Comportement bizarre du VPN roadwarrior

[kinkey]

Salut,
j'ai monté un VPN en roadwarrior avec le version 1.4.1 d'ipcop. J'ai suivi le tuto donné ici http://forums.fr.ixus.net/viewtopic.php ... 3&start=15 . Ca marche, mais ca marche pas top top, je m'explique. Pour une raison inconnu la connexion avec le serveur ne se fait pas et jusqu'à ce que je me rendre au boulot pour relancer le service VPN les logs ce remplissent avec ce message :

Code: Tout sélectionner

09:16:45 pluto[1136] "mon_user"[4] 82.224.xxx.xxx #4022: initiating Main Mode to replace #4013
09:16:45 pluto[1136] "mon_user"[4] 82.224.xxx.xxx #4013: starting keying attempt 384 of an unlimited number
09:16:45 pluto[1136] "mon_user"[4] 82.224.xxx.xxx #4013: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message

Lorsque je relance le service VPN j'ai les messages suivant (A lire de bas en haut) :

Code: Tout sélectionner

09:27:18 pluto[9818] loaded private key file '/var/ipcop/certs/hostkey.pem' (891 bytes)
09:27:18 pluto[9818] loading secrets from "/etc/ipsec.secrets"
09:27:18 pluto[9818] adding interface ipsec0/eth1 82.232.xxx.xxx:4500
09:27:18 pluto[9818] adding interface ipsec0/eth1 82.232.xxx.xxx
09:27:18 pluto[9818] listening for IKE messages
09:27:18 ipsec__plutorun ...could not add conn "mon_user"
09:27:18 ipsec__plutorun: 003 esp string error pfsgroup "1024" not found
09:27:18 pluto[9818] added connection description "mon_user"
09:27:18 pluto[9818] loaded host cert file '/var/ipcop/certs/mon_usercert.pem' (1330 bytes)
09:27:18 pluto[9818] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1346 bytes)
09:27:18 pluto[9818] | from whack: got --ike=aes128-sha-modp1024,aes128-md5-modp1024,3des-sha-modp1024,3des-md5-modp1024,twofish256-sha-modp1024,twofish256-md5-modp1024,twofish128-sha-modp1024,twofish128-md5-modp1024,blowfish256-sha-modp1024,blowfish256-md5-modp1024,blowfish128-sha-modp1024,blowfish128-md5-modp1024
09:27:18 pluto[9818] esp string error: pfsgroup "1024" not found
09:27:18 pluto[9818] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5,twofish256-sha1,twofish256-md5,twofish128-sha1,twofish128-md5,blowfish256-sha1,blowfish256-md5,blowfish128-sha1,blowfish128-md5;1024
09:27:17 pluto[9818] OpenPGP certificate file '/etc/pgpcert.pgp' not found
09:27:17 pluto[9818] loaded crl file 'cacrl.pem' (654 bytes)
09:27:17 pluto[9818] Changing to directory '/etc/ipsec.d/crls'
09:27:17 pluto[9818] loaded cacert file 'cacert.pem' (1537 bytes)
09:27:17 pluto[9818] error in X.509 certificate
09:27:17 pluto[9818] loaded cacert file 'cakey.pem' (1675 bytes)
09:27:17 pluto[9818] Changing to directory '/etc/ipsec.d/cacerts'
09:27:17 pluto[9818] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
09:27:17 pluto[9818] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
09:27:17 pluto[9818] including NAT-Traversal patch (Version 0.6)
09:27:17 pluto[9818] including X.509 patch with traffic selectors (Version 0.9.42)
09:27:17 pluto[9818] Starting Pluto (Openswan Version 1.0.7)
09:27:17 ipsec_setup ...Openswan IPsec started
09:27:17 ipsec__plutorun Starting Pluto subsystem...
09:27:16 ipsec_setup KLIPS ipsec0 on eth1 82.232.xxx.xxx/255.255.255.0 broadcast 82.232.xxx.xxx
09:27:16 ipsec_setup KLIPS debug `none'
09:27:16 ipsec_setup Starting Openswan IPsec 1.0.7...
09:27:16 ipsec_setup ...Openswan IPsec stopped
09:27:16 ipsec_setup: ipsec Device or resource busy
09:27:16 ipsec_setup doing cleanup anyway...
09:27:16 ipsec_setup stop ordered, but IPsec does not appear to be running!
09:27:16 ipsec_setup Stopping Openswan IPsec...
09:27:03 ipsec_setup ...Openswan IPsec stopped
09:27:03 ipsec_setup: ipsec Device or resource busy
09:27:02 pluto[1136] shutting down interface ipsec0/eth1 82.232.xxx.xxx
09:27:02 pluto[1136] shutting down interface ipsec0/eth1 82.232.xxx.xxx
09:27:02 pluto[1136] "mon_user": deleting connection
09:27:02 pluto[1136] "mon_user" #4026: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4029: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4022: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4025: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4024: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4027: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4028: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4023: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user" #4021: deleting state (STATE_MAIN_I1)
09:27:02 pluto[1136] "mon_user"[4] 82.224.xxx.xxx: deleting connection "mon_user" instance with peer 82.224.xxx.xxx
09:27:02 pluto[1136] forgetting secrets
09:27:02 pluto[1136] shutting down
09:27:02 ipsec_setup Stopping Openswan IPsec...

[Elfeclair]

Salut,

Dans les réglages avancés du paramétrage du VPN sur IPCop, je mets maintenant :
- Grouptype ESP : Phase 1 Group
au lieu de :
- Grouptype ESP : MODP-1024

J'ai l'impression que ça marche mieux comme ça.

Sinon, lors des tests, il faut souvent redemarrer les IPCop impliqués (ou les passerelles / firewall). Une fois que la configuration est stabilisée, ça marche nickel.

Et point important, il faut que le routeur coté client soit "VPN Passthrough" !!!

[kinkey]

Le routeur chez mon client est un ipcop aussi en 1.4.1. j'essai ce soir avec les nouveaux paramètres