I have a configuration here that is giving me a headache.
The VPN endpoints are:
- local: 1781VA with LCOS 9.24.0121 beta
- remote: 1781EW+ with LCOS 9.24.0121 beta
Both LANCOM devices use external ISP gateways (via Ethernet); one of them is an experimental device (TP-Link MR200: an LTE router).
Because the LTE gateway apparently has a broken IPsec passthrough function, I wanted to switch to IPSec-over-HTTPS, but that is stuck.
In detail:
1. Working VPN link
local: 1781VA with Fritzbox Cable as ISP gateway (Netcologne with public IPv4) - IPsec responder
remote: 1782EW+ with Fritzbox Cable as ISP gateway (Netcologne with public IPv4) - IPsec initiator
After that the IPsec tunnel is transparent and data flows normally.
Peer <UNKNOWN>: Received an IKE_SA_INIT-REQUEST of 476 bytes
Gateways: 10.1.253.130:500<--78.34.70.233:500
SPIs: 0x9D7EC50F96CB5FCB0000000000000000, Message-ID 0
Peer identified: DEFAULT
Received 3 notifications:
+REDIRECT_SUPPORTED
+STATUS_NAT_DETECTION_SOURCE_IP
+STATUS_NAT_DETECTION_DESTINATION_IP
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are behind a NAT => sending periodic keep alives every 20 seconds
+IKE_SA:
Proposal 1 Protocol IPSEC_IKE
ENCR : AES_CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: SHA-256
DH : 14
+Received KE-DH-Group 14 (2048 bits)
Peer DEFAULT: Constructing an IKE_SA_INIT-REPLY for send
IKE_SA:
Proposal 1 Protocol IPSEC_IKE:
ENCR : AES_CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: SHA-256
DH : 14
+KE-DH-Group 14 (2048 bits)
Sending an IKE_SA_INIT-RESPONSE of 477 bytes
Gateways: 10.1.253.130:500-->78.34.70.233:500
SPIs: 0x9D7EC50F96CB5FCBA182372AE554F83A, Message-ID 0
IKE_FRAGMENTATION successfully negotiated
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0x9D7EC50F96CB5FCB, responder cookie: 0xA182372AE554F83A
SA ISAKMP for peer DEFAULT encryption aes-cbc authentication SHA-256 prf SHA-256
life time soft 10/12/2016 12:53:35 (in 97200 sec) / 0 kb
life time hard 10/12/2016 15:53:35 (in 108000 sec) / 0 kb
Negotiated: IKE_FRAGMENTATION
[VPN-Status] 2016/10/11 09:53:36,004
Peer DEFAULT: Received an IKE_AUTH-REQUEST of 240 bytes (encrypted)
Gateways: 10.1.253.130:4500<--78.34.70.233:4500
SPIs: 0x9D7EC50F96CB5FCBA182372AE554F83A, Message-ID 1
+Received-ID 10.1.33.1:IPV4_ADDR matches the Expected-ID 10.1.33.1:IPV4_ADDR
+Peer identified: AS03R001
+Peer uses AUTH(PSK)
+Authentication successful
Received 1 notification:
+STATUS_INITIAL_CONTACT
TSi: ( 0, 0-65535, 10.1.33.0-10.1.33.31 )
TSr: ( 0, 0-65535, 10.0.0.0-10.0.0.255 )
+CHILD_SA:
Proposal 1 Protocol IPSEC_ESP SPI=0xAB694F28
ENCR : AES_CBC-256
INTEG: HMAC-SHA-256
ESN : NONE
[VPN-Status] 2016/10/11 09:53:36,010
Peer AS03R001: Constructing an IKE_AUTH-REPLY for send
+Local-ID 10.1.5.1:IPV4_ADDR
+I use AUTH(PSK)
[..]
Peer AS03R001: Received an CREATE_CHILD_SA-REQUEST of 480 bytes (encrypted)
Gateways: 10.1.253.130:4500<--78.34.70.233:4500
SPIs: 0x9D7EC50F96CB5FCBA182372AE554F83A, Message-ID 2
TSi: ( 0, 0-65535, 10.1.33.0-10.1.33.31 )
TSr: ( 0, 0-65535, 10.3.0.0-10.3.255.255 )
+CHILD_SA:
Proposal 1 Protocol IPSEC_ESP SPI=0xDE3E4D43
ENCR : AES_CBC-256
INTEG: HMAC-SHA-256
DH : 14
ESN : NONE
+Received KE-DH-Group 14 (2048 bits)
CHILD_SA [responder] done with 2 SAS for peer AS03R001 rule ipsec-1-AS03R001-pr0-l0-r0
10.1.253.130:4500<--78.34.70.233:4500, VLAN-ID 0, HW switch port 0, Routing tag 0, Com-channel 11
rule:' ipsec 10.3.0.0/16 <-> 10.1.33.0/27
SA ESP [0xDE3E4D43] alg AES_CBC keylength 256 +hmac HMAC-SHA-256 outgoing
SA ESP [0x3FF2C071] alg AES_CBC keylength 256 +hmac HMAC-SHA-256 incoming
life time soft 10/11/2016 17:05:36 (in 25920 sec) / 1800000 kb
life time hard 10/11/2016 17:53:36 (in 28800 sec) / 2000000 kb
tunnel between src: 10.1.253.130 dst: 78.34.70.233
[..]
2. Configuration via LTE
local: 1781VA with Fritzbox Cable as ISP gateway (Netcologne with public IPv4)
remote: 1782EW+ with TP-Link MR200 LTE router as ISP gateway (T-Mobile private IPv4)
- TP MR200: IPsec VPN passthrough is enabled
The connection requests from the initiator (remote) arrive locally.
Replies are sent by the responder:
[VPN-Debug] 2016/10/11 09:40:34,101
Peer <UNKNOWN>: Received an IKE_SA_INIT-REQUEST of 476 bytes
Gateways: 10.1.253.130:500<--80.187.101.75:500
SPIs: 0xBD8A582C65FF57480000000000000000, Message-ID 0
VLAN-ID 0, HW switch port 0, Routing tag 0, Com-channel 11
Payloads: SA, KE, NONCE, NOTIFY(REDIRECT_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR(FRAGMENTATION)
Looking for payload VENDOR (43)...Found 1 payload.
+FRAGMENTATION
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
+Computing SHA1(0xBD8A582C65FF57480000000000000000|80.187.101.75:500)
+Computing SHA1(0xBD8A582C65FF5748000000000000000050BB654B01F4)
+Computed: 0xF23061B200AE9805993182200E98EB3F22FAB98E
+Received: 0x02671AC757878D0C5C2C3FBBBEC624DD035491A9
+Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
+Computing SHA1(0xBD8A582C65FF57480000000000000000|10.1.253.130:500)
+Computing SHA1(0xBD8A582C65FF574800000000000000000A01FD8201F4)
+Computed: 0x93E2C4A91F6614AB836013AC49B7CDAE19EED492
+Received: 0x61724603B78341C7F4CBD9543621E96E42E5E019
+Not equal. NAT-T already enabled
IKE_SA:
+ENCR : comparing received AES_CBC (12) with config AES_CBC
+Valid ENCR AES_CBC with key length 256 found
+INTEG: comparing received SHA-256 (12) with config SHA-256
+Valid INTEG SHA-256 found
+Valid DH-Group 14 found
+Valid PRF found 5 (SHA-256)
Looking for payload IKE_SA (33)...Found 1 payload.
The replies do not arrive at the remote side.
[VPN-Status] 2016/10/11 09:40:34,101
Peer <UNKNOWN>: Received an IKE_SA_INIT-REQUEST of 476 bytes
Gateways: 10.1.253.130:500<--80.187.101.75:500
SPIs: 0xBD8A582C65FF57480000000000000000, Message-ID 0
Peer identified: DEFAULT
Received 3 notifications:
+REDIRECT_SUPPORTED
+STATUS_NAT_DETECTION_SOURCE_IP
+STATUS_NAT_DETECTION_DESTINATION_IP
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are behind a NAT => sending periodic keep alives every 20 seconds
+IKE_SA:
Proposal 1 Protocol IPSEC_IKE
ENCR : AES_CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: SHA-256
DH : 14
+Received KE-DH-Group 14 (2048 bits)
Suspicion: IPsec passthrough is faulty (supported by other statements in the TP-Link forum)
3. Planned remedy: use IPSec-over-HTTPS
- On both ISP gateway routers, the respective LANCOM VPN endpoint is entered as exposed host or as the target of a port forwarding for 443/tcp.
- On both LCOS devices the IKEv2 connection parameter TN-o-HTTPS was defined: IPSec-over-HTTPS yes, IPCOMP no, tunnel, and activated for the connection
[VPN-Status] 2016/10/11 19:46:07,155
Peer <UNKNOWN>: Received an IKE_SA_INIT-REQUEST of 476 bytes
Gateways: 10.1.253.130:443<--80.187.111.55:10801
SPIs: 0x179D0746DD5D8E810000000000000000, Message-ID 0
Peer identified: DEFAULT
Received 3 notifications:
+REDIRECT_SUPPORTED
+STATUS_NAT_DETECTION_SOURCE_IP
+STATUS_NAT_DETECTION_DESTINATION_IP
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are behind a NAT => sending periodic keep alives every 20 seconds
+IKE_SA:
Proposal 1 Protocol IPSEC_IKE
ENCR : AES_CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: SHA-256
DH : 14
+Received KE-DH-Group 14 (2048 bits)
[VPN-Status] 2016/10/11 19:46:07,207
Peer DEFAULT: Constructing an IKE_SA_INIT-REPLY for send
IKE_SA:
Proposal 1 Protocol IPSEC_IKE:
ENCR : AES_CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: SHA-256
DH : 14
+KE-DH-Group 14 (2048 bits)
Sending an IKE_SA_INIT-RESPONSE of 477 bytes
Gateways: 10.1.253.130:443-->80.187.111.55:10801
SPIs: 0x179D0746DD5D8E81C16A3409B30BC5D7, Message-ID 0
IKE_FRAGMENTATION successfully negotiated
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0x179D0746DD5D8E81, responder cookie: 0xC16A3409B30BC5D7
SA ISAKMP for peer DEFAULT encryption aes-cbc authentication SHA-256 prf SHA-256
life time soft 10/12/2016 22:46:07 (in 97200 sec) / 0 kb
life time hard 10/13/2016 01:46:07 (in 108000 sec) / 0 kb
TCP/SSL encapsulation enabled
Negotiated: IKE_FRAGMENTATION
Peer DEFAULT: Received an IKE_AUTH-REQUEST of 240 bytes (encrypted)
Gateways: 10.1.253.130:443<--80.187.111.55:10801
SPIs: 0x179D0746DD5D8E81C16A3409B30BC5D7, Message-ID 1
+Received-ID 10.1.33.1:IPV4_ADDR matches the Expected-ID 10.1.33.1:IPV4_ADDR
+Peer identified: AS03R001
+Peer uses AUTH(PSK)
+Authentication successful
Received 1 notification:
+STATUS_INITIAL_CONTACT
TSi: ( 0, 0-65535, 10.1.33.0-10.1.33.31 )
TSr: ( 0, 0-65535, 10.0.0.0-10.0.0.255 )
+CHILD_SA:
Proposal 1 Protocol IPSEC_ESP SPI=0x61100EC0
ENCR : AES_CBC-256
INTEG: HMAC-SHA-256
ESN : NONE
Peer AS03R001: Constructing an IKE_AUTH-REPLY for send
+Local-ID 10.1.5.1:IPV4_ADDR
+I use AUTH(PSK)
IKE_SA_INIT [responder] for peer AS03R001 initiator id 10.1.33.1, responder id 10.1.5.1
initiator cookie: 0x179D0746DD5D8E81, responder cookie: 0xC16A3409B30BC5D7
NAT-T enabled. We are behind a nat, the remote side is not behind a nat
SA ISAKMP for peer AS03R001 encryption aes-cbc authentication SHA-256 prf SHA-256
life time soft 10/12/2016 22:46:07 (in 97200 sec) / 0 kb
life time hard 10/13/2016 01:46:07 (in 108000 sec) / 0 kb
TCP/SSL encapsulation enabled
Negotiated: IKE_FRAGMENTATION
+TSi 0: ( 0, 0-65535, 10.1.33.0-10.1.33.31 )
+TSr 0: ( 0, 0-65535, 10.0.0.0-10.0.0.255 )
CHILD_SA:
Proposal 1 Protocol IPSEC_ESP:
New Responder's-SPI: 0xECB0368D
ENCR : AES_CBC-256
ESN : NONE
INTEG: SHA-256
Sending an IKE_AUTH-RESPONSE of 224 bytes (encrypted)
Gateways: 10.1.253.130:443-->80.187.111.55:10801
SPIs: 0x179D0746DD5D8E81C16A3409B30BC5D7, Message-ID 1
CHILD_SA [responder] done with 2 SAS for peer AS03R001 rule ipsec-1-AS03R001-pr0-l0-r0
10.1.253.130:443<--80.187.111.55:10801, VLAN-ID 0, HW switch port 0, Routing tag 0, Com-channel 11
rule:' ipsec 10.0.0.0/24 <-> 10.1.33.0/27
SA ESP [0x61100EC0] alg AES_CBC keylength 256 +hmac HMAC-SHA-256 outgoing
SA ESP [0xECB0368D] alg AES_CBC keylength 256 +hmac HMAC-SHA-256 incoming
life time soft 10/12/2016 02:58:07 (in 25920 sec) / 1800000 kb
life time hard 10/12/2016 03:46:07 (in 28800 sec) / 2000000 kb
tunnel between src: 10.1.253.130 dst: 80.187.111.55
[.. further CHILD-SAs]
It looks quite good, but the tunnel does not become transparent for data.
The responder (local) reports "ICMP Verbindungsfehler 0x0113"
[VPN-Status] 2016/10/11 19:54:44,591
IKE info: Delete Notification for Phase-2 SA spi [0x3ada01bb] could not be sent: no phase-1 sa exists to peer 80.187.111.55
The initiator (remote) reports "Zeitüberschreitung .. (Aktiver Verbindungsaufbau) 0x1106"
Even when switching back to the original configuration that works under IPsec (local: 1781VA with Fritzbox Cable as ISP gateway (Netcologne with public IPv4) - IPsec responder; remote: 1782EW+ with Fritzbox Cable as ISP gateway (Netcologne with public IPv4) - IPsec initiator), no IPSec-over-HTTPS connection is established.
ICMP connection error 0x0113 on both sides.
What is going wrong here? Did I do something wrong when switching to IPSec-over-HTTPS?
Regards,
Rougu
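The VPN-Debug trace in scenario 2 shows the responder recomputing the IKEv2 NAT-detection hashes (SHA-1 over initiator SPI, responder SPI, IP address and port, RFC 7296 section 2.23) and concluding from the mismatch that both peers sit behind NAT, which is why it switches to UDP 4500. The following Python is an added example, not part of Rougu's post and not LCOS code: it reproduces that check from the SPI, address, port and hash values printed in the trace, so a reader can confirm that the "Computed" values are the standard RFC calculation and see why each mismatch maps to "peer behind NAT" or "we are behind NAT". The function names and the constructed result dictionary are my own.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> str:
    """RFC 7296 s2.23: SHA1(SPIi || SPIr || IP || port).

    SPIs are 8 bytes each, the address is 4 (IPv4) or 16 (IPv6) bytes,
    the port is 2 bytes, all big-endian. In an IKE_SA_INIT request the
    responder SPI is still all zeros, exactly as the trace shows.
    """
    data = (
        spi_i.to_bytes(8, "big")
        + spi_r.to_bytes(8, "big")
        + ipaddress.ip_address(ip).packed
        + struct.pack("!H", port)
    )
    return hashlib.sha1(data).hexdigest().upper()


def check_notify(spi_i: int, spi_r: int, ip: str, port: int, received: str) -> dict:
    """Compare our own computation against the hash the peer sent.

    A mismatch means the address/port we see differs from the one the
    peer used when hashing, i.e. a NAT rewrote the packet on that path.
    """
    computed = nat_detection_hash(spi_i, spi_r, ip, port)
    return {
        "computed": computed,
        "received": received.upper(),
        "nat_on_path": computed != received.upper(),
    }


def classify_nat(source_mismatch: bool, destination_mismatch: bool) -> str:
    """Map the two notifications to the wording LCOS prints.

    NAT_DETECTION_SOURCE_IP mismatch      -> the peer's source was rewritten
    NAT_DETECTION_DESTINATION_IP mismatch -> our address was rewritten
    """
    if source_mismatch and destination_mismatch:
        return "initiator behind NAT, responder behind NAT"
    if source_mismatch:
        return "initiator behind NAT"
    if destination_mismatch:
        return "responder behind NAT"
    return "no NAT detected"


# Values copied from the scenario 2 VPN-Debug trace (IKE_SA_INIT request).
SPI_I = 0xBD8A582C65FF5748
SPI_R = 0x0000000000000000
PEER_IP, PEER_PORT = "80.187.101.75", 500       # source as seen by the responder
OUR_IP, OUR_PORT = "10.1.253.130", 500          # responder's own (private) address
RECEIVED_SOURCE_HASH = "02671AC757878D0C5C2C3FBBBEC624DD035491A9"
RECEIVED_DESTINATION_HASH = "61724603B78341C7F4CBD9543621E96E42E5E019"


def analyze_trace() -> dict:
    """Run both checks with the trace values and summarise the outcome."""
    src = check_notify(SPI_I, SPI_R, PEER_IP, PEER_PORT, RECEIVED_SOURCE_HASH)
    dst = check_notify(SPI_I, SPI_R, OUR_IP, OUR_PORT, RECEIVED_DESTINATION_HASH)
    return {
        "source": src,
        "destination": dst,
        "verdict": classify_nat(src["nat_on_path"], dst["nat_on_path"]),
        # Both mismatches imply NAT-T, so IKE and ESP move to UDP 4500.
        "nat_t_port": 4500 if (src["nat_on_path"] or dst["nat_on_path"]) else 500,
    }


if __name__ == "__main__":
    result = analyze_trace()
    for side in ("source", "destination"):
        print(f"{side:12s} computed={result[side]['computed']} "
              f"received={result[side]['received']} nat={result[side]['nat_on_path']}")
    print("verdict:", result["verdict"], "-> port", result["nat_t_port"])
```

The computed values should match the "Computed:" lines of the trace; the verdict reproduces "Peer (initiator) is behind a NAT" plus "We (responder) are behind a NAT". Since the responder is itself behind NAT (the 10.1.253.130 address is private), the ISP gateway in front of it must pass UDP 4500 back to the LANCOM for the NAT-T path to work, and the same reasoning applies to TCP 443 once IPSec-over-HTTPS is used instead.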