IPsec Watchguard <-> Lancom 1793VA does not work

dorjjj
Posts: 31
Joined: 25 Oct 2022, 08:24

IPsec Watchguard <-> Lancom 1793VA does not work

Post by dorjjj »

Hi,

I'm having trouble establishing a tunnel between these two devices. Unfortunately the debug trace only shows a general IKE error, or rather TS_UNACCEPTABLE. The "IKE_SA not found" at the beginning also confuses me a great deal...

Code:

[VPN-Debug] 2024/10/22 23:47:10,394 [Tunnel-Groups] Peer SGI without group requested gateway and suggested 2.2.2.50, ignored

[VPN-Debug] 2024/10/22 23:47:10,397
Establishing connection(s): IPSEC-0-SGI-PR0-L0-R0
IKE_SA not found
(IKEv2-Exchange 'SGI', 'ISAKMP-PEER-SGI' 0x87E2F5A99BB4ED19000000000000000000000000, P1, INITIATOR, comchannel 42): Setting Negotiation SA
  Referencing (IKE_SA, 0x87E2F5A99BB4ED19000000000000000000000000, initiator): use_count 3
IKE_SA_INIT (34) exchange created:
  SGI, ISAKMP-PEER-SGI, ComChan 42
  SPI 0x87E2F5A99BB4ED190000000000000000, MSG-ID 0x00000000, flags 0x00000001
Peer SGI: Constructing an IKE_SA_INIT-REQUEST for send
Starting an IKEv2 negotiation
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x2CFEBE469F8FA3D895BD8060A4465A615BAA54F737D66DBDA10425067D60364C
  +SA-DATA-Ni=0x2CFEBE469F8FA3D895BD8060A4465A615BAA54F737D66DBDA10425067D60364C
Constructing payload NOTIFY(REDIRECT_SUPPORTED) (41):
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
  +Computing SHA1(0x87E2F5A99BB4ED190000000000000000|1.1.1.134:500)
  +Computing SHA1(0x87E2F5A99BB4ED190000000000000000B213D18601F4)
  +0x23A0CB7DA54888467CC6CF4C91A27B9EBFB3FB11
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
  +Computing SHA1(0x87E2F5A99BB4ED190000000000000000|2.2.2.50:500)
  +Computing SHA1(0x87E2F5A99BB4ED1900000000000000003EDA223201F4)
  +0xDD94864E35509250B85A5C9AA03D3DA71D6C1C36
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
  Notifying my DEVICE-ID: 0x24EE79523A4784AFC299DA136BAFB3ACA8B3A787C52C4107B8C3E1C5B9F81388
Constructing payload NOTIFY(SHORTCUT_TUNNEL) (41):
Sending an IKE_SA_INIT-REQUEST of 524 bytes (initiator)
Gateways: 1.1.1.134:500-->2.2.2.50:500, tag 0 (UDP)
SPIs: 0x87E2F5A99BB4ED190000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(REDIRECT_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), VENDOR(FRAGMENTATION), VENDOR(activate lancom-systems notification private range), NOTIFY(DEVICE-ID)

