Info:
Site 1: Karlsruhe
Lancom 1711 VPN, version 6.02
Intranet: 192.168.0.0/255.255.255.0
WAN: KabelBW with DHCP and dyndns.org
Site 2: Danzig
Lancom 1711 VPN, version 6.02
Intranet: 192.168.1.0/255.255.255.0
WAN: DSL with static IP 83.18.157.130
VPN set up on both sides with the setup wizard:
1. Both sides with a static or resolvable IP
2. Aggressive mode
3. PSK
When I send a ping the tunnel comes up, and packets do go out over the line, but they never arrive.
I captured an excerpt of one tunnel setup (trace + vpn-status):
Also attached is a traffic capture (trace + vpn-packet):
root@PDTEC-KARLSRUHE:/ >
[VPN-Status] 1900/01/01 02:42:56,470
VPN: connecting to PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:42:56,470
VPN: start dynamic VPN negotiation for PDTEC-DANZIG (83.18.157.130) via ICMP/UDP
[VPN-Status] 1900/01/01 02:42:56,470
VPN: create dynamic VPN V2 authentication packet for PDTEC-DANZIG (83.18.157.130)
DNS: 192.168.0.1, 0.0.0.0
NBNS: 192.168.0.1, 0.0.0.0
polling address: 192.168.0.1
[VPN-Status] 1900/01/01 02:42:56,470
VPN: installing ruleset for PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:42:56,500
VPN: ruleset installed for PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:42:56,500
VPN: start IKE negotiation for PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:42:56,510
VPN: rulesets installed
[VPN-Status] 1900/01/01 02:42:56,520
IKE info: Phase-1 negotiation started for peer PDTEC-DANZIG rule isakmp-peer-PDTEC-DANZIG using AGGRESSIVE mode
[VPN-Status] 1900/01/01 02:42:56,770
VPN: received dynamic VPN V2 authentication packet from PDTEC-DANZIG (83.18.157.130)
DNS: 192.168.1.1, 0.0.0.0
NBNS: 192.168.1.1, 0.0.0.0
polling address: 192.168.1.1
[VPN-Status] 1900/01/01 02:42:56,960
IKE info: The remote server 83.18.157.130:500 peer PDTEC-DANZIG id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 83.18.157.130:500 peer PDTEC-DANZIG id <no_id> negotiated rfc-3706-dead-peer-detection
[VPN-Status] 1900/01/01 02:42:56,960
IKE info: Phase-1 remote proposal 1 for peer PDTEC-DANZIG matched with local proposal 1
[VPN-Status] 1900/01/01 02:42:57,120
IKE info: Phase-1 [inititiator] for peer PDTEC-DANZIG between initiator id 82.212.61.88, responder id 83.18.157.130 done
IKE info: SA ISAKMP for peer PDTEC-DANZIG encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 02:42:57,550
IKE info: Phase-2 [inititiator] done with 2 SAS for peer PDTEC-DANZIG rule ipsec-0-PDTEC-DANZIG-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.1.0/255.255.255.0 '
IKE info: SA ESP [0x2ed96efa] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x397adde0] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 82.212.61.88 dst: 83.18.157.130
[VPN-Status] 1900/01/01 02:42:58,570
VPN: PDTEC-DANZIG (83.18.157.130) connected, set poll timer to 30 sec
[VPN-Status] 1900/01/01 02:43:28,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
send poll frame to 192.168.1.1
[VPN-Status] 1900/01/01 02:43:56,670
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer PDTEC-DANZIG Seq-Nr 0x37c2b701, expected 0x37c2b701
[VPN-Status] 1900/01/01 02:43:56,670
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer PDTEC-DANZIG, sequence nr 0x37c2b701
[VPN-Status] 1900/01/01 02:43:58,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
setting poll time to 1 sec.
(5 retries left)
send poll frame to 192.168.1.1
[VPN-Status] 1900/01/01 02:43:59,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
(4 retries left)
send poll frame to 192.168.1.1
[VPN-Status] 1900/01/01 02:44:00,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
(3 retries left)
send poll frame to 192.168.1.1
[VPN-Status] 1900/01/01 02:44:01,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
(2 retries left)
send poll frame to 192.168.1.1
[VPN-Status] 1900/01/01 02:44:02,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
(1 retries left)
send poll frame to 192.168.1.1
[VPN-Status] 1900/01/01 02:44:03,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
no retries left, disconnect channel
[VPN-Status] 1900/01/01 02:44:03,580
VPN: Error: IFC-X-Line-polling-failed (0x1307) for PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:44:03,580
VPN: disconnecting PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:44:03,590
IKE info: Delete Notificaton sent for Phase-2 SA ipsec-0-PDTEC-DANZIG-pr0-l0-r0 to peer PDTEC-DANZIG, spi [0x397adde0]
[VPN-Status] 1900/01/01 02:44:03,590
IKE info: Phase-2 SA removed: peer PDTEC-DANZIG rule ipsec-0-PDTEC-DANZIG-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [2ed96efa ] [397adde0 ]
[VPN-Status] 1900/01/01 02:44:03,600
IKE info: Delete Notificaton sent for Phase-1 SA to peer PDTEC-DANZIG
[VPN-Status] 1900/01/01 02:44:03,600
IKE info: Phase-1 SA removed: peer PDTEC-DANZIG rule PDTEC-DANZIG removed
[VPN-Status] 1900/01/01 02:44:03,620
IKE info: Phase-1 negotiation started for peer PDTEC-DANZIG rule isakmp-peer-PDTEC-DANZIG using AGGRESSIVE mode
[VPN-Status] 1900/01/01 02:44:03,650
VPN: selecting next remote gateway using strategy eFirst for PDTEC-DANZIG
=> no remote gateway selected
[VPN-Status] 1900/01/01 02:44:03,650
VPN: selecting first remote gateway using strategy eFirst for PDTEC-DANZIG
=> CurrIdx=0, IpStr=>83.18.157.130<, IpAddr=83.18.157.130, IpTtl=0s
[VPN-Status] 1900/01/01 02:44:03,650
VPN: installing ruleset for PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:44:03,650
VPN: PDTEC-DANZIG (83.18.157.130) disconnected
[VPN-Status] 1900/01/01 02:44:03,670
VPN: rulesets installed
[VPN-Status] 1900/01/01 02:44:03,720
IKE log: 024403 Default message_recv: invalid cookie(s) 8034e3bc1a997984 7d445ac7ce9a6690
[VPN-Status] 1900/01/01 02:44:03,720
IKE log: 024403 Default dropped message from 83.18.157.130 port 500 due to notification type INVALID_COOKIE
[VPN-Status] 1900/01/01 02:44:03,720
IKE info: dropped message from peer unknown 83.18.157.130 port 500 due to notification type INVALID_COOKIE
[VPN-Status] 1900/01/01 02:44:03,720
IKE log: 024403 Default message_recv: invalid cookie(s) 8034e3bc1a997984 7d445ac7ce9a6690
[VPN-Status] 1900/01/01 02:44:03,730
IKE log: 024403 Default dropped message from 83.18.157.130 port 500 due to notification type INVALID_COOKIE
[VPN-Status] 1900/01/01 02:44:03,730
IKE info: dropped message from peer unknown 83.18.157.130 port 500 due to notification type INVALID_COOKIE
[VPN-Status] 1900/01/01 02:44:04,060
IKE info: The remote server 83.18.157.130:500 peer PDTEC-DANZIG id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 83.18.157.130:500 peer PDTEC-DANZIG id <no_id> negotiated rfc-3706-dead-peer-detection
[VPN-Status] 1900/01/01 02:44:04,060
IKE info: Phase-1 remote proposal 1 for peer PDTEC-DANZIG matched with local proposal 1
[VPN-Status] 1900/01/01 02:44:04,220
IKE info: Phase-1 [inititiator] for peer PDTEC-DANZIG between initiator id 82.212.61.88, responder id 83.18.157.130 done
IKE info: SA ISAKMP for peer PDTEC-DANZIG encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 02:44:04,650
IKE info: Phase-2 [inititiator] done with 2 SAS for peer PDTEC-DANZIG rule ipsec-0-PDTEC-DANZIG-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.1.0/255.255.255.0 '
IKE info: SA ESP [0x3523f4df] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x3eb1a829] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 82.212.61.88 dst: 83.18.157.130
[VPN-Status] 1900/01/01 02:44:04,650
VPN: wait for IKE negotiation from PDTEC-DANZIG (83.18.157.130)
[VPN-Status] 1900/01/01 02:44:05,680
VPN: PDTEC-DANZIG (83.18.157.130) connected, set poll timer to 30 sec
Does anyone have an idea why, on both sides, the packets simply vanish into nirvana?
[VPN-Packet] 1900/01/01 04:03:29,560
encrypted: 82.212.61.88->83.18.157.130 168 ESP SPI[01c67d61]
[VPN-Packet] 1900/01/01 04:03:29,660
for send: 192.168.0.1->192.168.1.1 96 UDP port 137->137
[VPN-Packet] 1900/01/01 04:03:29,660
encap: 192.168.0.1->192.168.1.1 96 UDP port 137->137
[VPN-Packet] 1900/01/01 04:03:29,660
encrypted: 82.212.61.88->83.18.157.130 168 ESP SPI[01c67d61]
[VPN-Packet] 1900/01/01 04:03:29,760
for send: 192.168.0.1->192.168.1.1 96 UDP port 137->137
[VPN-Packet] 1900/01/01 04:03:29,760
encap: 192.168.0.1->192.168.1.1 96 UDP port 137->137
The firewall trace shows no blocked packets.
I'm at my wit's end, since I can't find any clue as to where it's failing.
Regards
Marc
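As an added example (not from the post and not LANCOM code), a small Python checker that parses a VPN-Status trace like the one above into timestamped events and summarises the connect / poll-timeout / disconnect cycle: it records whether the peer's DPD requests still arrived while the line polls to the remote LAN address went unanswered. The sample trace is a constructed, shortened excerpt modelled on the lines in the post; the "hint" string is my reading of that pattern, not a LANCOM message.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the VPN-Status trace in the post (shortened).
SAMPLE_TRACE = """\
[VPN-Status] 1900/01/01 02:42:58,570
VPN: PDTEC-DANZIG (83.18.157.130) connected, set poll timer to 30 sec
[VPN-Status] 1900/01/01 02:43:56,670
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer PDTEC-DANZIG Seq-Nr 0x37c2b701, expected 0x37c2b701
[VPN-Status] 1900/01/01 02:43:58,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
[VPN-Status] 1900/01/01 02:44:03,570
VPN: poll timeout for PDTEC-DANZIG (83.18.157.130)
remote site did not answer during interval
no retries left, disconnect channel
[VPN-Status] 1900/01/01 02:44:03,580
VPN: Error: IFC-X-Line-polling-failed (0x1307) for PDTEC-DANZIG (83.18.157.130)
"""
HEADER = re.compile(r"^\[VPN-Status\] (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\d{3})$")

def parse_events(trace):
    """Return (timestamp, text) pairs; lines without a header belong to the previous one."""
    events, ts = [], None
    for line in trace.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S,%f")
        elif ts is not None and line.strip():
            events.append((ts, line.strip()))
    return events

def analyze(trace):
    """Summarise one connect -> poll-timeout -> disconnect cycle of a VPN-Status trace."""
    report = {"connected_at": None, "dpd_from_peer": False, "unanswered_polls": 0,
              "error": None, "seconds_up": None, "hint": None}
    for ts, text in parse_events(trace):
        if " connected, set poll timer" in text:
            report["connected_at"] = ts
        elif "ISAKMP_NOTIFY_DPD_R_U_THERE for peer" in text:
            report["dpd_from_peer"] = True          # the peer's IKE still reaches us
        elif text.startswith("remote site did not answer"):
            report["unanswered_polls"] += 1
        elif text.startswith("VPN: Error:"):
            report["error"] = text.split()[2]       # e.g. IFC-X-Line-polling-failed
            if report["connected_at"]:
                report["seconds_up"] = (ts - report["connected_at"]).total_seconds()
    if report["error"] == "IFC-X-Line-polling-failed" and report["dpd_from_peer"]:
        # My reading of this pattern (not a LANCOM message): IKE/DPD over the WAN
        # works, but the polls to the remote LAN address inside the tunnel get no reply.
        report["hint"] = "IKE reachable, tunnel payload path to remote LAN unanswered"
    return report
```

Running `analyze(SAMPLE_TRACE)` on the constructed excerpt reports two unanswered polls, DPD seen, the polling-failed error about 65 s after connect, and the hint; feed it a full trace from the router to get the same summary for a real cycle.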