Hi,
I have the following problem with the Securepoint: I am trying to set up a VPN connection using IPsec IKEv2 with certificates.
The VPN connection should be possible from a smartphone and from Windows 7.
The target system (Securepoint) is reached via DynDNS.
Error:
The connection is established and then dropped again after 2 seconds.
Excerpt from the log:
Jul 7 09:59:19 dyndns IPSEC Server pluto[17102]: packet from 109.47.**.**:500: ignoring Vendor ID payload [RFC 3947]
Jul 7 09:59:22 dyndns Firewall ACCEPT kernel: ACCEPT(rule:77) IN=eth1 OUT=ppp0 SRC=192.168.3.60 DST=212.227.**.** LEN=32 TOS=0x00 PREC=0x00 TTL=63 ID=15578 PROTO=UDP SPT=5060 DPT=5060 LEN=12
Jul 7 09:59:22 dyndns Firewall ACCEPT kernel: ACCEPT(rule:77) IN=eth1 OUT=ppp0 SRC=192.168.3.60 DST=212.227.**.** LEN=32 TOS=0x00 PREC=0x00 TTL=63 ID=56965 PROTO=UDP SPT=5060 DPT=5060 LEN=12
Jul 7 09:59:49 dyndns IPSEC Server pluto[17102]: packet from 109.47.**.**:500: ignoring Vendor ID payload [RFC 3947]
Jul 7 09:59:51 dyndns L2TP Server l2tpd[17289]: assigned_tunnel_avp: using peer's tunnel 13460
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: handle_avps: handling avp's for tunnel 27067, call 0
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: message_type_avp: message type 3 (Start-Control-Connection-Connected)
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: control_finish: Connection established to 109.47.**.**, 34306. Local: 27067, Remote: 13460. LNS session is 'default'
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: handle_avps: handling avp's for tunnel 27067, call 0
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: message_type_avp: message type 10 (Incoming-Call-Request)
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: message_type_avp: new incoming call
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: assigned_call_avp: using peer's call 17839
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: call_serno_avp: serial number is 1974220621
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: handle_avps: handling avp's for tunnel 27067, call 48799
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: message_type_avp: message type 12 (Incoming-Call-Connected)
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: tx_speed_avp: transmit baud rate is 100000000
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: frame_type_avp: peer uses: async frames
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: control_finish: Call established with 109.47.**.**, Local: 48799, Remote: 17839, Serial: 1974220621
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: pppd 2.4.4 started by root, uid 0
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: Using interface ppp1
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: Connect: ppp1 /dev/ttyp0
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: Cannot determine ethernet address for proxy ARP
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: local IP address 192.168.203.100
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: remote IP address 192.168.203.102
Jul 7 09:59:59 dyndns Security Server server: DEBUG: changes on ppp1: -address +address -link +link -interface +interface (tunnel)
Jul 7 10:00:00 dyndns Security Server server: DEBUG: delete old_route = 2
Jul 7 10:00:00 dyndns Security Server server: DEBUG: 'ip route add 192.168.250.0/24 nexthop dev tun0 weight 1' = FAILED
Jul 7 10:00:05 dyndns Point-To-Point Server pppd[27490]: LCP terminated by peer (User request)
Jul 7 10:00:05 dyndns Point-To-Point Server pppd[27490]: Terminating on signal 15
IPSEC IKEv2 with certificates
Moderator: Securepoint
Last edited by DDRM on Thu 07.07.2011, 10:08, edited 1 time in total.
Hi,
well, something in your description does not add up.
Either IKEv1 with L2TP (which is what the log points to) or IKEv2. But both together?
In the Windows connection, did you remove the checkmark at: Properties -> Security -> Advanced settings -> "Verify the name and usage attributes of the server's certificate"?
"LCP terminated by peer (User request)"
This indicates a disconnect initiated by the client!
Last edited by carsten on Thu 07.07.2011, 11:26, edited 1 time in total.
There are 10 types of people in the world... those who understand binary and those who don't.
I meant IKEv1.
I have now set up IPsec IKEv1 from scratch and get the following error messages:
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: Peer ID is ID_IPV4_ADDR: '109.47.**.***'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: no public key known for '109.47.**.***'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: sending encrypted notification INVALID_KEY_INFORMATION to 109.47.**.***:500
Jul 7 14:04:27 192.168.3.62 L2TP Server l2tpd[3360]: assigned_tunnel_avp: using peer's tunnel 38532
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: ERROR: asynchronous network error report on ppp0 for message to 109.47.**.*** port 500, complainant 109.47.**.***: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: ERROR: asynchronous network error report on ppp0 for message to 109.47.**.*** port 500, complainant 109.47.**.***: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: handle_avps: handling avp's for tunnel 64382, call 33543
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: message_type_avp: message type 12 (Incoming-Call-Connected)
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: tx_speed_avp: transmit baud rate is 100000000
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: frame_type_avp: peer uses: async frames
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: control_finish: Call established with 109.47.**.***, Local: 33543, Remote: 65300, Serial: -1491541501
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: pppd 2.4.4 started by root, uid 0
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: Using interface ppp1
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: Connect: ppp1 /dev/ttyp0
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 appeared on ppp1
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 disappeared from ppp1
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 appeared on ppp1
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: interface ppp1 activated
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: Cannot determine ethernet address for proxy ARP
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: local IP address 192.168.203.100
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: remote IP address 192.168.203.102
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: LCP terminated by peer (User request)
Jul 7 14:04:41 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 disappeared from ppp1
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Terminating on signal 15
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Modem hangup
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Connection terminated.
What could this be?
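A triage script for the two log excerpts in this thread, added here as an example; it is not part of the thread and not Securepoint's software. It parses syslog lines in the shape that pluto, l2tpd, pppd and the Securepoint "Security Server" emit above, flags the messages that explain the drop (no public key for the peer ID, INVALID_KEY_INFORMATION, the ICMP port-unreachable report, the failed route, and the client-initiated LCP termination that carsten points out), and measures how long the PPP session lived. The sample lines are constructed from the excerpts above; the masked client address is replaced by the documentation IP 198.51.100.7 and the connection name "fw2.example.local__GT__l2tp_0" is an assumption.

```python
"""Log triage for the pluto / l2tpd / pppd excerpts in this thread.

Added example, not part of the thread or of Securepoint's software. It parses
syslog lines of the shape shown above and flags the messages that explain why
the road-warrior session comes up and drops again.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the shape of the second excerpt (IKEv1 with certificates)
# plus the failed-route line from the first. 198.51.100.7 is a documentation
# address standing in for the masked client IP; the connection name is assumed.
SAMPLE_LOG = """\
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.example.local__GT__l2tp_0"[1] 198.51.100.7 #5: Peer ID is ID_IPV4_ADDR: '198.51.100.7'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.example.local__GT__l2tp_0"[1] 198.51.100.7 #5: no public key known for '198.51.100.7'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.example.local__GT__l2tp_0"[1] 198.51.100.7 #5: sending encrypted notification INVALID_KEY_INFORMATION to 198.51.100.7:500
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: ERROR: asynchronous network error report on ppp0 for message to 198.51.100.7 port 500, complainant 198.51.100.7: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 7 14:04:27 192.168.3.62 L2TP Server l2tpd[3360]: assigned_tunnel_avp: using peer's tunnel 38532
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: Using interface ppp1
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: local IP address 192.168.203.100
Jul 7 14:04:30 192.168.3.62 Security Server server: DEBUG: 'ip route add 192.168.250.0/24 nexthop dev tun0 weight 1' = FAILED
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: LCP terminated by peer (User request)
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Terminating on signal 15
"""

# syslog prefix: timestamp, host, free-text service label, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>.+?) (?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

LCP_BY_PEER = "LCP terminated by peer (User request)"

# (substring to look for, severity, what it tells the operator); first match wins
RULES = [
    ("no public key known for", "error",
     "pluto has no certificate or public key for the peer ID it received, so "
     "certificate authentication cannot succeed for this client"),
    ("INVALID_KEY_INFORMATION", "error",
     "IKE phase 1 authentication was rejected by the firewall"),
    ("Connection refused [errno 111", "error",
     "the client answered UDP/500 with ICMP port unreachable, i.e. it had "
     "already closed its IKE socket"),
    ("' = FAILED", "warning",
     "a route for the tunnel could not be installed on the firewall"),
    (LCP_BY_PEER, "warning",
     "the PPP session was closed by the client, not by the firewall"),
    ("Peer ID is ID_IPV4_ADDR", "info",
     "the client identifies itself by IP address rather than by a certificate subject"),
    ("ignoring Vendor ID payload", "info",
     "benign: unknown or NAT-T vendor ID announced by the client"),
]


@dataclass
class Finding:
    ts: str
    prog: str
    key: str          # the RULES substring that matched
    severity: str
    explanation: str


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Classify a log excerpt and summarise what it shows about the session."""
    progs, findings = set(), []
    ppp_up = ppp_down = None
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        progs.add(rec["prog"])
        for needle, severity, explanation in RULES:
            if needle in rec["msg"]:
                findings.append(Finding(rec["ts"], rec["prog"], needle, severity, explanation))
                break
        # PPP lifetime: from interface allocation to pppd's own termination
        if rec["prog"] == "pppd":
            stamp = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            if rec["msg"].startswith("Using interface"):
                ppp_up = stamp
            elif rec["msg"].startswith("Terminating on signal"):
                ppp_down = stamp
    if {"pluto", "l2tpd"} <= progs:
        stack = "L2TP over IPsec (IKEv1: pluto + l2tpd), not a plain IKEv2 tunnel"
    elif "pluto" in progs:
        stack = "IPsec only (pluto)"
    else:
        stack = "unknown"
    return {
        "stack": stack,
        "findings": findings,
        "errors": [f for f in findings if f.severity == "error"],
        "ppp_lifetime_s": (ppp_down - ppp_up).total_seconds() if ppp_up and ppp_down else None,
        "closed_by_client": any(f.key == LCP_BY_PEER for f in findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("stack:", result["stack"])
    print("ppp session lived", result["ppp_lifetime_s"], "s; closed by client:", result["closed_by_client"])
    for f in result["findings"]:
        print(f"{f.ts} {f.prog:6} {f.severity:7} {f.explanation}")
```

Run as-is it prints the stack it recognises, the PPP lifetime and the ordered findings; pasting a real excerpt into SAMPLE_LOG (or reading it from a file) is enough to triage another session. The rule table deliberately ranks the pluto authentication messages above the pppd termination, because the LCP close is the symptom the client shows while the missing key for the peer ID is what the firewall actually rejected.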
Did you set up an IKEv1 (IPsec) connection or an L2TP connection? There are certain differences. See here: http://wiki.securepoint.de/index.php/L2TP_-_Roadwarrior