Christophe-Rouen
Messages postés15Date d'inscriptionmardi 10 novembre 2015StatutMembreDernière intervention10 mars 2018
-
10 mars 2018 à 02:34
Christophe-Rouen
Messages postés15Date d'inscriptionmardi 10 novembre 2015StatutMembreDernière intervention10 mars 2018
-
10 mars 2018 à 20:02
Bonjour,
L'erreur en entier c'est ça :
CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 62.160.XXX.XXX
Je veux faire un client pour un routeur Cisco existant. d'adresse comme ci-dessus : 62.160.XXX.XXX
Alors je lui ai mis cette config (au client VPN) :
! NVRAM config last updated at 01:02:23 CET Sat Mar 10 2018
! NVRAM config last updated at 01:02:23 CET Sat Mar 10 2018
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname C860-Paysage
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login vpn_client local
aaa authorization network vpn_client local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CEST recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3453975763
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3453975763
revocation-check none
rsakeypair TP-self-signed-3453975763
!
!
crypto pki certificate chain TP-self-signed-3453975763
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
ip source-route
!
!
!
ip dhcp pool MonDHCP
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.240
dns-server 8.8.8.8
lease 0 2
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
license udi pid CISCO861-K9 sn FCZ1706C2N6
!
!
username toto privilege 15 password 0 tutu
username lseclient privilege 15 password 0 Graorr
!
!
!
policy-map TSE
class class-default
!
!
crypto keyring vpnL2L
pre-shared-key address 0.0.0.0 0.0.0.0 key blabla-1
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpn_client
key blabla-1
pool vpn_pool
acl 120
include-local-lan
crypto isakmp profile L2L
keyring vpnL2L
match identity address 0.0.0.0
crypto isakmp profile VPNNomade
match identity group vpn_client
client authentication list vpn_client
isakmp authorization list vpn_client
client configuration address respond
!
!
crypto ipsec transform-set Strong esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpntunnel
set security-association lifetime seconds 120
set isakmp-profile L2L
!
!
crypto dynamic-map dynmap 10
set transform-set Strong
set isakmp-profile VPNNomade
reverse-route
!
!
crypto map dynmap 2 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
no ip split-horizon
tunnel destination 62.160.XXX.XXX
tunnel key 100000
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description To Internet
ip address 192.168.1.240 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map dynmap
!
interface Vlan1
description to lan
ip address 192.168.2.240 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
router odr
network 172.16.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.7.0
network 192.168.8.0
!
ip local pool vpn_pool 192.168.210.1 192.168.210.50
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.15.1.0 255.255.255.0 Tunnel0
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.15.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 150 permit tcp any eq 3389 any eq 3389
no cdp run
!
!
banner exec ^C
ET LE CISCO que je veux atteindre, il a cette config (le serveur, quoi...) :
C871-siemo#sh conf
Using 2275 out of 262136 bytes, uncompressed size = 3852 bytes
Uncompressed configuration from 2275 bytes to 3852 bytes
!
! Last configuration change at 13:27:56 CET Mon Jan 2 2006
! NVRAM config last updated at 13:28:01 CET Mon Jan 2 2006
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname C871-Toto
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PfrL$Q9SnMsuSpuVoIZUll5eyH0
!
aaa new-model
!
!
aaa authentication login vpn_client local
aaa authorization network vpn_client local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1
clock summer-time CEST recurring
!
!
ip source-route
!
!
!
ip cef
!
!
license udi pid CISCO861-K9 sn FCZ1533C0PL
!
!
archive
log config
hidekeys
username toto privilege 15 password 0 blabla-2
! etc...
!
!
!
class-map match-all TSE
match access-group 150
!
!
policy-map TSE
class class-default
bandwith 60
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpn_client
key blabla-1
pool vpn_pool
acl 120
include-local-lan
crypto isakmp profile VPNNomade
match identity group vpn_client
client authentication list vpn_client
isakmp authorization list vpn_client
client configuration address respond
!
!
crypto ipsec transform-set Strong esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpntunnel
set security-association lifetime seconds 120
set transform-set Strong
!
!
crypto dynamic-map dynmap 10
set transform-set Strong
set isakmp-profile VPNNomade
reverse-route
!
!
crypto map dynmap 2 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description To Internet
ip address 62.160.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe-client dial-pool-number 1
crypto map dynmap
service-policy output TSE
!
interface Vlan1
description to lan
ip address 10.43.59.240 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool vpn_pool 192.168.200.1 192.168.200.50
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 217.167.140.50
!
access-list 10 permit 10.43.59.0 0.0.0.255
access-list 110 deny ip 10.43.59.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 permit ip 10.43.59.0 0.0.0.255 any
access-list 120 permit ip 10.43.59.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 150 permit tcp any eq 3389 any eq 3389
!
control-plane
!
banner exec ^CCCCC
-----
-------------------------------------------------
^C
banner login ^CCCCC
-------------------------------------------------
console d'administration du Routeur
societe TOTO site
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
et si je fais ...
