Hello everyone.
I'm sorry to add to the pile of VPN threads, but I have been going through the docs and the forums for several weeks, in vain.
I am trying to set up a VPN between a private network and a RoadWarrior, using PSK for authentication for now.
Here is a little diagram.
---10.69.0.0/24 --------[10.69.0.1 (green eth) IPCOP/VPN (red eth) 134.214.76.219]--------INTERNET
Nothing complicated.
My RoadWarrior is an XP (SP2) workstation with Mr Mueller's client.
When I ping my RW from my green network (10.69.0.), no problem, it works. My RW also pings the red eth (134.214.76.219) without any problem.
However, when I try to bring up the tunnel, it's a disaster. In the logs I get: Initial Main Mode message received on 134.214.76.219 but no connection has been authorized with policy=psk.
If you have an idea, or better still a remedy, I'm all ears.
Here are the details of my configs.
XP client with Marcus Mueller's client.
----------------------------------------------------------------
conn travail
        left=tc-l2tp.insa-lyon.fr
        leftsubnet=20.69.0.0/255.255.255.0
        presharedkey=testvpn
        right=%any
        network=auto
        auto=start
        pfs=yes
Here is the result when I type ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection travail:
MyTunnel : 134.214.76.66
MyNet : 134.214.76.66/255.255.255.255
PartnerTunnel: tc-l2tp.insa-lyon.fr
PartnerNet : 20.69.0.0/255.255.255.0
CA (ID) : Preshared Key ******************
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
Apparently no problem.
IPCop config
------------------------------
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!20.69.0.0/255.255.255.0
conn %default
        keyingtries=0
        disablearrivalcheck=no
conn bidule
        left=tc-l2tp.insa-lyon.fr
        leftnexthop=%defaultroute
        leftsubnet=20.69.0.0/255.255.255.0
        right=%any
        rightsubnet=vhost:%no,%priv
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=add
---------------------------------------------------------
Here is what ipsec barf gives me
---------------------------------------------------------
tc-l2tp.insa-lyon.fr
Fri Jan 7 09:55:40 CET 2005
+ _________________________ version
+ ipsec --version
Linux Openswan 1.0.7
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.27 (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release)) #1 Tue Dec 14 22:30:49 GMT 2004
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
20.69.0.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0
134.214.76.0    0.0.0.0         255.255.252.0   U       0 0          0 eth1
134.214.76.0    0.0.0.0         255.255.252.0   U       0 0          0 ipsec0
0.0.0.0         134.214.76.1    0.0.0.0         UG      0 0          0 eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
ipsec4 -> NULL mtu=0(0) -> 0
ipsec5 -> NULL mtu=0(0) -> 0
ipsec6 -> NULL mtu=0(0) -> 0
ipsec7 -> NULL mtu=0(0) -> 0
ipsec8 -> NULL mtu=0(0) -> 0
ipsec9 -> NULL mtu=0(0) -> 0
ipsec10 -> NULL mtu=0(0) -> 0
ipsec11 -> NULL mtu=0(0) -> 0
ipsec12 -> NULL mtu=0(0) -> 0
ipsec13 -> NULL mtu=0(0) -> 0
ipsec14 -> NULL mtu=0(0) -> 0
ipsec15 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c6904b30 2315 c5f9e1a4 0 0 0 0 2 107520 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c5f9e1a4 2315 c6904b30
pf_key_registered: 3 c5f9e1a4 2315 c6904b30
pf_key_registered: 9 c5f9e1a4 2315 c6904b30
pf_key_registered: 10 c5f9e1a4 2315 c6904b30
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 253 128 128 256
pf_key_supported: 3 14 7 0 512 512
pf_key_supported: 3 14 5 0 256 256
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 15 252 128 128 256
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 3 15 7 64 96 448
pf_key_supported: 3 15 12 128 128 256
pf_key_supported: 3 15 3 64 168 168
pf_key_supported: 3 15 3 64 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1 134.214.76.219
000 interface ipsec0/eth1 134.214.76.219
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bidule": 20.69.0.0/24===20.69.0.1---134.214.76.1...%virtual
000 "bidule": CAs: '%any'...'%any'
000 "bidule": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bidule": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: ; unrouted
000 "bidule": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "bidule": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "bidule": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "bidule": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "bidule": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:45:23:62
          inet addr:20.69.0.1  Bcast:20.69.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1273 (1.2 Kb)  TX bytes:1310 (1.2 Kb)
          Interrupt:12 Base address:0xc400

eth1      Link encap:Ethernet  HWaddr 00:10:B5:A7:6F:D6
          inet addr:134.214.76.219  Bcast:134.214.79.255  Mask:255.255.252.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:8013 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:946231 (924.0 Kb)  TX bytes:1086 (1.0 Kb)
          Interrupt:11 Base address:0x5d00

ipsec0    Link encap:Ethernet  HWaddr 00:10:B5:A7:6F:D6
          inet addr:134.214.76.219  Mask:255.255.252.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
[--------------]
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
tc-l2tp.insa-lyon.fr
+ _________________________ hostname/ipaddress
+ hostname --ip-address
20.69.0.1
+ _________________________ uptime
+ uptime
09:55:40 up 10 min, 1 user, load average: 0.44, 0.20, 0.07
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 2620 736 9 0 3768 1200 wait4 S+ tty1 0:00 \_ /bin/sh /usr/sbin/ipsec barf
0 0 2621 2620 16 0 3796 1256 wait4 S+ tty1 0:00 \_ /bin/sh /usr/lib/ipsec/barf
1 0 2666 2621 15 0 3796 1256 - R+ tty1 0:00 \_ /bin/sh /usr/lib/ipsec/barf
1 0 2309 1 9 0 2428 1144 wait4 S tty1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --crlcheckinterval "" --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!20.69.0.0/255.255.255.0 --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
1 0 2311 2309 9 0 2428 1144 wait4 S tty1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --crlcheckinterval "" --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!20.69.0.0/255.255.255.0 --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 2315 2311 9 0 2912 1168 select S tty1 0:00 | \_ /usr/lib/ipsec/pluto --nofork --debug-none --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!20.69.0.0/255.255.255.0
0 0 2318 2315 9 0 1608 376 select S tty1 0:00 | \_ _pluto_adns 7 10
0 0 2314 2309 8 0 2412 1128 pipe_w S tty1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --load %search --start %search --wait --post
0 0 2310 1 9 0 1540 432 pipe_w S tty1 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routephys=eth1
routevirt=ipsec0
routevirt=ipsec0
routeaddr=134.214.76.219
routeaddr=134.214.76.219
routenexthop=134.214.76.1
routenexthop=134.214.76.1
defaultroutephys=eth1
defaultroutevirt=ipsec0
defaultrouteaddr=134.214.76.219
defaultroutenexthop=134.214.76.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!20.69.0.0/255.255.255.0
conn %default
        keyingtries=0
        disablearrivalcheck=no
conn bidule
        left=tc-l2tp.insa-lyon.fr
        leftnexthop=%defaultroute
        leftsubnet=20.69.0.0/255.255.255.0
        right=%any
        rightsubnet=vhost:%no,%priv
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
tc-l2tp.insa-lyon.fr %any : PSK "[sums to 7195...]"
[-------------]
Jan 6 08:01:13 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 6 08:01:13 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 6 08:01:13 tc-l2tp pluto[741]: packet from 134.214.76.66:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 6 08:01:13 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jan 6 08:01:13 tc-l2tp pluto[741]: packet from 134.214.76.66:500: initial Main Mode message received on 134.214.76.219:500 but no connection has been authorized with policy=PSK
Jan 6 08:01:14 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 6 08:01:14 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 6 08:01:14 tc-l2tp pluto[741]: packet from 134.214.76.66:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 6 08:01:14 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jan 6 08:01:14 tc-l2tp pluto[741]: packet from 134.214.76.66:500: initial Main Mode message received on 134.214.76.219:500 but no connection has been authorized with policy=PSK
Jan 6 08:01:16 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 6 08:01:16 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 6 08:01:16 tc-l2tp pluto[741]: packet from 134.214.76.66:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 6 08:01:16 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jan 6 08:01:16 tc-l2tp pluto[741]: packet from 134.214.76.66:500: initial Main Mode message received on 134.214.76.219:500 but no connection has been authorized with policy=PSK
Jan 6 08:01:20 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 6 08:01:20 tc-l2tp pluto[741]: packet from 134.214.76.66:500: ignoring Vendor ID payload [FRAGMENTATION]
Thanks in advance to all of you for any help you can give me.
See you soon.
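One detail a responder would check in the barf above: `ipsec auto --status` lists 134.214.76.219 as the only interface pluto listens on, yet conn bidule shows a left endpoint of 20.69.0.1 (the green address that `hostname --ip-address` returns for tc-l2tp.insa-lyon.fr) and an empty `interface:` field, meaning pluto has not oriented the conn to any local interface and cannot match an inbound Main Mode exchange to it. The following Python check is added here and is not part of the poster's setup or of Openswan; it parses a constructed excerpt modelled on that status output (a second conn, "ok", is invented for contrast) and flags any conn whose left address is not a listening interface address.

```python
import re

# Constructed excerpt modelled on the `ipsec auto --status` section of the
# poster's `ipsec barf`; the second conn ("ok") is invented for contrast.
STATUS = """\
000 interface ipsec0/eth1 134.214.76.219
000 "bidule": 20.69.0.0/24===20.69.0.1---134.214.76.1...%virtual
000 "bidule": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: ; unrouted
000 "ok": 20.69.0.0/24===134.214.76.219---134.214.76.1...%virtual
000 "ok": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
"""

IFACE_RE = re.compile(r'^000 interface \S+ (\S+)$')
TOPO_RE = re.compile(r'^000 "([^"]+)": (\S+)===(\S+)---(\S+)\.\.\.(\S+)$')
POLICY_RE = re.compile(r'^000 "([^"]+)": policy: ([^;]+); interface: ([^;]*); (\w+)$')


def parse_status(text):
    """Return (set of IPs pluto listens on, dict conn name -> fields)."""
    ifaces, conns = set(), {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            ifaces.add(m.group(1))
            continue
        m = TOPO_RE.match(line)
        if m:
            name, lsub, left, nexthop, right = m.groups()
            conns.setdefault(name, {}).update(leftsubnet=lsub, left=left,
                                              nexthop=nexthop, right=right)
            continue
        m = POLICY_RE.match(line)
        if m:
            name, policy, iface, state = m.groups()
            conns.setdefault(name, {}).update(policy=policy.split('+'),
                                              interface=iface or None, state=state)
    return ifaces, conns


def unoriented_conns(text):
    """Conns whose left address is on no listening interface (empty
    'interface:' field). pluto cannot match an inbound IKE exchange to such
    a conn, which is one cause of 'no connection has been authorized'."""
    ifaces, conns = parse_status(text)
    return sorted(name for name, c in conns.items()
                  if c.get('left') not in ifaces or c.get('interface') is None)


if __name__ == '__main__':
    for name in unoriented_conns(STATUS):
        print(f'conn {name}: left endpoint is not a local interface address')
```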