IPSEC VPN Watchguard --> Lancom does not work

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

epidemiq
Posts: 1
Registered: 06 Oct 2006, 14:55

IPSEC VPN Watchguard --> Lancom does not work

Post by epidemiq »

I have a problem connecting my Watchguard firewall to the LANCOM DSL/I-1611 Office via an IPSEC tunnel.
FW: 6.22.0006 (14.09.2006)
Software options: VPN (25 connections)

My problem:
If the Lancom initiates the connection to the Watchguard, the tunnel comes up. Once the tunnel is up, traffic is passed in both directions.

If, however, the Watchguard firewall initiates the tunnel to the Lancom, the setup fails. I captured both attempts with a trace and have posted them here. Public IPs are overwritten with xxx.xxx.

At the very bottom is also the Watchguard log of the failed attempt, in case that helps somehow.

Hopefully someone has a good tip for me. I have already changed various
encryption/authentication types - nothing helped. Neither Main Mode nor Aggressive Mode works.


**********************************************************
Attached is the trace Watchguard --> Lancom (tunnel does not work)


[VPN-Status] 2006/10/06 13:29:31,180
IKE info: The remote server 62.218.xxx.xxx:500 peer DORNER id <no_id> supports NAT-T in mode draft


[VPN-Status] 2006/10/06 13:29:31,180
IKE info: Phase-1 remote proposal 1 for peer DORNER matched with local proposal 1


[VPN-Status] 2006/10/06 13:29:31,940
IKE info: Phase-1 [responder] for peer DORNER between initiator id vpn.at, responder id vpn.at done
IKE info: SA ISAKMP for peer DORNER encryption 3des-cbc authentication sha1
IKE info: life time ( 28800 sec/ 0 kb)


[VPN-Status] 2006/10/06 13:29:31,950
IKE log: 132931 Default message_validate_hash: invalid hash value for NOTIFY payload
IKE log: 132931 Default dropped message from 62.218.xxx.xxx port 500 due to notification type INVALID_HASH_INFORMATION
IKE info: dropped message from peer DORNER 62.218.xxx.xxx port 500 due to notification type INVALID_HASH_INFORMATION


[VPN-Status] 2006/10/06 13:29:31,960
IKE info: Phase-2 remote proposal 1 for peer DORNER matched with local proposal 1

***********************************************************

Attached is the trace - Lancom -> Watchguard (tunnel works)


[VPN-Status] 2006/10/06 13:37:30,970
VPN: connecting to DORNER (62.218.xxx.xxx)

[VPN-Status] 2006/10/06 13:37:30,970
VPN: installing ruleset for DORNER (62.218.xxx.xxx)

[VPN-Status] 2006/10/06 13:37:31,040
VPN: ruleset installed for DORNER (62.218.xxx.xxx)

[VPN-Status] 2006/10/06 13:37:31,040
VPN: start IKE negotiation for DORNER (62.218.xxx.xxx)

[VPN-Status] 2006/10/06 13:37:31,120
IKE info: Phase-1 negotiation started for peer DORNER rule isakmp-peer-DORNER using AGGRESSIVE mode


[VPN-Status] 2006/10/06 13:37:31,430
IKE info: Phase-1 remote proposal 1 for peer DORNER matched with local proposal 1


[VPN-Status] 2006/10/06 13:37:31,750
IKE info: Phase-1 [inititiator] for peer DORNER between initiator id vpn.at, responder id vpn.at done
IKE info: SA ISAKMP for peer DORNER encryption 3des-cbc authentication sha1
IKE info: life time ( 28800 sec/ 0 kb)


[VPN-Status] 2006/10/06 13:37:32,190
IKE info: Phase-2 [inititiator] done with 2 SAS for peer DORNER rule ipsec-6-DORNER-pr0-l0-r0
IKE info: rule:' ipsec 192.168.250.0/255.255.255.0 <-> 172.22.0.0/255.255.0.0 '
IKE info: SA ESP [0x3a3c30d7] alg AES keylength 128 +hmac HMAC_SHA outgoing
IKE info: SA ESP [0x0ed1cfd4] alg AES keylength 128 +hmac HMAC_SHA incoming
IKE info: life soft( 3240 sec/0 kb) hard (3600 sec/0 kb)
IKE info: tunnel between src: 80.154.xxx.xxx dst: 62.218.xxx.xxx


[VPN-Status] 2006/10/06 13:37:33,190
VPN: DORNER (62.218.xxx.xxx) connected


**********************************************************

Attached is also the log on the Watchguard of the tunnel setup Watchguard-Lancom, which does not work:

10-06 15:07:00 iked Starting phase 1 negotiation using [chiemgaubeton] to 80.154.xxx.xxx:500 aggressive mode
10-06 15:07:00 iked Starting phase 1 negotiation using [chiemgaubeton] to 80.154.xxx.xxx:500 aggressive mode
10-06 15:07:01 Found IKE Policy [chiemgaubeton] for peer IP 0x509a027a numXform 1 new_msg=" Found IKE Policy [chiemgaubeton] for peer IP 0x509a027a numXform 1"
10-06 15:07:01 IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0 new_msg=" IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0"
10-06 15:07:01 Search IKE Policy ById: find matched policy with id 3 new_msg=" Search IKE Policy ById: find matched policy with id 3"
10-06 15:07:01 iked Received second message with policy [chiemgaubeton] from 80.154.xxx.xxx:500 aggressive mode
10-06 15:07:01 iked Received second message with policy [chiemgaubeton] from 80.154.xxx.xxx:500 aggressive mode
10-06 15:07:01 Process ISAKMP proposal: got the match proposal new_msg=" Process ISAKMP proposal: got the match proposal"
10-06 15:07:01 peer ID type 2 length 6 data0 76 new_msg=" peer ID type 2 length 6 data0 76"
10-06 15:07:01 IkeProcessPayloads : VID_PAYLOAD (first 4)78a3efee new_msg=" IkeProcessPayloads : VID_PAYLOAD (first 4)78a3efee"
10-06 15:07:01 ike_match_proxy_id: ID Mask 4, Type 2, Len 6, Data0 76 new_msg=" ike_match_proxy_id: ID Mask 4, Type 2, Len 6, Data0 76 "
10-06 15:07:01 iked Searching ID: domain name - myData [vpn.at] peerId [vpn.at]
10-06 15:07:01 iked Searching ID: domain name - myData [vpn.at] peerId [vpn.at]
10-06 15:07:01 Search IKE Policy ById: find matched policy with id 3 new_msg=" Search IKE Policy ById: find matched policy with id 3"
10-06 15:07:01 AggrMode (INIT) Set Phase 1 SA Lifetime to 28797 sec (-3) new_msg=" AggrMode (INIT) Set Phase 1 SA Lifetime to 28797 sec (-3)"
10-06 15:07:01 iked Sending third message with policy [chiemgaubeton] to 80.154.xxx.xxx:500 aggressive mode
10-06 15:07:01 iked Sending third message with policy [chiemgaubeton] to 80.154.xxx.xxx:500 aggressive mode
10-06 15:07:01 AggrMode: r2 completed pcy [chiemgaubeton] pcy id 3 src 0x3eda226a dst 0x509a027a:500 (P1SA 4/71) new_msg=" AggrMode: r2 completed pcy [chiemgaubeton] pcy id 3 src 0x3eda226a dst 0x509a027a:500 (P1SA 4/71)"
10-06 15:07:01 iked Phase 1 completed as initiator
10-06 15:07:01 iked Phase 1 completed as initiator
10-06 15:07:01 iked AG hash_alg=2 encr_alg=5 auth_alg=1 dh_group=1 seconds=28797 kbytes=0
10-06 15:07:01 iked AG hash_alg=2 encr_alg=5 auth_alg=1 dh_group=1 seconds=28797 kbytes=0
10-06 15:07:01 (NATT)ike_mia_p1sa_create: id=1968 sPort=500, dPort=500 natTNeg=0 natD=0 new_msg=" (NATT)ike_mia_p1sa_create: id=1968 sPort=500, dPort=500 natTNeg=0 natD=0"
10-06 15:07:01 IkeNotifyPayloadHtoN : net order spi(0x2a 0xf2 0x2c 0x1c) new_msg=" IkeNotifyPayloadHtoN : net order spi(0x2a 0xf2 0x2c 0x1c) "
10-06 15:07:01 iked Sending INITIAL_CONTACT message to 80.154.xxx.xxx:500, mess_id=0x3a864d81
10-06 15:07:01 iked Sending INITIAL_CONTACT message to 80.154.xxx.xxx:500, mess_id=0x3a864d81
10-06 15:07:01 IkeProposalHtoN : net order spi(0x56 0x60 0xffffffc1 0x08) new_msg=" IkeProposalHtoN : net order spi(0x56 0x60 0xffffffc1 0x08) "
10-06 15:07:01 IkeFormIpSecAttribs : encryptAlgo 12 encryptKeyLen 128 new_msg=" IkeFormIpSecAttribs : encryptAlgo 12 encryptKeyLen 128 "
10-06 15:07:01 IkeOutIpsecXform: xformNum = 1, xformId = 12 numAttrib 5 new_msg=" IkeOutIpsecXform: xformNum = 1, xformId = 12 numAttrib 5 "
10-06 15:07:01 IpsecOutAttibute: found key length attrib len 128 new_msg=" IpsecOutAttibute: found key length attrib len 128"
10-06 15:07:01 iked Starting phase 2 to 80.154.xxx.xxx:500 quick mode message(id a8255666)
10-06 15:07:01 iked Starting phase 2 to 80.154.xxx.xxx:500 quick mode message(id a8255666)
10-06 15:07:01 IkeLifeTimeout : remove the p1sa struct 81ca2e0 (peer 0x509a027a) in DELETING state new_msg=" IkeLifeTimeout : remove the p1sa struct 81ca2e0 (peer 0x509a027a) in DELETING state"
10-06 15:07:01 IkeDeleteIsakmpSA: try to delete Isakmp SA 81ca2e0 new_msg=" IkeDeleteIsakmpSA: try to delete Isakmp SA 81ca2e0 "
10-06 15:07:01 IkeDeleteIsakmpSA: (DELETING) delete Isakmp SA 81ca2e0 peer 0x509a027a new_msg=" IkeDeleteIsakmpSA: (DELETING) delete Isakmp SA 81ca2e0 peer 0x509a027a"
10-06 15:07:01 Search IKE Policy ById: find matched policy with id 3 new_msg=" Search IKE Policy ById: find matched policy with id 3"
10-06 15:07:01 IkeDeleteIsakmpSA: pcyId 3 numP1SAActive 3 new_msg=" IkeDeleteIsakmpSA: pcyId 3 numP1SAActive 3"
10-06 15:07:01 IkeDeleteIsakmpSA: found it, remove IkeSA 81ca2e0 from IkePolicy new_msg=" IkeDeleteIsakmpSA: found it, remove IkeSA 81ca2e0 from IkePolicy"
10-06 15:07:01 IkeDeleteIsakmpSA: from pcy list, P1SANum created 71, active 3 new_msg=" IkeDeleteIsakmpSA: from pcy list, P1SANum created 71, active 3"
10-06 15:07:01 IkeDropIkeSAByAddr: delete IkeSA from peerTable idx 18 peer1 0x3eda226a peer2 0x509a027a new_msg=" IkeDropIkeSAByAddr: delete IkeSA from peerTable idx 18 peer1 0x3eda226a peer2 0x509a027a"
10-06 15:07:01 (Delete P1SA) rasUserCapacity 50 count 0 new_msg=" (Delete P1SA) rasUserCapacity 50 count 0 "
10-06 15:07:01 (Delete P1SA) maxPendingP2SARequest 128 current 0 new_msg=" (Delete P1SA) maxPendingP2SARequest 128 current 0 "
10-06 15:07:01 Deny 80.154.xxx.xxx 62.218.xxx.xxx icmp-Dest_Unreach code(3) 0-External Firebox icmp error with data src_ip=62.218.xxx.xxx dst_ip=80.154.xxx.xxx pr=ike/udp src_port=500 dst_port=500 src_intf='0-External' dst_intf='0-External' can not match any flow, drop this packet 56 53 (internal policy)
10-06 15:07:01 Found IKE Policy [chiemgaubeton] for peer IP 0x509a027a numXform 1 new_msg=" Found IKE Policy [chiemgaubeton] for peer IP 0x509a027a numXform 1"
10-06 15:07:01 IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0 new_msg=" IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0"
10-06 15:07:01 Search IKE Policy ById: find matched policy with id 3 new_msg=" Search IKE Policy ById: find matched policy with id 3"
10-06 15:07:01 IkeNotifyPayloadNtoH : SPI(0xbfffb4b8) new_msg=" IkeNotifyPayloadNtoH : SPI(0xbfffb4b8) "
10-06 15:07:01 Process Notify Payload : NOTIFY TYPE : 23 new_msg=" Process Notify Payload : NOTIFY TYPE : 23 "
10-06 15:07:01 Process ISAKMP Notify : from peer 0x509a027a protocol 1 SPI b8b4ffbf new_msg=" Process ISAKMP Notify : from peer 0x509a027a protocol 1 SPI b8b4ffbf"
10-06 15:07:01 iked Received inform notify : (Invalid Hash Information) from 80.154.xxx.xxx:500. Delete phase 1 SA.
10-06 15:07:01 iked Received inform notify : (Invalid Hash Information) from 80.154.xxx.xxx:500. Delete phase 1 SA.
10-06 15:07:01 IkeDeleteIsakmpSA: try to delete Isakmp SA 81b9de0 new_msg=" IkeDeleteIsakmpSA: try to delete Isakmp SA 81b9de0 "
10-06 15:07:01 IkeDeleteIsakmpSA: try to delete QMState SA 81aa060 new_msg=" IkeDeleteIsakmpSA: try to delete QMState SA 81aa060 "
10-06 15:07:01 IkeDeleteQMState: try to delete QMState 81aa060 (ID a8255666) with IsakmpSA 81b9de0 new_msg=" IkeDeleteQMState: try to delete QMState 81aa060 (ID a8255666) with IsakmpSA 81b9de0 "
10-06 15:07:01 SA Nego Fail: saHandle 0xc753f6e8 InitMode 1 new_msg=" SA Nego Fail: saHandle 0xc753f6e8 InitMode 1"
10-06 15:07:01 (Delete QMState) rasUserCapacity 50 count 0 new_msg=" (Delete QMState) rasUserCapacity 50 count 0 "
10-06 15:07:01 (Delete QMState) maxPendingP2SARequest 128 current 0 new_msg=" (Delete QMState) maxPendingP2SARequest 128 current 0 "
10-06 15:07:01 Totally 1 Pending P2 SA Requests Got Dropped. new_msg=" Totally 1 Pending P2 SA Requests Got Dropped."
10-06 15:07:01 IkeDeleteIsakmpSA: Stop Phase One Retry and Life Timer new_msg=" IkeDeleteIsakmpSA: Stop Phase One Retry and Life Timer"
10-06 15:07:01 IkeDeleteIsakmpSA: (DELETING) delay deletion for IsakmpSA 81b9de0 peer 0x509a027a new_msg=" IkeDeleteIsakmpSA: (DELETING) delay deletion for IsakmpSA 81b9de0 peer 0x509a027a "
10-06 15:07:01 IkeDeleteIsakmpSA: Start Phase One Delay Deletion Timer new_msg=" IkeDeleteIsakmpSA: Start Phase One Delay Deletion Timer"
10-06 15:07:01 Deny 172.22.0.6 192.168.250.150 icmp-Echo 1-Trusted 0-External SA deleted or negotiation failed, firewall drop (chiemgaubeton.tunnel.1-Any-00)
10-06 15:07:01 Found IKE Policy [chiemgaubeton] for peer IP 0x509a027a numXform 1 new_msg=" Found IKE Policy [chiemgaubeton] for peer IP 0x509a027a numXform 1"
10-06 15:07:01 IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0 new_msg=" IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0"
10-06 15:07:01 Search IKE Policy ById: find matched policy with id 3 new_msg=" Search IKE Policy ById: find matched policy with id 3"
10-06 15:07:01 Process IKE Packet : rx packet (from 0x509a027a) with SA in DELETING state new_msg=" Process IKE Packet : rx packet (from 0x509a027a) with SA in DELETING state"
10-06 15:07:01 Local SA Req: saHandle 0xc75c3de8, peerIp=0x509a027a, inSPI=0x7455555a new_msg=" Local SA Req: saHandle 0xc75c3de8, peerIp=0x509a027a, inSPI=0x7455555a "
10-06 15:07:01 IPSEC Policy: peerIp = 0x509a027a, pfs = 0, dhGrp =0, numProp 1 new_msg=" IPSEC Policy: peerIp = 0x509a027a, pfs = 0, dhGrp =0, numProp 1"
10-06 15:07:01 IPSEC Selector(Local): srcIp:port=0xac160000:0, dstIp:port=0xc0a8fa00:0, proto=0 new_msg=" IPSEC Selector(Local): srcIp:port=0xac160000:0, dstIp:port=0xc0a8fa00:0, proto=0"
10-06 15:07:01 IPSEC Selector(Local): srcMask(Range)=0xffff0000, dstMask(Range)=0xffffff00 new_msg=" IPSEC Selector(Local): srcMask(Range)=0xffff0000, dstMask(Range)=0xffffff00"
10-06 15:07:01 IPSEC Proposal(0): propNum 1 numXform 1 secProto 3 replay 0 spi 0x7455555a new_msg=" IPSEC Proposal(0): propNum 1 numXform 1 secProto 3 replay 0 spi 0x7455555a"
10-06 15:07:01 IPSEC Transform: xformNum 0 auth 2 encry 12 encap 1 encryLen 128 sec 3600 KB 0 new_msg=" IPSEC Transform: xformNum 0 auth 2 encry 12 encap 1 encryLen 128 sec 3600 KB 0"
10-06 15:07:01 Local SA Req: old SPIs in=0000000000 out=0000000000 new_msg=" Local SA Req: old SPIs in=0000000000 out=0000000000"
10-06 15:07:01 Search IKE Policy ById: find matched policy with id 3 new_msg=" Search IKE Policy ById: find matched policy with id 3"
10-06 15:07:01 IkeFindIsakmpSABySPD: (opCode 1) find in pcy [chiemgaubeton] with src=0x3eda226a dst=0x509a027a new_msg=" IkeFindIsakmpSABySPD: (opCode 1) find in pcy [chiemgaubeton] with src=0x3eda226a dst=0x509a027a"
10-06 15:07:01 CreateQMState: start Cleanup timer for msgId=0, dst=0x509a027a new_msg=" CreateQMState: start Cleanup timer for msgId=0, dst=0x509a027a"
10-06 15:07:01 AggrMode: Start (Ct=5687) pcy [chiemgaubeton] new_msg=" AggrMode: Start (Ct=5687) pcy [chiemgaubeton]"
10-06 15:07:01 IkeProposalHtoN : net order spi(0000 0000 0000 0000) new_msg=" IkeProposalHtoN : net order spi(0000 0000 0000 0000) "
10-06 15:07:01 AggrMode: >>1st PSK ID type 2 len 6 data0-3 76 70 6e 2e new_msg=" AggrMode: >>1st PSK ID type 2 len 6 data0-3 76 70 6e 2e"
10-06 15:07:01 AggrMode: add VPN KEEPALIVE VID (sz 12) new_msg=" AggrMode: add VPN KEEPALIVE VID (sz 12)"
10-06 15:07:01 (NATT)IkeStartAggrMode : added VID for NAT-T (sz 20), total=242 new_msg=" (NATT)IkeStartAggrMode : added VID for NAT-T (sz 20), total=242"



So, hopefully someone will take a look at this and is also smarter than I am ;-)

Where is the problem that the Watchguard cannot establish the tunnel to the Lancom?


Regards
Manfred Strasser
dmx-1
Posts: 1
Registered: 11 Nov 2006, 11:13

Watchguard to Lancom

Post by dmx-1 »

Hello,

I currently have the same problem. If you find a solution to the problem, I would be very grateful for a short note.

Best regards

DMX-1
ittk
Posts: 1244
Registered: 27 Apr 2006, 09:56

Post by ittk »

Hello everyone,

perhaps I will soon be able to join in on this topic; in any case a Watchguard box is on order and should arrive here shortly, so that I can try the whole thing out myself.

Has any of you already got a Watchguard running successfully with Sonicwalls?
12x 1621 Anx. B-21x 1711 VPN-3x 1722 Anx. B-7x 1723 VoIP-1x 1811 DSL, 1x 7011 VPN-1 x 7111 VPN-1x 8011 VPN-10er Pack Adv. VPN Client (2x V1.3-3x 2.0)-Hotspot Option-Adv. VoIP Client/P250 Handset-Adv.VoIP Option-4x VPN-Option-2x L-54 dual-2x L54ag-2x O-18a
itechc
Posts: 1
Registered: 08 Jan 2007, 09:32

Post by itechc »

Hello everyone,

has any of you got any closer to a solution?

I have the same problem with a Firebox III 1000 and a Lancom 1611+. However, I am using IPSec in Main Mode.

Regards
itechc
PWV
Posts: 2
Registered: 20 Apr 2007, 11:39

Post by PWV »

Hello community,

today I set up a Lancom 1711 VPN connection with a Watchguard.
I can give you the following tips:
LANCOM
- use the wizard to set up a connection, but then all settings have to be checked
- preferably create the IKE and IPSEC parameters for the connection afresh, do not use the ones from the wizard
- pay attention to the lifetimes, so that they are the same on both devices (Lancom, Watchguard), likewise the KB

WATCHGUARD
- The Watchguard cannot cope with the proposal lists of the Lancom / Cisco routers, i.e. if the first key exchange fails there is no connection, and the further proposals are not / cannot be tried.

-> I.e. there may only be one proposal (for IKE, IPSEC) and it must match the first time, then a connection should be established.

So that's what I can report for now.

Regards :wink:
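As an added example (not code from any poster in this thread or from either vendor), the following Python script parses constructed sample lines modelled on the two logs in the first post, decodes the numeric IKE attribute IDs printed by the Watchguard, checks the phase-1 parameters and lifetimes that PWV says must match on both devices, and flags the NOTIFY hash failure that follows phase 1 in the traces. The IANA attribute tables and all field names are assumptions of the example.

```python
import re
# IKEv1 attribute IDs (IANA registry) as printed by the WatchGuard iked log;
# the tables are assumptions for this example, not taken from the thread.
IKE_ENCR = {1: "des-cbc", 5: "3des-cbc", 7: "aes-cbc"}
IKE_HASH = {1: "md5", 2: "sha1"}
IKE_AUTH = {1: "psk", 3: "rsa-sig"}
# Constructed sample lines, modelled on the two traces posted in the thread.
LANCOM_TRACE = """\
IKE info: SA ISAKMP for peer DORNER encryption 3des-cbc authentication sha1
IKE info: life time ( 28800 sec/ 0 kb)
IKE log: 132931 Default message_validate_hash: invalid hash value for NOTIFY payload
IKE info: dropped message from peer DORNER 62.218.xxx.xxx port 500 due to notification type INVALID_HASH_INFORMATION
"""
WATCHGUARD_LOG = """\
10-06 15:07:01 IKE Policy details: 1th xform: grp=1 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0
10-06 15:07:01 iked Phase 1 completed as initiator
10-06 15:07:01 iked Sending INITIAL_CONTACT message to 80.154.xxx.xxx:500, mess_id=0x3a864d81
10-06 15:07:01 iked Received inform notify : (Invalid Hash Information) from 80.154.xxx.xxx:500. Delete phase 1 SA.
"""

def parse_lancom(trace):
    """Phase-1 SA parameters and the NOTIFY hash failure from a LANCOM VPN-Status trace."""
    p1 = {}
    m = re.search(r"SA ISAKMP .*? encryption (\S+) authentication (\S+)", trace)
    if m:
        p1["encr"], p1["hash"] = m.group(1), m.group(2)
    m = re.search(r"life time \(\s*(\d+) sec/\s*(\d+) kb\)", trace)
    if m:
        p1["life_sec"], p1["life_kb"] = int(m.group(1)), int(m.group(2))
    p1["notify_hash_failed"] = "invalid hash value for NOTIFY payload" in trace
    return p1

def parse_watchguard(log):
    """Phase-1 policy from a WatchGuard iked log, with numeric IDs decoded to names."""
    p1 = {}
    m = re.search(r"grp=(\d+) auth=(\d+) encrypt=(\d+) hash=(\d+) lifeTime=(\d+) lifeKB=(\d+)", log)
    if m:
        grp, auth, encr, hsh, sec, kb = (int(x) for x in m.groups())
        p1.update(dh_group=grp, auth=IKE_AUTH.get(auth, auth), encr=IKE_ENCR.get(encr, encr),
                  hash=IKE_HASH.get(hsh, hsh), life_sec=sec, life_kb=kb)
    p1["initial_contact_sent"] = "Sending INITIAL_CONTACT" in log
    return p1

def diagnose(lancom, watchguard):
    """List phase-1 mismatches (PWV's checklist) and the post-phase-1 NOTIFY failure."""
    findings = []
    for key in ("encr", "hash", "life_sec", "life_kb"):
        if lancom.get(key) != watchguard.get(key):
            findings.append(f"phase-1 {key} differs: lancom={lancom.get(key)} "
                            f"watchguard={watchguard.get(key)}")
    if lancom.get("notify_hash_failed") and watchguard.get("initial_contact_sent"):
        findings.append("phase-1 completed on both sides, but the INITIAL_CONTACT notify sent "
                        "right after it failed hash validation on the LANCOM; phase-1 SA deleted")
    return findings
```

Run `diagnose(parse_lancom(LANCOM_TRACE), parse_watchguard(WATCHGUARD_LOG))` on the sample: the phase-1 algorithms and lifetimes agree on both sides, so the only finding is the failed NOTIFY after phase 1, which matches the two traces in the first post.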