Forum |  HardWare.fr | News | Articles | PC | S'identifier | S'inscrire | Shop Recherche
1606 connectés 

  FORUM HardWare.fr
  Systèmes & Réseaux Pro
  Réseaux

  (urgent) Problème vpn IPsec phase 2

 
 


 Mot :   Pseudo :  
 
Bas de page
Auteur Sujet :

(urgent) Problème vpn IPsec phase 2

n°160616
Durabrite
zat is ze question
Posté le 15-02-2019 à 15:54:13  profilanswer
 

Bonjour à tous  :hello: ,
 
Je n'aime pas utiliser le mot urgent, mais la malheureusement ...
 
Dans la boite ou je travail nous devons nous connecter à un vpn, mais malheureusement ça ne passe pas !
 
je vais essayer d'être le plus précis possible :
 
notre entreprise :
 
Routeur Cisco 1900 avec ip publique fix 90.x.x.x
reseau : 10.216.13.0/24
Nat overload.
 

Code :
  1. ! Last configuration change at 22:37:47 UTC Wed Feb 13 2019
  2. version 15.2
  3. service timestamps debug datetime msec
  4. service timestamps log datetime msec
  5. service password-encryption
  6. !
  7. hostname Routeur
  8. !
  9. boot-start-marker
  10. boot-end-marker
  11. !
  12. !
  13. enable secret 5 $1$RbXY$GWpKqBnyfMgEKQhZNg94T0
  14. !
  15. no aaa new-model
  16. !
  17. ip cef
  18. !
  19. !
  20. !
  21. !
  22. !
  23. !
  24. no ip domain lookup
  25. no ipv6 cef
  26. !
  27. multilink bundle-name authenticated
  28. !
  29. !
  30. crypto pki trustpoint TP-self-signed-1332842534
  31. enrollment selfsigned
  32. subject-name cn=IOS-Self-Signed-Certificate-1332842534
  33. revocation-check none
  34. rsakeypair TP-self-signed-1332842534
  35. !
  36. !
  37. crypto pki certificate chain TP-self-signed-1332842534
  38. certificate self-signed 01
  39.   3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  40.   31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  41.   69666963 6174652D 31333332 38343235 3334301E 170D3139 30323133 31313032
  42.   33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  43.   4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33333238
  44.   34323533 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  45.   8100A953 3A3609EC 1A84AFF2 6BF597FE 8ED5E160 626A2F5D C9B2E169 3EBA9FD2
  46.   D5A3C55F B7E4F6DC 032043CB AC6AB0C8 36A39499 06AD0AE8 727B464F CE382983
  47.   EC45B5A4 B9636C16 6626F361 E9212B50 24F51219 3D6BED22 A12AA33C B33C7992
  48.   ED83F1BD 46BF1586 FB3AF792 EE082512 053F5B49 C83874CC A6BAED8E 2E0BBE5C
  49.   CD330203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  50.   551D2304 18301680 1418C460 D5B3E805 B5662809 ACD990EA CE8E97C6 6C301D06
  51.   03551D0E 04160414 18C460D5 B3E805B5 662809AC D990EACE 8E97C66C 300D0609
  52.   2A864886 F70D0101 05050003 81810056 CFE9D2A2 F603B198 90AF34C0 0832F2FB
  53.   6AC31FE4 99C9A69E 5EEDCE4A 972C3FAB C0415477 0E450FF4 60711B91 039F1649
  54.   56391B2B 185DFB2A 9974FD52 41072ED5 D095C1D2 6CD417CD 4AD2D8D1 9DD4F31E
  55.   25E866C3 6A9E5B82 4B13F0A4 6D44C32F C76B31ED 07E971EF A2B842CC BB77CC73
  56.   7DD797CC D42F2DB8 B559BACE 3142F9
  57.         quit
  58. license udi pid CISCO1941/K9 sn FCZ1822918F
  59. license boot module c1900 technology-package securityk9
  60. !
  61. !
  62. !
  63. redundancy
  64. !
  65. !
  66. !
  67. !
  68. !
  69. !
  70. !
  71. crypto isakmp policy 1
  72. encr 3des
  73. authentication pre-share
  74. group 5
  75. lifetime 14400
  76. crypto isakmp key PG!c}Xx@{8Ti address 100.x.x.x
  77. !
  78. !
  79. crypto ipsec transform-set TS esp-3des esp-sha-hmac
  80. mode tunnel
  81. !
  82. !
  83. !
  84. crypto map CMAP 10 ipsec-isakmp
  85. set peer 100.x.x.x
  86. set transform-set TS
  87. set pfs group5
  88. match address VPN-TRAFFIC
  89. !
  90. !
  91. !
  92. !
  93. !
  94. interface Tunnel1
  95. description VOC
  96. ip address y.y.y.y 255.255.255.252
  97. tunnel source 90.x.x.x
  98. tunnel destination y.y.y.y
  99. !
  100. interface Embedded-Service-Engine0/0
  101. no ip address
  102. shutdown
  103. !
  104. interface GigabitEthernet0/0
  105. ip address 90.x.x.x 255.255.255.252
  106. ip nat outside
  107. ip virtual-reassembly in
  108. duplex auto
  109. speed auto
  110. crypto map CMAP
  111. !
  112. interface GigabitEthernet0/1
  113. ip address 10.213.16.1 255.255.255.0
  114. ip nat inside
  115. ip virtual-reassembly in
  116. duplex auto
  117. speed auto
  118. !
  119. ip forward-protocol nd
  120. !
  121. no ip http server
  122. ip http secure-server
  123. !
  124. ip nat inside source list 100 interface GigabitEthernet0/0 overload
  125. ip route 0.0.0.0 0.0.0.0 x.x.x.13
  126. ip route 192.168.76.198 255.255.255.255 Tunnel1
  127. !
  128. ip access-list extended VPN-TRAFFIC
  129. permit ip 10.213.16.0 0.0.0.255 10.16.1.0 0.0.0.255
  130. !
  131. access-list 100 deny   ip 10.213.16.0 0.0.0.255 10.16.1.0 0.0.0.255
  132. access-list 100 permit ip 10.213.16.0 0.0.0.255 any
  133. !
  134. !
  135. !
  136. control-plane
  137. !
  138. !
  139. banner motd ^C Acces reserve aux service technique OG Solution ^C
  140. !
  141. line con 0
  142. password 7 071E34455A0C39071B130807
  143. login
  144. line aux 0
  145. line 2
  146. no activation-character
  147. no exec
  148. transport preferred none
  149. transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  150. stopbits 1
  151. line vty 0 4
  152. access-class 1 in
  153. password 7 15031E05102F0B2624323629
  154. login
  155. transport input all
  156. !
  157. scheduler allocate 20000 1000
  158. !
  159. end