C860-Paysage>en
C860-Paysage#debug crypto isakmp
Crypto ISAKMP debugging is on
C860-Paysage#ping 10.15.1.240
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.1.240, timeout is 2 seconds:
Mar 10 01:16:34.083: ISAKMP:(0): SA request profile is L2L
Mar 10 01:16:34.083: ISAKMP: Created a peer struct for 62.160.XXX.XXX, peer port 500
Mar 10 01:16:34.083: ISAKMP: New peer created peer = 0x8453F55C peer_handle = 0x8000000D
Mar 10 01:16:34.083: ISAKMP: Locking peer struct 0x8453F55C, refcount 1 for isakmp_initiator
Mar 10 01:16:34.083: ISAKMP: local port 500, remote port 500
Mar 10 01:16:34.083: ISAKMP: set new node 0 to QM_IDLE
Mar 10 01:16:34.087: ISAKMP:(0):insert sa successfully sa = 85FC2A60
Mar 10 01:16:34.087: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 10 01:16:34.087: ISAKMP:(0):Found ADDRESS key in keyring vpnL2L
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 10 01:16:34.087: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 10 01:16:34.087: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 10 01:16:34.087: ISAKMP:(0): beginning Main Mode exchange
Mar 10 01:16:34.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:16:34.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:16:34.171: ISAKMP (0): received packet from 62.160.XXX.XXX dport 500 sport 500 Global (I) MM_NO_STATE
Mar 10 01:16:34.175: ISAKMP:(0):Notify has no hash. Rejected.
Mar 10 01:16:34.175: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Mar 10 01:16:34.175: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 10 01:16:34.175: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Mar 10 01:16:34.175: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 62.160..195.169....
Success rate is 0 percent (0/5)
C860-Paysage#
Mar 10 01:16:44.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:16:44.087: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 10 01:16:44.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:16:44.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:16:44.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:16:54.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:16:54.087: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 10 01:16:54.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:16:54.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:16:54.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:17:04.083: ISAKMP: set new node 0 to QM_IDLE
Mar 10 01:17:04.083: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.1.240, remote 62.160.195.169)
Mar 10 01:17:04.083: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 10 01:17:04.083: ISAKMP: Error while processing KMI message 0, error 2.
Mar 10 01:17:04.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:17:04.087: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 10 01:17:04.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:17:04.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:17:04.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:17:14.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:17:14.087: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 10 01:17:14.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:17:14.087: ISAKMP:(0): sending packet to 62.160.XXX.XXXmy_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:17:14.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:17:24.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:17:24.087: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 10 01:17:24.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:17:24.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:17:24.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
AU S'COUUUUUUUUURS !!!!!
ça fait des jours, des heures, que je fais des essais, que je cherche... rien à faire ! (j'en peux plus en fait...)
Si quelqu'un peut m'aider, ce serait super. Je ne suis pas très bon en Cisco. non. Je suis mauvais. Oui, voilà. Mais je le sais ! Et sans des sites pour aider, je pourrais rester bloqué sans jamais trouver jusqu'à la fin de ma vie.
Pour quelqu'un qui n'est pas bon en Cisco, tu t'attaques à du lourd là,
Bon, je te recopie la réponse de Cisco.. En gros, il y a un problème dans la négociation des paramètres IPSEC /IKE qui échoue entre les deux peers (le 62.160.x.x et l'autre), tu devrais reverifier ces paramètres sur les deux côtés et s'assurer qu'ils sont compatibles
Christophe-Rouen
Messages postés15Date d'inscriptionmardi 10 novembre 2015StatutMembreDernière intervention10 mars 2018 10 mars 2018 à 11:55
Le problème est que je ne vois pas comment vérifier s'ils sont compatibles. .. j'ai recopié un routeur 'client' existant en l'adaptant, j'ail mis tout pareil en adaptant l'adressage... J'ai regardé les forums, les réponses sont celles-ci en effet. Et le début en fin de message premier, il ne dit rien à personne alors ? Je ne sais pas où ni comment vérifier. .. C'est désespérant. .. au secours, vraiment. ..
Christophe-Rouen
Messages postés15Date d'inscriptionmardi 10 novembre 2015StatutMembreDernière intervention10 mars 2018 10 mars 2018 à 11:56
Et en plus je manque de temps maintenant vis à vis du client et l'installation . Je suis mal...
10 mars 2018 à 11:55
10 mars 2018 à 11:56