Problem bringing up an IPsec VPN
-
Hello,
I'm having trouble bringing up an IPsec VPN between two pfSense routers over the internet.
I think my config is right, but I can't tell from the logs whether the problem is in phase 1 or phase 2:
Mar 14 10:47:15 charon 05[CFG] vici client 10 connected
Mar 14 10:47:15 charon 10[CFG] vici client 10 registered for: list-sa
Mar 14 10:47:15 charon 05[CFG] vici client 10 requests: list-sas
Mar 14 10:47:15 charon 10[CFG] vici client 10 disconnected
Mar 14 10:47:17 charon 15[CFG] received stroke: terminate 'con1'
Mar 14 10:47:17 charon 15[CFG] no IKE_SA named 'con1' found
Mar 14 10:47:17 charon 10[CFG] received stroke: initiate 'con1'
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_VENDOR task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_INIT task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_NATD task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CERT_PRE task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_AUTH task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CERT_POST task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_CONFIG task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing IKE_AUTH_LIFETIME task
Mar 14 10:47:17 charon 15[IKE] <con1|4>queueing CHILD_CREATE task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating new tasks
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_VENDOR task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_INIT task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_NATD task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CERT_PRE task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_AUTH task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CERT_POST task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_CONFIG task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating CHILD_CREATE task
Mar 14 10:47:17 charon 15[IKE] <con1|4>activating IKE_AUTH_LIFETIME task
Mar 14 10:47:17 charon 15[IKE] <con1|4>initiating IKE_SA con1[4] to 46.185.129.207
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CREATED => CONNECTING
Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 14 10:47:17 charon 15[CFG] <con1|4>sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 14 10:47:17 charon 15[NET] <con1|4>sending packet: from 192.168.1.179[500] to 47.195.129.207[500] (338 bytes)
Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[500] to 192.168.1.179[500] (338 bytes)
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 14 10:47:17 charon 15[IKE] <con1|4>received FRAGMENTATION_SUPPORTED notify
Mar 14 10:47:17 charon 15[IKE] <con1|4>received SIGNATURE_HASH_ALGORITHMS notify
Mar 14 10:47:17 charon 15[CFG] <con1|4>selecting proposal:
Mar 14 10:47:17 charon 15[CFG] <con1|4>proposal matches
Mar 14 10:47:17 charon 15[CFG] <con1|4>received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 14 10:47:17 charon 15[CFG] <con1|4>selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 14 10:47:17 charon 15[CFG] <con1|4>received supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Mar 14 10:47:17 charon 15[IKE] <con1|4>local host is behind NAT, sending keep alives
Mar 14 10:47:17 charon 15[IKE] <con1|4>remote host is behind NAT
Mar 14 10:47:17 charon 15[IKE] <con1|4>reinitiating already active tasks
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_CERT_PRE task
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_AUTH task
Mar 14 10:47:17 charon 15[IKE] <con1|4>authentication of '192.168.1.179' (myself) with pre-shared key
Mar 14 10:47:17 charon 15[IKE] <con1|4>successfully created shared key MAC
Mar 14 10:47:17 charon 15[CFG] <con1|4>proposing traffic selectors for us:
Mar 14 10:47:17 charon 15[CFG] <con1|4>172.16.1.0/24|/0
Mar 14 10:47:17 charon 15[CFG] <con1|4>proposing traffic selectors for other:
Mar 14 10:47:17 charon 15[CFG] <con1|4>172.16.20.0/24|/0
Mar 14 10:47:17 charon 15[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 14 10:47:17 charon 15[IKE] <con1|4>establishing CHILD_SA con1{5}
Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 14 10:47:17 charon 15[NET] <con1|4>sending packet: from 192.168.1.179[4500] to 47.195.129.207[4500] (332 bytes)
Mar 14 10:47:17 charon 14[CFG] vici client 11 connected
Mar 14 10:47:17 charon 14[CFG] vici client 11 registered for: list-sa
Mar 14 10:47:17 charon 06[CFG] vici client 11 requests: list-sas
Mar 14 10:47:17 charon 15[CFG] vici client 11 disconnected
Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[4500] to 192.168.1.179[4500] (76 bytes)
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
Mar 14 10:47:17 charon 15[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => DESTROYING
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
Mar 14 10:47:22 charon 10[CFG] vici client 12 connected
Mar 14 10:47:22 charon 14[CFG] vici client 12 registered for: list-sa
Mar 14 10:47:22 charon 10[CFG] vici client 12 requests: list-sas
Mar 14 10:47:22 charon 15[CFG] vici client 12 disconnected
Can you enlighten me?
Thanks in advance
-
Mar 14 10:47:17 charon 15[NET] <con1|4>received packet: from 47.195.129.207[4500] to 192.168.1.179[4500] (76 bytes)
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
Are you sure your configurations are properly aligned, in particular at the ESP level?
-
Yes, I just checked and they are identical.
Besides, I haven't changed much from the default configuration. Only the IPs.
-
Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 14 10:47:17 charon 15[IKE] <con1|4>received AUTHENTICATION_FAILED notify error
Mar 14 10:47:17 charon 15[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => DESTROYING
Mar 14 10:47:17 charon 15[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
Phase 1 is in error.
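As an added example (not from the thread, pfSense or strongSwan), the classifier below walks charon lines like the ones pasted above and reports where the IKEv2 negotiation stopped: an error notify in the IKE_SA_INIT response is a phase 1 proposal problem, N(AUTH_FAILED) in the IKE_AUTH response is a phase 1 authentication problem (the thread's case: the IKE proposal matched, the initiator authenticated itself as '192.168.1.179' with a pre-shared key, and the responder refused before any CHILD_SA existed), and only a CHILD_SA-specific notify in IKE_AUTH points at phase 2. The notify short names other than AUTH_FAILED are taken from strongSwan's log abbreviations as I know them, and the PHASE2_LOG lines are constructed, not from the thread.

```python
import re

# Notify names are charon's short forms: AUTH_FAILED is in the thread; NO_PROP, INVAL_KE and
# TS_UNACCEPT abbreviate NO_PROPOSAL_CHOSEN, INVALID_KE_PAYLOAD and TS_UNACCEPTABLE (assumed).
RESPONSE_RE = re.compile(r"parsed (IKE_SA_INIT|IKE_AUTH) response \d+ \[(.*)\]")
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")
# (exchange the notify arrives in, notify -> meaning, phase it points at). Order matters:
# in IKE_AUTH an AUTH_FAILED is phase 1; only a CHILD_SA-specific notify is phase 2.
CHECKS = [
    ("IKE_SA_INIT", {"NO_PROP": "IKE proposal mismatch", "INVAL_KE": "DH group mismatch"}, "1"),
    ("IKE_AUTH", {"AUTH_FAILED": "peer rejected our authentication (PSK or identifier)"}, "1"),
    ("IKE_AUTH", {"NO_PROP": "ESP proposal mismatch", "TS_UNACCEPT": "traffic selector mismatch"}, "2"),
]

# Excerpt of the thread's log: the four lines that carry the negotiation state.
THREAD_LOG = [
    "Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]",
    "Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]",
    "Mar 14 10:47:17 charon 15[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]",
    "Mar 14 10:47:17 charon 15[ENC] <con1|4>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
]
# Constructed counter-example: authentication passed, but the peer rejected the networks.
PHASE2_LOG = [
    "Mar 14 11:00:00 charon 07[ENC] <con1|5>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]",
    "Mar 14 11:00:00 charon 07[ENC] <con1|5>parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]",
]

def classify_ike_failure(lines: list[str]) -> dict[str, str]:
    """Walk charon log lines in order and report the phase in which IKEv2 stopped."""
    last_request = "none"
    for line in lines:
        if "generating IKE_SA_INIT request" in line:
            last_request = "IKE_SA_INIT"
        elif "generating IKE_AUTH request" in line:
            last_request = "IKE_AUTH"
        elif "giving up after" in line:  # retransmits exhausted: the peer never answered
            return {"phase": "1", "exchange": last_request, "reason": "no response from peer"}
        m = RESPONSE_RE.search(line)
        if not m:
            continue
        exchange, payloads = m.groups()
        notifies = NOTIFY_RE.findall(payloads)
        for check_exchange, table, phase in CHECKS:
            for n in notifies:
                if check_exchange == exchange and n in table:
                    return {"phase": phase, "exchange": exchange, "reason": table[n]}
        if exchange == "IKE_AUTH":  # peer answered with AUTH and no error notify
            return {"phase": "ok", "exchange": exchange, "reason": "IKE_SA and CHILD_SA established"}
    return {"phase": "unknown", "exchange": last_request, "reason": "no response parsed"}
```

Run on the thread's lines it reports phase 1 at IKE_AUTH; note that the initiator's identity in the log is the private address 192.168.1.179 while both ends are behind NAT, so the responder must be configured to accept exactly that identifier (and the same PSK) for IKE_AUTH to succeed.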