IPSec Pfsense with Citrix Netscaler



  • Hello,

    I need to set up an IPsec VPN between 2 sites.
    One site has a pfSense:

    System Netgate SG-8860
    Version 2.4.3-RELEASE-p1 (amd64)

    And on the other side a Citrix Netscaler (which is not managed by me)

    Here are the logs I get:

    Aug 9 17:01:45 charon 06[CFG] vici client 941 disconnected
    Aug 9 17:01:45 charon 06[CFG] vici client 941 requests: list-sas
    Aug 9 17:01:45 charon 07[CFG] vici client 941 registered for: list-sa
    Aug 9 17:01:45 charon 10[CFG] vici client 941 connected
    Aug 9 17:01:40 charon 04[NET] sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500]
    Aug 9 17:01:40 charon 09[NET] <479> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (36 bytes)
    Aug 9 17:01:40 charon 09[ENC] <479> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Aug 9 17:01:40 charon 09[IKE] <479> received proposals inacceptable
    Aug 9 17:01:40 charon 09[IKE] received proposals inacceptable
    Aug 9 17:01:40 charon 09[IKE] <479> remote host is behind NAT
    Aug 9 17:01:40 charon 09[IKE] remote host is behind NAT
    Aug 9 17:01:40 charon 09[CFG] <479> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Aug 9 17:01:40 charon 09[CFG] <479> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_MD5/MODP_1024
    Aug 9 17:01:40 charon 09[CFG] <479> no acceptable PSEUDO_RANDOM_FUNCTION found
    Aug 9 17:01:40 charon 09[CFG] <479> selecting proposal:
    Aug 9 17:01:40 charon 09[IKE] <479> xx.xx.xx.xx is initiating an IKE_SA
    Aug 9 17:01:40 charon 09[IKE] xx.xx.xx.xx is initiating an IKE_SA
    Aug 9 17:01:40 charon 09[CFG] <479> found matching ike config: xx.xx.xx.xx...xx.xx.xx.xx with prio 3100
    Aug 9 17:01:40 charon 09[CFG] <479> candidate: xx.xx.xx.xx...xx.xx.xx.xx, prio 3100
    Aug 9 17:01:40 charon 09[CFG] <479> looking for an ike config for xx.xx.xx.xx...xx.xx.xx.xx
    Aug 9 17:01:40 charon 09[ENC] <479> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Aug 9 17:01:40 charon 09[NET] <479> received packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (312 bytes)
    Aug 9 17:01:40 charon 03[NET] waiting for data on sockets
    Aug 9 17:01:40 charon 03[NET] received packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500]
    Aug 9 17:01:40 charon 03[NET] 304: A5 56 2F 35 AF E4 67 20 .V/5..g
    Aug 9 17:01:40 charon 03[NET] 288: 00 00 40 05 19 D5 94 36 6B 97 BF ED 8B D3 08 52 ..@....6k......R
    Aug 9 17:01:40 charon 03[NET] 272: A0 B4 1F 02 1A 82 A7 5B 37 B1 E1 B7 00 00 00 1C .......[7.......
    Aug 9 17:01:40 charon 03[NET] 256: 29 00 00 1C 00 00 40 04 06 40 CE 3F B2 46 F4 14 ).....@..@.?.F..
    Aug 9 17:01:40 charon 03[NET] 240: DB 5C 3B CB 58 EF 8F DD 3C 95 E7 2A E8 76 B5 AD .;.X...<..*.v..
    Aug 9 17:01:40 charon 03[NET] 224: FB E9 B2 DC 94 F8 1E 42 8C 86 75 BC E4 F6 0D 26 .......B..u....&
    Aug 9 17:01:40 charon 03[NET] 208: 2C C5 0A 1B C7 B6 22 5A 81 C8 C6 F4 29 00 00 24 ,....."Z....)..$
    Aug 9 17:01:40 charon 03[NET] 192: 4D 42 26 59 63 79 BA 07 B3 37 00 E5 41 DF 14 58 MB&Ycy...7..A..X
    Aug 9 17:01:40 charon 03[NET] 176: A1 3A 21 4C B0 BB 25 31 00 A2 46 2D DC 54 EA 6D .:!L..%1..F-.T.m
    Aug 9 17:01:40 charon 03[NET] 160: 96 60 C9 A3 FD F7 C7 87 1F 41 15 1B 27 82 9C 88 ........A..'...
    Aug 9 17:01:40 charon 03[NET] 144: 62 20 C3 6C 46 4E 1D F4 D1 1C 9C 43 99 21 C2 F6 b .lFN.....C.!..
    Aug 9 17:01:40 charon 03[NET] 128: 0B F2 37 06 9E 31 70 EC 81 E0 57 58 23 83 20 E7 ..7..1p...WX#. .
    Aug 9 17:01:40 charon 03[NET] 112: 87 C5 D2 D8 30 F6 33 61 CE 79 A3 B2 03 7A 4B DF ....0.3a.y...zK.
    Aug 9 17:01:40 charon 03[NET] 96: AF 1F CC EC C7 8A B2 05 AC 92 84 90 2F 75 1C 94 ............/u..
    Aug 9 17:01:40 charon 03[NET] 80: 04 00 00 02 28 00 00 88 00 02 00 00 04 5C D5 B5 ....(........\..
    Aug 9 17:01:40 charon 03[NET] 64: 03 00 00 0C 03 00 00 08 03 00 00 02 00 00 00 08 ................
    Aug 9 17:01:40 charon 03[NET] 48: 80 0E 00 80 03 00 00 08 02 00 00 01 03 00 00 08 ................
    Aug 9 17:01:40 charon 03[NET] 32: 00 00 00 34 01 01 00 05 03 00 00 0C 01 00 00 0C ...4............
    Aug 9 17:01:40 charon 03[NET] 16: 21 20 22 08 00 00 00 00 00 00 01 38 22 00 00 38 ! "........8"..8
    Aug 9 17:01:40 charon 03[NET] 0: 65 C2 F6 EF 60 C1 C2 CF 00 00 00 00 00 00 00 00 e..............
    Aug 9 17:01:40 charon 03[NET] received packet => 312 bytes @ 0x7fffdfdfa5e0



  • received proposals inacceptable

    Are you sure you have consistent configurations at each end (that is to say, strictly identical in every detail)? The DH parameter, perhaps?
    IPSec configurations between different vendors' devices can turn out to be permanently incompatible.



  • @infra-tnb said in IPSec Pfsense with Citrix Netscaler:

    KE: AES_CBC_128 / HMAC_SHA2_256_128 / HMAC_SHA1_96 / PRF_HMAC_MD5 / MODP_102

    The DH parameter seems correct, since there is MODP_1024 on both sides.

    I tried switching the pfSense to MD5, but in that case I end up with this configuration: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
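The two charon lines "configured proposals" and "received proposals" in the first post contain everything needed to see why the IKE_SA_INIT is answered with N(NO_PROP): charon compares the peers transform by transform type (encryption, integrity, PRF, DH group) and names the first type with no common value in its "no acceptable ... found" message. The script below is an added example, not code from either poster or from pfSense/strongSwan. It parses those two log lines, splits each proposal string into its transform types, and reports the types that do not intersect. Run on the proposal strings quoted in this thread it shows that the original configuration fails only on the PRF (PRF_HMAC_SHA2_256 on the pfSense side versus PRF_HMAC_MD5 from the Netscaler, the DH group being fine as noted above), and that the MD5 attempt from the last post fails on the integrity algorithm instead (HMAC_MD5_96 versus the SHA2_256_128/SHA1_96 offered by the peer). The prefix-based classification of transform names is an assumption that covers the usual strongSwan spellings; the real selection logic in charon is more elaborate.

```python
import re

# Transform types in the order strongSwan prints them inside one IKE proposal.
ORDER = [
    "ENCRYPTION_ALGORITHM",
    "INTEGRITY_ALGORITHM",
    "PSEUDO_RANDOM_FUNCTION",
    "DIFFIE_HELLMAN_GROUP",
]

# Matches the two charon [CFG] lines that explain a NO_PROPOSAL_CHOSEN.
PROPOSAL_RE = re.compile(r"(configured|received) proposals: (.+)$")

# Sample input: the three relevant log lines copied from the first post
# (addresses were already masked by the poster).
SAMPLE_LOG = [
    "Aug 9 17:01:40 charon 09[CFG] <479> configured proposals: "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
    "Aug 9 17:01:40 charon 09[CFG] <479> received proposals: "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_MD5/MODP_1024",
    "Aug 9 17:01:40 charon 09[CFG] <479> no acceptable PSEUDO_RANDOM_FUNCTION found",
]


def transform_type(name):
    """Classify one transform name by its prefix. Assumption: names use the
    usual strongSwan spelling (PRF_*, MODP_*/ECP_*/CURVE_*, HMAC_*, ...)."""
    if name.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_128, 3DES_CBC, AES_GCM_16_128, ...


def parse_proposals(text):
    """'IKE:A/B/C, IKE:D/E' -> [{type: {names}}, {type: {names}}]."""
    proposals = []
    for prop in text.split(","):
        prop = prop.strip().split(":", 1)[-1]  # drop the IKE:/ESP: prefix
        by_type = {}
        for name in prop.split("/"):
            by_type.setdefault(transform_type(name), set()).add(name)
        proposals.append(by_type)
    return proposals


def _matches(conf, recv):
    """One configured and one received proposal agree when every transform
    type that either side lists has at least one value in common."""
    types = [t for t in ORDER if t in conf or t in recv]
    return all(conf.get(t, set()) & recv.get(t, set()) for t in types)


def unmatched_types(configured, received):
    """Return [] when some configured proposal matches some received one,
    otherwise the transform types (in strongSwan order) with no value in
    common across all proposals; charon names the first of these in its
    'no acceptable <TYPE> found' message."""
    conf_list = parse_proposals(configured)
    recv_list = parse_proposals(received)
    if any(_matches(c, r) for c in conf_list for r in recv_list):
        return []
    conf_all, recv_all = {}, {}
    for props, merged in ((conf_list, conf_all), (recv_list, recv_all)):
        for p in props:
            for t, names in p.items():
                merged.setdefault(t, set()).update(names)
    return [t for t in ORDER if (t in conf_all or t in recv_all)
            and not conf_all.get(t, set()) & recv_all.get(t, set())]


def diagnose(log_lines):
    """Pull both proposal lines out of charon output and compare them."""
    found = {}
    for line in log_lines:
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    missing = {"configured", "received"} - set(found)
    if missing:
        raise ValueError("log lacks %s proposals line" % ", ".join(sorted(missing)))
    return unmatched_types(found["configured"], found["received"])


if __name__ == "__main__":
    print("transform types without a common value:", diagnose(SAMPLE_LOG))
```

Feeding the MD5 configuration from the last post to unmatched_types against the same received string returns INTEGRITY_ALGORITHM rather than PSEUDO_RANDOM_FUNCTION, which is the quickest way to confirm that a change fixed one mismatch and introduced another before asking the other side to touch their Netscaler.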

