IPsec VPN + Cisco VPN Client

dER_MuKCeP

Доброго времени суток !
Помогите пожалуйста разобраться. Имеем PfSense 2.1.2, настроен IPsec Mobile Client Support, причем настроен на работу с AD (авторизация по доменной связке логин+пароль). На клиентских ПК используется Cisco VPN Client версии 5.0.07.
Проблемный момент: первый раз авторизация проходит "на ура", доступ к внутрисетевым ресурсам есть, т.е. все работает ! Отключаемся , и подключаемся еще раз. Соединение с сервером происходит, выходит окно ввода логин+пароль (доменный) авторизация происходит, и "все", т.е. подключение как бы есть , траффик бегает, но доступа к внутрисетевым ресурсам отсутствует, пингов нидокуда нет.

В чем проблема и где копать не пойму….

werter

Включайте и смотрите логи IPSec, fw.

P.s. Попробуйте использовать это - https://www.shrew.net/software

dER_MuKCeP

Вариант с  Shrew Soft VPN Client очень хороший , но авторизация в AD платная (

dER_MuKCeP

Было замечено , если растартануть racoon все все начинает работать…

dER_MuKCeP

Лог после перезагрузки racoon и первой попытке соединения Cisco VPN Client

May 11 12:02:00 	racoon: INFO: caught signal 15
May 11 12:02:00 	racoon: INFO: racoon process 25517 shutdown
May 11 12:02:05 	racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
May 11 12:02:05 	racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
May 11 12:02:05 	racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
May 11 12:02:05 	racoon: INFO: Resize address pool from 0 to 253
May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[4500] used for NAT-T
May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[4500] used as isakmp port (fd=14)
May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[500] used for NAT-T
May 11 12:02:05 	racoon: [Self]: INFO: 123.123.123.123[500] used as isakmp port (fd=15)
May 11 12:02:05 	racoon: INFO: unsupported PF_KEY message REGISTER
May 11 12:02:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.2/32[0] 192.168.1.0/24[0] proto=any dir=out
May 11 12:02:05 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.2/32[0] proto=any dir=in
May 11 12:03:14 	racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[55386]
May 11 12:03:14 	racoon: INFO: begin Aggressive mode.
May 11 12:03:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 11 12:03:14 	racoon: INFO: received Vendor ID: DPD
May 11 12:03:14 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 11 12:03:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 11 12:03:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:03:14 	racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 11 12:03:14 	racoon: INFO: Adding remote and local NAT-D payloads.
May 11 12:03:14 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55386] with algo #2
May 11 12:03:14 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
May 11 12:03:14 	racoon: INFO: Adding xauth VID payload.
May 11 12:03:14 	racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[55387]<->123.123.123.123[4500]
May 11 12:03:14 	racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 11 12:03:14 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
May 11 12:03:14 	racoon: INFO: NAT-D payload #0 doesn't match
May 11 12:03:14 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[55387] with algo #2
May 11 12:03:14 	racoon: INFO: NAT-D payload #1 doesn't match
May 11 12:03:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:03:14 	racoon: INFO: NAT detected: ME PEER
May 11 12:03:14 	racoon: INFO: Sending Xauth request
May 11 12:03:14 	racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[55387] spi:07f9b5569aa783e7:20e75e7333b5c9b8
May 11 12:03:28 	racoon: INFO: Using port 0
May 11 12:03:28 	racoon: user 'test' authenticated
May 11 12:03:28 	racoon: INFO: login succeeded for user "test"
May 11 12:03:28 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
May 11 12:03:28 	racoon: ERROR: Cannot open "/etc/motd"
May 11 12:03:28 	racoon: WARNING: Ignored attribute 28683
May 11 12:03:28 	racoon: WARNING: Ignored attribute 28684
May 11 12:03:28 	racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[55387]
May 11 12:03:28 	racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:03:28 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: ERROR: not matched
May 11 12:03:28 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:03:28 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=27097690(0x19d7a5a)
May 11 12:03:28 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=602786838(0x23edcc16)

Соединение установлено , все работает.

