[Openswan Users] Help please! Super FreeS/WAN.
Etienne
etienne.montoute at worldonline.fr
Tue Jun 7 22:49:48 CEST 2005
Hello,
I am a student on an internship and have to set up a secure connection.
The goal is to reach a private network from an XP road warrior, over the Internet
and through a NAT.
My test network is shown below.
The connection does not come up when the NAT is enabled.
Phase 2 (Quick Mode) does not complete and I get the following error messages:
cannot respond to IPsec SA request because no connection is known
INVALID_ID_INFORMATION
Quick Mode I1 message is unacceptable because it uses a previously used Message ID
INVALID_MESSAGE_ID
Below is an excerpt from the secure log file.
Thanks for your help.
Etienne.
Here is my test network:
|10.0.0.0 LAN
--------------
super freeswan RH9
--------------
|200.10.10.10
|
|200.10.10.20
--------------
NAT : PREROUTING -i eth0 -j DNAT --to 200.10.10.10
(Mandrake 9)
--------------
|192.168.10.20
|
|
|192.168.10.30
--------------
roadwarrior XP SP2
--------------
ipsec.conf for RH9:
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=none
    plutoload="nomade"
    uniqueids=no
    plutostart=nomade
    nat_traversal=yes

conn %default
    keyingtries=3
    #compress=yes
    disablearrivalcheck=no
    #auto=start
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn nomade
    right=%any
    left=200.10.10.10
    leftnexthop=200.10.10.20
    #rightsubnet=0.0.0.0/0
    #left=%defaultroute
    #leftid=@linuxrh9
    leftcert=universite.pem
    rightid=
    leftid=
    auto=add
    pfs=no
ipsec.conf for the XP client:
conn nomade
    left=%any
    #right=200.10.10.10
    right=192.168.10.20
    rightca="C=FR, S=Orsay, L=Essonne, O=universite, CN=orsay.fr"
    #rightid=
    #leftid=
    network=auto
    auto=start
    pfs=no
    nat_traversal=yes
    compress=yes
And the secure log file:
ipsec__plutorun: Starting Pluto subsystem...
pluto[16791]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.8)
pluto[16791]: including X.509 patch with traffic selectors (Version 0.9.32)
pluto[16791]: including NAT-Traversal patch (Version 0.6)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
pluto[16791]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[16791]: loaded cacert file 'cacert.pem' (1107 bytes)
pluto[16791]: Changing to directory '/etc/ipsec.d/crls'
pluto[16791]: loaded crl file 'crl.pem' (459 bytes)
pluto[16791]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
pluto[16791]: | from whack: got --esp=3des
pluto[16791]: | from whack: got --ike=3des
pluto[16791]: loaded host cert file '/etc/ipsec.d/universite.pem' (3363 bytes)
pluto[16791]: added connection description "nomade"
pluto[16791]: listening for IKE messages
pluto[16791]: adding interface ipsec0/eth0 200.10.10.10
pluto[16791]: adding interface ipsec0/eth0 200.10.10.10:4500
pluto[16791]: loading secrets from "/etc/ipsec.secrets"
pluto[16791]: loaded private key file '/etc/ipsec.d/private/universite.key' (964 bytes)
pluto[16791]: "nomade": cannot initiate connection without knowing peer IP address
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[16791]: packet from 192.168.10.30:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [26244d38eddb61b3...]
pluto[16791]: "nomade"[1] 192.168.10.30 #1: responding to Main Mode from unknown peer 192.168.10.30
pluto[16791]: "nomade"[1] 192.168.10.30 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[16791]: "nomade"[1] 192.168.10.30 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP'
pluto[16791]: "nomade"[2] 192.168.10.30 #1: deleting connection "nomade" instance with peer 192.168.10.30
pluto[16791]: | NAT-T: new mapping 192.168.10.30:500/4500)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sent MR3, ISAKMP SA established
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.10.20/32===200.10.10.10:4500[C=FR, ST=Orsay, L=Essonne, O=My Company Ltd, CN=universite]...192.168.10.30:4500[C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP]
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
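The pluto line "cannot respond to IPsec SA request because no connection is known for ..." spells out the proposal the gateway rejected: the XP peer asked for 192.168.10.20/32 (the address it was given as right=, i.e. the NAT box's inside interface) as the traffic selector behind the gateway, while conn nomade has left=200.10.10.10 and no leftsubnet, so no connection matches and pluto answers with INVALID_ID_INFORMATION. As an added example, not code from super-freeswan or from the poster, the Python below parses the conn sections of an ipsec.conf fragment and that log line in pluto's "[subnet===]host[:port][id]...host[:port][id][===subnet]" syntax, and reports which configured parameter the proposal fails to match. The conf fragment and the log line are constructed to mirror the post; the pfs=no warning is an editor's check on the configuration, not something pluto emits.

```python
"""Triage a pluto "no connection is known for ..." Quick Mode failure.

Added example for this post, not super-freeswan code. It parses the conn
sections of an ipsec.conf fragment and the pluto log line that quotes the
traffic selectors and IDs the peer proposed, then reports which configured
parameter the proposal does not match. Inputs are constructed to mirror the
post.
"""
import re

# Constructed ipsec.conf fragment (same values as the RH9 gateway's conn).
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes

conn %default
    keyingtries=3
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn nomade
    right=%any
    left=200.10.10.10
    leftnexthop=200.10.10.20
    #rightsubnet=0.0.0.0/0
    leftcert=universite.pem
    rightid=
    leftid=
    auto=add
    pfs=no
"""

# Constructed log line in pluto's connection-description syntax:
#   [lsubnet===]left[:port][leftid]...right[:port][rightid][===rsubnet]
SAMPLE_LOG = (
    'pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: cannot respond to IPsec SA '
    'request because no connection is known for 192.168.10.20/32===200.10.10.10:4500'
    '[C=FR, ST=Orsay, L=Essonne, O=My Company Ltd, CN=universite]...192.168.10.30:4500'
    '[C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP]'
)

_END = (r'(?P<{p}host>[0-9.]+)(?::(?P<{p}port>[0-9]+))?'
        r'(?:\[(?P<{p}id>[^\]]*)\])?')
NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)".*?cannot respond to IPsec SA request because '
    r'no connection is known for (?:(?P<lsubnet>[0-9./]+)===)?'
    + _END.format(p='l') + r'\.\.\.' + _END.format(p='r')
    + r'(?:===(?P<rsubnet>[0-9./]+))?'
)


def parse_ipsec_conf(text):
    """Return {conn name: params}, with 'conn %default' folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # 'conn NAME' or 'config setup'
            kind, _, name = line.partition(' ')
            current = name.strip() if kind == 'conn' else None
            if current:
                sections.setdefault(current, {})
            continue
        if current:
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip()
    default = sections.pop('%default', {})
    return {name: {**default, **params} for name, params in sections.items()}


def diagnose(conf_text, log_line):
    """Explain why pluto found no matching connection for a Quick Mode
    proposal; return None if the line is not that message."""
    m = NO_CONN_RE.search(log_line)
    if not m:
        return None
    g = m.groupdict()
    conn = parse_ipsec_conf(conf_text).get(g['conn'])
    report = {'conn': g['conn'], 'proposal': g, 'problems': [], 'warnings': []}
    if conn is None:
        report['problems'].append('no such conn in ipsec.conf')
        return report
    for side, prefix in (('left', 'l'), ('right', 'r')):
        host, subnet, peer_id = g[prefix + 'host'], g[prefix + 'subnet'], g[prefix + 'id']
        cfg_host = conn.get(side, '')
        if cfg_host and not cfg_host.startswith('%') and cfg_host != host:
            report['problems'].append(f"{side}={cfg_host} but the proposal addresses {host}")
        # Without leftsubnet/rightsubnet a conn covers only the host itself.
        base = cfg_host if cfg_host and not cfg_host.startswith('%') else host
        allowed = conn.get(side + 'subnet') or f"{base}/32"
        proposed = subnet or f"{host}/32"
        if proposed != allowed:
            report['problems'].append(
                f"peer proposed {proposed} behind {side}, but the conn only covers {allowed}")
        cfg_id = conn.get(side + 'id')
        if cfg_id and cfg_id != peer_id:
            report['problems'].append(f"{side}id={cfg_id} does not match proposed ID {peer_id}")
    # Editor's check, not a pluto message: no PFS means no fresh DH in Phase 2.
    if conn.get('pfs') == 'no':
        report['warnings'].append(
            'pfs=no: Phase 2 keys are derived from the Phase 1 secret with no fresh DH exchange')
    return report


if __name__ == '__main__':
    import json
    print(json.dumps(diagnose(SAMPLE_CONF, SAMPLE_LOG), indent=2))
```

Run against the constructed inputs it reports a single problem, the 192.168.10.20/32 selector versus the 200.10.10.10/32 the conn covers, and leaves the right side alone because right=%any and the blank rightid accept any peer address and ID; the parsed IDs also make it easy to see that the certificate DNs in the log (ST=Orsay) differ in attribute name from the rightca string in the XP config (S=Orsay).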