VPN-IPCOP disconnection problem with dynamic ADSL

Forum covering the up-and-coming secure distribution named IPCop, which is based on the Smoothwall distribution. It is currently the most active forum on the site.

Moderator: modos Ixus

Post by papythian » 29 Sep 2006 19:43

Hello everyone,

I am brand new as a member of the forum.
I have been interested in IPCop for a year and a half. On assignment in Africa, I am working with a company that has a head office and a remote site. ADSL is dynamic here. The two sites are interconnected by IPCOP-VPN in LAN to LAN. I migrated to version 1.4.11 last night, but I am running into disconnection problems, as with version 1.4.10. My analysis leads me to suspect an IPSEC problem. The two sites are in two different zones from the ADSL point of view. Here the RED addresses change roughly every 10 hours, and not at the same time on the two sites. I have moved heaven and earth, and I do not understand why I lose at least one hour per day, or even more, and it coincides with the ADSL IP address changes. Afterwards the tunnel has trouble coming back up. I installed the reconnection script. I took an extract of the IPSEC logs of both sites at the same time. At the end of the message there is an extract of the IPCOP system logs.

Thanks for your feedback (quickly if possible)

____________________________________________________________________________________
Site 1: IPSEC logs of the site hosting a test application server hit by the users of the remote site
____________________________________________________________________________________
11:24:27 pluto[29673] "fwelton2" #7: IPsec SA established
11:46:03 ipsec_setup Stopping Openswan IPsec...
11:46:03 pluto[29673] shutting down
11:46:03 pluto[29673] forgetting secrets
11:46:03 pluto[29673] "fwelton2": deleting connection
11:46:03 pluto[29673] "fwelton2" #8: deleting state (STATE_QUICK_R2)
11:46:03 pluto[29673] "fwelton2" #7: deleting state (STATE_QUICK_R2)
11:46:03 pluto[29673] "fwelton2" #6: deleting state (STATE_MAIN_R3)
11:46:03 pluto[29673] shutting down interface ipsec0/ppp0 196.207.204.38
11:46:03 pluto[29673] shutting down interface ipsec0/ppp0 196.207.204.38
11:46:04 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
11:46:04 ipsec_setup ipsec: Device or resource busy
11:46:04 ipsec_setup ...Openswan IPsec stopped
11:46:04 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
11:46:04 ipsec_setup KLIPS debug `none'
11:46:04 ipsec_setup KLIPS ipsec0 on ppp0 196.207.204.38/255.255.255.255 pointopoint 10.3.2.3
11:46:04 ipsec__plutorun Starting Pluto subsystem...
11:46:04 pluto[30324] Starting Pluto (Openswan Version 1.0.10)
11:46:04 pluto[30324] including X.509 patch with traffic selectors (Version 0.9.42)
11:46:04 pluto[30324] including NAT-Traversal patch (Version 0.6)
11:46:04 pluto[30324] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
11:46:04 pluto[30324] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
11:46:04 pluto[30324] Changing to directory '/etc/ipsec.d/cacerts'
11:46:04 ipsec_setup ...Openswan IPsec started
11:46:04 pluto[30324] loaded cacert file 'fwelton2cert.pem' (1269 bytes)
11:46:04 pluto[30324] loaded cacert file 'cacert.pem' (1269 bytes)
11:46:04 pluto[30324] Changing to directory '/etc/ipsec.d/crls'
11:46:04 pluto[30324] loaded crl file 'cacrl.pem' (564 bytes)
11:46:04 pluto[30324] OpenPGP certificate file '/etc/pgpcert.pgp' not found
11:46:05 pluto[30324] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
11:46:05 pluto[30324] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
11:46:05 pluto[30324] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1147 bytes)
11:46:05 pluto[30324] loaded host cert file '/var/ipcop/certs/fwelton2cert.pem' (1147 bytes)
11:46:05 pluto[30324] added connection description "fwelton2"
11:46:05 pluto[30324] listening for IKE messages
11:46:05 pluto[30324] adding interface ipsec0/ppp0 196.207.204.38
11:46:05 pluto[30324] adding interface ipsec0/ppp0 196.207.204.38:4500
11:46:05 pluto[30324] loading secrets from "/etc/ipsec.secrets"
11:46:05 pluto[30324] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
11:46:05 pluto[30324] "fwelton2" #1: initiating Main Mode
11:46:05 pluto[30324] "fwelton2" #1: received Vendor ID payload [RFC 3947]
11:46:05 pluto[30324] "fwelton2" #1: received Vendor ID payload [Dead Peer Detection]
11:46:05 pluto[30324] "fwelton2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
11:46:05 pluto[30324] "fwelton2" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
11:46:05 pluto[30324] "fwelton2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
11:46:05 pluto[30324] "fwelton2" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=SN, O=elton2, CN=elton2.homeip.net'
11:46:05 pluto[30324] "fwelton2" #1: Issuer CRL not found
11:46:05 pluto[30324] "fwelton2" #1: Issuer CRL not found
11:46:05 pluto[30324] "fwelton2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
11:46:05 pluto[30324] "fwelton2" #1: ISAKMP SA established
11:46:05 pluto[30324] "fwelton2" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
11:46:06 pluto[30324] "fwelton2" #2: Dead Peer Detection (RFC3706) enabled
11:46:06 pluto[30324] "fwelton2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
11:46:06 pluto[30324] "fwelton2" #2: sent QI2, IPsec SA established
11:46:06 ipsec__plutorun 104 "fwelton2" #1: STATE_MAIN_I1: initiate
11:46:06 ipsec__plutorun 003 "fwelton2" #1: received Vendor ID payload [RFC 3947]
11:46:06 ipsec__plutorun 003 "fwelton2" #1: received Vendor ID payload [Dead Peer Detection]
11:46:06 ipsec__plutorun 106 "fwelton2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
11:46:06 ipsec__plutorun 003 "fwelton2" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
11:46:06 ipsec__plutorun 108 "fwelton2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
11:46:06 ipsec__plutorun 004 "fwelton2" #1: STATE_MAIN_I4: ISAKMP SA established
11:46:06 ipsec__plutorun 122 "fwelton2" #2: STATE_QUICK_I1: initiate
11:46:06 ipsec__plutorun 004 "fwelton2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
11:46:24 pluto[30324] "fwelton2" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
11:46:24 pluto[30324] "fwelton2" #1: received and ignored informational message
12:12:14 pluto[30324] "fwelton2" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
12:12:14 pluto[30324] "fwelton2" #1: received and ignored informational message
12:12:14 pluto[30324] "fwelton2" #1: received Delete SA payload: deleting ISAKMP State #1
12:12:14 pluto[30324] packet from 196.207.248.125:500: received and ignored informational message
12:12:15 pluto[30324] ERROR: asynchronous network error report on ppp0 for message to 196.207.248.125 port 500, complainant 196.207.248.125: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
___
___
___Continued

12:39:22 ipsec_setup ...Openswan IPsec stopped
12:40:26 ipsec_setup Stopping Openswan IPsec...
12:40:26 ipsec_setup stop ordered, but IPsec does not appear to be running!
12:40:26 ipsec_setup doing cleanup anyway...
12:40:26 ipsec_setup ipsec: Device or resource busy
12:40:26 ipsec_setup ...Openswan IPsec stopped
12:40:26 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
12:40:26 ipsec_setup KLIPS debug `none'
12:40:26 ipsec_setup KLIPS ipsec0 on ppp0 196.207.245.76/255.255.255.255 pointopoint 10.3.2.3
12:40:26 ipsec__plutorun Starting Pluto subsystem...
12:40:26 ipsec_setup ...Openswan IPsec started
12:40:26 pluto[763] Starting Pluto (Openswan Version 1.0.10)
12:40:26 pluto[763] including X.509 patch with traffic selectors (Version 0.9.42)
12:40:26 pluto[763] including NAT-Traversal patch (Version 0.6)
12:40:26 pluto[763] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
12:40:26 pluto[763] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
12:40:26 pluto[763] Changing to directory '/etc/ipsec.d/cacerts'
12:40:26 pluto[763] loaded cacert file 'fwelton2cert.pem' (1269 bytes)
12:40:26 pluto[763] loaded cacert file 'cacert.pem' (1269 bytes)
12:40:26 pluto[763] Changing to directory '/etc/ipsec.d/crls'
12:40:26 pluto[763] loaded crl file 'cacrl.pem' (564 bytes)
12:40:27 pluto[763] OpenPGP certificate file '/etc/pgpcert.pgp' not found
12:40:27 pluto[763] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
12:40:27 pluto[763] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
12:40:27 pluto[763] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1147 bytes)
12:40:27 pluto[763] loaded host cert file '/var/ipcop/certs/fwelton2cert.pem' (1147 bytes)
12:40:27 pluto[763] added connection description "fwelton2"
12:40:27 pluto[763] listening for IKE messages
12:40:27 pluto[763] adding interface ipsec0/ppp0 196.207.245.76
12:40:27 pluto[763] adding interface ipsec0/ppp0 196.207.245.76:4500
12:40:27 pluto[763] loading secrets from "/etc/ipsec.secrets"
12:40:27 pluto[763] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
12:40:27 ipsec__plutorun 022 "fwelton2": we have no ipsecN interface for either end of this connection
12:40:27 ipsec__plutorun ...could not route conn "fwelton2"
12:40:27 pluto[763] "fwelton2": we have no ipsecN interface for either end of this connection
12:40:27 ipsec__plutorun 022 "fwelton2": we have no ipsecN interface for either end of this connection
12:40:27 ipsec__plutorun ...could not start conn "fwelton2"
12:42:01 ipsec_setup Stopping Openswan IPsec...
12:42:01 pluto[763] shutting down
12:42:01 pluto[763] forgetting secrets
12:42:01 pluto[763] "fwelton2": deleting connection
12:42:01 pluto[763] shutting down interface ipsec0/ppp0 196.207.245.76
12:42:01 pluto[763] shutting down interface ipsec0/ppp0 196.207.245.76
12:42:02 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
12:42:02 ipsec_setup ipsec: Device or resource busy
12:42:02 ipsec_setup ...Openswan IPsec stopped
12:42:02 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
12:42:02 ipsec_setup KLIPS debug `none'
12:42:02 ipsec_setup KLIPS ipsec0 on ppp0 196.207.245.76/255.255.255.255 pointopoint 10.3.2.3
12:42:02 ipsec__plutorun Starting Pluto subsystem...
12:42:02 pluto[1015] Starting Pluto (Openswan Version 1.0.10)
12:42:02 ipsec_setup ...Openswan IPsec started
12:42:02 pluto[1015] including X.509 patch with traffic selectors (Version 0.9.42)
12:42:02 pluto[1015] including NAT-Traversal patch (Version 0.6)
12:42:02 pluto[1015] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
12:42:02 pluto[1015] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
12:42:02 pluto[1015] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
12:42:02 pluto[1015] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
12:42:02 pluto[1015] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
12:42:02 pluto[1015] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)

12:42:02 pluto[1015] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
12:42:02 pluto[1015] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
_____________________________________________________________________________________
Site 2: Site where the testers who need to hit the application server on site 1 are located
_____________________________________________________________________________________
11:24:24 ipsec__plutorun 004 "fwelton1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
11:24:32 pluto[10738] "fwelton1" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
11:24:32 pluto[10738] "fwelton1" #1: received and ignored informational message
11:46:01 pluto[10738] "fwelton1" #1: received Delete SA payload: deleting IPSEC State #3
11:46:01 pluto[10738] "fwelton1" #1: received and ignored informational message
11:46:01 pluto[10738] "fwelton1" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
11:46:01 pluto[10738] "fwelton1" #1: received and ignored informational message
11:46:01 pluto[10738] "fwelton1" #1: received Delete SA payload: deleting ISAKMP State #1
11:46:01 pluto[10738] packet from 196.207.204.38:500: received and ignored informational message
11:46:02 pluto[10738] ERROR: asynchronous network error report on ppp0 for message to 196.207.204.38 port 500, complainant 196.207.204.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
11:46:02 pluto[10738] ERROR: asynchronous network error report on ppp0 for message to 196.207.204.38 port 500, complainant 196.207.204.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
11:46:02 pluto[10738] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
11:46:02 pluto[10738] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
11:46:02 pluto[10738] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
11:46:02 pluto[10738] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
11:46:02 pluto[10738] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
11:46:02 pluto[10738] "fwelton1" #4: responding to Main Mode
11:46:02 pluto[10738] "fwelton1" #4: transition from state (null) to state STATE_MAIN_R1
11:46:03 pluto[10738] "fwelton1" #4: NAT-Traversal: Result using RFC 3947: no NAT detected
11:46:03 pluto[10738] "fwelton1" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
11:46:03 pluto[10738] "fwelton1" #4: Main mode peer ID is ID_DER_ASN1_DN: 'C=SN, O=elton1, CN=elton1.homeip.net'
11:46:03 pluto[10738] "fwelton1" #4: Issuer CRL not found
11:46:03 pluto[10738] "fwelton1" #4: Issuer CRL not found
11:46:03 pluto[10738] "fwelton1" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
11:46:03 pluto[10738] "fwelton1" #4: sent MR3, ISAKMP SA established
11:46:03 pluto[10738] "fwelton1" #5: responding to Quick Mode
11:46:03 pluto[10738] "fwelton1" #5: transition from state (null) to state STATE_QUICK_R1
11:46:03 pluto[10738] "fwelton1" #5: Dead Peer Detection (RFC3706) enabled
11:46:03 pluto[10738] "fwelton1" #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
11:46:03 pluto[10738] "fwelton1" #5: IPsec SA established
12:12:12 ipsec_setup Stopping Openswan IPsec...
12:12:12 pluto[10738] shutting down
12:12:12 pluto[10738] forgetting secrets
12:12:12 pluto[10738] "fwelton1": deleting connection
12:12:12 pluto[10738] "fwelton1" #5: deleting state (STATE_QUICK_R2)
12:12:12 pluto[10738] "fwelton1" #4: deleting state (STATE_MAIN_R3)
12:12:12 pluto[10738] shutting down interface ipsec0/ppp0 196.207.248.125
12:12:12 pluto[10738] shutting down interface ipsec0/ppp0 196.207.248.125
12:12:13 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
12:12:13 ipsec_setup ipsec: Device or resource busy
12:12:13 ipsec_setup ...Openswan IPsec stopped
12:12:13 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
12:12:13 ipsec_setup KLIPS debug `none'
12:12:13 ipsec_setup KLIPS ipsec0 on ppp0 196.207.248.125/255.255.255.255 pointopoint 196.207.248.1
12:12:13 ipsec__plutorun Starting Pluto subsystem...
12:12:13 pluto[11592] Starting Pluto (Openswan Version 1.0.10)
12:12:13 pluto[11592] including X.509 patch with traffic selectors (Version 0.9.42)
12:12:13 pluto[11592] including NAT-Traversal patch (Version 0.6)
12:12:13 pluto[11592] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
12:12:13 pluto[11592] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
12:12:13 ipsec_setup ...Openswan IPsec started
12:12:13 pluto[11592] Changing to directory '/etc/ipsec.d/cacerts'
12:12:13 pluto[11592] loaded cacert file 'fwelton1cert.pem' (1269 bytes)
12:12:13 pluto[11592] loaded cacert file 'cacert.pem' (1269 bytes)
12:12:13 pluto[11592] Changing to directory '/etc/ipsec.d/crls'
12:12:13 pluto[11592] loaded crl file 'cacrl.pem' (564 bytes)
12:12:13 pluto[11592] OpenPGP certificate file '/etc/pgpcert.pgp' not found
12:12:19 ipsec__plutorun whack error: "fwelton1" does not look numeric and name lookup failed "elton2.homeip.net"
12:12:19 ipsec__plutorun ...could not add conn "fwelton1"
12:12:19 pluto[11592] listening for IKE messages

12:12:19 pluto[11592] adding interface ipsec0/ppp0 196.207.248.125
12:12:19 pluto[11592] adding interface ipsec0/ppp0 196.207.248.125:4500
12:12:19 pluto[11592] loading secrets from "/etc/ipsec.secrets"
12:12:19 pluto[11592] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
12:12:19 ipsec__plutorun 021 no connection named "fwelton1"
12:12:19 ipsec__plutorun ...could not route conn "fwelton1"
12:12:19 ipsec__plutorun 021 no connection named "fwelton1"
12:12:19 ipsec__plutorun ...could not start conn "fwelton1"
12:12:21 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
12:12:21 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
12:12:21 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
12:12:21 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
12:12:21 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
12:12:21 pluto[11592] packet from 196.207.204.38:500: initial Main Mode message received on 196.207.248.125:500 but no connection has been authorized with policy=RSASIG
12:12:31 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
12:12:31 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
12:12:31 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
12:12:31 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
12:12:31 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
12:12:31 pluto[11592] packet from 196.207.204.38:500: initial Main Mode message received on 196.207.248.125:500 but no connection has been authorized with policy=RSASIG
12:12:51 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
12:12:51 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
12:12:51 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
12:12:51 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
12:12:51 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
12:12:51 pluto[11592] packet from 196.207.204.38:500: initial Main Mode message received on 196.207.248.125:500 but no connection has been authorized with policy=RSASIG
12:13:31 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
12:13:31 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
12:13:31 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
12:13:31 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
12:13:31 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
12:13:31 pluto[11592] packet from 196.207.204.38:500: initial Main Mode message received on 196.207.248.125:500 but no connection has been authorized with policy=RSASIG
12:14:00 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
12:14:00 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
12:14:00 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
12:14:00 pluto[11592] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
12:14:00 pluto[11592] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
12:14:00 pluto[11592] packet from 196.207.204.38:500: initial Main Mode message received on 196.207.248.125:500 but no connection has been authorized with policy=RSASIG
12:14:01 ipsec_setup Stopping Openswan IPsec...
12:14:01 pluto[11592] shutting down
____
____
____Continued
12:39:11 pluto[15410] packet from 196.207.204.38:500: received Vendor ID payload [RFC 3947]
12:39:11 pluto[15410] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
12:39:11 pluto[15410] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
12:39:11 pluto[15410] packet from 196.207.204.38:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
12:39:11 pluto[15410] packet from 196.207.204.38:500: received Vendor ID payload [Dead Peer Detection]
12:39:11 pluto[15410] packet from 196.207.204.38:500: initial Main Mode message received on 196.207.248.125:500 but no connection has been authorized with policy=RSASIG
12:40:01 ipsec_setup Stopping Openswan IPsec...
12:40:01 pluto[15410] shutting down
12:40:01 pluto[15410] forgetting secrets
12:40:01 pluto[15410] shutting down interface ipsec0/ppp0 196.207.248.125
12:40:01 pluto[15410] shutting down interface ipsec0/ppp0 196.207.248.125
12:40:02 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
12:40:02 ipsec_setup ipsec: Device or resource busy
12:40:02 ipsec_setup ...Openswan IPsec stopped
12:40:02 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
12:40:02 ipsec_setup KLIPS debug `none'
12:40:02 ipsec_setup KLIPS ipsec0 on ppp0 196.207.248.125/255.255.255.255 pointopoint 196.207.248.1
12:40:02 ipsec__plutorun Starting Pluto subsystem...
12:40:02 pluto[15682] Starting Pluto (Openswan Version 1.0.10)
12:40:02 pluto[15682] including X.509 patch with traffic selectors (Version 0.9.42)
12:40:02 pluto[15682] including NAT-Traversal patch (Version 0.6)
12:40:02 pluto[15682] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
12:40:02 pluto[15682] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
12:40:02 pluto[15682] Changing to directory '/etc/ipsec.d/cacerts'
12:40:02 ipsec_setup ...Openswan IPsec started
12:40:02 pluto[15682] loaded cacert file 'fwelton1cert.pem' (1269 bytes)
12:40:02 pluto[15682] loaded cacert file 'cacert.pem' (1269 bytes)
12:40:02 pluto[15682] Changing to directory '/etc/ipsec.d/crls'
12:40:02 pluto[15682] loaded crl file 'cacrl.pem' (564 bytes)
12:40:02 pluto[15682] OpenPGP certificate file '/etc/pgpcert.pgp' not found
12:40:13 ipsec__plutorun whack error: "fwelton1" does not look numeric and name lookup failed "elton2.homeip.net"
12:40:13 ipsec__plutorun ...could not add conn "fwelton1"
12:40:13 pluto[15682] listening for IKE messages
12:40:13 pluto[15682] adding interface ipsec0/ppp0 196.207.248.125
12:40:13 pluto[15682] adding interface ipsec0/ppp0 196.207.248.125:4500
12:40:13 pluto[15682] loading secrets from "/etc/ipsec.secrets"
12:40:13 pluto[15682] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
12:40:13 ipsec__plutorun 021 no connection named "fwelton1"
12:40:13 ipsec__plutorun ...could not route conn "fwelton1"
12:40:13 ipsec__plutorun 021 no connection named "fwelton1"
12:40:13 ipsec__plutorun ...could not start conn "fwelton1"
12:40:38 ipsec_setup Stopping Openswan IPsec...
12:40:38 pluto[15682] shutting down
12:40:38 pluto[15682] forgetting secrets
12:40:38 pluto[15682] shutting down interface ipsec0/ppp0 196.207.248.125
12:40:38 pluto[15682] shutting down interface ipsec0/ppp0 196.207.248.125
12:40:39 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
12:40:39 ipsec_setup ipsec: Device or resource busy
12:40:39 ipsec_setup ...Openswan IPsec stopped
12:41:59 ipsec_setup Stopping Openswan IPsec...
12:41:59 ipsec_setup stop ordered, but IPsec does not appear to be running!
12:41:59 ipsec_setup doing cleanup anyway...
12:41:59 ipsec_setup ipsec: Device or resource busy
12:41:59 ipsec_setup ...Openswan IPsec stopped
12:41:59 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
12:41:59 ipsec_setup KLIPS debug `none'
12:41:59 ipsec_setup KLIPS ipsec0 on ppp0 196.207.197.173/255.255.255.255 pointopoint 196.207.197.1
12:42:00 ipsec__plutorun Starting Pluto subsystem...
12:42:00 ipsec_setup ...Openswan IPsec started
12:42:00 pluto[744] Starting Pluto (Openswan Version 1.0.10)
12:42:00 pluto[744] including X.509 patch with traffic selectors (Version 0.9.42)
12:42:00 pluto[744] including NAT-Traversal patch (Version 0.6)
12:42:00 pluto[744] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)


12:42:00 pluto[744] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
12:42:00 pluto[744] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
12:42:00 pluto[744] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
12:42:00 pluto[744] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
12:42:00 pluto[744] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
12:42:00 pluto[744] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
12:42:00 pluto[744] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
12:42:00 pluto[744] Changing to directory '/etc/ipsec.d/cacerts'
12:42:00 pluto[744] loaded cacert file 'fwelton1cert.pem' (1269 bytes)
12:42:00 pluto[744] loaded cacert file 'cacert.pem' (1269 bytes)
12:42:00 pluto[744] Changing to directory '/etc/ipsec.d/crls'
12:42:00 pluto[744] loaded crl file 'cacrl.pem' (564 bytes)
12:42:00 pluto[744] OpenPGP certificate file '/etc/pgpcert.pgp' not found
12:42:05 ipsec_setup Stopping Openswan IPsec...
12:42:05 pluto[744] shutting down
12:42:05 ipsec__plutorun whack: Pluto is not running (no "/var/run/pluto.ctl")
12:42:05 ipsec__plutorun ...could not add conn "fwelton1"
12:42:05 ipsec__plutorun whack: Pluto is not running (no "/var/run/pluto.ctl")
12:42:05 ipsec__plutorun whack: Pluto is not running (no "/var/run/pluto.ctl")
12:42:05 ipsec__plutorun ...could not route conn "fwelton1"
12:42:05 ipsec__plutorun whack: Pluto is not running (no "/var/run/pluto.ctl")
12:42:05 ipsec__plutorun ...could not start conn "fwelton1"
12:42:06 ipsec_setup /usr/lib/ipsec/tncfg: Socket ioctl failed on detach -- No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.
12:42:06 ipsec_setup ipsec: Device or resource busy
12:42:06 ipsec_setup ...Openswan IPsec stopped
12:42:06 ipsec_setup Starting Openswan IPsec U1.0.10/K1.0.10rc2...
12:42:06 ipsec_setup KLIPS debug `none'
12:42:06 ipsec_setup KLIPS ipsec0 on ppp0 196.207.197.173/255.255.255.255 pointopoint 196.207.197.1
12:42:06 ipsec__plutorun Starting Pluto subsystem...
12:42:06 pluto[999] Starting Pluto (Openswan Version 1.0.10)
12:42:06 pluto[999] including X.509 patch with traffic selectors (Version 0.9.42)
12:42:06 pluto[999] including NAT-Traversal patch (Version 0.6)
12:42:06 pluto[999] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
12:42:06 pluto[999] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
12:42:06 pluto[999] Changing to directory '/etc/ipsec.d/cacerts'
12:42:06 ipsec_setup ...Openswan IPsec started
12:42:06 pluto[999] loaded cacert file 'fwelton1cert.pem' (1269 bytes)
12:42:06 pluto[999] loaded cacert file 'cacert.pem' (1269 bytes)
12:42:06 pluto[999] Changing to directory '/etc/ipsec.d/crls'
12:42:06 pluto[999] loaded crl file 'cacrl.pem' (564 bytes)
12:42:06 pluto[999] OpenPGP certificate file '/etc/pgpcert.pgp' not found
12:42:06 pluto[999] | from whack: got --esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
12:42:06 pluto[999] | from whack: got --ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
12:42:06 pluto[999] loaded host cert file '/var/ipcop/certs/fwelton1cert.pem' (1147 bytes)
12:42:06 pluto[999] loaded host cert file '/var/ipcop/certs/hostcert.pem' (1147 bytes)
12:42:06 pluto[999] added connection description "fwelton1"
12:42:06 pluto[999] listening for IKE messages
12:42:06 pluto[999] adding interface ipsec0/ppp0 196.207.197.173
12:42:06 pluto[999] adding interface ipsec0/ppp0 196.207.197.173:4500
12:42:06 pluto[999] loading secrets from "/etc/ipsec.secrets"
12:42:06 pluto[999] loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
12:42:06 ipsec__plutorun 022 "fwelton1": we have no ipsecN interface for either end of this connection
12:42:06 ipsec__plutorun ...could not route conn "fwelton1"
12:42:06 pluto[999] "fwelton1": we have no ipsecN interface for either end of this connection
12:42:06 ipsec__plutorun 022 "fwelton1": we have no ipsecN interface for either end of this connection
12:42:06 ipsec__plutorun ...could not start conn "fwelton1"
12:44:00 pluto[999] packet from 196.207.245.76:500: received Vendor ID payload [RFC 3947]
12:44:00 pluto[999] packet from 196.207.245.76:500: ignoring Vendor ID payload [draft-ietf-ipsec-
______________________________________________________________________________
IPCOP SYSTEM LOGS: system logs for site 2
_________________________________________________________________________________

10:33:18 ipcop Nom d'hôte de DNS dynamique modifié
11:00:32 ipcop PPP has gone down on ppp0
11:00:35 ipcop Dialling eltonsiege.
11:00:37 ipcop PPP has gone up on ppp0
11:00:39 ipcop Dynamic DNS ip-update for elton2.homeip.net: success
12:40:35 ipcop Redémarrage d'IPCop
12:40:36 ipcop PPP has gone down on ppp0
12:41:18 ipcop Dialling eltonsiege.
12:41:48 ipcop IPCop started.
12:41:55 ipcop PPP has gone up on ppp0
12:41:58 ipcop Dynamic DNS ip-update for elton2.homeip.net: success

Post by Franck78 » 29 Sep 2006 20:02

Hi,
You are not using the script built into 1.4.11.... I don't see the 'vpn_watch' entries. With a "PSK", it is missing a call to "rereadsecrets". But since you are on x509, that's fine.
Did you set a delay of ~60 seconds or more (depends on the TTL of your dyndns entry) before reconnection?
Did you also put your IPCop's dynamic DNS name in the "Nom d'hôte ou IP locale du RPV" (local VPN hostname or IP) field?

The 'we ... no ipsec interface...' errors are caused by this kind of problem. Unresolved names, no interface on the machine to reach an IP, ..... Networking stuff, basically!


bye
Franck
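The delay Franck asks about can be read off the logs themselves. The following is an added example, not part of the thread or of IPCop: it takes merged log lines in the "HH:MM:SS source message" form quoted above (all from the same day, an assumption) and reports how many seconds after the last successful dynamic DNS update Pluto was started. The function name `restart_gaps` is hypothetical; the sample lines are copied from the site 2 logs in the first post.

```shell
#!/bin/sh
# Added example: how soon after a DynDNS update was Pluto started?

# restart_gaps MIN_DELAY   (log lines on stdin, any order, one day)
# Prints one line per Pluto start: "<time> <seconds since update> <ok|early>"
# followed by a count of "could not route/start conn" lines.
restart_gaps() {
    # The web interface can list newest entries first, so sort by timestamp.
    sort -s -k1,1 | awk -v min="$1" '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /Dynamic DNS ip-update for .*: success/ { last = secs($1); seen = 1 }
        /Starting Pluto/ && seen {
            gap = secs($1) - last
            print $1, gap, (gap < min ? "early" : "ok")
        }
        /could not (route|start) conn/ { failed++ }
        END { print "failed_conn_lines", failed + 0 }'
}

# Lines taken from the site 2 logs quoted in the first post.
SAMPLE_LOG='12:41:55 ipcop PPP has gone up on ppp0
12:41:58 ipcop Dynamic DNS ip-update for elton2.homeip.net: success
12:42:06 pluto[999] Starting Pluto (Openswan Version 1.0.10)
12:42:06 ipsec__plutorun ...could not route conn "fwelton1"
12:42:06 ipsec__plutorun ...could not start conn "fwelton1"'

# Demo: compare against the ~60 second delay suggested in the reply.
printf '%s\n' "$SAMPLE_LOG" | restart_gaps 60
```

On these lines the Pluto start falls 8 seconds after the DNS update, which is below the suggested 60 seconds.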

Post by papythian » 29 Sep 2006 20:42

Thanks for your reply and your availability. I'm starting to get used to your name...
Yes, I did declare the VPN hostname in the right place!
No, I was at 0 for the delay before starting the VPN!

I have switched to 60 seconds and disabled the reconnection script in the crontab, but I cannot know the result before the next address change.

Do you think I should still use VPN-watch?

Thanks in advance

Post by Franck78 » 30 Sep 2006 03:57

papythian wrote: Do you think I should still use VPN-watch?

Thanks in advance

Yes, especially if you are on dynamic IPs.
Franck

Post by papythian » 30 Sep 2006 13:44

Thanks for the reply

I will test the script and keep you posted

Regards
Papythian

Post by papythian » 10 Oct 2006 11:56

Hello,

I had promised to report back on my experiences, so here it is.

I was on version 1.4.10, which I upgraded to version 1.4.11, and despite that I still had untimely connection losses. I suspected the IPSEC protocol and I was right. I set up a small script to grep the line (the IP address) returned by the command /usr/sbin/ipsec eroute. I received an alarm as soon as that line no longer appeared, which does indeed correspond to the VPN disconnecting. I reinstalled both servers starting from a clean 1.4.11 ISO and since then no more disconnections, at least so far. Could there be a persistence problem with the IPSEC protocol in version 1.4.10, or even 1.4.11?

That said, one of my local networks was fairly saturated on the GREEN side; is that an explanation?
What does this log mean (the "Issuer CRL not found" lines)?

09:26:10 pluto[20620] "fweltonh" #57: sent MR3, ISAKMP SA established
09:26:10 pluto[20620] "fweltonh" #57: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
09:26:10 pluto[20620] "fweltonh" #57: Issuer CRL not found
09:26:10 pluto[20620] "fweltonh" #57: Issuer CRL not found
09:26:10 pluto[20620] "fweltonh" #57: Main mode peer ID is ID_DER_ASN1_DN: 'C=SN, O=eltonhann, CN=eltonhann.myvnc.com'
09:26:10 pluto[20620] "fweltonh" #57: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
09:26:10 pluto[20620] "fweltonh" #57: NAT-Traversal: Result using RFC 3947: no NAT detected
09:26:09 pluto[20620] "fweltonh" #57: transition from state (null) to state STATE_MAIN_R1
09:26:09 pluto[20620] "fweltonh" #57: responding to Main Mode
09:26:09 pluto[20620] packet from 196.207.245.26:500: received Vendor ID payload [Dead Peer Detection]
09:26:09 pluto[20620] packet from 196.207.245.26:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
09:26:09 pluto[20620] packet from 196.207.245.26:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
09:26:09 pluto[20620] packet from 196.207.245.26:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
09:26:09 pluto[20620] packet from 196.207.245.26:500: received Vendor ID payload [RFC 3947]
08:43:10 pluto[20620] "fweltonh" #56: IPsec SA established
08:43:10 pluto[20620] "fweltonh" #56: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
08:43:10 pluto[20620] "fweltonh" #56: Dead Peer Detection (RFC3706) enabled
08:43:10 pluto[20620] "fweltonh" #55: IPsec SA established

Regards
Thanks for your reply
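The check described in the post above (grep the `/usr/sbin/ipsec eroute` output and raise an alarm when the tunnel's line is gone), as an added example that is not papythian's script. It assumes the KLIPS eroute layout `<packets> <src/mask> -> <dst/mask> => <SAID>`; the function names, subnets, peer address and state file path are hypothetical, and the sample tables are constructed.

```shell
#!/bin/sh
# Added example. Assumed eroute line layout (KLIPS):
#   <packets> <src/mask> -> <dst/mask> => <SAID or %trap/%hold>

# tunnel_state REMOTE_NET   (eroute table on stdin) -> up | hold | missing
tunnel_state() {
    awk -v net="$1" '
        $3 == "->" && $5 == "=>" {
            dst = $4; sub(/:[0-9]+$/, "", dst)   # tolerate a ":port" suffix
            if (dst != net) next
            if ($6 ~ /^%/) held = 1               # %trap/%hold: no SA installed
            else up = 1                           # e.g. tun0x1002@peer: SA present
        }
        END { print (up ? "up" : (held ? "hold" : "missing")) }'
}

# check_once REMOTE_NET STATE_FILE THRESHOLD   (eroute table on stdin)
# Prints "<state> <consecutive failures>" and appends ALARM only on the poll
# that reaches THRESHOLD, so cron alerts once per outage, not every minute.
check_once() {
    state=$(tunnel_state "$1")
    prev=$(cat "$2" 2>/dev/null || true)
    if [ "$state" = "up" ]; then count=0; else count=$(( ${prev:-0} + 1 )); fi
    echo "$count" > "$2"
    if [ "$count" -eq "$3" ]; then echo "$state $count ALARM"
    else echo "$state $count"; fi
}

# Constructed sample tables (subnets and peer address are made up).
SAMPLE_UP='12         192.168.1.0/24     -> 192.168.2.0/24     => tun0x1002@203.0.113.7'
SAMPLE_HOLD='0          192.168.1.0/24     -> 192.168.2.0/24     => %trap'

# On the firewall (state file path is hypothetical):
#   /usr/sbin/ipsec eroute | check_once 192.168.2.0/24 /var/run/eroute.fail 3
```

Distinguishing `hold` from `missing` separates a route that is armed but has no SA from a connection that was never loaded.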

Post by Franck78 » 10 Oct 2006 19:32

papythian wrote: Hello,

I had promised to report back on my experiences, so here it is.


That said, one of my local networks was fairly saturated on the GREEN side; is that an explanation?
What does this log mean (the "Issuer CRL not found" lines)?


The CRL is not very serious. Well, not entirely, but.

I don't understand anything in your report.
Everything is in the past tense.
In the present, what's the situation?
With the built-in script or another one?
Franck

Post by papythian » 10 Oct 2006 20:40

In the present, what's the situation? It has been running correctly since Saturday without any disconnection since the servers were reinstalled with version 1.4.11

With the built-in script or another one? With the built-in script (vpn-watch), having disabled reconnec.sh in the crontab on both servers. Without any other script added.

In summary, the solution reinstalled from version 1.4.11, overwriting the old version, works differently and better than version 1.4.10 upgraded to 1.4.11.

As a reminder: I had 3 to 4 disconnections per day with version 1.4.10 upgraded to 1.4.11. Disconnections that I no longer see since installing the 1.4.11 ISO version (servers formatted).

Regards

Post by Franck78 » 10 Oct 2006 22:20

papythian wrote: having disabled reconnec.sh in the crontab on both servers.


Hmm, there is no reconnect.sh in the crontab!

Well anyway, you no longer have, or no longer notice, the outages. For that you need to check the VPN log. Looking for the 'vpn-watch' events.
Franck

Post by papythian » 19 Oct 2006 23:26

Hello,

I confirm that my interconnection network has become stable (almost). In ten days I have seen only one disconnection. It must be said that my local network (GREEN) at one of the sites is fairly $%#&! because the other site's mail passes through it and it depends on another gateway. What's more, it eats up 80% of the VPN network's resources. That is one explanation; besides, I am going to change the config by adding an ORANGE zone and arrange for the remote site to reach the mail server via the Internet. That way the VPN network will be dedicated exclusively to operating the application servers remotely.
So my network will be relieved (by 80%)!!! I should no longer see disconnections (in principle).

I will keep you informed!

Regards

Post by Franck78 » 19 Oct 2006 23:41

papythian wrote: Hello,

So my network will be relieved (by 80%)!!! I should no longer see disconnections (in principle).



Not convinced that this will change anything. Apart from reducing the computation load (crypto) for the processors, I don't really see how it will change the quality of the link.
Franck