<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Courier size=2>Hello,</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2>I am a student intern and I have to set up a secure
connection.<BR>The goal is to reach a private network from a roaming XP client
(roadwarrior), over the Internet<BR>and through a NAT.<BR>Below is my test
network.<BR>The connection does not come up when the NAT is
enabled.<BR>Phase 2 (Quick Mode) does not complete and I get the following error
messages:</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2>cannot respond to IPsec SA request because no
connection is known<BR>INVALID_ID_INFORMATION<BR>Quick Mode I1 message is
unacceptable because it uses a previously used Message
ID<BR>INVALID_MESSAGE_ID</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2>Below is an excerpt from the secure log
file.</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2>Thank you for your help.</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2>Etienne.</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2>Here is my test network:</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier size=2> |10.0.0.0 LAN<BR>
--------------<BR>
super freeswan RH9<BR>
--------------<BR>
 |200.10.10.10<BR>
 |<BR>
 |200.10.10.20<BR>
--------------<BR>
 NAT : PREROUTING -i eth0 -j DNAT --to 200.10.10.10 (Mandrake 9)<BR>
--------------<BR>
 |192.168.10.20<BR>
 |<BR>
 |<BR>
 |192.168.10.30<BR>
--------------<BR>
 roadwarrior XP SP2<BR>
--------------</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV><FONT size=2>
<DIV><BR><FONT face=Courier>ipsec.conf for RH9:<BR>
config setup<BR>
 interfaces="ipsec0=eth0"<BR>
 klipsdebug=all<BR>
 plutodebug=none<BR>
 plutoload="nomade"<BR>
 uniqueids=no<BR>
 plutostart=nomade<BR>
 nat_traversal=yes</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier>conn %default<BR>
 keyingtries=3<BR>
 #compress=yes<BR>
 disablearrivalcheck=no<BR>
 #auto=start<BR>
 authby=rsasig<BR>
 leftrsasigkey=%cert<BR>
 rightrsasigkey=%cert</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier>conn nomade<BR>
 right=%any<BR>
 left=200.10.10.10<BR>
 leftnexthop=200.10.10.20<BR>
 #rightsubnet=0.0.0.0/0<BR>
 #left=%defaultroute<BR>
 #leftid=@linuxrh9<BR>
 leftcert=universite.pem<BR>
 rightid=<BR>
 leftid=<BR>
 auto=add<BR>
 pfs=no</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><BR><FONT face=Courier>ipsec.conf for the XP client:<BR>
conn nomade<BR>
 left=%any<BR>
 #right=200.10.10.10<BR>
 right=192.168.10.20<BR>
 rightca="C=FR, S=Orsay, L=Essonne, O=universite, CN=orsay.fr"<BR>
 #rightid=<BR>
 #leftid=<BR>
 network=auto<BR>
 auto=start<BR>
 pfs=no<BR>
 nat_traversal=yes<BR>
 compress=yes</FONT></DIV>
<DIV><FONT face=Courier></FONT> </DIV>
<DIV><FONT face=Courier>And the secure file:<BR>ipsec__plutorun: Starting
Pluto subsystem...<BR>pluto[16791]: Starting Pluto (FreeS/WAN Version
super-freeswan-1.99.8)<BR>pluto[16791]: including X.509 patch with
traffic selectors (Version 0.9.32)<BR>pluto[16791]: including
NAT-Traversal patch (Version 0.6)<BR>pluto[16791]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>pluto[16791]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<BR>pluto[16791]:
ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)<BR>pluto[16791]:
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
(ret=0)<BR>pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
(ret=0)<BR>pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
(ret=0)<BR>pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC:
Ok (ret=0)<BR>pluto[16791]: ike_alg_register_enc(): Activating
OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)<BR>pluto[16791]: Changing to directory
'/etc/ipsec.d/cacerts'<BR>pluto[16791]: loaded cacert file
'cacert.pem' (1107 bytes)<BR>pluto[16791]: Changing to directory
'/etc/ipsec.d/crls'<BR>pluto[16791]: loaded crl file 'crl.pem' (459
bytes)<BR>pluto[16791]: OpenPGP certificate file '/etc/pgpcert.pgp' not
found<BR>pluto[16791]: | from whack: got --esp=3des<BR>pluto[16791]: | from
whack: got --ike=3des<BR>pluto[16791]: loaded host cert file
'/etc/ipsec.d/universite.pem' (3363 bytes)<BR>pluto[16791]: added connection
description "nomade"<BR>pluto[16791]: listening for IKE
messages<BR>pluto[16791]: adding interface ipsec0/eth0
200.10.10.10<BR>pluto[16791]: adding interface ipsec0/eth0
200.10.10.10:4500<BR>pluto[16791]: loading secrets from
"/etc/ipsec.secrets"<BR>pluto[16791]: loaded private key file
'/etc/ipsec.d/private/universite.key' (964 bytes)<BR>pluto[16791]: "nomade":
cannot initiate connection without knowing peer IP address<BR>pluto[16791]:
packet from 192.168.10.30:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]<BR>pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID
payload [FRAGMENTATION]<BR>pluto[16791]: packet from 192.168.10.30:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<BR>pluto[16791]: packet from
192.168.10.30:500: ignoring Vendor ID payload
[26244d38eddb61b3...]<BR>pluto[16791]: "nomade"[1] 192.168.10.30 #1: responding
to Main Mode from unknown peer 192.168.10.30<BR>pluto[16791]: "nomade"[1]
192.168.10.30 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
i am NATed<BR>pluto[16791]: "nomade"[1] 192.168.10.30 #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=FR, ST=Orsay, L=Essonne, O=universite,
CN=NomadeXP'<BR>pluto[16791]: "nomade"[2] 192.168.10.30 #1: deleting connection
"nomade" instance with peer 192.168.10.30<BR>pluto[16791]: | NAT-T: new mapping
192.168.10.30:500/4500)<BR>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sent
MR3, ISAKMP SA established<BR><FONT color=#ff0000>pluto[16791]: "nomade"[2]
192.168.10.30:4500 #1: cannot respond to IPsec SA request because no connection
is known for 192.168.10.20/32===200.10.10.10:4500[C=FR, ST=Orsay, L=Essonne,
O=My Company Ltd, CN=universite]...192.168.10.30:4500[C=FR, ST=Orsay, L=Essonne,
O=universite, CN=NomadeXP]<BR>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1:
sending encrypted notification INVALID_ID_INFORMATION to
192.168.10.30:4500<BR>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x977a113e (perhaps this is a duplicated packet)<BR>pluto[16791]: "nomade"[2]
192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.10.30:4500<BR></FONT>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1:
Quick Mode I1 message is unacceptable because it uses a previously used Message
ID 0x977a113e (perhaps this is a duplicated packet)<BR>pluto[16791]: "nomade"[2]
192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.10.30:4500<BR>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x977a113e (perhaps this is a duplicated packet)<BR>pluto[16791]: "nomade"[2]
192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.10.30:4500<BR>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x977a113e (perhaps this is a duplicated packet)<BR>pluto[16791]: "nomade"[2]
192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.10.30:4500<BR>pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x977a113e (perhaps this is a duplicated packet)<BR>pluto[16791]: "nomade"[2]
192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.10.30:4500<BR></FONT></FONT></DIV></BODY></HTML>