IPsec tunnel apparently established but no traffic, pfSense
-
I have pfSense 2.2 installed.
I need to set up an IPsec tunnel with a provider who gave me these parameters:

                              Site 1          Site 2
Public IP                     Public IP 1     Public IP 1
Private network               10.0.0.0/24     10.50.0.0/24
Phase 1
  Authentication Method       Pre-shared      Pre-shared
  DH Group                    Group 2         Group 2
  Encryption Algorithm        3DES-CBC        3DES-CBC
  Hash Algorithm              SHA1            SHA1
  Lifetime                    28800           28800
Phase 2
  Perfect Forward Secrecy     Group 2         Group 2
  Encryption Algorithm        3DES-CBC        3DES-CBC
  Authentication Algorithm    SHA1            SHA1
  Lifetime                    3600            3600
  Preshared Key               xxxxxx          xxxxxxx

I configured everything and the IPsec status screen shows status established, but I cannot pass traffic between the private networks.
It seems as if the tunnel does not finish establishing.
Output of the command ipsec statusall:

Status of IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, i386):
uptime: 84 minutes, since Feb 20 15:58:49 2015
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 61
loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Listening IP addresses:
IP-Publica-1
Connections:
con1000: IP-Publica-1...IP-Publica-2 IKEv1
con1000: local: [ IP-Publica-1] uses pre-shared key authentication
con1000: remote: [IP-Publica-2] uses pre-shared key authentication
con1000: child: 10.50.0.0/24|/0 === 10.0.0.0/24|/0 TUNNEL
Routed Connections:
con1000{1}: ROUTED, TUNNEL
con1000{1}: 10.50.0.0/24|/0 === 10.0.0.0/24|/0
Security Associations (1 up, 0 connecting):
con1000[30]: ESTABLISHED 2 minutes ago, IP-Publica-1[IP-Publica-1]...IP-Publica-2[IP-Publica-2]
con1000[30]: IKEv1 SPIs: 88583f4b249b8587_i* 79dbd5ef88f85006_r, pre-shared key reauthentication in 7 hours
con1000[30]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
con1000[30]: Tasks queued: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
con1000[30]: Tasks active: QUICK_MODE

I am new to IPsec, could someone give me a hand please?
Thanks a lot
JM
-
Are there permissions for the traffic under Rules?
-
The firewall rules I added are:

WAN:
  IPv4 Pass UDP from any to WAN address port 500
  IPv4 Pass UDP from any to WAN address port 4500
  IPv4 Pass ESP from any to WAN address
LAN:
  Pass from any to 10.0.0.0/24 (this is the private network on the other side)
IPsec:
  IPv4 Pass from any to any

It seems odd to me that when I run ipsec statusall I get QUICK_MODE repeated under Tasks queued:
con1000[98]: Tasks queued: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
It seems to me that the tunnel does not finish establishing.
Thanks a lot
Jorge
-
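In both status dumps above the ESTABLISHED state belongs to the IKE SA (Phase 1). A working tunnel additionally shows a CHILD_SA marked INSTALLED with ESP SPIs and byte counters; here there is none, and Quick Mode tasks keep piling up, which is why the GUI reads "established" while no traffic flows. The script below is an added example written for this thread, not code from pfSense or strongSwan: it parses `ipsec statusall` text in the layout strongSwan 5.x prints and classifies the state, separating "Phase 1 up, Phase 2 stuck" (the symptom in the posts) from "tunnel up but zero bytes in both directions" (the case the firewall-rules question is about). The two sample dumps, their addresses, SPIs and byte counts are constructed placeholders.

```python
"""Classify a strongSwan `ipsec statusall` dump for IKEv1 site-to-site tunnels.

Constructed example for this thread; not pfSense or strongSwan code. Sample
dumps follow the layout strongSwan 5.x prints; addresses, SPIs and counters
are placeholders.
"""
import re
from dataclasses import dataclass, field

# IKE SA (Phase 1) line: "<conn>[<id>]: ESTABLISHED ..."
IKE_UP = re.compile(r"^\s*\S+\[\d+\]:\s+ESTABLISHED\b")
# CHILD_SA (Phase 2) line: "<conn>{<id>}:  INSTALLED, TUNNEL, ESP SPIs: ..."
CHILD_UP = re.compile(r"^\s*\S+\{\d+\}:\s+INSTALLED\b")
# ESP traffic counters printed on the CHILD_SA proposal line
BYTES = re.compile(r"(?P<i>\d+) bytes_i, (?P<o>\d+) bytes_o")
TASKS_QUEUED = re.compile(r"Tasks queued:\s*(?P<tasks>.*)$")
TASKS_ACTIVE = re.compile(r"Tasks active:\s*(?P<tasks>.*)$")

EXPLANATION = {
    "no-ike-sa": "No IKE SA established: Phase 1 is failing (peer address, PSK, Phase 1 proposal).",
    "phase2-stuck": "IKE SA up but Quick Mode never completes, so no CHILD_SA exists: compare Phase 2 "
                    "settings (PFS group, algorithms, lifetime) and the local/remote subnets with the peer.",
    "phase1-only": "IKE SA up, no CHILD_SA and no Phase 2 negotiation pending.",
    "tunnel-up-no-traffic": "CHILD_SA installed but zero bytes in both directions: check firewall rules on "
                            "the IPsec and LAN interfaces and routing on both sides.",
    "tunnel-up": "Tunnel established and carrying traffic.",
}


@dataclass
class TunnelStatus:
    ike_established: int = 0     # IKE SAs in ESTABLISHED state
    child_installed: int = 0     # CHILD_SAs in INSTALLED state
    quick_mode_queued: int = 0   # QUICK_MODE entries under "Tasks queued"
    active_tasks: list = field(default_factory=list)
    bytes_in: int = 0
    bytes_out: int = 0


def parse_statusall(text: str) -> TunnelStatus:
    """Collect the facts relevant to the diagnosis from a statusall dump."""
    st = TunnelStatus()
    for line in text.splitlines():
        if IKE_UP.match(line):
            st.ike_established += 1
        elif CHILD_UP.match(line):
            st.child_installed += 1
        m = BYTES.search(line)
        if m:
            st.bytes_in += int(m.group("i"))
            st.bytes_out += int(m.group("o"))
        m = TASKS_QUEUED.search(line)
        if m:
            st.quick_mode_queued += m.group("tasks").split().count("QUICK_MODE")
        m = TASKS_ACTIVE.search(line)
        if m:
            st.active_tasks.extend(m.group("tasks").split())
    return st


def diagnose(st: TunnelStatus) -> str:
    """Map the collected facts to one of the EXPLANATION codes."""
    if st.ike_established == 0:
        return "no-ike-sa"
    if st.child_installed == 0:
        # IKE up, but Quick Mode exchanges never complete: Phase 2 is not negotiated
        if st.quick_mode_queued or "QUICK_MODE" in st.active_tasks:
            return "phase2-stuck"
        return "phase1-only"
    if st.bytes_in == 0 and st.bytes_out == 0:
        return "tunnel-up-no-traffic"
    return "tunnel-up"


def report(text: str) -> tuple:
    code = diagnose(parse_statusall(text))
    return code, EXPLANATION[code]


# Constructed dump mirroring the symptom in the thread: IKE SA up, no CHILD_SA.
STUCK_SAMPLE = """\
Status of IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, i386):
Connections:
     con1000:  198.51.100.10...203.0.113.20  IKEv1
     con1000:   child:  10.50.0.0/24 === 10.0.0.0/24 TUNNEL
Routed Connections:
     con1000{1}:  ROUTED, TUNNEL
     con1000{1}:   10.50.0.0/24 === 10.0.0.0/24
Security Associations (1 up, 0 connecting):
     con1000[30]: ESTABLISHED 2 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
     con1000[30]: IKEv1 SPIs: 0000000000000001_i* 0000000000000002_r, pre-shared key reauthentication in 7 hours
     con1000[30]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000[30]: Tasks queued: QUICK_MODE QUICK_MODE QUICK_MODE
     con1000[30]: Tasks active: QUICK_MODE
"""

# Constructed dump of a healthy tunnel: CHILD_SA installed and traffic flowing.
UP_SAMPLE = """\
Security Associations (1 up, 0 connecting):
     con1000[31]: ESTABLISHED 5 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
     con1000[31]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000{2}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
     con1000{2}:  3DES_CBC/HMAC_SHA1_96, 1234 bytes_i, 5678 bytes_o, rekeying in 47 minutes
     con1000{2}:   10.50.0.0/24 === 10.0.0.0/24
"""

if __name__ == "__main__":
    for name, dump in (("stuck", STUCK_SAMPLE), ("up", UP_SAMPLE)):
        code, why = report(dump)
        print(f"{name}: {code}: {why}")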
With 2.2 it switched from racoon to strongSwan...
https://blog.pfsense.org/?p=1546
Google "Tasks queued: QUICK_MODE QUICK_MODE" to find information and audit what strongSwan is doing.
Unfortunately I have not gotten into this new version of IPsec yet. Sorry I cannot say more.