 
 
VPN configuré par l’entreprise chez qui nous devons nous connecter :
 
Fortinet : 100.x.x.x
 
https://reho.st/self/dd7914dddb7f105a1b906ee7777186ca0813d557.jpg
 
Donc, nous somme censé avoir accès à 3 ip privé chez eux : 10.16.1.110-10.16.1.112
 
 
Voici les log dans notre routeur cisco :
 

Code :
  1. show log
  2. Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 8039 flushes, 0 overruns, xml disabled, filteri
  3. ng disabled)
  5. No Active Message Discriminator.
  9. No Inactive Message Discriminator.
  12.     Console logging: level debugging, 694235 messages logged, xml disabled,
  13.                      filtering disabled
  14.     Monitor logging: level debugging, 0 messages logged, xml disabled,
  15.                      filtering disabled
  16.     Buffer logging:  level debugging, 610665 messages logged, xml disabled,
  17.                     filtering disabled
  18.     Exception Logging: size (4096 bytes)
  19.     Count and timestamp logging messages: disabled
  20.     Persistent logging: disabled
  22. No active filter modules.
  24.     Trap logging: level informational, 70 message lines logged
  25.         Logging Source-Interface:       VRF Name:
  27. Log Buffer (8192 bytes):
  28. posal with error 32
  29. *Feb 14 13:52:34.491: ISAKMP:(1010): phase 2 SA policy not acceptable! (local 41.77.178.14 remote 196.41.231.242)
  30. *Feb 14 13:52:34.491: ISAKMP: set new node 1599116086 to QM_IDLE
  31. *Feb 14 13:52:34.491: crypto_engine: Generate IKE hash
  32. *Feb 14 13:52:34.491: ISAKMP:(1010):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  33.         spi 712273184, message ID = 1599116086
  34. *Feb 14 13:52:34.491: crypto_engine: Encrypt IKE packet
  35. *Feb 14 13:52:34.491: ISAKMP:(1010): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  36. *Feb 14 13:52:34.491: ISAKMP:(1010):Sending an IKE IPv4 Packet.
  37. *Feb 14 13:52:34.491: ISAKMP:(1010):purging node 1599116086
  38. *Feb 14 13:52:34.491: ISAKMP:(1010):deleting node -774788481 error TRUE reason "QM rejected"
  39. *Feb 14 13:52:34.491: ISAKMP:(1010):Node 3520178815, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  40. *Feb 14 13:52:34.491: ISAKMP:(1010):Old State = IKE_QM_READY  New State = IKE_QM_READY
  41. *Feb 14 13:52:34.539: ISAKMP:(1010):purging node -1889625033
  42. *Feb 14 13:52:39.491: ISAKMP (1010): received packet from 100.x.x.x dport 500 sport 500 Global (R) QM_IDLE
  43. *Feb 14 13:52:39.491: ISAKMP: set new node -1892304685 to QM_IDLE
  44. *Feb 14 13:52:39.491: crypto_engine: Decrypt IKE packet
  45. *Feb 14 13:52:39.491: crypto_engine: Generate IKE hash
  46. *Feb 14 13:52:39.491: ISAKMP:(1010): processing HASH payload. message ID = 2402662611
  47. *Feb 14 13:52:39.491: ISAKMP:(1010): processing SA payload. message ID = 2402662611
  48. *Feb 14 13:52:39.491: ISAKMP:(1010):Checking IPSec proposal 1
  49. *Feb 14 13:52:39.491: ISAKMP: transform 1, ESP_3DES
  50. *Feb 14 13:52:39.491: ISAKMP:   attributes in transform:
  51. *Feb 14 13:52:39.491: ISAKMP:      SA life type in seconds
  52. *Feb 14 13:52:39.491: ISAKMP:      SA life duration (basic) of 3600
  53. *Feb 14 13:52:39.491: ISAKMP:      encaps is 1 (Tunnel)
  54. *Feb 14 13:52:39.491: ISAKMP:      authenticator is HMAC-SHA
  55. *Feb 14 13:52:39.491: ISAKMP:      group is 5
  56. *Feb 14 13:52:39.491: ISAKMP:(1010):atts are acceptable.
  57. *Feb 14 13:52:39.491: IPSEC(validate_proposal_request): proposal part #1
  58. *Feb 14 13:52:39.491: IPSEC(validate_proposal_request): proposal part #1,
  59.   (key eng. msg.) INBOUND local= 90.x.x.x:0, remote= 100.x.x.x.x:0,
  60.     local_proxy= 90.x.x.x/255.255.255.255/256/0,
  61.     remote_proxy= 100.x.x.x/255.255.255.255/256/0,
  62.     protocol= ESP, transform= NONE  (Tunnel),
  63.     lifedur= 0s and 0kb,
  64.     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  65. *Feb 14 13:52:39.491: IPSEC(ipsec_process_proposal): proxy identities not supported
  66. *Feb 14 13:52:39.491: ISAKMP:(1010): IPSec policy invalidated proposal with error 32
  67. *Feb 14 13:52:39.491: ISAKMP:(1010): phase 2 SA policy not acceptable! (local 90.x.x.x remote 100.x.x.x)
  68. *Feb 14 13:52:39.491: ISAKMP: set new node 1224391017 to QM_IDLE
  69. *Feb 14 13:52:39.491: crypto_engine: Generate IKE hash
  70. *Feb 14 13:52:39.491: ISAKMP:(1010):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  71.         spi 712273184, message ID = 1224391017
  72. *Feb 14 13:52:39.491: crypto_engine: Encrypt IKE packet
  73. *Feb 14 13:52:39.491: ISAKMP:(1010): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  74. *Feb 14 13:52:39.491: ISAKMP:(1010):Sending an IKE IPv4 Packet.
  75. *Feb 14 13:52:39.491: ISAKMP:(1010):purging node 1224391017
  76. *Feb 14 13:52:39.491: ISAKMP:(1010):deleting node -1892304685 error TRUE reason "QM rejected"
  77. *Feb 14 13:52:39.491: ISAKMP:(1010):Node 2402662611, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  78. *Feb 14 13:52:39.491: ISAKMP:(1010):Old State = IKE_QM_READY  New State = IKE_QM_READY
