Problème configuration VPN IPsec avec Openswan

blacko974 · 26/01/2011, 11h03

Bonjour,

Je suis actuellement en stage et j'ai à monter un tunnel IPSEC avec Openswan entre deux sites distants. Je dispose d'une machine Linux Debian (mon IPSEC) dérrière un routeur Zyxell d'un coté, et de l'autre côté j'ai un routeur Clavister qui gère les Vpn.

Voici ma config :

fichier ipsec.conf
conn srvfw-clavister
auth=esp
esp=aes128-sha1-96
keyexchange=ike
ike=aes128-sha1-modp1024
keyingtries=0
left=192.168.0.50
leftsubnet=192.168.0.0/24
leftnexthop=81.252.71.125
right=194.1.4.51
rightsubnet=194.1.4.0/23
rightnexthop=193.253.176.43
ikelifetime=86400
authby=secret
auto=start
pfs=no

mon fichier ipsec.secrets

RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005-09-28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
194.1.4.51 192.168.0.50: PSK "caudan-colombes"

Mon problème est que lorsque je lance mon tunnel, il ne se passe rien.

ipsec auto -status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 194.1.4.51
000 interface eth0/eth0 194.1.4.51
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,540} attrs={0,2,360}
000
000 "srvfw-clavister": 194.1.4.0/23===194.1.4.51---193.253.176.43...81.252.71.125---192.168.0.50===192.168.0.0/24; prospective erouted; eroute owner: #0
000 "srvfw-clavister": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "srvfw-clavister": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "srvfw-clavister": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,23; interface: eth0; encap: esp;
000 "srvfw-clavister": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "srvfw-clavister": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
000 "srvfw-clavister": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "srvfw-clavister": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
000 "srvfw-clavister": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict
000
000 #4: "srvfw-clavister":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd
000 #4: pending Phase 2 for "srvfw-clavister" replacing #0
000
administrateur:/home/administrateur#

Pouvez-vous m'aider, le problème principal semble etre la dernière ligne
000 #4: pending Phase 2 for "srvfw-clavister" replacing #0

Je vous remercie par avance.

26/01/2011, 11h03	#1
blacko974 Invité de passage Inscription : janvier 2011 Messages : 1 Détails du profil Informations forums : Inscription : janvier 2011 Messages : 1 Points : 0 Points : 0	Problème configuration VPN IPsec avec Openswan Bonjour, Je suis actuellement en stage et j'ai à monter un tunnel IPSEC avec Openswan entre deux sites distants. Je dispose d'une machine Linux Debian (mon IPSEC) dérrière un routeur Zyxell d'un coté, et de l'autre côté j'ai un routeur Clavister qui gère les Vpn. Voici ma config : fichier ipsec.conf conn srvfw-clavister auth=esp esp=aes128-sha1-96 keyexchange=ike ike=aes128-sha1-modp1024 keyingtries=0 left=192.168.0.50 leftsubnet=192.168.0.0/24 leftnexthop=81.252.71.125 right=194.1.4.51 rightsubnet=194.1.4.0/23 rightnexthop=193.253.176.43 ikelifetime=86400 authby=secret auto=start pfs=no mon fichier ipsec.secrets RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005-09-28 13:59:14 paul Exp $ # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "ipsec showhostkey". 194.1.4.51 192.168.0.50: PSK "caudan-colombes" Mon problème est que lorsque je lance mon tunnel, il ne se passe rien. ipsec auto -status 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 194.1.4.51 000 interface eth0/eth0 194.1.4.51 000 %myid = (none) 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,540} attrs={0,2,360} 000 000 "srvfw-clavister": 194.1.4.0/23===194.1.4.51---193.253.176.43...81.252.71.125---192.168.0.50===192.168.0.0/24; prospective erouted; eroute owner: #0 000 "srvfw-clavister": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown; 000 "srvfw-clavister": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "srvfw-clavister": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,23; interface: eth0; encap: esp; 000 "srvfw-clavister": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "srvfw-clavister": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict 000 "srvfw-clavister": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2) 000 "srvfw-clavister": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict 000 "srvfw-clavister": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict 000 000 #4: "srvfw-clavister":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd 000 #4: pending Phase 2 for "srvfw-clavister" replacing #0 000 administrateur:/home/administrateur# Pouvez-vous m'aider, le problème principal semble etre la dernière ligne 000 #4: pending Phase 2 for "srvfw-clavister" replacing #0 Je vous remercie par avance.
	00

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email