client option is very good, but AD authentication is a paid feature :(

dER_MuKCeP wrote:

I noticed that if I restart racoon, everything starts working again...

dER_MuKCeP wrote:

Log after restarting racoon and the first connection attempt from Cisco VPN Client:

              May 11 12:02:00 	racoon: INFO: caught signal 15
              May 11 12:02:00 	racoon: INFO: racoon process 25517 shutdown
              May 11 12:02:05 	racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
              May 11 12:02:05 	racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
              May 11 12:02:05 	racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
              May 11 12:02:05 	racoon: INFO: Resize address pool from 0 to 253
              May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[4500] used for NAT-T
              May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[4500] used as isakmp port (fd=14)
              May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[500] used for NAT-T
              May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[500] used as isakmp port (fd=15)
              May 11 12:02:05 	racoon: INFO: unsupported PF_KEY message REGISTER
              May 11 12:02:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.2/32[0] 192.168.1.0/24[0] proto=any dir=out
              May 11 12:02:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.2/32[0] proto=any dir=in
              May 11 12:03:14 	racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[55386]
              May 11 12:03:14 	racoon: INFO: begin Aggressive mode.
              May 11 12:03:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
              May 11 12:03:14 	racoon: INFO: received Vendor ID: DPD
              May 11 12:03:14 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
              May 11 12:03:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
              May 11 12:03:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
              May 11 12:03:14 	racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
              May 11 12:03:14 	racoon: INFO: Adding remote and local NAT-D payloads.
              May 11 12:03:14 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55386] with algo #2
              May 11 12:03:14 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
              May 11 12:03:14 	racoon: INFO: Adding xauth VID payload.
              May 11 12:03:14 	racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[55387]<->123.123.123.123[4500]
              May 11 12:03:14 	racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
              May 11 12:03:14 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
              May 11 12:03:14 	racoon: INFO: NAT-D payload #0 doesn't match
              May 11 12:03:14 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55387] with algo #2
              May 11 12:03:14 	racoon: INFO: NAT-D payload #1 doesn't match
              May 11 12:03:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
              May 11 12:03:14 	racoon: INFO: NAT detected: ME PEER
              May 11 12:03:14 	racoon: INFO: Sending Xauth request
              May 11 12:03:14 	racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[55387] spi:07f9b5569aa783e7:20e75e7333b5c9b8
              May 11 12:03:28 	racoon: INFO: Using port 0
              May 11 12:03:28 	racoon: user 'test' authenticated
              May 11 12:03:28 	racoon: INFO: login succeeded for user "test"
              May 11 12:03:28 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
              May 11 12:03:28 	racoon: ERROR: Cannot open "/etc/motd"
              May 11 12:03:28 	racoon: WARNING: Ignored attribute 28683
              May 11 12:03:28 	racoon: WARNING: Ignored attribute 28684
              May 11 12:03:28 	racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[55387]
              May 11 12:03:28 	racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: ERROR: not matched
              May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:03:28 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=27097690(0x19d7a5a)
              May 11 12:03:28 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=602786838(0x23edcc16)
              

Connection established, everything works.

I disconnect. Connect again...

Here is what the log shows:

              May 11 12:24:21 	racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[59617]
              May 11 12:24:21 	racoon: INFO: begin Aggressive mode.
              May 11 12:24:21 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
              May 11 12:24:21 	racoon: INFO: received Vendor ID: DPD
              May 11 12:24:21 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
              May 11 12:24:21 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
              May 11 12:24:21 	racoon: INFO: received Vendor ID: CISCO-UNITY
              May 11 12:24:21 	racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
              May 11 12:24:21 	racoon: INFO: Adding remote and local NAT-D payloads.
              May 11 12:24:21 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59617] with algo #2
              May 11 12:24:21 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
              May 11 12:24:21 	racoon: INFO: Adding xauth VID payload.
              May 11 12:24:21 	racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[59618]<->123.123.123.123[4500]
              May 11 12:24:21 	racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
              May 11 12:24:21 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
              May 11 12:24:21 	racoon: INFO: NAT-D payload #0 doesn't match
              May 11 12:24:21 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59618] with algo #2
              May 11 12:24:21 	racoon: INFO: NAT-D payload #1 doesn't match
              May 11 12:24:21 	racoon: INFO: received Vendor ID: CISCO-UNITY
              May 11 12:24:21 	racoon: INFO: NAT detected: ME PEER
              May 11 12:24:21 	racoon: INFO: Sending Xauth request
              May 11 12:24:21 	racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[59618] spi:06fbe9bf549af3b7:47e137722fc9fa19
              May 11 12:24:24 	racoon: INFO: Using port 0
              May 11 12:24:24 	racoon: user 'test' authenticated
              May 11 12:24:24 	racoon: INFO: login succeeded for user "test"
              May 11 12:24:24 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
              May 11 12:24:24 	racoon: ERROR: Cannot open "/etc/motd"
              May 11 12:24:24 	racoon: WARNING: Ignored attribute 28683
              May 11 12:24:24 	racoon: WARNING: Ignored attribute 28684
              May 11 12:24:24 	racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[59618]
              May 11 12:24:24 	racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
              May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: ERROR: not matched
              May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
              May 11 12:24:24 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
              May 11 12:24:24 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=1350976079(0x5086424f)
              May 11 12:24:30 	racoon: ERROR: no configuration found for 45.45.45.45.
              May 11 12:24:30 	racoon: ERROR: failed to begin ipsec sa negotication.
              
              • werter

                The error occurs in phase 2. Try changing the settings from Aggressive mode to main

                Try this first - https://forum.pfsense.org/index.php?topic=46917.0, https://forum.pfsense.org/index.php?topic=41631.15

                Also:

                To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfsense is at both ends in my scenario).

                And also:

                on the pfsense side, try setting the P1 Policy Generation to "unique"

                i was having similar issues for subsequent reconnects for the Shrew client where restarting the pfsense ipsec process would clear the issue

                i did NOT need to disable NAT-T or DPD, just changing the P1 Policy Generation setting from "default" to "unique" was the only change i made

                P.s. People write that the problem is with the Cisco client. Are you using the latest version of this client? If you have the 64-bit version (if one exists, I'm not sure :-), switch to the 32-bit one.

                • dER_MuKCeP

                  When switching from "Aggressive" to "main"

                  
                  May 11 14:48:04 	racoon: [213.142.62.211] ERROR: exchange Aggressive not allowed in any applicable rmconf.
                  
                  • dER_MuKCeP
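As an added example (not code from this thread or from pfSense): a small Python parser for racoon log lines like the ones quoted above, counting the events the replies in this thread turn on (authtype mismatches between proposals, established phase-2 SAs, "no configuration found" on reconnect, and the Aggressive-exchange rejection after switching to main mode). The sample log is constructed from the quoted lines; the regexes assume the syslog shape shown in this thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
May 11 12:24:24 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
May 11 12:24:30 racoon: ERROR: no configuration found for 45.45.45.45.
May 11 12:24:30 racoon: ERROR: failed to begin ipsec sa negotication.
May 11 14:48:04 racoon: [213.142.62.211] ERROR: exchange Aggressive not allowed in any applicable rmconf.
"""
# Generic racoon syslog shape: timestamp, "racoon:", optional "[peer]" tag, level, message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+racoon: "
                     r"(?:\[(?P<peer>[^\]]+)\]:? )?(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$")
AUTH_RE = re.compile(r"authtype mismatched: my:(?P<mine>\S+) peer:(?P<peer>\S+)")
SA_RE = re.compile(r"IPsec-SA established: ESP (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)")
NOCONF_RE = re.compile(r"no configuration found for (\d+(?:\.\d+){3})\.?$")


def parse_line(line):
    """Split one racoon log line into fields; None if the line is not a racoon message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count the events a pfSense admin looks for when an IPsec reconnect fails."""
    s = {"authtype_mismatch": Counter(), "sa_established": [], "no_config_for": [],
         "aggressive_rejected": 0, "unparsed": 0}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            s["unparsed"] += 1
            continue
        msg = rec["msg"]
        m = AUTH_RE.search(msg)
        if m:  # our proposal vs. the client's; racoon moves on to the next proposal
            s["authtype_mismatch"][(m.group("mine"), m.group("peer"))] += 1
            continue
        m = SA_RE.search(msg)
        if m:  # a phase-2 SA came up; keep endpoints and SPI
            s["sa_established"].append((m.group("src"), m.group("dst"), int(m.group("spi"))))
            continue
        m = NOCONF_RE.search(msg)
        if m:  # racoon has no matching config for the peer: the reconnect symptom in this thread
            s["no_config_for"].append(m.group(1))
        elif "exchange Aggressive not allowed" in msg:  # client still uses Aggressive after the main-mode switch
            s["aggressive_rejected"] += 1
    return s
```

Feed it the IPsec log from Status > System Logs to see at a glance whether a failed reconnect hit the proposal mismatch, the missing peer configuration, or the exchange-mode rejection.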

                    @werter:

                    P.s. People write that the problem is with the Cisco client. Are you using the latest version of this client? If you have the 64-bit version (if one exists, I'm not sure :-), switch to the 32-bit one.

                    I wouldn't mind using a different client; the main thing is that it supports AD authentication.

                    • werter

                      Try doing it exactly according to the instructions:

                      https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

                      P.s. Enable racoon debug and watch the log:

                      You can enable debug mode for racoon by checking the option for it under System > Advanced on the Miscellaneous tab.

                      • dER_MuKCeP

                        Did everything according to the manual + installed ShrewSoft VPN Client … everything works perfectly!!!

                        • werter

                          So AD authentication works reliably, even on reconnect? It doesn't drop? And with the Cisco client?

                          P.s. Please put [SOLVED] in the topic title.

                          • dER_MuKCeP

                            I tried dropping the connection from the PC several times; everything works perfectly! And authentication via AD also goes through. BUT…

                            if I try to connect again from another device (I use an iPad), everything on the PC stops working: the connection is there, but there is no access anywhere. Same thing on the tablet: the VPN comes up but there is no access anywhere; pings disappear on both the PC and the tablet.

                            • dER_MuKCeP

                              @werter:

                              And with the Cisco client?

                              With the parameters from the manual, the Cisco VPN Client doesn't connect

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.