  79. *Feb 14 13:52:39.499: ISAKMP:(1010):purging node 391422886
  80. *Feb 14 13:52:44.487: ISAKMP (1010): received packet from 100.x.x.x dport 500 sport 500 Global (R) QM_IDLE
  81. *Feb 14 13:52:44.487: ISAKMP: set new node 343419453 to QM_IDLE
  82. *Feb 14 13:52:44.487: crypto_engine: Decrypt IKE packet
  83. *Feb 14 13:52:44.487: crypto_engine: Generate IKE hash
  84. *Feb 14 13:52:44.487: ISAKMP:(1010): processing HASH payload. message ID = 343419453
  85. *Feb 14 13:52:44.487: ISAKMP:(1010): processing SA payload. message ID = 343419453
  86. *Feb 14 13:52:44.487: ISAKMP:(1010):Checking IPSec proposal 1
  87. *Feb 14 13:52:44.487: ISAKMP: transform 1, ESP_3DES
  88. *Feb 14 13:52:44.487: ISAKMP:   attributes in transform:
  89. *Feb 14 13:52:44.487: ISAKMP:      SA life type in seconds
  90. *Feb 14 13:52:44.487: ISAKMP:      SA life duration (basic) of 3600
  91. *Feb 14 13:52:44.487: ISAKMP:      encaps is 1 (Tunnel)
  92. *Feb 14 13:52:44.487: ISAKMP:      authenticator is HMAC-SHA
  93. *Feb 14 13:52:44.487: ISAKMP:      group is 5
  94. *Feb 14 13:52:44.487: ISAKMP:(1010):atts are acceptable.
  95. *Feb 14 13:52:44.487: IPSEC(validate_proposal_request): proposal part #1
  96. *Feb 14 13:52:44.487: IPSEC(validate_proposal_request): proposal part #1,
  97.   (key eng. msg.) INBOUND local= 90.x.x.x:0, remote= 196.41.231.242:0,
  98.     local_proxy= 90.x.x.x/255.255.255.255/256/0,
  99.     remote_proxy= 100.x.x.x/255.255.255.255/256/0,
  100.     protocol= ESP, transform= NONE  (Tunnel),
  101.     lifedur= 0s and 0kb,
  102.     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  103. *Feb 14 13:52:44.487: IPSEC(ipsec_process_proposal): proxy identities not supported
  104. *Feb 14 13:52:44.487: ISAKMP:(1010): IPSec policy invalidated proposal with error 32
  105. *Feb 14 13:52:44.487: ISAKMP:(1010): phase 2 SA policy not acceptable! (local 41.77.178.14 remote 196.41.231.242)
  106. *Feb 14 13:52:44.487: ISAKMP: set new node -46551546 to QM_IDLE
  107. *Feb 14 13:52:44.491: crypto_engine: Generate IKE hash
  108. *Feb 14 13:52:44.491: ISAKMP:(1010):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  109.         spi 712273184, message ID = 4248415750
  110. *Feb 14 13:52:44.491: crypto_engine: Encrypt IKE packet
  111. *Feb 14 13:52:44.491: ISAKMP:(1010): sending packet to 100.xx.xx.xx my_port 500 peer_port 500 (R) QM_IDLE
  112. *Feb 14 13:52:44.491: ISAKMP:(1010):Sending an IKE IPv4 Packet.
  113. *Feb 14 13:52:44.491: ISAKMP:(1010):purging node -46551546
  114. *Feb 14 13:52:44.491: ISAKMP:(1010):deleting node 343419453 error TRUE reason "QM rejected"
  115. *Feb 14 13:52:44.491: ISAKMP:(1010):Node 343419453, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  116. *Feb 14 13:52:44.491: ISAKMP:(1010):Old State = IKE_QM_READY  New State = IKE_QM_READY
  117. *Feb 14 13:52:44.499: ISAKMP:(1010):purging node -50944185
  118. *Feb 14 13:52:49.487: ISAKMP (1010): received packet from 100.x.x.x dport 500 sport 500 Global (R) QM_IDLE
  119. *Feb 14 13:52:49.487: ISAKMP: set new node 169481630 to QM_IDLE
  120. *Feb 14 13:52:49.487: crypto_engine: Decrypt IKE packet
  121. *Feb 14 13:52:49.487: crypto_engine: Generate IKE hash
  122. *Feb 14 13:52:49.487: ISAKMP:(1010): processing HASH payload. message ID = 169481630
  123. *Feb 14 13:52:49.487: ISAKMP:(1010): processing SA payload. message ID = 169481630
  124. *Feb 14 13:52:49.487: ISAKMP:(1010):Checking IPSec proposal 1
  125. *Feb 14 13:52:49.487: ISAKMP: transform 1, ESP_3DES
  126. *Feb 14 13:52:49.487: ISAKMP:   attributes in transform:
  127. *Feb 14 13:52:49.487: ISAKMP:      SA life type in seconds
  128. *Feb 14 13:52:49.487: ISAKMP:      SA life duration (basic) of 3600
  129. *Feb 14 13:52:49.487: ISAKMP:      encaps is 1 (Tunnel)
  130. *Feb 14 13:52:49.487: ISAKMP:      authenticator is HMAC-SHA
  131. *Feb 14 13:52:49.487: ISAKMP:      group is 5
  132. *Feb 14 13:52:49.487: ISAKMP:(1010):atts are acceptable.
  133. *Feb 14 13:52:49.487: IPSEC(validate_proposal_request): proposal part #1
  134. *Feb 14 13:52:49.487: IPSEC(validate_proposal_request): proposal part #1,
  135.   (key eng. msg.) INBOUND local= 90.x.x.x:0, remote=100.x.x.x:0,
  136.     local_proxy= 90.x.x.x/255.255.255.255/256/0,
  137.     remote_proxy= 100.x.x.x/255.255.255.255/256/0,
  138.     protocol= ESP, transform= NONE  (Tunnel),
  139.     lifedur= 0s and 0kb,
  140.     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  141. *Feb 14 13:52:49.487: IPSEC(ipsec_process_proposal): proxy identities not supported
  142. *Feb 14 13:52:49.487: ISAKMP:(1010): IPSec policy invalidated proposal with error 32
  143. *Feb 14 13:52:49.487: ISAKMP:(1010): phase 2 SA policy not acceptable! (local 90.x.x.x remote 100.x.x.x)
  144. *Feb 14 13:52:49.491: ISAKMP: set new node -1440426921 to QM_IDLE
  145. *Feb 14 13:52:49.491: crypto_engine: Generate IKE hash
  146. *Feb 14 13:52:49.491: ISAKMP:(1010):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
  147.         spi 712273184, message ID = 2854540375


