strongswan vpn problem
Posted by: slickers

So, I have two Linux machines M1 and M2: Debian lenny (2.6.26). One in a VM, one on a workstation, but whatever, they each have an IP and can talk to the LAN.

- I set up an IPsec VPN between the two with strongswan.

- since I don't want to use their IP addresses, I give each of them a virtual IPv6 address:

ip -6 route add 2a01:e0b:2:2::/64 dev eth0 (M2)
and
ip -6 route add 2a01:e0b:1:1::/32 dev eth0 (M1)

here is the ipsec.conf of M1, which I gave the second IP:
...
leftsourceip=2a01:e0b:1:1:1:1:1:1
leftsubnet=2a01:e0b:1:1::/32
rightfirewall=yes
right=%any
rightsubnetwithin=2a01:e0b:2:2::/64
rightsourceip=2a01:e0b:2:2:2:2:2:2
...

and the conf of M2:
...
leftsubnet=2a01:e0b:2:2::/64
leftsourceip=2a01:e0b:2:2:2:2:2:2
right=10.194.3.173
rightfirewall=yes
rightsubnet=2a01:e0b:1:1::/32
...

ok so then I start my ipsec ...

ipsec start --debug --nofork, and there the connection gets established.

here is the problem:

if I bring up the VPN and, on M1, I do a ping6 2a01:e0b:2:2:2:2:2:2

nothing gets through

and if at the same time I do a tcpdump -ni eth0 or even lo, I see nothing at all

on the other hand, if I take the VPN down, the ping gets through

and while the VPN is being established I get an error message:

...
Using Linux 2.6 IPsec interface code
| pluto (22752) started
| Attempting to start charon...
01[DMN] starting charon (strongSwan Version 4.2.4)
01[KNL] listening on interfaces:
01[KNL] eth0
01[KNL] 10.194.3.173
01[KNL] 2a01:e0b:1:1:1:1:1:1
01[KNL] fe80::21a:64ff:fe99:6928
01[KNL] eth1
01[KNL] fe80::21a:64ff:fe99:692a
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG] loaded private key file '/etc/ipsec.d/private/ims2.warly.org.key'
01[JOB] spawning 16 worker threads
| charon (22755) started
03[CFG] received stroke: add connection 'rw4'
03[LIB] loaded certificate file '/etc/ipsec.d/certs/ims2.warly.org.pem'
03[CFG] peerid C=FR, ST=France, O=Warly, OU=ims2, CN=ims2.warly.org, E=warly@warly.org not confirmed by certificate, defaulting to subject DN
03[CFG] added configuration 'rw4': 10.194.3.173[C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org]...0.0.0.0[C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org]
03[CFG] adding virtual IP address pool 'rw4': 2a01:e0b:2:2:2:2:2:2/128
Changing to directory '/etc/ipsec.d/cacerts'
loaded CA cert file 'cacert.pem' (3374 bytes)
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Changing to directory '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface eth0/eth0 10.194.3.173:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
adding interface eth0/eth0 2a01:e0b:1:1:1:1:1:1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key file '/etc/ipsec.d/private/ims2.warly.org.key' (891 bytes)
loaded host cert file '/etc/ipsec.d/certs/ims2.warly.org.pem' (3195 bytes)
added connection description "rw4"
08[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[AUD] 10.194.3.225 is initiating an IKE_SA
08[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
08[IKE] sending cert request for "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
08[NET] sending packet: from 10.194.3.173[500] to 10.194.3.225[500]
09[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr ]
09[IKE] received cert request for "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
09[IKE] received end entity cert "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
09[CFG] using certificate "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
09[CFG] using trusted ca certificate "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
09[CFG] checking certificate status of "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
09[CFG] certificate status is not available
09[IKE] authentication of 'C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org' with RSA signature successful
09[CFG] found matching config "rw4": C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org...C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org, prio 40
09[IKE] authentication of 'C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org' (myself) with RSA signature successful
09[IKE] IKE_SA 'rw4' state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 9875s
09[IKE] maximum IKE_SA lifetime 10475s
09[AUD] IKE_SA 'rw4' established between 10.194.3.173[C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org]...[C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org]10.194.3.225
09[IKE] sending end entity cert "C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org"
09[IKE] peer requested virtual IP 2a01:e0b:2:2:2:2:2:2
09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[KNL] received netlink error: Numerical result out of range (34)
09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1
09[AUD] CHILD_SA 'rw4' established successfully
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) ]
09[NET] sending packet: from 10.194.3.173[500] to 10.194.3.225[500]
11[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
....

there you go

09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[KNL] received netlink error: Numerical result out of range (34)
09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1

I absolutely don't understand where the problem can come from... I get the message on both sides.

in case it helps, here is a route -6:

g-orangepc# route -6
Table de routage IPv6 du noyau
Destination Next Hop Flag Met Ref Use If
2a01:e0b:2:2::/64 :: U 1024 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
::/0 :: !n -1 1 54825 lo
::1/128 :: Un 0 1 95 lo
2a01:e0b:1:1:1:1:1:1/128 :: Un 0 1 54232 lo
fe80::21a:64ff:fe99:6928/128 :: Un 0 1 2385 lo
fe80::21a:64ff:fe99:692a/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 54825 lo
g-orangepc#

a dpkg:

g-orangepc# dpkg -l | grep linux-image
ii linux-image-2.6-686 2.6.26+16 Linux 2.6 image on PPro/Celeron/PII/PIII/P4
ii linux-image-2.6.26-1-686 2.6.26-4 Linux 2.6.26 image on PPro/Celeron/PII/PIII/
g-orangepc#

and also the two modules esp4 and xfrm4_tunnel are indeed loaded:

g-orangepc# lsmod | grep esp4
esp4 5600 0
aead 6400 2 authenc,esp4
g-orangepc# lsmod | grep xfrm4_tunnel
xfrm4_tunnel 2304 0
tunnel4 3016 1 xfrm4_tunnel
g-orangepc#


if anyone has an idea, it would save my life.

Posted on Tuesday 30 September 2008 07:51:47
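An added consistency check over the two ipsec.conf fragments quoted in the post (example code, not from the post or from strongSwan): it parses the key=value lines, flags any subnet whose prefix has non-zero host bits (the /32 the post applies to 2a01:e0b:1:1:: is one, since it masks down to 2a01:e0b::/32), checks that each sourceip lies inside its subnet, and compares each side's leftsubnet with the peer's rightsubnet. The sample configs are constructed from the addresses in the post; the conn name and the rest of the file are omitted.

```python
import ipaddress

# Constructed from the two ipsec.conf fragments quoted in the post (conn name omitted).
M1_CONF = """
leftsourceip=2a01:e0b:1:1:1:1:1:1
leftsubnet=2a01:e0b:1:1::/32
rightfirewall=yes
right=%any
rightsubnetwithin=2a01:e0b:2:2::/64
rightsourceip=2a01:e0b:2:2:2:2:2:2
"""
M2_CONF = """
leftsubnet=2a01:e0b:2:2::/64
leftsourceip=2a01:e0b:2:2:2:2:2:2
right=10.194.3.173
rightfirewall=yes
rightsubnet=2a01:e0b:1:1::/32
"""

def parse_conf(text):
    """Parse key=value lines of an ipsec.conf conn section (blank and # lines skipped)."""
    lines = (l.strip() for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines)}
def check_side(conf, side):
    """Findings for one side ('left'/'right'): prefix with host bits set, sourceip outside it."""
    findings = []
    prefix = conf.get(f"{side}subnet") or conf.get(f"{side}subnetwithin")
    if prefix is None:
        return findings
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:  # host bits set: the daemon and kernel will silently mask them off
        net = ipaddress.ip_network(prefix, strict=False)
        findings.append(f"{side}: {prefix} has host bits set (masks to {net})")
    if (src := conf.get(f"{side}sourceip")) and ipaddress.ip_address(src) not in net:
        findings.append(f"{side}: sourceip {src} is not inside {net}")
    return findings
def check_pair(local, peer):
    """Local findings plus a check that local leftsubnet equals the peer's rightsubnet."""
    findings = check_side(local, "left") + check_side(local, "right")
    mine = local.get("leftsubnet")
    theirs = peer.get("rightsubnet") or peer.get("rightsubnetwithin")
    if mine and theirs and ipaddress.ip_network(mine, False) != ipaddress.ip_network(theirs, False):
        findings.append(f"leftsubnet {mine} does not match peer rightsubnet {theirs}")
    return findings
def audit():
    """Both directions; each value is a list of findings, empty when the configs are consistent."""
    m1, m2 = parse_conf(M1_CONF), parse_conf(M2_CONF)
    return {"M1": check_pair(m1, m2), "M2": check_pair(m2, m1)}
```

Calling `audit()` on these two configs reports the /32 prefix from both sides (M1's leftsubnet, M2's rightsubnet) and nothing else; whether that prefix is what the kernel rejected here is not something the post shows, but it is the first thing to settle before reading the netlink error further.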