IPSec VPN Gateway VPN
Posted: Fri 15.05.2009, 21:58
Hello group,
I want to set up a VPN between a Piranja (dynamic IP) and an RC300 (static IP). For this I downloaded the howto, read it, possibly understood it, followed it and worked through it. It is probably not the gateway ID of the Piranja; I already know that error message.
I get to a certain point and then no further. I saved my log and pasted it in here..
Do you have any idea what I am doing wrong?
Log excerpt, filter set to the IPSEC service
----------------------------------------
....
May 15;21:47:01;172.16.252.250;IPSEC Server;Starting strongSwan IPsec 2.8.9 [starter]...;
May 15;21:47:01;172.16.252.250;IPSEC Server;Starting Pluto (strongSwan Version 2.8.9 THREADS VENDORID KEYRR);
May 15;21:47:01;172.16.252.250;IPSEC Server;including NAT-Traversal patch (Version 0.6c);
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_AES_CBC encryption: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_SHA2_256 hash: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_SHA2_384 hash: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_SHA2_512 hash: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok;
May 15;21:47:01;172.16.252.250;IPSEC Server;Testing registered IKE encryption algorithms:;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_BLOWFISH_CBC self-test not available;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_3DES_CBC self-test not available;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_AES_CBC self-test not available;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SERPENT_CBC self-test not available;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_TWOFISH_CBC self-test not available;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_TWOFISH_CBC_SSH self-test not available;
May 15;21:47:01;172.16.252.250;IPSEC Server;Testing registered IKE hash algorithms:;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_MD5 hash self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_MD5 hmac self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA hash self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA hmac self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA2_256 hash self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA2_256 hmac self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA2_384 hash self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA2_384 hmac self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA2_512 hash self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;OAKLEY_SHA2_512 hmac self-test passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;All crypto self-tests passed;
May 15;21:47:01;172.16.252.250;IPSEC Server;Using Linux 2.6 IPsec interface code;
May 15;21:47:01;172.16.252.250;IPSEC Server;Changing to directory '/etc/ipsec.d/cacerts';
May 15;21:47:01;172.16.252.250;IPSEC Server;Changing to directory '/etc/ipsec.d/aacerts';
May 15;21:47:01;172.16.252.250;IPSEC Server;Changing to directory '/etc/ipsec.d/ocspcerts';
May 15;21:47:01;172.16.252.250;IPSEC Server;Changing to directory '/etc/ipsec.d/crls';
May 15;21:47:01;172.16.252.250;IPSEC Server;Changing to directory '/etc/ipsec.d/acerts';
May 15;21:47:01;172.16.252.250;IPSEC Server;listening for IKE messages;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface ppp0/ppp0 84.163.70.185:500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface ppp0/ppp0 84.163.70.185:4500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface eth2/eth2 10.10.200.254:500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface eth2/eth2 10.10.200.254:4500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface eth1/eth1 172.16.252.150:500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface eth1/eth1 172.16.252.150:4500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface eth1/eth1 172.16.252.250:500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface eth1/eth1 172.16.252.250:4500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface lo/lo 127.0.0.1:500;
May 15;21:47:01;172.16.252.250;IPSEC Server;adding interface lo/lo 127.0.0.1:4500;
May 15;21:47:01;172.16.252.250;IPSEC Server;loading secrets from "/etc/ipsec.secrets";
May 15;21:47:01;172.16.252.250;IPSEC Server;added connection description "RW1.drk-rw1.local__GT__DRKKronprinzen_3";
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: initiating Main Mode;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring Vendor ID payload [strongSwan 2.8.9];
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: received Vendor ID payload [XAUTH];
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: received Vendor ID payload [Dead Peer Detection];
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: received Vendor ID payload [RFC 3947];
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: enabling possible NAT-traversal with method 3;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: NAT-Traversal: Result using RFC 3947: no NAT detected;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: Peer ID is ID_IPV4_ADDR: '217.7.229.93';
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ISAKMP SA established;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1};
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_ID_INFORMATION;
May 15;21:47:12;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_MESSAGE_ID;
May 15;21:47:31;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_MESSAGE_ID;
May 15;21:47:34;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1};
May 15;21:47:34;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_ID_INFORMATION;
May 15;21:47:44;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_MESSAGE_ID;
May 15;21:48:04;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_MESSAGE_ID;
May 15;21:48:11;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal;
May 15;21:48:44;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal;
-------------------------------------------------
With all due respect, I am running out of ideas and motivation. If I had been allowed to use a Vigor router, I would be drinking a beer right now....
Regards
Georg
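The log above shows the classic split between the two IKEv1 phases: Main Mode completes ("ISAKMP SA established", so the pre-shared key and the IKE proposal are accepted), but every Quick Mode attempt is answered with an INVALID_ID_INFORMATION notification and then times out in STATE_QUICK_I1. The following triage script is an added example (not part of the original post and not Securepoint or strongSwan code) that parses the semicolon-separated log export used in the post, tracks each connection's negotiation state and reports which phase failed and which notification the peer sent. The sample input is a subset of the log lines from the post; the field layout `<date>;<time>;<host>;<service>;<message>;` and the category names returned by `triage()` are assumptions of this example.

```python
"""Triage helper for a pluto (strongSwan 2.x) IKEv1 log export.

Added example, not code from the original post. Assumed input format is the
semicolon-separated export shown in the post:
    <date>;<time>;<host>;<service>;<message>;
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the log lines quoted in the post above (copied, not constructed).
SAMPLE_LOG = """\
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: initiating Main Mode;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: NAT-Traversal: Result using RFC 3947: no NAT detected;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: Peer ID is ID_IPV4_ADDR: '217.7.229.93';
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ISAKMP SA established;
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1};
May 15;21:47:01;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_ID_INFORMATION;
May 15;21:47:12;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #1: ignoring informational payload, type INVALID_MESSAGE_ID;
May 15;21:48:11;172.16.252.250;IPSEC Server;"RW1.drk-rw1.local__GT__DRKKronprinzen_3" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal;
"""

# pluto prefixes per-connection messages with '"<conn name>" #<sa number>: '
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


@dataclass
class ConnState:
    main_mode_started: bool = False
    isakmp_established: bool = False      # phase 1 done
    peer_id: Optional[str] = None
    nat_detected: Optional[bool] = None
    quick_mode_attempts: int = 0          # phase 2 attempts
    notifications: List[str] = field(default_factory=list)
    quick_mode_failed: bool = False       # retransmissions exhausted in QUICK_I1


def parse_line(line: str):
    """Split one export line into (host, message); None if it is not a log record."""
    parts = line.rstrip("\n").rstrip(";").split(";", 4)
    if len(parts) != 5:
        return None
    return parts[2], parts[4]


def analyse(log_text: str) -> Dict[str, ConnState]:
    """Walk the log and build a per-connection negotiation state."""
    states: Dict[str, ConnState] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, message = parsed
        m = CONN_RE.match(message)
        if m is None:
            continue  # daemon start-up / interface lines carry no connection name
        st = states.setdefault(m["conn"], ConnState())
        msg = m["msg"]
        if msg.startswith("initiating Main Mode"):
            st.main_mode_started = True
        elif msg.startswith("ISAKMP SA established"):
            st.isakmp_established = True
        elif "Peer ID is" in msg:
            st.peer_id = msg.split("'")[1]
        elif "NAT-Traversal: Result" in msg:
            st.nat_detected = "no NAT detected" not in msg
        elif msg.startswith("initiating Quick Mode"):
            st.quick_mode_attempts += 1
        elif "ignoring informational payload, type " in msg:
            st.notifications.append(msg.split("type ", 1)[1])
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            st.quick_mode_failed = True
    return states


HINTS = {
    "phase1-failed": "Main Mode never completed: check PSK, IKE proposal and gateway IDs.",
    "phase2-id-mismatch": ("Phase 1 is up, so PSK and IKE proposal are fine; the peer rejects the "
                           "Quick Mode IDs. Compare the local/remote subnets configured on both "
                           "gateways: they must be exact mirror images of each other."),
    "phase2-failed": "Phase 1 is up but Quick Mode timed out: compare the ESP proposals and PFS group.",
    "ok": "No failure detected in this excerpt.",
}


def triage(st: ConnState) -> str:
    """Classify the outcome of one connection's negotiation."""
    if not st.isakmp_established:
        return "phase1-failed"
    if st.quick_mode_failed and "INVALID_ID_INFORMATION" in st.notifications:
        return "phase2-id-mismatch"
    if st.quick_mode_failed:
        return "phase2-failed"
    return "ok"


if __name__ == "__main__":
    for name, st in analyse(SAMPLE_LOG).items():
        verdict = triage(st)
        print(f"{name}: peer={st.peer_id} nat={st.nat_detected} "
              f"quick_mode_attempts={st.quick_mode_attempts} -> {verdict}")
        print("  ", HINTS[verdict])
```

Run against the full export rather than the excerpt and the script will also pick up the second Quick Mode attempt (#3). The useful point for the reader is the classification: an INVALID_ID_INFORMATION during Quick Mode comes from the responder, which accepted the IKE peer but found no connection matching the proposed client subnets, so the place to look is the subnet definition on the RC300 side, not the PSK or the gateway ID that the post already rules out.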