Hello everyone,
I'm looking at a strange phenomenon here.
Dial-in via AVC doesn't always work for some users.
Message in the AVC:
VPN-Gateway antwortet nicht (Warten auf Msg 2)
Trace in the Lancom:
[VPN-Status] 2009/10/21 09:05:26,490
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> negotiated rfc-3706-dead-peer-detection
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
[VPN-Status] 2009/10/21 09:05:26,530
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 1 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer def-aggr-peer matched with local proposal 2
[VPN-Status] 2009/10/21 09:05:26,540
IKE log: 090526.000000 Default dropped message from xx.xx.xx.xx port 500 due to notification type INVALID_ID_INFORMATION
[VPN-Status] 2009/10/21 09:05:26,540
IKE info: dropped message from peer unknown xx.xx.xx.xx port 500 due to notification type INVALID_ID_INFORMATION
The problem clears itself without any configuration change once one of the following actions is carried out:
- wait a long time and do nothing (I can't give an exact time here)
- read the configuration out of the Lancom and load it back in unchanged (without a restart)
- firmware update (with automatic restart)
When it works again, the trace looks like this:
[VPN-Status] 2009/10/21 08:46:21,280
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode draft
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> negotiated rfc-3706-dead-peer-detection
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
[VPN-Status] 2009/10/21 08:46:21,320
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 1 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer def-aggr-peer matched with local proposal 2
[VPN-Status] 2009/10/21 08:46:22,240
IKE info: Phase-1 [responder] got INITIAL-CONTACT from peer XXXXX-AVPN (xx.xx.xx.xx)
[VPN-Status] 2009/10/21 08:46:22,240
IKE info: Phase-1 [responder] for peer XXXXX-AVPN between initiator id xxxx1@xxxx, responder id xxxx1@xxxx done
IKE info: SA ISAKMP for peer XXXXX-AVPN encryption aes-cbc authentication sha1
IKE info: life time ( 28800 sec/ 0 kb)
[VPN-Status] 2009/10/21 08:46:22,250
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer XXXXX-AVPN set to 25920 seconds (Responder)
[VPN-Status] 2009/10/21 08:46:22,250
IKE info: Phase-1 SA Timeout (Hard-Event) for peer XXXXX-AVPN set to 28800 seconds (Responder)
[VPN-Status] 2009/10/21 08:46:24,080
IKE info: IKE-CFG: Received REQUEST message with id 0 from peer XXXXX-AVPN
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 0 value (none) received
IKE info: IKE-CFG: Attribute APPLICATION_VERSION len 42 value Cisco Systems VPN Client 5.0.03.0560:WinNT received
IKE info: IKE-CFG: Attribute <Unknown 20002> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28672> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28673> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28674> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28675> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28676> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28677> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28678> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28679> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28680> len 12 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28681> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 20003> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 20004> len 0 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 28682> len 10 is private -> ignore
IKE info: IKE-CFG: Attribute <Unknown 20005> len 10 is private -> ignore
[VPN-Status] 2009/10/21 08:46:24,120
IKE info: IKE-CFG: Creating REPLY message with id 0 for peer XXXXX-AVPN
IKE info: IKE-CFG: Attribute APPLICATION_VERSION len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NBNS len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_DNS len 4 value 10.163.215.1 added
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 4 value 10.163.215.71 added
IKE info: IKE-CFG: Sending message
[VPN-Status] 2009/10/21 08:46:24,600
IKE info: Phase-2 proposal failed: remote No 1, ipcomp algorithm DEFLATE <-> local No 1, ipcomp algorithm LZS
IKE info: Phase-2 remote proposal 1 failed for peer XXXXX-AVPN
IKE info: Phase-2 proposal failed: remote No 2, esp hmac HMAC_SHA <-> local No 1, esp hmac HMAC_MD5
IKE info: Phase-2 remote proposal 2 failed for peer XXXXX-AVPN
IKE info: Phase-2 proposal failed: remote No 3, esp algorithm 3DES <-> local No 1, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 3, esp algorithm keylen 0 <-> local No 1, esp algorithm keylen 128,128:256
IKE info: Phase-2 remote proposal 3 failed for peer XXXXX-AVPN
IKE info: Phase-2 proposal failed: remote No 4, esp algorithm 3DES <-> local No 1, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 4, esp algorithm keylen 0 <-> local No 1, esp algorithm keylen 128,128:256
IKE info: Phase-2 proposal failed: remote No 4, esp hmac HMAC_SHA <-> local No 1, esp hmac HMAC_MD5
IKE info: Phase-2 remote proposal 4 failed for peer XXXXX-AVPN
IKE info: Phase-2 remote proposal 5 for peer XXXXX-AVPN matched with local proposal 1
[VPN-Status] 2009/10/21 08:46:25,370
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer XXXXX-AVPN set to 25920 seconds (Responder)
[VPN-Status] 2009/10/21 08:46:25,380
IKE info: Phase-2 SA Timeout (Hard-Event) for peer XXXXX-AVPN set to 28800 seconds (Responder)
[VPN-Status] 2009/10/21 08:46:25,390
IKE info: Phase-2 [responder] done with 4 SAS for peer XXXXX-AVPN rule ipsec-0-XXXXX-AVPN-pr0-l1-r0
IKE info: rule:' ipsec 10.163.215.0/255.255.255.128 <-> 10.163.215.71/255.255.255.255 '
IKE info: SA ESP [0x1f2ac92d] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4898d0cc] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: SA IPCOMP [0x0003] alg LZS outgoing
IKE info: SA IPCOMP [0x2354] alg LZS incoming
IKE info: life soft( 25920 sec/0 kb) hard (28800 sec/0 kb)
IKE info: tunnel between src: xx.xx.xx.xx dst: xx.xx.xx.xx
[VPN-Status] 2009/10/21 08:46:25,410
VPN: wait for IKE negotiation from XXXXX-AVPN (xx.xx.xx.xx)
[VPN-Status] 2009/10/21 08:46:44,060
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer XXXXX-AVPN Seq-Nr 0x5d5488fe, expected 0x5d5488fe
[VPN-Status] 2009/10/21 08:46:44,060
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer XXXXX-AVPN, sequence nr 0x5d5488fe
[VPN-Status] 2009/10/21 08:47:04,270
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer XXXXX-AVPN Seq-Nr 0x5d5488ff, expected 0x5d5488ff
[VPN-Status] 2009/10/21 08:47:04,270
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer XXXXX-AVPN, sequence nr 0x5d5488ff
[VPN-Status] 2009/10/21 08:47:24,280
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer XXXXX-AVPN Seq-Nr 0x5d548900, expected 0x5d548900
[VPN-Status] 2009/10/21 08:47:24,290
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer XXXXX-AVPN, sequence nr 0x5d548900
Once the connection works again for the affected users, I can set up and tear down connections repeatedly without any problems. But only until the device has been restarted (warm start or cold start).
Regards, Clarice
PS: All Lancom devices run FW 7.70
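A small trace-triage script, added here as an example (it is not part of Clarice's post and not a LANCOM tool): it reads the [VPN-Status] lines quoted above and reports how far the IKE negotiation got. In the failing trace the negotiation stops right after "Phase-1 remote proposal 1 ... matched with local proposal 2" and the next two messages are dropped with INVALID_ID_INFORMATION, so no "Phase-1 ... done" line ever appears; in the working trace the same proposal match is followed by Phase-1 done for XXXXX-AVPN, Phase-2 done with 4 SAs, and DPD keepalives. The regular expressions are an assumption derived from the quoted lines, not a documented trace format, and the embedded traces are abridged copies of the two in the post.

```python
"""Summarise a LANCOM [VPN-Status] IKE trace: where did the negotiation stop?

Added example, not part of the forum post. The regular expressions below are
written against the trace lines quoted in the post and are an assumption about
the trace format, not a documented LANCOM interface.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Abridged copies of the two traces from the post (addresses masked there as xx.xx.xx.xx).
FAILING_TRACE = """\
[VPN-Status] 2009/10/21 09:05:26,490
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server xx.xx.xx.xx:500 peer def-aggr-peer id <no_id> supports NAT-T in mode rfc
[VPN-Status] 2009/10/21 09:05:26,530
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 1 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer def-aggr-peer matched with local proposal 2
[VPN-Status] 2009/10/21 09:05:26,540
IKE log: 090526.000000 Default dropped message from xx.xx.xx.xx port 500 due to notification type INVALID_ID_INFORMATION
[VPN-Status] 2009/10/21 09:05:26,540
IKE info: dropped message from peer unknown xx.xx.xx.xx port 500 due to notification type INVALID_ID_INFORMATION
"""

WORKING_TRACE = """\
[VPN-Status] 2009/10/21 08:46:21,320
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 1 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer def-aggr-peer matched with local proposal 2
[VPN-Status] 2009/10/21 08:46:22,240
IKE info: Phase-1 [responder] for peer XXXXX-AVPN between initiator id xxxx1@xxxx, responder id xxxx1@xxxx done
IKE info: SA ISAKMP for peer XXXXX-AVPN encryption aes-cbc authentication sha1
[VPN-Status] 2009/10/21 08:46:24,600
IKE info: Phase-2 remote proposal 5 for peer XXXXX-AVPN matched with local proposal 1
[VPN-Status] 2009/10/21 08:46:25,390
IKE info: Phase-2 [responder] done with 4 SAS for peer XXXXX-AVPN rule ipsec-0-XXXXX-AVPN-pr0-l1-r0
IKE info: SA ESP [0x1f2ac92d] alg AES keylength 128 +hmac HMAC_MD5 outgoing
[VPN-Status] 2009/10/21 08:46:44,060
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer XXXXX-AVPN Seq-Nr 0x5d5488fe, expected 0x5d5488fe
"""

# Patterns (assumed from the quoted lines): timestamp header, the events that mark progress.
TS_RE = re.compile(r"^\[VPN-Status\] (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),(\d{3})$")
P1_MATCH_RE = re.compile(r"Phase-1 remote proposal (\d+) for peer (\S+) matched with local proposal (\d+)")
P1_DONE_RE = re.compile(r"Phase-1 \[(?:initiator|responder)\] for peer (\S+) between initiator id (\S+), responder id (\S+) done")
P2_DONE_RE = re.compile(r"Phase-2 \[(?:initiator|responder)\] done with (\d+) SAS for peer (\S+)")
DROP_RE = re.compile(r"dropped message from .* due to notification type (\w+)")
DPD_RE = re.compile(r"NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer (\S+)")


@dataclass
class IkeSummary:
    phase1_proposal: Optional[Tuple[int, int]] = None   # (remote No, local No) that matched
    phase1_done_peer: Optional[str] = None              # named peer once identities were accepted
    phase2_done_sas: int = 0                            # SA count from the "Phase-2 ... done" line
    drops: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, notification type)
    dpd_count: int = 0                                  # DPD R_U_THERE notifies seen on the live tunnel

    def verdict(self) -> str:
        if self.phase2_done_sas:
            return "tunnel established"
        if self.phase1_done_peer:
            return "Phase-1 done, Phase-2 not completed"
        if self.phase1_proposal and self.drops:
            kinds = sorted({kind for _, kind in self.drops})
            return "aborted after Phase-1 proposal match; dropped: " + ", ".join(kinds)
        if self.phase1_proposal:
            return "Phase-1 proposal matched, no further progress"
        return "no Phase-1 proposal match"


def summarize(trace: str) -> IkeSummary:
    """Walk the trace once, remembering the most recent [VPN-Status] timestamp for each event."""
    s = IkeSummary()
    ts = "?"
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TS_RE.match(line)):
            ts = f"{m.group(1)}.{m.group(2)}"
        elif (m := P1_MATCH_RE.search(line)):
            s.phase1_proposal = (int(m.group(1)), int(m.group(3)))
        elif (m := P1_DONE_RE.search(line)):
            s.phase1_done_peer = m.group(1)
        elif (m := P2_DONE_RE.search(line)):
            s.phase2_done_sas = int(m.group(1))
        elif (m := DROP_RE.search(line)):
            s.drops.append((ts, m.group(1)))
        elif DPD_RE.search(line):
            s.dpd_count += 1
    return s


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(f"{name}: {summarize(trace).verdict()}")
```

Running the script prints one verdict per trace; pasting a fresh trace into `summarize()` before and after a config re-import or reboot makes it easy to see whether the run reached "Phase-1 ... done" or stalled at the identity stage with INVALID_ID_INFORMATION, as in the failing trace above.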
Dial-in problems with Advanced VPN Client