VPN problem between IPCOP and Netgear FVS124G

Forum about the up-and-coming secure distribution called IPCop, based on the Smoothwall distribution. It is currently the most active forum on the site.


Post by Sire » 30 May 2007 16:33

Hello everyone!

I'm trying to set up an IPSEC tunnel between an IPCOP and an FVS124G.

The IPCOP is on a virtual machine behind a Windows 2003 NAT; UDP ports 500 and 4500 are NATed through to it.

The Netgear router is connected directly to the $%#&! of a Freebox in gateway mode.

If I ping an address on the other side of the VPN, the tunnel comes up within a few seconds and my ping gets replies; then, a few seconds later, the ping drops.
After about a minute the ping answers again and the connection is stable...

Here is what the Netgear log says:

WED MAY 30 14:13:14 2007 INFO :: IKE phase-I negotiation started
WED MAY 30 14:13:14 2007 INFO :: Sending phase-I notify of type INITIAL_CONTACT
WED MAY 30 14:13:14 2007 INFO :: IKE phase-I started
WED MAY 30 14:13:14 2007 INFO :: Initiator SPD selectors sent: IP SUBNET, 10.10.10.0, mask 24 proto 0, port 0
WED MAY 30 14:13:14 2007 INFO :: Responder SPD selectors sent: IP SUBNET, 192.168.92.0, mask 24 proto 0, port 0
WED MAY 30 14:13:14 2007 INFO :: IKE phase-II started of message ID 886e5e15
WED MAY 30 14:13:14 2007 INFO :: Quick Mode completed with message ID(0x886e5e15)

///From here, I ping my remote machine on the 192.168.92.0 subnet///

WED MAY 30 14:13:48 2007 INFO :: Started phase-I negotiation
WED MAY 30 14:13:48 2007 INFO :: IKE phase-I started
WED MAY 30 14:13:48 2007 INFO :: Initiator SPD selectors received: IP SUBNET, 192.168.92.0, mask 24 proto 0, port 0
WED MAY 30 14:13:48 2007 INFO :: Responder SPD selectors received: IP SUBNET, 10.10.10.0, mask 24 proto 0, port 0
WED MAY 30 14:13:48 2007 INFO :: IKE phase-II Started with message ID (0xc7c0196)
WED MAY 30 14:13:48 2007 INFO :: Quick Mode completed with message ID(0xc7c0196)

///And here the ping drops...///

WED MAY 30 14:14:10 2007 INFO :: Sending phase-I notify of type R_U_THERE
WED MAY 30 14:14:14 2007 INFO :: Sending phase-I notify of type R_U_THERE
WED MAY 30 14:14:18 2007 INFO :: received NOTIFY PAYLOAD of notify type R_U_THERE
WED MAY 30 14:14:18 2007 INFO :: Sending phase-I notify of type R_U_THERE_ACK
WED MAY 30 14:14:24 2007 INFO :: Sending phase-I notify of type R_U_THERE
WED MAY 30 14:14:34 2007 INFO :: Sending phase-I notify of type R_U_THERE
WED MAY 30 14:14:43 2007 INFO :: Sending phase-I notify of type R_U_THERE
WED MAY 30 14:14:44 2007 INFO :: Deleting the IsakmpSA
WED MAY 30 14:14:48 2007 INFO :: received NOTIFY PAYLOAD of notify type R_U_THERE
WED MAY 30 14:14:48 2007 INFO :: Sending phase-I notify of type R_U_THERE_ACK
WED MAY 30 14:14:49 2007 INFO :: Initiator SPD selectors sent: IP SUBNET, 10.10.10.0, mask 24 proto 0, port 0
WED MAY 30 14:14:49 2007 INFO :: Responder SPD selectors sent: IP SUBNET, 192.168.92.0, mask 24 proto 0, port 0
WED MAY 30 14:14:49 2007 INFO :: IKE phase-II started of message ID b11d64ee
WED MAY 30 14:14:49 2007 INFO :: Quick Mode completed with message ID(0xb11d64ee)

///There we go, the VPN works for good...///



Strange, isn't it? The negotiation happens three times in all, and it takes almost two minutes before my tunnel is really up...

Here is the IPCOP log:

16:13:25 pluto[533] packet from aaa.aaa.aaa.aaa:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
16:13:25 pluto[533] packet from aaa.aaa.aaa.aaa:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
16:13:25 pluto[533] packet from aaa.aaa.aaa.aaa:500: ignoring Vendor ID payload [1fb99487b303b5e6c4695c0f98074ff4]
16:13:25 pluto[533] packet from aaa.aaa.aaa.aaa:500: received Vendor ID payload [Dead Peer Detection]
16:13:25 pluto[533] packet from aaa.aaa.aaa.aaa:500: ignoring Vendor ID payload [648982785bedbdd66a6dd356f0e160fd]
16:13:25 pluto[533] "Vallauris1" #70: responding to Main Mode
16:13:25 pluto[533] "Vallauris1" #70: transition from state (null) to state STATE_MAIN_R1
16:13:26 pluto[533] "Vallauris1" #70: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
16:13:26 pluto[533] "Vallauris1" #70: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
16:13:28 pluto[533] "Vallauris1" #70: ignoring informational payload, type IPSEC_INITIAL_CONTACT
16:13:28 pluto[533] "Vallauris1" #70: Main mode peer ID is ID_FQDN: '@vallauris1.vpn'
16:13:28 pluto[533] "Vallauris1" #70: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
16:13:28 pluto[533] | NAT-T: new mapping aaa.aaa.aaa.aaa:500/4500)
16:13:28 pluto[533] "Vallauris1" #70: sent MR3, ISAKMP SA established
16:13:28 pluto[533] "Vallauris1" #71: responding to Quick Mode
16:13:28 pluto[533] "Vallauris1" #71: transition from state (null) to state STATE_QUICK_R1
16:13:28 pluto[533] "Vallauris1" #71: Dead Peer Detection (RFC3706) enabled
16:13:28 pluto[533] "Vallauris1" #71: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
16:13:28 pluto[533] "Vallauris1" #71: IPsec SA established
16:14:02 pluto[533] "Vallauris1" #69: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
16:14:02 pluto[533] "Vallauris1" #69: received Vendor ID payload [Dead Peer Detection]
16:14:02 pluto[533] "Vallauris1" #69: ignoring Vendor ID payload [648982785bedbdd66a6dd356f0e160fd]
16:14:02 pluto[533] "Vallauris1" #69: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
16:14:03 pluto[533] "Vallauris1" #69: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
16:14:03 pluto[533] "Vallauris1" #69: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
16:14:05 pluto[533] "Vallauris1" #69: Main mode peer ID is ID_FQDN: '@vallauris1.vpn'
16:14:05 pluto[533] "Vallauris1" #69: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
16:14:05 pluto[533] "Vallauris1" #69: ISAKMP SA established
16:14:05 pluto[533] "Vallauris1" #72: initiating Quick Mode PSK+ENCRYPT+TUNNEL
16:14:05 pluto[533] "Vallauris1" #72: Dead Peer Detection (RFC3706) enabled
16:14:05 pluto[533] "Vallauris1" #72: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
16:14:05 pluto[533] "Vallauris1" #72: sent QI2, IPsec SA established
16:14:10 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 217
16:14:16 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 36
16:14:21 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 86
16:14:27 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 180
16:14:31 pluto[533] "Vallauris1" #71: discarding duplicate packet; already STATE_QUICK_R2
16:14:32 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 67
16:14:38 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 205
16:14:39 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x0f4023d5)
16:14:43 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 243
16:14:43 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x0f4023d5)
16:14:49 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 149
16:14:54 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 73
16:15:00 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 91
16:15:06 pluto[533] "Vallauris1" #73: responding to Quick Mode
16:15:06 pluto[533] "Vallauris1" #73: transition from state (null) to state STATE_QUICK_R1
16:15:06 pluto[533] "Vallauris1" #73: Dead Peer Detection (RFC3706) enabled
16:15:06 pluto[533] "Vallauris1" #73: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
16:15:06 pluto[533] "Vallauris1" #73: IPsec SA established
16:15:09 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x8e21b7e9)
16:15:31 pluto[533] "Vallauris1" #71: discarding duplicate packet; already STATE_QUICK_R2
16:15:39 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x10f277c0)
16:16:06 pluto[533] "Vallauris1" #73: discarding duplicate packet; already STATE_QUICK_R2
16:16:08 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x1da408d7)
16:16:31 pluto[533] "Vallauris1" #71: discarding duplicate packet; already STATE_QUICK_R2
16:16:39 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0xb93f3bcb)
16:17:06 pluto[533] "Vallauris1" #73: discarding duplicate packet; already STATE_QUICK_R2
16:17:09 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x423299ab)


Note that once the VPN is working, I still get error messages from time to time, with packet loss as a result...

Another problem: if the connection is lost, the VPN does not come back up once the connection is restored; I have to do a "Restart" on the tunnel concerned... I tried the three DPD 'actions' (hold, clear and reset) without success...

Does anyone have an idea, some advice, any help to offer???

Thanks in advance...

Joris
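A small triage script for the pluto log above, added here as an example; it is not part of the original post and not IPCop's own tooling. It parses pluto lines of the three shapes seen in the log (connection/SA-numbered, "packet from host:port", and "|" debug lines), counts how often phase 1 and phase 2 SAs get established, and tallies the two errors that keep appearing once the tunnel is up: packets on UDP/4500 that pluto could not parse, and Informational exchanges rejected for a previously used Message ID. The sample lines are constructed after the thread's log (reusing its connection name "Vallauris1" and the masked peer aaa.aaa.aaa.aaa); the two-minute window, the threshold of one phase-2 SA per window and the symptom names are my own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Shape of an Openswan/pluto syslog line as it appears in the IPCop log:
#   HH:MM:SS pluto[pid] "conn" #sa: message
#   HH:MM:SS pluto[pid] packet from host:port: message
#   HH:MM:SS pluto[pid] | debug message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) pluto\[\d+\] "
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r"|packet from (?P<peer>[^:\s]+):(?P<port>\d+): "
    r"|\| )?"
    r"(?P<msg>.*)$"
)

# Message fragments worth counting, keyed by a symptom name (names are mine).
SYMPTOMS = {
    "isakmp_sa": "ISAKMP SA established",
    "ipsec_sa": "IPsec SA established",
    "bad_payload_type": "next payload type of ISAKMP Message has an unknown value",
    "reused_msgid": "has a previously used Message ID",
    "dup_packet": "discarding duplicate packet",
}


def parse_line(line):
    """Return a dict (time, conn, sa, peer, port, msg) or None for a non-pluto line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    return rec


def classify(msg):
    """Map a pluto message to a symptom name, or None if it is not one we track."""
    for name, needle in SYMPTOMS.items():
        if needle in msg:
            return name
    return None


def analyze(lines, window=timedelta(minutes=2), max_ipsec_sa=1):
    """Count symptoms and flag a tunnel whose phase 2 is re-established too often."""
    counts = Counter()
    ipsec_times = defaultdict(list)  # conn name -> times of "IPsec SA established"
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        sym = classify(rec["msg"])
        if sym is None:
            continue
        counts[sym] += 1
        if sym == "ipsec_sa" and rec["conn"]:
            ipsec_times[rec["conn"]].append(rec["time"])

    findings = []
    for conn, times in ipsec_times.items():
        times.sort()
        # Sliding window: more than max_ipsec_sa phase-2 SAs inside `window`
        # means the tunnel is being renegotiated rather than staying up.
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n > max_ipsec_sa:
                findings.append(
                    f"{conn}: {n} IPsec SAs established within {window} from {start:%H:%M:%S}"
                )
                break
    if counts["bad_payload_type"]:
        findings.append(
            f"{counts['bad_payload_type']} packets on the NAT-T port could not be parsed "
            "(unknown ISAKMP next-payload type)"
        )
    if counts["reused_msgid"]:
        findings.append(
            f"{counts['reused_msgid']} Informational exchanges rejected for reusing a Message ID"
        )
    return counts, findings


# Constructed sample, modelled on the IPCop log in the thread.
SAMPLE_LOG = [
    '16:13:25 pluto[533] packet from aaa.aaa.aaa.aaa:500: received Vendor ID payload [Dead Peer Detection]',
    '16:13:28 pluto[533] "Vallauris1" #70: sent MR3, ISAKMP SA established',
    '16:13:28 pluto[533] "Vallauris1" #71: IPsec SA established',
    '16:13:28 pluto[533] | NAT-T: new mapping aaa.aaa.aaa.aaa:500/4500)',
    '16:14:05 pluto[533] "Vallauris1" #69: ISAKMP SA established',
    '16:14:05 pluto[533] "Vallauris1" #72: sent QI2, IPsec SA established',
    '16:14:10 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 217',
    '16:14:31 pluto[533] "Vallauris1" #71: discarding duplicate packet; already STATE_QUICK_R2',
    '16:14:39 pluto[533] "Vallauris1" #70: Informational Exchange message is invalid because it has a previously used Message ID (0x0f4023d5)',
    '16:14:43 pluto[533] packet from aaa.aaa.aaa.aaa:4500: next payload type of ISAKMP Message has an unknown value: 243',
    '16:15:06 pluto[533] "Vallauris1" #73: IPsec SA established',
    'May 30 16:15:07 ipcop kernel: unrelated line that the parser must skip',
]

if __name__ == "__main__":
    counts, findings = analyze(SAMPLE_LOG)
    for name in SYMPTOMS:
        print(f"{name:18s} {counts[name]}")
    for f in findings:
        print("FINDING:", f)
```

Fed the full log from the post, it reports three IPsec SAs inside two minutes on "Vallauris1", which is the "negotiation happens three times" the post describes, plus the running count of unparseable UDP/4500 packets and rejected Informational exchanges. Worth noting when reading the two logs side by side: allowing for the two-hour clock offset, the IPCop's rejected Informational exchange at 16:14:43 coincides with the Netgear's "Sending phase-I notify of type R_U_THERE" at 14:14:43, so the DPD keepalives are a reasonable place to start when correlating the two sides.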

Re: VPN problem between IPCOP and Netgear FVS124G

Post by dsbsystem » 15 June 2007 11:34

Sire wrote: Hello everyone!

I'm trying to set up an IPSEC tunnel between an IPCOP and an FVS124G.

Another problem: if the connection is lost, the VPN does not come back up once the connection is restored; I have to do a "Restart" on the tunnel concerned... I tried the three DPD 'actions' (hold, clear and reset) without success...

Does anyone have an idea, some advice, any help to offer???

Thanks in advance...

Joris


Hello,

Sorry I can't help you, but I have the same problem between an IPCOP 1.4 and a small 3Com 3CR858-91 firewall router.

The VPN comes up with difficulty and drops without reconnecting.

I have never managed to get this pair working in a stable, lasting way.

On the other hand, between two 3Com 3CR858-91 units, no problem for several months now...
Several IPCOP v1.4x + (too?) many addons...