    Netgate Discussion Forum
    Problem setting up an IPSEC VPN

    • M
      mehrunes last edited by

      Hello,

      I'm having trouble setting up an IPSEC VPN between two pfSense routers over the internet.
      I think my config is correct, but I can't work out from the logs whether the problem occurs in phase 1 or in phase 2.

      Mar 14 10:47:15 charon 05[CFG] vici client 10 connected
      Mar 14 10:47:15 charon 10[CFG] vici client 10 registered for: list-sa
      Mar 14 10:47:15 charon 05[CFG] vici client 10 requests: list-sas
      Mar 14 10:47:15 charon 10[CFG] vici client 10 disconnected
      Mar 14 10:47:17 charon 15[CFG] received stroke: terminate 'con1'
      Mar 14 10:47:17 charon 15[CFG] no IKE_SA named 'con1' found
      Mar 14 10:47:17 charon 10[CFG] received stroke: initiate 'con1'
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_VENDOR task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_INIT task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_NATD task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CERT_PRE task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_AUTH task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CERT_POST task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CONFIG task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_AUTH_LIFETIME task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing CHILD_CREATE task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating new tasks
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_VENDOR task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_INIT task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_NATD task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CERT_PRE task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_AUTH task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CERT_POST task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CONFIG task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating CHILD_CREATE task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_AUTH_LIFETIME task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>initiating IKE_SA con1[4] to 46.185.129.207
      Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CREATED => CONNECTING
      Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 14 10:47:17 charon 15[CFG] <con1|4>sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
      Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Mar 14 10:47:17 charon 15[NET] <con1|4>sending packet: from 192.168.1.179[500] to 47.195.129.207[500] (338 bytes)
      Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[500] to 192.168.1.179[500] (338 bytes)
      Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Mar 14 10:47:17 charon 15[IKE] <con1|4>received FRAGMENTATION_SUPPORTED notify
      Mar 14 10:47:17 charon 15[IKE] <con1|4>received SIGNATURE_HASH_ALGORITHMS notify
      Mar 14 10:47:17 charon 15[CFG] <con1|4>selecting proposal:
      Mar 14 10:47:17 charon 15[CFG] <con1|4>proposal matches
      Mar 14 10:47:17 charon 15[CFG] <con1|4>received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 14 10:47:17 charon 15[CFG] <con1|4>selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 14 10:47:17 charon 15[CFG] <con1|4>received supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
      Mar 14 10:47:17 charon 15[IKE] <con1|4>local host is behind NAT, sending keep alives
      Mar 14 10:47:17 charon 15[IKE] <con1|4>remote host is behind NAT
      Mar 14 10:47:17 charon 15[IKE] <con1|4>reinitiating already active tasks
      Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_CERT_PRE task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_AUTH task
      Mar 14 10:47:17 charon 15[IKE] <con1|4>authentication of '192.168.1.179' (myself) with pre-shared key
      Mar 14 10:47:17 charon 15[IKE] <con1|4>successfully created shared key MAC
      Mar 14 10:47:17 charon 15[CFG] <con1|4>proposing traffic selectors for us:
      Mar 14 10:47:17 charon 15[CFG] <con1|4>172.16.1.0/24|/0
      Mar 14 10:47:17 charon 15[CFG] <con1|4>proposing traffic selectors for other:
      Mar 14 10:47:17 charon 15[CFG] <con1|4>172.16.20.0/24|/0
      Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Mar 14 10:47:17 charon 15[IKE] <con1|4>establishing CHILD_SA con1{5}
      Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Mar 14 10:47:17 charon 15[NET] <con1|4>sending packet: from 192.168.1.179[4500] to 47.195.129.207[4500] (332 bytes)
      Mar 14 10:47:17 charon 14[CFG] vici client 11 connected
      Mar 14 10:47:17 charon 14[CFG] vici client 11 registered for: list-sa
      Mar 14 10:47:17 charon 06[CFG] vici client 11 requests: list-sas
      Mar 14 10:47:17 charon 15[CFG] vici client 11 disconnected
      Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[4500] to 192.168.1.179[4500] (76 bytes)
      Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
      Mar 14 10:47:17 charon 15[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => DESTROYING
      Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
      Mar 14 10:47:22 charon 10[CFG] vici client 12 connected
      Mar 14 10:47:22 charon 14[CFG] vici client 12 registered for: list-sa
      Mar 14 10:47:22 charon 10[CFG] vici client 12 requests: list-sas
      Mar 14 10:47:22 charon 15[CFG] vici client 12 disconnected

      Can you enlighten me?

      Thanks in advance

      • C
        chris4916 last edited by

        @mehrunes:

        Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[4500] to 192.168.1.179[4500] (76 bytes)
        Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
        Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error

        Are you sure your configurations are properly aligned, in particular at the ESP level?

        Jah Olela Wembo: Words turn into wounds when they upset, attack, or hurt.

        • M
          mehrunes last edited by

          Yes, I just checked and they are identical.

          Besides, I haven't changed much from the default configuration. Just the IPs.

          • J
            Juve last edited by

            Mar 14 10:47:17    charon      15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
            Mar 14 10:47:17    charon      15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
            Mar 14 10:47:17    charon      15[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => DESTROYING
            Mar 14 10:47:17    charon      15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING

            Phase 1 is in error.

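The question in this thread, reading charon lines to tell a phase 1 failure from a phase 2 failure, can be worked through in code. This is an added example, not code from any poster here nor from pfSense or strongSwan: a small Python parser that tags each rejected exchange as phase 1 (IKE_SA) or phase 2 (CHILD_SA). The sample log is a shortened copy of the lines quoted above; the `NO_PROP` and `TS_UNACCEPT` notify names are assumptions about strongSwan's short names and do not appear on this page.

```python
import re

# Constructed sample: a shortened copy of the charon lines quoted in this thread.
SAMPLE_LOG = """\
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 14 10:47:17 charon 15[CFG] <con1|4>selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 14 10:47:17 charon 15[IKE] <con1|4>authentication of '192.168.1.179' (myself) with pre-shared key
Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr ]
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
"""

PARSED = re.compile(r"\[ENC\] <(?P<sa>[^>]+)>\s*parsed (?P<exch>\w+) response \d+ \[ (?P<payloads>.*) \]")
LOCAL_ID = re.compile(r"<(?P<sa>[^>]+)>\s*authentication of '(?P<id>[^']+)' \(myself\) with (?P<method>.+)$")
NOTIFY = re.compile(r"N\((\w+)\)")

# Assumed strongSwan short names (not on this page) for notifies that reject
# only the CHILD_SA: the IKE_SA itself has authenticated by then.
CHILD_ERRORS = {"NO_PROP", "TS_UNACCEPT"}


def diagnose(log_text):
    """Return one finding per rejected exchange, tagged phase 1 or phase 2."""
    local_ids, findings = {}, []
    for line in log_text.splitlines():
        m = LOCAL_ID.search(line)
        if m:  # remember which identity and method we presented on this SA
            local_ids[m["sa"]] = (m["id"], m["method"])
            continue
        m = PARSED.search(line)
        if not m:
            continue
        notifies = set(NOTIFY.findall(m["payloads"]))
        if m["exch"] == "IKE_SA_INIT":
            errors, phase = notifies & {"NO_PROP"}, 1   # IKE proposal refused
        elif m["exch"] == "IKE_AUTH" and "AUTH_FAILED" in notifies:
            errors, phase = {"AUTH_FAILED"}, 1           # peer rejected our authentication
        else:
            errors, phase = notifies & CHILD_ERRORS, 2   # tunnel (ESP/TS) refused
        ident, method = local_ids.get(m["sa"], (None, None))
        for err in sorted(errors):
            findings.append({"sa": m["sa"], "phase": phase, "exchange": m["exch"],
                             "notify": err, "local_id": ident, "auth": method})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Each finding also carries the identity and method the initiator presented, since with a pre-shared key the responder has to accept both that identity and the key before it answers IKE_AUTH with anything other than `AUTH_FAILED`.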