Bonjour
J'ai deux IPcop selon le schéma suivant :
192.168.X1.X - IPCOP - CBOX - INTERNET - FREEFOX - IPCOP - 192.168.X2.X
Les deux modems ne sont pas en bridge, mais j'ai transféré les ports 500 UDP et 4500 UDP
Après m'être battu de nombreuses heures avec les tuto mon tunnel est enfin monté, mais au bout de 5 à 8 heures, il tombe et ne redémarre pas, il faut que je clique sur redémarré (contrôle et statut de la connexion) sur les 2 ipcop (merci zerina) et ca repart
Une idée ?
Cordialement
Jérôme
[resolu] Net 2 Net tombe et ne redémare pas
Modérateur: modos Ixus
19 messages
• Page 1 sur 2 • 1, 2
[resolu] Net 2 Net tombe et ne redémare pas
par Yull » 17 Sep 2008 22:46
Dernière édition par Yull le 17 Avr 2009 00:20, édité 2 fois au total.
- Yull
- Second Maître
- Messages: 42
- Inscrit le: 31 Août 2006 00:27
par jdh » 18 Sep 2008 09:36
Il ne faut pas oublier qu'IPSEC utilise les éléments suivants :
- AH : protocole IP de n° 51
- ESP : protocole IP de n° 50
- IKE qui utilise 500/udp
- NAT traversal qui utilise 4500/udp
Donc un routeur qui renvoie 500/udp et 4500/udp ne suffit pas ...
cf l'excellent site http://www.frameip.com/ipsec/
En général, il est implémenté un dispositif de maintien de la liaison IPSEC. Mais je ne connais pas du tout l'implantation IPSEC sur IPCOP ...
- AH : protocole IP de n° 51
- ESP : protocole IP de n° 50
- IKE qui utilise 500/udp
- NAT traversal qui utilise 4500/udp
Donc un routeur qui renvoie 500/udp et 4500/udp ne suffit pas ...
cf l'excellent site http://www.frameip.com/ipsec/
En général, il est implémenté un dispositif de maintien de la liaison IPSEC. Mais je ne connais pas du tout l'implantation IPSEC sur IPCOP ...
-
jdh - Amiral
- Messages: 4741
- Inscrit le: 29 Déc 2002 01:00
- Localisation: Nantes
par jdh » 20 Sep 2008 21:28
Pas de solution ?
Oui, pas d'essai, pas de solution !
Si tu veux avoir des idées des autres, il faudrait plutôt dire LES essais que tu as réalisés et LES résultats que tu as obtenus ! On peut aussi indiquer ce qui apparaît dans les logs. (Bien sur, il faut lire DOIT au lieu de PEUT).
Moi j'ai réussi (plusieurs fois) ce genre de config parce que je procède méthodiquement et par étape. Je réalise d'abord cela avec 2 PC reliés par un câble croisé. Et quand ça fonctionne, je déplace un PC à sa place (avec les 2 routeurs intercalés) : il reste alors juste à faire les renvois nécessaires !
J'ai donné des éléments de piste : qu'est ce que tu en as compris, qu'est ce que tu en as fait ?
Oui, pas d'essai, pas de solution !
Si tu veux avoir des idées des autres, il faudrait plutôt dire LES essais que tu as réalisés et LES résultats que tu as obtenus ! On peut aussi indiquer ce qui apparaît dans les logs. (Bien sur, il faut lire DOIT au lieu de PEUT).
Moi j'ai réussi (plusieurs fois) ce genre de config parce que je procède méthodiquement et par étape. Je réalise d'abord cela avec 2 PC reliés par un câble croisé. Et quand ça fonctionne, je déplace un PC à sa place (avec les 2 routeurs intercalés) : il reste alors juste à faire les renvois nécessaires !
J'ai donné des éléments de piste : qu'est ce que tu en as compris, qu'est ce que tu en as fait ?
