lastminute

IPsec problem with VPN Access 25 and Shrew Soft VPN Client (Phase 2)

Hello,

I have a problem establishing the tunnel (Phase 2).

The configuration looks like this:

The VPN25 sits behind a Fritzbox (in the DMZ of the Speedport 920v it does not work either), which is entered as the gateway in the vpn25.

UDP ports 500 and 4500 as well as ESP and the GRE protocol are forwarded by the FB to the vpn25.

Here is the log from the VPN client:

 ## : IKE Daemon, ver 2.2.0
 ## : Copyright 2009 Shrew Soft Inc.
 ## : This product linked OpenSSL 0.9.8h 28 May 2008
 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'  
 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'  
 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'  
 ii : rebuilding vnet device list ...
 ii : device ROOT\VNET\0000 disabled
 ii : device ROOT\VNET\0001 disabled
 ii : network process thread begin ...
 ii : pfkey process thread begin ...
 ii : ipc server process thread begin ...
 ii : ipc client process thread begin ...
 <A : peer config add message
 <A : proposal config message
 <A : proposal config message
 <A : client config message
 <A : local id 'vpn' message  
 <A : remote id 'vpn25' message  
 <A : preshared key message
 <A : peer tunnel enable message
 DB : peer added ( obj count = 1 )
 ii : local address 192.168.178.48 selected for peer
 DB : tunnel added ( obj count = 1 )
 DB : new phase1 ( ISAKMP initiator )
 DB : exchange type is aggressive
 DB : 192.168.178.48:500 <-> **.***.***.**:500
 DB : 5888744ea3416ed2:0000000000000000
 DB : phase1 added ( obj count = 1 )
 >> : security association payload
 >> : - proposal #1 payload 
 >> : -- transform #1 payload 
 >> : -- transform #2 payload 
 >> : -- transform #3 payload 
 >> : -- transform #4 payload 
 >> : -- transform #5 payload 
 >> : -- transform #6 payload 
 >> : -- transform #7 payload 
 >> : -- transform #8 payload 
 >> : -- transform #9 payload 
 >> : -- transform #10 payload 
 >> : -- transform #11 payload 
 >> : -- transform #12 payload 
 >> : -- transform #13 payload 
 >> : -- transform #14 payload 
 >> : -- transform #15 payload 
 >> : -- transform #16 payload 
 >> : -- transform #17 payload 
 >> : -- transform #18 payload 
 >> : key exchange payload
 >> : nonce payload
 >> : identification payload
 >> : vendor id payload
 ii : local supports nat-t ( draft v00 )
 >> : vendor id payload
 ii : local supports nat-t ( draft v01 )
 >> : vendor id payload
 ii : local supports nat-t ( draft v02 )
 >> : vendor id payload
 ii : local supports nat-t ( draft v03 )
 >> : vendor id payload
 ii : local supports nat-t ( rfc )
 >> : vendor id payload
 ii : local supports FRAGMENTATION
 >> : vendor id payload
 >> : vendor id payload
 ii : local supports DPDv1
 >> : vendor id payload
 ii : local is SHREW SOFT compatible
 >> : vendor id payload
 ii : local is NETSCREEN compatible
 >> : vendor id payload
 ii : local is SIDEWINDER compatible
 >> : vendor id payload
 ii : local is CISCO UNITY compatible
 >= : cookies 5888744ea3416ed2:0000000000000000
 >= : message 00000000
 -> : send IKE packet 192.168.178.48:500 -> **.***.***.**:500 ( 1190 bytes )
 DB : phase1 resend event scheduled ( ref count = 2 )
 <- : recv IKE packet **.***.***.**:500 -> 192.168.178.48:500 ( 461 bytes )
 DB : phase1 found
 ii : processing phase1 packet ( 461 bytes )
 =< : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 =< : message 00000000
 << : security association payload
 << : - propsal #1 payload 
 << : -- transform #1 payload 
 ii : matched isakmp proposal #1 transform #1
 ii : - transform    = ike
 ii : - cipher type  = aes
 ii : - key length   = 256 bits
 ii : - hash type    = md5
 ii : - dh group     = group2 ( modp-1024 )
 ii : - auth type    = psk
 ii : - life seconds = 86400
 ii : - life kbytes  = 0
 << : key exchange payload
 << : nonce payload
 << : identification payload
 ii : phase1 id match 
 ii : received = fqdn vpn25
 << : hash payload
 << : vendor id payload
 ii : unknown vendor id ( 16 bytes )
 0x : 0048e227 0bea8395 ed778d34 3cc2a076
 << : vendor id payload
 ii : unknown vendor id ( 16 bytes )
 0x : 810fa565 f8ab1436 9105d706 fbd57279
 << : vendor id payload
 ii : peer supports nat-t ( draft v03 )
 << : vendor id payload
 ii : peer supports nat-t ( draft v02 )
 << : vendor id payload
 ii : unknown vendor id ( 16 bytes )
 0x : cd604643 35df21f8 7cfdb2fc 68b6a448
 << : vendor id payload
 ii : peer supports nat-t ( draft v00 )
 << : vendor id payload
 ii : peer supports DPDv1
 << : nat discovery payload
 << : nat discovery payload
 ii : nat discovery - local address is translated
 ii : nat discovery - remote address is translated
 ii : switching to src nat-t udp port 4500
 ii : switching to dst nat-t udp port 4500
 == : DH shared secret ( 128 bytes )
 == : SETKEYID ( 16 bytes )
 == : SETKEYID_d ( 16 bytes )
 == : SETKEYID_a ( 16 bytes )
 == : SETKEYID_e ( 16 bytes )
 == : cipher key ( 32 bytes )
 == : cipher iv ( 16 bytes )
 == : phase1 hash_i ( computed ) ( 16 bytes )
 >> : hash payload
 >> : nat discovery payload
 >> : nat discovery payload
 >= : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 >= : message 00000000
 >= : encrypt iv ( 16 bytes )
 == : encrypt packet ( 88 bytes )
 == : stored iv ( 16 bytes )
 DB : phase1 resend event canceled ( ref count = 1 )
 -> : send NAT-T:IKE packet 192.168.178.48:4500 -> **.***.***.**:4500 ( 124 bytes )
 == : phase1 hash_r ( computed ) ( 16 bytes )
 == : phase1 hash_r ( received ) ( 16 bytes )
 ii : phase1 sa established
 ii : **.***.***.**:4500 <-> 192.168.178.48:4500
 ii : 5888744ea3416ed2:b3305fb57e6c80f0
 ii : sending peer INITIAL-CONTACT notification
 ii : - 192.168.178.48:4500 -> **.***.***.**:4500
 ii : - isakmp spi = 5888744ea3416ed2:b3305fb57e6c80f0
 ii : - data size 0
 >> : hash payload
 >> : notification payload
 == : new informational hash ( 16 bytes )
 == : new informational iv ( 16 bytes )
 >= : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 >= : message e95bd5ee
 >= : encrypt iv ( 16 bytes )
 == : encrypt packet ( 76 bytes )
 == : stored iv ( 16 bytes )
 -> : send NAT-T:IKE packet 192.168.178.48:4500 -> **.***.***.**:4500 ( 108 bytes )
 DB : config added ( obj count = 1 )
 ii : building config attribute list
 ii : - IP4 Address
 ii : - Address Expiry
 ii : - IP4 Netamask
 ii : - IP4 WINS Server
 ii : - IP4 Subnet
 == : new config iv ( 16 bytes )
 ii : sending config pull request
 >> : hash payload
 >> : attribute payload
 == : new configure hash ( 16 bytes )
 >= : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 >= : message d7af0889
 >= : encrypt iv ( 16 bytes )
 == : encrypt packet ( 76 bytes )
 == : stored iv ( 16 bytes )
 -> : send NAT-T:IKE packet 192.168.178.48:4500 -> **.***.***.**:4500 ( 108 bytes )
 DB : config resend event scheduled ( ref count = 2 )
 DB : phase2 not found
 -> : resend 1 config packet(s) [0/2] 192.168.178.48:4500 -> **.***.***.**:4500
 -> : resend 1 config packet(s) [1/2] 192.168.178.48:4500 -> **.***.***.**:4500
 DB : phase1 found
 ii : sending peer DPDV1-R-U-THERE notification
 ii : - 192.168.178.48:4500 -> **.***.***.**:4500
 ii : - isakmp spi = 5888744ea3416ed2:b3305fb57e6c80f0
 ii : - data size 4
 >> : hash payload
 >> : notification payload
 == : new informational hash ( 16 bytes )
 == : new informational iv ( 16 bytes )
 >= : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 >= : message 8b96ad2d
 >= : encrypt iv ( 16 bytes )
 == : encrypt packet ( 80 bytes )
 == : stored iv ( 16 bytes )
 -> : send NAT-T:IKE packet 192.168.178.48:4500 -> **.***.***.**:4500 ( 124 bytes )
 ii : DPD ARE-YOU-THERE sequence 3ae6735b requested
 DB : phase1 found
 -> : send NAT-T:KEEP-ALIVE packet 192.168.178.48:4500 -> **.***.***.**:4500
 <- : recv NAT-T:IKE packet **.***.***.**:4500 -> 192.168.178.48:4500 ( 92 bytes )
 DB : phase1 found
 ii : processing informational packet ( 92 bytes )
 == : new informational iv ( 16 bytes )
 =< : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 =< : message 4c0f3b5c
 =< : decrypt iv ( 16 bytes )
 == : decrypt packet ( 92 bytes )
 <= : trimmed packet padding ( 12 bytes )
 <= : stored iv ( 16 bytes )
 << : hash payload
 << : notification payload
 == : informational hash_i ( computed ) ( 16 bytes )
 == : informational hash_c ( received ) ( 16 bytes )
 ii : informational hash verified
 ii : received peer DPDV1-R-U-THERE-ACK notification
 ii : - **.***.***.**:4500 -> 192.168.178.48:4500
 ii : - isakmp spi = 5888744ea3416ed2:b3305fb57e6c80f0
 ii : - data size 4
 ii : DPD ARE-YOU-THERE-ACK sequence 3ae6735b accepted
 ii : next tunnel DPD request in 15 secs for peer **.***.***.**:4500
 -> : resend 1 config packet(s) [2/2] 192.168.178.48:4500 -> **.***.***.**:4500
 <A : peer tunnel disable message
 DB : policy not found
 DB : policy not found
 DB : policy not found
 DB : policy not found
 DB : tunnel dpd event canceled ( ref count = 4 )
 DB : tunnel natt event canceled ( ref count = 3 )
 DB : removing tunnel config references
 DB : config resend event canceled ( ref count = 1 )
 DB : config deleted ( obj count = 0 )
 DB : removing tunnel phase2 references
 DB : removing tunnel phase1 references
 DB : phase1 soft event canceled ( ref count = 3 )
 DB : phase1 hard event canceled ( ref count = 2 )
 DB : phase1 dead event canceled ( ref count = 1 )
 ii : sending peer DELETE message
 ii : - 192.168.178.48:4500 -> **.***.***.**:4500
 ii : - isakmp spi = 5888744ea3416ed2:b3305fb57e6c80f0
 ii : - data size 0
 >> : hash payload
 >> : delete payload
 == : new informational hash ( 16 bytes )
 == : new informational iv ( 16 bytes )
 >= : cookies 5888744ea3416ed2:b3305fb57e6c80f0
 >= : message 4bafaaa3
 >= : encrypt iv ( 16 bytes )
 == : encrypt packet ( 76 bytes )
 == : stored iv ( 16 bytes )
 -> : send NAT-T:IKE packet 192.168.178.48:4500 -> **.***.***.**:4500 ( 108 bytes )
 ii : phase1 removal before expire time
 DB : phase1 deleted ( obj count = 0 )
 DB : tunnel deleted ( obj count = 0 )
 DB : removing all peer tunnel refrences
 DB : peer deleted ( obj count = 0 )
 ii : ipc client process thread exit ...

I suspect I can't see the forest for the trees :-)

Grateful for any help!

Content-ID: 184981

Url: https://administrator.de/contentid/184981

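As an added example (not part of the original post), the following Python script classifies where a Shrew Soft IKEv1 negotiation stalled using the marker lines visible in the log above; it runs on a constructed excerpt of that log, and the marker "phase2 sa established" is an assumption by analogy with the "phase1 sa established" line:

```python
import re

# Constructed excerpt modelled on the iked.log posted above; 203.0.113.10 is a
# documentation address standing in for the masked gateway IP.
SAMPLE_LOG = """\
 ii : phase1 sa established
 ii : sending config pull request
 DB : config resend event scheduled ( ref count = 2 )
 DB : phase2 not found
 -> : resend 1 config packet(s) [0/2] 192.168.178.48:4500 -> 203.0.113.10:4500
 -> : resend 1 config packet(s) [1/2] 192.168.178.48:4500 -> 203.0.113.10:4500
 ii : received peer DPDV1-R-U-THERE-ACK notification
 -> : resend 1 config packet(s) [2/2] 192.168.178.48:4500 -> 203.0.113.10:4500
 DB : policy not found
"""

# Matches the client's config-mode retransmits, capturing "[attempt/max]".
RESEND_RE = re.compile(r"resend \d+ config packet\(s\) \[(\d+)/(\d+)\]")


def triage_iked_log(text):
    """Classify where the IKEv1 negotiation stalled and say what to check first."""
    lines = text.splitlines()
    phase1_up = any("phase1 sa established" in l for l in lines)
    # assumed marker, by analogy with the phase1 line; not shown in the posted log
    phase2_up = any("phase2 sa established" in l for l in lines)
    config_sent = any("sending config pull request" in l for l in lines)
    resends = [m for l in lines if (m := RESEND_RE.search(l))]
    exhausted = any(m.group(1) == m.group(2) for m in resends)  # last retry sent
    dpd_ack = any("DPDV1-R-U-THERE-ACK" in l for l in lines)   # peer is alive
    no_policy = any("policy not found" in l for l in lines)

    if not phase1_up:
        stage, hint = "phase1", "Phase 1 never completed: check PSK, local/remote IDs, Phase 1 proposal and UDP 500/4500 forwarding."
    elif phase2_up:
        stage, hint = "established", "Tunnel is up; if traffic still fails, look at ESP forwarding and routing."
    elif config_sent and exhausted:
        stage, hint = "config-mode", ("Phase 1 is up (peer answered DPD: %s) but every config pull request was "
                                      "resent without reply: the gateway is not serving IKE Config Mode, so "
                                      "assign the client address statically or disable config pull." % dpd_ack)
    elif no_policy:
        stage, hint = "phase2", "Phase 2 policy mismatch: compare subnets, IDs and Phase 2 proposals on both ends."
    else:
        stage, hint = "unknown", "No known stall marker found; capture a fuller log."
    return {"stage": stage, "config_resends": len(resends), "dpd_ack": dpd_ack, "hint": hint}


if __name__ == "__main__":
    print(triage_iked_log(SAMPLE_LOG))
```

The ordering of the checks matters: in the posted log "policy not found" only appears after the tunnel is torn down, so the unanswered config pull is the earlier and more telling symptom.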

aqui 14.05.2012 at 20:50:49
Read the error message...
You have a policy mismatch, or rather a missing policy. I.e. one end proposes something that the other tunnel end cannot do.
So something in your IP addresses, FQDNs or key algorithms is wrong.
You should meticulously check that both ends have the same settings!
lastminute 17.05.2012 at 15:05:41
Quote from @aqui:
You should meticulously check that both ends have the same settings!


Thanks for your tip. A long time ago I set up a bintec device and made a similar mistake back then.

It was the IP address.
Back then, on the R232, I solved the address assignment with IKE Config Mode, which apparently does not exist on this device (or I am too .... unfamiliar with the subject).

Here is a helpful guide (maybe someone else will have a similar problem at some point):
http://faq.teldat.de/faq_bintec_212_ipsec_verbindung_r3000_ipsecclient_ ...