The professional forum for LANCOM users

 Lancom Advanced VPN Client - Vista Business - Vodafone UMTS
OM



Joined: 09.12.2008
Posts: 10

Posted: Sun 04 Jan, 2009 17:27

Hello dear community,

I have set up a VPN dial-in access on my 1722 router using the 1-Click VPN setup wizard. After importing the profile and clicking Connect, I always get the message "IKE - Fehler (Phase 1) Kontakt zur Gegenstelle verloren" (IKE error (phase 1): contact to the remote site lost).

The setup is as follows:

Windows Vista Business 32 Bit SP1
Vodafone Mobile Connect software version 9.3.3.10523 ==> I have already uninstalled the famous Vodafone optimization software
Merlin XU870 ExpressCard, firmware version 101.9.00

The trace on the router gave the following result:

[TraceData]
[TraceStarted] 2009/01/04 16:01:00,000
Used config:
# Trace config
trace + VPN-Packet
trace + VPN-Status

# Show commands
show bootlog

[ShowCmd] 2009/01/04 16:01:00,000
Result of command: "show bootlog "
Boot log (188 Bytes):

****

01/01/1900 00:00:01 System boot after power on

DEVICE: LANCOM 1722 VoIP (Annex B)
HW-RELEASE: A
VERSION: 7.58.0045 / 14.11.2008 / 6.26b/E74.02.54

[Sysinfo] 2009/01/04 16:01:00,000
Result of command: "sysinfo"

DEVICE: LANCOM 1722 VoIP (Annex B)
HW-RELEASE: A
IP-ADDRESS: 192.168.1.254
IP-NETMASK: 255.255.255.0
INTRANET-ADDRESS: 0.0.0.0
INTRANETMASK: 0.0.0.0
VERSION: 7.58.0045 / 14.11.2008 / 6.26b/E74.02.54
NAME: OCT_1722
CONFIG-STATUS: 1056;0
FIRMWARE-STATUS: 0;0.4;0.1;7.58.14112008.4;7.55.16062008.3
HW-MASK: 00000000000000000000000001100011
FEATUREWORD: 01000000001000000000000100011101
REGISTERED-WORD: 01000000001000000000000100011101
FEATURE-LIST: 00/F/00000000
FEATURE-LIST: 02/F/00000000
FEATURE-LIST: 03/F/00000000
FEATURE-LIST: 04/F/00000000
FEATURE-LIST: 08/F/00000000
FEATURE-LIST: 15/F/00000000
FEATURE-LIST: 1e/F/00000000
TIME: 16011104012009
Compatible-IDs: 14:30:31;10:26:31
[VPN-Status] 2009/01/04 16:02:25,990
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> negotiated rfc-3706-dead-peer-detection
IKE info: The remote client 77.24.7.247:500 peer def-aggr-peer id <no_id> is NCP LANCOM Serial Number Protocol 1.0 with serial number 21068844
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server 77.24.7.247:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc

[VPN-Status] 2009/01/04 16:02:25,990
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 1 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer def-aggr-peer matched with local proposal 2

[VPN-Status] 2009/01/04 16:02:26,290
IKE info: Phase-1 [responder] got initial contact from peer CLIENT_0002 (77.24.7.247)

[VPN-Status] 2009/01/04 16:02:26,290
IKE info: Phase-1 [responder] for peer CLIENT_0002 between initiator id CLIENT_0002@intern, responder id CLIENT_0002@intern done
IKE info: SA ISAKMP for peer CLIENT_0002 encryption aes-cbc authentication sha1
IKE info: life time ( 28800 sec/ 0 kb)

[VPN-Status] 2009/01/04 16:02:26,290
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer CLIENT_0002 set to 25920 seconds (Responder)

[VPN-Status] 2009/01/04 16:02:26,290
IKE info: Phase-1 SA Timeout (Hard-Event) for peer CLIENT_0002 set to 28800 seconds (Responder)

[VPN-Status] 2009/01/04 16:02:27,290
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer CLIENT_0002, sequence nr 0x172c394d

[VPN-Status] 2009/01/04 16:02:27,440
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer CLIENT_0002 Seq-Nr 0x172c394d, expected 0x172c394d

[VPN-Status] 2009/01/04 16:02:28,300
IKE info: IKE-CFG: Received REQUEST message with id 0 from peer CLIENT_0002
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 0 value (none) received
IKE info: IKE-CFG: Attribute <Unknown 20002> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28672> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28673> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28674> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28675> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28676> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28677> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28678> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28679> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28680> len 12 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28681> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 20003> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 20004> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 20005> len 8 is private -> ignore

[VPN-Status] 2009/01/04 16:02:28,310
IKE info: IKE-CFG: Creating REPLY message with id 0 for peer CLIENT_0002
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 4 value 192.168.1.254 added
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 4 value 192.168.1.24 added
IKE info: IKE-CFG: Sending message

[VPN-Status] 2009/01/04 16:02:28,680
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0
IKE log: 160228 Default message_negotiate_sa: no compatible proposal found
IKE log: 160228 Default dropped message from 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer CLIENT_0002 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2009/01/04 16:02:28,680
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for CLIENT_0002 (77.24.7.247)

[VPN-Status] 2009/01/04 16:02:28,680
VPN: selecting next remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:28,680
VPN: selecting first remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:28,680
VPN: installing ruleset for CLIENT_0002 (0.0.0.0)

[VPN-Status] 2009/01/04 16:02:28,680
VPN: installing ruleset generally

[VPN-Status] 2009/01/04 16:02:28,690
VPN: installing pending rulesets

[VPN-Status] 2009/01/04 16:02:28,700
VPN: rulesets installed

[VPN-Status] 2009/01/04 16:02:33,540
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0
IKE log: 160233 Default message_negotiate_sa: no compatible proposal found
IKE log: 160233 Default dropped message from 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer CLIENT_0002 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2009/01/04 16:02:33,540
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for CLIENT_0002 (77.24.7.247)

[VPN-Status] 2009/01/04 16:02:33,540
VPN: selecting next remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:33,540
VPN: selecting first remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:33,540
VPN: installing ruleset for CLIENT_0002 (0.0.0.0)

[VPN-Status] 2009/01/04 16:02:33,540
VPN: installing ruleset generally

[VPN-Status] 2009/01/04 16:02:33,550
VPN: installing pending rulesets

[VPN-Status] 2009/01/04 16:02:33,560
VPN: rulesets installed

[VPN-Status] 2009/01/04 16:02:36,580
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0
IKE log: 160236 Default message_negotiate_sa: no compatible proposal found
IKE log: 160236 Default dropped message from 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer CLIENT_0002 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2009/01/04 16:02:36,580
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for CLIENT_0002 (77.24.7.247)

[VPN-Status] 2009/01/04 16:02:36,580
VPN: selecting next remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:36,580
VPN: selecting first remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:36,580
VPN: installing ruleset for CLIENT_0002 (0.0.0.0)

[VPN-Status] 2009/01/04 16:02:36,580
VPN: installing ruleset generally

[VPN-Status] 2009/01/04 16:02:36,590
VPN: installing pending rulesets

[VPN-Status] 2009/01/04 16:02:36,600
VPN: rulesets installed

[VPN-Status] 2009/01/04 16:02:39,620
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0
IKE log: 160239 Default message_negotiate_sa: no compatible proposal found
IKE log: 160239 Default dropped message from 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer CLIENT_0002 77.24.7.247 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2009/01/04 16:02:39,620
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for CLIENT_0002 (77.24.7.247)

[VPN-Status] 2009/01/04 16:02:39,620
VPN: selecting next remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:39,620
VPN: selecting first remote gateway using strategy eFirst for CLIENT_0002
=> no remote gateway selected

[VPN-Status] 2009/01/04 16:02:39,620
VPN: installing ruleset for CLIENT_0002 (0.0.0.0)

[VPN-Status] 2009/01/04 16:02:39,620
VPN: installing ruleset generally

[VPN-Status] 2009/01/04 16:02:39,630
VPN: installing pending rulesets

[VPN-Status] 2009/01/04 16:02:39,640
VPN: rulesets installed

[VPN-Status] 2009/01/04 16:02:42,480
IKE info: Delete Notification received for Phase-1 SA isakmp-peer-CLIENT_0002 peer CLIENT_0002 cookies [6fcb50e41a411a3a e6e6068c9cbccc72]

[VPN-Status] 2009/01/04 16:02:42,490
IKE info: Phase-1 SA removed: peer CLIENT_0002 rule CLIENT_0002 removed

[VPN-Status] 2009/01/04 16:02:42,490
VPN: installing ruleset generally

[VPN-Status] 2009/01/04 16:02:42,510
IKE log: 160242 Default x509_read_from_minifs: File /minifs/vpn_devcert not found

[VPN-Status] 2009/01/04 16:02:42,510
IKE log: 160242 Default x509_read_from_minifs: File /minifs/vpn_rootcert not found

[VPN-Status] 2009/01/04 16:02:42,510
IKE log: 160242 Default PKCS12_lcos_read_file: File /minifs/vpn_pkcs12_int not found

[VPN-Status] 2009/01/04 16:02:42,510
VPN: rulesets installed
[TraceStopped] 2009/01/04 16:04:21,000
Used config:
# Trace config
trace + VPN-Packet
trace + VPN-Status

# Show commands
show bootlog

Can any of you see what is going wrong here?

Many thanks in advance.

Bye

OM
backslash
Moderator


Joined: 08.11.2004
Posts: 4571
Location: Aachen

Posted: Sun 04 Jan, 2009 20:03

Hi OM,

here is the problem:

Quote:
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0


You must either specify in the client which network it should reach (in the profile under "VPN-IP-Netze" (VPN IP networks)), or you must create a rule in the LANCOM's firewall that allows the client access to all stations:

Code:
[ ] This rule is active for the firewall
[x] This rule is used to create VPN rules

Action:      transmit
Source:      all stations
Destination: remote site CLIENT_0002
Services:    all services


Regards
Backslash
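
The diagnosis above, as an added example that is not part of the original posts and is not LANCOM code: a Python script that pulls the rejected phase-2 ID pairs out of a trace like the one in the question and checks the requested network against a set of VPN rules. The rule sets and the exact-match model in `rule_matches` are assumptions; the thread does not show the router's actual rule table.

```python
import ipaddress
import re
from collections import Counter

# Excerpt from the trace in the question, shortened to two retries.
TRACE = """\
[VPN-Status] 2009/01/04 16:02:28,680
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for CLIENT_0002 (77.24.7.247)
[VPN-Status] 2009/01/04 16:02:33,540
IKE info: Phase-2 failed for peer CLIENT_0002: no rule matches the phase-2 ids 192.168.1.24 <-> 0.0.0.0/0.0.0.0
"""

P2_FAIL = re.compile(
    r"Phase-2 failed for peer (\S+): no rule matches the phase-2 ids (\S+) <-> (\S+)"
)

def failed_selectors(trace):
    """Count every (peer, client address, requested network) the router rejected."""
    hits = Counter()
    for peer, client, wanted in P2_FAIL.findall(trace):
        key = (peer, ipaddress.ip_network(client), ipaddress.ip_network(wanted))
        hits[key] += 1
    return hits

def rule_matches(rule_net, wanted_net):
    """Assumed, simplified model: a VPN rule matches only the identical network."""
    return ipaddress.ip_network(rule_net) == wanted_net

def diagnose(trace, router_rules):
    """router_rules maps peer name -> networks covered by VPN rules (assumed input)."""
    report = []
    for (peer, client, wanted), count in failed_selectors(trace).items():
        ok = any(rule_matches(r, wanted) for r in router_rules.get(peer, []))
        report.append((peer, str(client), str(wanted), count, ok))
    return report

if __name__ == "__main__":
    # Hypothetical rule sets: LAN only (from the sysinfo netmask), then "all stations".
    for rules in ({"CLIENT_0002": ["192.168.1.0/24"]}, {"CLIENT_0002": ["0.0.0.0/0"]}):
        for peer, client, wanted, count, ok in diagnose(TRACE, rules):
            state = "rule present" if ok else "no rule: expect NO_PROPOSAL_CHOSEN"
            print(f"{peer}: {client} <-> {wanted} rejected {count}x in trace; {state}")
```

With the LAN-only rule set the requested network 0.0.0.0/0 has no counterpart, which corresponds to the `IPSEC-R-No-rule-matched-IDs (0x3201)` error; the "all stations" rule set corresponds to the firewall rule suggested in the answer.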
OM



Joined: 09.12.2008
Posts: 10

Posted: Mon 05 Jan, 2009 09:27

Hello Backslash,

great, I adjusted the firewall rule and now the connection is established.

Great, many thanks.

Have a good start to the new week.

Bye
OM