masterle

IPsec between Bintec r232b and TheGreenBow VPN Client

When configuring the IPsec VPN between our Bintec r232b and our VPN client, I keep running into a problem that causes the connection to fail in phase two of the connection setup, or rather not to be fully established.

The connection is set up completely; however, in phase 2 it does not find the correct connection and switches in phase two.

The following output always appears in the TheGreenBow console log. It would basically keep going like this forever if I did not close the tunnel at some point...

20100813 072517 Default IKE daemon is removing SAs...
20100813 072522 Default Reinitializing IKE daemon
20100813 072522 Default IKE daemon reinitialized
20100813 072525 Default (SA testvpn-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20100813 072526 Default (SA testvpn-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID] [VID] [VID] [V
20100813 072526 Default (SA testvpn-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20100813 072526 Default phase 1 done: initiator id a.schmidt@test.de, responder id a.schmidt@test.de
20100813 072526 Default (SA testvpn-tunneltest-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20100813 072526 Default (SA testvpn-tunneltest-P2) RECV phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20100813 072526 Default (SA testvpn-tunneltest-P2) SEND phase 2 Quick Mode [HASH]
20100813 072527 Default (SA <unknown>) RECV phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20100813 072527 Default Passive connection: IDs do not match
20100813 072527 Default message_negotiate_incoming_sa: no compatible proposal found
20100813 072527 Default (SA <unknown>) RECV phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20100813 072527 Default Passive connection: IDs do not match
20100813 072527 Default message_negotiate_incoming_sa: no compatible proposal found
20100813 072528 Default (SA <unknown>) RECV phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20100813 072528 Default Passive connection: IDs do not match
20100813 072528 Default message_negotiate_incoming_sa: no compatible proposal found
20100813 072530 Default (SA <unknown>) RECV phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
20100813 072530 Default Passive connection: IDs do not match
20100813 072530 Default message_negotiate_incoming_sa: no compatible proposal found
20100813 072532 Default (SA testvpn-P1) SEND Informational [HASH] [DELETE]
20100813 072532 Default <testvpn-tunneltest-P2> deleted
20100813 072532 Default (SA testvpn-P1) SEND Informational [HASH] [DELETE]
20100813 072532 Default <testvpn-P1> deleted

Content-Key: 148896

Url: https://administrator.de/contentid/148896

Printed on: 29.03.2024 at 13:03

Member: ulle2k4
ulle2k4 13.08.2010 at 10:38:58
Hi, open a Telnet connection to the Bintec, log in and then enter the command debug all. Then you will see what is going wrong on the other side.
Member: Masterle
Masterle 13.08.2010 at 20:11:36
Well, I can't quite figure out yet what is going wrong there...

Welcome to R232b version V.7.6 Rev. 1 IPSec from 2008/04/17 00:00:00
systemname is brick, location Germany
brick:> debug all
15:29:00 DEBUG/INET: NAT: new incoming session on ifc 10001 prot 17 XXX.XXX.XXX.XXX:500/XXX.XXX.XXX.XXX:500 <- XXX.XXX.XXX.XXX:500
15:29:00 DEBUG/IPSEC: P1: peer 0 () sa 116 (R): new ip XXX.XXX.XXX.XXX <- ip XXX.XXX.XXX.XXX
15:29:00 INFO/IPSEC: P1: peer 0 () sa 116 (R): Vendor ID: XXX.XXX.XXX.XXX:500 (No Id) is 'draft-ietf-ipsec-nat-t-ike-00'
15:29:00 INFO/IPSEC: P1: peer 0 () sa 116 (R): Vendor ID: XXX.XXX.XXX.XXX:500 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'
15:29:00 INFO/IPSEC: P1: peer 0 () sa 116 (R): Vendor ID: XXX.XXX.XXX.XXX:500 (No Id) is 'draft-ietf-ipsec-nat-t-ike-03'
15:29:00 INFO/IPSEC: P1: peer 0 () sa 116 (R): Vendor ID: XXX.XXX.XXX.XXX:500 (No Id) is '4a131c81070358455c5728f20e95452f'
15:29:00 INFO/IPSEC: P1: peer 0 () sa 116 (R): Vendor ID: XXX.XXX.XXX.XXX:500 (No Id) is 'Dead Peer Detection (DPD, RFC 3706)'
15:29:00 DEBUG/IPSEC: P1: peer 1 (testin) sa 116 (R): identified ip XXX.XXX.XXX.XXX <- ip XXX.XXX.XXX.XXX
15:29:00 DEBUG/INET: NAT: new incoming session on ifc 10001 prot 17 XXX.XXX.XXX.XXX:4500/XXX.XXX.XXX.XXX:4500 <- XXX.XXX.XXX.XXX:4500
15:29:00 DEBUG/IPSEC: P1: peer 1 (testin) sa 116 (R): [Aggr] NAT-T: port change: local: XXX.XXX.XXX.XXX:500->XXX.XXX.XXX.XXX:4500, remote: XXX.XXX.XXX.XXX:500->XXX.XXX.XXX.XXX:4500
15:29:00 INFO/IPSEC: P1: peer 1 (testin) sa 0 (-): reactivated
15:29:00 INFO/IPSEC: P1: peer 1 (testin) sa 116 (R): done id usr@fqdn(any:0,[0..17]=a.schmidt@test.de) <- id usr@fqdn(any:0,[0..16]=a.schmidt@test.de) AG[be1df939 075f5051 : 844e4392 65bfe77f]
15:29:00 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): created 10.99.1.1/8:0 < any > 192.168.178.33/32:0 rekeyed 0
15:29:01 DEBUG/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): SA 89 established ESP[0f2f4ff7] in Mode transport enc 3des-cbc (192 bit) auth sha (160 bit)
15:29:01 DEBUG/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): SA 90 established ESP[d1d2c33f] out Mode transport enc 3des-cbc (192 bit) auth sha (160 bit)
15:29:01 INFO/IPSEC: Activate Bundle 47 (Peer 1 Traffic -1)
15:29:01 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): established (XXX.XXX.XXX.XXX<->XXX.XXX.XXX.XXX) with 2 SAs life 3600 Sec/0 Kb rekey 3240 Sec/0 Kb Hb send
15:29:02 DEBUG/INET: NAT: delete session on ifc 10001 prot 17 10.1.1.7:123/XXX.XXX.XXX.XXX:1023 <-> 85.214.29.92:123
15:29:05 INFO/IPSEC: Trigger Bundle -37 (Peer 1 Traffic -2) prot 17 10.1.1.3:5060->212.40.171.17:5060
15:29:05 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle -37 (I): created 10.0.0.0/8:0 < any > 0.0.0.0/0:0 rekeyed 0
15:29:07 DEBUG/INET: new session, 10.3.1.42:1040->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:07 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.42:1040] -> ANY[100001:XXX.XXX.XXX.XXX:123] any:17
15:29:07 DEBUG/INET: new session, 10.3.1.16:47808->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:07 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.16:47808] -> ANY[100001:XXX.XXX.XXX.XXX:123] any:17
15:29:08 DEBUG/INET: new session, 10.3.1.11:26519->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:08 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.11:26519] -> ANY[100001:XXX.XXX.XXX.XXX:123] any:17
15:29:16 DEBUG/INET: TIMEOUT Session expired: 10.10.1.152:138->10.255.255.255:138 prot=17
15:29:16 DEBUG/INET: destroy session, 10.10.1.152:138->10.255.255.255:138 prot: 17
15:29:16 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): deleted (Received delete), Pkts: 2/2 Hb: 0/2 Bytes: 112(176)/56(144) rekeyed by 0
15:29:16 DEBUG/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): SA 90 deleted errors 0/0/0
15:29:16 DEBUG/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): SA 89 deleted errors 0/0/0
15:29:16 INFO/IPSEC: Destroy Bundle 47 (Peer 1 Traffic -1)
15:29:16 DEBUG/IPSEC: IKE_DELETE_PAYLOAD_RECEIVED: 20100813152916: Source addr:XXX.XXX.XXX.XXX Destination addr:XXX.XXX.XXX.XXX SPI:0x7fe7bf6592434e8451505f0739f91dbe Description:Received delete notification
15:29:16 DEBUG/IPSEC: P1: peer 1 (testin) sa 0 (-): Automatic dialup
15:29:16 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle -37 (I): deleted (Lifetime expired), Pkts: 0/0 Hb: 0/0 Bytes: 0(0)/0(0) rekeyed by 0
15:29:16 INFO/IPSEC: Destroy Bundle -37 (Peer 1 Traffic -2)
15:29:16 INFO/IPSEC: P1: peer 1 (testin) sa 116 (R): delete ip XXX.XXX.XXX.XXX <- ip XXX.XXX.XXX.XXX: Received delete
15:29:16 INFO/IPSEC: P1: peer 1 (testin) sa 0 (-): start failed: no address
15:29:16 INFO/IPSEC: P1: peer 1 (testin) sa 0 (-): blocked for 15 seconds
15:29:17 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.42:1040/XXX.XXX.XXX.XXX:35222 -> XXX.XXX.XXX.XXX:123
15:29:17 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.16:47808/XXX.XXX.XXX.XXX:35223 -> XXX.XXX.XXX.XXX:123
15:29:18 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.11:26519/XXX.XXX.XXX.XXX:35224 -> XXX.XXX.XXX.XXX:123
15:29:18 DEBUG/INET: new session, 10.3.1.43:1040->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:18 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.43:1040] -> ANY[10001:XXX.XXX.XXX.XXX:123] any:17
15:29:18 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.43:1040/XXX.XXX.XXX.XXX:35225 -> XXX.XXX.XXX.XXX:123
15:29:19 DEBUG/INET: new session, 10.3.1.51:1037->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:19 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.51:1037] -> ANY[10001:XXX.XXX.XXX.XXX:123] any:17
15:29:19 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.51:1037/XXX.XXX.XXX.XXX:35226 -> XXX.XXX.XXX.XXX:123
15:29:21 DEBUG/INET: new session, XXX.XXX.XXX.XXX:500->XXX.XXX.XXX.XXX:500 prot: 17 parent: false
15:29:21 DEBUG/IPSEC: IKE_UNEQUAL_PAYLOAD_LENGTHS: 20100813152921: Source addr:0.0.0.0 Destination addr:XXX.XXX.XXX.XXX Description:UDP packet does not contain enough data for generic ISAKMP packet header
15:29:25 DEBUG/INET: new session, 10.3.1.52:1037->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:25 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.52:1037] -> ANY[10001:XXX.XXX.XXX.XXX:123] any:17
15:29:25 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.52:1037/XXX.XXX.XXX.XXX:35227 -> XXX.XXX.XXX.XXX:123
15:29:30 DEBUG/INET: TIMEOUT Session expired: 10.10.1.152:1784->XXX.XXX.XXX.XXX:80 prot=6
15:29:30 DEBUG/INET: TIMEOUT Session expired: 10.10.1.152:1783->XXX.XXX.XXX.XXX:80 prot=6
15:29:30 DEBUG/INET: TIMEOUT Session expired: 10.10.1.152:1785->XXX.XXX.XXX.XXX:80 prot=6
15:29:30 DEBUG/INET: TIMEOUT Session expired: 10.10.1.152:1782->XXX.XXX.XXX.XXX:80 prot=6
15:29:30 DEBUG/INET: destroy session, 10.10.1.152:1782->XXX.XXX.XXX.XXX:80 prot: 6
15:29:30 DEBUG/INET: destroy session, 10.10.1.152:1785->XXX.XXX.XXX.XXX:80 prot: 6
15:29:30 DEBUG/INET: destroy session, 10.10.1.152:1783->XXX.XXX.XXX.XXX:80 prot: 6
15:29:30 DEBUG/INET: destroy session, 10.10.1.152:1784->XXX.XXX.XXX.XXX:80 prot: 6
15:29:30 INFO/IPSEC: P1: peer 1 (testin) sa 0 (-): reactivated
15:29:30 DEBUG/IPSEC: P1: peer 1 (testin) sa 0 (-): Automatic dialup
15:29:30 INFO/IPSEC: P1: peer 1 (testin) sa 0 (-): start failed: no address
15:29:30 INFO/IPSEC: P1: peer 1 (testin) sa 0 (-): blocked for 15 seconds
15:29:31 DEBUG/INET: new session, 10.3.1.14:55367->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:31 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.14:55367] -> ANY[10001:XXX.XXX.XXX.XXX:123] any:17
15:29:31 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.14:55367/XXX.XXX.XXX.XXX:35228 -> XXX.XXX.XXX.XXX:123
15:29:33 DEBUG/INET: new session, 10.3.1.47:1031->XXX.XXX.XXX.XXX:123 prot: 17 parent: false
15:29:33 DEBUG/INET: SIF: 16 Accept ANY[1000:10.3.1.47:1031] -> ANY[10001:XXX.XXX.XXX.XXX:123] any:17
15:29:33 DEBUG/INET: NAT: new outgoing session on ifc 10001 prot 17 10.3.1.47:1031/XXX.XXX.XXX.XXX:35229 -> XXX.XXX.XXX.XXX:123
quit
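An added example, not part of the thread or of either vendor's tooling: a small Python parser for the `P2:` lines of the Bintec `debug all` output above, which lists each Phase 2 bundle with its role, traffic selectors and lifecycle, and pairs up bundles for the same peer whose selectors differ. The sample lines are copied from the post; the function names are assumptions of this example.

```python
import re

# Sample input: P2 lines taken from the debug output posted above.
SAMPLE = """\
15:29:00 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): created 10.99.1.1/8:0 < any > 192.168.178.33/32:0 rekeyed 0
15:29:01 DEBUG/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): SA 89 established ESP[0f2f4ff7] in Mode transport enc 3des-cbc (192 bit) auth sha (160 bit)
15:29:01 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): established (XXX.XXX.XXX.XXX<->XXX.XXX.XXX.XXX) with 2 SAs life 3600 Sec/0 Kb rekey 3240 Sec/0 Kb Hb send
15:29:05 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle -37 (I): created 10.0.0.0/8:0 < any > 0.0.0.0/0:0 rekeyed 0
15:29:16 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle 47 (R): deleted (Received delete), Pkts: 2/2 Hb: 0/2 Bytes: 112(176)/56(144) rekeyed by 0
15:29:16 INFO/IPSEC: P2: peer 1 (testin) traf 0 bundle -37 (I): deleted (Lifetime expired), Pkts: 0/0 Hb: 0/0 Bytes: 0(0)/0(0) rekeyed by 0
"""

P2 = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) \w+/IPSEC: P2: peer \d+ \((?P<name>[^)]*)\) "
    r"traf \d+ bundle (?P<bundle>-?\d+) \((?P<role>[IR])\): (?P<event>\w+)(?P<rest>.*)$")
SEL = re.compile(r"(\S+) < \S+ > (\S+)")          # local < proto > remote
EVENTS = {"created", "established", "deleted"}    # bundle-level events only

def parse_bundles(text):
    """Return {bundle_id: info} with role (I/R), selectors and lifecycle events."""
    bundles = {}
    for line in text.splitlines():
        m = P2.match(line.strip())
        if not m or m["event"] not in EVENTS:
            continue  # NAT, SIF, P1 and per-SA lines are skipped
        b = bundles.setdefault(
            int(m["bundle"]),
            {"peer": m["name"], "role": m["role"], "local": None, "remote": None, "events": []})
        if m["event"] == "created":
            s = SEL.search(m["rest"])
            if s:
                b["local"], b["remote"] = s.group(1), s.group(2)
        reason = re.search(r"\(([^)]*)\)", m["rest"]) if m["event"] == "deleted" else None
        b["events"].append((m["ts"], m["event"], reason.group(1) if reason else None))
    return bundles

def selector_conflicts(bundles):
    """Bundle pairs of one peer with opposite roles and different selectors."""
    items = sorted(bundles.items())
    return [(ida, idb)
            for i, (ida, a) in enumerate(items)
            for idb, b in items[i + 1:]
            if a["peer"] == b["peer"] and a["role"] != b["role"]
            and (a["local"], a["remote"]) != (b["local"], b["remote"])]

if __name__ == "__main__":
    for bid, info in sorted(parse_bundles(SAMPLE).items()):
        print(bid, info["role"], info["local"], "<->", info["remote"], info["events"])
    print("conflicting selector pairs:", selector_conflicts(parse_bundles(SAMPLE)))
```

On the lines from the thread this pairs bundle -37 (router as initiator, 10.0.0.0/8:0 to 0.0.0.0/0:0) with bundle 47 (router as responder, 10.99.1.1/8:0 to 192.168.178.33/32:0), which are the values to compare against the Phase 2 address settings configured in the client.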
Member: ulle2k4
ulle2k4 15.08.2010 at 06:17:21
Please switch off the SIF, under Setup -> Security, and then try again.