-
jdh - Amiral
- Messages: 4741
- Inscrit le: 29 Déc 2002 01:00
- Localisation: Nantes
par Yull » 23 Sep 2008 21:27
Alors j'ai transféré en plus les ports TCP 1723 et UDP 1701
Aucune amélioration, la connexion s'établit pour 5 à 8 heures et tombe
log de ipsec :
09:00:14 ipsec_setup Stopping Openswan IPsec...
09:00:14 pluto[10645] shutting down
09:00:14 pluto[10645] forgetting secrets
09:00:14 pluto[10645] "ctvimnord": deleting connection
09:00:14 pluto[10645] "ctvimnord" #77: deleting state (STATE_MAIN_I1)
09:00:14 pluto[10645] shutting down interface ipsec0/eth2 192.168.30.10
09:00:14 pluto[10645] shutting down interface ipsec0/eth2 192.168.30.10
09:00:15 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
09:00:15 ipsec_setup ipsec: Device or resource busy
09:00:15 ipsec_setup ...Openswan IPsec stopped
09:00:16 ipsec_setup Starting Openswan IPsec 1.0.10...
09:00:16 ipsec_setup KLIPS debug `none'
09:00:16 ipsec_setup KLIPS ipsec0 on eth2 192.168.30.10/255.255.255.0 broadcast 192.168.30.255
09:00:16 ipsec__plutorun Starting Pluto subsystem...
09:00:16 pluto[5794] Starting Pluto (Openswan Version 1.0.10)
09:00:16 pluto[5794] including X.509 patch with traffic selectors (Version 0.9.42)
09:00:16 pluto[5794] including NAT-Traversal patch (Version 0.6)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
09:00:16 pluto[5794] Changing to directory '/etc/ipsec.d/cacerts'
09:00:16 ipsec_setup ...Openswan IPsec started
09:00:16 pluto[5794] loaded cacert file 'ctvimnordcert.pem' (1294 bytes)
09:00:16 pluto[5794] loaded cacert file 'cacert.pem' (1285 bytes)
09:00:16 pluto[5794] Changing to directory '/etc/ipsec.d/crls'
09:00:16 pluto[5794] loaded crl file 'cacrl.pem' (568 bytes)
09:00:16 pluto[5794] OpenPGP certificate file '/etc/pgpcert.pgp' not found
09:00:16 vpn-watch 'ctvimnord': start watching 88.162.xxx.xxx
09:00:16 pluto[5794] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
09:00:16 pluto[5794] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
09:00:16 pluto[5794] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1172 bytes)
09:00:16 pluto[5794] loaded host cert file '/var/ipcop/certs/ctvimnordcert.pem' (1180 bytes)
09:00:16 pluto[5794] added connection description "ctvimnord"
09:00:16 pluto[5794] listening for IKE messages
09:00:16 pluto[5794] adding interface ipsec0/eth2 192.168.30.10
09:00:16 pluto[5794] adding interface ipsec0/eth2 192.168.30.10:4500
09:00:16 pluto[5794] loading secrets from "/etc/ipsec.secrets"
09:00:16 pluto[5794] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
09:00:17 pluto[5794] "ctvimnord" #1: initiating Main Mode
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: received Vendor ID payload [RFC 3947]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
09:01:04 pluto[5794] "ctvimnord" #2: responding to Main Mode
09:01:04 pluto[5794] "ctvimnord" #2: transition from state (null) to state STATE_MAIN_R1
09:01:04 pluto[5794] "ctvimnord" #2: NAT-Traversal: Result using RFC 3947: both are NATed
09:01:04 pluto[5794] "ctvimnord" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
09:01:04 pluto[5794] "ctvimnord" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, O=ctvimnord, CN=serveur-ca95.dyndns.info'
09:01:04 pluto[5794] "ctvimnord" #2: Issuer CRL not found
