MNF VPN and IKE

The MNF (Multi Network Firewall) is one of the most feature-rich firewall products on the market. It is based on a hardened Linux 2.4 kernel. This forum is also meant to host all posts concerning the Mandriva (formerly Mandrake) distributions.

Moderator: modos Ixus

Post by theman3124 » 02 Jan 2004 14:06

I'm running into a problem when I create a VPN following Éric Faure's doc (v1.02).
I create my VPN zone, add the network interface and the default rules in the firewall, add a VPN tunnel to the firewall and create an exception that allows UDP port 500 from the WAN to the FW.
I create the certificate authority from the command line, generate the firewall's certificate and sign it: no problem.
I install the CA certificate on the FW: no problem.
I configure the CA certificate on the FW: no problem.
In the same way, I create a client certificate, sign it, export it and import it on Windows XP using the appropriate mmc console: no problem.
I install ipsec on XP and configure ipsec.conf on the MNF and on my XP box, then stop and restart ipsec on the MNF: no errors in the logs.
I launch ipsec.exe and ping a PC on the remote LAN, and there: no reply!

"Réponse de "IP Pub MNF" : impossible de joindre l'hote de destination"

Being a beginner, I no longer know where to look...

If someone had the patience to help me...

Thanks in advance
"It's no use until you need it..."
theman3124
Aspirant

Posts: 110
Joined: 01 Feb 2003 01:00
Location: Toulouse

Post by theman3124 » 02 Jan 2004 14:20

I'm adding the oakley.log entries:

1-02: 13:14:40:792:8e4 Initialization OK
1-02: 13:15:01:26:8e4 isadb_schedule_kill_oldPolicy_sas: 4449d5f1-dd29-4068-a880f6df4a1fe69b 4
1-02: 13:15:01:26:8e4 isadb_schedule_kill_oldPolicy_sas: fda87aa7-5a1c-44c6-a0f36e67f7d940c5 4
1-02: 13:15:01:26:8e4 isadb_schedule_kill_oldPolicy_sas: 724dbd1f-f9cf-49d7-9164de2ee96335b7 1
1-02: 13:15:01:42:a58 entered kill_old_policy_sas
1-02: 13:15:01:42:a58 entered kill_old_policy_sas
1-02: 13:15:01:42:a58 entered kill_old_policy_sas
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: 4449d5f1-dd29-4068-a880f6df4a1fe69b 4
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: fda87aa7-5a1c-44c6-a0f36e67f7d940c5 4
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: de3dec86-4b32-456b-a3bd0ac851ca352c 3
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: e5c0cd1e-efdc-4039-b38ef4443fe60200 3
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: efdadf88-f39d-4f99-8a7e550600c48124 3
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: 30233196-cf75-4ef5-9927da320a990bf2 1
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: 8682b4da-4e5f-42af-8462d7c328456c90 2
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: 10602dfe-30dc-4770-b8c46908fe1a2ccc 2
1-02: 13:15:01:58:8e4 isadb_schedule_kill_oldPolicy_sas: 1ca95636-4961-4aec-a09ab0a2c90af866 2
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:01:73:24c entered kill_old_policy_sas
1-02: 13:15:18:855:8ec Acquire from driver: op=82236998 src=192.168.1.9.0 dst=10.0.0.2.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.0.0.0, Tunnel 1, TunnelEndpt=192.168.1.1 Inbound TunnelEndpt=192.168.1.9
1-02: 13:15:18:855:24c Filter to match: Src 192.168.1.1 Dst 192.168.1.9
1-02: 13:15:18:855:24c MM PolicyName: 3
1-02: 13:15:18:855:24c MMPolicy dwFlags 2 SoftSAExpireTime 28800
1-02: 13:15:18:855:24c MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
1-02: 13:15:18:855:24c MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
1-02: 13:15:18:855:24c MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
1-02: 13:15:18:855:24c MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
1-02: 13:15:18:855:24c MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
1-02: 13:15:18:855:24c MMOffer[2] Encrypt: DES CBC Hash: SHA
1-02: 13:15:18:855:24c MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
1-02: 13:15:18:855:24c MMOffer[3] Encrypt: DES CBC Hash: MD5
1-02: 13:15:18:855:24c Auth[0]:RSA Sig C=FR, S=FRANCE, L=RAMONVILLE, O=BCMP, OU=INFORMATIQUE, CN=POSTE_CLIENT
1-02: 13:15:18:855:24c QM PolicyName: Host-Poste_Client-net filter action dwFlags 1
1-02: 13:15:18:855:24c QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
1-02: 13:15:18:855:24c QMOffer[0] dwFlags 0 dwPFSGroup 268435456
1-02: 13:15:18:855:24c Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
1-02: 13:15:18:855:24c Starting Negotiation: src = 192.168.1.9.0000, dst = 192.168.1.1.0500, proto = 00, context = 82236998, ProxySrc = 192.168.1.9.0000, ProxyDst = 10.0.0.0.0000 SrcMask = 255.255.255.255 DstMask = 255.0.0.0
1-02: 13:15:18:855:24c constructing ISAKMP Header
1-02: 13:15:18:855:24c constructing SA (ISAKMP)
1-02: 13:15:18:855:24c Constructing Vendor
1-02: 13:15:18:855:24c
1-02: 13:15:18:855:24c Sending: SA = 0x000D6590 to 192.168.1.1:Type 2
1-02: 13:15:18:855:24c ISAKMP Header: (V1.0), len = 216
1-02: 13:15:18:855:24c I-COOKIE e0d92766d4a83528
1-02: 13:15:18:855:24c R-COOKIE 0000000000000000
1-02: 13:15:18:855:24c exchange: Oakley Main Mode
1-02: 13:15:18:855:24c flags: 0
1-02: 13:15:18:855:24c next payload: SA
1-02: 13:15:18:855:24c message ID: 00000000
1-02: 13:15:18:855:24c
1-02: 13:15:18:855:24c Receive: (get) SA = 0x000d6590 from 192.168.1.1
1-02: 13:15:18:855:24c ISAKMP Header: (V1.0), len = 84
1-02: 13:15:18:855:24c I-COOKIE e0d92766d4a83528
1-02: 13:15:18:855:24c R-COOKIE b9a4c614a4a2084b
1-02: 13:15:18:855:24c exchange: Oakley Main Mode
1-02: 13:15:18:855:24c flags: 0
1-02: 13:15:18:855:24c next payload: SA
1-02: 13:15:18:855:24c message ID: 00000000
1-02: 13:15:18:855:24c processing payload SA
1-02: 13:15:18:855:24c Received Phase 1 Transform 1
1-02: 13:15:18:855:24c Encryption Alg Triple DES CBC(5)
1-02: 13:15:18:855:24c Hash Alg SHA(2)
1-02: 13:15:18:855:24c Oakley Group 2
1-02: 13:15:18:855:24c Auth Method Signature RSA avec les certificats(3)
1-02: 13:15:18:855:24c Life type in Seconds
1-02: 13:15:18:855:24c Life duration of 28800
1-02: 13:15:18:855:24c Phase 1 SA accepted: transform=1
1-02: 13:15:18:855:24c SA - Oakley proposal accepted
1-02: 13:15:18:855:24c constructing ISAKMP Header
1-02: 13:15:18:886:24c constructing KE
1-02: 13:15:18:886:24c constructing NONCE (ISAKMP)
1-02: 13:15:18:886:24c
1-02: 13:15:18:886:24c Sending: SA = 0x000D6590 to 192.168.1.1:Type 2
1-02: 13:15:18:886:24c ISAKMP Header: (V1.0), len = 184
1-02: 13:15:18:886:24c I-COOKIE e0d92766d4a83528
1-02: 13:15:18:886:24c R-COOKIE b9a4c614a4a2084b
1-02: 13:15:18:886:24c exchange: Oakley Main Mode
1-02: 13:15:18:886:24c flags: 0
1-02: 13:15:18:886:24c next payload: KE
1-02: 13:15:18:886:24c message ID: 00000000
1-02: 13:15:18:886:24c
1-02: 13:15:18:886:24c Receive: (get) SA = 0x000d6590 from 192.168.1.1
1-02: 13:15:18:886:24c ISAKMP Header: (V1.0), len = 188
1-02: 13:15:18:886:24c I-COOKIE e0d92766d4a83528
1-02: 13:15:18:886:24c R-COOKIE b9a4c614a4a2084b
1-02: 13:15:18:886:24c exchange: Oakley Main Mode
1-02: 13:15:18:886:24c flags: 0
1-02: 13:15:18:886:24c next payload: KE
1-02: 13:15:18:886:24c message ID: 00000000
1-02: 13:15:18:886:24c processing payload KE
1-02: 13:15:18:886:24c processing payload NONCE
1-02: 13:15:18:886:24c processing payload CRP
1-02: 13:15:18:886:24c constructing ISAKMP Header
1-02: 13:15:18:886:24c constructing ID
1-02: 13:15:18:886:24c Received no valid CRPs. Using all configured
1-02: 13:15:18:886:24c Looking for IPSec only cert
1-02: 13:15:18:901:24c failed to get chain 80092004
1-02: 13:15:18:901:24c Received no valid CRPs. Using all configured
1-02: 13:15:18:901:24c Looking for any cert
1-02: 13:15:18:901:24c failed to get chain 80092004
1-02: 13:15:18:901:24c ProcessFailure: sa:000D6590 centry:00000000 status:35ee
1-02: 13:15:18:901:24c isadb_set_status sa:000D6590 centry:00000000 status 35ee
1-02: 13:15:18:901:24c Mode d'échange de clés (Mode principal)
1-02: 13:15:18:901:24c Adresse IP source192.168.1.9 Masque d'adresse IP source 255.255.255.255 Adresse IP de destination 192.168.1.1 Masque d'adresse IP de destination 255.255.255.255 Protocole 0 Port source 0 Port de destination 0 Adresse locale IKE Adresse homologue IKE
1-02: 13:15:18:901:24c Identité basé sur le certificat. Adresse IP homologue : 192.168.1.1
1-02: 13:15:18:901:24c Moi
1-02: 13:15:18:901:24c IKE n'a pas trouvé de certificat ordinateur valide
1-02: 13:15:18:901:24c 0x80092004 0x0
1-02: 13:15:18:901:24c ProcessFailure: sa:000D6590 centry:00000000 status:35ee
1-02: 13:15:18:901:24c constructing ISAKMP Header
1-02: 13:15:18:901:24c constructing HASH (null)
1-02: 13:15:18:901:24c constructing NOTIFY 28
1-02: 13:15:18:901:24c constructing HASH (Notify/Delete)
1-02: 13:15:18:901:24c
1-02: 13:15:18:901:24c Sending: SA = 0x000D6590 to 192.168.1.1:Type 1
1-02: 13:15:18:901:24c ISAKMP Header: (V1.0), len = 84
1-02: 13:15:18:901:24c I-COOKIE e0d92766d4a83528
1-02: 13:15:18:901:24c R-COOKIE b9a4c614a4a2084b
1-02: 13:15:18:901:24c exchange: ISAKMP Informational Exchange
1-02: 13:15:18:901:24c flags: 1 ( encrypted )
1-02: 13:15:18:901:24c next payload: HASH
1-02: 13:15:18:901:24c message ID: fff19af2
1-02: 13:15:28:886:24c
1-02: 13:15:28:886:24c Receive: (get) SA = 0x000d6590 from 192.168.1.1
1-02: 13:15:28:886:24c ISAKMP Header: (V1.0), len = 188
1-02: 13:15:28:886:24c I-COOKIE e0d92766d4a83528
1-02: 13:15:28:886:24c R-COOKIE b9a4c614a4a2084b
1-02: 13:15:28:886:24c exchange: Oakley Main Mode
1-02: 13:15:28:886:24c flags: 0
1-02: 13:15:28:886:24c next payload: KE
1-02: 13:15:28:886:24c message ID: 00000000
1-02: 13:15:28:886:24c received an unencrypted packet when crypto active
1-02: 13:15:28:886:24c GetPacket failed 35ec
"It's no use until you need it..."
theman3124
Aspirant

Posts: 110
Joined: 01 Feb 2003 01:00
Location: Toulouse
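A way to triage a trace like the one above, as an added example that is not code from the post, from the MNF product or from Windows: the script parses oakley.log lines in the format the post shows (month-day, HH:MM:SS:ms, hex thread id, message), records how far the Main Mode exchange got, and decodes the two status codes the trace carries. The sample lines are excerpted from the post; the field names, the code table (values as defined in winerror.h) and the verdict wording are my own.

```python
"""Triage helper for Windows IKE traces (oakley.log). Added example."""
import re
from dataclasses import dataclass, field

# Line shape from the post: "1-02: 13:15:18:901:24c <message>"
LINE_RE = re.compile(
    r"^\s*(\d{1,2}-\d{2}):\s+(\d{1,2}:\d{2}:\d{2}:\d{1,3}):([0-9a-f]+)\s?(.*)$"
)

# Codes seen in the post, with their winerror.h names (assumed table, not from the page).
KNOWN_CODES = {
    0x80092004: "CRYPT_E_NOT_FOUND - no certificate chain could be built",
    0x35EE: "ERROR_IPSEC_IKE_NO_CERT - IKE found no valid machine certificate",
}


@dataclass
class Entry:
    date: str
    time: str
    thread: str
    msg: str


@dataclass
class Diagnosis:
    phase1_accepted: bool = False      # "Phase 1 SA accepted" seen
    cert_chain_failed: bool = False    # "failed to get chain" seen
    notify_sent: bool = False          # local side aborted with an ISAKMP NOTIFY
    peer_retransmitted: bool = False   # peer resent a Main Mode message after the abort
    error_codes: list = field(default_factory=list)
    verdict: str = ""


def parse_line(line):
    """Return an Entry for one oakley.log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return Entry(*m.groups()) if m else None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def _codes_in(msg):
    """Pull hex status / HRESULT codes out of the messages that carry them."""
    codes = []
    m = re.search(r"failed to get chain ([0-9a-fA-F]+)", msg)
    if m:
        codes.append(int(m.group(1), 16))
    m = re.search(r"\bstatus:?\s*([0-9a-fA-F]{4,8})\b", msg)
    if m:
        codes.append(int(m.group(1), 16))
    codes += [int(h, 16) for h in re.findall(r"\b0x([0-9a-fA-F]+)\b", msg)]
    return [c for c in codes if c]   # drop the 0x0 filler value


def diagnose(text):
    d = Diagnosis()
    for e in parse_log(text):
        if "Phase 1 SA accepted" in e.msg:
            d.phase1_accepted = True
        if e.msg.startswith("failed to get chain"):
            d.cert_chain_failed = True
        if e.msg.startswith("constructing NOTIFY"):
            d.notify_sent = True
        if "unencrypted packet when crypto active" in e.msg:
            d.peer_retransmitted = True
        for c in _codes_in(e.msg):
            if c not in d.error_codes:
                d.error_codes.append(c)
    if not d.phase1_accepted:
        d.verdict = "no Phase 1 proposal accepted: check UDP 500 reachability and the IKE proposals"
    elif d.cert_chain_failed:
        d.verdict = ("Phase 1 proposal accepted, but no local certificate chain could be built: "
                     "check that the CA certificate is in the machine Trusted Root store and the "
                     "client certificate with its private key is in the machine Personal store")
    else:
        d.verdict = "no known failure pattern"
    return d


def explain(d):
    """Human-readable meaning of each code collected by diagnose()."""
    return [KNOWN_CODES.get(c, "unknown 0x%08x" % c) for c in d.error_codes]


# Lines excerpted from the post's trace (constructed subset, same format).
SAMPLE_LOG = """\
1-02: 13:15:18:855:24c Auth[0]:RSA Sig C=FR, S=FRANCE, L=RAMONVILLE, O=BCMP, OU=INFORMATIQUE, CN=POSTE_CLIENT
1-02: 13:15:18:855:24c Phase 1 SA accepted: transform=1
1-02: 13:15:18:886:24c processing payload CRP
1-02: 13:15:18:886:24c Received no valid CRPs. Using all configured
1-02: 13:15:18:886:24c Looking for IPSec only cert
1-02: 13:15:18:901:24c failed to get chain 80092004
1-02: 13:15:18:901:24c Looking for any cert
1-02: 13:15:18:901:24c failed to get chain 80092004
1-02: 13:15:18:901:24c ProcessFailure: sa:000D6590 centry:00000000 status:35ee
1-02: 13:15:18:901:24c 0x80092004 0x0
1-02: 13:15:18:901:24c constructing NOTIFY 28
1-02: 13:15:28:886:24c received an unencrypted packet when crypto active
1-02: 13:15:28:886:24c GetPacket failed 35ec
"""

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result.verdict)
    for line in explain(result):
        print(" -", line)
```

Run against the full trace, the verdict is the same as on the excerpt: the peer's proposal was accepted, so the firewall rule, UDP 500 and the IKE proposal are fine, and the failure is local to the XP certificate lookup (the "IKE n'a pas trouvé de certificat ordinateur valide" line says the same in plain words). The later "received an unencrypted packet when crypto active" is only the MNF retransmitting its Main Mode message after XP had already torn the SA down.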