 
 
Je vous remercie d'avance pour toute idée, éclaircissement que vous pourrez m'apporter, et si vous voulez plus d'informations  :jap: .
 
 
 
 
 

mood
Publicité
Posté le 15-02-2019 à 15:54:13  profilanswer
 

n°160618
Charon_
Posté le 15-02-2019 à 16:17:13  profilanswer
 

Il te manque de la configuration sur ton interface tunnel.
Il faut ajouter la partie tunnel protection (ta config ipsec)

n°160620
Charon_
Posté le 15-02-2019 à 16:29:22  profilanswer
 

Il te faut un truc genre :
 
crypto ipsec transform-set ipsec-prop-tun1 esp-3des esp-sha-hmac  
  mode tunnel
exit
 
 
 
crypto ipsec profile ipsec-vpn-prof-tun1
  set pfs group5
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-tun1
exit
 
interface Tunnel1
  ip address x.x.x.x x.x.x.x
  ip virtual-reassembly
  tunnel source x.x.x.x
  tunnel destination x.x.x.x
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-prof-tun1

Message cité 1 fois
n°160623
Je@nb
Modérateur
Kindly give dime
Posté le 15-02-2019 à 16:46:07  profilanswer
 

si c'est urgent le mieux est surement de faire appel au support ...
et ça veut dire quoi nat overload ? :/

n°160624
Charon_
Posté le 15-02-2019 à 16:47:00  profilanswer
 

nat overload c'est du PAT, mais rien à voir avec son VPN là ;)

n°160628
Durabrite
zat is ze question
Posté le 15-02-2019 à 17:08:32  profilanswer
 

Charon_ a écrit :

Il te faut un truc genre :
 
crypto ipsec transform-set ipsec-prop-tun1 esp-3des esp-sha-hmac  
  mode tunnel
exit
 
 
 
crypto ipsec profile ipsec-vpn-prof-tun1
  set pfs group5
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-tun1
exit
 
interface Tunnel1
  ip address x.x.x.x x.x.x.x
  ip virtual-reassembly
  tunnel source x.x.x.x
  tunnel destination x.x.x.x
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-prof-tun1


 
Bonjour Charon_, je te remercie pour ta réponse :)  
 
L'interface Tunnel1 est utilisé pour un autre service enfaîte, dois-je créer un nouveau tunnel pour le vpn? j'ai déja entrer les commandes que tu m'a donner, je me suis arreter au tunnel du coup  :??: .
 
Merci encore!
 
@Je@nb, je suis entièrement d'accord avec toi, sauf que la le support à décider de prendre son temps et n'est pas du tout coopératif  :( .

n°160632
Charon_
Posté le 15-02-2019 à 17:25:54  profilanswer
 

Oui, dans ce cas, il faut une nouvelle interface tunnel.
dans ton cas, tunnel2 par exemple.
Il n'y a que la session IPSEC qui pose problème pour l'instant.
ensuite il te faudra la route pour le remote subnet via tunnel2
Pour la phase isakmp tout est bon d'après les log.

Message cité 1 fois
n°160640
Durabrite
zat is ze question
Posté le 15-02-2019 à 17:52:36  profilanswer
 

Charon_ a écrit :

Oui, dans ce cas, il faut une nouvelle interface tunnel.
dans ton cas, tunnel2 par exemple.
Il n'y a que la session IPSEC qui pose problème pour l'instant.
ensuite il te faudra la route pour le remote subnet via tunnel2
Pour la phase isakmp tout est bon d'après les log.


 
 
Merci pour ta réponse, j'ai créer l'interface tunnel2, pour ip address je n'ai pas su quoi mettre, j'ai donc rien mis pour l'instant ...
 
Sinon il y'a du changement on dirait :
 