Отключаюсь. Подключаюсь еще раз…

Вот что выдал лог:

May 11 12:24:21 	racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>45.45.45.45[59617]
May 11 12:24:21 	racoon: INFO: begin Aggressive mode.
May 11 12:24:21 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 11 12:24:21 	racoon: INFO: received Vendor ID: DPD
May 11 12:24:21 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 11 12:24:21 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 11 12:24:21 	racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:24:21 	racoon: [45.45.45.45] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 11 12:24:21 	racoon: INFO: Adding remote and local NAT-D payloads.
May 11 12:24:21 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59617] with algo #2
May 11 12:24:21 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
May 11 12:24:21 	racoon: INFO: Adding xauth VID payload.
May 11 12:24:21 	racoon: [Self]: INFO: NAT-T: ports changed to: 45.45.45.45[59618]<->123.123.123.123[4500]
May 11 12:24:21 	racoon: [45.45.45.45] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 11 12:24:21 	racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[4500] with algo #2
May 11 12:24:21 	racoon: INFO: NAT-D payload #0 doesn't match
May 11 12:24:21 	racoon: [45.45.45.45] INFO: Hashing 45.45.45.45[59618] with algo #2
May 11 12:24:21 	racoon: INFO: NAT-D payload #1 doesn't match
May 11 12:24:21 	racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 12:24:21 	racoon: INFO: NAT detected: ME PEER
May 11 12:24:21 	racoon: INFO: Sending Xauth request
May 11 12:24:21 	racoon: [Self]: INFO: ISAKMP-SA established 123.123.123.123[4500]-45.45.45.45[59618] spi:06fbe9bf549af3b7:47e137722fc9fa19
May 11 12:24:24 	racoon: INFO: Using port 0
May 11 12:24:24 	racoon: user 'test' authenticated
May 11 12:24:24 	racoon: INFO: login succeeded for user "test"
May 11 12:24:24 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
May 11 12:24:24 	racoon: ERROR: Cannot open "/etc/motd"
May 11 12:24:24 	racoon: WARNING: Ignored attribute 28683
May 11 12:24:24 	racoon: WARNING: Ignored attribute 28684
May 11 12:24:24 	racoon: [Self]: INFO: respond new phase 2 negotiation: 123.123.123.123[4500]<=>45.45.45.45[59618]
May 11 12:24:24 	racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: WARNING: trns_id mismatched: my:DEFLATE peer:LZS
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 11 12:24:24 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: ERROR: not matched
May 11 12:24:24 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
May 11 12:24:24 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=185558860(0xb0f674c)
May 11 12:24:24 	racoon: [Self]: INFO: IPsec-SA established: ESP 123.123.123.123[500]->45.45.45.45[500] spi=1350976079(0x5086424f)
May 11 12:24:30 	racoon: ERROR: no configuration found for 45.45.45.45.
May 11 12:24:30 	racoon: ERROR: failed to begin ipsec sa negotication.

werter

Ошибка происходит на 2-ой фазе. Попробуйте сменить настройки с Aggressive mode на main

Пробуйте сперва это  - https://forum.pfsense.org/index.php?topic=46917.0, https://forum.pfsense.org/index.php?topic=41631.15

Еще :

To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfsense is at both ends in my scenario).

И еще :

_on the pfsense side, try setting the P1 Policy Generation to "unique"

i was having similar issues for subequent reconnects for the Shrew client where restarting the pfsense ipsec process would clear the issue

i did NOT need to disable NAT-T or DPD, just changing the P1 Policy Generation setting from "default" to "unique" was the only change i made_

P.s. Люди пишут, что проблема с цисковским клиентом. Вы последнюю версию этого клиента пользуете? Если у Вас 64-битная версия (если такая есть, я не в курсе  :-), то смените ее на 32-х.

dER_MuKCeP

При смене с "Aggressive" на "main"

May 11 14:48:04 	racoon: [213.142.62.211] ERROR: exchange Aggressive not allowed in any applicable rmconf.

dER_MuKCeP

@werter:

P.s. Люди пишут, что проблема с цисковским клиентом. Вы последнюю версию этого клиента пользуете? Если у Вас 64-битная версия (если такая есть, я не в курсе  :-), то смените ее на 32-х.

Я бы не проч использовать другой клиент , главное что бы была поддержка авторизации в AD

werter

Попробуйте сделать точно по инс-ции :

https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

P.s. Включите дебаг ракуна и смотрите лог :

You can enable debug mode for racoon by checking the option for it under System > Advanced on the Miscellaneous tab.

dER_MuKCeP

Сделал все по мануалу + установил ShrewSoft VPN Client … все работает отлично!!!

werter

Т.е. авторизация с AD работает стабильно и при переподключении? Не рвется? А с клиентом от Cisco ?

P.s. Поставьте, пож-та, в название темы [РЕШЕНО].

dER_MuKCeP

Пробовал с ПК несколько раз рвать соединение, все отлично работает! и авторизация через АД тоже проходит. НО…

если попробовать подключиться еще раз с другого устройства (я использую iPad) то на ПК все прекращает работать , соединение есть, но доступа никуда нет . На планшете тоже самое, ВПН поднимается но никуда доступа нет, пинги пропадают и на ПК и на планшете.

dER_MuKCeP

@werter:

А с клиентом от Cisco ?

с параметрами из мануала Cisco VPN Client не  подключается