Does anyone know why, when I enable NAT-T, it tries to complete phase 2 on port 4500? I have another identical VPN that does not complete on port 4500.

Diego Riera

On Oct 23, 2012 1:09 PM, "Diogo Dalfovo" <[email protected]> wrote:
> Good afternoon everyone...
>
> I have NAT-T enabled and PFS disabled. Working 100%.
>
> 2012/10/23 Fernando Henrique Neves <[email protected]>
>
>> Is the ASA the one that initiates the connection?
>> Is PFS enabled or disabled? I have a client that uses a Cisco / pfSense VPN and it works perfectly too.
>> On 22/10/2012 21:59, "Diego Riera" <[email protected]> wrote:
>>
>>> So I cannot enable NAT-T to bring up the VPN with the ASA, is that it?
>>>
>>> 2012/10/22 Diogo Dalfovo <[email protected]>
>>>
>>>> Good evening everyone...
>>>>
>>>> Felipe, pfSense does do IPsec VPN with the ASA.
>>>>
>>>> http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_a_Cisco_PIX
>>>> http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
>>>>
>>>> I have this set up for a few clients and so far it is working wonderfully well, using NAT-T.
>>>>
>>>> Diogo Dalfovo
>>>>
>>>> 2012/10/22 Felipe Lima <[email protected]>
>>>>
>>>>> pfSense does not do NAT on IPsec.
>>>>> On 22/10/2012 18:58, "Diego Riera" <[email protected]> wrote:
>>>>>
>>>>>> Guys,
>>>>>>
>>>>>> I am having trouble bringing up an L2L VPN with a Cisco ASA. The company on the other side says the configs are OK on their end; I do not know what else to do. Can anyone help?
>>>>>>
>>>>>> I have already searched for this NO-PROPOSAL-CHOSEN error, but it did not help much.
>>>>>>
>>>>>> Log after disabling NAT-T:
>>>>>>
>>>>>> Oct 22 19:49:56 racoon: [ULTRA]: INFO: ISAKMP-SA deleted 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
>>>>>> Oct 22 19:49:56 racoon: [ULTRA]: INFO: ISAKMP-SA expired 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
>>>>>> Oct 22 19:49:56 racoon: [ULTRA]: [177.67.61.249] ERROR: error message: ''.
>>>>>> Oct 22 19:49:56 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
>>>>>> Oct 22 19:49:56 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
>>>>>> Oct 22 19:49:55 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[500]-177.67.61.249[500] spi:a89a260a3be94d4c:1c54135ec7b931e5
>>>>>> Oct 22 19:49:55 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
>>>>>> Oct 22 19:49:55 racoon: INFO: received Vendor ID: CISCO-UNITY
>>>>>> Oct 22 19:49:55 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
>>>>>> Oct 22 19:49:55 racoon: INFO: begin Identity Protection mode.
>>>>>> Oct 22 19:49:55 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
>>>>>> Oct 22 19:49:55 racoon: [ULTRA]: INFO: IPsec-SA request for 177.67.61.249 queued due to no phase1 found.
>>>>>>
>>>>>> Log with NAT-T enabled:
>>>>>>
>>>>>> Oct 22 19:56:24 racoon: [ULTRA]: INFO: KA remove: 189.38.253.92[4500]->177.67.61.249[4500]
>>>>>> Oct 22 19:56:24 racoon: [ULTRA]: INFO: ISAKMP-SA deleted 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
>>>>>> Oct 22 19:56:24 racoon: [ULTRA]: INFO: ISAKMP-SA expired 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
>>>>>> Oct 22 19:56:24 racoon: [ULTRA]: [177.67.61.249] ERROR: error message: 'Y z'.
>>>>>> Oct 22 19:56:24 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
>>>>>> Oct 22 19:56:24 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
>>>>>> Oct 22 19:56:24 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[4500]<=>177.67.61.249[4500]
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
>>>>>> Oct 22 19:56:23 racoon: WARNING: port 4500 expected, but 0
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: INFO: KA list add: 189.38.253.92[4500]->177.67.61.249[4500]
>>>>>> Oct 22 19:56:23 racoon: INFO: NAT detected: ME
>>>>>> Oct 22 19:56:23 racoon: INFO: NAT-D payload #1 verified
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: [177.67.61.249] INFO: Hashing 177.67.61.249[500] with algo #2
>>>>>> Oct 22 19:56:23 racoon: INFO: NAT-D payload #0 doesn't match
>>>>>> Oct 22 19:56:23 racoon: [Self]: [189.38.253.92] INFO: Hashing 189.38.253.92[500] with algo #2
>>>>>> Oct 22 19:56:23 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
>>>>>> Oct 22 19:56:23 racoon: INFO: received Vendor ID: CISCO-UNITY
>>>>>> Oct 22 19:56:23 racoon: INFO: Adding remote and local NAT-D payloads.
>>>>>> Oct 22 19:56:23 racoon: [Self]: [189.38.253.92] INFO: Hashing 189.38.253.92[500] with algo #2
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: [177.67.61.249] INFO: Hashing 177.67.61.249[500] with algo #2
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: [177.67.61.249] INFO: Selected NAT-T version: RFC 3947
>>>>>> Oct 22 19:56:23 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
>>>>>> Oct 22 19:56:23 racoon: INFO: received Vendor ID: RFC 3947
>>>>>> Oct 22 19:56:23 racoon: INFO: begin Identity Protection mode.
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: INFO: initiate new phase 1 negotiation: 189.38.253.92[500]<=>177.67.61.249[500]
>>>>>> Oct 22 19:56:23 racoon: [ULTRA]: INFO: IPsec-SA request for 177.67.61.249 queued due to no phase1 found.
>>>>>> Oct 22 19:56:22 racoon: INFO: unsupported PF_KEY message REGISTER
>>>>>> Oct 22 19:56:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.254.0/24[0] 192.168.56.8/29[0] proto=any dir=out
>>>>>> Oct 22 19:56:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.56.8/29[0] 192.168.254.0/24[0] proto=any dir=in
>>>>>> Oct 22 19:56:22 racoon: ERROR: no iph2 found: ESP 177.67.61.249[500]->189.38.253.92[500] spi=263611198(0xfb6633e)
>>>>>> Oct 22 19:56:22 racoon: INFO: unsupported PF_KEY message REGISTER
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Diego Riera
>>>>>>
>>>>>> [email protected]
>>>>>>
>>>>>> 55 (11) 8218-9285
_______________________________________________
Pfsense-pt mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/pfsense-pt
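To make the racoon output above easier to read at a glance, here is a small triage script added to this thread (it is not pfSense or racoon code and not from any poster). It parses a constructed subset of the NAT-T-enabled log quoted above, in chronological order, and reports which side racoon decided is behind NAT, which ports phase 1 and phase 2 ran on, whether it switched to UDP encapsulation, and which notification the peer sent back.

```python
import re

# Constructed sample: a subset of the racoon lines quoted in the thread, oldest first.
SAMPLE_LOG = """\
Oct 22 19:56:23 racoon: INFO: NAT-D payload #0 doesn't match
Oct 22 19:56:23 racoon: INFO: NAT-D payload #1 verified
Oct 22 19:56:23 racoon: INFO: NAT detected: ME
Oct 22 19:56:23 racoon: [ULTRA]: INFO: ISAKMP-SA established 189.38.253.92[4500]-177.67.61.249[4500] spi:499b069dd9304961:d23888b8d62d2786
Oct 22 19:56:24 racoon: [ULTRA]: INFO: initiate new phase 2 negotiation: 189.38.253.92[4500]<=>177.67.61.249[4500]
Oct 22 19:56:24 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Oct 22 19:56:24 racoon: [ULTRA]: [177.67.61.249] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
"""

# "local[port]-remote[port]" (ISAKMP-SA lines) or "local[port]<=>remote[port]" (phase lines)
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\](?:<=>|-)(\d+\.\d+\.\d+\.\d+)\[(\d+)\]")
NOTIFY_RE = re.compile(r"notification (\S+) received")


def triage(log_text):
    """Summarise one racoon IKE negotiation from its log lines."""
    summary = {
        "nat_detected": None,   # side racoon believes is behind NAT: "ME", "PEER", ...
        "phase1_ports": None,   # (local, remote) ports of the established ISAKMP-SA
        "phase2_ports": None,   # (local, remote) ports phase 2 was attempted on
        "udp_encap": False,     # racoon switched ESP to UDP encapsulation
        "notifications": [],    # error notifications received from the peer
    }
    for line in log_text.splitlines():
        if "NAT detected:" in line:
            summary["nat_detected"] = line.rsplit(":", 1)[1].strip()
        elif "ISAKMP-SA established" in line or "phase 2 negotiation" in line:
            m = PEER_RE.search(line)
            if m:
                key = "phase1_ports" if "ISAKMP-SA" in line else "phase2_ports"
                summary[key] = (int(m.group(2)), int(m.group(4)))
        elif "UDP encapsulation" in line:
            summary["udp_encap"] = True
        else:
            m = NOTIFY_RE.search(line)
            if m:
                summary["notifications"].append(m.group(1))
    return summary


def findings(summary):
    """Turn the summary into the points worth checking against the peer's config."""
    out = []
    if summary["nat_detected"]:
        out.append(f"NAT-D mismatch: racoon thinks side '{summary['nat_detected']}' is behind NAT, "
                   f"IKE ran on ports {summary['phase1_ports']}")
    if summary["udp_encap"]:
        out.append("phase 2 proposed UDP-encapsulated ESP; the peer must accept that encapsulation")
    if "NO-PROPOSAL-CHOSEN" in summary["notifications"]:
        out.append("peer rejected the phase 2 proposal: compare phase 2 transforms and PFS on both ends")
    return out
```

Run `findings(triage(SAMPLE_LOG))` to get the three checklist items for the log in this thread; feeding it the NAT-T-disabled log yields no NAT finding and ports (500, 500).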
