Hello,
I am currently trying to set up IKE2 on an MBP with OSX 10.12.4 (with certificates).
However, I get the message shown below, although in my view the SA matched (first proposal).
IKEV1 works.
P.S. If I select DH>14 in LANCONFIG, the configuration cannot be saved.
Many thanks in advance
Henri
Rule #1          ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any
    Name:                       MB_IKE2
    Unique Id:                  ipsec-6-MB_IKE2-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 5.x.x.x)
    Remote Gateway:             IPV4_ADDR(any:0, 0.0.0.0)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)
    IKE Transforms    :         isakmp-DEFAULT-ikev2
      ENCR-Transforms :         AES_CBC-256
      PRF-Transforms  :         PRF_HMAC_SHA-256, PRF_HMAC_SHA1
      INTEG-Transforms:         SHA-256, SHA1
      DH-Transforms   :         MODP_2048 (GROUP 14)
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (RSA_SIG, emailAddress=admin@,C=DE:DER_ASN1_DN)
      Remote Identity      :    (RSA_SIG, emailAddress=admin@,C=DE:DER_ASN1_DN)
      Local/Remote Keys    :    *
    IPSec Protocol    :         IPSEC_ESP
      ENCR-Transforms :         AES_CBC-256
      INTEG-Transforms:         HMAC-SHA-256, HMAC-SHA1
      DH-Transforms   :
      ESN-Transforms  :         NONE
      Lifetime (hard) :         2000000 kb
      Lifetime (hard) :         28800 sec
[VPN-IKE] 2017/04/23 07:47:09,798  Devicetime: 2017/04/23 07:46:55,849
[<UNKNOWN>] Received packet:
IKE 2.0 Header:
Source/Port         : 80.187.118.25:500
Destination/Port    : 5.x.x.x:500
VLAN-ID             : 0
HW switch port      : 0
Routing-tag         : 0
Com-channel         : 3
Loopback            : NO
| Initiator cookie  : 4C 31 13 79 91 1D 43 35
| Responder cookie  : 00 00 00 00 00 00 00 00
| Next Payload      : SA
| Version           : 2.0
| Exchange type     : IKE_SA_INIT
| Flags             : 0x08   Initiator
| Msg-ID            : 0
| Length            : 604 Bytes
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 220 Bytes
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR
| | | Reserved2     : 0x00
| | | Transform ID  : AES_CBC
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG
| | | Reserved2     : 0x00
| | | Transform ID  : SHA-256
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH
| | | Reserved2     : 0x00
| | | Transform ID  : 14
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 2
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR
| | | Reserved2     : 0x00
| | | Transform ID  : AES_CBC
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG
| | | Reserved2     : 0x00
| | | Transform ID  : SHA-256
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH
| | | Reserved2     : 0x00
| | | Transform ID  : <Unknown 19>
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 3
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR
| | | Reserved2     : 0x00
| | | Transform ID  : AES_CBC
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG
| | | Reserved2     : 0x00
| | | Transform ID  : SHA-256
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH
| | | Reserved2     : 0x00
| | | Transform ID  : 5
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 4
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR
| | | Reserved2     : 0x00
| | | Transform ID  : AES_CBC
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG
| | | Reserved2     : 0x00
| | | Transform ID  : SHA1
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH
| | | Reserved2     : 0x00
| | | Transform ID  : 2
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 40 Bytes
| | Proposal number : 5
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ENCR
| | | Reserved2     : 0x00
| | | Transform ID  : 3DES
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG
| | | Reserved2     : 0x00
| | | Transform ID  : SHA1
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH
| | | Reserved2     : 0x00
| | | Transform ID  : 2
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 264 Bytes
| DH Group          : 14
| Reserved2         : 0x0000
| DH-Key(2048 bits) : F1 32 35 52 A1 9C 42 E6 A7 F4 E5 9C A4 84 1D A1
NONCE Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 20 Bytes
| Nonce(128 bits)   : 4F 48 47 AA 9F AF 8C B0 AF 76 0A BA 37 06 59 A0
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : REDIRECT_SUPPORTED
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_SOURCE_IP
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_DESTINATION_IP
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : IKEV2_FRAGMENTATION_SUPPORTED
[VPN-Status] 2017/04/23 07:47:09,845  Devicetime: 2017/04/23 07:46:55,850
IKE info: message_v2_validate_sa: no exchange available, failure
[VPN-Status] 2017/04/23 07:47:09,892  Devicetime: 2017/04/23 07:46:55,850
IKE info: ikev2: dropped message from 80.187.118.25 port 500 due to notification type INVALID_SYNTAX
[VPN-Debug] 2017/04/23 07:47:09,892  Devicetime: 2017/04/23 07:46:55,850
Peer <UNKNOWN>: Received an IKE_SA_INIT-REQUEST of 604 bytes
Gateways: 5.x.x.x:500<--80.187.118.25:500
SPIs: 0x4C311379911D43350000000000000000, Message-ID 0
VLAN-ID 0, HW switch port 0, Routing tag 0, Com-channel 3
Payloads: SA, KE, NONCE, NOTIFY(REDIRECT_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)
[VPN-Status] 2017/04/23 07:47:09,892  Devicetime: 2017/04/23 07:46:55,850
Peer <UNKNOWN>: Received an IKE_SA_INIT-REQUEST of 604 bytes
Gateways: 5.x.x.x:500<--80.187.118.25:500
SPIs: 0x4C311379911D43350000000000000000, Message-ID 0
-[ISAKMP-PEER-DEFAULT].VPN-ID is empty
-Message could not be validated => dropping
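
Added example (not part of the original post and not LANCOM code): IKEv2 proposal selection in the sense of RFC 7296, section 3.3, run over the five proposals of the IKE_SA_INIT request against the IKE transforms of rule MB_IKE2. The data is transcribed by hand from the dump above with normalised transform names; the function names are hypothetical.

```python
# Responder side: "IKE Transforms" of rule MB_IKE2 (names normalised by hand).
POLICY = {
    "ENCR": {("AES_CBC", 256)},
    "PRF": {"HMAC_SHA256", "HMAC_SHA1"},
    "INTEG": {"SHA256", "SHA1"},
    "DH": {14},
}

# Initiator side: proposals 1-5 from the SA payload, transcribed by hand.
_AES256_SHA256 = {"ENCR": [("AES_CBC", 256)], "PRF": ["HMAC_SHA256"], "INTEG": ["SHA256"]}
PROPOSALS = {
    1: {**_AES256_SHA256, "DH": [14]},
    2: {**_AES256_SHA256, "DH": [19]},
    3: {**_AES256_SHA256, "DH": [5]},
    4: {"ENCR": [("AES_CBC", 128)], "PRF": ["HMAC_SHA1"], "INTEG": ["SHA1"], "DH": [2]},
    5: {"ENCR": [("3DES", None)], "PRF": ["HMAC_SHA1"], "INTEG": ["SHA1"], "DH": [2]},
}
KE_GROUP = 14  # "DH Group" field of the KE payload in the same request


def missing_types(policy, proposal):
    """Transform types for which the proposal offers nothing the policy allows."""
    return [t for t, allowed in policy.items()
            if not allowed.intersection(proposal.get(t, []))]


def select_proposal(policy, proposals):
    """Return (number, chosen transforms) of the first acceptable proposal, else None."""
    for number in sorted(proposals):
        offer = proposals[number]
        if missing_types(policy, offer):
            continue
        chosen = {t: next(x for x in offer[t] if x in policy[t]) for t in policy}
        return number, chosen
    return None


def ke_matches(selection, ke_group):
    """True if the KE payload already uses the selected DH group,
    i.e. no INVALID_KE_PAYLOAD round trip would be needed."""
    return selection is not None and selection[1]["DH"] == ke_group


if __name__ == "__main__":
    sel = select_proposal(POLICY, PROPOSALS)
    print("selected:", sel, "| KE group matches:", ke_matches(sel, KE_GROUP))
    for n, p in PROPOSALS.items():
        print("proposal", n, "no overlap in:", missing_types(POLICY, p) or "-")
```

Proposal 1 overlaps the rule on all four transform types and the KE payload carries the same group 14; proposals 2 to 5 fail on the DH group, and 4 and 5 also on the cipher.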
LC7100+ LCOS 10RU1 - IKE2 no exchange available, failure
GrandDixence
- Posts: 1180
- Registered: 19 Aug 2014, 22:41
Re: LC7100+ LCOS 10RU1 - IKE2 no exchange available, failure
The reason for:
Code:
[VPN-Status] 2017/04/23 07:47:09,845 Devicetime: 2017/04/23 07:46:55,850
IKE info: message_v2_validate_sa: no exchange available, failure
is described at:
http://www.lancom-forum.de/fragen-zum-t ... 15441.html
or
http://www.lancom-forum.de/fragen-zum-t ... 15581.html
See also:
https://wiki.strongswan.org/projects/st ... pleClients
http://www.lancom-forum.de/fragen-zum-t ... 15905.html
https://www.bsi.bund.de/DE/Publikatione ... x_htm.html
https://www.heise.de/security/artikel/E ... 70056.html
https://www.heise.de/security/artikel/V ... 70796.html
Good luck!