IPCop-to-IPCop VPN reconnection problem

Forum about the up-and-coming secure distribution called IPCop, based on the Smoothwall distribution. It is currently the most active forum on the site.

Moderator: Ixus mods


Post by jipechibi » 06 Jul 2009 17:40

Hello,

General information:

IPCOP 1.4.21
RED+GREEN configuration
ISP: ORANGE

I have a few problems with the VPN reconnection between two remote IPCops.

When the internet connection "drops" for various reasons and then comes back, the VPN connection between the two sites stays closed. I have to restart the VPN connection manually (restart arrow) to finally get the OPEN status.

I installed the reconnection script from the wiki; the script works, but the connection stays closed without any action on my part.

Log:


16:56:02 ipsec_setup ...Openswan IPsec stopped
16:56:02 ipsec_setup ipsec: Device or resource busy
16:56:02 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
16:56:01 pluto[23937] shutting down interface ipsec0/ppp0 86.193.170.238
16:56:01 pluto[23937] shutting down interface ipsec0/ppp0 86.193.170.238
16:56:01 pluto[23937] "XXX3631" #2: deleting state (STATE_MAIN_R3)
16:56:01 pluto[23937] "XXX3631" #1: deleting state (STATE_MAIN_I4)
16:56:01 pluto[23937] "XXX3631" #3: deleting state (STATE_QUICK_R2)
16:56:01 pluto[23937] "XXX3631" #4: deleting state (STATE_QUICK_I2)
16:56:01 pluto[23937] "XXX3631" #5: deleting state (STATE_QUICK_I2)
16:56:01 pluto[23937] "XXX3631": deleting connection
16:56:01 pluto[23937] forgetting secrets
16:56:01 pluto[23937] shutting down
16:56:01 ipsec_setup Stopping Openswan IPsec...
16:49:42 ipsec__plutorun 004 "XXX3631" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
16:49:42 ipsec__plutorun 122 "XXX3631" #5: STATE_QUICK_I1: initiate
16:49:42 ipsec__plutorun 004 "XXX3631" #1: STATE_MAIN_I4: ISAKMP SA established
16:49:42 ipsec__plutorun 108 "XXX3631" #1: STATE_MAIN_I3: sent MI3, expecting MR3
16:49:42 ipsec__plutorun 003 "XXX3631" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
16:49:42 ipsec__plutorun 106 "XXX3631" #1: STATE_MAIN_I2: sent MI2, expecting MR2
16:49:42 ipsec__plutorun 003 "XXX3631" #1: received Vendor ID payload [Dead Peer Detection]
16:49:42 ipsec__plutorun 003 "XXX3631" #1: received Vendor ID payload [RFC 3947]
16:49:42 ipsec__plutorun 010 "XXX3631" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
16:49:42 ipsec__plutorun 010 "XXX3631" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
16:49:42 ipsec__plutorun 104 "XXX3631" #1: STATE_MAIN_I1: initiate
16:49:42 pluto[23937] "XXX3631" #5: sent QI2, IPsec SA established
16:49:42 pluto[23937] "XXX3631" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
16:49:42 pluto[23937] "XXX3631" #5: Dead Peer Detection (RFC3706) enabled
16:49:42 pluto[23937] "XXX3631" #4: sent QI2, IPsec SA established
16:49:42 pluto[23937] "XXX3631" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
16:49:42 pluto[23937] "XXX3631" #4: Dead Peer Detection (RFC3706) enabled
16:49:42 pluto[23937] "XXX3631" #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
16:49:42 pluto[23937] "XXX3631" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
16:49:42 pluto[23937] "XXX3631" #1: ISAKMP SA established
16:49:42 pluto[23937] "XXX3631" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
16:49:42 pluto[23937] "XXX3631" #1: Issuer CRL not found
16:49:42 pluto[23937] "XXX3631" #1: Issuer CRL not found
16:49:42 pluto[23937] "XXX3631" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, O=XXX3631, CN=XXX3631.zapto.org'
16:49:42 pluto[23937] "XXX3631" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
16:49:42 pluto[23937] "XXX3631" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
16:49:41 pluto[23937] "XXX3631" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
16:49:41 pluto[23937] "XXX3631" #1: received Vendor ID payload [Dead Peer Detection]
16:49:41 pluto[23937] "XXX3631" #1: received Vendor ID payload [RFC 3947]
16:49:33 pluto[23937] "XXX3631" #3: IPsec SA established
16:49:33 pluto[23937] "XXX3631" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
16:49:33 pluto[23937] "XXX3631" #3: Dead Peer Detection (RFC3706) enabled
16:49:33 pluto[23937] "XXX3631" #3: transition from state (null) to state STATE_QUICK_R1
16:49:33 pluto[23937] "XXX3631" #3: responding to Quick Mode
16:49:33 pluto[23937] "XXX3631" #2: sent MR3, ISAKMP SA established
16:49:33 pluto[23937] "XXX3631" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
16:49:33 pluto[23937] "XXX3631" #2: Issuer CRL not found
16:49:33 pluto[23937] "XXX3631" #2: Issuer CRL not found
16:49:33 pluto[23937] "XXX3631" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, O=XXX3631, CN=XXX3631.zapto.org'
16:49:33 pluto[23937] "XXX3631" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
16:49:33 pluto[23937] "XXX3631" #2: NAT-Traversal: Result using RFC 3947: no NAT detected
16:49:33 pluto[23937] "XXX3631" #2: transition from state (null) to state STATE_MAIN_R1
16:49:33 pluto[23937] "XXX3631" #2: responding to Main Mode
16:49:33 pluto[23937] packet from 193.251.64.143:500: received Vendor ID payload [Dead Peer Detection]
16:49:33 pluto[23937] packet from 193.251.64.143:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
16:49:33 pluto[23937] packet from 193.251.64.143:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
16:49:33 pluto[23937] packet from 193.251.64.143:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
16:49:33 pluto[23937] packet from 193.251.64.143:500: received Vendor ID payload [RFC 3947]
16:49:11 pluto[23937] "XXX3631" #1: initiating Main Mode
16:49:11 pluto[23937] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
16:49:11 pluto[23937] loading secrets from "/etc/ipsec.secrets"
16:49:11 pluto[23937] adding interface ipsec0/ppp0 86.193.170.238:4500
16:49:11 pluto[23937] adding interface ipsec0/ppp0 86.193.170.238
16:49:11 pluto[23937] listening for IKE messages
16:49:11 pluto[23937] added connection description "XXX3631"
16:49:11 pluto[23937] loaded host cert file '/var/ipcop/certs/XXX3631cert.pem' (1155 bytes)
16:49:11 pluto[23937] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1155 bytes)
16:49:11 pluto[23937] | from whack: got --ike=aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp1536,aes256-md5-modp1024,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024!
16:49:11 pluto[23937] | from whack: got --esp=aes256-sha1,aes256-md5,aes128-sha1,aes128-md5!
16:49:07 vpn-watch 'XXX3631': start watching 193.251.64.143
16:49:07 pluto[23937] OpenPGP certificate file '/etc/pgpcert.pgp' not found
16:49:07 pluto[23937] loaded crl file 'cacrl.pem' (564 bytes)
16:49:07 pluto[23937] Changing to directory '/etc/ipsec.d/crls'
16:49:07 pluto[23937] loaded cacert file 'cacert.pem' (1277 bytes)
16:49:07 pluto[23937] loaded cacert file 'XXX3631cert.pem' (1277 bytes)
16:49:07 pluto[23937] Changing to directory '/etc/ipsec.d/cacerts'
16:49:07 ipsec_setup ...Openswan IPsec started
16:49:07 pluto[23937] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
16:49:07 pluto[23937] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
16:49:07 pluto[23937] including NAT-Traversal patch (Version 0.6)
16:49:07 pluto[23937] including X.509 patch with traffic selectors (Version 0.9.42)
16:49:07 pluto[23937] Starting Pluto (Openswan Version 1.0.10)
16:49:07 ipsec__plutorun Starting Pluto subsystem...
16:49:07 ipsec_setup KLIPS ipsec0 on ppp0 86.193.170.238/255.255.255.255 pointopoint 193.253.160.3
16:49:07 ipsec_setup KLIPS debug `none'
16:49:07 ipsec_setup Starting Openswan IPsec 1.0.10...

Thanks for your help.
jipechibi
Seaman
Posts: 7
Joined: 08 Dec 2008 10:13

Post by jipechibi » 06 Jul 2009 18:05

Addendum:

I get this message on the other IPCop:

but no connection has been authorized with policy=RSASIG
jipechibi
Seaman
Posts: 7
Joined: 08 Dec 2008 10:13

Post by Franck78 » 06 Jul 2009 22:29

Do you have one side whose IP changes?

193.251.64.143 <=>

ipsec_setup KLIPS ipsec0 on ppp0 86.193.170.238/255.255.255.255 pointopoint 193.253.160.3

probably your dyndns not being updated quickly enough

Read this comment on the VPN config page carefully:
If necessary, this delay allows Dynamic DNS changes to propagate. 60 is a common delay when RED has a dynamic IP.
Franck
The art of asking a question on this site in order to get the answer
MUST READ
Franck78
Admiral
Posts: 5625
Joined: 20 Feb 2004 01:00
Location: Paris
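An added example, not from the thread or from IPCop: a small parser over the pluto log format quoted in the first post that reports whether the named connection still has an IPsec SA, and whether the peer's IKE packets come from an address other than the one vpn-watch resolved at start (the stale dynamic-DNS symptom Franck78 describes). The sample log and its addresses are constructed placeholders.

```python
import re

# Constructed sample in the format of the IPCop/Openswan log quoted in the thread
# (newest line first, as the IPCop web UI shows it). Addresses are placeholders.
SAMPLE_LOG = """\
16:56:01 pluto[23937] "XXX3631": deleting connection
16:56:01 pluto[23937] "XXX3631" #5: deleting state (STATE_QUICK_I2)
16:56:01 pluto[23937] shutting down interface ipsec0/ppp0 192.0.2.10
16:49:42 pluto[23937] "XXX3631" #5: sent QI2, IPsec SA established
16:49:42 pluto[23937] "XXX3631" #1: ISAKMP SA established
16:49:33 pluto[23937] packet from 198.51.100.7:500: received Vendor ID payload [RFC 3947]
16:49:07 vpn-watch 'XXX3631': start watching 198.51.100.7
"""

# time, source (pid stripped), message
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+?)(?:\[\d+\])? (.*)$")

def parse(log):
    """Split log lines into (time, source, message) and order them oldest first."""
    events = [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]
    events.reverse()                 # IPCop lists newest first
    events.sort(key=lambda e: e[0])  # stable sort keeps order within one second
    return events

def connection_status(log, conn):
    """Summarise what the pluto log says about one named connection.

    up: an IPsec SA was established and not deleted since (ISAKMP alone is not enough).
    watched: peer address vpn-watch resolved from DNS when the tunnel was started.
    seen: addresses the peer's IKE packets actually came from.
    peer_mismatch: the peer talks from an address other than the watched one,
    which is what a dynamic-DNS record that has not propagated yet looks like.
    """
    up, watched, seen = False, None, set()
    for _t, src, msg in parse(log):
        if src == "vpn-watch" and msg.startswith(f"'{conn}'"):
            watched = msg.split()[-1]
        elif msg.startswith("packet from "):
            seen.add(msg.split()[2].split(":")[0])  # strip ':500:' (IPv4 only)
        elif msg.startswith(f'"{conn}"'):
            if msg.endswith("IPsec SA established"):
                up = True
            elif msg.endswith("deleting connection") or "deleting state (STATE_QUICK" in msg:
                up = False
    return {"up": up, "watched": watched, "seen": sorted(seen),
            "peer_mismatch": watched is not None and any(ip != watched for ip in seen)}

if __name__ == "__main__":
    print(connection_status(SAMPLE_LOG, "XXX3631"))
```

Run against a log where the peer's packets arrive from a new address after the line the tunnel was started with, `peer_mismatch` turns true and the restart-with-delay setting discussed above is the thing to check.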

Post by jipechibi » 07 Jul 2009 11:10

Hello,

Thanks for replying.

Indeed, the IP address of both IPCops is dynamic (ISP Orange).

I'm going to configure both IPCops with this 60 s delay; we'll see.
jipechibi
Seaman
Posts: 7
Joined: 08 Dec 2008 10:13

Post by Yull » 12 Jul 2009 22:06

Hello

I tried for months with a dynamic IP, and one day I took the plunge with ZERINA-0.9.7a14 (net2net); it's a beta and I was a bit hesitant to use it in production, but since then I no longer have to do the restart procedure for the reconnection every day; very stable, no problems in 6 months

Regards

Jérôme
Yull
Petty Officer
Posts: 42
Joined: 31 Aug 2006 00:27
