VPN : cannot respond to IPsec SA request ...

[nl]

Hello, <BR> <BR>Désolé, mais j'ai cherché sur google et sur ixus, rien trouvé qui pourrait m'aider. <BR> <BR>Message d'erreur : <BR>"cannot respond to IPsec SA request because no connection is known for " <BR> <BR>Normalement ce message apparait lorsque le sous-réseau est faux, mais j'ai déjà controlé et si je change ma config, je perd l'interface ipsecN. <BR> <BR>Ma config est un peu particulière car j'ai 2 ipcop 1.3 fix 8 derrière des nat, donc je n'ai pas une configuration ipsec.conf symétrique. <BR> <BR>J'ai dû activer nat_traversal=yes dans ipsec.conf, de même que pfs=no et utiliser rsa. <BR> <BR>Mes deux nat supportent le vpn-passthrought. <BR> <BR> <BR>Est-ce que quelqu'un aurait une solution ? Ca fait des mois que j'essaye de mettre en place ce vpn <IMG SRC="images/smiles/icon_bawling.gif"> <BR> <BR> <BR> <BR>################################### <BR>########## Architecture réseau : <BR>################################### <BR> <BR>Local : Left : LAN 1 <BR>/ Lan 1 / / Ipcop 1.3 fix 8 / / Modem ADSL Zyxel Prestige 642ME / <BR>10.0.0.0/24 --> 10.0.0.100 / 192.168.1.2 --> 192.168.1.1 / ip_dynamique ( <!-- BBcode auto-mailto start --><a href="mailto:lan1@dyndns.org)">lan1@dyndns.org)</a><!-- BBCode auto-mailto end --> --> INTERNET <BR> <BR>Remote : Right : LAN 2 <BR>/ Lan 2 / / Ipcop 1.3 fix 8 / / modem ADSL RNIS Cayman 3351 - Netopia / <BR>10.0.1.0/24 --> 10.0.1.100 / 192.168.2.2 --> 192.168.2.1 / ip_dynamique ( <!-- BBcode auto-mailto start --><a href="mailto:lan2@dyndns.org)">lan2@dyndns.org)</a><!-- BBCode auto-mailto end --> --> INTERNET <BR> <BR> <BR>################################### <BR>################# /ipsec.conf côté lan 2 <BR>################################### <BR> <BR>conn MGI <BR> left=192.168.2.2 <BR> compress=no <BR> leftsubnet=10.0.1.0/24 <BR> leftnexthop=192.168.2.1 <BR> right=lan1.dyndns.org <BR> rightsubnet=10.0.0.0/24 <BR> rightnexthop=192.168.1.2 <BR> auto=start <BR> authby=rsasig <BR> leftid=@lan2.dyndns.org <BR> rightid=@lan1.dyndns.org <BR> rightrsasigkey=0sA1.... <BR> leftrsasigkey=0sA2.... <BR> pfs=no <BR> <BR> <BR>################################### <BR>################# /ipsec.conf côté lan 1 <BR>################################### <BR> <BR>conn MGI <BR> left=192.168.1.2 <BR> compress=no <BR> leftsubnet=10.0.1.0/24 <BR> leftnexthop=192.168.1.1 <BR> right=lan2.dyndns.org <BR> rightsubnet=10.0.1.0/24 <BR> rightnexthop=192.168.2.2 <BR> auto=start <BR> authby=rsasig <BR> leftid=@lan1.dyndns.org <BR> rightid=@lan2.dyndns.org <BR> leftrsasigkey=0sA2...... <BR> rightrsasigkey=0sA1..... <BR> <BR> <BR>################################### <BR>################# /var/logs/secure <BR>################################### <BR> <BR> <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99_kb2c) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: including X.509 patch (Version 0.9.15) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: including NAT-Traversal patch (Version 0.5a) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_enc: Activating OAKLEY_CAST_CBC: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_enc: Activating OAKLEY_SERPENT_CBC: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0) <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: Changing to directory '/etc/ipsec.d/cacerts' <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: Warning: empty directory <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: Changing to directory '/etc/ipsec.d/crls' <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: Warning: empty directory <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: could not open my default X.509 cert file '/etc/x509cert.der' <BR>Mar 16 15:29:31 VPN-Chatel pluto[18797]: OpenPGP certificate file '/etc/pgpcert.pgp' not found <BR>Mar 16 15:29:33 VPN-Chatel pluto[18797]: | from whack: got --esp=3des <BR>Mar 16 15:29:33 VPN-Chatel pluto[18797]: | from whack: got --ike=3des <BR>Mar 16 15:29:33 VPN-Chatel pluto[18797]: added connection description "MGI" <BR>Mar 16 15:29:34 VPN-Chatel pluto[18797]: listening for IKE messages <BR>Mar 16 15:29:34 VPN-Chatel pluto[18797]: adding interface ipsec0/eth1 192.168.1.2 <BR>Mar 16 15:29:34 VPN-Chatel pluto[18797]: adding interface ipsec0/eth1 192.168.1.2:4500 <BR>Mar 16 15:29:34 VPN-Chatel pluto[18797]: loading secrets from "/etc/ipsec.secrets" <BR>Mar 16 15:29:34 VPN-Chatel pluto[18797]: "MGI" #1: initiating Main Mode <BR>Mar 16 15:29:41 VPN-Chatel pluto[18797]: packet from 83.76.118.40:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] <BR>Mar 16 15:29:41 VPN-Chatel pluto[18797]: packet from 83.76.118.40:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] <BR>Mar 16 15:29:41 VPN-Chatel pluto[18797]: packet from 83.76.118.40:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] <BR>Mar 16 15:29:41 VPN-Chatel pluto[18797]: "MGI" #2: responding to Main Mode <BR>Mar 16 15:29:42 VPN-Chatel pluto[18797]: "MGI" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed <BR>Mar 16 15:29:42 VPN-Chatel pluto[18797]: "MGI" #2: Peer ID is ID_FQDN: '@lan2.dyndns.org' <BR>Mar 16 15:29:42 VPN-Chatel pluto[18797]: | NAT-T: new mapping 83.76.118.40:500/4500) <BR>Mar 16 15:29:42 VPN-Chatel pluto[18797]: "MGI" #2: sent MR3, ISAKMP SA established <BR>Mar 16 15:29:42 VPN-Chatel pluto[18797]: "MGI" #2: cannot respond to IPsec SA request because no connection is known for 10.0.0.0/24===192.168.1.2:4500[@lan1.dyndns.org]...83.76.118.40:4500[@lan2.dyndns.org]===10.0.1.0/24 <BR>Mar 16 15:29:42 VPN-Chatel pluto[18797]: "MGI" #2: sending encrypted notification INVALID_ID_INFORMATION to 83.76.118.40:4500 <BR>Mar 16 15:29:52 VPN-Chatel pluto[18797]: "MGI" #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc9851615 (perhaps this is a duplicated packet) <BR>Mar 16 15:29:52 VPN-Chatel pluto[18797]: "MGI" #2: sending encrypted notification INVALID_MESSAGE_ID to 83.76.118.40:4500 <BR>

[milo_guy]

a mon humble avis je crois que tu devrais essaye d'inverser dans un des deux fichier de conf le cote de la connection : <BR>le left doit etre le left dans les deux connections , c'est pareil pour le right. <BR> <BR>en esperant que cela puisse t'aider. <BR> <BR>@micalement <IMG SRC="images/smiles/icon_biggrin.gif">

[nl]

oh, tu sais, j'ai essayer à peu près toutes les configurations possibles, mais je t'assure que celle-la est la bonne (en tout cas au niveau du left /right). <BR> <BR>C'est le seul moyen de faire comprendre au vpn de traverser les nat. <BR>De plus, ISAKMP SA established est la preuve que les 2 ipcops communiquent correctement. <BR> <BR>A mon avis, il faut que je regarde du côté des nats, j'ai entendu dire que l'on ne pouvais pas faire du vpn-passthrought sur 2 sites, mais uniquement sur 1 des côté du vpn.