VPN ROADWARRIOR IPCOP 1.4B6 avec auht par certificat ?

[J_R]

Bonsoir,
Voici plusieurs jours que je veux mettre en place un reseau vpn sur ipcop 1.4B6 avec mon portable wifi.
sur xp sp1(tous les patch nécessaires pour ipsec à jour)
toute la configuration réseaux est ok (green,red,orange,blue).
je ne peux toujours pas me connecter, car j'ai les messages suivants:

packet from 192.168.2.20:500: initial Main Mode message received on 82.67.X.X:500 but no connection has been authorized with policy=RSASIG2:01:08 pluto[7655] packet from 192.168.2.20:500: received and ignored informational message
22:01:08 pluto[7655] packet from 192.168.2.20:500: ignoring Delete SA payload: not encrypted
22:01:02 pluto[7655] added connection description "toshiba"
22:01:02 pluto[7655] loaded host cert file '/var/ipcop/certs/toshibacert.pem' (1614 bytes)
22:01:02 pluto[7655] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1623 bytes)
22:01:02 pluto[7655] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
22:01:02 pluto[7655] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
22:01:02 pluto[7655] "toshiba": deleting connection
22:01:01 pluto[7655] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
22:01:01 pluto[7655] loading secrets from "/etc/ipsec.secrets"
22:01:01 pluto[7655] forgetting secrets

les fichiers de config sont ceux de base sans modif voir les fichiers sur le post suivant

[J_R]

config setup
interfaces="%defaultroute ipsec1=eth1"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/255.255.255.0,%v4:!192.168.3.0/255.255.255.0,%v4:!192.168.2.0/255.255.255.0

conn %default
keyingtries=0
disablearrivalcheck=no

conn toshiba
left=ipcop.host.net
leftnexthop=%defaultroute
leftsubnet=192.168.1.0/255.255.255.0
leftcert=/var/ipcop/certs/hostcert.pem
right=%any
rightsubnet=vhost:%no,%priv
rightcert=/var/ipcop/certs/toshibacert.pem
ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
ikelifetime=1h
keylife=8h
dpddelay=30
dpdtimeout=120
dpdaction=clear
authby=rsasig
auto=add

[J_R]

le fichier ipsec.conf sur le portable xp
(import des certificats ok,le vpn dans les strategies mmc se monte bien)

conn toshiba
left=%any
right=82.67.X.X
rightsubnet=192.168.1.0/24
rightca='C=FR, S=Iles De France, L=Noisy Le Grand, O=Secure www.host.net, OU=Technologie, CN=Secure www.host.net CA, E=test@host.net'
network=auto
auto=start
pfs=yes

j'ai l'impression que le probleme pourrait venir du message d'erreur sur le certificat, ce message apparait lorsque j'enregistre les modifs sur la page vpn de ipcop, voir post suivant concernant le lancement du vpn. Mais même sans passer par les certificats j'ai le même souci.
Au secours !!!

[J_R]

voici les logs lorsque je clique sur enregistrer dans la partie graphique de ipcop 1.4 B6

22:17:32 pluto[8793] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
22:17:32 pluto[8793] loading secrets from "/etc/ipsec.secrets"
22:17:32 pluto[8793] adding interface ipsec1/eth1 192.168.2.10:4500
22:17:32 pluto[8793] adding interface ipsec1/eth1 192.168.2.10
22:17:32 pluto[8793] adding interface ipsec0/eth3 82.67.X.X:4500
22:17:32 pluto[8793] adding interface ipsec0/eth3 82.67.X.X
22:17:32 pluto[8793] listening for IKE messages
22:17:32 pluto[8793] added connection description "compaq"
22:17:32 pluto[8793] loaded host cert file '/var/ipcop/certs/compaqcert.pem' (1610 bytes)
22:17:32 pluto[8793] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1623 bytes)
22:17:32 pluto[8793] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
22:17:32 pluto[8793] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
22:17:32 pluto[8793] added connection description "toshiba"
22:17:32 pluto[8793] loaded host cert file '/var/ipcop/certs/toshibacert.pem' (1614 bytes)
22:17:32 pluto[8793] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1623 bytes)
22:17:32 pluto[8793] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
22:17:32 pluto[8793] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
22:17:31 pluto[8793] Loaded my OpenPGP certificate file '/etc/pgpcert.pgp' (922 bytes)
22:17:31 pluto[8793] loaded crl file 'cacrl.pem' (755 bytes)
22:17:31 pluto[8793] Changing to directory '/etc/ipsec.d/crls'
22:17:31 pluto[8793] loaded cacert file 'cacert.pem' (1834 bytes)
22:17:31 pluto[8793] error in X.509 certificate
22:17:31 pluto[8793] loaded cacert file 'cakey.pem' (1675 bytes)
22:17:31 ipsec_setup ...Openswan IPsec started
22:17:31 pluto[8793] Changing to directory '/etc/ipsec.d/cacerts'
22:17:31 pluto[8793] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
22:17:31 pluto[8793] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
22:17:31 pluto[8793] including NAT-Traversal patch (Version 0.6)
22:17:31 pluto[8793] including X.509 patch with traffic selectors (Version 0.9.41)
22:17:31 pluto[8793]

[J_R]

Bonsoir,
Je reviens pour faire le point concernant la connexion VPN nomade avec ipcop 1.4B6.
Le souci demeure sur le certifivat x509 de Ipcop. La connexion avec le mot de passe fonctionne tres bien (sans modifier les fichiers ipsec.conf, tous se fait sur l'interface graphique. Le ping et les connexions sur les services (tels que ssh à partir de l'adresse privé Ok) La connexion est ouverte quand les connexions sont établies.

Ipcop 1.4B7
connexion par mot de passe ok
Pour la connexion avec certificat toujours nok mais je note une tres grande progression, puisque les connexions avec le port udp 500 sont ok. ci-joint les logs:

21:09:28 pluto[1387] "TOSHIBA"[2] 192.168.2.20: deleting connection "TOSHIBA" instance with peer 192.168.2.20
21:09:28 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: max number of retransmissions (2) reached STATE_MAIN_R2
21:08:40 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
21:08:18 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
21:08:18 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
21:08:18 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
21:08:18 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: transition from state (null) to state STATE_MAIN_R1
21:08:18 pluto[1387] "TOSHIBA"[2] 192.168.2.20 #4: responding to Main Mode from unknown peer 192.168.2.20
21:08:18 pluto[1387] packet from 192.168.2.20:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
21:08:18 pluto[1387] packet from 192.168.2.20:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
21:08:18 pluto[1387] packet from 192.168.2.20:500: ignoring Vendor ID payload [FRAGMENTATION]
21:08:18 pluto[1387] packet from 192.168.2.20:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
21:07:11 pluto[1387] buffer space exhausted in alg_info_snprint_ike(), buflen=-9
21:06:52 pluto[1387] "TOSHIBA"[1] 192.168.2.20: deleting connection "TOSHIBA" instance with peer 192.168.2.20
21:06:52 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: max number of retransmissions (2) reached STATE_MAIN_R2
21:05:53 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
21:05:42 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
21:05:42 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
21:05:42 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
21:05:42 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: transition from state (null) to state STATE_MAIN_R1
21:05:42 pluto[1387] "TOSHIBA"[1] 192.168.2.20 #3: responding to Main Mode from unknown peer 192.168.2.20

[J_R]

Ipcop 1.4B09 VPN NOK, tant par certificat x509 ou par PSK, toujours avec l'erreur acces refuse sur le port 500, je reste sur la B08 en attendant mieux puisque ça fonctionne bien avec le mot de passe partagé.