Code :
  1. time(k/sec)= (4608000/3600)
  2. *Feb 14 16:53:46.874:  ISAKMP: Failed to find peer index node to update peer_info_list
  3. *Feb 14 16:53:46.874: ISAKMP:(1015):Received IPSec Install callback... proceeding with the negotiation
  4. *Feb 14 16:53:46.874: crypto engine: deleting DH phase 2 SW:39
  5. *Feb 14 16:53:46.874: crypto_engine: Delete DH shared secret
  6. *Feb 14 16:53:46.874: crypto engine: deleting DH SW:38
  7. *Feb 14 16:53:46.878: crypto_engine: Encrypt IKE packet
  8. *Feb 14 16:53:46.878: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  9. *Feb 14 16:53:46.878: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  10. *Feb 14 16:53:46.878: ISAKMP:(1015):Node 2053256311, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
  11. *Feb 14 16:53:46.878: ISAKMP:(1015):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
  12. *Feb 14 16:53:46.878: crypto_engine: Delete DH
  13. *Feb 14 16:53:46.902: ISAKMP (1015): received packet from 90.x.x.x dport 500 sport 500 Global (R) QM_IDLE
  14. *Feb 14 16:53:46.902: crypto_engine: Decrypt IKE packet
  15. *Feb 14 16:53:46.902: crypto_engine: Generate IKE hash
  16. *Feb 14 16:53:46.902: ISAKMP:(1015):deleting node 2053256311 error FALSE reason "QM done (await)"
  17. *Feb 14 16:53:46.902: ISAKMP:(1015):Node 2053256311, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  18. *Feb 14 16:53:46.902: ISAKMP:(1015):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
  19. *Feb 14 16:53:46.902: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  20. *Feb 14 16:53:46.902: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
  21. *Feb 14 16:53:46.906: crypto engine: updating MTU size of IPSec SA Onboard VPN:10
  22. *Feb 14 16:53:46.906: crypto_engine: Set IPSec MTU
  23. *Feb 14 16:53:46.906: IPSEC: Expand action denied, notify RP
  24. *Feb 14 16:53:46.906: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
  25. *Feb 14 16:53:56.482: IPSEC(key_engine): request timer fired: count = 2,
  26.   (identity) local= 90.x.x.x:0, remote= 196.41.231.242:0,
  27.     local_proxy= 0.0.0.0/0.0.0.0/256/0,
  28.     remote_proxy= 0.0.0.0/0.0.0.0/256/0
  29. *Feb 14 16:53:56.490: IPSEC(sa_request): ,
  30.   (key eng. msg.) OUTBOUND local= 90.x.x.x:500, remote= 100.x.x.x:500,
  31.     local_proxy= 0.0.0.0/0.0.0.0/256/0,
  32.     remote_proxy= 0.0.0.0/0.0.0.0/256/0,
  33.     protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
  34.     lifedur= 3600s and 4608000kb,
  35.     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  36. *Feb 14 16:53:56.494: ISAKMP: set new node 0 to QM_IDLE
  37. *Feb 14 16:53:56.494: SA has outstanding requests  (local 50.71.46.68 port 500, remote 50.71.46.96 port 500)
  38. *Feb 14 16:53:56.494: ISAKMP:(1015): sitting IDLE. Starting QM immediately (QM_IDLE      )
  39. *Feb 14 16:53:56.494: ISAKMP:(1015):beginning Quick Mode exchange, M-ID of 3736233021
  40. *Feb 14 16:53:56.494: crypto_engine: Create DH
  41. *Feb 14 16:53:56.554: ISAKMP:(1015):QM Initiator gets spi
  42. *Feb 14 16:53:56.554: crypto_engine: Generate IKE hash
  43. *Feb 14 16:53:56.554: crypto_engine: Encrypt IKE packet
  44. *Feb 14 16:53:56.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  45. *Feb 14 16:53:56.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  46. *Feb 14 16:53:56.554: ISAKMP:(1015):Node 3736233021, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  47. *Feb 14 16:53:56.554: ISAKMP:(1015):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  48. *Feb 14 16:54:01.690: crypto_engine: Create signature
  49. *Feb 14 16:54:06.554: ISAKMP:(1015): retransmitting phase 2 QM_IDLE       -558734275 ...
  50. *Feb 14 16:54:06.554: ISAKMP (1015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
  51. *Feb 14 16:54:06.554: ISAKMP (1015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
  52. *Feb 14 16:54:06.554: ISAKMP:(1015): retransmitting phase 2 -558734275 QM_IDLE
  53. *Feb 14 16:54:06.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  54. *Feb 14 16:54:06.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  55. *Feb 14 16:54:16.554: ISAKMP:(1015): retransmitting phase 2 QM_IDLE       -558734275 ...
  56. *Feb 14 16:54:16.554: ISAKMP (1015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
  57. *Feb 14 16:54:16.554: ISAKMP (1015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
  58. *Feb 14 16:54:16.554: ISAKMP:(1015): retransmitting phase 2 -558734275 QM_IDLE
  59. *Feb 14 16:54:16.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  60. *Feb 14 16:54:16.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  61. *Feb 14 16:54:26.490: IPSEC(key_engine): request timer fired: count = 1,
  62.   (identity) local= 90.x.x.x:0, remote= 100.x.x.x:0,
  63.     local_proxy= 0.0.0.0/0.0.0.0/256/0,
  64.     remote_proxy= 0.0.0.0/0.0.0.0/256/0
  65. *Feb 14 16:54:26.490: IPSEC(sa_request): ,
  66.   (key eng. msg.) OUTBOUND local= 90.x.x.x:500, remote= 100.x.x.x:500,
  67.     local_proxy= 0.0.0.0/0.0.0.0/256/0,
  68.     remote_proxy= 0.0.0.0/0.0.0.0/256/0,
  69.     protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
  70.     lifedur= 3600s and 4608000kb,
  71.     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  72. *Feb 14 16:54:26.490: ISAKMP: set new node 0 to QM_IDLE
  73. *Feb 14 16:54:26.490: SA has outstanding requests  (local 50.71.46.68 port 500, remote 50.71.46.96 port 500)
  74. *Feb 14 16:54:26.490: ISAKMP:(1015): sitting IDLE. Starting QM immediately (QM_IDLE      )
  75. *Feb 14 16:54:26.490: ISAKMP:(1015):beginning Quick Mode exchange, M-ID of 4052664712
  76. *Feb 14 16:54:26.490: crypto_engine: Create DH
  77. *Feb 14 16:54:26.554: ISAKMP:(1015):QM Initiator gets spi
  78. *Feb 14 16:54:26.554: crypto_engine: Generate IKE hash
  79. *Feb 14 16:54:26.554: crypto_engine: Encrypt IKE packet
  80. *Feb 14 16:54:26.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  81. *Feb 14 16:54:26.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  82. *Feb 14 16:54:26.554: ISAKMP:(1015):Node 4052664712, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  83. *Feb 14 16:54:26.554: ISAKMP:(1015):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  84. *Feb 14 16:54:26.554: ISAKMP:(1015): retransmitting phase 2 QM_IDLE       -558734275 ...
  85. *Feb 14 16:54:26.554: ISAKMP (1015): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
  86. *Feb 14 16:54:26.554: ISAKMP (1015): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
  87. *Feb 14 16:54:26.554: ISAKMP:(1015): retransmitting phase 2 -558734275 QM_IDLE
  88. *Feb 14 16:54:26.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  89. *Feb 14 16:54:26.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  90. *Feb 14 16:54:36.546: ISAKMP:(1014):purging node 99437216
  91. *Feb 14 16:54:36.546: crypto engine: deleting DH SW:35
  92. *Feb 14 16:54:36.546: crypto_engine: Delete DH
  93. *Feb 14 16:54:36.546: ISAKMP:(1014):purging node -1549729238
  94. *Feb 14 16:54:36.546: crypto engine: deleting DH SW:36
  95. *Feb 14 16:54:36.546: crypto_engine: Delete DH
  96. *Feb 14 16:54:36.554: ISAKMP:(1015): retransmitting phase 2 QM_IDLE       -242302584 ...
  97. *Feb 14 16:54:36.554: ISAKMP (1015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
  98. *Feb 14 16:54:36.554: ISAKMP (1015): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
  99. *Feb 14 16:54:36.554: ISAKMP:(1015): retransmitting phase 2 -242302584 QM_IDLE
  100. *Feb 14 16:54:36.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  101. *Feb 14 16:54:36.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  102. *Feb 14 16:54:36.554: ISAKMP:(1015): retransmitting phase 2 QM_IDLE       -558734275 ...
  103. *Feb 14 16:54:36.554: ISAKMP (1015): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
  104. *Feb 14 16:54:36.554: ISAKMP (1015): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
  105. *Feb 14 16:54:36.554: ISAKMP:(1015): retransmitting phase 2 -558734275 QM_IDLE
  106. *Feb 14 16:54:36.554: ISAKMP:(1015): sending packet to 100.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
  107. *Feb 14 16:54:36.554: ISAKMP:(1015):Sending an IKE IPv4 Packet.
  108. *Feb 14 16:54:36.902: ISAKMP:(1015):purging node 2053256311
  109. *Feb 14 16:54:36.902: crypto engine: deleting DH phase 2 SW:39


