#101 On 28/09/2008 at 23:58
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
Nice one, maybe a glimmer of hope. I hope I have an old enough version.
#102 On 04/10/2008 at 01:43
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
OK, I think I have everything I need. Thanks again for the tip, flobb.
Now, according to my earlier discussion with the BE developer, the VPN client has to be set up with openswan.
I don't know whether racoon is compatible.
I ran several tests until late and it's stuck; it has to be said that there is a serious lack of information on the VPN parameters, and my VPN knowledge is very limited, so building the config file isn't easy.
Anyway, from what I understand, the PSK goes in /etc/ipsec.secrets:
<local ip> <server ip>: PSK "psk key"
and I have this in my /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    plutodebug=control
    plutostderrlog=/var/log/pluto.log
    nhelpers=0
    myid=192.168.0.2
    interfaces="ipsec0=eth0"
# Add connections here
conn bue
    type=tunnel
    authby=secret
    keyexchange=ike
    auto=add
    pfs=yes
    aggrmode=no
    ike=3des-sha1-modp1024
    esp=3des-sha1
    # LOCAL
    left=192.168.0.2
    leftsubnet=192.168.0.0/16
    leftnexthop=192.168.0.1
    leftid=fvl_remote@<server address>
    # REMOTE
    # the hostname that resolves to the VPN router's static IP
    right=<server address>
    # what is in the router's config
    rightid=fvl_local@192.168.0.2
# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
There are surely already errors in the config file; I have serious doubts about the #LOCAL and #REMOTE sections (and the others too).
Here are the results:
sudo /etc/init.d/ipsec start
syslog:
Oct 4 00:43:40 octabuntu kernel: [ 8302.647488] NET: Registered protocol family 15
Oct 4 00:43:40 octabuntu kernel: [ 8302.882513] padlock: VIA PadLock Hash Engine not detected.
Oct 4 00:43:40 octabuntu kernel: [ 8302.991606] padlock: VIA PadLock Hash Engine not detected.
Oct 4 00:43:41 octabuntu kernel: [ 8303.263588] padlock: VIA PadLock not detected.
Oct 4 00:43:41 octabuntu kernel: [ 8303.473590] Initializing XFRM netlink socket
Oct 4 00:43:41 octabuntu ipsec_setup: NETKEY on eth0 192.168.0.2/255.255.255.0 broadcast 192.168.0.255
Oct 4 00:43:41 octabuntu ipsec_setup: ...Openswan IPsec started
Oct 4 00:43:41 octabuntu ipsec_setup: Starting Openswan IPsec 2.4.12...
sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.12/K2.6.27-4-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
sudo ipsec auto --up bue
sudo ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.2
000 interface eth0/eth0 192.168.0.2
000 %myid = 192.168.0.2
000 debug control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,648} attrs={0,2,432}
000
000 "bue": 192.168.0.0/16===192.168.0.2[fvl_remote@<IP SERVEUR>]---192.168.0.1...<IP SERVEUR>[fvl_local@192.168.0.2]; unrouted; eroute owner: #0
000 "bue": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bue": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bue": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,32; interface: eth0; encap: esp;
000 "bue": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bue": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "bue": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "bue": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "bue": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000
000 #2: "bue":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 37s; nodpd
000 #2: pending Phase 2 for "bue" replacing #0
000
It seems to get stuck there; I enabled the pluto logs in ipsec.conf, but it talks to me in a language that remains hazy.
Plutorun started on Sat Oct 4 01:19:18 CEST 2008
Starting Pluto (Openswan Version 2.4.12 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`lPH|Vbpuu)
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_fload=1
including NAT-Traversal patch (Version 0.6c)
| opening /dev/urandom
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using NETKEY IPsec interface code on 2.6.27-4-generic
Changing to directory '/etc/ipsec.d/cacerts'
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
| inserting event EVENT_LOG_DAILY, timeout in 81640 seconds
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| *received whack message
loading secrets from "/etc/ipsec.secrets"
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| *received whack message
| Added new connection bue with policy PSK+ENCRYPT+TUNNEL+PFS
| from whack: got --esp=3des-sha1
| esp string values: 3DES(3)_000-SHA1(2); flags=strict
| from whack: got --ike=3des-sha1-modp1024
| ike string values: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
| counting wild cards for fvl_remote@<IP SERVEUR> is 0
| counting wild cards for fvl_local@192.168.0.2 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=2
| alg_info_addref() alg_info->ref_cnt=2
added connection description "bue"
| 192.168.0.0/16===192.168.0.2[fvl_remote@<IP SERVEUR>]---192.168.0.1...<IP SERVEUR>[fvl_local@192.168.0.2]
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.0.2
adding interface eth0/eth0 192.168.0.2:500
adding interface eth0/eth0 192.168.0.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
forgetting secrets
loading secrets from "/etc/ipsec.secrets"
| next event EVENT_PENDING_PHASE2 in 119 seconds
It stays there until I bring the connection up (sudo ipsec auto --up bue).
What follows:
|
| *received whack message
| processing connection bue
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #1 at 0x8f9f6a8
| processing connection bue
| ICOOKIE: 55 8e 4f 0a 93 79 ab 34
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 33 ad 85
| state hash entry 18
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| Queuing pending Quick Mode with <IP SERVEUR> "bue"
"bue" #1: initiating Main Mode
| sending 216 bytes for main_outI1 through eth0:500 to <IP SERVEUR>:500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_PENDING_PHASE2 in 9 seconds
|
| *received 92 bytes from <IP SERVEUR>:500 on eth0 (port=500)
| processing packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: 55 8e 4f 0a 93 79 ab 34
| RCOOKIE: c9 53 9d 93 28 5a 4a eb
| peer: c2 33 ad 85
| state hash entry 21
| p15 state object not found
packet from <IP SERVEUR>:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
| processing informational NO_PROPOSAL_CHOSEN (14)
packet from <IP SERVEUR>:500: received and ignored informational message
| complete state transition with STF_IGNORE
| next event EVENT_PENDING_PHASE2 in 9 seconds
|
| *time to handle event
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_RETRANSMIT in 1 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| pending review: connection "bue" checked
| next event EVENT_RETRANSMIT in 1 seconds for #1
|
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_PHASE2 in 119 seconds
| processing connection bue
| handling event EVENT_RETRANSMIT for <IP SERVEUR> "bue" #1
| sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to <IP SERVEUR>:500:
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_RETRANSMIT in 20 seconds for #1
The *time to handle event lines keep coming back in a loop....
I do get the impression I'm receiving a reply from the server on port 500, but it's ignored,
and I'm surprised I'm not asked for my login/password in fr.op; it isn't only used for 3G, since safenet asks me for it when I connect manually over the LAN.
I need to dig further into the safenet config, logs etc. to find some information; if you have any, I'll take it.
* I replaced the VPN server IP found in the SPD file with <IP SERVEUR>
#103 On 06/10/2008 at 23:54
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
A quick progress report on the BE VPN with openswan.
I understand a bit better how it works and I reworked my config file...
but it still doesn't work.
/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    plutodebug=control
    plutostderrlog=/var/log/pluto.log
    nhelpers=0
    myid=192.168.0.2
    interfaces=%defaultroute
# Add connections here
conn bue
    type=tunnel
    authby=secret
    keyexchange=ike
    auto=add
    pfs=yes
    aggrmode=no
    ike=3des-md5-modp1024
    ikelifetime=82800
    esp=3des-sha1
    # LOCAL
    left=%defaultroute
    leftxauthclient=yes
    # REMOTE
    right=<IP SERVEUR>
###############################################################
# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
ikelifetime => value found in the safenet client; it's a key renewal interval that must be identical at both ends
leftxauthclient => parameter that should (I suppose) request the fr.op login. But I still don't get that far.
As for the syslog, it seems the following lines can be ignored:
Oct 4 00:43:40 octabuntu kernel: [ 8302.882513] padlock: VIA PadLock Hash Engine not detected.
Oct 4 00:43:40 octabuntu kernel: [ 8302.991606] padlock: VIA PadLock Hash Engine not detected.
Oct 4 00:43:41 octabuntu kernel: [ 8303.263588] padlock: VIA PadLock not detected.
This error concerns a feature my motherboard doesn't have for handling encryption in hardware; I noticed a load error for the padlock.sha and padlock.aes modules at every boot.
So the work is done in software.
The sudo ipsec verify command still returns errors even though I did what they say:
sudo sysctl -w net.ipv4.conf.eth0.accept_redirects="0"
sudo sysctl -w net.ipv4.conf.eth0.send_redirects="0"
or, to make it permanent, edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
cat /proc/sys/net/ipv4/conf/all/accept_redirects
returns 0
Here is what sudo ipsec verify gives now:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.12/K2.6.27-4-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
That's one [FAILED] fewer.
The command sudo ipsec auto --up bue returns:
104 "bue" #1: STATE_MAIN_I1: initiate
003 "bue" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "bue" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "bue" #1: received Vendor ID payload [Cisco-Unity]
003 "bue" #1: received Vendor ID payload [Dead Peer Detection]
003 "bue" #1: ignoring unknown Vendor ID payload [d2cff4205a68ba82e32ac178b008b09d]
003 "bue" #1: received Vendor ID payload [XAUTH]
003 "bue" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "bue" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "bue" #1: Informational Exchange message is invalid because it has a Message ID of 0
010 "bue" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "bue" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "bue" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "bue" #1: starting keying attempt 2 of an unlimited number, but releasing whack
sudo ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.2
000 interface eth0/eth0 192.168.0.2
000 %myid = 192.168.0.2
000 debug control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,648} attrs={0,1,432}
000
000 "bue": 192.168.0.2[XC+S=C]...<IP SERVEUR>; unrouted; eroute owner: #0
000 "bue": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bue": ike_life: 82800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bue": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0; encap: esp;
000 "bue": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bue": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "bue": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "bue": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "bue": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000
000 #2: "bue":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
000 #2: pending Phase 2 for "bue" replacing #0
000
We can see that the client offers everything it knows how to do for encryption in the phase 1 negotiation; they agree on what's in the config file (3DES-MD5-MODP1024), but then it gets stuck.
in /var/log/pluto.log
sudo /etc/init.d/ipsec start
Changing to directory '/etc/ipsec.d/cacerts'
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
| inserting event EVENT_LOG_DAILY, timeout in 8192 seconds
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| *received whack message
| Added new connection bue with policy PSK+ENCRYPT+TUNNEL+PFS
| from whack: got --esp=3des-sha1
| esp string values: 3DES(3)_000-SHA1(2); flags=strict
| from whack: got --ike=3des-md5-modp1024
| ike string values: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=2
| alg_info_addref() alg_info->ref_cnt=2
added connection description "bue"
| 192.168.0.2[XC+S=C]...<IP SERVEUR>
| ike_life: 82800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.0.2
adding interface eth0/eth0 192.168.0.2:500
adding interface eth0/eth0 192.168.0.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
| next event EVENT_PENDING_PHASE2 in 119 seconds
| *received whack message
| processing connection bue
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #1 at 0x825a610
| processing connection bue
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 ce 0a 85
| state hash entry 20
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| Queuing pending Quick Mode with <IP SERVEUR> "bue"
"bue" #1: initiating Main Mode
| sending 232 bytes for main_outI1 through eth0:500 to <IP SERVEUR>:500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_PHASE2 in 55 seconds
| processing connection bue
| handling event EVENT_RETRANSMIT for <IP SERVEUR> "bue" #1
| sending 232 bytes for EVENT_RETRANSMIT through eth0:500 to <IP SERVEUR>:500:
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_RETRANSMIT in 20 seconds for #1
|
| *received 104 bytes from <IP SERVEUR>:500 on eth0 (port=500)
| processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 27 08 53 3d 36 3b 45 b8
| peer: c2 ce 0a 85
| state hash entry 31
| state object not found
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 ce 0a 85
| state hash entry 20
| peer and cookies match on #1, provided msgid 00000000 vs 00000000
| state object #1 found, in STATE_MAIN_I1
| processing connection bue
"bue" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
| started looking for secret for 192.168.0.2-><IP SERVEUR> of kind PPK_PSK
| actually looking for secret for 192.168.0.2-><IP SERVEUR> of kind PPK_PSK
| 1: compared PSK <IP SERVEUR> to 192.168.0.2 / <IP SERVEUR> -> 2
| 2: compared PSK 192.168.0.2 to 192.168.0.2 /<IP SERVEUR> -> 6
| best_match 0>6 best=0x825a528 (line=10)
| concluding with best_match=6 best=0x825a528 (lineno=10)
"bue" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
| helper -1 doing build_kenonce op id: 0
| processing connection bue
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 ce 0a 85
| state hash entry 20
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 27 08 53 3d 36 3b 45 b8
| peer: c2 ce 0a 85
| state hash entry 31
| complete state transition with STF_OK
"bue" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| sending reply packet to <IP SERVEUR>:500 (from port=500)
| sending 220 bytes for STATE_MAIN_I1 through eth0:500 to <IP SERVEUR>:500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
"bue" #1: STATE_MAIN_I2: sent MI2, expecting MR2
| XAUTH client is not yet authenticated
| complete state transition with STF_INLINE
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 296 bytes from <IP SERVEUR>:500 on eth0 (port=500)
| processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 27 08 53 3d 36 3b 45 b8
| peer: c2 ce 0a 85
| state hash entry 31
| peer and cookies match on #1, provided msgid 00000000 vs 00000000
| state object #1 found, in STATE_MAIN_I2
| processing connection bue
"bue" #1: received Vendor ID payload [Cisco-Unity]
"bue" #1: received Vendor ID payload [Dead Peer Detection]
"bue" #1: ignoring unknown Vendor ID payload [d2cff420363a45b8e2533eccc328bf4c]
"bue" #1: received Vendor ID payload [XAUTH]
| thinking about whether to send my certificate:
| I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
| sendcert: CERT_ALWAYSSEND and I did not get a certificate request
| so do not send cert.
"bue" #1: I did not send a certificate because I do not have one.
| I am not sending a certificate request
| started looking for secret for 192.168.0.2-><IP SERVEUR> of kind PPK_PSK
| actually looking for secret for 192.168.0.2-><IP SERVEUR> of kind PPK_PSK
| 1: compared PSK <IP SERVEUR> to 192.168.0.2 / <IP SERVEUR> -> 2
| 2: compared PSK 192.168.0.2 to 192.168.0.2 / <IP SERVEUR> -> 6
| best_match 0>6 best=0x825a528 (line=10)
| concluding with best_match=6 best=0x825a528 (lineno=10)
"bue" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| complete state transition with STF_OK
"bue" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| sending reply packet to <IP SERVEUR>:500 (from port=500)
| sending 60 bytes for STATE_MAIN_I2 through eth0:4500 to <IP SERVEUR>:4500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
"bue" #1: STATE_MAIN_I3: sent MI3, expecting MR3
| XAUTH client is not yet authenticated
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 108 bytes from <IP SERVEUR>:500 on eth0 (port=500)
| processing packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: 8b 6d 64 84 63 50 9e d4
| RCOOKIE: 27 08 53 3d 36 3b 45 b8
| peer: c2 ce 0a 85
| state hash entry 31
| peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000
| p15 state object #1 found, in STATE_MAIN_I3
| processing connection bue
"bue" #1: Informational Exchange message is invalid because it has a Message ID of 0
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_NAT_T_KEEPALIVE in 10 seconds
| processing connection bue
| handling event EVENT_RETRANSMIT for <IP SERVEUR> "bue" #1
| sending 60 bytes for EVENT_RETRANSMIT through eth0:4500 to <IP SERVEUR>:4500:
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_NAT_T_KEEPALIVE in 10 seconds
Armed with these investigations, two lines intrigue me:
"bue" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"bue" #1: Informational Exchange message is invalid because it has a Message ID of 0
I read somewhere (I've read a lot) that this could be a passphrase problem!! Entering a bogus key in ipsec.secrets, I get to the same stage, so I can't confirm that the key I recovered is the right one.
Below is the log from safenet, which works under windows:
12:07:44.359 Interface added: 192.168.0.5/255.255.255.0 on LAN "VMware Accelerated AMD PCNet Adapter".
22:30:56.781
22:30:56.921 My Connections\VPN-IPSEC - Initiating IKE Phase 1 (IP ADDR=<IP SERVEUR>)
22:30:56.921 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
22:30:56.968 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK MM (SA, VID)
22:30:58.093 My Connections\VPN-IPSEC - Peer is NAT-T draft-02 capable
22:30:58.328 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D 2x, VID 3x)
22:30:58.531 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK MM (KE, NON, VID 4x, NAT-D 2x)
22:30:58.531 My Connections\VPN-IPSEC - NAT is detected for Client
22:30:58.531 My Connections\VPN-IPSEC - Floating to IKE non-500 port
22:30:59.656 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
22:30:59.718 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
22:30:59.718 My Connections\VPN-IPSEC - Established IKE SA
22:30:59.718 MY COOKIE 16 9d 9c 90 17 4a b 6
22:30:59.718 HIS COOKIE 27 8 53 3d dd 98 11 1e
22:30:59.781 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
22:31:14.515 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
22:31:29.281 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
22:31:37.968 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
22:31:38.046 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
22:31:38.046 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
22:31:39.421 My Connections\VPN-IPSEC - Initiating IKE Phase 2 with Client IDs (message id: B29A9206)
22:31:39.421 Initiator = IP ADDR=192.168.0.5, prot = 0 port = 0
22:31:39.421 Responder = IP SUBNET/MASK=0.0.0.0/0.0.0.0, prot = 0 port = 0
22:31:39.421 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
22:31:39.421 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
22:31:39.421 My Connections\VPN-IPSEC - Received Private DNS Address = IP ADDR=10.2.0.2
22:31:39.421 My Connections\VPN-IPSEC - Received Private Alt DNS Address = IP ADDR=10.65.0.52
22:31:39.421 My Connections\VPN-IPSEC - Received Private IP Address = IP ADDR=10.128.0.2
22:31:39.421 My Connections\VPN-IPSEC - Abandoning IPSec SA negotiation (message id: B29A9206)
22:31:39.421 Virtual Interface configured to use Def GW
22:31:39.828 Virtual Interface constructed for local interface 10.128.0.2
22:31:40.078 Virtual Interface added: 10.128.0.2/255.0.0.0 on ISDN "SafeNet VA miniport".
22:31:40.203 Route <IP SERVEUR>->192.168.0.1 added.
22:31:40.203 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
22:31:40.250 My Connections\VPN-IPSEC - Initiating IKE Phase 2 with Client IDs (message id: 919FDBB)
22:31:40.250 Initiator = IP ADDR=10.128.0.2, prot = 0 port = 0
22:31:40.250 Responder = IP SUBNET/MASK=0.0.0.0/0.0.0.0, prot = 0 port = 0
22:31:40.250 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
22:31:40.250 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
22:31:40.406 My Connections\VPN-IPSEC - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x, NOTIFY:STATUS_RESP_LIFETIME)
22:31:40.484 Route 0.0.0.0/0.0.0.0->10.128.0.2 added.
22:31:40.484 My Connections\VPN-IPSEC - SENDING>>>> ISAKMP OAK QM *(HASH)
22:31:40.500 My Connections\VPN-IPSEC - Loading IPSec SA (Message ID = 919FDBB OUTBOUND SPI = 8789C3A7 INBOUND SPI = A0C1A793)
22:31:40.500
Last edited by 2fast4u (07/10/2008, at 00:01)
#104 On 20/11/2008, at 17:04
- Godness3
Re: 3G/EDGE and Orange's "business everywhere" VPN
That's not it yet!!!
#105 On 28/11/2008, at 13:01
- driden91
Re: 3G/EDGE and Orange's "business everywhere" VPN
the problem is that the key you enter is encrypted with md5...
#106 On 10/12/2008, at 11:58
- lui79
Re: 3G/EDGE and Orange's "business everywhere" VPN
here we go:
a little link about a SafeNet security flaw, up to version 10.7.2:
http://www.nta-monitor.com/posts/2005/02/safenet.html
With that you can recover your IPSEC security key.
for openswan:
ipsec.conf file (/etc/ipsec.conf):
version 2
config setup
interfaces=%defaultroute
nat_traversal=yes
conn WIFI
type=tunnel
keyexchange=ike
ah="hmac-md5-96"
auth=esp
esp="3des-md5-96"
pfs=yes
right= adresse ip loopback wifi
rightsubnet=0.0.0.0/0
rightxauthserver=yes
rightmodecfgserver=yes
left=%defaultroute
leftxauthclient=yes
leftmodecfgclient=yes
authby=secret
keylife=23h
conn GPRS
type=tunnel
keyexchange=ike
ah="hmac-md5-96"
auth=esp
esp="3des-md5-96"
pfs=yes
right= adresse ip loopback GPRS
rightsubnet=0.0.0.0/0
rightxauthserver=yes
rightmodecfgserver=yes
left=%defaultroute
#leftnexthop=%defaultroute
leftxauthclient=yes
leftmodecfgclient=yes
authby=secret
keylife=23h
conn VPNIPSec
type=tunnel
keyexchange=ike
ah="hmac-md5-96"
auth=esp
esp="3des-md5-96"
pfs=yes
right= adresse ip loopback Internet
rightsubnet=0.0.0.0/0
rightxauthserver=yes
rightmodecfgserver=yes
left=%defaultroute
leftnexthop=%defaultroute
leftxauthclient=yes
leftmodecfgclient=yes
authby=secret
keylife=23h
ipsec.secret file (/etc/ipsec.secret)
@IP : PSK « clé prépartagée »
Good luck
#107 On 11/12/2008, at 23:36
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hi,
It's the same hack flobb gave us, so I think I recovered my key correctly. According to the nta-monitor site
The IreIKE.exe process decrypts the pre-shared key as soon as it starts up, so there is no need to attempt to connect to the VPN server in order to obtain the password from the client
and
The vulnerability allows anyone with access to the client system to obtain the password. It also allows anyone who has access to the obfuscated password in the client registry or in a policy file (.spd) to use the VPN client to obtain the corresponding plain-text password.
So driden, you must be mistaken, or else I missed something.
lui79, do you confirm you got a BE connection working this way?
I tested the conf you gave, adapting it, and I get a nice error message saying "021 no connection named "VPNIPSec"
#108 On 12/12/2008, at 10:12
- lui79
Re: 3G/EDGE and Orange's "business everywhere" VPN
yes I just tested it with openswan version 2.4.12 (debian lenny)
connection:
ipsec auto --add VPNIPSec
ipsec whack --name VPNIPSec --xauthuser=userid@clientid.fr.op --xauthpass=password --listen --initiate
log:
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading group "/etc/ipsec.d/policies/private-or-clear"
002 loading group "/etc/ipsec.d/policies/clear"
002 loading group "/etc/ipsec.d/policies/private"
002 loading group "/etc/ipsec.d/policies/clear-or-private"
002 loading group "/etc/ipsec.d/policies/block"
002 "VPNIPSec" #1: initiating Main Mode
104 "VPNIPSec" #1: STATE_MAIN_I1: initiate
003 "VPNIPSec" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "VPNIPSec" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
002 "VPNIPSec" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "VPNIPSec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "VPNIPSec" #1: received Vendor ID payload [Cisco-Unity]
003 "VPNIPSec" #1: received Vendor ID payload [Dead Peer Detection]
003 "VPNIPSec" #1: ignoring unknown Vendor ID payload [ee724d24d2b567cdd153bda679f46f8d]
003 "VPNIPSec" #1: received Vendor ID payload [XAUTH]
002 "VPNIPSec" #1: I did not send a certificate because I do not have one.
003 "VPNIPSec" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "VPNIPSec" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "VPNIPSec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "VPNIPSec" #1: Main mode peer ID is ID_IPV4_ADDR: 'XXX.XXX.XXX.XXX'
002 "VPNIPSec" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "VPNIPSec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
041 "VPNIPSec" #1: VPNIPSec prompt for Username:
040 "VPNIPSec" #1: VPNIPSec prompt for Password:
002 "VPNIPSec" #1: XAUTH: Answering XAUTH challenge with user='XXXXXX@XXXXXX.fr.op'
002 "VPNIPSec" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "VPNIPSec" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "VPNIPSec" #1: XAUTH: Successfully Authenticated
002 "VPNIPSec" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "VPNIPSec" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "VPNIPSec" #1: setting client address to XXX.XXX.XXX.XXX/32
002 "VPNIPSec" #1: setting ip source address to XXX.XXX.XXX.XXX/32
002 "VPNIPSec" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "VPNIPSec" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "VPNIPSec" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
117 "VPNIPSec" #2: STATE_QUICK_I1: initiate
003 "VPNIPSec" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
002 "VPNIPSec" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "VPNIPSec" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5e82761c <0xbfa8864f xfrm=3DES_0-HMAC_MD5 NATD=XXX.XXX.XXX.XXX:4500 DPD=none}
#109 On 12/12/2008, at 22:49
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
Thanks lui for your encouraging reply
I feel like I can see the end of the tunnel.
Unfortunately, I still can't connect...
for a start, the command
ipsec auto --add VPNIPSec
made my error "021 no connection named "VPNIPSec" disappear
Since I must have read the doc a bit late in the evening, I skipped several chapters.
My log differs from yours after the line
108 "VPNIPSec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
after that, on my side I get
003 "VPNIPSec" #1: Informational Exchange message is invalid because it has a Message ID of 0
010 "VPNIPSec" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
I also don't have these lines at the start
002 loading group "/etc/ipsec.d/policies/private-or-clear"
002 loading group "/etc/ipsec.d/policies/clear"
002 loading group "/etc/ipsec.d/policies/private"
002 loading group "/etc/ipsec.d/policies/clear-or-private"
002 loading group "/etc/ipsec.d/policies/block"
#110 On 15/12/2008, at 09:03
- lui79
Re: 3G/EDGE and Orange's "business everywhere" VPN
is your firewall configured correctly to let the flows out (PC + box)?
you must have these ports open:
500 UDP
4500 UDP
#111 On 15/12/2008, at 14:15
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
My box's fw lets everything out, but it's filtered inbound
I made no fw changes on the PC (ubuntu intrepid), I think it's wide open
#112 On 07/01/2009, at 16:33
- lui79
Re: 3G/EDGE and Orange's "business everywhere" VPN
hi,
can you post your full logs please?
#113 On 11/01/2009, at 22:56
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
Here is my log after the command
ipsec whack --name VPNIPSec --xauthuser=xxxxx@xxxxx.fr.op --xauthpass=XXXXXX --listen --initiate
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading group "/etc/ipsec.d/policies/private"
002 loading group "/etc/ipsec.d/policies/private-or-clear"
002 loading group "/etc/ipsec.d/policies/clear"
002 loading group "/etc/ipsec.d/policies/clear-or-private"
002 loading group "/etc/ipsec.d/policies/block"
002 "VPNIPSec" #1: initiating Main Mode
104 "VPNIPSec" #1: STATE_MAIN_I1: initiate
003 "VPNIPSec" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "VPNIPSec" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
002 "VPNIPSec" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "VPNIPSec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "VPNIPSec" #1: received Vendor ID payload [Cisco-Unity]
003 "VPNIPSec" #1: received Vendor ID payload [Dead Peer Detection]
003 "VPNIPSec" #1: ignoring unknown Vendor ID payload [02e4e65c1c51f784974c98ad1e3df375]
003 "VPNIPSec" #1: received Vendor ID payload [XAUTH]
002 "VPNIPSec" #1: I did not send a certificate because I do not have one.
003 "VPNIPSec" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "VPNIPSec" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "VPNIPSec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "VPNIPSec" #1: Informational Exchange message is invalid because it has a Message ID of 0
010 "VPNIPSec" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "VPNIPSec" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "VPNIPSec" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "VPNIPSec" #1: starting keying attempt 2 of an unlimited number, but releasing whack
As a bonus, the command
sudo ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.2
000 interface eth0/eth0 192.168.0.2
000 %myid = (none)
000 debug control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,648} attrs={0,1,432}
000
000 "VPNIPSec": 192.168.0.2[MC+XC+S=C]---192.168.0.1...xxx.xxx.xxx.xxx[MS+XS+S=C]===0.0.0.0/0; unrouted; eroute owner: #0
000 "VPNIPSec": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "VPNIPSec": ike_life: 3600s; ipsec_life: 82800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VPNIPSec": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,0; interface: eth0; encap: esp;
000 "VPNIPSec": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "VPNIPSec": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "VPNIPSec": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000
000 #5: "VPNIPSec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 12s; lastdpd=-1s(seq in:0 out:0)
000 #5: pending Phase 2 for "VPNIPSec" replacing #0
000
and also
sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.12/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking NAT and MASQUERADEing [N/A]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: octabuntu [MISSING]
Does the machine have at least one non-private address? [FAILED]
Thanks for your interest
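The two whack logs above (lui79's working session in #108 and 2fast4u's stalled one in #113) differ in a handful of milestone lines, and reading them by hand is error-prone. The following is an added example, not code from the thread or from Openswan: a small triage script that parses whack status output, records which milestones were reached (NAT detection, ISAKMP SA, XAUTH, IPsec SA, retransmissions) and turns them into a verdict plus the UDP ports the client needs open. The sample logs are constructed from the lines posted above; the function names and the verdict labels are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# whack prints one status line per event: a 3-digit RC code, then optionally
# the connection name and state-object number, then the message text.
LINE_RE = re.compile(
    r'^(?P<rc>\d{3})\s+(?:"(?P<conn>[^"]+)"\s+#(?P<so>\d+):\s+)?(?P<msg>.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+):')


@dataclass
class Triage:
    conn: Optional[str] = None
    states: List[str] = field(default_factory=list)  # states in reported order
    nated: bool = False          # "i am NATed": NAT-T on UDP 4500 is in use
    isakmp_sa: bool = False      # Phase 1 (Main Mode) completed
    xauth_ok: bool = False       # XAUTH user/password accepted by the peer
    ipsec_sa: bool = False       # Phase 2 (Quick Mode) completed
    retransmit_state: Optional[str] = None  # last state that had to retransmit
    auth_failure: bool = False   # pluto gave up and blamed authentication


def parse_whack_log(text: str) -> Triage:
    """Walk the whack output once and record the negotiation milestones."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m['conn'] and t.conn is None:
            t.conn = m['conn']
        msg = m['msg']
        sm = STATE_RE.match(msg)
        if sm:
            t.states.append(sm.group(1))
            if 'retransmission' in msg:
                t.retransmit_state = sm.group(1)
        t.nated |= 'i am NATed' in msg
        t.isakmp_sa |= 'ISAKMP SA established' in msg
        t.xauth_ok |= 'XAUTH: Successfully Authenticated' in msg
        t.ipsec_sa |= 'IPsec SA established' in msg
        t.auth_failure |= 'Possible authentication failure' in msg
    return t


def verdict(t: Triage) -> str:
    """Classify where the negotiation ended (labels are this example's own)."""
    if t.ipsec_sa:
        return 'tunnel-up'
    if not t.isakmp_sa and (t.retransmit_state or '').startswith('STATE_MAIN_'):
        return 'phase1-stalled'
    if t.isakmp_sa and not t.xauth_ok:
        return 'xauth-incomplete'
    if t.xauth_ok and not t.ipsec_sa:
        return 'phase2-failed'
    return 'undetermined'


def required_udp_ports(t: Triage) -> set:
    """IKE needs UDP 500 outbound; a NATed client also needs UDP 4500 (NAT-T)."""
    return {500, 4500} if t.nated else {500}


def explain(t: Triage) -> List[str]:
    """Findings a practitioner would check first, in order."""
    notes = []
    v = verdict(t)
    if v == 'phase1-stalled':
        # MI3 is the first Main Mode message protected with keys derived from
        # the PSK; a peer that never answers it is the classic PSK/ID mismatch.
        notes.append('Peer never answered %s: check the PSK and IDs in '
                     '/etc/ipsec.secrets before anything else.' % t.retransmit_state)
    elif v == 'xauth-incomplete':
        notes.append('Phase 1 completed but XAUTH did not: check --xauthuser/--xauthpass.')
    elif v == 'phase2-failed':
        notes.append('XAUTH accepted but no IPsec SA: check the esp= proposal and pfs=.')
    elif v == 'tunnel-up':
        notes.append('Phase 1, XAUTH and Phase 2 all completed.')
    notes.append('Outbound UDP ports needed: %s' % sorted(required_udp_ports(t)))
    return notes


# Constructed samples, trimmed from the logs posted in this thread.
SUCCESS_LOG = """\
002 listening for IKE messages
104 "VPNIPSec" #1: STATE_MAIN_I1: initiate
003 "VPNIPSec" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "VPNIPSec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "VPNIPSec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "VPNIPSec" #1: XAUTH: Successfully Authenticated
004 "VPNIPSec" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "VPNIPSec" #2: STATE_QUICK_I1: initiate
004 "VPNIPSec" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5e82761c <0xbfa8864f xfrm=3DES_0-HMAC_MD5 NATD=XXX.XXX.XXX.XXX:4500 DPD=none}
"""

FAILURE_LOG = """\
002 listening for IKE messages
104 "VPNIPSec" #1: STATE_MAIN_I1: initiate
003 "VPNIPSec" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "VPNIPSec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "VPNIPSec" #1: Informational Exchange message is invalid because it has a Message ID of 0
010 "VPNIPSec" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "VPNIPSec" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "VPNIPSec" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

if __name__ == '__main__':
    for name, log in (('lui79', SUCCESS_LOG), ('2fast4u', FAILURE_LOG)):
        t = parse_whack_log(log)
        print(name, verdict(t), *explain(t), sep='\n  ')
```

Pipe a real session through it with `ipsec whack ... --initiate | python3 triage.py` after replacing the sample logs with `sys.stdin.read()`; the verdict for a stalled STATE_MAIN_I3 matches what albino2025 found in #115, where recopying the PSK correctly was the fix.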
#114 On 29/05/2009, at 21:22
- albino2025
Re: 3G/EDGE and Orange's "business everywhere" VPN
hi everyone,
I had lost hope of ever getting my connection to work under Linux.
And then I stumble on this thread again and see that things have moved on nicely.
Thanks to you for persevering
So I jumped on the old SafeNet flaw (not without difficulty) and recovered my PSK.
But now I'm stuck at the same point as you, 2fast.
Did you manage to solve your problem?
#115 On 30/05/2009, at 13:25
- albino2025
Re: 3G/EDGE and Orange's "business everywhere" VPN
it's OK, it works,
it helps to copy the PSK correctly
all that's left is to try it with the 3G card
#116 On 28/07/2009, at 11:08
- hercule12
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hi everyone,
Which version of SafeNet did you use?
#117 On 31/07/2009, at 08:39
- franck_
Re: 3G/EDGE and Orange's "business everywhere" VPN
hi!
I tried with SafeNet version 10.0.0
I don't know whether I recovered the PSK correctly.
What I'd like to do first is create a new connection in SafeNet, and I can't manage it. It tells me:
This Policy is Locked
and I can't click anywhere, everything is greyed out.
Thanks.
#118 On 31/07/2009, at 10:23
- franck_
Re: 3G/EDGE and Orange's "business everywhere" VPN
lui79, did you manage to connect to an Orange VPN?
that's what I'm trying to do with a Huawei 3G dongle (perfectly recognised, and thanks to this thread I have an IP address)
But the openswan ipsec config is really obscure to me.
There is a good wiki on www.openswan.org though
Here is where I am regarding ipsec:
/etc/ipsec.conf
config setup
nat_traversal=yes
nhelpers=0
interfaces=%defaultroute
conn RPV
left=<ip_locale>
leftsubnet=255.255.255.255/24
leftnexthop=%defaultroute
right=<ip_serveur>
rightsubnet=10.0.0.0/24
rightnexthop=%defaultroute
auto=add
/etc/sysctl.conf
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.secure_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.wmaster0.accept_redirects = 0
net.ipv4.conf.wmaster0.secure_redirects = 0
net.ipv4.conf.wmaster0.send_redirects = 0
net.ipv4.conf.wlan1.accept_redirects = 0
net.ipv4.conf.wlan1.secure_redirects = 0
net.ipv4.conf.wlan1.send_redirects = 0
net.ipv4.conf.pan0.accept_redirects = 0
net.ipv4.conf.pan0.secure_redirects = 0
net.ipv4.conf.pan0.send_redirects = 0
here now are the commands I run (maybe I'm doing it wrong...)
sudo service ipsec start returns:
ipsec_setup: Starting Openswan IPsec U2.4.12/K2.6.28-14-generic...
sudo ipsec verify returns:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.12/K2.6.28-14-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Later, and thanks for any pointers...
Last edited by franck_ (31/07/2009, at 13:59)
#119 On 01/08/2009, at 19:01
- franck_
Re: 3G/EDGE and Orange's "business everywhere" VPN
hello,
I've made progress, but now I think I'm stuck on the use of the PSK.
I don't know whether my BE kit uses a PSK, but in the short write-up on the SafeNet flaw, I do spot in my SPD file a password at the indicated place, with the last two characters repeating.
If my config has to use an RSA key rather than a PSK, what should I do?
Thanks.
#120 On 29/01/2010, at 16:21
- msense
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hello,
for my part I'm trying to get an Orange Business Everywhere connection working with a Huawei E270 USB dongle on an up-to-date ubuntu 9.10.
I've gone through all the posts since 2006 (!), but in the end, would someone like 2Fast or lui79 who has pulled this off be kind enough to post a complete recap here of what has to be done? that would be awesome!
Also, is there a link where one can get the "right" version of spdedit.exe? my oldest Orange kit already has a patched version... alas!
Thanks in advance for your precious help!
Regards,
MSense
PS: let's say that to get a bit further, I'd need at least the spdedit.exe from SoftRemote, version lower than 10.7.2 -> thanks in advance 2Fast4U!
Last edited by msense (01/02/2010, at 10:03)
#121 On 31/01/2010, at 16:31
- 2fast4u
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hi msense,
sorry, but I never managed to connect with the BE kit; at most I manage to connect to the Orange gateway, but I never got the VPN up, even by exploiting the flaw. I'll look where I may have kept the unpatched SafeNet and pass it to you if you have more luck than me.
Later
#122 On 02/06/2010, at 10:23
- msense
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hi 2fast4u,
no news, bad news? ;-)
Later
#123 On 14/12/2010, at 20:18
- master79
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hi 2fast4u & msense,
Digging up the thread
Everything is available for me now, even with the PCMCIA cards of the time.
Actually I have access to everything, with several tunnels.
If you need network solutions, send me a PM.
#124 On 31/10/2012, at 12:42
- sangfroid
Re: 3G/EDGE and Orange's "business everywhere" VPN
Hello,
Digging up the thread again, it seems the feat was achieved:
http://blog.jknet.org/post/2010/08/23/Gnou-Orange
Has anyone here tried it?
The NTA site no longer has the article on how to recover the PSK from the memory dump, does anyone have that information?
Last edited by sangfroid (31/10/2012, at 12:42)
#125 On 31/10/2012, at 20:06
- cep33
Re: 3G/EDGE and Orange's "business everywhere" VPN
If it helps:
from memory, apart from the tool to dump the process, you just have to find the offset...
Sadly I kept nothing, I threw in the towel...