Problem bringing up an IPSEC VPN



  • Hello,

    I'm having trouble bringing up an IPSEC VPN between two pfSense routers over the internet.
    I think my config is correct, but I can't work out from the logs whether the problem is in phase 1 or phase 2

    Mar 14 10:47:15 charon 05[CFG] vici client 10 connected
    Mar 14 10:47:15 charon 10[CFG] vici client 10 registered for: list-sa
    Mar 14 10:47:15 charon 05[CFG] vici client 10 requests: list-sas
    Mar 14 10:47:15 charon 10[CFG] vici client 10 disconnected
    Mar 14 10:47:17 charon 15[CFG] received stroke: terminate 'con1'
    Mar 14 10:47:17 charon 15[CFG] no IKE_SA named 'con1' found
    Mar 14 10:47:17 charon 10[CFG] received stroke: initiate 'con1'
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_VENDOR task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_INIT task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_NATD task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CERT_PRE task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_AUTH task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CERT_POST task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CONFIG task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_AUTH_LIFETIME task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing CHILD_CREATE task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating new tasks
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_VENDOR task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_INIT task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_NATD task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CERT_PRE task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_AUTH task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CERT_POST task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CONFIG task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating CHILD_CREATE task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_AUTH_LIFETIME task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>initiating IKE_SA con1[4] to 46.185.129.207
    Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CREATED => CONNECTING
    Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 14 10:47:17 charon 15[CFG] <con1|4>sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
    Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Mar 14 10:47:17 charon 15[NET] <con1|4>sending packet: from 192.168.1.179[500] to 47.195.129.207[500] (338 bytes)
    Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[500] to 192.168.1.179[500] (338 bytes)
    Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Mar 14 10:47:17 charon 15[IKE] <con1|4>received FRAGMENTATION_SUPPORTED notify
    Mar 14 10:47:17 charon 15[IKE] <con1|4>received SIGNATURE_HASH_ALGORITHMS notify
    Mar 14 10:47:17 charon 15[CFG] <con1|4>selecting proposal:
    Mar 14 10:47:17 charon 15[CFG] <con1|4>proposal matches
    Mar 14 10:47:17 charon 15[CFG] <con1|4>received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 14 10:47:17 charon 15[CFG] <con1|4>selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 14 10:47:17 charon 15[CFG] <con1|4>received supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
    Mar 14 10:47:17 charon 15[IKE] <con1|4>local host is behind NAT, sending keep alives
    Mar 14 10:47:17 charon 15[IKE] <con1|4>remote host is behind NAT
    Mar 14 10:47:17 charon 15[IKE] <con1|4>reinitiating already active tasks
    Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_CERT_PRE task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_AUTH task
    Mar 14 10:47:17 charon 15[IKE] <con1|4>authentication of '192.168.1.179' (myself) with pre-shared key
    Mar 14 10:47:17 charon 15[IKE] <con1|4>successfully created shared key MAC
    Mar 14 10:47:17 charon 15[CFG] <con1|4>proposing traffic selectors for us:
    Mar 14 10:47:17 charon 15[CFG] <con1|4>172.16.1.0/24|/0
    Mar 14 10:47:17 charon 15[CFG] <con1|4>proposing traffic selectors for other:
    Mar 14 10:47:17 charon 15[CFG] <con1|4>172.16.20.0/24|/0
    Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Mar 14 10:47:17 charon 15[IKE] <con1|4>establishing CHILD_SA con1{5}
    Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Mar 14 10:47:17 charon 15[NET] <con1|4>sending packet: from 192.168.1.179[4500] to 47.195.129.207[4500] (332 bytes)
    Mar 14 10:47:17 charon 14[CFG] vici client 11 connected
    Mar 14 10:47:17 charon 14[CFG] vici client 11 registered for: list-sa
    Mar 14 10:47:17 charon 06[CFG] vici client 11 requests: list-sas
    Mar 14 10:47:17 charon 15[CFG] vici client 11 disconnected
    Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[4500] to 192.168.1.179[4500] (76 bytes)
    Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
    Mar 14 10:47:17 charon 15[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => DESTROYING
    Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
    Mar 14 10:47:22 charon 10[CFG] vici client 12 connected
    Mar 14 10:47:22 charon 14[CFG] vici client 12 registered for: list-sa
    Mar 14 10:47:22 charon 10[CFG] vici client 12 requests: list-sas
    Mar 14 10:47:22 charon 15[CFG] vici client 12 disconnected

    Can you shed some light on this?

    Thanks in advance



  • @mehrunes:

    Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[4500] to 192.168.1.179[4500] (76 bytes)
    Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error

    Are you sure your configurations are properly aligned, in particular at the ESP level?



  • Yes, I just checked and they are identical.

    Besides, I haven't changed much from the default configuration. Just the IPs.



  • Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
    Mar 14 10:47:17 charon 15[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => DESTROYING
    Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING

    Phase 1 is failing.
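The question the thread turns on, phase 1 or phase 2, can be read mechanically from the charon log, because an IKEv2 negotiation fails in one of three places that charon reports differently: no answer to IKE_SA_INIT (retransmits), a notify error in IKE_SA_INIT or IKE_AUTH (phase 1: proposal or authentication), or a "no CHILD_SA built" notify after the IKE_SA is already established (phase 2: ESP proposal or traffic selectors). The script below is an added example, not code from the thread or from pfSense/strongSwan; it assumes the message formats of strongSwan's charon daemon (which pfSense's IPsec log shows) and uses constructed sample lines modelled on the ones posted above, with documentation-range addresses. It also flags one common cause of AUTHENTICATION_FAILED with pre-shared keys that the poster's log exhibits: the initiator authenticates as its private address (192.168.1.179) while behind NAT, so the responder must expect exactly that identifier. That check is a hint, not a certain diagnosis; the responder's own log is what confirms the reason.

```python
"""Triage strongSwan (charon) IKEv2 logs: did phase 1 or phase 2 fail?"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the thread's lines (documentation-range IPs).
# con1: IKE_AUTH rejected with AUTHENTICATION_FAILED (phase 1, PSK/identifier)
# con2: IKE_SA up, then TS_UNACCEPTABLE for the CHILD_SA (phase 2, networks)
# con3: IKE_SA_INIT never answered (peer unreachable / UDP 500 filtered)
SAMPLE_LOG = """\
Mar 14 10:47:17 charon 15[IKE] <con1|4>initiating IKE_SA con1[4] to 203.0.113.7
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 14 10:47:17 charon 15[CFG] <con1|4>selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 14 10:47:17 charon 15[IKE] <con1|4>local host is behind NAT, sending keep alives
Mar 14 10:47:17 charon 15[IKE] <con1|4>authentication of '192.168.1.179' (myself) with pre-shared key
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
Mar 14 10:49:01 charon 09[IKE] <con2|7>initiating IKE_SA con2[7] to 198.51.100.9
Mar 14 10:49:01 charon 09[ENC] <con2|7>parsed IKE_SA_INIT response 0 [ SA KE No ]
Mar 14 10:49:01 charon 09[IKE] <con2|7>IKE_SA con2[7] established between 203.0.113.20[203.0.113.20]...198.51.100.9[198.51.100.9]
Mar 14 10:49:01 charon 09[ENC] <con2|7>parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Mar 14 10:49:01 charon 09[IKE] <con2|7>received TS_UNACCEPTABLE notify, no CHILD_SA built
Mar 14 10:50:30 charon 11[IKE] <con3|9>initiating IKE_SA con3[9] to 198.51.100.10
Mar 14 10:50:34 charon 11[IKE] <con3|9>retransmit 1 of request with message ID 0
"""

SA_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<id>\d+)>(?P<msg>.*)$")
PARSED_RE = re.compile(r"parsed (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA) response")
IKE_ERR_RE = re.compile(r"received (\w+) notify error")          # IKE_SA-level rejection
CHILD_ERR_RE = re.compile(r"received (\w+) notify, no CHILD_SA built")  # CHILD_SA-level rejection
MYID_RE = re.compile(r"authentication of '([^']+)' \(myself\)")


@dataclass
class SaTrace:
    init_answered: bool = False
    ike_established: bool = False
    child_established: bool = False
    behind_nat: bool = False
    local_id: str = ""
    retransmits: int = 0
    exchange: str = "IKE_SA_INIT"              # exchange of the last parsed response
    errors: list = field(default_factory=list)  # (exchange, level, notify name)


def parse_log(text):
    """Group charon lines by IKE_SA tag (<conn|id>) and record the events that matter."""
    traces = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # vici chatter and other lines without an SA tag
        t = traces.setdefault(f"{m['conn']}[{m['id']}]", SaTrace())
        msg = m["msg"]
        if (p := PARSED_RE.search(msg)):
            t.exchange = p[1]
            if p[1] == "IKE_SA_INIT":
                t.init_answered = True
        elif (e := IKE_ERR_RE.search(msg)):
            t.errors.append((t.exchange, "IKE_SA", e[1]))
        elif (e := CHILD_ERR_RE.search(msg)):
            t.errors.append((t.exchange, "CHILD_SA", e[1]))
        elif (i := MYID_RE.search(msg)):
            t.local_id = i[1]
        elif "local host is behind NAT" in msg:
            t.behind_nat = True
        elif "retransmit" in msg and "of request" in msg:
            t.retransmits += 1
        elif re.search(r"IKE_SA \S+ established", msg):
            t.ike_established = True
        elif re.search(r"CHILD_SA \S+ established", msg):
            t.child_established = True
    return traces


def classify(t):
    """Return (phase, reason) for one IKE_SA, checked in the order the negotiation runs."""
    if not t.init_answered:
        detail = f" after {t.retransmits} retransmit(s)" if t.retransmits else ""
        return ("phase 1", f"no IKE_SA_INIT response{detail}: peer unreachable or UDP 500 filtered")
    for exchange, level, notify in t.errors:
        if exchange == "IKE_SA_INIT":
            return ("phase 1", f"{notify}: IKE proposal (cipher/hash/DH group) rejected by peer")
        if notify == "AUTHENTICATION_FAILED":
            return ("phase 1", "AUTHENTICATION_FAILED: pre-shared key or peer identifier rejected by peer")
        if level == "CHILD_SA" or notify in ("TS_UNACCEPTABLE", "NO_PROPOSAL_CHOSEN"):
            return ("phase 2", f"{notify}: ESP proposal or traffic selectors (phase 2 networks) rejected")
        return ("phase 1", f"{notify} in {exchange}")
    if t.child_established:
        return ("ok", "IKE_SA and CHILD_SA established")
    if t.ike_established:
        return ("phase 2", "IKE_SA up but no CHILD_SA established")
    return ("unknown", "trace incomplete")


def hints(t):
    """Configuration hints worth checking first (heuristics, not a certain diagnosis)."""
    out = []
    if t.behind_nat and t.local_id:
        try:
            if ipaddress.ip_address(t.local_id).is_private:
                out.append(f"local identifier is the private address {t.local_id} behind NAT; "
                           "the peer must expect exactly that identifier (not the public address), "
                           "or both sides should use an FQDN/DN identifier")
        except ValueError:
            pass  # identifier is not an IP address (FQDN, e-mail, DN)
    return out


def triage(text):
    """Map each IKE_SA in the log to its (phase, reason) verdict and hints."""
    return {key: (classify(t), hints(t)) for key, t in parse_log(text).items()}


if __name__ == "__main__":
    for sa, (verdict, tips) in triage(SAMPLE_LOG).items():
        print(sa, verdict, *tips, sep="\n  ")
```

Run it against a saved pfSense IPsec log (`python triage.py < ipsec.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and each IKE_SA gets one verdict. The distinction the two replies drew by eye is the one the classifier encodes: a notify error in IKE_AUTH is still phase 1, even though the initiator had already proposed its ESP algorithms and traffic selectors in that same message, so aligning the ESP settings (the first reply's suggestion) cannot be what the responder objected to here.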