Author Topic: [SOLVED] IPsec VPN not working between pfSense and a Debian 6 (Read 8668 times)


vincent0

Hello,

In a professional context, I'm trying to configure a pfSense to bring up an IPsec link to a Debian 6 machine (it's historical: we're taking over an abandoned project and I can't update it) which uses a pluto process to manage the VPN. It doesn't work: no ping gets through and no remote server is reachable, even with a simple HTTP request.
The Debian in question gives access to a group of servers at OVH through a vRack.

We took over the IPsec configuration present in the router. The pfSense connects and then disconnects after about 3 minutes. No network traffic works and we have no idea where this comes from, nor therefore where to look. We cannot change the configuration of the current router nor that of the remote Debian because it is extremely legacy.

Here are some logs I have in the pfSense, in case it helps someone put a finger on our problem:
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> no acceptable INTEGRITY_ALGORITHM found
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> no acceptable DIFFIE_HELLMAN_GROUP found
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Jan 15 18:49:47 charon 08[IKE] <con1000|28593> received 3600s lifetime, configured 86400s
Jan 15 18:49:47 charon 08[IKE] <con1000|28593> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Jan 15 18:49:47 charon 08[IKE] <con1000|28593> queueing INFORMATIONAL task
Jan 15 18:49:47 charon 08[IKE] <con1000|28593> delaying task initiation, QUICK_MODE exchange in progress
Jan 15 18:49:48 charon 08[IKE] <con1000|28593> sending retransmit 5 of request message ID 3862150220, seq 4
Jan 15 18:49:48 charon 08[NET] <con1000|28593> sending packet: from 95.128.151.109[500] to 178.33.229.232[500] (172 bytes)
Jan 15 18:49:51 charon 12[CFG] vici client 1610 connected
Jan 15 18:49:51 charon 08[CFG] vici client 1610 registered for: list-sa
Jan 15 18:49:51 charon 12[CFG] vici client 1610 requests: list-sas
Jan 15 18:49:51 charon 12[CFG] vici client 1610 disconnected
Jan 15 18:49:51 charon 08[CFG] vici client 1611 connected
Jan 15 18:49:51 charon 12[CFG] vici client 1611 registered for: list-sa
Jan 15 18:49:51 charon 14[CFG] vici client 1611 requests: list-sas
Jan 15 18:49:51 charon 08[CFG] vici client 1611 disconnected
Jan 15 18:49:56 charon 14[CFG] vici client 1612 connected
Jan 15 18:49:56 charon 09[CFG] vici client 1612 registered for: list-sa
Jan 15 18:49:56 charon 09[CFG] vici client 1612 requests: list-sas
Jan 15 18:49:56 charon 08[CFG] vici client 1612 disconnected
Jan 15 18:49:56 charon 08[NET] <con1000|28593> received packet: from 178.33.229.232[500] to 95.128.151.109[500] (380 bytes)
Jan 15 18:49:56 charon 08[ENC] <con1000|28593> invalid HASH_V1 payload length, decryption failed?
Jan 15 18:49:56 charon 08[ENC] <con1000|28593> could not decrypt payloads
Jan 15 18:49:56 charon 08[IKE] <con1000|28593> message parsing failed
Jan 15 18:49:56 charon 08[ENC] <con1000|28593> generating INFORMATIONAL_V1 request 2751809151 [ HASH N(PLD_MAL) ]
Jan 15 18:49:56 charon 08[NET] <con1000|28593> sending packet: from 95.128.151.109[500] to 178.33.229.232[500] (68 bytes)
Jan 15 18:49:56 charon 08[IKE] <con1000|28593> QUICK_MODE request with message ID 338164442 processing failed
Jan 15 18:49:57 charon 08[NET] <con1000|28593> received packet: from 178.33.229.232[500] to 95.128.151.109[500] (380 bytes)
Jan 15 18:49:57 charon 08[IKE] <con1000|28593> received retransmit of request with ID 1144794507, but no response to retransmit
Jan 15 18:49:57 charon 14[NET] <con1000|28593> received packet: from 178.33.229.232[500] to 95.128.151.109[500] (380 bytes)
Jan 15 18:49:57 charon 14[ENC] <con1000|28593> parsed QUICK_MODE request 371417717 [ HASH SA No KE ID ID ]
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> looking for a child config for 10.0.0.0/22|/0 === 172.16.0.0/12|/0
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> proposing traffic selectors for us:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> 10.0.0.0/22|/0
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> proposing traffic selectors for other:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> 172.16.0.0/12|/0
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> candidate "con1000" with prio 5+5
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> found matching child config "con1000" with prio 10
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> selecting traffic selectors for other:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> config: 172.16.0.0/12|/0, received: 172.16.0.0/12|/0 => match: 172.16.0.0/12|/0
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> selecting traffic selectors for us:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> config: 10.0.0.0/22|/0, received: 10.0.0.0/22|/0 => match: 10.0.0.0/22|/0
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> no acceptable INTEGRITY_ALGORITHM found
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> selecting proposal:
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> no acceptable DIFFIE_HELLMAN_GROUP found
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Jan 15 18:49:57 charon 14[CFG] <con1000|28593> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Jan 15 18:49:57 charon 14[IKE] <con1000|28593> received 3600s lifetime, configured 86400s
Jan 15 18:49:57 charon 14[IKE] <con1000|28593> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Jan 15 18:49:57 charon 14[IKE] <con1000|28593> queueing INFORMATIONAL task
Jan 15 18:49:57 charon 14[IKE] <con1000|28593> delaying task initiation, QUICK_MODE exchange in progress
Jan 15 18:49:57 charon 08[CFG] vici client 1613 connected
Jan 15 18:49:57 charon 15[CFG] vici client 1613 registered for: list-sa
Jan 15 18:49:57 charon 15[CFG] vici client 1613 requests: list-sas
Jan 15 18:49:57 charon 08[CFG] vici client 1613 disconnected
Jan 15 18:50:01 charon 14[CFG] vici client 1614 connected
Jan 15 18:50:01 charon 08[CFG] vici client 1614 registered for: list-sa
Jan 15 18:50:01 charon 14[CFG] vici client 1614 requests: list-sas
Jan 15 18:50:01 charon 08[CFG] vici client 1614 disconnected
Jan 15 18:50:03 charon 08[NET] <con1000|28593> received packet: from 178.33.229.232[500] to 95.128.151.109[500] (380 bytes)
Jan 15 18:50:03 charon 08[ENC] <con1000|28593> parsed QUICK_MODE request 3852031952 [ HASH SA No KE ID ID ]
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> looking for a child config for 10.0.0.0/22|/0 === 172.16.0.0/12|/0
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> proposing traffic selectors for us:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> 10.0.0.0/22|/0
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> proposing traffic selectors for other:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> 172.16.0.0/12|/0
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> candidate "con1000" with prio 5+5
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> found matching child config "con1000" with prio 10
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> selecting traffic selectors for other:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> config: 172.16.0.0/12|/0, received: 172.16.0.0/12|/0 => match: 172.16.0.0/12|/0
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> selecting traffic selectors for us:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> config: 10.0.0.0/22|/0, received: 10.0.0.0/22|/0 => match: 10.0.0.0/22|/0
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> no acceptable INTEGRITY_ALGORITHM found
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> no acceptable DIFFIE_HELLMAN_GROUP found
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Jan 15 18:50:03 charon 08[CFG] <con1000|28593> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Jan 15 18:50:03 charon 08[IKE] <con1000|28593> received 3600s lifetime, configured 86400s
Jan 15 18:50:03 charon 08[IKE] <con1000|28593> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Jan 15 18:50:03 charon 08[IKE] <con1000|28593> queueing INFORMATIONAL task
Jan 15 18:50:03 charon 08[IKE] <con1000|28593> delaying task initiation, QUICK_MODE exchange in progress
Jan 15 18:50:03 charon 14[CFG] vici client 1615 connected
Jan 15 18:50:03 charon 07[CFG] vici client 1615 registered for: list-sa
Jan 15 18:50:03 charon 07[CFG] vici client 1615 requests: list-sas
Jan 15 18:50:03 charon 14[CFG] vici client 1615 disconnected
Jan 15 18:50:06 charon 07[CFG] vici client 1616 connected
Jan 15 18:50:06 charon 14[CFG] vici client 1616 registered for: list-sa
Jan 15 18:50:06 charon 05[CFG] vici client 1616 requests: list-sas
Jan 15 18:50:06 charon 07[CFG] vici client 1616 disconnected
Jan 15 18:50:09 charon 05[CFG] vici client 1617 connected
Jan 15 18:50:09 charon 07[CFG] vici client 1617 registered for: list-sa
Jan 15 18:50:09 charon 05[CFG] vici client 1617 requests: list-sas
Jan 15 18:50:09 charon 10[CFG] vici client 1617 disconnected
Jan 15 18:50:11 charon 05[CFG] vici client 1618 connected
Jan 15 18:50:11 charon 10[CFG] vici client 1618 registered for: list-sa
Jan 15 18:50:11 charon 10[CFG] vici client 1618 requests: list-sas
Jan 15 18:50:11 charon 10[CFG] vici client 1618 disconnected
Jan 15 18:50:13 charon 05[NET] <con1000|28593> received packet: from 178.33.229.232[500] to 95.128.151.109[500] (380 bytes)
Jan 15 18:50:13 charon 05[IKE] <con1000|28593> received retransmit of request with ID 3852031952, but no response to retransmit
Jan 15 18:50:14 charon 13[CFG] vici client 1619 connected
Jan 15 18:50:14 charon 11[CFG] vici client 1619 registered for: list-sa
Jan 15 18:50:14 charon 11[CFG] vici client 1619 requests: list-sas
Jan 15 18:50:14 charon 13[CFG] vici client 1619 disconnected
Jan 15 18:50:16 charon 13[NET] <con1000|28593> received packet: from 178.33.229.232[500] to 95.128.151.109[500] (380 bytes)
Jan 15 18:50:16 charon 13[ENC] <con1000|28593> parsed QUICK_MODE request 338164442 [ HASH SA No KE ID ID ]
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> looking for a child config for 10.0.0.0/22|/0 === 172.16.0.0/12|/0
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> proposing traffic selectors for us:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> 10.0.0.0/22|/0
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> proposing traffic selectors for other:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> 172.16.0.0/12|/0
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> candidate "con1000" with prio 5+5
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> found matching child config "con1000" with prio 10
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> selecting traffic selectors for other:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> config: 172.16.0.0/12|/0, received: 172.16.0.0/12|/0 => match: 172.16.0.0/12|/0
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> selecting traffic selectors for us:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> config: 10.0.0.0/22|/0, received: 10.0.0.0/22|/0 => match: 10.0.0.0/22|/0
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> no acceptable ENCRYPTION_ALGORITHM found
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> no acceptable INTEGRITY_ALGORITHM found
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> selecting proposal:
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> no acceptable DIFFIE_HELLMAN_GROUP found
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Jan 15 18:50:16 charon 13[CFG] <con1000|28593> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Jan 15 18:50:16 charon 13[IKE] <con1000|28593> received 3600s lifetime, configured 86400s
Jan 15 18:50:16 charon 13[IKE] <con1000|28593> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Jan 15 18:50:16 charon 13[IKE] <con1000|28593> queueing INFORMATIONAL task
Jan 15 18:50:16 charon 13[IKE] <con1000|28593> delaying task initiation, QUICK_MODE exchange in progress
Jan 15 18:50:16 charon 11[CFG] vici client 1620 connected
Jan 15 18:50:16 charon 05[CFG] vici client 1620 registered for: list-sa
Jan 15 18:50:16 charon 05[CFG] vici client 1620 requests: list-sas
Jan 15 18:50:16 charon 11[CFG] vici client 1620 disconnected

Some info:
  • Local network: 10.0.0.0/22
  • Remote OVH network: 172.16.0.0/12
  • Router public IP: 95.128.151.109
  • OVH public IP: 178.33.229.232

The current config on the Debian side, /etc/ipsec.conf:
conn XXXXX
        type=tunnel
        pfs=yes
        salifetime=3600s
        # phase2alg=3des-md5;dh23
        authby=secret
        left=178.33.229.232
        leftsubnet=172.16.0.0/12
        leftnexthop=%defaultroute
        right=95.128.151.109
        rightsubnet=10.0.0.0/22
        rightnexthop=178.33.229.232
        auto=start

Our pfSense config: see the screenshots

Thanks everyone for your insights. I'm a bit dry on IPsec, despite having been thrown in at the deep end quite a bit.
« Modified: 16 January 2018 at 12:05:34 by vincent0 »

zoc

« Reply #1 on: 16 January 2018 at 09:25:19 »
Well, I'm no IPsec specialist, but the two lines below look fairly self-explanatory to me:
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Jan 15 18:49:47 charon 08[CFG] <con1000|28593> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
The pfSense is configured to accept only the transport/encryption/authentication method "ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ", but the Debian on the other side doesn't support it. You'll have to change the config on one side or the other...

vincent0

« Reply #2 on: 16 January 2018 at 10:14:05 »
Thanks!

We'll look into it.

EDIT: we just tested with the correct DH parameter on phase 2 and the link works.
Thanks for the help
« Modified: 16 January 2018 at 12:05:13 by vincent0 »
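Added example, not code from any poster, from pfSense or from strongSwan: a small Python helper that parses the two charon lines zoc quotes ("received proposals" / "configured proposals") and names the proposal component that does not line up. On the thread's own lines it singles out the DH group (the Debian side proposes MODP_1024 for PFS in every ESP proposal, while the pfSense phase 2 proposal carries no DH group at all), which matches the phase 2 DH parameter vincent0 reports fixing. The ESP_ proposal format and the DH group prefixes are as printed by charon; the helper names (parse_log, diagnose) are my own.

```python
import re
from typing import List, NamedTuple, Optional

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.*)$")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")

class EspProposal(NamedTuple):
    enc: str
    integ: Optional[str]  # None for AEAD ciphers such as AES_GCM (no separate integrity algorithm)
    dh: Optional[str]     # None when the proposal carries no DH group, i.e. PFS is off on that side

def parse_proposal(text: str) -> EspProposal:
    # "ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ" -> ("3DES_CBC", "HMAC_MD5_96", "MODP_1024")
    parts = [p for p in text.split(":", 1)[1].split("/") if p not in ("NO_EXT_SEQ", "EXT_SEQ")]
    dh = next((p for p in parts if p.startswith(DH_PREFIXES)), None)
    rest = [p for p in parts if p != dh]
    return EspProposal(rest[0], rest[1] if len(rest) > 1 else None, dh)

def parse_log(lines: List[str]):
    """Split charon log lines into (received, configured) proposal lists."""
    received, configured = [], []
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            props = [parse_proposal(p.strip()) for p in m.group(2).split(",")]
            (received if m.group(1) == "received" else configured).extend(props)
    return received, configured

def diagnose(received, configured) -> List[str]:
    """[] when some pair matches exactly (charon would select it); otherwise one line per
    local proposal naming the components that differ from the closest peer proposal."""
    if any(c in received for c in configured):
        return []
    show = lambda p: "/".join(x or "-" for x in p)
    report = []
    for c in configured:
        best = max(received, key=lambda r: sum(a == b for a, b in zip(r, c)))
        diffs = [f"{f}: peer {pv or 'none'} / local {lv or 'none'}"
                 for f, pv, lv in zip(EspProposal._fields, best, c) if pv != lv]
        report.append(f"local {show(c)} vs peer {show(best)} -> " + "; ".join(diffs))
    return report

# The two charon lines quoted in the thread (peer = the Debian box, local = pfSense).
THREAD_LOG = [
    "Jan 15 18:49:47 charon 08[CFG] <con1000|28593> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ",
    "Jan 15 18:49:47 charon 08[CFG] <con1000|28593> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ",
]

if __name__ == "__main__":
    print("\n".join(diagnose(*parse_log(THREAD_LOG))))
```

Run against a fuller pfSense IPsec log it also catches the other two failure modes charon reports in the thread (ENCRYPTION_ALGORITHM and INTEGRITY_ALGORITHM), since it diffs every component rather than only the DH group.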