09:01:04 pluto[5794] "ctvimnord" #2: Issuer CRL not found
09:01:04 pluto[5794] "ctvimnord" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
09:01:04 pluto[5794] | NAT-T: new mapping 88.162.xxx.xxx:500/4500)
09:01:04 pluto[5794] "ctvimnord" #2: sent MR3, ISAKMP SA established
09:01:04 pluto[5794] "ctvimnord" #3: responding to Quick Mode
09:01:04 pluto[5794] "ctvimnord" #3: transition from state (null) to state STATE_QUICK_R1
09:01:04 pluto[5794] "ctvimnord" #3: Dead Peer Detection (RFC3706) enabled
09:01:04 pluto[5794] "ctvimnord" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
09:01:04 pluto[5794] "ctvimnord" #3: IPsec SA established
09:13:27 pluto[5794] "ctvimnord" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:13:27 pluto[5794] "ctvimnord" #1: starting keying attempt 2 of an unlimited number, but releasing whack
09:13:27 pluto[5794] "ctvimnord" #4: initiating Main Mode to replace #1
09:13:27 ipsec__plutorun 104 "ctvimnord" #1: STATE_MAIN_I1: initiate
09:13:27 ipsec__plutorun 010 "ctvimnord" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
09:13:27 ipsec__plutorun 010 "ctvimnord" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
09:13:27 ipsec__plutorun 031 "ctvimnord" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:13:27 ipsec__plutorun 000 "ctvimnord" #1: starting keying attempt 2 of an unlimited number, but releasing whack
09:13:27 ipsec__plutorun ...could not start conn "ctvimnord"
09:26:37 pluto[5794] "ctvimnord" #4: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:26:37 pluto[5794] "ctvimnord" #4: starting keying attempt 3 of an unlimited number
09:26:37 pluto[5794] "ctvimnord" #5: initiating Main Mode to replace #4
09:39:47 pluto[5794] "ctvimnord" #5: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:39:47 pluto[5794] "ctvimnord" #5: starting keying attempt 4 of an unlimited number
09:39:47 pluto[5794] "ctvimnord" #6: initiating Main Mode to replace #5
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:52:57 pluto[5794] "ctvimnord" #6: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:52:57 pluto[5794] "ctvimnord" #6: starting keying attempt 5 of an unlimited number
09:52:57 pluto[5794] "ctvimnord" #7: initiating Main Mode to replace #6
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:56:34 pluto[5794] "ctvimnord" #8: initiating Main Mode to replace #2
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
Aucune amélioration, la connexion s'établit pour 5 à 8 heures et tombe
log de ipsec :
09:00:14 ipsec_setup Stopping Openswan IPsec...
09:00:14 pluto[10645] shutting down
09:00:14 pluto[10645] forgetting secrets
09:00:14 pluto[10645] "ctvimnord": deleting connection
09:00:14 pluto[10645] "ctvimnord" #77: deleting state (STATE_MAIN_I1)
09:00:14 pluto[10645] shutting down interface ipsec0/eth2 192.168.30.10
09:00:14 pluto[10645] shutting down interface ipsec0/eth2 192.168.30.10
09:00:15 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
09:00:15 ipsec_setup ipsec: Device or resource busy
09:00:15 ipsec_setup ...Openswan IPsec stopped
09:00:16 ipsec_setup Starting Openswan IPsec 1.0.10...
09:00:16 ipsec_setup KLIPS debug `none'
09:00:16 ipsec_setup KLIPS ipsec0 on eth2 192.168.30.10/255.255.255.0 broadcast 192.168.30.255
09:00:16 ipsec__plutorun Starting Pluto subsystem...
