IPsec VPN + Cisco VPN Client



  • Good day!
    Please help me figure this out. We have pfSense 2.1.2 with IPsec Mobile Client Support configured, and it is set up to work with AD (authentication by domain login + password). The client PCs use Cisco VPN Client version 5.0.07.
    The problem: the first time, authentication goes through perfectly, there is access to internal network resources, i.e. everything works! We disconnect and connect again. The connection to the server is established, the (domain) login + password prompt appears, authentication succeeds, and that's "it": the connection seems to be there, traffic flows, but there is no access to internal network resources and nothing can be pinged anywhere.

    I can't figure out what the problem is or where to dig...



  • Turn on and look at the IPsec and firewall logs.

    P.S. Try using this - https://www.shrew.net/software



  • The Shrew Soft VPN Client option is very good, but AD authentication there is a paid feature :(



  • I noticed that if I restart racoon, everything starts working again...



  • Log after restarting racoon and the first connection attempt with Cisco VPN Client

    May 11 12:02:00 	racoon: INFO: caught signal 15
    May 11 12:02:00 	racoon: INFO: racoon process 25517 shutdown
    May 11 12:02:05 	racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    May 11 12:02:05 	racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
    May 11 12:02:05 	racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    May 11 12:02:05 	racoon: INFO: Resize address pool from 0 to 253
    May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[4500] used for NAT-T
    May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[4500] used as isakmp port (fd=14)
    May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[500] used for NAT-T
    May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[500] used as isakmp port (fd=15)
    May 11 12:02:05 	racoon: INFO: unsupported PF_KEY message REGISTER
    May 11 12:02:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.2/32[0] 192.168.1.0/24[0] proto=any dir=out
    May 11 12:02:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.2/32[0] proto=any dir=in
    May 11 12:03:14 	racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[55386]
    May 11 12:03:14 	racoon: INFO: begin Aggressive mode.
    May 11 12:03:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 11 12:03:14 	racoon: INFO: received Vendor ID: DPD
    May 11 12:03:14 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 11 12:03:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 11 12:03:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
    May 11 12:03:14 	racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    May 11 12:03:14 	racoon: INFO: Adding remote and local NAT-D payloads.
    May 11 12:03:14 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55386] with algo #2
    May 11 12:03:14 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
    May 11 12:03:14 	racoon: INFO: Adding xauth VID payload.
    May 11 12:03:14 	racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[55387]<->123.123.123.123[4500]
    May 11 12:03:14 	racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    May 11 12:03:14 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
    May 11 12:03:14 	racoon: INFO: NAT-D payload #0 doesn't match
    May 11 12:03:14 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55387] with algo #2
    May 11 12:03:14 	racoon: INFO: NAT-D payload #1 doesn't match
    May 11 12:03:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
    May 11 12:03:14 	racoon: INFO: NAT detected: ME PEER
    May 11 12:03:14 	racoon: INFO: Sending Xauth request
    May 11 12:03:14 	racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[55387] spi:07f9b5569aa783e7:20e75e7333b5c9b8
    May 11 12:03:28 	racoon: INFO: Using port 0
    May 11 12:03:28 	racoon: user 'test' authenticated
    May 11 12:03:28 	racoon: INFO: login succeeded for user "test"
    May 11 12:03:28 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    May 11 12:03:28 	racoon: ERROR: Cannot open "/etc/motd"
    May 11 12:03:28 	racoon: WARNING: Ignored attribute 28683
    May 11 12:03:28 	racoon: WARNING: Ignored attribute 28684
    May 11 12:03:28 	racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[55387]
    May 11 12:03:28 	racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: ERROR: not matched
    May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:03:28 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=27097690(0x19d7a5a)
    May 11 12:03:28 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=602786838(0x23edcc16)
    

    Connection established, everything works.

    I disconnect. I connect again...

    Here is what the log shows:

    May 11 12:24:21 	racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[59617]
    May 11 12:24:21 	racoon: INFO: begin Aggressive mode.
    May 11 12:24:21 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 11 12:24:21 	racoon: INFO: received Vendor ID: DPD
    May 11 12:24:21 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 11 12:24:21 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 11 12:24:21 	racoon: INFO: received Vendor ID: CISCO-UNITY
    May 11 12:24:21 	racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    May 11 12:24:21 	racoon: INFO: Adding remote and local NAT-D payloads.
    May 11 12:24:21 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59617] with algo #2
    May 11 12:24:21 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
    May 11 12:24:21 	racoon: INFO: Adding xauth VID payload.
    May 11 12:24:21 	racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[59618]<->123.123.123.123[4500]
    May 11 12:24:21 	racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    May 11 12:24:21 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
    May 11 12:24:21 	racoon: INFO: NAT-D payload #0 doesn't match
    May 11 12:24:21 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59618] with algo #2
    May 11 12:24:21 	racoon: INFO: NAT-D payload #1 doesn't match
    May 11 12:24:21 	racoon: INFO: received Vendor ID: CISCO-UNITY
    May 11 12:24:21 	racoon: INFO: NAT detected: ME PEER
    May 11 12:24:21 	racoon: INFO: Sending Xauth request
    May 11 12:24:21 	racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[59618] spi:06fbe9bf549af3b7:47e137722fc9fa19
    May 11 12:24:24 	racoon: INFO: Using port 0
    May 11 12:24:24 	racoon: user 'test' authenticated
    May 11 12:24:24 	racoon: INFO: login succeeded for user "test"
    May 11 12:24:24 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    May 11 12:24:24 	racoon: ERROR: Cannot open "/etc/motd"
    May 11 12:24:24 	racoon: WARNING: Ignored attribute 28683
    May 11 12:24:24 	racoon: WARNING: Ignored attribute 28684
    May 11 12:24:24 	racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[59618]
    May 11 12:24:24 	racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: ERROR: not matched
    May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    May 11 12:24:24 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
    May 11 12:24:24 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=1350976079(0x5086424f)
    May 11 12:24:30 	racoon: ERROR: no configuration found for 45.45.45.45.
    May 11 12:24:30 	racoon: ERROR: failed to begin ipsec sa negotication.
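    The two excerpts above differ only at the tail: both attempts log the same authtype/trns_id mismatch warnings and both end with two IPsec-SAs established, but the second one adds "no configuration found" / "failed to begin ipsec sa negotication" six seconds later. The following is an added example, not from the thread or from pfSense, that parses racoon lines of this shape and flags that pattern; the abbreviated sample log and the verdict labels are my own construction.

```python
"""Summarise a racoon (ipsec-tools) log for one mobile-client connection attempt."""
import re
from collections import Counter

# Constructed sample, abbreviated from the shape of the racoon output pfSense 2.1.x
# writes for a Cisco VPN Client reconnect. The last two lines are the failure signal.
FAILING_ATTEMPT = """\
May 11 12:24:21 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[59617]
May 11 12:24:21 racoon: INFO: begin Aggressive mode.
May 11 12:24:21 racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[59618]<->123.123.123.123[4500]
May 11 12:24:21 racoon: INFO: NAT detected: ME PEER
May 11 12:24:21 racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[59618] spi:06fbe9bf549af3b7:47e137722fc9fa19
May 11 12:24:24 racoon: user 'test' authenticated
May 11 12:24:24 racoon: INFO: login succeeded for user "test"
May 11 12:24:24 racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[59618]
May 11 12:24:24 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 11 12:24:24 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 racoon: ERROR: not matched
May 11 12:24:24 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
May 11 12:24:24 racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=1350976079(0x5086424f)
May 11 12:24:30 racoon: ERROR: no configuration found for 45.45.45.45.
May 11 12:24:30 racoon: ERROR: failed to begin ipsec sa negotication.
"""
# The working first attempt in the thread has the same shape minus the two trailing errors.
WORKING_ATTEMPT = "\n".join(FAILING_ATTEMPT.splitlines()[:-2]) + "\n"

# syslog timestamp, "racoon:", zero or more "[Self]:" / "[peer]" prefixes, optional level, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+racoon: "
    r"(?:\[[^\]]*\]:? )*"
    r"(?:(?P<level>INFO|WARNING|ERROR|NOTIFY): )?(?P<msg>.*)$"
)


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for a racoon log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "level": m.group("level") or "RAW", "msg": m.group("msg")}


def summarize_attempt(text):
    """Walk one connection attempt and pull out the fields worth comparing between runs."""
    s = {"peer": None, "mode": None, "isakmp_sa": False, "xauth_user": None,
         "generated_policy": None, "ipsec_sa_spis": [], "mismatches": Counter(),
         "errors_after_sa": []}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := re.match(r"respond new phase 1 negotiation: \S+<=>([\d.]+)\[", msg):
            s["peer"] = m.group(1)
        elif m := re.match(r"begin (\w+) mode", msg):
            s["mode"] = m.group(1)
        elif msg.startswith("ISAKMP-SA established"):
            s["isakmp_sa"] = True
        elif m := re.match(r'login succeeded for user "([^"]+)"', msg):
            s["xauth_user"] = m.group(1)
        elif m := re.match(r"no policy found, try to generate the policy : (.+)$", msg):
            s["generated_policy"] = m.group(1)
        elif m := re.match(r"(\w+) mismatched: my:(\S+) peer:(\S+)", msg):
            # proposal-matching noise: counted so it can be shown to be identical across runs
            s["mismatches"][(m.group(1), m.group(2), m.group(3))] += 1
        elif m := re.search(r"IPsec-SA established: ESP .* spi=(\d+)", msg):
            s["ipsec_sa_spis"].append(int(m.group(1)))
        elif rec["level"] == "ERROR" and s["ipsec_sa_spis"]:
            # only errors logged after the child SAs were already up are interesting
            s["errors_after_sa"].append(msg)
    return s


def verdict(summary):
    """Assumed classification (mine, not racoon's): the thread's reconnect symptom is an
    ERROR logged after the IPsec-SAs were established, not the mismatch warnings."""
    if not summary["isakmp_sa"]:
        return "phase1-failed"
    if not summary["ipsec_sa_spis"]:
        return "phase2-failed"
    if any(e.startswith("no configuration found") for e in summary["errors_after_sa"]):
        return "sa-up-then-no-config"
    return "ok"


if __name__ == "__main__":
    for name, text in (("first attempt", WORKING_ATTEMPT), ("reconnect", FAILING_ATTEMPT)):
        s = summarize_attempt(text)
        print(name, verdict(s), s["mode"], s["xauth_user"], s["ipsec_sa_spis"], dict(s["mismatches"]))
```

    Run against a full pfSense IPsec log, the mismatch counter will be identical for the working and the failing session, so those WARNING/ERROR pairs can be ignored when hunting the reconnect problem.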
    


  • The error occurs in phase 2. Try changing the settings from Aggressive mode to Main.

    Try this first - https://forum.pfsense.org/index.php?topic=46917.0, https://forum.pfsense.org/index.php?topic=41631.15

    Also:

    To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfsense is at both ends in my scenario).

    And also:

    _On the pfsense side, try setting the P1 Policy Generation to "unique".

    I was having similar issues for subsequent reconnects for the Shrew client, where restarting the pfsense ipsec process would clear the issue.

    I did NOT need to disable NAT-T or DPD; just changing the P1 Policy Generation setting from "default" to "unique" was the only change I made._

    P.S. People write that the problem is with the Cisco client. Are you using the latest version of this client? If you have the 64-bit version (if one exists, I'm not aware :-), switch to the 32-bit one.



  • When switching from "Aggressive" to "main":

    
    May 11 14:48:04 	racoon: [213.142.62.211] ERROR: exchange Aggressive not allowed in any applicable rmconf.
    


  • @werter:

    P.S. People write that the problem is with the Cisco client. Are you using the latest version of this client? If you have the 64-bit version (if one exists, I'm not aware :-), switch to the 32-bit one.

    I wouldn't mind using a different client; the main thing is that it supports AD authentication.



  • Try doing it exactly per the instructions:

    https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

    P.S. Enable racoon debug and watch the log:

    You can enable debug mode for racoon by checking the option for it under System > Advanced on the Miscellaneous tab.



  • Did everything per the manual + installed ShrewSoft VPN Client ... everything works great!!!



  • So AD authentication works stably even on reconnect? It doesn't drop? And with the Cisco client?

    P.S. Please put [SOLVED] in the topic title.



  • I tried breaking the connection from the PC several times; everything works fine! And AD authentication goes through too. BUT...

    if I try to connect again from another device (I use an iPad), everything stops working on the PC: the connection is there, but there is no access anywhere. Same on the tablet: the VPN comes up but there is no access anywhere, and pings disappear on both the PC and the tablet.



  • @werter:

    And with the Cisco client?

    With the parameters from the manual, Cisco VPN Client does not connect.

