IPSEC (pfSense 2.1.4) + mobile clients



  • Hi all, I have a pfSense 2.1.4-RELEASE (i386). I used this link as a guide for the configuration: https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors and we have multi-WAN running OK, there's no problem with that.

    I tried the IPsec setup for mobile clients on the 2 WAN links (interfaces), same error: "Aug 19 21:53:13  racoon: ERROR: phase1 negotiation failed due to time up. 5b96ad517895d3ae:c63d8ac780cdb551"

    But I decided to leave IPsec enabled on the firewall's default gateway, since I had read posts on the forum about this issue when you have 2 WAN links.

    LAN-----[PFSENSE]---WAN1(adsl1)---router1------INTERNET
                     ---WAN2(adsl2)---router2------INTERNET

    NAT for UDP port 500 was tested on each ADSL router (router1 and router2), forwarding to the pfSense WAN1 and WAN2 interfaces.

    racoon is in debug mode:

    Aug 19 21:52:53  racoon: DEBUG: resend phase1 packet 5b96ad517895d3ae:c63d8ac780cdb551
    Aug 19 21:53:03  racoon: DEBUG: 388 bytes from 192.168.3.4[500] to 187.21.17.63[500]
    Aug 19 21:53:03  racoon: DEBUG: sockname 192.168.3.4[500]
    Aug 19 21:53:03  racoon: DEBUG: send packet from 192.168.3.4[500]
    Aug 19 21:53:03  racoon: DEBUG: send packet to 187.21.17.63[500]
    Aug 19 21:53:03  racoon: DEBUG: 1 times of 388 bytes message will be sent to 187.21.17.63[500]
    Aug 19 21:53:03  racoon: DEBUG: 5b96ad51 7895d3ae c63d8ac7 80cdb551 01100400 00000000 00000184 0400003c 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0100 80020002 80040002 80030001 800b0001 000c0004 00000e10 0a000084 43b9ab3a 7139d265 84b43c8e 19ce563c 2ac8b945 a989b5ee 295c9eef e37b4ba3 a17746ec 156c2d89 ad5d9858 6148a581 89749a26 065cd632 caf28793 3eadaa47 91e0f90a ea6955ae cdbe5391 42834c26 9dab7264 4099d8cb 8ebbbcc6 d56f72c3 7c41db68 dfd5c715 d69fd0a4 2e60dfb5 ceb5125b 4bec8a75 b025e671 224f5fb3 05000014 e6f8f329 40140f5e 67b43a8a cd642e81 0800000c 011101f4 c0a80304 0d000018 b8a84d9f 9a793eef a6550d5b c89c77b4 f9dcdc24 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 14000014 4a131c81 07035845 5c5728f2 0e95452f 14000018 7678a363 66455471 f460485d ca10c2d3 b6b78480 0d000018 7678a363 66455471 f460485d ca10c2d3 b6b78480 00000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
    Aug 19 21:53:03  racoon: DEBUG: resend phase1 packet 5b96ad517895d3ae:c63d8ac780cdb551
    Aug 19 21:53:13  racoon: ERROR: phase1 negotiation failed due to time up. 5b96ad517895d3ae:c63d8ac780cdb551
    Aug 19 21:53:13  racoon: DEBUG: IV freed

    Here is the dump/capture I took:

    22:05:47.295295 IP 187.21.17.63.500 > 192.168.3.4.500: isakmp: phase 1 I agg
    22:05:47.303331 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:05:57.306604 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:07.336766 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:17.361490 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:27.385014 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg

    thanks,

    Thiago



  • Apparently the packets don't come back or are being rejected:

    Aug 19 21:53:13  racoon: ERROR: phase1 negotiation failed due to time up. 5b96ad517895d3ae:c63d8ac780cdb551

    22:05:47.303331 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:05:57.306604 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:07.336766 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:17.361490 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:27.385014 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
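Added example, not from either poster: a small checker over tcpdump ISAKMP summary lines like the capture above. It assumes tcpdump's "I"/"R" marks the direction of each packet (initiator-to-responder vs responder-to-initiator) and that in aggressive mode a healthy phase 1 is I, R, then a second I; when the responder's "R agg" just repeats and no second "I agg" ever shows up, the responder's replies are not reaching the initiator (or are being dropped), which is the reply's conclusion.

```python
import re
from collections import defaultdict

# Constructed sample input: the capture lines posted in the thread, same format.
SAMPLE_CAPTURE = """\
22:05:47.295295 IP 187.21.17.63.500 > 192.168.3.4.500: isakmp: phase 1 I agg
22:05:47.303331 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
22:05:57.306604 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
22:06:07.336766 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
22:06:17.361490 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
22:06:27.385014 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
"""

# One tcpdump ISAKMP summary line: timestamp, src.port > dst.port, phase, I/R, mode.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): isakmp: phase (?P<phase>\d) "
    r"(?P<role>[IR]) (?P<mode>\w+)$"
)


def parse_isakmp(text):
    """Parse tcpdump ISAKMP summary lines into dicts; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def analyse_phase1(packets):
    """Per (initiator, responder) pair, count phase-1 messages by direction and
    classify the exchange. Key is always (initiator_ip, responder_ip)."""
    counts = defaultdict(lambda: {"I": 0, "R": 0})
    for p in packets:
        if p["phase"] != "1":
            continue
        key = (p["src"], p["dst"]) if p["role"] == "I" else (p["dst"], p["src"])
        counts[key][p["role"]] += 1

    findings = {}
    for key, c in counts.items():
        if c["I"] == 1 and c["R"] >= 2:
            # Responder keeps retransmitting its reply; initiator never answered it.
            verdict = "reply-unanswered"
        elif c["I"] >= 2 and c["R"] >= 1:
            verdict = "progressed"  # third aggressive-mode message was seen
        else:
            verdict = "inconclusive"
        findings[key] = {"initiator_msgs": c["I"], "responder_msgs": c["R"],
                         "responder_retransmits": max(c["R"] - 1, 0),
                         "verdict": verdict}
    return findings
```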