VPN between 2 IPCops + a firewall

Post by Didier51_ » 02 Dec 2005 11:26

Hello, I have a problem getting a VPN to come up. Here is my configuration:

On Site1:
IPCop1
WAN IP (RED): 192.168.5.254
LAN IP (GREEN): 172.17.1.1

On Site2:
Router/firewall of type Zyxel (ZyWALL 10W)
WAN IP: 192.168.5.1
LAN IP: 192.168.1.252

IPCop2:
WAN IP (RED): 192.168.1.254
LAN IP (GREEN): 172.16.1.1

I have already tested creating a VPN from IPCop1 to the router/firewall, and there is no problem there. So I am trying to bring up a VPN from IPCop1 to IPCop2. Here is the configuration of the VPNs:

Site 1

IPCop1:
Local host IP: 192.168.5.254
Remote server IP: 192.168.5.1
Local subnet: 172.17.0.0/255.255.0.0
Remote subnet: 172.16.0.0/255.255.0.0
(AES-MD5-MODP1024)

see ipsec.conf:
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.0.0/255.255.0.0,%v4:!10.0.1.0/255.0.0.0,%v4:!172.16.0.0/255.255.0.0,%v4:!172.16.0.0/255.255.0.0,%v4:!172.16.0.0/255.255.0.0

conn %default
keyingtries=0
disablearrivalcheck=no

conn TestNS
left=192.168.5.254
leftnexthop=%defaultroute
leftsubnet=172.17.0.0/255.255.0.0
right=192.168.5.1
rightsubnet=172.16.0.0/255.255.0.0
rightnexthop=%defaultroute
ike=aes128-md5-modp1024
esp=aes128-md5
ikelifetime=1h
keylife=8h
dpddelay=30
dpdtimeout=120
dpdaction=hold
authby=secret
auto=start

Site 2

On the Zywall:
NAT IKE (port 500) to 192.168.1.254
NAT port 4500 to 192.168.1.254
plus a WAN-to-LAN rule to let through
the IKE, 4500 and ESP flows

IPCop2:
Local host IP: 192.168.1.254
Remote server IP: 192.168.5.254
Local subnet: 172.16.0.0/255.255.0.0
Remote subnet: 172.17.0.0/255.255.0.0
(AES-MD5-MODP1024)

see ipsec.conf:
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.16.0.0/255.255.0.0,%v4:!11.0.0.0/255.0.0.0,%v4:!172.17.0.0/255.255.0.0

conn %default
keyingtries=0
disablearrivalcheck=no

conn test
left=192.168.1.254
leftnexthop=%defaultroute
leftsubnet=172.16.0.0/255.255.0.0
right=192.168.5.254
rightsubnet=172.17.0.0/255.255.0.0
rightnexthop=%defaultroute
ike=aes128-md5-modp1024
esp=aes128-md5
ikelifetime=1h
keylife=8h
dpddelay=30
dpdtimeout=120
dpdaction=hold
authby=secret
auto=start

When I try to bring up the VPN, here are the logs I get:

IPCop1:
...Openswan IPsec stopped
Starting Openswan IPsec 1.0.7...
KLIPS debug `none'
KLIPS ipsec0 on eth2 192.168.5.254/255.255.255.0 broadcast 192.168.5.255
Starting Pluto subsystem...
Starting Pluto (Openswan Version 1.0.7)
including X.509 patch with traffic selectors (Version 0.9.42)
including NAT-Traversal patch (Version 0.6)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Changing to directory '/etc/ipsec.d/cacerts'
...Openswan IPsec started
Warning: empty directory
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
OpenPGP certificate file '/etc/pgpcert.pgp' not found
| from whack: got --esp=aes128-md5
| from whack: got --ike=aes128-md5-modp1024
added connection description "TestNS"
listening for IKE messages
adding interface ipsec0/eth2 192.168.5.254
adding interface ipsec0/eth2 192.168.5.254:4500
loading secrets from "/etc/ipsec.secrets"

"TestNS" #1: initiating Main Mode
"TestNS" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
"TestNS" #1: received Vendor ID payload [Dead Peer Detection]
"TestNS" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
packet from 192.168.5.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 192.168.5.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 192.168.5.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 192.168.5.1:500: received Vendor ID payload [Dead Peer Detection]
"TestNS" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
"TestNS" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"TestNS" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
"TestNS" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| NAT-T: new mapping 192.168.5.1:4500/500)
"TestNS" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
"TestNS" #1: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #2: no suitable connection for peer '192.168.1.254'
"TestNS" #2: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #2: no suitable connection for peer '192.168.1.254'
"TestNS" #2: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
"TestNS" #1: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #2: no suitable connection for peer '192.168.1.254'
"TestNS" #2: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
"TestNS" #1: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #2: max number of retransmissions (2) reached STATE_MAIN_R2
"TestNS" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"TestNS" #1: starting keying attempt 2 of an unlimited number, but releasing whack
"TestNS" #3: initiating Main Mode to replace #1
"TestNS" #1: STATE_MAIN_I1: initiate
"TestNS" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
"TestNS" #1: received Vendor ID payload [Dead Peer Detection]
"TestNS" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"TestNS" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
"TestNS" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
"TestNS" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
packet from 192.168.5.1:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 192.168.5.1:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
"TestNS" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
packet from 192.168.5.1:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
packet from 192.168.5.1:4500: received Vendor ID payload [Dead Peer Detection]
"TestNS" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
packet from 192.168.5.1:4500: initial Main Mode message received on 192.168.5.254:4500 but no connection has been authorized with policy=PSK

IPCop2:

...Openswan IPsec stopped
Starting Openswan IPsec 1.0.7...
KLIPS debug `none'
KLIPS ipsec0 on eth2 192.168.1.254/255.255.255.0 broadcast 192.168.1.255
Starting Pluto subsystem...
Starting Pluto (Openswan Version 1.0.7)
including X.509 patch with traffic selectors (Version 0.9.42)
including NAT-Traversal patch (Version 0.6)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Changing to directory '/etc/ipsec.d/cacerts'
...Openswan IPsec started
Warning: empty directory
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
OpenPGP certificate file '/etc/pgpcert.pgp' not found
| from whack: got --esp=aes128-md5
| from whack: got --ike=aes128-md5-modp1024
added connection description "test"
listening for IKE messages
adding interface ipsec0/eth2 192.168.1.254
adding interface ipsec0/eth2 192.168.1.254:4500
loading secrets from "/etc/ipsec.secrets"
"test" #1: initiating Main Mode
packet from 192.168.5.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 192.168.5.254:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 192.168.5.254:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 192.168.5.254:500: received Vendor ID payload [Dead Peer Detection]
"test" #2: responding to Main Mode
"test" #2: transition from state (null) to state STATE_MAIN_R1
"test" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
"test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"test" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
"test" #1: received Vendor ID payload [Dead Peer Detection]
"test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"test" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.5.254'
"test" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| NAT-T: new mapping 192.168.5.254:500/4500)
"test" #2: sent MR3, ISAKMP SA established
"test" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
"test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| NAT-T: new mapping 192.168.5.254:4500/500)
"test" #2: Informational Exchange message for an established ISAKMP SA must be encrypted
"test" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"test" #1: received and ignored informational message
"test" #1: discarding duplicate packet; already STATE_MAIN_I3
"test" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"test" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"test" #1: received and ignored informational message
"test" #2: Informational Exchange message for an established ISAKMP SA must be encrypted
"test" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"test" #1: received and ignored informational message
"test" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"test" #1: discarding duplicate packet; already STATE_MAIN_I3
"test" #2: Informational Exchange message for an established ISAKMP SA must be encrypted
"test" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"test" #1: starting keying attempt 2 of an unlimited number, but releasing whack
"test" #3: initiating Main Mode to replace #1
packet from 192.168.5.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 192.168.5.254:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 192.168.5.254:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 192.168.5.254:500: received Vendor ID payload [Dead Peer Detection]
packet from 192.168.5.254:500: initial Main Mode message received on 192.168.1.254:500 but no connection has been authorized with policy=PSK

For me the problem is with NAT traversal.
If anyone has a solution to this problem, thanks in advance.
Didier51_
Sailor
 
Posts: 2
Joined: 30 Nov 2005 10:30
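As an added example (not part of the original post, and not IPCop or Openswan code), here is a small Python checker for exactly the failure the IPCop1 log above shows: pluto reports "we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'" because IPCop2 sits behind the Zywall's NAT and identifies itself by its own RED address, while the conn on IPCop1 has no separate identity and so expects the peer's ID to equal right=. The script parses the conn block of an ipsec.conf fragment, pairs each ID-mismatch message with the conn's right= / rightid= values and the NAT-T verdict, and prints a remediation hint. The embedded config and log lines are constructed from the values in the post (not a live capture); the rightid= / leftid= keywords the hint refers to are Openswan's standard identity settings and are assumed to be usable in this version's ipsec.conf.

```python
import re

# Constructed sample input: the IPCop1 conn block and a handful of the pluto log
# lines from the post above (values copied from the post, not a live capture).
IPSEC_CONF = """\
conn TestNS
left=192.168.5.254
leftsubnet=172.17.0.0/255.255.0.0
right=192.168.5.1
rightsubnet=172.16.0.0/255.255.0.0
authby=secret
"""

PLUTO_LOG = """\
"TestNS" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
"TestNS" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
"TestNS" #1: sending notification INVALID_ID_INFORMATION to 192.168.5.1:500
"TestNS" #2: no suitable connection for peer '192.168.1.254'
"TestNS" #1: we require peer to have ID '192.168.5.1', but peer declares '192.168.1.254'
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")
# "TestNS" #1: we require peer to have ID 'X', but peer declares 'Y'
ID_MISMATCH_RE = re.compile(
    r"""["](?P<conn>[^"]+)["] #\d+: we require peer to have ID '(?P<expected>[^']+)', """
    r"""but peer declares '(?P<declared>[^']+)'"""
)
# "TestNS" #1: NAT-Traversal: Result using <draft>: peer is NATed / both are NATed / i am NATed
NATED_RE = re.compile(r"""["](?P<conn>[^"]+)["] #\d+: NAT-Traversal: Result using \S+: (?P<who>.*NATed)$""")
UNMATCHED_RE = re.compile(r"""no suitable connection for peer '(?P<peer>[^']+)'""")


def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn section of an ipsec.conf fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2)
    return conns


def diagnose(conf_text, log_text):
    """Pair pluto's ID-mismatch messages with the conn they belong to.

    Returns {"id_mismatches": [...], "unmatched_peers": [...]}; repeated log lines
    (pluto retransmits) are collapsed so each distinct problem is reported once.
    """
    conns = parse_conns(conf_text)
    nat_state = {}            # conn name -> NAT-T verdict pluto printed for it
    mismatches, unmatched = [], []
    for line in log_text.splitlines():
        m = NATED_RE.search(line)
        if m:
            nat_state[m.group("conn")] = m.group("who")
            continue
        m = UNMATCHED_RE.search(line)
        if m:
            if m.group("peer") not in unmatched:
                unmatched.append(m.group("peer"))
            continue
        m = ID_MISMATCH_RE.search(line)
        if m:
            name = m.group("conn")
            cfg = conns.get(name, {})
            finding = {
                "conn": name,
                "expected_id": m.group("expected"),
                "declared_id": m.group("declared"),
                "right": cfg.get("right"),
                "rightid": cfg.get("rightid"),   # None when the conn relies on right= as the ID
                "peer_nated": nat_state.get(name),
            }
            if finding not in mismatches:
                mismatches.append(finding)
    return {"id_mismatches": mismatches, "unmatched_peers": unmatched}


def suggestion(finding):
    """Turn one mismatch into a remediation hint.

    Assumption: Openswan's rightid= / leftid= keywords are usable in this ipsec.conf,
    so the expected IKE identity can be set independently of the right= address.
    """
    who = f" (pluto reports '{finding['peer_nated']}')" if finding["peer_nated"] else ""
    if finding["rightid"] is None and finding["expected_id"] == finding["right"]:
        return (
            f"conn {finding['conn']}: no rightid= is set, so right={finding['right']} doubles as the "
            f"expected IKE ID, but the peer identifies itself as {finding['declared_id']}{who}; "
            f"add rightid={finding['declared_id']} here and the matching leftid= on the peer so the "
            "identity check passes without changing right=."
        )
    return (f"conn {finding['conn']}: expected ID {finding['expected_id']} but the peer declared "
            f"{finding['declared_id']}{who}; check the id settings on both ends.")


if __name__ == "__main__":
    result = diagnose(IPSEC_CONF, PLUTO_LOG)
    for f in result["id_mismatches"]:
        print(suggestion(f))
    for peer in result["unmatched_peers"]:
        print(f"no conn matched a peer declaring ID {peer}")
```

Run against the log of a real IPCop box, the same regexes pick up the mismatch on each keying attempt; collapsing the duplicates keeps the report to one line per conn. The second IPCop's log in the post is the mirror image of this check: IPCop2 never reaches the ID check itself, it only receives the INVALID_ID_INFORMATION notifications that IPCop1 sends.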
