#1 On 30/03/2017, at 09:19

souheilhb

Creating an Openswan IPsec tunnel on Ubuntu 14.04 to the Azure portal

Hello everyone,

I'm trying to connect my Openswan IPsec VPN client to a VPN Gateway in the Azure portal.

Through a deep exploration of the logs, it seems that the problem is occurring in Phase 2 of data encryption.

I'm exploring it for days now, but getting a lot of error messages:

Here is my ipsec configuration :

conn Azure
      ikev2=insist
      phase2=esp
      keyexchange=ike
      authby=secret
      pfs=no
      auto=start
      keyingtries=%forever
      ikelifetime=24h
      salifetime=10000s
      ike=aes128-sha1-modp1024
      phase2alg=aes256-sha1
      type=tunnel
      left=My servers Public IP
      leftid=My Servers Public IP
      leftsourceip=10.0.3.1
      leftsubnet=10.0.3.0/24
      aggrmode=no
      right=AzureGateway Public IP
      rightid=AzureGateway Public IP
      rightsubnet=10.1.0.0/16

My ipsec secrets :

10.0.3.1 AzureGateway PublicIP : PSK 'MyPreSharedKey'

Then my auth Log :

Mar 29 15:02:48 reboundtest pluto[25098]: added connection description "Azure"
Mar 29 15:02:48 reboundtest pluto[25098]: listening for IKE messages
Mar 29 15:02:48 reboundtest pluto[25098]: adding interface lxcbr0/lxcbr0 10.0.3.1:500
Mar 29 15:02:48 reboundtest pluto[25098]: adding interface eth0/eth0 MyPublicIP:500
Mar 29 15:02:48 reboundtest pluto[25098]: adding interface lo/lo 127.0.0.1:500
Mar 29 15:02:48 reboundtest pluto[25098]: adding interface lo/lo ::1:500
Mar 29 15:02:48 reboundtest pluto[25098]: loading secrets from "/etc/ipsec.secrets"
Mar 29 15:02:48 reboundtest pluto[25098]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #1: initiating v2 parent SA
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp1024}
Mar 29 15:02:48 reboundtest pluto[25098]: packet from AzureIP:500: IKEv2 mode peer ID is ID_IPV4_ADDR: 'AzureIP'
Mar 29 15:02:48 reboundtest pluto[25098]: | Checking TSi(1)/TSr(1) selectors, looking for exact match
Mar 29 15:02:48 reboundtest pluto[25098]: | printing contents struct traffic_selector
Mar 29 15:02:48 reboundtest pluto[25098]: |   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
Mar 29 15:02:48 reboundtest pluto[25098]: |   ipprotoid: 0
Mar 29 15:02:48 reboundtest pluto[25098]: |   startport: 0
Mar 29 15:02:48 reboundtest pluto[25098]: |   endport: 65535
Mar 29 15:02:48 reboundtest pluto[25098]: |   ip low: 10.0.3.0
Mar 29 15:02:48 reboundtest pluto[25098]: |   ip high: 10.0.3.255
Mar 29 15:02:48 reboundtest pluto[25098]: | printing contents struct traffic_selector
Mar 29 15:02:48 reboundtest pluto[25098]: |   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
Mar 29 15:02:48 reboundtest pluto[25098]: |   ipprotoid: 0
Mar 29 15:02:48 reboundtest pluto[25098]: |   startport: 0
Mar 29 15:02:48 reboundtest pluto[25098]: |   endport: 65535
Mar 29 15:02:48 reboundtest pluto[25098]: |   ip low: 10.1.0.0
Mar 29 15:02:48 reboundtest pluto[25098]: |   ip high: 10.1.255.255
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: transition from state STATE_PARENT_I2 to state STATE_PARENT_I3
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: negotiated tunnel [10.0.3.0,10.0.3.255:0-65535 0] -> [10.1.0.0,10.1.255.255:0-65535 0]
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0xabe0fd60 <0x00a2de63 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Mar 29 15:02:48 reboundtest pluto[25098]: | releasing whack for #2 (sock=-1)
Mar 29 15:02:48 reboundtest pluto[25098]: | releasing whack for #1 (sock=-1)
Mar 29 15:03:36 reboundtest pluto[25098]: | found connection: Azure
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp1024}
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: IKEv2 mode peer ID is ID_IPV4_ADDR: 'AzureIP'
Mar 29 15:03:36 reboundtest pluto[25098]: | CHILD SA proposals received
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: PAUL: this is where we have to check the TSi/TSr
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: STATE_PARENT_R2: received v2I2, PARENT SA established
Mar 29 15:04:21 reboundtest pluto[25098]: packet from AzureIP:500: sending  notification v2N_INVALID_MESSAGE_ID to AzureIP:500
Mar 29 15:04:36 reboundtest pluto[25098]: | found connection: Azure
Mar 29 15:04:36 reboundtest pluto[25098]: "Azure" #4: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Mar 29 15:04:36 reboundtest pluto[25098]: "Azure" #4: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp1024}
Mar 29 15:04:37 reboundtest pluto[25098]: "Azure" #4: IKEv2 mode peer ID is ID_IPV4_ADDR: 'AzureIP'
Mar 29 15:04:37 reboundtest pluto[25098]: | CHILD SA proposals received
Mar 29 15:04:37 reboundtest pluto[25098]: "Azure" #4: PAUL: this is where we have to check the TSi/TSr
Mar 29 15:04:37 reboundtest pluto[25098]: "Azure" #4: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Mar 29 15:04:37 reboundtest pluto[25098]: "Azure" #4: STATE_PARENT_R2: received v2I2, PARENT SA established
Mar 29 15:05:36 reboundtest pluto[25098]: | found connection: Azure
Mar 29 15:05:36 reboundtest pluto[25098]: "Azure" #5: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Mar 29 15:05:36 reboundtest pluto[25098]: "Azure" #5: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp1024}
Mar 29 15:05:36 reboundtest pluto[25098]: "Azure" #5: IKEv2 mode peer ID is ID_IPV4_ADDR: 'AzureIP'
Mar 29 15:05:36 reboundtest pluto[25098]: | CHILD SA proposals received
Mar 29 15:05:36 reboundtest pluto[25098]: "Azure" #5: PAUL: this is where we have to check the TSi/TSr
Mar 29 15:05:36 reboundtest pluto[25098]: "Azure" #5: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Mar 29 15:05:36 reboundtest pluto[25098]: "Azure" #5: STATE_PARENT_R2: received v2I2, PARENT SA established
Mar 29 15:05:37 reboundtest pluto[25098]: | found connection: Azure

I'm using this version of openswan : Openswan IPsec U2.6.38/K3.13.0-100-generic

I'm hoping that a charitable soul can help me with my issue :)

Thanks in advance

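Added example, not part of the original post: a small Python summarizer for pluto log lines in the format shown above. It groups state transitions by SA number, takes the role from the state name, and lists the SAs the peer opened after a locally initiated SA reached STATE_PARENT_I3; the function names are hypothetical and the sample is an excerpt of the log above.

```python
import re

# Excerpt of the pluto log in the post (peer address shown as AzureIP, as posted).
SAMPLE_LOG = """\
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
Mar 29 15:02:48 reboundtest pluto[25098]: "Azure" #2: transition from state STATE_PARENT_I2 to state STATE_PARENT_I3
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Mar 29 15:03:36 reboundtest pluto[25098]: "Azure" #3: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
Mar 29 15:04:21 reboundtest pluto[25098]: packet from AzureIP:500: sending  notification v2N_INVALID_MESSAGE_ID to AzureIP:500
Mar 29 15:04:36 reboundtest pluto[25098]: "Azure" #4: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Mar 29 15:04:37 reboundtest pluto[25098]: "Azure" #4: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
"""

TRANSITION = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'transition from state (?P<old>\S+) to state (?P<new>\S+)$')
NOTIFY = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*sending\s+notification (?P<name>v2N_\w+) to')


def summarize(log_text):
    """Return ({sa_number: summary}, [(timestamp, notification)]) for pluto log text."""
    sas, notes = {}, []
    for line in log_text.splitlines():
        m = TRANSITION.match(line)
        if m:
            sa = sas.setdefault(int(m['sa']), {'conn': m['conn'], 'first': m['ts']})
            sa['state'], sa['last'] = m['new'], m['ts']
            # In these logs the state name carries the role: _I<n> initiator, _R<n> responder.
            sa['role'] = 'responder' if re.search(r'_R\d+$', m['new']) else 'initiator'
            continue
        n = NOTIFY.match(line)
        if n:
            notes.append((n['ts'], n['name']))
    return sas, notes


def peer_reinitiations(sas):
    """SA numbers opened by the peer after a locally initiated SA reached I3."""
    established, out = False, []
    for num, sa in sas.items():
        if sa['state'] == 'STATE_PARENT_I3':
            established = True
        elif established and sa['role'] == 'responder':
            out.append(num)
    return out


if __name__ == "__main__":
    sas, notes = summarize(SAMPLE_LOG)
    print(sas, notes, peer_reinitiations(sas), sep="\n")
```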