Problem: IPsec VPN starts connecting but never completes
-
Hello everyone,
I am running into a problem while configuring my IPsec VPN.
First, here is my infrastructure:
-------------Company network------------- | --- INTERNET --- | -----------Remote network------------
|PC1| --- |PFsense02| --- |routeur1| --- |fortigate| --- {Internet} --- |routeur/box2| --- |PFsense03| --- |PC2|
LAN : 10.1.1.0/24 -------------------------------------------------------------------------------------LAN : 10.200.1.0/24
Here are the changes to my routers/FW:
I already have an IPsec VPN with one of our software vendors, so ports 500 and 4500 are already in use.
So I added a VIP in my fortigate to redirect from my public IP to the WAN IP of PFsense02 (from IP-Publique:60500 to IP-WAN:500 and IP-Public:64500 to IP-WAN:4500).
My routeur2 being a BOX without a fixed public IP, I configured a dynamic DNS, which works correctly.
I also added 2 NAT/PAT rules in my routeur2 (from IP-Publique:60500 to IP-WAN:500 and IP-Public:64500 to IP-WAN:4500).
I don't know whether it matters, but the WAN of my PFsense02 and PFsense03 are the same.
PFsense configuration:
PFsense02:
Phase 1:
-IKEv2
-IPv4
-WAN
-my dynDNS
Proposal authentication:
-Mutual PSK
-My IP address
-Any (for testing)
-PSK : XXXX
Proposal encryption :
-AES / 256 / SHA1 / 2
Expiration ... :
-28800
-auto
-auto
-auto
Advanced ... :
everything default
Phase 2:
-Tunnel IPV4
-LAN
-None
-Network (my PFsense03 LAN)
Proposal:
SA ... :
-ESP
-AES auto
-SHA1 SHA256
-PFS key Group :5
Expiration :
everything default except the custom IKE/NAT-T Ports: 60500 and 64500
My PFsense03 has the same configuration except with the company's public IP in place of my dynDNS.
When I start the VPN connection, on the remote PFsense I do see the VPN add an "IKEv2 Responder" line, but it goes no further.
Here are the logs from PFsense1 (the IPs have been masked):
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating new tasks
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_VENDOR task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_INIT task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_NATD task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CERT_PRE task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_AUTH task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CERT_POST task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CONFIG task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating CHILD_CREATE task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_AUTH_LIFETIME task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> initiating IKE_SA con100000[13] to 109.219.6.2
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_SA con100000[13] state change: CREATED => CONNECTING
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[500] to IP-Publique-Routeur2[60500] (336 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> received packet: from IP-Publique-Routeur2[60500] to WAN-PFsense02[500] (344 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received FRAGMENTATION_SUPPORTED notify
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received SIGNATURE_HASH_ALGORITHMS notify
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received CHILDLESS_IKEV2_SUPPORTED notify
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selecting proposal:
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposal matches
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> received supported signature hash algorithms: sha256 sha384 sha512 identity
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> local host is behind NAT, sending keep alives
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> remote host is behind NAT
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> reinitiating already active tasks
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_CERT_PRE task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_AUTH task
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> authentication of 'WAN-PFsense02' (myself) with pre-shared key
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> successfully created shared key MAC
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposing traffic selectors for us:
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> 10.1.1.0/24|/0
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposing traffic selectors for other:
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> 10.200.1.0/24|/0
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> establishing CHILD_SA con100000{12}
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_AUTH request 1 [ IDi AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Publique-Routeur2[4500] (252 bytes)
Sep 8 09:49:37 pfSense-02 charon[93010]: 11[CFG] vici client 394 connected
Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 registered for: list-sa
Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 requests: list-sas
Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 disconnected
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[NET] <14> received packet: from IP-Publique-Routeur2[1024] to WAN-PFsense02[500] (336 bytes)
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> looking for an IKEv2 config for WAN-PFsense02...IP-Publique-Routeur2
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> candidate: WAN-PFsense02...monddns, prio 3100
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> found matching ike config: WAN-PFsense02...monddns with prio 3100
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> IP-Publique-Routeur2 is initiating an IKE_SA
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> selecting proposal:
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> proposal matches
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> received supported signature hash algorithms: sha256 sha384 sha512 identity
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> local host is behind NAT, sending keep alives
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> remote host is behind NAT
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[NET] <14> sending packet: from WAN-PFsense02[500] to IP-Publique-Routeur2[1024] (344 bytes)
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[IKE] <con100000|13> retransmit 1 of request with message ID 1
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Publique-Routeur2[4500] (252 bytes)
Sep 8 09:49:42 pfSense-02 charon[93010]: 09[CFG] vici client 395 connected
Sep 8 09:49:42 pfSense-02 charon[93010]: 14[CFG] vici client 395 registered for: list-sa
Sep 8 09:49:42 pfSense-02 charon[93010]: 14[CFG] vici client 395 requests: list-sas
Sep 8 09:49:42 pfSense-02 charon[93010]: 08[CFG] vici client 395 disconnected
Sep 8 09:49:47 pfSense-02 charon[93010]: 14[CFG] vici client 396 connected
Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 registered for: list-sa
Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 requests: list-sas
Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 disconnected
Sep 8 09:49:48 pfSense-02 charon[93010]: 08[IKE] <con100000|13> retransmit 2 of request with message ID 1
...
My hypothesis is that the error happens at this point:
Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
I tried switching to IKEv1, setting one of the two PFsense to "Responder Only", and I tried forwarding ports 1024 or 1011, but each time it's the same thing: the other PFsense receives the information but gets stuck at a point I can't identify.
I don't know IPsec VPN well enough to find the solution and the step that is causing the problem.
So I'm reaching out to anyone who has already had this problem or who knows the subject, to get it working and help future people get unstuck.
If you need more information, don't hesitate to ask.
Thanks in advance.
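As an added example that is not part of the original post: a small Python parser over charon lines like the ones posted above. It pulls out of the log the things worth comparing against the configuration before changing anything: the configured IKE and CHILD_SA proposals, the destination port used for IKE_SA_INIT versus the one used for the IKE_AUTH request once both hosts were detected behind NAT, and the retransmit count per message ID. The sample log is a constructed subset of the lines posted above (same masked placeholders), the SA name con100000|13 is the one appearing in that log, the expected NAT-T port 64500 is the custom port from the post's configuration, and ESP is the protocol the post says Phase 2 uses. The function and field names are this example's own, not pfSense or strongSwan APIs.

```python
"""Summarise one IKEv2 negotiation from strongSwan charon log lines (pfSense).

Added example, not code from the original post. SAMPLE_LOG is a constructed
subset of the posted log; parse_charon_log() and check_negotiation() are this
example's own helpers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the pfSense-02 charon log from the post,
# keeping the lines for SA con100000|13 that matter for the checks below.
SAMPLE_LOG = """\
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> initiating IKE_SA con100000[13] to 109.219.6.2
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[500] to IP-Publique-Routeur2[60500] (336 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> received packet: from IP-Publique-Routeur2[60500] to WAN-PFsense02[500] (344 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> local host is behind NAT, sending keep alives
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> remote host is behind NAT
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_AUTH request 1 [ IDi AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Publique-Routeur2[4500] (252 bytes)
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[IKE] <con100000|13> retransmit 1 of request with message ID 1
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Publique-Routeur2[4500] (252 bytes)
Sep 8 09:49:48 pfSense-02 charon[93010]: 08[IKE] <con100000|13> retransmit 2 of request with message ID 1
"""

# charon line: "NN[SUBSYS] <sa-name|id> message"; the <...> tag is absent on vici lines.
LINE_RE = re.compile(r"charon\[\d+\]: \d+\[(?P<subsys>[A-Z]+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
GEN_RE = re.compile(r"generating (?P<exch>[A-Z_]+) request (?P<mid>\d+)")
SEND_RE = re.compile(r"sending packet: from (?P<src>\S+)\[(?P<sport>\d+)\] to (?P<dst>\S+)\[(?P<dport>\d+)\]")
PROP_RE = re.compile(r"configured proposals: (?P<props>.+)")
RETR_RE = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")


@dataclass
class IkeSummary:
    sa: str
    ike_proposals: list[str] = field(default_factory=list)
    child_proposals: list[str] = field(default_factory=list)
    sent: dict[str, tuple[int, int]] = field(default_factory=dict)  # exchange -> (sport, dport) of first send
    local_behind_nat: bool = False
    remote_behind_nat: bool = False
    retransmits: dict[int, int] = field(default_factory=dict)  # message ID -> highest retransmit seen


def parse_charon_log(text: str, sa: str = "con100000|13") -> IkeSummary:
    """Walk the log and keep only the lines tagged with the given IKE_SA."""
    s = IkeSummary(sa=sa)
    pending = None  # exchange whose request was generated but not yet sent
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("sa") != sa:
            continue
        msg = m.group("msg")
        if g := GEN_RE.search(msg):
            pending = g.group("exch")
        elif g := SEND_RE.search(msg):
            if pending is not None:  # first send of that request; retransmits are not re-recorded
                s.sent[pending] = (int(g.group("sport")), int(g.group("dport")))
                pending = None
        elif g := PROP_RE.search(msg):
            for p in g.group("props").split(", "):
                (s.ike_proposals if p.startswith("IKE:") else s.child_proposals).append(p)
        elif g := RETR_RE.search(msg):
            mid = int(g.group("mid"))
            s.retransmits[mid] = max(s.retransmits.get(mid, 0), int(g.group("n")))
        elif msg.startswith("local host is behind NAT"):
            s.local_behind_nat = True
        elif msg.startswith("remote host is behind NAT"):
            s.remote_behind_nat = True
    return s


def child_protocols(s: IkeSummary) -> set[str]:
    """Protocol prefixes (ESP/AH) of the configured CHILD_SA proposals."""
    return {p.split(":", 1)[0] for p in s.child_proposals}


def check_negotiation(s: IkeSummary, expected_nat_t_port: int, expected_child_proto: str = "ESP") -> list[str]:
    """Compare what charon actually did with what the port forward and Phase 2 config expect."""
    findings: list[str] = []
    init, auth = s.sent.get("IKE_SA_INIT"), s.sent.get("IKE_AUTH")
    if init and auth and (s.local_behind_nat or s.remote_behind_nat):
        findings.append(f"NAT detected: IKE_SA_INIT went to UDP/{init[1]}, IKE_AUTH switched to UDP/{auth[1]}")
        if auth[1] != expected_nat_t_port:
            findings.append(f"IKE_AUTH destination port {auth[1]} differs from the forwarded NAT-T port {expected_nat_t_port}")
    protos = child_protocols(s)
    if protos and expected_child_proto not in protos:
        findings.append(f"CHILD_SA proposals use {sorted(protos)}, not {expected_child_proto}")
    for mid, n in sorted(s.retransmits.items()):
        findings.append(f"request with message ID {mid} retransmitted {n} time(s)")
    return findings


if __name__ == "__main__":
    for finding in check_negotiation(parse_charon_log(SAMPLE_LOG), expected_nat_t_port=64500):
        print("-", finding)
```

Against the sample, the check reports that IKE_SA_INIT was sent to UDP/60500 but the IKE_AUTH request, after both hosts were detected behind NAT, went to UDP/4500 rather than the forwarded 64500; that the CHILD_SA proposals charon logs are AH while the post says Phase 2 is ESP; and that message ID 1 was retransmitted twice. Whether either mismatch is the actual cause is for the poster to confirm on PFsense03, but these are the log lines to hold against the NAT/PAT rules and the Phase 2 settings.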