    IPSec Dropping After Update

    • K
      kleitonsoares last edited by

      Hello everyone, have an excellent day.

      I have a pfSense that has been running 2.1.5-RELEASE (amd64) for 2 years, but after updating to the new version 2.3 my IPSec VPN no longer works.

      Actually, it connects, stays up for a few moments and drops; the connection only comes back if I restart the server or the service, otherwise it never comes back.

      I have been researching, trying and testing for 1 week with no result. Has anyone been through this? Can you help me?

      • R
        rlrobs last edited by

        First of all (this may be unrelated to your problem): are you using IKEv2? If not, use it, because it is faster.

        Another thing… did you do an upgrade? Upgrading from 2.1 to 2.2 was not recommended because of the FreeBSD update... I believe going from 2.1 to 2.3 is the same situation. The ideal would be to install a fresh pfSense.

        Thanks

        • K
          kleitonsoares last edited by

          Hello, thanks for helping.

          Yes, I am using IKEv2.

          About the installation: after trying a lot I decided to "start from scratch" and installed a new server, downloading the ISO from the site.

          Even so, with me configuring the service manually, the connection is established and drops right after.

          My pfSense is connecting to a CISCO at a supplier.

          Please, do you have any idea? What could I have forgotten in the firewall or NAT?

          I look forward to your reply, best regards.

          • R
            rlrobs last edited by

            Do the following: in phase 2, try entering an IP from the remote network in the "Automatically ping host" field.

            Note: I had trouble establishing a VPN between a pfSense and a SonicWall with IKEv2. If possible, try IKEv1 as well.

            • K
              kleitonsoares last edited by

              It already has Automatically ping host set to the Remote Network.

              Encryption 3DES/SHA1

              • R
                rlrobs last edited by

                Did you take a look at the IPsec logs? Post them here.

                Do you have access to that CISCO?

                • K
                  kleitonsoares last edited by

                  Another good observation I can make is that when the connection is made, for the short time it stays up I cannot ping.  :-[ :-[

                  • K
                    kleitonsoares last edited by

                    See the LOG

                    May 13 22:03:38 charon 01[ENC] <con1000|3>generating QUICK_MODE request 864875732 [ HASH ]
                    May 13 22:03:38 charon 01[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (60 bytes)
                    May 13 22:03:38 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:03:38 charon 01[ENC] <con1000|3>generating QUICK_MODE request 3128749469 [ HASH SA No ID ID ]
                    May 13 22:03:38 charon 01[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (172 bytes)
                    May 13 22:03:38 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:03:38 charon 03[NET] received packet: from 210.26.68.22[500] to 210.119.23.151[500]
                    May 13 22:03:38 charon 03[NET] waiting for data on sockets
                    May 13 22:03:38 charon 10[NET] <con1000|3>received packet: from 210.26.68.22[500] to 210.119.23.151[500] (156 bytes)
                    May 13 22:03:38 charon 10[ENC] <con1000|3>parsed QUICK_MODE response 3128749469 [ HASH SA No ID ID ]
                    May 13 22:03:38 charon 10[IKE] <con1000|3>CHILD_SA con10017{63} established with SPIs c14224eb_i 5c973745_o and TS 10.200.0.0/23|/0 === 10.91.8.0/21|/0
                    May 13 22:03:38 charon 10[ENC] <con1000|3>generating QUICK_MODE request 3128749469 [ HASH ]
                    May 13 22:03:38 charon 10[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (60 bytes)
                    May 13 22:03:38 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:03:38 charon 10[ENC] <con1000|3>generating QUICK_MODE request 1411318312 [ HASH SA No ID ID ]
                    May 13 22:03:38 charon 10[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (172 bytes)
                    May 13 22:03:38 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:03:39 charon 10[KNL] creating acquire job for policy 210.119.23.151/32|/0 === 210.26.68.22/32|/0 with reqid {17}
                    May 13 22:03:39 charon 14[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
                    May 13 22:03:42 charon 14[KNL] creating acquire job for policy 210.119.23.151/32|/0 === 210.26.68.22/32|/0 with reqid {26}
                    May 13 22:03:42 charon 09[IKE] <con1000|3>sending retransmit 1 of request message ID 1411318312, seq 14
                    May 13 22:03:42 charon 09[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (172 bytes)
                    May 13 22:03:42 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:03:46 charon 15[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
                    May 13 22:03:49 charon 14[IKE] <con1000|3>sending retransmit 2 of request message ID 1411318312, seq 14
                    May 13 22:03:49 charon 14[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (172 bytes)
                    May 13 22:03:49 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:03:52 charon 14[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
                    May 13 22:03:53 charon 11[KNL] creating acquire job for policy 210.119.23.151/32|/0 === 210.26.68.22/32|/0 with reqid {31}
                    May 13 22:03:58 charon 07[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
                    May 13 22:04:02 charon 07[IKE] <con1000|3>sending retransmit 3 of request message ID 1411318312, seq 14
                    May 13 22:04:02 charon 07[NET] <con1000|3>sending packet: from 210.119.23.151[500] to 210.26.68.22[500] (172 bytes)
                    May 13 22:04:02 charon 04[NET] sending packet: from 210.119.23.151[500] to 210.26.68.22[500]
                    May 13 22:04:02 charon 05[KNL] creating acquire job for policy 210.119.23.151/32|/0 === 210.26.68.22/32|/0 with reqid {17}
                    May 13 22:04:02 charon 06[CFG] ignoring acquire, connection attempt pending
                    May 13 22:04:04 charon 07[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
                    May 13 22:04:07 charon 06[KNL] creating acquire job for policy 210.119.23.151/32|/0 === 210.26.68.22/32|/0 with reqid {27}
                    May 13 22:04:07 charon 07[KNL] creating acquire job for policy 210.119.23.151/32|/0 === 210.26.68.22/32|/0 with reqid {19}

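A way to triage a charon log like the one posted above, as an added example that is not part of the thread: it lists QUICK_MODE (IKEv1 phase 2) requests that never got a parsed response, the highest retransmit number per message ID, and how often each SPI failed a SAD lookup. The sample lines are copied from the posted log; the function name `triage` and the regular expressions are this example's own.

```python
import re
from collections import Counter

# Excerpt of the charon log posted above (lines copied from the thread).
SAMPLE_LOG = """\
May 13 22:03:38 charon 01[ENC] <con1000|3>generating QUICK_MODE request 3128749469 [ HASH SA No ID ID ]
May 13 22:03:38 charon 10[ENC] <con1000|3>parsed QUICK_MODE response 3128749469 [ HASH SA No ID ID ]
May 13 22:03:38 charon 10[ENC] <con1000|3>generating QUICK_MODE request 1411318312 [ HASH SA No ID ID ]
May 13 22:03:39 charon 14[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
May 13 22:03:42 charon 09[IKE] <con1000|3>sending retransmit 1 of request message ID 1411318312, seq 14
May 13 22:03:46 charon 15[KNL] <con1000|3>unable to query SAD entry with SPI 756a592f: No such file or directory (2)
May 13 22:03:49 charon 14[IKE] <con1000|3>sending retransmit 2 of request message ID 1411318312, seq 14
May 13 22:04:02 charon 07[IKE] <con1000|3>sending retransmit 3 of request message ID 1411318312, seq 14
"""

# "charon <thread>[<subsystem>] <optional connection tag><message>"
LINE = re.compile(r"charon (\d+)\[(\w+)\] (?:<([^>]+)>\s*)?(.*)")
# First Quick Mode message carries the SA payload; the final "[ HASH ]" ack does not.
REQUEST = re.compile(r"generating QUICK_MODE request (\d+) \[ HASH SA ")
RESPONSE = re.compile(r"parsed QUICK_MODE response (\d+) ")
RETRANSMIT = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
SAD_MISS = re.compile(r"unable to query SAD entry with SPI ([0-9a-f]+)")

def triage(log_text):
    """Summarise unanswered QUICK_MODE requests, retransmits and SAD lookup failures."""
    requested, answered = set(), set()
    retransmits, sad_misses = Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a charon line
        msg = m.group(4)
        if (r := REQUEST.search(msg)):
            requested.add(r.group(1))
        elif (r := RESPONSE.search(msg)):
            answered.add(r.group(1))
        elif (r := RETRANSMIT.search(msg)):
            # keep the highest retransmit number seen for this message ID
            retransmits[r.group(2)] = max(retransmits[r.group(2)], int(r.group(1)))
        elif (r := SAD_MISS.search(msg)):
            sad_misses[r.group(1)] += 1
    return {
        "unanswered": sorted(requested - answered),
        "retransmits": dict(retransmits),
        "sad_misses": dict(sad_misses),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```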
                    • K
                      kleitonsoares last edited by

                      These are the advanced settings


                      • R
                        rlrobs last edited by

                        Test with Configure Unique IDs = keep

                        • R
                          rlrobs last edited by

                          Version 2.3 still has quite a few bugs –> https://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=1

                          Maybe it would be worthwhile for you to try establishing this VPN on 2.2.6 (more stable)

                          • K
                            kleitonsoares last edited by

                            Incredible as it may seem, 2.2.6 showed the same problem, which is why I updated to 2.3.

                            I don't know if I'm forgetting something in the firewall, NAT or configuration; I have already compared the firewalls and found nothing….

                            It only works on 2.1.5.

                            I'm about ready to throw this out the window.

                            I've posted the screenshots of the firewall and IPsec






                            • R
                              rlrobs last edited by

                              Is your pfSense behind NAT?

                              Add me on Skype: rlustosa1

                              • J
                                JorgeOliveira last edited by

                                There are some bugs with IPSec in the 2.3.0 release that will probably be fixed in 2.3.1.

                                Try using a development snapshot (snapshots.pfsense.org) on a test machine, and check whether the problem still occurs.

                                Additionally, version 2.3.1 should be released in the next few days.

                                Good luck!

                                Regards,
                                Jorge M. Oliveira
