10.44.0.0/16=DG834--internet--ipcop(NAT box)--ipcopTest
The VPN comes up, stays up and renegotiates the IKE phase perfectly.
I have no logs on the DG834 equivalent to IPCop's. As I said, essentially everything hinges on the identification of the peer.
Here it is done with the 'IDs'.
The DG834 offers two types of ID: 'user' or 'fqdn'. It only works with 'user'. Obviously the same ones must be entered on both sides (any word will do; I used city names).
Settings on the NATed peer:
RED=10.0.0.50 and also the outgoing interface
GREEN=10.1.0.0/255.255.0.0
On the IPCop doing the NAT: nothing special to do.
Note: I haven't fully tested the case where the DG834 initiates. Logically it should fail without the appropriate port forwards. The second thing that bothers me a little is that tcpdump should show me UDP packets... if NAT traversal is active (i.e. detected). I get ESP directly.
Here is the startup log on the NATed IPCop (IKE renegotiation at 120 seconds).
IPCop diagnostics
Section: ipsec
Date: Avril 15, 2007
01:48:26 pluto[7633] "baule" #10: sent QI2, IPsec SA established
01:48:26 pluto[7633] "baule" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
01:48:26 pluto[7633] "baule" #10: Dead Peer Detection (RFC3706) enabled
01:48:25 pluto[7633] "baule" #5: received and ignored informational message
01:48:25 pluto[7633] "baule" #5: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
01:48:25 pluto[7633] "baule" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
01:48:25 pluto[7633] "baule" #9: IPsec SA expired (LATEST!)
01:46:25 pluto[7633] "baule" #9: IPsec SA established
01:46:25 pluto[7633] "baule" #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
01:46:25 pluto[7633] "baule" #9: Dead Peer Detection (RFC3706) enabled
01:46:24 pluto[7633] "baule" #5: received and ignored informational message
01:46:24 pluto[7633] "baule" #5: received Delete SA payload: replace IPSEC State #8 in 10 seconds
01:46:24 pluto[7633] "baule" #9: transition from state (null) to state STATE_QUICK_R1
01:46:24 pluto[7633] "baule" #9: responding to Quick Mode
01:44:23 pluto[7633] "baule" #8: sent QI2, IPsec SA established
01:44:23 pluto[7633] "baule" #8: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
01:44:23 pluto[7633] "baule" #8: Dead Peer Detection (RFC3706) enabled
01:44:22 pluto[7633] "baule" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
01:44:22 pluto[7633] "baule" #5: received and ignored informational message
01:44:22 pluto[7633] "baule" #5: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
01:44:21 pluto[7633] "baule" #7: IPsec SA expired (LATEST!)
01:42:21 pluto[7633] "baule" #7: IPsec SA established
01:42:21 pluto[7633] "baule" #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
01:42:21 pluto[7633] "baule" #7: Dead Peer Detection (RFC3706) enabled
01:42:21 pluto[7633] "baule" #5: received and ignored informational message
01:42:21 pluto[7633] "baule" #5: received Delete SA payload: replace IPSEC State #6 in 10 seconds
01:42:21 pluto[7633] "baule" #7: transition from state (null) to state STATE_QUICK_R1
01:42:21 pluto[7633] "baule" #7: responding to Quick Mode
01:40:20 pluto[7633] "baule" #6: sent QI2, IPsec SA established
01:40:20 pluto[7633] "baule" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
01:40:20 pluto[7633] "baule" #6: Dead Peer Detection (RFC3706) enabled
01:40:20 pluto[7633] "baule" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
01:40:20 pluto[7633] "baule" #5: ISAKMP SA established
01:40:20 pluto[7633] "baule" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
01:40:20 pluto[7633] "baule" #5: Main mode peer ID is ID_FQDN: '@baule'
01:40:20 pluto[7633] "baule" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
01:40:19 pluto[7633] "baule" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
01:40:19 pluto[7633] "baule" #5: received Vendor ID payload [Dead Peer Detection]
01:40:19 pluto[7633] "baule" #5: initiating Main Mode
01:40:09 pluto[7633] packet from 90.144.67.128:500: received and ignored informational message
01:40:09 pluto[7633] "baule" #3: received Delete SA payload: deleting ISAKMP State #3
01:40:09 pluto[7633] "baule" #3: received and ignored informational message
01:40:09 pluto[7633] "baule" #3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
01:39:19 pluto[7633] "baule" #4: sent QI2, IPsec SA established
01:39:19 pluto[7633] "baule" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
01:39:19 pluto[7633] "baule" #4: Dead Peer Detection (RFC3706) enabled
01:39:19 pluto[7633] "baule" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
01:39:19 pluto[7633] "baule" #3: ISAKMP SA established
01:39:19 pluto[7633] "baule" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
01:39:19 pluto[7633] "baule" #3: Main mode peer ID is ID_FQDN: '@baule'
01:39:18 pluto[7633] "baule" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
01:39:18 pluto[7633] "baule" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
01:39:18 pluto[7633] "baule" #3: received Vendor ID payload [Dead Peer Detection]
01:39:18 pluto[7633] "baule" #3: initiating Main Mode
01:39:08 pluto[7633] packet from 90.144.67.128:500: Informational Exchange is for an unknown (expired?) SA
01:39:08 pluto[7633] packet from 90.144.67.128:500: Informational Exchange is for an unknown (expired?) SA
01:39:08 pluto[7633] packet from 90.144.67.128:500: received and ignored informational message
01:39:08 pluto[7633] "baule" #1: received Delete SA payload: deleting ISAKMP State #1
01:39:08 pluto[7633] "baule" #1: received and ignored informational message
01:39:08 pluto[7633] "baule" #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
01:39:08 pluto[7633] "baule" #1: received and ignored informational message
01:39:08 pluto[7633] "baule" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
01:39:03 ipsec__plutorun 004 "baule" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
01:39:03 ipsec__plutorun 122 "baule" #2: STATE_QUICK_I1: initiate
01:39:03 ipsec__plutorun 004 "baule" #1: STATE_MAIN_I4: ISAKMP SA established
01:39:03 ipsec__plutorun 108 "baule" #1: STATE_MAIN_I3: sent MI3, expecting MR3
01:39:03 ipsec__plutorun 106 "baule" #1: STATE_MAIN_I2: sent MI2, expecting MR2
01:39:03 ipsec__plutorun 003 "baule" #1: received Vendor ID payload [Dead Peer Detection]
01:39:03 ipsec__plutorun 104 "baule" #1: STATE_MAIN_I1: initiate
01:39:03 pluto[7633] "baule" #2: sent QI2, IPsec SA established
01:39:03 pluto[7633] "baule" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
01:39:03 pluto[7633] "baule" #2: Dead Peer Detection (RFC3706) enabled
01:39:03 pluto[7633] "baule" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
01:39:03 pluto[7633] "baule" #1: ISAKMP SA established
01:39:03 pluto[7633] "baule" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
01:39:03 pluto[7633] "baule" #1: Main mode peer ID is ID_FQDN: '@baule'
01:39:03 pluto[7633] "baule" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
01:39:02 pluto[7633] "baule" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
01:39:02 pluto[7633] "baule" #1: received Vendor ID payload [Dead Peer Detection]
01:39:02 pluto[7633] "baule" #1: initiating Main Mode
01:39:02 pluto[7633] loading secrets from "/etc/ipsec.secrets"
01:39:02 pluto[7633] adding interface ipsec0/eth1 10.0.0.50:4500
01:39:02 pluto[7633] adding interface ipsec0/eth1 10.0.0.50
01:39:02 pluto[7633] listening for IKE messages
01:39:02 pluto[7633] added connection description "baule"
01:39:02 pluto[7633] | from whack: got --ike=3des-sha-modp1536,3des-sha-modp1024
01:39:02 pluto[7633] | from whack: got --esp=3des-sha1
01:39:02 pluto[7633] OpenPGP certificate file '/etc/pgpcert.pgp' not found
01:39:02 pluto[7633] Warning: empty directory
01:39:02 pluto[7633] Changing to directory '/etc/ipsec.d/crls'
01:39:02 pluto[7633] Warning: empty directory
01:39:02 ipsec_setup ...Openswan IPsec started
01:39:02 pluto[7633] Changing to directory '/etc/ipsec.d/cacerts'
01:39:02 pluto[7633] ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
01:39:02 pluto[7633] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
01:39:02 pluto[7633] including NAT-Traversal patch (Version 0.6)
01:39:02 pluto[7633] including X.509 patch with traffic selectors (Version 0.9.42)
01:39:02 pluto[7633] Starting Pluto (Openswan Version 1.0.10)
01:39:02 ipsec__plutorun Starting Pluto subsystem...
01:39:01 ipsec_setup KLIPS ipsec0 on eth1 10.0.0.50/255.255.0.0 broadcast 10.0.255.255
01:39:01 ipsec_setup KLIPS debug `none'
01:39:01 ipsec_setup Starting Openswan IPsec 1.0.10...
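As an added example (not code from the post or from IPCop), a small Python parser over constructed lines in the shape of the pluto log above: it undoes the newest-first ordering, derives each Quick Mode SA's role from its state names, measures the rekey interval the poster mentions, and checks the Main Mode peer ID against the ID configured on both ends. The sample lines and the expected ID value are assumptions.

```python
import re
# Shape of the IPCop/Openswan pluto lines above: time, connection name, SA number, message.
LINE_RE = re.compile(r'^(\d\d):(\d\d):(\d\d) pluto\[\d+\] "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Constructed sample in the shape of the post's log (newest first, as IPCop prints it).
SAMPLE_LOG = """\
01:48:26 pluto[7633] "baule" #10: sent QI2, IPsec SA established
01:48:26 pluto[7633] "baule" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
01:48:25 pluto[7633] "baule" #9: IPsec SA expired (LATEST!)
01:46:25 pluto[7633] "baule" #9: IPsec SA established
01:46:25 pluto[7633] "baule" #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
01:44:23 pluto[7633] "baule" #8: sent QI2, IPsec SA established
01:42:21 pluto[7633] "baule" #7: IPsec SA established
01:40:20 pluto[7633] "baule" #6: sent QI2, IPsec SA established
01:40:20 pluto[7633] "baule" #5: Main mode peer ID is ID_FQDN: '@baule'
01:39:03 ipsec__plutorun 004 "baule" #1: STATE_MAIN_I4: ISAKMP SA established
"""

def parse_pluto(text):
    """Return per-SA events as (seconds_of_day, conn, sa, msg), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ipsec_setup / plutorun / 'packet from' lines carry no SA number
        h, mi, s = (int(m.group(i)) for i in (1, 2, 3))
        events.append((h * 3600 + mi * 60 + s, m["conn"], int(m["sa"]), m["msg"]))
    return sorted(events)  # undo the newest-first order

def sa_roles(events):
    """Map SA number -> 'initiator'/'responder' from its Quick Mode state names."""
    roles = {}
    for _, _, sa, msg in events:
        if "STATE_QUICK_I" in msg:
            roles[sa] = "initiator"
        elif "STATE_QUICK_R" in msg:
            roles[sa] = "responder"
    return roles

def rekey_intervals(events):
    """Seconds between successive 'IPsec SA established' events (the ~120 s rekey)."""
    times = [t for t, _, _, msg in events if msg.endswith("IPsec SA established")]
    return [b - a for a, b in zip(times, times[1:])]

def peer_id_mismatches(events, expected=("ID_FQDN", "@baule")):
    """Main Mode peer IDs that differ from the ID configured on both ends (assumed value)."""
    bad = []
    for _, _, sa, msg in events:
        m = re.search(r"Main mode peer ID is (\w+): '([^']*)'", msg)
        if m and m.groups() != expected:
            bad.append((sa,) + m.groups())
    return bad
```

Feed it the full log from the post and the alternating initiator/responder roles of SAs #6 to #10 show both ends rekeying in turn.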