Netgate Discussion Forum

    Problem: IPsec VPN starts connecting but never completes

    Aymeric (last edited by Aymeric)

      Hello all,

      I'm running into a problem while configuring my IPsec VPN.

      First, here is my infrastructure:

      -------------Company network------------- | --- INTERNET --- | -----------Remote network------------
      |PC1| --- |PFsense02| --- |router1| --- |fortigate| --- {Internet} --- |router/box2| --- |PFsense03| --- |PC2|
      LAN: 10.1.1.0/24 -------------------------------------------------------------------------------------LAN: 10.200.1.0/24

      Here are the changes made on my routers/firewalls:

      I already have an IPsec VPN with one of our software vendors, so ports 500 and 4500 are already in use.
      So I added a VIP on my Fortigate to forward from my public IP to the WAN IP of PFsense02 (public-IP:60500 to WAN-IP:500 and public-IP:64500 to WAN-IP:4500).

      Since my router2 is an ISP box without a fixed public IP, I set up dynamic DNS, which works correctly.
      I also added 2 NAT/PAT rules on my router2 (public-IP:60500 to WAN-IP:500 and public-IP:64500 to WAN-IP:4500).

      I don't know whether it matters, but the WAN addresses of my PFsense02 and PFsense03 are the same.

      pfSense configuration:

      PFsense02:

      Phase 1:
      -IKEv2
      -IPv4
      -WAN
      -my dynDNS
      Proposal authentication:
      -Mutual PSK
      -My IP address
      -Any (for testing)
      -PSK: XXXX
      Proposal encryption:
      -AES / 256 / SHA1 / 2
      Expiration ...:
      -28800
      -auto
      -auto
      -auto
      Advanced ...:
      everything left at defaults

      Phase 2:
      -Tunnel IPv4
      -LAN
      -None
      -Network (my PFsense03 LAN)
      Proposal:
      SA ...:
      -ESP
      -AES auto
      -SHA1 SHA256
      -PFS key group: 5
      Expiration:
      everything left at defaults except the custom IKE/NAT-T ports: 60500 and 64500

      My PFsense03 has the same configuration, except with the company's public IP in place of my dynDNS.

      When I start the VPN connection, on the remote pfSense I do see the VPN add an "IKEv2 Responder" line, but it goes no further.

      Here are the logs from PFsense1 (IPs have been masked):
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating new tasks
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_VENDOR task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_INIT task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_NATD task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CERT_PRE task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_AUTH task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CERT_POST task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CONFIG task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating CHILD_CREATE task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_AUTH_LIFETIME task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> initiating IKE_SA con100000[13] to 109.219.6.2
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_SA con100000[13] state change: CREATED => CONNECTING
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[500] to IP-Publique-Routeur2[60500] (336 bytes)
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> received packet: from IP-Publique-Routeur2[60500] to WAN-PFsense02[500] (344 bytes)
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received FRAGMENTATION_SUPPORTED notify
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received SIGNATURE_HASH_ALGORITHMS notify
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received CHILDLESS_IKEV2_SUPPORTED notify
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selecting proposal:
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposal matches
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> local host is behind NAT, sending keep alives
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> remote host is behind NAT
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> reinitiating already active tasks
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_CERT_PRE task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_AUTH task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> authentication of 'WAN-PFsense02' (myself) with pre-shared key
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> successfully created shared key MAC
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposing traffic selectors for us:
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> 10.1.1.0/24|/0
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposing traffic selectors for other:
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> 10.200.1.0/24|/0
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> establishing CHILD_SA con100000{12}
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_AUTH request 1 [ IDi AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Publique-Routeur2[4500] (252 bytes)
      Sep 8 09:49:37 pfSense-02 charon[93010]: 11[CFG] vici client 394 connected
      Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 registered for: list-sa
      Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 requests: list-sas
      Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 disconnected
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[NET] <14> received packet: from IP-Publique-Routeur2[1024] to WAN-PFsense02[500] (336 bytes)
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> looking for an IKEv2 config for WAN-PFsense02...IP-Publique-Routeur2
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> candidate: WAN-PFsense02...monddns, prio 3100
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> found matching ike config: WAN-PFsense02...monddns with prio 3100
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> IP-Publique-Routeur2 is initiating an IKE_SA
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> selecting proposal:
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> proposal matches
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> local host is behind NAT, sending keep alives
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> remote host is behind NAT
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[NET] <14> sending packet: from WAN-PFsense02[500] to IP-Publique-Routeur2[1024] (344 bytes)
      Sep 8 09:49:40 pfSense-02 charon[93010]: 09[IKE] <con100000|13> retransmit 1 of request with message ID 1
      Sep 8 09:49:40 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Publique-Routeur2[4500] (252 bytes)
      Sep 8 09:49:42 pfSense-02 charon[93010]: 09[CFG] vici client 395 connected
      Sep 8 09:49:42 pfSense-02 charon[93010]: 14[CFG] vici client 395 registered for: list-sa
      Sep 8 09:49:42 pfSense-02 charon[93010]: 14[CFG] vici client 395 requests: list-sas
      Sep 8 09:49:42 pfSense-02 charon[93010]: 08[CFG] vici client 395 disconnected
      Sep 8 09:49:47 pfSense-02 charon[93010]: 14[CFG] vici client 396 connected
      Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 registered for: list-sa
      Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 requests: list-sas
      Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 disconnected
      Sep 8 09:49:48 pfSense-02 charon[93010]: 08[IKE] <con100000|13> retransmit 2 of request with message ID 1
      ...

      My hypothesis is that the error occurs at this point:
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]

      I tried switching to IKEv1, setting one of the 2 pfSenses to "Responder Only", and I tried forwarding ports 1024 or 1011, but each time it's the same thing: the other pfSense receives the information but gets stuck at a point I can't identify.

      I don't know IPsec VPNs well enough to find the solution or the step that is causing the problem.
      So I'm reaching out to anyone who has already had this problem or who knows the subject, to get it working and to help future readers get unstuck.

      If you need more information, don't hesitate to ask.
      Thanks in advance.

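The posted log, read with a small triage script. This is an added example, not part of the original post and not pfSense or strongSwan code. It groups charon lines by IKE_SA and reports the symptom the poster describes, an IKE_AUTH request retransmitted with no reply, together with the UDP destination port that request actually went to, so it can be compared with the custom NAT-T port configured in phase 1 (64500 in the post; in the posted log the IKE_AUTH request leaves for remote port 4500, while the IKE_SA_INIT went to 60500). It also flags two things visible in the log itself: the selected IKE proposal uses MODP_1024, and the CHILD_SA proposals charon logged are AH (integrity only, no encryption) rather than ESP. The sample lines, host names and IPs below are constructed for the example and are not the poster's real addresses.

```python
"""Triage helper for strongSwan (charon) IKEv2 logs of the kind pfSense writes.

Added example, not code from the original post or from pfSense/strongSwan.
Groups log lines by IKE_SA and reports: IKE_AUTH retransmitted with no reply,
packets sent to a NAT-T port other than the one the peer expects, legacy IKE
crypto in the selected proposal, and AH-only CHILD_SA proposals.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's log, using documentation IPs
# (198.51.100.10 = local WAN, 203.0.113.2 = remote public IP). Not real data.
SAMPLE_LOG = """\
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from 198.51.100.10[500] to 203.0.113.2[60500] (336 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> received packet: from 203.0.113.2[60500] to 198.51.100.10[500] (344 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> remote host is behind NAT
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from 198.51.100.10[4500] to 203.0.113.2[4500] (252 bytes)
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[IKE] <con100000|13> retransmit 1 of request with message ID 1
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from 198.51.100.10[4500] to 203.0.113.2[4500] (252 bytes)
Sep 8 09:49:48 pfSense-02 charon[93010]: 08[IKE] <con100000|13> retransmit 2 of request with message ID 1
Sep 8 09:49:48 pfSense-02 charon[93010]: 08[NET] <con100000|13> sending packet: from 198.51.100.10[4500] to 203.0.113.2[4500] (252 bytes)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) charon\[\d+\]: "
    r"(?P<thread>\d+)\[(?P<subsys>\w+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
PKT_RE = re.compile(
    r"(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>\S+)\[(?P<dport>\d+)\]"
)
# IKE algorithms/groups that RFC 8247 discourages or deprecates.
LEGACY_IKE = ("MODP_768", "MODP_1024", "3DES_CBC", "PRF_HMAC_MD5")


def _new_sa():
    return {"packets": [], "ike_proposal": "", "child_proposals": [],
            "auth_sent": False, "auth_answered": False, "retransmits": 0,
            "nat_detected": False}


def parse(lines):
    """Group charon log lines by IKE_SA name (e.g. 'con100000|13')."""
    sas = defaultdict(_new_sa)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("sa"):
            continue  # unparsable line, or SA-less line such as vici chatter
        rec, msg = sas[m.group("sa")], m.group("msg")
        pkt = PKT_RE.search(msg)
        if pkt:
            rec["packets"].append({
                "dir": pkt.group("dir"), "sport": int(pkt.group("sport")),
                "dst": pkt.group("dst"), "dport": int(pkt.group("dport")),
                "after_nat": rec["nat_detected"]})  # sent after NAT detection?
        elif msg.startswith("selected proposal: IKE:"):
            rec["ike_proposal"] = msg.split("IKE:", 1)[1]
        elif msg.startswith("configured proposals: ") and \
                msg.split(": ", 1)[1].startswith(("AH:", "ESP:")):
            rec["child_proposals"] = [p.strip() for p in msg.split(": ", 1)[1].split(",")]
        elif msg.startswith("generating IKE_AUTH request"):
            rec["auth_sent"] = True
        elif msg.startswith("parsed IKE_AUTH response"):
            rec["auth_answered"] = True
        elif msg.startswith("retransmit "):
            rec["retransmits"] += 1
        elif "is behind NAT" in msg:
            rec["nat_detected"] = True
    return sas


def analyze(lines, expected_natt_port=None):
    """Return (sa, code, detail) findings. expected_natt_port is the custom
    remote NAT-T port the peer forwards (64500 in the post); None skips it."""
    findings = []
    for sa, rec in parse(lines).items():
        if rec["auth_sent"] and not rec["auth_answered"] and rec["retransmits"]:
            findings.append((sa, "stuck_auth",
                             f"IKE_AUTH request retransmitted {rec['retransmits']}x with no "
                             "reply; IKE_SA_INIT completed, so check UDP after the NAT-T switch"))
        after = sorted({p["dport"] for p in rec["packets"]
                        if p["dir"] == "sending" and p["after_nat"]})
        if expected_natt_port and after and after != [expected_natt_port]:
            findings.append((sa, "natt_port_mismatch",
                             f"after NAT detection charon sent to remote UDP {after}, "
                             f"but the peer's forwarded NAT-T port is {expected_natt_port}"))
        legacy = [w for w in LEGACY_IKE if w in rec["ike_proposal"]]
        if legacy:
            findings.append((sa, "legacy_ike_crypto",
                             f"IKE proposal uses {', '.join(legacy)}: {rec['ike_proposal']}"))
        ah = [p for p in rec["child_proposals"] if p.startswith("AH:")]
        if ah and not any(p.startswith("ESP:") for p in rec["child_proposals"]):
            findings.append((sa, "ah_only_child",
                             "CHILD_SA proposals are AH only (no encryption): " + ", ".join(ah)))
    return findings


def finding_codes(findings):
    return sorted(code for _, code, _ in findings)


if __name__ == "__main__":
    for sa, code, detail in analyze(SAMPLE_LOG.splitlines(), expected_natt_port=64500):
        print(f"[{code}] {sa}: {detail}")
```

To use it on a real case, feed it the lines of the IPsec log (Status > System Logs > IPsec in the pfSense GUI) and pass the custom NAT-T port from the phase 1 settings as `expected_natt_port`. A `natt_port_mismatch` finding means the IKE_AUTH packets are not leaving for the port the far-side router forwards, which is consistent with retransmits and no reply; an `ah_only_child` finding is worth checking against the phase 2 protocol setting, since AH provides integrity but leaves the payload in clear.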
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.