 
 
Merci encore !

n°160644
Durabrite
zat is ze question
Posté le 16-02-2019 à 00:51:36  profilanswer
 

Bonsoir,

 

j'ai changer à nouveau la config :

 
Code :
  1. boot-start-marker
  2. boot-end-marker
  3. !
  4. !
  5. enable secret 5 $1$RbXY$GWpKqBnyfMgEKQhZNg94T0
  6. !
  7. no aaa new-model
  8. !
  9. ip cef
  10. !
  11. !
  12. !
  13. !
  14. !
  15. !
  16. no ipv6 cef
  17. !
  18. multilink bundle-name authenticated
  19. !
  20. !
  21. !
  22. license udi pid CISCO1941/K9 sn FCZ1822918F
  23. license boot module c1900 technology-package securityk9
  24. !
  25. !
  26. !
  27. redundancy
  28. !
  29. !
  30. !
  31. !
  32. !
  33. !
  34. !
  35. crypto isakmp policy 10
  36. encr 3des
  37. authentication pre-share
  38. group 5
  39. lifetime 14400
  40. crypto isakmp key (codepsk) address 100.41.221.142
  41. !
  42. !
  43. crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
  44. mode tunnel
  45. !
  46. crypto ipsec profile HQBRANCH
  47. set transform-set HQBRANCH
  48. set pfs group5
  49. !
  50. !
  51. !
  52. crypto map HQMAP 10 ipsec-isakmp
  53. set peer 100.41.221.142
  54. set transform-set HQBRANCH
  55. --More--
  64. set pfs group5
  65. match address 120
  66. !
  67. !
  68. !
  69. !
  70. interface Tunnel2
  71. no ip address
  72. ip virtual-reassembly in
  73. tunnel source 90.210.32.5
  74. tunnel mode ipsec ipv4
  75. tunnel destination 100.41.221.142
  76. tunnel protection ipsec profile HQBRANCH
  77. !
  78. interface Embedded-Service-Engine0/0
  79. no ip address
  80. shutdown
  81. !
  82. interface GigabitEthernet0/0
  83. ip address 90.210.32.5 255.255.255.252
  84. ip nat outside
  85. ip virtual-reassembly in
  86. duplex auto
  87. speed auto
  88. crypto map HQMAP
  89. !
  90. interface GigabitEthernet0/1
  91. ip address 10.213.16.1 255.255.255.0
  92. ip nat inside
  93. ip virtual-reassembly in
  94. duplex auto
  95. speed auto
  96. !
  97. ip forward-protocol nd
  98. !
  99. no ip http server
  100. no ip http secure-server
  101. !
  102. ip nat inside source list 100 interface GigabitEthernet0/0 overload
  103. ip route 0.0.0.0 0.0.0.0 90.210.32.4
  104. ip route 10.16.1.0 255.255.255.0 Tunnel2
  105. !
  106. access-list 1 permit 10.213.16.0 0.0.0.255
  107. access-list 100 deny   ip 10.213.16.0 0.0.0.255 10.16.1.0 0.0.0.255
  108. access-list 100 permit ip 10.213.16.0 0.0.0.255 any
  109. access-list 101 permit ahp host 100.41.221.142 host 90.210.32.5
  110. access-list 101 permit esp host 100.41.221.142 host 90.210.32.5
  111. access-list 101 permit udp host 100.41.221.142 host 90.210.32.5 eq isakmp
  112. access-list 101 permit udp host 100.41.221.142 host 90.210.32.5 eq non500-isakmp
  113. access-list 120 permit ip 10.213.16.0 0.0.0.255 10.16.1.0 0.0.0.255
  114. !
  115. !
  116. !
  117. control-plane
  118. !
  119. !
  120. banner motd ^C Acces reserve aux service technique OG Solution ^C
  121. !
  122. line con 0
  123. password 7 071E34455A0C39071B130807
  124. login
  125. line aux 0
  126. line 2
  127. no activation-character
  128. no exec
  129. transport preferred none
  130. transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  131. stopbits 1
  132. line vty 0 4
  133. password 7 15031E0200290B2624323329
  134. login
  135. transport input all
  136. !
  137. scheduler allocate 20000 1000
  138. !
  139. end
 

Voici le debug :

