pfSense does not do NAT on IPsec.
On 22/10/2012 18:58, "Diego Riera" <[email protected]> wrote:

> Folks,
>
> I'm having trouble bringing up an L2L VPN with a Cisco ASA. The company on
> the other side says the configs are fine on their end, and I don't know what
> else to do. Can anyone help?
>
> I've already searched for this NO-PROPOSAL-CHOSEN error, but it didn't help much.
>
>
> Log after disabling NAT-T:
>
> Oct 22 19:49:56 racoon: [ULTRA]: INFO: ISAKMP-SA deleted 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
> Oct 22 19:49:56 racoon: [ULTRA]: INFO: ISAKMP-SA expired 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
> Oct 22 19:49:56 racoon: [ULTRA]: [177.67.61.249] ERROR: error message: ''.
> Oct 22 19:49:56 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
> Oct 22 19:49:56 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
> Oct 22 19:49:55 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
> Oct 22 19:49:55 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Oct 22 19:49:55 racoon: INFO: received Vendor ID: CISCO-UNITY
> Oct 22 19:49:55 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> Oct 22 19:49:55 racoon: INFO: begin Identity Protection mode.
> Oct 22 19:49:55 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
> Oct 22 19:49:55 racoon: [ULTRA]: INFO: IPsec-SA request for 177.67.61.249 queued due to no phase1 found.
>
>
> Log with NAT-T enabled:
>
> Oct 22 19:56:24 racoon: [ULTRA]: INFO: KA remove: 189.38.253.92[4500]->177.67.61.249[4500]
> Oct 22 19:56:24 racoon: [ULTRA]: INFO: ISAKMP-SA deleted 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
> Oct 22 19:56:24 racoon: [ULTRA]: INFO: ISAKMP-SA expired 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
> Oct 22 19:56:24 racoon: [ULTRA]: [177.67.61.249] ERROR: error message: 'Y z'.
> Oct 22 19:56:24 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
> Oct 22 19:56:24 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
> Oct 22 19:56:24 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[4500]<=>177.67.61.249[4500]
> Oct 22 19:56:23 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
> Oct 22 19:56:23 racoon: WARNING: port 4500 expected, but 0
> Oct 22 19:56:23 racoon: [ULTRA]: INFO: KA list add: 189.38.253.92[4500]->177.67.61.249[4500]
> Oct 22 19:56:23 racoon: INFO: NAT detected: ME
> Oct 22 19:56:23 racoon: INFO: NAT-D payload #1 verified
> Oct 22 19:56:23 racoon: [ULTRA]: [177.67.61.249] INFO: Hashing 177.67.61.249[500] with algo #2
> Oct 22 19:56:23 racoon: INFO: NAT-D payload #0 doesn't match
> Oct 22 19:56:23 racoon: [Self]: [189.38.253.92] INFO: Hashing 189.38.253.92[500] with algo #2
> Oct 22 19:56:23 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Oct 22 19:56:23 racoon: INFO: received Vendor ID: CISCO-UNITY
> Oct 22 19:56:23 racoon: INFO: Adding remote and local NAT-D payloads.
> Oct 22 19:56:23 racoon: [Self]: [189.38.253.92] INFO: Hashing 189.38.253.92[500] with algo #2
> Oct 22 19:56:23 racoon: [ULTRA]: [177.67.61.249] INFO: Hashing 177.67.61.249[500] with algo #2
> Oct 22 19:56:23 racoon: [ULTRA]: [177.67.61.249] INFO: Selected NAT-T version: RFC 3947
> Oct 22 19:56:23 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> Oct 22 19:56:23 racoon: INFO: received Vendor ID: RFC 3947
> Oct 22 19:56:23 racoon: INFO: begin Identity Protection mode.
> Oct 22 19:56:23 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
> Oct 22 19:56:23 racoon: [ULTRA]: INFO: IPsec-SA request for 177.67.61.249 queued due to no phase1 found.
> Oct 22 19:56:22 racoon: INFO: unsupported PF_KEY message REGISTER
> Oct 22 19:56:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.254.0/24[0] 192.168.56.8/29[0] proto=any dir=out
> Oct 22 19:56:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.56.8/29[0] 192.168.254.0/24[0] proto=any dir=in
> Oct 22 19:56:22 racoon: ERROR: no iph2 found: ESP 177.67.61.249[500]->189.38.253.92[500] spi=263611198(0xfb6633e)
> Oct 22 19:56:22 racoon: INFO: unsupported PF_KEY message REGISTER
> --
>
> Regards,
>
> Diego Riera
> [email protected]
> 55 (11) 8218-9285
>
>
> _______________________________________________
> Pfsense-pt mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/pfsense-pt
>
>
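Reading the two posted logs in time order (pfSense's log viewer shows the newest entry first) gives the practical clue: in both runs "ISAKMP-SA established" is logged, then "initiate new phase 2 negotiation", and only then does the ASA send NO-PROPOSAL-CHOSEN. The phase 1 (ISAKMP) proposal was therefore accepted and it is the phase 2 (IPsec) proposal that the peer is rejecting, with or without NAT-T. The script below is an added example, not code from the thread or from pfSense/racoon: it replays racoon log lines in chronological order and reports which phase the rejection landed in. The two pfSense samples are trimmed copies of the posted log lines; the third sample, a rejection during phase 1, is constructed for contrast and does not come from the post. The `Diagnosis` class, the `diagnose`/`parse` functions and the hint strings are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Samples keep pfSense's newest-first display order.
# Trimmed copies of the posted logs (NAT-T disabled / enabled):
LOG_NATT_DISABLED = """\
Oct 22 19:49:56 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Oct 22 19:49:56 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
Oct 22 19:49:55 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
Oct 22 19:49:55 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 22 19:49:55 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
"""
LOG_NATT_ENABLED = """\
Oct 22 19:56:24 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Oct 22 19:56:24 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Oct 22 19:56:24 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[4500]<=>177.67.61.249[4500]
Oct 22 19:56:23 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
Oct 22 19:56:23 racoon: INFO: NAT detected: ME
Oct 22 19:56:23 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
"""
# Constructed contrast case (NOT from the post): the peer rejects the ISAKMP
# proposal itself, so NO-PROPOSAL-CHOSEN arrives before any ISAKMP-SA exists.
LOG_PHASE1_REJECTED = """\
Oct 22 20:01:02 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Oct 22 20:01:01 racoon: INFO: begin Identity Protection mode.
Oct 22 20:01:01 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<msg>.*)$")
PEER_RE = re.compile(r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\] ERROR")


@dataclass
class Diagnosis:
    failed_phase: Optional[int]   # 1, 2, or None when no rejection was seen
    peer: Optional[str]           # address racoon tagged on the ERROR line
    nat_traversal: bool           # racoon switched to UDP encapsulation
    hint: str


def parse(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, message) pairs, dropping lines that are not racoon entries."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["msg"]))
    return out


def diagnose(text: str, newest_first: bool = True) -> Diagnosis:
    events = parse(text)
    if newest_first:
        # Timestamps have one-second resolution, so sorting on them is ambiguous;
        # the display order itself is the reliable sequence, so just reverse it.
        events.reverse()
    phase_started = 0      # most recent "initiate new phase N negotiation"
    isakmp_sa_up = False   # a phase 1 SA was fully established
    natt = False
    for _ts, msg in events:
        if "initiate new phase 1 negotiation" in msg:
            phase_started, isakmp_sa_up = 1, False
        elif "initiate new phase 2 negotiation" in msg:
            phase_started = 2
        elif "ISAKMP-SA established" in msg:
            isakmp_sa_up = True
        elif "NAT detected -> UDP encapsulation" in msg:
            natt = True
        elif "NO-PROPOSAL-CHOSEN" in msg:
            m = PEER_RE.search(msg)
            peer = m["ip"] if m else None
            if isakmp_sa_up and phase_started == 2:
                return Diagnosis(2, peer, natt,
                    "ISAKMP proposal accepted; the peer rejected the IPsec (phase 2) proposal. "
                    "Compare phase 2 encryption/hash, PFS group, lifetime and the local/remote "
                    "networks with the peer's transform set and crypto ACL.")
            return Diagnosis(1, peer, natt,
                "The peer rejected the ISAKMP (phase 1) proposal. Compare encryption, hash, "
                "DH group, lifetime, authentication method and identifiers.")
    return Diagnosis(None, None, natt, "No NO-PROPOSAL-CHOSEN notification in this log.")


if __name__ == "__main__":
    for name, log in (("NAT-T disabled", LOG_NATT_DISABLED),
                      ("NAT-T enabled", LOG_NATT_ENABLED),
                      ("constructed phase 1 reject", LOG_PHASE1_REJECTED)):
        d = diagnose(log)
        print(f"{name}: phase={d.failed_phase} peer={d.peer} nat_t={d.nat_traversal}")
        print(f"  {d.hint}")
```

Run against the posted lines it reports phase 2 for both runs, with `nat_traversal` true only for the second, which is why toggling NAT-T changed nothing: NAT-T only affects how the ISAKMP and ESP packets are carried, not which phase 2 proposal the ASA is willing to accept. The constructed third sample shows the other shape, a rejection with no ISAKMP-SA yet, which is the case where the phase 1 settings are what to compare.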