Freeswan + Windows XP client

Forum on network security, firewall configuration, setting up protections against attacks, DMZs, intrusion-detection systems ...

Moderator: modos Ixus

Post by mekano » 14 Nov 2003 19:15

OK, here is my problem. I have a Linux server on which I installed freeswan and a client workstation running Windows that connects to my Linux gateway from outside the network. I use certificates for authentication.

On the Linux side, starting IPsec does not seem to cause any problem. Here is the server-side config:

#### IPSEC.CONF ###
# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn distante
    right=%any
    #rightnexthop=192.168.0.2
    left=%defaultroute
    leftsubnet=192.168.0.0/24
    leftcert=router.pem
    auto=add
    pfs=yes

#### IPSEC.SECRETS ###

: RSA router.key "ab234s"

#### Roadwarrior client configuration ###

IPSEC.CONF file

conn distante
    left=%any
    right=64.228.217.20    # public address of my gateway (ppp0)
    rightca="C=CA, ST=Quebec, L=Sherbrooke, O=DmInnovatech CN=innovatek Email=dany.fortier@sympatico.ca
    network=auto
    auto=start
    pfs=yes

I created and installed the certificates on both the server side and the client side, which did not show me any errors. My certificate authority is properly installed in the Trusted Root Certification Authorities folder of my Windows machine, and the certificate for the client workstation is also present on Windows.

On the client workstation I establish the connection by entering the ipsec command. Everything goes normally. I looked at the file c:/windows/debug/oakley.txt and here is its contents:

11-14: 11:28:28:62:780 constructing ISAKMP Header
11-14: 11:28:28:62:780 constructing HASH (null)
11-14: 11:28:28:62:780 constructing DELETE. MM 0011A2A8
11-14: 11:28:28:62:780 constructing HASH (Notify/Delete)
11-14: 11:28:28:62:780
11-14: 11:28:28:62:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 1
11-14: 11:28:28:62:780 ISAKMP Header: (V1.0), len = 84
11-14: 11:28:28:62:780 I-COOKIE 5a1f2737aff8cdbb
11-14: 11:28:28:62:780 R-COOKIE 4aec10fafc254c4b
11-14: 11:28:28:62:780 exchange: ISAKMP Informational Exchange
11-14: 11:28:28:62:780 flags: 1 ( encrypted )
11-14: 11:28:28:62:780 next payload: HASH
11-14: 11:28:28:62:780 message ID: 6a6594ba
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: 082732c5-306a-465c-9d56ab0a6138caf9 4
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: 017bd960-b990-4a48-a518ea3987f8b2c5 4
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: 3bc37bfd-55e7-4d4b-b5b2d4ba44f4def2 3
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: c4a8adc2-5a2c-4e93-8af97c7daf8bcbd8 3
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: c6fa88d3-1bc3-4a35-9c6ac054da1a3282 1
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: b71ea390-10f1-4fb5-aa1f8003dbdc17fa 2
11-14: 11:33:48:312:468 isadb_schedule_kill_oldPolicy_sas: 2add04e8-798a-4b94-bc0c090dd2dc2bf7 2
11-14: 11:33:48:312:128 entered kill_old_policy_sas
11-14: 11:33:48:312:128 entered kill_old_policy_sas
11-14: 11:33:48:312:128 entered kill_old_policy_sas
11-14: 11:33:48:312:128 entered kill_old_policy_sas
11-14: 11:33:48:312:780 entered kill_old_policy_sas
11-14: 11:33:48:312:128 entered kill_old_policy_sas
11-14: 11:33:48:312:780 entered kill_old_policy_sas
11-14: 11:34:09:984:4c4 Acquire from driver: op=82247598 src=206.172.253.48.0 dst=64.228.217.20.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=64.228.217.20 Inbound TunnelEndpt=206.172.253.48
11-14: 11:34:09:984:780 Filter to match: Src 64.228.217.20 Dst 206.172.253.48
11-14: 11:34:09:984:780 MM PolicyName: 16
11-14: 11:34:09:984:780 MMPolicy dwFlags 2 SoftSAExpireTime 28800
11-14: 11:34:09:984:780 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
11-14: 11:34:09:984:780 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
11-14: 11:34:09:984:780 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
11-14: 11:34:09:984:780 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
11-14: 11:34:09:984:780 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
11-14: 11:34:09:984:780 MMOffer[2] Encrypt: DES CBC Hash: SHA
11-14: 11:34:09:984:780 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
11-14: 11:34:09:984:780 MMOffer[3] Encrypt: DES CBC Hash: MD5
11-14: 11:34:09:984:780 Auth[0]:RSA Sig C=CA, S=Quebec, L=Sherbrooke, O="DmInnovatech CN=innovatek Email=dany.fortier@sympatico.ca"
11-14: 11:34:09:984:780 QM PolicyName: Host-distante filter action dwFlags 1
11-14: 11:34:09:984:780 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
11-14: 11:34:09:984:780 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
11-14: 11:34:09:984:780 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-14: 11:34:09:984:780 Starting Negotiation: src = 206.172.253.48.0000, dst = 64.228.217.20.0500, proto = 00, context = 82247598, ProxySrc = 206.172.253.48.0000, ProxyDst = 64.228.217.20.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.255
11-14: 11:34:09:984:780 constructing ISAKMP Header
11-14: 11:34:09:984:780 constructing SA (ISAKMP)
11-14: 11:34:09:984:780 Constructing Vendor
11-14: 11:34:09:984:780
11-14: 11:34:09:984:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 11:34:09:984:780 ISAKMP Header: (V1.0), len = 216
11-14: 11:34:09:984:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:09:984:780 R-COOKIE 0000000000000000
11-14: 11:34:09:984:780 exchange: Oakley Main Mode
11-14: 11:34:09:984:780 flags: 0
11-14: 11:34:09:984:780 next payload: SA
11-14: 11:34:09:984:780 message ID: 00000000
11-14: 11:34:10:281:780
11-14: 11:34:10:281:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 11:34:10:281:780 ISAKMP Header: (V1.0), len = 84
11-14: 11:34:10:281:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:10:281:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:34:10:281:780 exchange: Oakley Main Mode
11-14: 11:34:10:281:780 flags: 0
11-14: 11:34:10:281:780 next payload: SA
11-14: 11:34:10:281:780 message ID: 00000000
11-14: 11:34:10:281:780 processing payload SA
11-14: 11:34:10:281:780 Received Phase 1 Transform 1
11-14: 11:34:10:281:780 Encryption Alg Triple DES CBC(5)
11-14: 11:34:10:281:780 Hash Alg SHA(2)
11-14: 11:34:10:281:780 Oakley Group 2
11-14: 11:34:10:281:780 Auth Method RSA signature with certificates(3)
11-14: 11:34:10:281:780 Life type in Seconds
11-14: 11:34:10:281:780 Life duration of 28800
11-14: 11:34:10:281:780 Phase 1 SA accepted: transform=1
11-14: 11:34:10:281:780 SA - Oakley proposal accepted
11-14: 11:34:10:281:780 constructing ISAKMP Header
11-14: 11:34:10:312:780 constructing KE
11-14: 11:34:10:312:780 constructing NONCE (ISAKMP)
11-14: 11:34:10:312:780
11-14: 11:34:10:312:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 11:34:10:312:780 ISAKMP Header: (V1.0), len = 184
11-14: 11:34:10:312:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:10:312:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:34:10:312:780 exchange: Oakley Main Mode
11-14: 11:34:10:312:780 flags: 0
11-14: 11:34:10:312:780 next payload: KE
11-14: 11:34:10:312:780 message ID: 00000000
11-14: 11:34:10:734:780
11-14: 11:34:10:734:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 11:34:10:734:780 ISAKMP Header: (V1.0), len = 188
11-14: 11:34:10:734:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:10:734:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:34:10:734:780 exchange: Oakley Main Mode
11-14: 11:34:10:734:780 flags: 0
11-14: 11:34:10:734:780 next payload: KE
11-14: 11:34:10:734:780 message ID: 00000000
11-14: 11:34:10:734:780 processing payload KE
11-14: 11:34:10:750:780 processing payload NONCE
11-14: 11:34:10:750:780 processing payload CRP
11-14: 11:34:10:750:780 constructing ISAKMP Header
11-14: 11:34:10:750:780 constructing ID
11-14: 11:34:10:750:780 Received no valid CRPs. Using all configured
11-14: 11:34:10:750:780 Looking for IPSec only cert
11-14: 11:34:10:750:780 failed to get chain 80092004
11-14: 11:34:10:750:780 Received no valid CRPs. Using all configured
11-14: 11:34:10:750:780 Looking for any cert
11-14: 11:34:10:750:780 failed to get chain 80092004
11-14: 11:34:10:750:780 ProcessFailure: sa:0011A2A8 centry:00000000 status:35ee
11-14: 11:34:10:750:780 isadb_set_status sa:0011A2A8 centry:00000000 status 35ee
11-14: 11:34:10:750:780 Key exchange mode (Main Mode)

11-14: 11:34:10:750:780 Source IP address 206.172.253.48

Source IP address mask 255.255.255.255

Destination IP address 64.228.217.20

Destination IP address mask 255.255.255.255

Protocol 0

Source port 0

Destination port 0

IKE local address

IKE peer address

11-14: 11:34:10:750:780 Certificate-based identity.

Peer IP address: 64.228.217.20

11-14: 11:34:10:750:780 Me

11-14: 11:34:10:750:780 IKE found no valid machine certificate

11-14: 11:34:10:750:780 0x80092004 0x0
11-14: 11:34:10:750:780 ProcessFailure: sa:0011A2A8 centry:00000000 status:35ee
11-14: 11:34:10:750:780 constructing ISAKMP Header
11-14: 11:34:10:750:780 constructing HASH (null)
11-14: 11:34:10:750:780 constructing NOTIFY 28
11-14: 11:34:10:750:780 constructing HASH (Notify/Delete)
11-14: 11:34:10:750:780
11-14: 11:34:10:750:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 1
11-14: 11:34:10:750:780 ISAKMP Header: (V1.0), len = 84
11-14: 11:34:10:750:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:10:750:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:34:10:750:780 exchange: ISAKMP Informational Exchange
11-14: 11:34:10:750:780 flags: 1 ( encrypted )
11-14: 11:34:10:750:780 next payload: HASH
11-14: 11:34:10:750:780 message ID: 95746d5d
11-14: 11:34:20:984:780
11-14: 11:34:20:984:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 11:34:20:984:780 ISAKMP Header: (V1.0), len = 188
11-14: 11:34:20:984:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:20:984:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:34:20:984:780 exchange: Oakley Main Mode
11-14: 11:34:20:984:780 flags: 0
11-14: 11:34:20:984:780 next payload: KE
11-14: 11:34:20:984:780 message ID: 00000000
11-14: 11:34:20:984:780 received an unencrypted packet when crypto active
11-14: 11:34:20:984:780 GetPacket failed 35ec
11-14: 11:34:40:984:780
11-14: 11:34:40:984:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 11:34:40:984:780 ISAKMP Header: (V1.0), len = 188
11-14: 11:34:40:984:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:40:984:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:34:40:984:780 exchange: Oakley Main Mode
11-14: 11:34:40:984:780 flags: 0
11-14: 11:34:40:984:780 next payload: KE
11-14: 11:34:40:984:780 message ID: 00000000
11-14: 11:34:40:984:780 received an unencrypted packet when crypto active
11-14: 11:34:40:984:780 GetPacket failed 35ec
11-14: 11:35:58:62:780 SA Dead. sa:0011A2A8 status:35f0
11-14: 11:35:58:62:780 constructing ISAKMP Header
11-14: 11:35:58:62:780 constructing HASH (null)
11-14: 11:35:58:62:780 constructing DELETE. MM 0011A2A8
11-14: 11:35:58:62:780 constructing HASH (Notify/Delete)
11-14: 11:35:58:62:780
11-14: 11:35:58:62:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 1
11-14: 11:35:58:62:780 ISAKMP Header: (V1.0), len = 84
11-14: 11:35:58:62:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:35:58:62:780 R-COOKIE 57235ac0f2a59e4f
11-14: 11:35:58:62:780 exchange: ISAKMP Informational Exchange
11-14: 11:35:58:62:780 flags: 1 ( encrypted )
11-14: 11:35:58:62:780 next payload: HASH
11-14: 11:35:58:62:780 message ID: a9ed2acc

You can clearly see that the two machines are talking to each other. What I don't understand is this line: 11-14: 11:34:10:750:780 IKE found no valid machine certificate. That must be why it doesn't work... but how do I fix this problem?? Anyone have an idea???
mekano (Matelot; 9 posts; joined 29 Sep 2003)

Post by mekano » 14 Nov 2003 23:22

I regenerated and reinstalled my certificate on my Windows machine and I no longer get the error saying it can't find a valid certificate. I start the connection on the Windows machine and launch pings to a machine on the remote network --> no response. I then ping the public address of my machine that has freeswan installed and I get messages saying "negotiating ip security". I let it run like that for a good while, but nothing happens afterwards. Here is what my oakley.txt log file on Windows now looks like.

11-14: 16:09:12:703:8cc Receive: (get) SA = 0x000be890 from 64.228.217.20
11-14: 16:09:12:703:8cc ISAKMP Header: (V1.0), len = 84
11-14: 16:09:12:703:8cc I-COOKIE 97bf71c8a0064960
11-14: 16:09:12:703:8cc R-COOKIE 71486174e301bd6b
11-14: 16:09:12:703:8cc exchange: ISAKMP Informational Exchange
11-14: 16:09:12:703:8cc flags: 1 ( encrypted )
11-14: 16:09:12:703:8cc next payload: HASH
11-14: 16:09:12:703:8cc message ID: 1993ff4f
11-14: 16:09:12:703:8cc processing HASH (Notify/Delete)
11-14: 16:09:12:703:8cc processing payload DELETE
11-14: 16:09:12:718:8cc
11-14: 16:09:12:718:8cc Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:09:12:718:8cc ISAKMP Header: (V1.0), len = 84
11-14: 16:09:12:718:8cc I-COOKIE 21610e67cf569fb9
11-14: 16:09:12:718:8cc R-COOKIE 7a89a5182bc99124
11-14: 16:09:12:718:8cc exchange: ISAKMP Informational Exchange
11-14: 16:09:12:718:8cc flags: 1 ( encrypted )
11-14: 16:09:12:718:8cc next payload: HASH
11-14: 16:09:12:718:8cc message ID: f2e304e8
11-14: 16:09:12:718:8cc processing HASH (Notify/Delete)
11-14: 16:09:12:718:8cc processing payload DELETE
11-14: 16:10:53:640:4c4 Acquire from driver: op=81DB56D8 src=216.209.130.95.0 dst=64.228.217.20.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=64.228.217.20 Inbound TunnelEndpt=216.209.130.95
11-14: 16:10:53:640:780 Filter to match: Src 64.228.217.20 Dst 216.209.130.95
11-14: 16:10:53:640:780 MM PolicyName: 19
11-14: 16:10:53:640:780 MMPolicy dwFlags 2 SoftSAExpireTime 28800
11-14: 16:10:53:640:780 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
11-14: 16:10:53:640:780 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
11-14: 16:10:53:640:780 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
11-14: 16:10:53:640:780 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
11-14: 16:10:53:640:780 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
11-14: 16:10:53:640:780 MMOffer[2] Encrypt: DES CBC Hash: SHA
11-14: 16:10:53:640:780 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
11-14: 16:10:53:640:780 MMOffer[3] Encrypt: DES CBC Hash: MD5
11-14: 16:10:53:640:780 Auth[0]:RSA Sig C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Router, E=dany.fortier@sympatico.ca
11-14: 16:10:53:640:780 QM PolicyName: Host-distante filter action dwFlags 1
11-14: 16:10:53:640:780 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
11-14: 16:10:53:640:780 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
11-14: 16:10:53:640:780 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-14: 16:10:53:640:780 Starting Negotiation: src = 216.209.130.95.0000, dst = 64.228.217.20.0500, proto = 00, context = 81DB56D8, ProxySrc = 216.209.130.95.0000, ProxyDst = 64.228.217.20.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.255
11-14: 16:10:53:640:780 constructing ISAKMP Header
11-14: 16:10:53:640:780 constructing SA (ISAKMP)
11-14: 16:10:53:640:780 Constructing Vendor
11-14: 16:10:53:640:780
11-14: 16:10:53:640:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:53:640:780 ISAKMP Header: (V1.0), len = 216
11-14: 16:10:53:640:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:53:640:780 R-COOKIE 0000000000000000
11-14: 16:10:53:640:780 exchange: Oakley Main Mode
11-14: 16:10:53:640:780 flags: 0
11-14: 16:10:53:640:780 next payload: SA
11-14: 16:10:53:640:780 message ID: 00000000
11-14: 16:10:53:875:780
11-14: 16:10:53:875:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:53:875:780 ISAKMP Header: (V1.0), len = 84
11-14: 16:10:53:875:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:53:875:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:53:875:780 exchange: Oakley Main Mode
11-14: 16:10:53:875:780 flags: 0
11-14: 16:10:53:875:780 next payload: SA
11-14: 16:10:53:875:780 message ID: 00000000
11-14: 16:10:53:875:780 processing payload SA
11-14: 16:10:53:875:780 Received Phase 1 Transform 1
11-14: 16:10:53:875:780 Encryption Alg Triple DES CBC(5)
11-14: 16:10:53:875:780 Hash Alg SHA(2)
11-14: 16:10:53:875:780 Oakley Group 2
11-14: 16:10:53:875:780 Auth Method RSA signature with certificates(3)
11-14: 16:10:53:875:780 Life type in Seconds
11-14: 16:10:53:875:780 Life duration of 28800
11-14: 16:10:53:875:780 Phase 1 SA accepted: transform=1
11-14: 16:10:53:875:780 SA - Oakley proposal accepted
11-14: 16:10:53:875:780 constructing ISAKMP Header
11-14: 16:10:53:906:780 constructing KE
11-14: 16:10:53:906:780 constructing NONCE (ISAKMP)
11-14: 16:10:53:906:780
11-14: 16:10:53:906:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:53:906:780 ISAKMP Header: (V1.0), len = 184
11-14: 16:10:53:906:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:53:906:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:53:906:780 exchange: Oakley Main Mode
11-14: 16:10:53:906:780 flags: 0
11-14: 16:10:53:906:780 next payload: KE
11-14: 16:10:53:906:780 message ID: 00000000
11-14: 16:10:54:328:780
11-14: 16:10:54:328:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:54:328:780 ISAKMP Header: (V1.0), len = 188
11-14: 16:10:54:328:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:54:328:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:54:328:780 exchange: Oakley Main Mode
11-14: 16:10:54:328:780 flags: 0
11-14: 16:10:54:328:780 next payload: KE
11-14: 16:10:54:328:780 message ID: 00000000
11-14: 16:10:54:328:780 processing payload KE
11-14: 16:10:54:343:780 processing payload NONCE
11-14: 16:10:54:343:780 processing payload CRP
11-14: 16:10:54:343:780 constructing ISAKMP Header
11-14: 16:10:54:343:780 constructing ID
11-14: 16:10:54:343:780 Received no valid CRPs. Using all configured
11-14: 16:10:54:343:780 Looking for IPSec only cert
11-14: 16:10:54:343:780 Cert Trustes. 0 100
11-14: 16:10:54:343:780 CertFindExtenstion failed with 0

11-14: 16:10:54:343:780 Entered CRL check
11-14: 16:10:54:343:780 Left CRL check
11-14: 16:10:54:343:780 Cert SHA Thumbprint f6ce2f9befaa58161378791be9093681
11-14: 16:10:54:343:780 f94e4c6e
11-14: 16:10:54:343:780 SubjectName: C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Dany, E=dany.fortier@sympatico.ca
11-14: 16:10:54:343:780 Cert Serialnumber 02
11-14: 16:10:54:343:780 Cert SHA Thumbprint f6ce2f9befaa58161378791be9093681
11-14: 16:10:54:343:780 f94e4c6e
11-14: 16:10:54:343:780 SubjectName: C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Router, E=dany.fortier@sympatico.ca
11-14: 16:10:54:343:780 Cert Serialnumber 00
11-14: 16:10:54:343:780 Cert SHA Thumbprint 58c0aa1d44a0a76ccf6a57507d3c008c
11-14: 16:10:54:343:780 1d55b0c6
11-14: 16:10:54:343:780 constructing CERT
11-14: 16:10:54:343:780 Construct SIG
11-14: 16:10:54:375:780 Constructing Cert Request
11-14: 16:10:54:375:780 C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Router, E=dany.fortier@sympatico.ca
11-14: 16:10:54:375:780
11-14: 16:10:54:375:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:54:375:780 ISAKMP Header: (V1.0), len = 1756
11-14: 16:10:54:375:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:54:375:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:54:375:780 exchange: Oakley Main Mode
11-14: 16:10:54:375:780 flags: 1 ( encrypted )
11-14: 16:10:54:375:780 next payload: ID
11-14: 16:10:54:375:780 message ID: 00000000
11-14: 16:10:55:375:4cc retransmit: sa = 0011A2A8 centry 00000000 , count = 1
11-14: 16:10:55:375:4cc
11-14: 16:10:55:375:4cc Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:55:375:4cc ISAKMP Header: (V1.0), len = 1756
11-14: 16:10:55:375:4cc I-COOKIE a0abc08261101e9f
11-14: 16:10:55:375:4cc R-COOKIE 57c59456b9cb9075
11-14: 16:10:55:375:4cc exchange: Oakley Main Mode
11-14: 16:10:55:375:4cc flags: 1 ( encrypted )
11-14: 16:10:55:375:4cc next payload: ID
11-14: 16:10:55:375:4cc message ID: 00000000
11-14: 16:10:55:843:780
11-14: 16:10:55:843:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:55:843:780 ISAKMP Header: (V1.0), len = 1620
11-14: 16:10:55:843:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:55:843:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:55:843:780 exchange: Oakley Main Mode
11-14: 16:10:55:843:780 flags: 1 ( encrypted )
11-14: 16:10:55:843:780 next payload: ID
11-14: 16:10:55:843:780 message ID: 00000000
11-14: 16:10:55:843:780 processing payload ID
11-14: 16:10:55:843:780 processing payload CERT
11-14: 16:10:55:843:780 processing payload SIG
11-14: 16:10:55:843:780 Verifying CertStore
11-14: 16:10:55:843:780 SubjectName: C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Router, E=dany.fortier@sympatico.ca
11-14: 16:10:55:843:780 Cert Serialnumber 01
11-14: 16:10:55:843:780 Cert SHA Thumbprint e7ebb075adbaa3f92535206bd5bde894
11-14: 16:10:55:843:780 f042930c
11-14: 16:10:55:843:780 Cert Trustes. 0 100
11-14: 16:10:55:843:780 SubjectName: C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Router, E=dany.fortier@sympatico.ca
11-14: 16:10:55:843:780 Cert Serialnumber 01
11-14: 16:10:55:843:780 Cert SHA Thumbprint e7ebb075adbaa3f92535206bd5bde894
11-14: 16:10:55:843:780 f042930c
11-14: 16:10:55:843:780 SubjectName: C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech, CN=Router, E=dany.fortier@sympatico.ca
11-14: 16:10:55:843:780 Cert Serialnumber 00
11-14: 16:10:55:843:780 Cert SHA Thumbprint 58c0aa1d44a0a76ccf6a57507d3c008c
11-14: 16:10:55:843:780 1d55b0c6
11-14: 16:10:55:843:780 Cert SHA Thumbprint e7ebb075adbaa3f92535206bd5bde894
11-14: 16:10:55:843:780 f042930c
11-14: 16:10:55:843:780 Entered CRL check
11-14: 16:10:55:843:780 Left CRL check
11-14: 16:10:55:843:780 CertFindExtenstion failed with 0

11-14: 16:10:55:843:780 Signature validated

11-14: 16:10:55:843:780 MM established. SA: 0011A2A8
11-14: 16:10:55:843:780 GetSpi: src = 64.228.217.20.0000, dst = 216.209.130.95.0000, proto = 00, context = 81DB56D8, srcMask = 255.255.255.255, destMask = 255.255.255.255, TunnelFilter 1
11-14: 16:10:55:843:780 Setting SPI 4049426892
11-14: 16:10:55:843:780 constructing ISAKMP Header
11-14: 16:10:55:843:780 constructing HASH (null)
11-14: 16:10:55:843:780 constructing SA (IPSEC)
11-14: 16:10:55:843:780 Sending Tunnelling Attribute
11-14: 16:10:55:843:780 constructing QM KE
11-14: 16:10:55:875:780 constructing NONCE (IPSEC)
11-14: 16:10:55:875:780 constructing ID (proxy)
11-14: 16:10:55:875:780 constructing ID (proxy)
11-14: 16:10:55:875:780 constructing HASH (QM)
11-14: 16:10:55:875:780
11-14: 16:10:55:875:780 Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:55:875:780 ISAKMP Header: (V1.0), len = 300
11-14: 16:10:55:875:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:55:875:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:55:875:780 exchange: Oakley Quick Mode
11-14: 16:10:55:875:780 flags: 1 ( encrypted )
11-14: 16:10:55:875:780 next payload: HASH
11-14: 16:10:55:875:780 message ID: ca8c68e5
11-14: 16:10:56:640:780
11-14: 16:10:56:640:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:56:640:780 ISAKMP Header: (V1.0), len = 1620
11-14: 16:10:56:640:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:56:640:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:56:640:780 exchange: Oakley Main Mode
11-14: 16:10:56:640:780 flags: 1 ( encrypted )
11-14: 16:10:56:640:780 next payload: ID
11-14: 16:10:56:640:780 message ID: 00000000
11-14: 16:10:56:640:780 invalid payload received
11-14: 16:10:56:640:780 GetPacket failed 3613
11-14: 16:10:56:656:780
11-14: 16:10:56:656:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:56:656:780 ISAKMP Header: (V1.0), len = 68
11-14: 16:10:56:656:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:56:656:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:56:656:780 exchange: ISAKMP Informational Exchange
11-14: 16:10:56:656:780 flags: 1 ( encrypted )
11-14: 16:10:56:656:780 next payload: HASH
11-14: 16:10:56:656:780 message ID: cd53bbfe
11-14: 16:10:56:656:780 processing HASH (Notify/Delete)
11-14: 16:10:56:656:780 processing payload NOTIFY
11-14: 16:10:56:656:780 notify: INVALID-ID-INFORMATION
11-14: 16:10:56:656:780 isadb_set_status sa:0011A2A8 centry:00000000 status 3601
11-14: 16:10:56:875:4cc retransmit: sa = 0011A2A8 centry 000C3870 , count = 1
11-14: 16:10:56:875:4cc
11-14: 16:10:56:875:4cc Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:56:875:4cc ISAKMP Header: (V1.0), len = 300
11-14: 16:10:56:875:4cc I-COOKIE a0abc08261101e9f
11-14: 16:10:56:875:4cc R-COOKIE 57c59456b9cb9075
11-14: 16:10:56:875:4cc exchange: Oakley Quick Mode
11-14: 16:10:56:875:4cc flags: 1 ( encrypted )
11-14: 16:10:56:875:4cc next payload: HASH
11-14: 16:10:56:875:4cc message ID: ca8c68e5
11-14: 16:10:57:250:780
11-14: 16:10:57:250:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:57:250:780 ISAKMP Header: (V1.0), len = 68
11-14: 16:10:57:250:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:57:250:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:57:250:780 exchange: ISAKMP Informational Exchange
11-14: 16:10:57:250:780 flags: 1 ( encrypted )
11-14: 16:10:57:250:780 next payload: HASH
11-14: 16:10:57:250:780 message ID: acb68cff
11-14: 16:10:57:250:780 processing HASH (Notify/Delete)
11-14: 16:10:57:250:780 processing payload NOTIFY
11-14: 16:10:57:250:780 notify: INVALID-MESSAGE-ID
11-14: 16:10:57:250:780 Unknown Notify Message 9

11-14: 16:10:58:875:4cc retransmit: sa = 0011A2A8 centry 000C3870 , count = 2
11-14: 16:10:58:875:4cc
11-14: 16:10:58:875:4cc Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:10:58:875:4cc ISAKMP Header: (V1.0), len = 300
11-14: 16:10:58:875:4cc I-COOKIE a0abc08261101e9f
11-14: 16:10:58:875:4cc R-COOKIE 57c59456b9cb9075
11-14: 16:10:58:875:4cc exchange: Oakley Quick Mode
11-14: 16:10:58:875:4cc flags: 1 ( encrypted )
11-14: 16:10:58:875:4cc next payload: HASH
11-14: 16:10:58:875:4cc message ID: ca8c68e5
11-14: 16:10:59:281:780
11-14: 16:10:59:281:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:10:59:281:780 ISAKMP Header: (V1.0), len = 68
11-14: 16:10:59:281:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:59:281:780 R-COOKIE 57c59456b9cb9075
11-14: 16:10:59:281:780 exchange: ISAKMP Informational Exchange
11-14: 16:10:59:281:780 flags: 1 ( encrypted )
11-14: 16:10:59:281:780 next payload: HASH
11-14: 16:10:59:281:780 message ID: 6e691b47
11-14: 16:10:59:281:780 processing HASH (Notify/Delete)
11-14: 16:10:59:281:780 processing payload NOTIFY
11-14: 16:10:59:281:780 notify: INVALID-MESSAGE-ID
11-14: 16:10:59:281:780 Unknown Notify Message 9

11-14: 16:11:02:875:4cc retransmit: sa = 0011A2A8 centry 000C3870 , count = 3
11-14: 16:11:02:875:4cc
11-14: 16:11:02:875:4cc Sending: SA = 0x0011A2A8 to 64.228.217.20:Type 2
11-14: 16:11:02:875:4cc ISAKMP Header: (V1.0), len = 300
11-14: 16:11:02:875:4cc I-COOKIE a0abc08261101e9f
11-14: 16:11:02:875:4cc R-COOKIE 57c59456b9cb9075
11-14: 16:11:02:875:4cc exchange: Oakley Quick Mode
11-14: 16:11:02:875:4cc flags: 1 ( encrypted )
11-14: 16:11:02:875:4cc next payload: HASH
11-14: 16:11:02:875:4cc message ID: ca8c68e5
11-14: 16:11:03:109:780
11-14: 16:11:03:109:780 Receive: (get) SA = 0x0011a2a8 from 64.228.217.20
11-14: 16:11:03:109:780 ISAKMP Header: (V1.0), len = 68
11-14: 16:11:03:109:780 I-COOKIE a0abc08261101e9f
11-14: 16:11:03:109:780 R-COOKIE 57c59456b9cb9075
11-14: 16:11:03:109:780 exchange: ISAKMP Informational Exchange
11-14: 16:11:03:109:780 flags: 1 ( encrypted )
11-14: 16:11:03:109:780 next payload: HASH
11-14: 16:11:03:109:780 message ID: fbf7ed6a
11-14: 16:11:03:109:780 processing HASH (Notify/Delete)
11-14: 16:11:03:109:780 processing payload NOTIFY
11-14: 16:11:03:109:780 notify: INVALID-MESSAGE-ID
11-14: 16:11:03:109:780 Unknown Notify Message 9

I keep getting the same error messages coming back, namely:

processing payload NOTIFY
notify: INVALID-MESSAGE-ID

I don't know what to do any more.

Does anyone have an idea what the problem is??
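The two oakley.txt excerpts above end at two different points, and a small parser makes that visible without reading a few hundred lines by hand. What follows is an added example written for this page; it is not part of Windows, FreeS/WAN or any of the posts. It walks the Windows 2000/XP IKE debug log format (one line is "MM-DD: HH:MM:SS:ms:threadid message"), groups lines by initiator cookie, and reports for each negotiation whether Main Mode completed and what the peer answered in Quick Mode. The Negotiation class and all function names are this example's own; the sample lines are abridged from the two logs posted in this thread. Two facts it leans on: 0x80092004 is CryptoAPI's CRYPT_E_NOT_FOUND, which is what "failed to get chain" reports when no machine certificate chains to a root the machine trusts; and in FreeS/WAN, pluto answers a Quick Mode proposal with INVALID_ID_INFORMATION when no conn matches the proposed identities, so a /32-to-/32 proposal (client address to gateway address, as the "ProxySrc"/"ProxyDst" line shows) against a conn that only defines leftsubnet=192.168.0.0/24 is worth checking.

```python
"""Summarise IKE negotiations from a Windows 2000/XP oakley.txt debug log.
Added example for this thread; not Windows, FreeS/WAN or the poster's code.
The Negotiation class and function names are this example's own."""
import re
from dataclasses import dataclass, field

# oakley.txt line layout: "MM-DD: HH:MM:SS:ms:threadid message"
LINE_RE = re.compile(
    r"^\s*(\d{1,2}-\d{1,2}): (\d{1,2}:\d{2}:\d{2}:\d+):([0-9a-fA-F]+)\s?(.*)$")
COOKIE_RE = re.compile(r"^I-COOKIE ([0-9a-f]{16})$")
NOTIFY_RE = re.compile(r"^notify: ([A-Z0-9-]+)$")
# Quick Mode selectors (proxy IDs) as printed on the "Starting Negotiation" line.
PROXY_RE = re.compile(
    r"ProxySrc = (\d+\.\d+\.\d+\.\d+)\.\d+, ProxyDst = (\d+\.\d+\.\d+\.\d+)\.\d+ "
    r"SrcMask = (\d+\.\d+\.\d+\.\d+) DstMask = (\d+\.\d+\.\d+\.\d+)")

# CryptoAPI CRYPT_E_NOT_FOUND: logged by "failed to get chain" when no machine
# certificate chains to a root in the machine's trusted store.
CRYPT_E_NOT_FOUND = "80092004"
HOST_MASK = "255.255.255.255"


@dataclass
class Negotiation:
    """One ISAKMP SA attempt, keyed by initiator cookie."""
    cookie: str
    selectors: tuple = ()          # (src, dst, srcmask, dstmask) proposed in Quick Mode
    chain_failures: int = 0
    signature_ok: bool = False
    mm_established: bool = False
    quick_mode_sent: bool = False
    unencrypted_replies: int = 0   # peer kept resending Main Mode in the clear
    notifies: list = field(default_factory=list)

    def host_to_host(self) -> bool:
        """True when the client proposed a /32 address to a /32 address."""
        return bool(self.selectors) and self.selectors[2:] == (HOST_MASK, HOST_MASK)

    def phase1(self) -> str:
        if self.mm_established:
            return "established"
        if self.chain_failures:
            return "failed: no usable machine certificate (CryptoAPI 0x%s)" % CRYPT_E_NOT_FOUND
        return "incomplete"

    def phase2(self) -> str:
        if not self.quick_mode_sent:
            return "not attempted"
        if "INVALID-ID-INFORMATION" in self.notifies:
            return "rejected by peer: INVALID-ID-INFORMATION for selectors %s" % (self.selectors,)
        return "no answer"


def parse_oakley(text: str) -> dict:
    """Group oakley.txt lines into Negotiation records keyed by I-COOKIE."""
    negs, current, pending = {}, None, ()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(4).strip()
        if msg.startswith("Starting Negotiation"):
            pm = PROXY_RE.search(msg)
            pending = pm.groups() if pm else ()
            current = None             # the next I-COOKIE opens a fresh record
            continue
        cm = COOKIE_RE.match(msg)
        if cm:
            cookie = cm.group(1)
            if cookie not in negs:
                negs[cookie] = Negotiation(cookie, selectors=pending)
                pending = ()
            current = negs[cookie]
            continue
        if current is None:
            continue
        if msg == "failed to get chain " + CRYPT_E_NOT_FOUND:
            current.chain_failures += 1
        elif msg == "Signature validated":
            current.signature_ok = True
        elif msg.startswith("MM established"):
            current.mm_established = True
        elif msg == "exchange: Oakley Quick Mode":
            current.quick_mode_sent = True
        elif msg == "received an unencrypted packet when crypto active":
            current.unencrypted_replies += 1
        else:
            nm = NOTIFY_RE.match(msg)
            if nm:
                current.notifies.append(nm.group(1))
    return negs


def summarize(text: str) -> list:
    """One line per negotiation: cookie, phase 1 outcome, phase 2 outcome, selector shape."""
    return ["%s: phase1=%s; phase2=%s; host-to-host=%s"
            % (n.cookie, n.phase1(), n.phase2(), n.host_to_host())
            for n in parse_oakley(text).values()]


# Constructed samples, abridged from the two logs posted in this thread.
SAMPLE_NO_CERT = """\
11-14: 11:34:09:984:780 Starting Negotiation: src = 206.172.253.48.0000, dst = 64.228.217.20.0500, proto = 00, context = 82247598, ProxySrc = 206.172.253.48.0000, ProxyDst = 64.228.217.20.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.255
11-14: 11:34:09:984:780 I-COOKIE 765d63a5e4795cbe
11-14: 11:34:10:750:780 Looking for IPSec only cert
11-14: 11:34:10:750:780 failed to get chain 80092004
11-14: 11:34:10:750:780 Looking for any cert
11-14: 11:34:10:750:780 failed to get chain 80092004
11-14: 11:34:20:984:780 received an unencrypted packet when crypto active
"""

SAMPLE_QM_REJECTED = """\
11-14: 16:10:53:640:780 Starting Negotiation: src = 216.209.130.95.0000, dst = 64.228.217.20.0500, proto = 00, context = 81DB56D8, ProxySrc = 216.209.130.95.0000, ProxyDst = 64.228.217.20.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.255
11-14: 16:10:53:640:780 I-COOKIE a0abc08261101e9f
11-14: 16:10:55:843:780 Signature validated
11-14: 16:10:55:843:780 MM established. SA: 0011A2A8
11-14: 16:10:55:875:780 exchange: Oakley Quick Mode
11-14: 16:10:56:656:780 notify: INVALID-ID-INFORMATION
11-14: 16:10:57:250:780 notify: INVALID-MESSAGE-ID
"""
```

Run it as `python3 oakley_summary.py` after appending `print("\n".join(summarize(open("oakley.txt").read())))`, or feed it the two samples: the first reports phase 1 failed on the certificate chain, the second reports phase 1 established and phase 2 rejected with INVALID-ID-INFORMATION for a host-to-host selector pair. The INVALID-MESSAGE-ID notifies that follow are the gateway discarding the client's retransmits of a Quick Mode it has already refused, so they are a symptom of the first notify, not a separate fault.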

Post by mekano » 15 Nov 2003 22:07

Nobody has a solution or can help me??

Post by tomtom » 16 Nov 2003 00:50

It seems to me that left and right have to mean the same thing on both sides.. So in one of your two configs you should swap left and right...

But I'm not sure that's where the problem comes from....

T.
One hundred thousand lemmings can't be wrong...
tomtom (Amiral; 6035 posts; joined 26 Apr 2002; location: Paris)

Post by mekano » 16 Nov 2003 01:48

OK, if I understand correctly, in the case of a roaming client, "left" would mean the network the gateway sits on and "right" represents the roaming client? Do I understand correctly?

Example:

VPN gateway address = 67.68.69.70

Client-side IPSEC config

conn distante
    left=66.68.67.40
    right=%any
    rightca="C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech,CN=Router, Email=dany.fortier@sympatico.ca"
    network=ras
    auto=start
    pfs=yes

Gateway ipsec config

# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    compress=yes
    authby=rsasig
    disablearrivalcheck=no

conn distante
    right=%any
    rightnexthop=%defaultroute
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=192.168.0.0/24    # address of my subnet behind the gateway
    leftrsasigkey=%cert
    leftcert=router.pem
    auto=add
    pfs=yes

Have I understood correctly??
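tomtom's remark rests on a FreeS/WAN convention: left and right are not "local" and "remote" but two fixed labels, and pluto works out which one is the local end by matching addresses to its own interfaces, so a conn can be copied verbatim between the two machines and must describe the same ends in the same order on both. The checker below is an added example for this thread (not FreeS/WAN's own tooling and not from any post): it parses conn sections, flags a DN that has lost a quote or a comma (the rightca value in the first post, which the first log echoes as O="DmInnovatech CN=innovatek Email=..."), and reports when the gateway lands on different sides in the two definitions. The embedded configs are constructed from the ones posted above; all function names are this example's own. Whether the Windows client tool used here gives left/right the FreeS/WAN meaning is something its own documentation has to settle; the check only tells you that the two files disagree.

```python
"""Sanity-check FreeS/WAN-style ipsec.conf conn sections on both ends of a
roadwarrior link.  Added example for this thread, not FreeS/WAN's tooling or
the poster's files; configs below are constructed from the posted ones."""
import re

# Attribute types accepted in a *ca / *id distinguished name (S and Email are
# the spellings the Windows log prints; ST and E/emailAddress are OpenSSL's).
RDN_TYPES = {"C", "ST", "S", "L", "O", "OU", "CN", "E", "Email", "emailAddress"}


def strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_ipsec_conf(text: str) -> dict:
    """Return {'conn NAME': {key: value}, 'config setup': {...}}.
    Section headers start in column 0; their settings are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault("%s %s" % (kind, name.strip()), {})
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_dn(value: str) -> list:
    """Report quoting and separator defects in a DN such as a rightca= value.
    A missing comma folds the following 'CN=...' into the previous attribute's
    value, which is exactly what the first oakley.txt excerpt shows."""
    problems = []
    if value.count('"') % 2:
        problems.append("unbalanced double quote")
    for rdn in value.strip('"').split(","):
        typ, eq, val = (p.strip() for p in rdn.partition("="))
        if not eq:
            problems.append("RDN without '=': %r" % rdn.strip())
        elif typ not in RDN_TYPES:
            problems.append("unknown attribute type %r" % typ)
        else:
            for m in re.finditer(r"\s([A-Za-z]+)=", val):
                problems.append("missing comma before %s= inside %s=%r" % (m.group(1), typ, val))
    return problems


def check_conn(conn: dict) -> list:
    problems = []
    if conn.get("left") == "%any" and conn.get("right") == "%any":
        problems.append("both left and right are %any")
    for side in ("left", "right"):
        for suffix in ("ca", "id"):
            dn = conn.get(side + suffix)
            if dn and "=" in dn:                 # only DN-shaped values
                problems.extend("%s%s: %s" % (side, suffix, p) for p in check_dn(dn))
    return problems


def gateway_side(conn: dict):
    """'left' or 'right': the end that is not the %any roadwarrior wildcard."""
    anys = [s for s in ("left", "right") if conn.get(s) == "%any"]
    if len(anys) != 1:
        return None
    return "right" if anys[0] == "left" else "left"


def sides_swapped(conn_a: dict, conn_b: dict) -> bool:
    """left/right label the same ends on both machines, so the gateway must
    sit on the same side in both conn definitions."""
    a, b = gateway_side(conn_a), gateway_side(conn_b)
    return a is not None and b is not None and a != b


def audit(gateway_text: str, client_text: str, name: str = "distante") -> list:
    gw = parse_ipsec_conf(gateway_text)["conn " + name]
    cl = parse_ipsec_conf(client_text)["conn " + name]
    findings = ["gateway " + p for p in check_conn(gw)] + ["client " + p for p in check_conn(cl)]
    if sides_swapped(gw, cl):
        findings.append("left/right are swapped between the two definitions")
    return findings


# Constructed from the gateway conn in the first post.
GATEWAY_CONF = """\
config setup
    interfaces=%defaultroute
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn distante
    right=%any
    #rightnexthop=192.168.0.2
    left=%defaultroute
    leftsubnet=192.168.0.0/24
    leftcert=router.pem
    auto=add
    pfs=yes
"""

# Client conn as first posted: gateway on the right, rightca missing its
# closing quote and the commas before CN= and Email=.
CLIENT_CONF_V1 = """\
conn distante
    left=%any
    right=64.228.217.20
    rightca="C=CA, ST=Quebec, L=Sherbrooke, O=DmInnovatech CN=innovatek Email=dany.fortier@sympatico.ca
    network=auto
    auto=start
    pfs=yes
"""

# Client conn as re-posted after tomtom's reply: gateway on the left.
CLIENT_CONF_V2 = """\
conn distante
    left=66.68.67.40
    right=%any
    rightca="C=CA, S=Quebec, L=Sherbrooke, O=DmInnovatech,CN=Router, Email=dany.fortier@sympatico.ca"
    network=ras
    auto=start
    pfs=yes
"""
```

`audit(GATEWAY_CONF, CLIENT_CONF_V1)` lists the unbalanced quote, the two missing commas and the swapped sides; `audit(GATEWAY_CONF, CLIENT_CONF_V2)` comes back empty. The DN check is deliberately strict about separators because pluto compares the configured rightca string against the issuer DN of the certificate the peer presents, and a DN that parses into the wrong attributes never matches anything.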