 
Code :
  1. Routeur-OGS#show log
  2. Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
  4. No Active Message Discriminator.
  8. No Inactive Message Discriminator.
  11.     Console logging: level debugging, 13887 messages logged, xml disabled,
  12.                      filtering disabled
  13.     Monitor logging: level debugging, 0 messages logged, xml disabled,
  14.                      filtering disabled
  15.     Buffer logging:  level debugging, 13887 messages logged, xml disabled,
  16.                     filtering disabled
  17.     Exception Logging: size (4096 bytes)
  18.     Count and timestamp logging messages: disabled
  19.     Persistent logging: disabled
  21. No active filter modules.
  23.     Trap logging: level informational, 90 message lines logged
  24.         Logging Source-Interface:       VRF Name:
  26. Log Buffer (8192 bytes):
  27. 1.782: ISAKMP:(1023): processing NOTIFY INITIAL_CONTACT protocol 1
  28.         spi 0, message ID = 0, sa = 0x2AF7BBA8
  29. *Feb 14 23:54:31.782: ISAKMP:(1023):SA authentication status:
  30.         authenticated
  31. *Feb 14 23:54:31.782: ISAKMP:(1023):SA has been authenticated with 100.41.221.142
  32. *Feb 14 23:54:31.782: ISAKMP:(1023):SA authentication status:
  33.         authenticated
  34. *Feb 14 23:54:31.782: ISAKMP:(1023): Process initial contact,
  35. bring down existing phase 1 and 2 SA's with local 90.210.32.5 remote 100.41.221.142 remote port 500
  36. *Feb 14 23:54:31.782: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  37. *Feb 14 23:54:31.782: ISAKMP:(1023):Old State = IKE_R_MM5  New State = IKE_R_MM5
  39. *Feb 14 23:54:31.782: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  40. *Feb 14 23:54:31.782: Delete IPsec SA by IC, local 90.210.32.5 remote 100.41.221.142 peer port 500
  41. *Feb 14 23:54:31.782: ISAKMP:(1023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  42. *Feb 14 23:54:31.782: ISAKMP (1023): ID payload
  43.         next-payload : 8
  44.         type         : 1
  45.         address      : 90.210.32.5
  46.         protocol     : 17
  47.         port         : 500
  48.         length       : 12
  49. *Feb 14 23:54:31.782: ISAKMP:(1023):Total payload length: 12
  50. *Feb 14 23:54:31.782: ISAKMP:(1023): sending packet to 100.41.221.142 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  51. *Feb 14 23:54:31.782: ISAKMP:(1023):Sending an IKE IPv4 Packet.
  52. *Feb 14 23:54:31.782: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  53. *Feb 14 23:54:31.782: ISAKMP:(1023):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
  55. *Feb 14 23:54:31.782: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  56. *Feb 14 23:54:31.782: ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  58. *Feb 14 23:54:31.782:  ISAKMP: Failed to find peer index node to update peer_info_list
  59. *Feb 14 23:54:31.786: IPSEC(update_current_outbound_sa): updated peer 100.41.221.142 current outbound sa to SPI 0
  60. *Feb 14 23:54:31.786: IPSEC(delete_sa): deleting SA,
  61.   (sa) sa_dest= 90.210.32.5, sa_proto= 50,
  62.     sa_spi= 0x41662FBF(1097215935),
  63.     sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2043
  64.     sa_lifetime(k/sec)= (4608000/3600),
  65.   (identity) local= 90.210.32.5:0, remote= 100.41.221.142:0,
  66.     local_proxy= 90.210.32.5/255.255.255.255/256/0,
  67.     remote_proxy= 100.41.221.142/255.255.255.255/256/0
  68. *Feb 14 23:54:31.786: IPSEC(update_current_outbound_sa): updated peer 100.41.221.142 current outbound sa to SPI 0
  69. *Feb 14 23:54:31.786: IPSEC(delete_sa): deleting SA,
  70.   (sa) sa_dest= 100.41.221.142, sa_proto= 50,
  71.     sa_spi= 0x1D52DE7D(491970173),
  72.     sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2044
  73.     sa_lifetime(k/sec)= (4608000/3600),
  74.   (identity) local= 90.210.32.5:0, remote= 100.41.221.142:0,
  75.     local_proxy= 90.210.32.5/255.255.255.255/256/0,
  76.     remote_proxy= 100.41.221.142/255.255.255.255/256/0
  77. *Feb 14 23:54:31.786: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
  78. *Feb 14 23:54:31.786: ISAKMP: set new node -616210424 to QM_IDLE
  79. *Feb 14 23:54:31.786: ISAKMP:(1023): sending packet to 100.41.221.142 my_port 500 peer_port 500 (R) QM_IDLE
  80. *Feb 14 23:54:31.786: ISAKMP:(1023):Sending an IKE IPv4 Packet.
  81. *Feb 14 23:54:31.786: ISAKMP:(1023):purging node -616210424
  82. *Feb 14 23:54:31.786: ISAKMP:(1023):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
  83. *Feb 14 23:54:31.786: ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  85. *Feb 14 23:54:31.814: ISAKMP (1023): received packet from 100.41.221.142 dport 500 sport 500 Global (R) QM_IDLE
  86. *Feb 14 23:54:31.814: ISAKMP: set new node -2123739895 to QM_IDLE
  87. *Feb 14 23:54:31.814: ISAKMP:(1023): processing HASH payload. message ID = 2171227401
  88. *Feb 14 23:54:31.814: ISAKMP:(1023): processing SA payload. message ID = 2171227401
  89. *Feb 14 23:54:31.814: ISAKMP:(1023):Checking IPSec proposal 1
  90. *Feb 14 23:54:31.814: ISAKMP: transform 1, ESP_3DES
  91. *Feb 14 23:54:31.814: ISAKMP:   attributes in transform:
  92. *Feb 14 23:54:31.814: ISAKMP:      SA life type in seconds
  93. *Feb 14 23:54:31.814: ISAKMP:      SA life duration (basic) of 3600
  94. *Feb 14 23:54:31.814: ISAKMP:      encaps is 1 (Tunnel)
  95. *Feb 14 23:54:31.814: ISAKMP:      authenticator is HMAC-SHA
  96. *Feb 14 23:54:31.814: ISAKMP:      group is 5
  97. *Feb 14 23:54:31.814: ISAKMP:(1023):atts are acceptable.
  98. *Feb 14 23:54:31.814: IPSEC(validate_proposal_request): proposal part #1
  99. *Feb 14 23:54:31.814: IPSEC(validate_proposal_request): proposal part #1,
  100.   (key eng. msg.) INBOUND local= 90.210.32.5:0, remote= 100.41.221.142:0,
  101.     local_proxy= 90.210.32.5/255.255.255.255/256/0,
  102.     remote_proxy= 100.41.221.142/255.255.255.255/256/0,
  103.     protocol= ESP, transform= NONE  (Tunnel),
  104.     lifedur= 0s and 0kb,
  105.     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  106. *Feb 14 23:54:31.814: Crypto mapdb : proxy_match
  107.         src addr     : 90.210.32.5
  108.         dst addr     : 100.41.221.142
  109.         protocol     : 0
  110.         src port     : 0
  111.         dst port     : 0
  112. *Feb 14 23:54:31.874: ISAKMP:(1023): processing NONCE payload. message ID = 2171227401
  113. *Feb 14 23:54:31.874: ISAKMP:(1023): processing KE payload. message ID = 2171227401
  114. *Feb 14 23:54:31.950: ISAKMP:(1023): processing ID payload. message ID = 2171227401
  115. *Feb 14 23:54:31.950: ISAKMP:(1023): processing ID payload. message ID = 2171227401
  116. *Feb 14 23:54:31.950: ISAKMP:(1023):QM Responder gets spi
  117. *Feb 14 23:54:31.950: ISAKMP:(1023):Node 2171227401, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  118. *Feb 14 23:54:31.950: ISAKMP:(1023):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
  119. *Feb 14 23:54:31.950: ISAKMP:(1023):Node 2171227401, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
  120. *Feb 14 23:54:31.950: ISAKMP:(1023):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
  121. *Feb 14 23:54:31.950: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  122. *Feb 14 23:54:31.950: Crypto mapdb : proxy_match
  123.         src addr     : 90.210.32.5
  124.         dst addr     : 100.41.221.142
  125.         protocol     : 256
  126.         src port     : 0
  127.         dst port     : 0
  128. *Feb 14 23:54:31.950: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel2-head-0
  129. *Feb 14 23:54:31.954: IPSEC(create_sa): sa created,
  130.   (sa) sa_dest= 90.210.32.5, sa_proto= 50,
  131.     sa_spi= 0x663F42A0(1715421856),
  132.     sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2045
  133.     sa_lifetime(k/sec)= (4608000/3600)
  134. *Feb 14 23:54:31.954: IPSEC(create_sa): sa created,
  135.   (sa) sa_dest= 100.41.221.142, sa_proto= 50,
  136.     sa_spi= 0x1D52DE85(491970181),
  137.     sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2046
  138.     sa_lifetime(k/sec)= (4608000/3600)
  139. *Feb 14 23:54:31.954:  ISAKMP: Failed to find peer index node to update peer_info_list
  140. *Feb 14 23:54:31.954: ISAKMP:(1023):Received IPSec Install callback... proceeding with the negotiation
  141. *Feb 14 23:54:31.954: ISAKMP:(1023): sending packet to 100.41.221.142 my_port 500 peer_port 500 (R) QM_IDLE
  142. *Feb 14 23:54:31.954: ISAKMP:(1023):Sending an IKE IPv4 Packet.
  143. *Feb 14 23:54:31.954: ISAKMP:(1023):Node 2171227401, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
  144. *Feb 14 23:54:31.954: ISAKMP:(1023):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
  145. *Feb 14 23:54:31.970: ISAKMP (1023): received packet from 100.41.221.142 dport 500 sport 500 Global (R) QM_IDLE
  146. *Feb 14 23:54:31.970: ISAKMP:(1023):deleting node -2123739895 error FALSE reason "QM done (await)"
  147. *Feb 14 23:54:31.970: ISAKMP:(1023):Node 2171227401, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  148. *Feb 14 23:54:31.970: ISAKMP:(1023):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
  149. *Feb 14 23:54:31.970: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  150. *Feb 14 23:54:31.970: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
  151. *Feb 14 23:54:31.970: IPSEC: Expand action denied, notify RP
  152. *Feb 14 23:54:31.970: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
  153. *Feb 14 23:54:41.574: IPSEC(key_engine): request timer fired: count = 2,
  154.   (identity) local= 90.210.32.5:0, remote= 100.41.221.142:0,
  155.     local_proxy= 0.0.0.0/0.0.0.0/256/0,
  156.     remote_proxy= 0.0.0.0/0.0.0.0/256/0
  157. *Feb 14 23:55:21.634: ISAKMP:(1022):purging node 1545711744
  158. *Feb 14 23:55:21.634: ISAKMP:(1022):purging node 1120107884
  159. *Feb 14 23:55:21.970: ISAKMP:(1023):purging node -2123739895
 


