VPN between Cisco and Arkoon [Solved] - Networks - Systems & Networks Pro
Marsh Posted on 27-03-2012 at 14:14:34
Well, actually the tunnel was coming up fine... see the last line of the log... I just needed to get Orange to understand that I didn't want NAT on it...
Marsh Posted on 27-03-2012 at 13:23:27
Hello everyone, I'm looking into setting up a VPN between an operator router (Orange) in Guinea and our Arkoon FW in our datacenter in Paris (I should point out that the latter is managed by our security manager, that I don't have access to it, and that he copied the config from a VPN already in place towards Mauritius).
So I'm putting the config into the Cisco router (where I can't tinker much... I'm far away and it's already a miracle that I got credentials to take control of it).
Here are the error logs:
*Mar 27 11:10:29.111: %SYS-5-CONFIG_I: Configured from console by grant on vty0 (88.178.250.133)
*Mar 27 11:10:37.643: ISAKMP (0:134217730): received packet from 217.109.91.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 27 11:10:37.643: ISAKMP: set new node 161337021 to QM_IDLE
*Mar 27 11:10:37.643: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 161337021
*Mar 27 11:10:37.643: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID = 161337021
*Mar 27 11:10:37.643: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
*Mar 27 11:10:37.647: ISAKMP:(0:2:SW:1):deleting node 161337021 error FALSE reason "Informational (in) state 1"
*Mar 27 11:10:37.647: ISAKMP: Unlocking IPSEC struct 0x63E4789C from delete_siblings, count 0
*Mar 27 11:10:37.871: ISAKMP (0:134217730): received packet from 217.109.91.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 27 11:10:37.871: ISAKMP: set new node -812659899 to QM_IDLE
*Mar 27 11:10:37.871: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -812659899
*Mar 27 11:10:37.871: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID = -812659899
*Mar 27 11:10:37.871: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 217.109.91.1)
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):deleting node -812659899 error FALSE reason "Informational (in) state 1"
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 217.109.91.1)
*Mar 27 11:10:37.875: ISAKMP: Unlocking IKE struct 0x63E4789C for isadb_mark_sa_deleted(), count 0
*Mar 27 11:10:37.875: ISAKMP: Deleting peer node by peer_reap for 217.109.91.1: 63E4789C
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):deleting node 161337021 error FALSE reason "IKE deleted"
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):deleting node -812659899 error FALSE reason "IKE deleted"
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 27 11:10:37.875: ISAKMP:(0:2:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 27 11:10:40.143: ISAKMP (0:0): received packet from 217.109.91.1 dport 500 sport 500 Global (N) NEW SA
*Mar 27 11:10:40.143: ISAKMP: Created a peer struct for 217.109.91.1, peer port 500
*Mar 27 11:10:40.143: ISAKMP: New peer created peer = 0x6353C690 peer_handle = 0x80000007
*Mar 27 11:10:40.143: ISAKMP: Locking peer struct 0x6353C690, IKE refcount 1 for crypto_isakmp_process_block
*Mar 27 11:10:40.143: ISAKMP: local port 500, remote port 500
*Mar 27 11:10:40.143: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63FB5F84
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 164 mismatch
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 221 mismatch
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Looking for a matching key for 217.109.91.1 in default
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0): : success
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 217.109.91.1
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 27 11:10:40.147: ISAKMP : Scanning profiles for xauth ...
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against priority 10 policy
*Mar 27 11:10:40.147: ISAKMP: life type in seconds
*Mar 27 11:10:40.147: ISAKMP: life duration (basic) of 3600
*Mar 27 11:10:40.147: ISAKMP: encryption 3DES-CBC
*Mar 27 11:10:40.147: ISAKMP: hash SHA
*Mar 27 11:10:40.147: ISAKMP: auth pre-share
*Mar 27 11:10:40.147: ISAKMP: default group 5
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 27 11:10:40.147: ISAKMP: life type in seconds
*Mar 27 11:10:40.147: ISAKMP: life duration (basic) of 3600
*Mar 27 11:10:40.147: ISAKMP: encryption 3DES-CBC
*Mar 27 11:10:40.147: ISAKMP: hash SHA
*Mar 27 11:10:40.147: ISAKMP: auth pre-share
*Mar 27 11:10:40.147: ISAKMP: default group 2
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): vendor ID is NAT-T v3
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 164 mismatch
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): processing vendor id payload
*Mar 27 11:10:40.199: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 221 mismatch
*Mar 27 11:10:40.203: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 27 11:10:40.203: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 27 11:10:40.203: ISAKMP:(0:3:SW:1): constructed NAT-T vendor-03 ID
*Mar 27 11:10:40.203: ISAKMP:(0:3:SW:1): sending packet to 217.109.91.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 27 11:10:40.203: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 27 11:10:40.203: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 27 11:10:40.587: ISAKMP (0:134217731): received packet from 217.109.91.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 27 11:10:40.587: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 27 11:10:40.587: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Mar 27 11:10:40.587: ISAKMP:(0:3:SW:1): processing KE payload. message ID = 0
*Mar 27 11:10:40.655: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = 0
*Mar 27 11:10:40.655: ISAKMP:(0:0:N/A:0):Looking for a matching key for 217.109.91.1 in default
*Mar 27 11:10:40.655: ISAKMP:(0:0:N/A:0): : success
*Mar 27 11:10:40.655: ISAKMP:(0:3:SW:1):found peer pre-shared key matching 217.109.91.1
*Mar 27 11:10:40.655: ISAKMP:(0:3:SW:1):SKEYID state generated
*Mar 27 11:10:40.655: ISAKMP:received payload type 20
*Mar 27 11:10:40.655: ISAKMP:received payload type 20
*Mar 27 11:10:40.655: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 27 11:10:40.655: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Mar 27 11:10:40.659: ISAKMP:(0:3:SW:1): sending packet to 217.109.91.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 27 11:10:40.659: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 27 11:10:40.659: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Mar 27 11:10:41.051: ISAKMP (0:134217731): received packet from 217.109.91.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 27 11:10:41.051: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 27 11:10:41.051: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1): processing ID payload. message ID = 0
*Mar 27 11:10:41.055: ISAKMP (0:134217731): ID payload
next-payload : 8
type : 1
address : 217.109.91.1
protocol : 0
port : 0
length : 12
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1): processing HASH payload. message ID = 0
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):SA authentication status:
authenticated
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):SA has been authenticated with 217.109.91.1
*Mar 27 11:10:41.055: ISAKMP: Trying to insert a peer 41.82.214.133/217.109.91.1/500/, and inserted successfully 6353C690.
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 27 11:10:41.055: ISAKMP (0:134217731): ID payload
next-payload : 8
type : 1
address : 41.82.214.133
protocol : 17
port : 500
length : 12
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):Total payload length: 12
*Mar 27 11:10:41.059: ISAKMP:(0:3:SW:1): sending packet to 217.109.91.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 27 11:10:41.059: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 27 11:10:41.059: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Mar 27 11:10:41.059: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 27 11:10:41.059: ISAKMP:(0:3:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 27 11:10:41.439: ISAKMP (0:134217731): received packet from 217.109.91.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 27 11:10:41.439: ISAKMP: set new node -133433525 to QM_IDLE
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1): processing HASH payload. message ID = -133433525
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1): processing SA payload. message ID = -133433525
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1):Checking IPSec proposal 0
*Mar 27 11:10:41.439: ISAKMP: transform 0, ESP_3DES
*Mar 27 11:10:41.439: ISAKMP: attributes in transform:
*Mar 27 11:10:41.439: ISAKMP: encaps is 1 (Tunnel)
*Mar 27 11:10:41.439: ISAKMP: SA life type in seconds
*Mar 27 11:10:41.439: ISAKMP: SA life duration (basic) of 28800
*Mar 27 11:10:41.439: ISAKMP: authenticator is HMAC-SHA
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1):atts are acceptable.
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = -133433525
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1): processing ID payload. message ID = -133433525
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1): processing ID payload. message ID = -133433525
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1): asking for 1 spis from ipsec
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1):Node -133433525, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Mar 27 11:10:41.443: ISAKMP: received ke message (2/1)
*Mar 27 11:10:41.443: ISAKMP: Locking peer struct 0x6353C690, IPSEC refcount 1 for for stuff_ke
*Mar 27 11:10:41.443: ISAKMP:(0:3:SW:1): Creating IPSec SAs
*Mar 27 11:10:41.443: inbound SA from 217.109.91.1 to 41.82.214.133 (f/i) 0/ 0
(proxy 10.0.0.0 to 192.168.60.0)
*Mar 27 11:10:41.443: has spi 0xCB265DED and conn_id 0 and flags 2
*Mar 27 11:10:41.443: lifetime of 28800 seconds
*Mar 27 11:10:41.443: has client flags 0x0
*Mar 27 11:10:41.443: outbound SA from 41.82.214.133 to 217.109.91.1 (f/i) 0/0
(proxy 192.168.60.0 to 10.0.0.0)
*Mar 27 11:10:41.443: has spi -1086348077 and conn_id 0 and flags A
*Mar 27 11:10:41.443: lifetime of 28800 seconds
*Mar 27 11:10:41.443: has client flags 0x0
*Mar 27 11:10:41.447: ISAKMP:(0:3:SW:1): sending packet to 217.109.91.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 27 11:10:41.447: ISAKMP:(0:3:SW:1):Node -133433525, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar 27 11:10:41.447: ISAKMP:(0:3:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Mar 27 11:10:41.447: ISAKMP: Locking peer struct 0x6353C690, IPSEC refcount 2 for from create_transforms
*Mar 27 11:10:41.447: ISAKMP: Unlocking IPSEC struct 0x6353C690 from create_transforms, count 1
*Mar 27 11:10:41.907: ISAKMP (0:134217731): received packet from 217.109.91.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 27 11:10:41.911: ISAKMP:(0:3:SW:1):deleting node -133433525 error FALSE reason "QM done (await)"
*Mar 27 11:10:41.911: ISAKMP:(0:3:SW:1):Node -133433525, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 27 11:10:41.911: ISAKMP:(0:3:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Does anything give you a first idea? I could post the config, but in small pieces so as not to pollute the thread too much...
Thanks for your help.
Message edited by ChaTTon2 on 27-03-2012 at 14:14:59
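The resolution in the thread is that the IKE negotiation itself had succeeded: the last log line reaches IKE_QM_PHASE2_COMPLETE, and the remaining problem was NAT applied by the carrier, outside IKE. Reading a `debug crypto isakmp` dump by hand is error-prone, so the following is an added example (not code from the post or from Cisco) of a small parser that walks such output, tracks the ISAKMP state transitions, records which phase 1 transform was accepted and why the others were rejected, and reports whether phase 1 and phase 2 completed. The sample input is a constructed excerpt of lines from the log above; the function names `summarize_isakmp_debug` and `diagnose` are this example's own.

```python
import re

# Constructed sample: a handful of lines excerpted from the Cisco
# "debug crypto isakmp" output quoted in the post above.
SAMPLE_LOG = """\
*Mar 27 11:10:40.143: ISAKMP (0:0): received packet from 217.109.91.1 dport 500 sport 500 Global (N) NEW SA
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 27 11:10:40.143: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against priority 10 policy
*Mar 27 11:10:40.147: ISAKMP: default group 5
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 27 11:10:40.147: ISAKMP: default group 2
*Mar 27 11:10:40.147: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
*Mar 27 11:10:41.055: ISAKMP:(0:3:SW:1):SA has been authenticated with 217.109.91.1
*Mar 27 11:10:41.059: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1):Checking IPSec proposal 0
*Mar 27 11:10:41.439: ISAKMP:(0:3:SW:1):atts are acceptable.
*Mar 27 11:10:41.911: ISAKMP:(0:3:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
GROUP_RE = re.compile(r"ISAKMP:\s+default group (\d+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")


def summarize_isakmp_debug(text):
    """Walk ISAKMP debug lines and return a summary dict of the negotiation."""
    summary = {
        "peer": None,
        "nat_t_peer": False,          # peer advertised the NAT-T vendor ID
        "profile_matched": True,      # set False on "peer matches *none* of the profiles"
        "authenticated": False,
        "phase1_complete": False,
        "phase2_complete": False,
        "final_state": None,
        "dh_mismatches": [],          # (transform index, DH group the peer offered)
        "accepted_transform": None,   # (transform index, DH group)
        "transitions": [],            # (old state, new state) in order
    }
    current_transform = None  # ISAKMP transform currently being evaluated
    current_group = None      # DH group seen inside that transform
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and summary["peer"] is None:
            summary["peer"] = m.group(1)
        if "vendor ID is NAT-T" in line:
            summary["nat_t_peer"] = True
        if "peer matches *none* of the profiles" in line:
            summary["profile_matched"] = False
        if AUTH_RE.search(line):
            summary["authenticated"] = True
        m = TRANSFORM_RE.search(line)
        if m:
            current_transform = int(m.group(1))
            current_group = None
            continue
        if "Checking IPSec proposal" in line:
            current_transform = None  # phase 2 attributes, not an ISAKMP policy check
            continue
        m = GROUP_RE.search(line)
        if m and current_transform is not None:
            current_group = int(m.group(1))
            continue
        if "Diffie-Hellman group offered does not match policy" in line and current_transform is not None:
            summary["dh_mismatches"].append((current_transform, current_group))
            continue
        # "atts are not acceptable" does not contain this substring, so only acceptances match.
        if "atts are acceptable" in line and current_transform is not None:
            summary["accepted_transform"] = (current_transform, current_group)
            current_transform = None
            continue
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            summary["transitions"].append((old, new))
            summary["final_state"] = new
            if new == "IKE_P1_COMPLETE":
                summary["phase1_complete"] = True
            if new == "IKE_QM_PHASE2_COMPLETE":
                summary["phase2_complete"] = True
    return summary


def diagnose(summary):
    """Turn the summary into plain-language observations for the operator."""
    notes = []
    for idx, group in summary["dh_mismatches"]:
        notes.append(f"transform {idx}: peer offered DH group {group}, rejected by local policy")
    if summary["accepted_transform"]:
        idx, group = summary["accepted_transform"]
        notes.append(f"transform {idx} accepted (DH group {group})")
    if not summary["profile_matched"]:
        notes.append("peer matched no ISAKMP profile; negotiation continued with the global pre-shared key")
    if summary["nat_t_peer"]:
        notes.append("peer advertises NAT-T: confirm whether a NAT in the path is intended")
    if summary["phase2_complete"]:
        notes.append("IPsec SAs negotiated: the tunnel is up; if traffic still fails, look outside IKE (routing, NAT)")
    elif summary["phase1_complete"]:
        notes.append("phase 1 completed but no IPsec SA: check phase 2 proposals and proxy identities")
    else:
        notes.append(f"phase 1 did not complete; last state {summary['final_state']}")
    return notes


if __name__ == "__main__":
    for note in diagnose(summarize_isakmp_debug(SAMPLE_LOG)):
        print("-", note)
```

Pasting the full debug output from the post into `SAMPLE_LOG` gives the same verdict the poster reached: transform 0 (group 5) is rejected, transform 1 (group 2) is accepted, both phases complete, and the NAT-T vendor ID is the hint that address translation is happening somewhere on the carrier side.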