09:00:16 pluto[5794] Starting Pluto (Openswan Version 1.0.10)
09:00:16 pluto[5794] including X.509 patch with traffic selectors (Version 0.9.42)
09:00:16 pluto[5794] including NAT-Traversal patch (Version 0.6)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
09:00:16 pluto[5794] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
09:00:16 pluto[5794] Changing to directory '/etc/ipsec.d/cacerts'
09:00:16 ipsec_setup ...Openswan IPsec started
09:00:16 pluto[5794] loaded cacert file 'ctvimnordcert.pem' (1294 bytes)
09:00:16 pluto[5794] loaded cacert file 'cacert.pem' (1285 bytes)
09:00:16 pluto[5794] Changing to directory '/etc/ipsec.d/crls'
09:00:16 pluto[5794] loaded crl file 'cacrl.pem' (568 bytes)
09:00:16 pluto[5794] OpenPGP certificate file '/etc/pgpcert.pgp' not found
09:00:16 vpn-watch 'ctvimnord': start watching 88.162.xxx.xxx
09:00:16 pluto[5794] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
09:00:16 pluto[5794] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
09:00:16 pluto[5794] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1172 bytes)
09:00:16 pluto[5794] loaded host cert file '/var/ipcop/certs/ctvimnordcert.pem' (1180 bytes)
09:00:16 pluto[5794] added connection description "ctvimnord"
09:00:16 pluto[5794] listening for IKE messages
09:00:16 pluto[5794] adding interface ipsec0/eth2 192.168.30.10
09:00:16 pluto[5794] adding interface ipsec0/eth2 192.168.30.10:4500
09:00:16 pluto[5794] loading secrets from "/etc/ipsec.secrets"
09:00:16 pluto[5794] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
09:00:17 pluto[5794] "ctvimnord" #1: initiating Main Mode
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:00:29 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: received Vendor ID payload [RFC 3947]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:01:04 pluto[5794] packet from 88.162.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
09:01:04 pluto[5794] "ctvimnord" #2: responding to Main Mode
09:01:04 pluto[5794] "ctvimnord" #2: transition from state (null) to state STATE_MAIN_R1
09:01:04 pluto[5794] "ctvimnord" #2: NAT-Traversal: Result using RFC 3947: both are NATed
09:01:04 pluto[5794] "ctvimnord" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
09:01:04 pluto[5794] "ctvimnord" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, O=ctvimnord, CN=serveur-ca95.dyndns.info'
09:01:04 pluto[5794] "ctvimnord" #2: Issuer CRL not found
09:01:04 pluto[5794] "ctvimnord" #2: Issuer CRL not found
09:01:04 pluto[5794] "ctvimnord" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
09:01:04 pluto[5794] | NAT-T: new mapping 88.162.xxx.xxx:500/4500)
09:01:04 pluto[5794] "ctvimnord" #2: sent MR3, ISAKMP SA established
09:01:04 pluto[5794] "ctvimnord" #3: responding to Quick Mode
09:01:04 pluto[5794] "ctvimnord" #3: transition from state (null) to state STATE_QUICK_R1
09:01:04 pluto[5794] "ctvimnord" #3: Dead Peer Detection (RFC3706) enabled
09:01:04 pluto[5794] "ctvimnord" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
09:01:04 pluto[5794] "ctvimnord" #3: IPsec SA established
09:13:27 pluto[5794] "ctvimnord" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:13:27 pluto[5794] "ctvimnord" #1: starting keying attempt 2 of an unlimited number, but releasing whack
09:13:27 pluto[5794] "ctvimnord" #4: initiating Main Mode to replace #1
09:13:27 ipsec__plutorun 104 "ctvimnord" #1: STATE_MAIN_I1: initiate
09:13:27 ipsec__plutorun 010 "ctvimnord" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
09:13:27 ipsec__plutorun 010 "ctvimnord" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
09:13:27 ipsec__plutorun 031 "ctvimnord" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:13:27 ipsec__plutorun 000 "ctvimnord" #1: starting keying attempt 2 of an unlimited number, but releasing whack
09:13:27 ipsec__plutorun ...could not start conn "ctvimnord"
09:26:37 pluto[5794] "ctvimnord" #4: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:26:37 pluto[5794] "ctvimnord" #4: starting keying attempt 3 of an unlimited number
09:26:37 pluto[5794] "ctvimnord" #5: initiating Main Mode to replace #4
09:39:47 pluto[5794] "ctvimnord" #5: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:39:47 pluto[5794] "ctvimnord" #5: starting keying attempt 4 of an unlimited number
09:39:47 pluto[5794] "ctvimnord" #6: initiating Main Mode to replace #5
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:49:02 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:49:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:49:32 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:50:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:50:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:51:32 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:52:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:52:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:52:57 pluto[5794] "ctvimnord" #6: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
09:52:57 pluto[5794] "ctvimnord" #6: starting keying attempt 5 of an unlimited number
09:52:57 pluto[5794] "ctvimnord" #7: initiating Main Mode to replace #6
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:53:32 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:54:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:54:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:55:31 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:56:12 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:56:34 pluto[5794] "ctvimnord" #8: initiating Main Mode to replace #2
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
09:56:52 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [RFC 3947]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:57:32 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
- Yull
- Second Maître
- Messages: 42
- Inscrit le: 31 Août 2006 00:27
par Franck78 » 24 Sep 2008 20:36
Yull a écrit:Alors j'ai transféré en plus les ports TCP 1723 et UDP 1701
Ma foi, pourquoi pas. Au fait, quel rapport avec IPsec......
