Jump to content
Калькуляторы

pfsense 2.3 l2tp ipsec mobile clients

Доброго дня. Обращаюсь к Вам за помощью. Чтение WiKi, мануалов на протяжении недели не помогло. Вы моя последняя надежда в понимании происходящего.

Пытаюсь настроить VPN подключение l2tp ipsec для уделенных сотрудников(mobile clients).

Настройка производится на pfsense 2.3.3-RELEASE.

Клиентом выступает Windows 10.

 

Лог ipsec:

Mar 17 10:01:30 charon 07[NET] <8> received packet: from 194.1.156.30[500] to 178.70.69.71[500] (408 bytes)

Mar 17 10:01:30 charon 07[ENC] <8> parsed ID_PROT request 0 [ SA V V V V V V V V ]

Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01

Mar 17 10:01:30 charon 07[iKE] <8> received MS NT5 ISAKMPOAKLEY vendor ID

Mar 17 10:01:30 charon 07[iKE] <8> received NAT-T (RFC 3947) vendor ID

Mar 17 10:01:30 charon 07[iKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

Mar 17 10:01:30 charon 07[iKE] <8> received FRAGMENTATION vendor ID

Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20

Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19

Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52

Mar 17 10:01:30 charon 07[iKE] <8> 194.1.156.30 is initiating a Main Mode IKE_SA

Mar 17 10:01:30 charon 07[ENC] <8> generating ID_PROT response 0 [ SA V V V V ]

Mar 17 10:01:30 charon 07[NET] <8> sending packet: from 178.70.69.71[500] to 194.1.156.30[500] (160 bytes)

Mar 17 10:01:30 charon 06[NET] <8> received packet: from 194.1.156.30[500] to 178.70.69.71[500] (388 bytes)

Mar 17 10:01:30 charon 06[ENC] <8> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]

Mar 17 10:01:30 charon 06[iKE] <8> remote host is behind NAT

Mar 17 10:01:30 charon 06[ENC] <8> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]

Mar 17 10:01:30 charon 06[NET] <8> sending packet: from 178.70.69.71[500] to 194.1.156.30[500] (372 bytes)

Mar 17 10:01:30 charon 06[NET] <8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (76 bytes)

Mar 17 10:01:30 charon 06[ENC] <8> parsed ID_PROT request 0 [ ID HASH ]

Mar 17 10:01:30 charon 06[CFG] <8> looking for pre-shared key peer configs matching 178.70.69.71...194.1.156.30[192.168.5.130]

Mar 17 10:01:30 charon 06[CFG] <8> selected peer config "con1"

Mar 17 10:01:30 charon 06[iKE] <con1|8> IKE_SA con1[8] established between 178.70.69.71[178.70.69.71]...194.1.156.30[192.168.5.130]

Mar 17 10:01:30 charon 06[iKE] <con1|8> scheduling reauthentication in 28258s

Mar 17 10:01:30 charon 06[iKE] <con1|8> maximum IKE_SA lifetime 28798s

Mar 17 10:01:30 charon 06[iKE] <con1|8> DPD not supported by peer, disabled

Mar 17 10:01:30 charon 06[ENC] <con1|8> generating ID_PROT response 0 [ ID HASH ]

Mar 17 10:01:30 charon 06[NET] <con1|8> sending packet: from 178.70.69.71[4500] to 194.1.156.30[4500] (76 bytes)

Mar 17 10:01:30 charon 11[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (444 bytes)

Mar 17 10:01:30 charon 11[ENC] <con1|8> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]

Mar 17 10:01:30 charon 11[iKE] <con1|8> received 250000000 lifebytes, configured 0

Mar 17 10:01:30 charon 11[ENC] <con1|8> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]

Mar 17 10:01:30 charon 11[NET] <con1|8> sending packet: from 178.70.69.71[4500] to 194.1.156.30[4500] (204 bytes)

Mar 17 10:01:30 charon 11[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (60 bytes)

Mar 17 10:01:30 charon 11[ENC] <con1|8> parsed QUICK_MODE request 1 [ HASH ]

Mar 17 10:01:30 charon 11[iKE] <con1|8> CHILD_SA con1{3} established with SPIs cc9595da_i 34d6240a_o and TS 178.70.69.71/32|/0[udp/l2f] === 194.1.156.30/32|/0[udp/l2f]

Mar 17 10:02:06 charon 08[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (76 bytes)

Mar 17 10:02:06 charon 08[ENC] <con1|8> parsed INFORMATIONAL_V1 request 3625319790 [ HASH D ]

Mar 17 10:02:06 charon 08[iKE] <con1|8> received DELETE for ESP CHILD_SA with SPI 34d6240a

Mar 17 10:02:06 charon 08[iKE] <con1|8> closing CHILD_SA con1{3} with SPIs cc9595da_i (876 bytes) 34d6240a_o (0 bytes) and TS 178.70.69.71/32|/0[udp/l2f] === 194.1.156.30/32|/0[udp/l2f]

Mar 17 10:02:06 charon 13[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (92 bytes)

Mar 17 10:02:06 charon 13[ENC] <con1|8> parsed INFORMATIONAL_V1 request 1181827563 [ HASH D ]

Mar 17 10:02:06 charon 13[iKE] <con1|8> received DELETE for IKE_SA con1[8]

Mar 17 10:02:06 charon 13[iKE] <con1|8> deleting IKE_SA con1[8] between 178.70.69.71[178.70.69.71]...194.1.156.30[192.168.5.130]

 

Просьба не ругать сильно. Пытаюсь разобраться и понять принцип работы. Хочется научиться.

По возможности объясните пожалуйста в чем я не прав. Спасибо за понимание.

post-140989-031752100 1489734341_thumb.png

post-140989-092461400 1489734344_thumb.png

Share this post


Link to post
Share on other sites

При попытках подключения клиентов в Status IPsec Overview отображается информация (см вложенный скрин). Я так понимаю pfsense по какой-то причине не хочет отправлять информацию клиенту.

post-140989-096865700 1489735058_thumb.png

Share this post


Link to post
Share on other sites

Мобильные операторы очень часто фильтруют GRE и ESP. Поэтому это вечная боль.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this