meinereinerseiner
04.04.03, 18:34
Hello,
I am having problems establishing a VPN connection; it apparently fails in Phase 2. Here is my config and a bit of the log file:
/etc/ipsec.conf
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=no

conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=192.168.100.0/24
    leftid="C=DE, ST=Berlin, L=Berlin, O=CA, OU=private, CN=bonsaiGW, Email=root@plepps.linux-site.net"

conn Roadwarrior
    right=%any
    type=tunnel
    keyexchange=ike
    pfs=yes
    auto=add
The security policy settings on the client:
Authentication Phase 1:
Authentication Method: RSA Signatures
Encrypt Alg: DES3
Hash Alg: MD5
SA Life: unspecified
Key Group: Diffie-Hellman Group 1
Key Exchange Phase 2:
SA Life: unspecified
Compression: none
Encapsulation: ESP
Encrypt Alg: DES3
Hash Alg: MD5
Encapsulation: Tunnel
Authentication Protocol AH (not active)
/var/log/secure
Apr 4 19:08:24 bonsai pluto[15832]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.6)
Apr 4 19:08:24 bonsai pluto[15832]: including X.509 patch with traffic selectors (Version 0.9.25)
Apr 4 19:08:24 bonsai pluto[15832]: including NAT-Traversal patch (Version 0.5a) [disabled]
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Apr 4 19:08:24 bonsai pluto[15832]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 4 19:08:24 bonsai pluto[15832]: loaded cacert file 'caCert.pem' (1619 bytes)
Apr 4 19:08:24 bonsai pluto[15832]: Changing to directory '/etc/ipsec.d/crls'
Apr 4 19:08:24 bonsai pluto[15832]: loaded crl file 'crl.pem' (686 bytes)
Apr 4 19:08:24 bonsai pluto[15832]: loaded my default X.509 cert file '/etc/x509cert.der' (1050 bytes)
Apr 4 19:08:24 bonsai pluto[15832]: | from whack: got --esp=3des
Apr 4 19:08:24 bonsai pluto[15832]: | from whack: got --ike=3des
Apr 4 19:08:24 bonsai pluto[15832]: added connection description "Roadwarrior"
Apr 4 19:08:24 bonsai pluto[15832]: listening for IKE messages
Apr 4 19:08:24 bonsai pluto[15832]: adding interface ipsec0/ppp0 213.23.128.162
Apr 4 19:08:24 bonsai pluto[15832]: IP interfaces tun0 and eth0 share address 192.168.100.1!
Apr 4 19:08:24 bonsai pluto[15832]: loading secrets from "/etc/ipsec.secrets"
Apr 4 19:08:25 bonsai pluto[15832]: loaded private key file '/etc/ipsec.d/private/gwKey.pem' (963 bytes)
[...]
Apr 4 19:10:30 bonsai pluto[15832]: packet from 62.80.62.77:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 4 19:10:30 bonsai pluto[15832]: "Roadwarrior"[3] 62.80.62.77 #9: responding to Main Mode from unknown peer 62.80.62.77
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[3] 62.80.62.77 #9: ignoring Vendor ID payload [47bbe7c993f1fc13...]
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[3] 62.80.62.77 #9: ignoring Vendor ID payload [da8e937880010000]
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[3] 62.80.62.77 #9: ignoring Vendor ID payload [XAUTH]
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[3] 62.80.62.77 #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[3] 62.80.62.77 #9: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Berlin, O=CA, OU=private, CN=schleppi, E=schleppi@plepps.linux-site.net'
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #9: deleting connection "Roadwarrior" instance with peer 62.80.62.77
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #9: sent MR3, ISAKMP SA established
Apr 4 19:10:32 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #10: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 4 19:10:32 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #10: sending encrypted notification NO_PROPOSAL_CHOSEN to 62.80.62.77:500
Apr 4 19:10:33 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #11: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 4 19:10:33 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #11: sending encrypted notification NO_PROPOSAL_CHOSEN to 62.80.62.77:500
The log from the client:
19:09:44.598
19:09:44.708 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=213.23.128.162)
19:09:44.708 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM (SA, VID)
19:09:44.908 My Connections\New Connection - RECEIVED<<< ISAKMP OAK MM (SA)
19:09:44.928 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM (KE, NON, VID, VID, VID)
19:09:45.118 My Connections\New Connection - RECEIVED<<< ISAKMP OAK MM (KE, NON, CERT_REQ)
19:09:45.159 My Connections\New Connection - Using configured machine certificate "schleppi's CA private ID".
19:09:45.219 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
19:09:46.210 My Connections\New Connection - RECEIVED<<< ISAKMP OAK MM *(ID, CERT, SIG)
19:09:46.260 My Connections\New Connection - Established IKE SA
19:09:46.260 MY COOKIE 5f 46 b4 8f 7f 8b ed 69
19:09:46.260 HIS COOKIE 0 88 95 51 60 1d 59 28
19:09:46.260 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: D0D81194)
19:09:46.260 Initiator = IP ADDR=62.80.62.77, prot = 0 port = 0
19:09:46.260 Responder = IP SUBNET/MASK=192.168.100.0/255.255.255.0, prot = 0 port = 0
19:09:46.260 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
19:09:46.360 My Connections\New Connection - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
19:09:46.360 My Connections\New Connection - Discarding IPSec SA negotiation
19:09:46.981
19:09:47.612 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: 3D5656AF)
19:09:47.612 Initiator = IP ADDR=62.80.62.77, prot = 0 port = 0
19:09:47.612 Responder = IP SUBNET/MASK=192.168.100.0/255.255.255.0, prot = 0 port = 0
19:09:47.612 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
19:09:47.882 My Connections\New Connection - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
19:09:47.882 My Connections\New Connection - Discarding IPSec SA negotiation
I hope someone can see through this and find my mistake.
Thanks,
Tom
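The gateway log above names the cause directly: pluto says "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION", i.e. the gateway has pfs=yes for conn Roadwarrior, but the client's Quick Mode proposal carries no Diffie-Hellman group, so pluto answers NO_PROPOSAL_CHOSEN and the client discards the IPsec SA negotiation. The script below is an added example, not part of the post, the client vendor's software or FreeS/WAN itself: it parses an ipsec.conf (honouring conn %default inheritance the way pluto does), resolves the effective pfs= setting of a connection, correlates it with the pluto log lines for that connection, and reports the two possible fixes. The embedded ipsec.conf and log excerpt are taken from the post; the label of the client-side option ("PFS" or "Key Group" in the Phase 2 settings) varies by client and is an assumption.

```python
"""Triage of a FreeS/WAN Quick Mode (IKE Phase 2) failure caused by a PFS mismatch."""
import re

# ipsec.conf from the post above, with the section indentation FreeS/WAN requires.
IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
    uniqueids=no
conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=192.168.100.0/24
    leftid="C=DE, ST=Berlin, L=Berlin, O=CA, OU=private, CN=bonsaiGW, Email=root@plepps.linux-site.net"
conn Roadwarrior
    right=%any
    type=tunnel
    keyexchange=ike
    pfs=yes
    auto=add
"""

# Quick Mode lines from /var/log/secure in the post (excerpt).
PLUTO_LOG = """\
Apr 4 19:10:31 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #9: sent MR3, ISAKMP SA established
Apr 4 19:10:32 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #10: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 4 19:10:32 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #10: sending encrypted notification NO_PROPOSAL_CHOSEN to 62.80.62.77:500
Apr 4 19:10:33 bonsai pluto[15832]: "Roadwarrior"[4] 62.80.62.77 #11: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
"""

# pluto's wording when pfs=yes and the initiator's Phase 2 SA payload has no DH group.
PFS_MISMATCH = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
    r'we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION'
)


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text.

    A section header starts in column 0; its parameters are the indented
    key=value lines that follow.  Values are kept verbatim (quotes included).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            current = " ".join(line.split())
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line!r}")
        key, sep, value = line.strip().partition("=")   # first '=' only; DNs contain more
        if not sep:
            raise ValueError(f"malformed parameter line: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective(sections, conn, key, default=None):
    """Resolve KEY for 'conn CONN', falling back to 'conn %default' as pluto does."""
    for name in (f"conn {conn}", "conn %default"):
        if key in sections.get(name, {}):
            return sections[name][key]
    return default


def pfs_failures(log, conn):
    """Quick Mode rejections pluto logged for CONN because the peer offered no PFS group."""
    return [m.groupdict() for m in map(PFS_MISMATCH.search, log.splitlines())
            if m and m.group("conn") == conn]


def diagnose(conf_text, log_text, conn):
    """Correlate the effective pfs= setting of CONN with the log and name the fix."""
    gw_pfs = effective(parse_ipsec_conf(conf_text), conn, "pfs", default="yes")  # pluto default
    failures = pfs_failures(log_text, conn)
    if gw_pfs == "yes" and failures:
        return {
            "cause": "pfs_mismatch",
            "gateway_pfs": gw_pfs,
            "peers": sorted({f["peer"] for f in failures}),
            "isakmp_sas": [int(f["sa"]) for f in failures],
            # Preferred: keep forward secrecy, make the client offer a DH group in Phase 2
            # (assumed option label; it is "PFS" or "Key Group" in most IKEv1 clients).
            "fix_preferred": "client: enable PFS / Key Group 2 (modp1024) in Phase 2",
            # Fallback: every road warrior on this conn loses Perfect Forward Secrecy.
            "fix_fallback": f"gateway: set pfs=no in 'conn {conn}' and reload",
        }
    if failures:   # config already says pfs=no, yet the log shows the rejection: not reloaded
        return {"cause": "stale_log", "gateway_pfs": gw_pfs, "hint": "ipsec auto --replace " + conn}
    return {"cause": "no_pfs_mismatch", "gateway_pfs": gw_pfs}


if __name__ == "__main__":
    for k, v in diagnose(IPSEC_CONF, PLUTO_LOG, "Roadwarrior").items():
        print(f"{k}: {v}")
```

Of the two fixes, enabling PFS on the client is the one to prefer: pfs=no on the gateway makes every IPsec SA for that conn derive from the Phase 1 keying material alone. Independently of the PFS question, the client's proposal of 3DES, MD5 and Diffie-Hellman group 1 is weak by today's standards; when the tunnel is up, moving Phase 1 to a larger DH group and SHA-based hashes is the next thing to do.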