IPSEC: stupid questions!!!


Post by Fred2004 » 26 May 2004 14:32

Hello,

I'm just starting out with IPSEC and I can't connect to my gateway (IPSEC/FIREWALL) from an XP client.
I'm using Freeswan 2.05 on Fedora Core 1, kernel 2.4.26.
When I try to connect I get the message: no connection has been authorized (ipsec barf)
Where could this problem come from?

Thanks for your help!

Fred
Fred2004
Matelot (Seaman)
Posts: 5
Joined: 20 May 2004 11:31

Post by Fesch » 27 May 2004 19:41

The problem could come from anywhere. Have you looked at the multitude of HOWTOs on Google for the implementation?

As for the rest, there are no stupid questions ... only stupid answers!

:P
Why are you reading this???
Fesch
Amiral (Admiral)
Posts: 2505
Joined: 11 Sep 2003 00:00
Location: Luxembourg

IPSEC: no connection is known!!

Post by Fred2004 » 28 May 2004 09:55

Thanks for your reply Fesch. I've read quite a few docs but I haven't managed to get my ipsec working!! ;-(
I'm a bit desperate! There's something I just don't get!

I have a router with a public IP 62.161.75.XXX on the WAN side and a private IP on the LAN side: 193.168.3.254.
This router is plugged into my firewall (disabled while I run the tests): 192.168.3.1 (interface ipsec0)
Then finally we reach my LAN through the eth0 card of my firewall. I set up a port forward from my router to my ipsec0 interface (192.168.3.1).
I followed the help given by Nate Carlson on his site (www.natecarlson.com).
From my XP client, when I try to ping a computer on my LAN (172.16.0.0/16) I first get "Négociation protocole IP" and then "Délais d'attente dépassé".

Here is the error message:

May 27 21:18:17 gandalf ipsec__plutorun: Starting Pluto subsystem...
May 27 21:18:18 gandalf pluto[27976]: Starting Pluto (FreeS/WAN Version 2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
May 27 21:18:18 gandalf pluto[27976]: Using KLIPS IPsec interface code
May 27 21:18:18 gandalf pluto[27976]: Changing to directory '/etc/ipsec.d/cacerts'
May 27 21:18:18 gandalf pluto[27976]: loaded CA cert file 'cacert.pem' (1696 bytes)
May 27 21:18:18 gandalf pluto[27976]: Could not change to directory '/etc/ipsec.d/aacerts'
May 27 21:18:18 gandalf pluto[27976]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 27 21:18:18 gandalf pluto[27976]: Changing to directory '/etc/ipsec.d/crls'
May 27 21:18:18 gandalf pluto[27976]: loaded crl file 'crl.pem' (711 bytes)
May 27 21:18:18 gandalf pluto[27976]: loaded host cert file '/etc/ipsec.d/certs/gandalf.qualiflow.com.pem' (5112 bytes)
May 27 21:18:18 gandalf pluto[27976]: added connection description "roadwarrior"
May 27 21:18:18 gandalf pluto[27976]: loaded host cert file '/etc/ipsec.d/certs/gandalf.qualiflow.com.pem' (5112 bytes)
May 27 21:18:18 gandalf pluto[27976]: added connection description "roadwarrior-net"
May 27 21:18:18 gandalf pluto[27976]: listening for IKE messages
May 27 21:18:18 gandalf pluto[27976]: adding interface ipsec0/eth2 192.168.3.1
May 27 21:18:18 gandalf pluto[27976]: loading secrets from "/etc/ipsec.secrets"
May 27 21:18:18 gandalf pluto[27976]: loaded private key file '/etc/ipsec.d/private/gandalf.qualiflow.com.key' (1743 bytes)
May 27 21:22:58 gandalf pluto[27976]: packet from 80.170.52.59:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[1] 80.170.52.59 #1: responding to Main Mode from unknown peer 80.170.52.59
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[1] 80.170.52.59 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster@XXX.com'
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: deleting connection "roadwarrior" instance with peer 80.170.52.59 {isakmp=#0/ipsec=#0}
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: sent MR3, ISAKMP SA established
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #2: responding to Quick Mode
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #2: IPsec SA established {ESP=>0x18b86252 <0x4a0d5e4d}
May 27 21:23:47 gandalf pluto[27976]: packet from 80.170.52.59:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
May 27 21:23:47 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: responding to Main Mode from unknown peer 80.170.52.59
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster@XXX.com'
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sent MR3, ISAKMP SA established
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: cannot respond to IPsec SA request because no connection is known for 62.161.75.XXX/32===192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster@XXX.com]...80.170.52.59[C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster@XXX.com]
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_ID_INFORMATION to 80.170.52.59:500
May 27 21:23:49 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:49 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:23:51 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:51 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:23:55 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:55 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:24:03 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:24:03 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: received Delete SA(0x18b86252) payload: deleting IPSEC State #2
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: received Delete SA payload: deleting ISAKMP State #3
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59: deleting connection "roadwarrior-net" instance with peer 80.170.52.59 {isakmp=#0/ipsec=#0}
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: received Delete SA payload: deleting ISAKMP State #1
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59: deleting connection "roadwarrior" instance with peer 80.170.52.59 {isakmp=#0/ipsec=#0}


NB: 80.170.52.59 is the IP address of my XP client. This address changes with every connection!
**********************************************************************************
And the ipsec.conf file on my firewall:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm
#
# Note: parameter lines inside a section must be indented; a line that
# starts in column 1 opens a new section (see ipsec.conf.5).

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        interfaces=%defaultroute
        uniqueids=yes
        plutodebug=no

# defaults inherited by every conn below
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# roadwarrior -> LAN behind the gateway (also= must come last in the section)
conn roadwarrior-net
        leftsubnet=172.16.0.0/16
        also=roadwarrior

# roadwarrior -> the gateway itself, any peer address, authenticated by certificate
conn roadwarrior
        right=%any
        left=%defaultroute
        leftcert=gandalf.XXX.com.pem
        auto=add
        pfs=yes

# OE policy groups are disabled by default
conn block
        auto=ignore

conn clear
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn packetdefault
        auto=ignore

# Add connections here.

# sample VPN connection
#sample# conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=%defaultroute
#sample#        leftcert=myCert.pem
#sample#        leftsubnet=172.16.0.0/24
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=10.12.12.1
#sample#        rightid="<Distinguished name of right security gateway>"
#sample#        rightsubnet=192.168.0.0/24
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start


So, if some kind soul could help me out a bit....

Thanks in advance

Fred
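An added example, not code from this post or from FreeS/WAN: it parses the Pluto log lines quoted above and checks the gateway-side selector the XP client asks for in Quick Mode against the selectors that the posted ipsec.conf defines. It assumes left=%defaultroute resolved to 192.168.3.1 (the address Pluto reports for ipsec0) and takes the per-conn selectors from the config as posted; the log lines are copied from the post, with the anonymised XXX octet kept as-is.

```python
import ipaddress
import re

# Constructed sample: two Pluto lines copied from the post, one accepted IPsec SA
# and one refused Quick Mode request (the XXX octet is anonymised on the page).
SAMPLE_LOG = """\
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #2: IPsec SA established {ESP=>0x18b86252 <0x4a0d5e4d}
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: cannot respond to IPsec SA request because no connection is known for 62.161.75.XXX/32===192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster@XXX.com]...80.170.52.59[C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster@XXX.com]
"""
# Pluto prefix: "conn"[instance] peer #state: message  (state is absent on some lines)
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+)(?: #(?P<state>\d+))?: (?P<msg>.*)$')
# Selector pair in the refusal: leftsubnet===lefthost[leftid]...righthost[rightid][===rightsubnet]
SELECTOR_RE = re.compile(
    r'no connection is known for (?P<lsub>\S+?)===(?P<lhost>[\d.]+)\[(?P<lid>[^\]]*)\]'
    r'\.\.\.(?P<rhost>[\d.]+)\[(?P<rid>[^\]]*)\](?:===(?P<rsub>\S+))?')
# Gateway-side selectors implied by the posted ipsec.conf (assumption: left=%defaultroute
# resolved to 192.168.3.1, the address Pluto reports for ipsec0).
CONFIGURED = {
    "roadwarrior": "192.168.3.1/32",     # no leftsubnet: host-to-host with the gateway
    "roadwarrior-net": "172.16.0.0/16",  # leftsubnet=172.16.0.0/16
}

def covers(configured: str, requested: str) -> bool:
    """True when the requested selector lies inside a configured one; string equality
    is used when an address will not parse (e.g. the anonymised XXX octet)."""
    try:
        return ipaddress.ip_network(requested, strict=False).subnet_of(
            ipaddress.ip_network(configured, strict=False))
    except ValueError:
        return configured == requested

def diagnose(log_text: str, configured=CONFIGURED) -> list:
    """One finding per refused Quick Mode request: what the peer asked for on the
    gateway side and which configured conns (if any) would have matched it."""
    findings = []
    for line in log_text.splitlines():
        ev = PLUTO_RE.match(line)
        sel = SELECTOR_RE.search(ev["msg"]) if ev else None
        if not sel:
            continue
        findings.append({
            "conn": ev["conn"], "peer": ev["peer"], "state": ev["state"],
            "requested_left": sel["lsub"], "gateway_left": sel["lhost"],
            "peer_id": sel["rid"],
            "matching_conns": [n for n, net in configured.items() if covers(net, sel["lsub"])],
        })
    return findings
```

Running diagnose(SAMPLE_LOG) reports that state #3 asked for 62.161.75.XXX/32 (the router's public address) behind 192.168.3.1, and that no conn in the posted config covers it; the only conn without a leftsubnet is bound to the private interface address.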


Retour vers Linux et BSD (forum généraliste)

Qui est en ligne ?

Utilisateur(s) parcourant actuellement ce forum : Aucun utilisateur inscrit et 1 invité

cron