IPSEC IKEv2 with certificates

Posted: Thu 07.07.2011, 10:07
by DDRM
Hi,

I have the following problem with the Securepoint: I am trying to set up a VPN connection using IPSEC IKEv2 with certificates.

The VPN connection should be possible from a smartphone and from Windows 7.

The target system (Securepoint) is reached via DynDNS.


Error:

The connection is established and then dropped again after 2 seconds.

Excerpt from the log:


Jul 7 09:59:19 dyndns IPSEC Server pluto[17102]: packet from 109.47.**.**:500: ignoring Vendor ID payload [RFC 3947]
Jul 7 09:59:22 dyndns Firewall ACCEPT kernel: ACCEPT(rule:77) IN=eth1 OUT=ppp0 SRC=192.168.3.60 DST=212.227.**.** LEN=32 TOS=0x00 PREC=0x00 TTL=63 ID=15578 PROTO=UDP SPT=5060 DPT=5060 LEN=12
Jul 7 09:59:22 dyndns Firewall ACCEPT kernel: ACCEPT(rule:77) IN=eth1 OUT=ppp0 SRC=192.168.3.60 DST=212.227.**.** LEN=32 TOS=0x00 PREC=0x00 TTL=63 ID=56965 PROTO=UDP SPT=5060 DPT=5060 LEN=12

Jul 7 09:59:49 dyndns IPSEC Server pluto[17102]: packet from 109.47.**.**:500: ignoring Vendor ID payload [RFC 3947]
Jul 7 09:59:51 dyndns L2TP Server l2tpd[17289]: assigned_tunnel_avp: using peer's tunnel 13460
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: handle_avps: handling avp's for tunnel 27067, call 0
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: message_type_avp: message type 3 (Start-Control-Connection-Connected)
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: control_finish: Connection established to 109.47.**.**, 34306. Local: 27067, Remote: 13460. LNS session is 'default'
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: handle_avps: handling avp's for tunnel 27067, call 0
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: message_type_avp: message type 10 (Incoming-Call-Request)
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: message_type_avp: new incoming call
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: assigned_call_avp: using peer's call 17839
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: call_serno_avp: serial number is 1974220621

Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: handle_avps: handling avp's for tunnel 27067, call 48799
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: message_type_avp: message type 12 (Incoming-Call-Connected)
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: tx_speed_avp: transmit baud rate is 100000000
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: frame_type_avp: peer uses: async frames
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: control_finish: Call established with 109.47.**.**, Local: 48799, Remote: 17839, Serial: 1974220621
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: pppd 2.4.4 started by root, uid 0
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: Using interface ppp1
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: Connect: ppp1 /dev/ttyp0
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: Cannot determine ethernet address for proxy ARP
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: local IP address 192.168.203.100
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: remote IP address 192.168.203.102
Jul 7 09:59:59 dyndns Security Server server: DEBUG: changes on ppp1: -address +address -link +link -interface +interface (tunnel)
Jul 7 10:00:00 dyndns Security Server server: DEBUG: delete old_route = 2
Jul 7 10:00:00 dyndns Security Server server: DEBUG: 'ip route add 192.168.250.0/24 nexthop dev tun0 weight 1' = FAILED
Jul 7 10:00:05 dyndns Point-To-Point Server pppd[27490]: LCP terminated by peer (User request)
Jul 7 10:00:05 dyndns Point-To-Point Server pppd[27490]: Terminating on signal 15


IPSEC IKEv2 with certificates

Posted: Thu 07.07.2011, 11:26
by carsten
Hi,

well, something in your details doesn't add up ;).

Either IKEv1 with L2TP (which is what the log points to) or IKEv2. But both together?

In the Windows connection, did you remove the checkmark under: Properties -> Security -> Advanced settings -> "Verify the Name and Usage attributes of the server's certificate"?

"LCP terminated by peer (User request)"

This indicates a disconnect initiated by the client!

IPSEC IKEv2 with certificates

Posted: Thu 07.07.2011, 14:11
by DDRM
I meant IKEv1.

I have now set up IPSEC IKEv1 afresh and get the following error messages:


Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: Peer ID is ID_IPV4_ADDR: '109.47.**.***'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: no public key known for '109.47.**.***'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: sending encrypted notification INVALID_KEY_INFORMATION to 109.47.**.***:500
Jul 7 14:04:27 192.168.3.62 L2TP Server l2tpd[3360]: assigned_tunnel_avp: using peer's tunnel 38532
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: ERROR: asynchronous network error report on ppp0 for message to 109.47.**.*** port 500, complainant 109.47.**.***: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: ERROR: asynchronous network error report on ppp0 for message to 109.47.**.*** port 500, complainant 109.47.**.***: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: handle_avps: handling avp's for tunnel 64382, call 33543
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: message_type_avp: message type 12 (Incoming-Call-Connected)
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: tx_speed_avp: transmit baud rate is 100000000
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: frame_type_avp: peer uses: async frames
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: control_finish: Call established with 109.47.**.***, Local: 33543, Remote: 65300, Serial: -1491541501
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: pppd 2.4.4 started by root, uid 0
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: Using interface ppp1
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: Connect: ppp1 /dev/ttyp0
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 appeared on ppp1
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 disappeared from ppp1
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 appeared on ppp1
Jul 7 14:04:29 192.168.3.62 IPSEC Server pluto[14389]: interface ppp1 activated
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: Cannot determine ethernet address for proxy ARP
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: local IP address 192.168.203.100
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: remote IP address 192.168.203.102

Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: LCP terminated by peer (User request)
Jul 7 14:04:41 192.168.3.62 IPSEC Server pluto[14389]: 192.168.203.100 disappeared from ppp1
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Terminating on signal 15
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Modem hangup
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: Connection terminated.

What could this be?
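Added example (not from this thread and not Securepoint code): a small Python triage script for the pluto, l2tpd and pppd lines posted in the first and third posts above. It parses the syslog layout both logs use, records which phase (IKE, L2TP, PPP, routing) was reached, and reports the first recognised error, which is where carsten's reply points: the "no public key known" / INVALID_KEY_INFORMATION lines in the second log, the failed "ip route add" in the first, and "LCP terminated by peer" in both. The two sample logs are constructed from lines in this thread with the masked addresses kept as posted; the rule table and its explanations are this example's assumptions, not Securepoint output.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples: lines copied from the two logs posted in this thread
# (addresses masked as they were posted). Log 1 is the first post, log 2 the third.
SAMPLE_LOG_1 = """\
Jul 7 09:59:19 dyndns IPSEC Server pluto[17102]: packet from 109.47.**.**:500: ignoring Vendor ID payload [RFC 3947]
Jul 7 09:59:22 dyndns Firewall ACCEPT kernel: ACCEPT(rule:77) IN=eth1 OUT=ppp0 SRC=192.168.3.60 DST=212.227.**.** LEN=32 TOS=0x00 PREC=0x00 TTL=63 ID=15578 PROTO=UDP SPT=5060 DPT=5060 LEN=12
Jul 7 09:59:52 dyndns L2TP Server l2tpd[17289]: control_finish: Connection established to 109.47.**.**, 34306. Local: 27067, Remote: 13460. LNS session is 'default'
Jul 7 09:59:53 dyndns L2TP Server l2tpd[17289]: control_finish: Call established with 109.47.**.**, Local: 48799, Remote: 17839, Serial: 1974220621
Jul 7 09:59:53 dyndns Point-To-Point Server pppd[27490]: Using interface ppp1
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: local IP address 192.168.203.100
Jul 7 09:59:54 dyndns Point-To-Point Server pppd[27490]: remote IP address 192.168.203.102
Jul 7 10:00:00 dyndns Security Server server: DEBUG: 'ip route add 192.168.250.0/24 nexthop dev tun0 weight 1' = FAILED
Jul 7 10:00:05 dyndns Point-To-Point Server pppd[27490]: LCP terminated by peer (User request)
Jul 7 10:00:05 dyndns Point-To-Point Server pppd[27490]: Terminating on signal 15
"""

SAMPLE_LOG_2 = """\
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: no public key known for '109.47.**.***'
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: "fw2.*****local__GT__l2tp_0"[1] 109.47.**.*** #5: sending encrypted notification INVALID_KEY_INFORMATION to 109.47.**.***:500
Jul 7 14:04:27 192.168.3.62 IPSEC Server pluto[14389]: ERROR: asynchronous network error report on ppp0 for message to 109.47.**.*** port 500, complainant 109.47.**.***: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 7 14:04:28 192.168.3.62 L2TP Server l2tpd[3360]: control_finish: Call established with 109.47.**.***, Local: 33543, Remote: 65300, Serial: -1491541501
Jul 7 14:04:28 192.168.3.62 Point-To-Point Server pppd[30871]: Using interface ppp1
Jul 7 14:04:30 192.168.3.62 Point-To-Point Server pppd[30871]: remote IP address 192.168.203.102
Jul 7 14:04:41 192.168.3.62 Point-To-Point Server pppd[30871]: LCP terminated by peer (User request)
"""

# "<Mon> <day> <hh:mm:ss> <host> <subsystem words> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<subsys>.+?)\s+(?P<prog>\w+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<msg>.*)$"
)

# Assumed rule table: (message pattern, phase, kind, meaning). First match wins.
RULES = [
    (r"no public key known for", "ike", "error",
     "peer authenticates with a public key/certificate, but none is configured for the peer ID it presented"),
    (r"INVALID_KEY_INFORMATION", "ike", "error",
     "gateway rejected the client's key/certificate information"),
    (r"ICMP type 3 code 3", "ike", "warning",
     "peer reported UDP port unreachable for an IKE message"),
    (r"'ip route add .*' = FAILED", "routing", "error",
     "route for the tunnel could not be installed on the gateway"),
    (r"LCP terminated by peer", "ppp", "error",
     "client closed the PPP link itself (client-side abort)"),
    (r"Connection established to", "l2tp", "milestone", "L2TP control connection up"),
    (r"Call established with", "l2tp", "milestone", "L2TP call up"),
    (r"remote IP address", "ppp", "milestone", "PPP addresses negotiated"),
    (r"ignoring Vendor ID payload", "ike", "info", "informational: unknown vendor ID skipped"),
]
COMPILED = [(re.compile(p), phase, kind, meaning) for p, phase, kind, meaning in RULES]


@dataclass
class Event:
    ts: str
    prog: str
    phase: str
    kind: str
    meaning: str
    msg: str


@dataclass
class Triage:
    milestones: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    unparsed: int = 0

    def phases_reached(self) -> list:
        """Phases with a milestone, in the order they were first seen."""
        seen = []
        for ev in self.milestones:
            if ev.phase not in seen:
                seen.append(ev.phase)
        return seen

    def first_error(self) -> Optional[Event]:
        return self.errors[0] if self.errors else None


def parse_line(line: str) -> Optional[dict]:
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Event]:
    for pat, phase, kind, meaning in COMPILED:
        if pat.search(rec["msg"]):
            return Event(rec["ts"], rec["prog"], phase, kind, meaning, rec["msg"])
    return None  # unrelated line (e.g. the SIP firewall ACCEPT entries)


def triage(text: str) -> Triage:
    result = Triage()
    buckets = {"milestone": result.milestones, "error": result.errors, "warning": result.warnings}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            result.unparsed += 1
            continue
        ev = classify(rec)
        if ev is not None and ev.kind in buckets:
            buckets[ev.kind].append(ev)
    return result


def report(text: str) -> str:
    t = triage(text)
    out = [f"phases reached: {', '.join(t.phases_reached()) or 'none'}"]
    out += [f"warning [{ev.phase}/{ev.prog}] {ev.meaning}" for ev in t.warnings]
    out += [f"error   [{ev.phase}/{ev.prog}] {ev.meaning}" for ev in t.errors]
    first = t.first_error()
    out.append("first error: " + (f"{first.meaning} :: {first.msg}" if first else "none recognised"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG_1))
    print()
    print(report(SAMPLE_LOG_2))
```

The point of the ordering is that the first error in time, not the last, is what to chase: in the second log the IKE key rejection precedes everything else, and the later "LCP terminated by peer" is just the client giving up.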

IPSEC IKEv2 with certificates

Posted: Thu 07.07.2011, 15:27
by Erik
Have you set up an IKEv1 (IPSec) connection or an L2TP connection? There are certain differences between the two. See here: http://wiki.securepoint.de/index.php/L2TP_-_Roadwarrior