Yull a écrit:
Aucune amélioration, la connexion s'établit pour 5 à 8 heures et tombe
c'est ballot ça. D'un autre coté, comme rien n'a changé pour le traitement IPSec, ca n'étonne que toi
-
Franck78 - Amiral
- Messages: 5625
- Inscrit le: 20 Fév 2004 01:00
- Localisation: Paris
par Dorian Gray » 25 Sep 2008 09:34
As tu bien regardé si les protocole d'identifications était symétriques interfaces de configurations?
Vérifie bien les paramètres avancés notement au niveau cochage
des cases IKE+ESP et compression du payload.
On dirait que soit ta freebox soit ta cbox n'est pas configuré en mode transparent. Les VPN sont stables généralement quand l'ipcop reçoit l'adresse ip externe de tes connexion.
En ce qui concerne les freebox c'est simple ça se gère dans l'interface, pour la cbox a toi de chercher.
Bon courage[/b]
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: received Vendor ID payload [Dead Peer Detection]
Vérifie bien les paramètres avancés notement au niveau cochage
des cases IKE+ESP et compression du payload.
09:00:39 pluto[5794] packet from 88.162.xxx.xxx:4500: initial Main Mode message received on 192.168.30.10:4500 but no connection has been authorized with policy=RSASIG
On dirait que soit ta freebox soit ta cbox n'est pas configuré en mode transparent. Les VPN sont stables généralement quand l'ipcop reçoit l'adresse ip externe de tes connexion.
En ce qui concerne les freebox c'est simple ça se gère dans l'interface, pour la cbox a toi de chercher.
Bon courage[/b]
- Dorian Gray
- Quartier Maître
- Messages: 13
- Inscrit le: 21 Mai 2008 14:14
par Franck78 » 25 Sep 2008 22:02
J'adore l'humour en général, mais là ca me laisse froid, donc si vous avez une solution, ce serait cool de la donner, et pas de m'envoyer des liens avec des dizaines de pages à lire qui ne me font pas avancer
1)mais il ne tient qu'a toi d'expliquer ta démarche. Elle apparait totalement inutile en regard du problème posé.
2)on pose une solution quand on a diagnostiqué correctement. Un extrait de log ne suffira jamais avec IPSec.
5 à 8 heures: bien trop vague comme info. 8 heures, c'est la durée de vie de clé encryptant ESP. Cela ce règle dans IPCop. Suffisant pour affirmer clairement que c'est ou non ce délai.
Le message " but no connection has been authorized with policy" fait clairement référence à tout un domaine d'erreurs possibles qui met en jeu la source et la destination du vpn.
En général, une IP à changé et cela est passé inaperçu pour IPSEC. D'ou l'utilité de vpn-watch dont je ne vois trace dans le log.
FYI:toutes les associations sont écrites dans le fichiers "etc/ipsec.secrets" . Regarde le quand ça 'marche' et quand ça marche plus....et cherche un peu.