J'ai l'impression que y'a de l’évolution mais bon ...

 

Merci encore  :jap: .


Message édité par Durabrite le 16-02-2019 à 00:53:38
n°160660
Charon_
Posté le 18-02-2019 à 09:22:33  profilanswer
 

Hello,
 
Il te faut une addresse IP valable sous l'interface tunnel2.
Elle peut être du type 169.254.x.x/30 (idem de l'autre côté).
Tes access-list ne filtrent rien pour le moment, il faut les "mapper" avec une interface ou autre.
 
Fais aussi attention lorsque tu partage ta configuration, il y a des données sensibles ainsi que des mots de passe facilement décryptable
 
Autrement, une fois l'address IP virtuelle configurée des 2 côtés, cela devrait fonctionner.


Aller à :
Ajouter une réponse
  FORUM HardWare.fr
  Systèmes & Réseaux Pro
  Réseaux

  (urgent) Problème vpn IPsec phase 2

 

Sujets relatifs
[WSE2016] Problème pour rejoindre le domaine + problème serveur DNSProblème sur borne wifi fraichement installée
Problème script Powershell pour AD[WIFI CISCO] problème de déconnexion
Problème d'adressage ip sur PC WIN 7[Que Choisir] VPN mpls vs. ipsec ?
probleme de connectivie local et DHCPProblème affichage outlook web access
Problème borne expiration CISCO - URGENT 
Plus de sujets relatifs à : (urgent) Problème vpn IPsec phase 2

Forum MesDiscussions.Net, Version 2010.2
(c) 2000-2011 Doctissimo
Page générée en 0.206 secondes

Copyright © 1997-2022 Hardware.fr SARL (Signaler un contenu illicite / Données personnelles) / Groupe LDLC / Shop HFR