-
Franck78 - Amiral
- Messages: 5625
- Inscrit le: 20 Fév 2004 01:00
- Localisation: Paris
par Yull » 08 Oct 2008 19:44
Bonjour
Je m'y remets
Alors pour recadrer : mes modems sont en routeur
Lorsque je redémarre le vpn je dois le faire en même temps de chaque coté à quelques secondes près
Le vpn tombe au bout de 8 heures
Et pour le fichier "etc/ipsec.secrets" que ça marche ou pas :
: RSA /var/ipcop/certs/hostkey.pem
Et pour le "cherche un peu", je n'y connais pas grand chose en linux, mais j'utilise un serveur smeserver, trixbox et ipcop depuis 2 ans, j'y ai passé de nombreuses heures (a mon avis quelques centaines), j'ai même envoyé un fichier de correction (traduction en fr) d'un addon d'ipcop. Lorsque j’écris sur les forums, c'est que je ne trouve pas par moi même, ou lorsque je peu aider quelqu'un (ce qui est assez rare vu mon niveau)
Cordialement
Je m'y remets
Alors pour recadrer : mes modems sont en routeur
Lorsque je redémarre le vpn je dois le faire en même temps de chaque coté à quelques secondes près
Le vpn tombe au bout de 8 heures
Et pour le fichier "etc/ipsec.secrets" que ça marche ou pas :
: RSA /var/ipcop/certs/hostkey.pem
Et pour le "cherche un peu", je n'y connais pas grand chose en linux, mais j'utilise un serveur smeserver, trixbox et ipcop depuis 2 ans, j'y ai passé de nombreuses heures (a mon avis quelques centaines), j'ai même envoyé un fichier de correction (traduction en fr) d'un addon d'ipcop. Lorsque j’écris sur les forums, c'est que je ne trouve pas par moi même, ou lorsque je peu aider quelqu'un (ce qui est assez rare vu mon niveau)
Cordialement
- Yull
- Second Maître
- Messages: 42
- Inscrit le: 31 Août 2006 00:27
par ccnet » 08 Oct 2008 20:34
je n'y connais pas grand chose en linux
Je lis très souvent cette phrase, ou quelque qui signifie la même chose, dès lors qu'il est question de protocoles, de sécurité, de technologies TCP/IP. Le problème n'est pas vos connaissances Linux mais bien celle des protocoles et des technologies TCPIP. Ipsec n'est pas spécifiquement une question Linux. Pas plus que SSL ou PPTP.
- ccnet
- Amiral
- Messages: 2687
- Inscrit le: 27 Mai 2006 12:09
- Localisation: Paris
par Yull » 10 Oct 2008 23:43
Coté cbox changeante - coté freebox fixe
l'ip de la cbox ne change que lors des déco, cad quelques fois par mois
Je ne sais pas ou on réduit le délai de négociation ESP
Je crois que je vais m'orienter vers une des 2 solutions (plutôt bricolage) :
1) un prog vb6 qui tourne sur 2 machines (une sur chaque réseau) qui redémarre le VPN toute les 8 heures ou si il y a une déco
2) ZERINA avec la fonction net2net en béta, mais je ne suis pas très chaud, car si je pers le roadwarior là je suis mal...
l'ip de la cbox ne change que lors des déco, cad quelques fois par mois
Je ne sais pas ou on réduit le délai de négociation ESP
Je crois que je vais m'orienter vers une des 2 solutions (plutôt bricolage) :
1) un prog vb6 qui tourne sur 2 machines (une sur chaque réseau) qui redémarre le VPN toute les 8 heures ou si il y a une déco
2) ZERINA avec la fonction net2net en béta, mais je ne suis pas très chaud, car si je pers le roadwarior là je suis mal...
- Yull
- Second Maître
- Messages: 42
- Inscrit le: 31 Août 2006 00:27
19 messages
• Page 1 sur 2 • 1, 2
Qui est en ligne ?
Utilisateur(s) parcourant actuellement ce forum : Google [Bot] et 1 invité