[VPN-Debug] 2024/10/22 23:47:10,594
Peer <UNKNOWN> [initiator]: Received an IKE_SA_INIT-RESPONSE of 488 bytes
Gateways: 1.1.1.134:500<--2.2.2.50:500
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR
Establishing connection(s): IPSEC-0-SGI-PR0-L0-R0
IKE_SA not found
Exchange already exists. Pending requests IPSEC-0-SGI-PR0-L0-R0
IKE-TRANSPORT freed
QUB-DATA: 1.1.1.134:500<---2.2.2.50:500 rtg_tag 0 physical-channel WAN(13) vpn-channel 42
transport: [id: 27725364, UDP (17) {outgoing}, dst: 2.2.2.50, tag 0 (U), src: 1.1.1.134, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: INTERNET (9), next hop: 1.1.1.133], local port: 500, remote port: 500
+IKE_SA found and assigned
+IKE_SA-SPIs upgraded
+Exchange-SPIs upgraded
Looking for payload VENDOR (43)...Found 1 payload.
  +BFC22E9856BA993611C11E48A6D20807A95BEDB393026A49E60FAC327BB9601B566B34394D5449754D5441754E434243546A30334D4449794D54633D
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
  +Computing SHA1(0x87E2F5A99BB4ED19622C9289636F5CD9|2.2.2.50:500)
  +Computing SHA1(0x87E2F5A99BB4ED19622C9289636F5CD93EDA223201F4)
  +Computed: 0x8FF4795D84653A8F4E587612955D5B4C1A96D116
  +Received: 0x8FF4795D84653A8F4E587612955D5B4C1A96D116
  +Equal => NAT-T is disabled
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
  +Computing SHA1(0x87E2F5A99BB4ED19622C9289636F5CD9|1.1.1.134:500)
  +Computing SHA1(0x87E2F5A99BB4ED19622C9289636F5CD9B213D18601F4)
  +Computed: 0x98A2CF1C604408FF491F923184ADD7DBB886867A
  +Received: 0x98A2CF1C604408FF491F923184ADD7DBB886867A
  +Equal => NAT-T is disabled
Looking for payload IKE_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-256
  +Received ENCR  transform(s): AES-GCM-16-256
  +Best intersection: AES-GCM-16-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-256
  +Received PRF   transform(s): PRF-HMAC-SHA-256
  +Best intersection: PRF-HMAC-SHA-256
  +Config   DH    transform(s): 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload NONCE (40)...Found 1 payload.
  +Nonce length=32 bytes
  +Nonce=0xA5AFBAA529CEA65847B01EA900C29285A5C6206E41E483CC30E500AEA79FFB68
  +SA-DATA-Nr=0xA5AFBAA529CEA65847B01EA900C29285A5C6206E41E483CC30E500AEA79FFB68
+Shared secret derived in 79499 micro seconds
IKE_SA(0x87E2F5A99BB4ED19622C9289636F5CD9).SEND-MSG-ID raised to 1

[VPN-Debug] 2024/10/22 23:47:10,596
Peer SGI: Received a request to establish an exchange for IPSEC-0-SGI-PR0-L0-R0
(IKEv2-Exchange 'SGI', 'IPSEC-0-SGI-PR0-L0-R0' 0x87E2F5A99BB4ED19622C9289636F5CD900000001, P2, INITIATOR, comchannel 42): Setting Negotiation SA
  Referencing (CHILD_SA, 0x87E2F5A99BB4ED19622C9289636F5CD900000001, initiator): use_count 3
Constructing payload NOTIFY(MANAGEMENT_IP4_ADDRESS) (41):
Constructing payload NOTIFY(MANAGEMENT_IP6_ADDRESS) (41):
Constructing payload NOTIFY(INITIAL_CONTACT) (41):
Message encrypted and authenticated successfully
Sending an IKE_AUTH-REQUEST of 201 bytes (initiator encrypted)
Gateways: 1.1.1.134:500-->2.2.2.50:500, tag 0 (UDP)
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 1
Payloads: ENCR

[VPN-Debug] 2024/10/22 23:47:10,596
(IKEv2-Exchange 'SGI', 'ISAKMP-PEER-SGI' 0x87E2F5A99BB4ED19622C9289636F5CD900000000, P1, INITIATOR, comchannel 42): Resetting Negotiation SA
  (IKE_SA, 'SGI', 'ISAKMP-PEER-SGI', 0x87E2F5A99BB4ED19622C9289636F5CD900000000, initiator): use_count --6

[VPN-Debug] 2024/10/22 23:47:10,638
Peer SGI [initiator]: Received an IKE_AUTH-RESPONSE of 120 bytes (encrypted)
Gateways: 1.1.1.134:500<--2.2.2.50:500
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 1
Payloads: ENCR
QUB-DATA: 1.1.1.134:500<---2.2.2.50:500 rtg_tag 0 physical-channel WAN(13) vpn-channel 42
transport: [id: 27725364, UDP (17) {outgoing}, dst: 2.2.2.50, tag 0 (U), src: 1.1.1.134, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: INTERNET (9), next hop: 1.1.1.133], local port: 500, remote port: 500
+IKE_SA found and assigned
Message verified and decrypted successfully
Payloads: ENCR, IDR, AUTH(PSK), NOTIFY(TS_UNACCEPTABLE)
Looking for payload IDR (36)...Found 1 payload.
  +Received-ID  2.2.2.50:IPV4_ADDR matches the Expected-ID 2.2.2.50:IPV4_ADDR
IKE_SA(0x87E2F5A99BB4ED19622C9289636F5CD9).SEND-MSG-ID raised to 2
Peer SGI: Trigger next pended request to establish an exchange
  Current request is IPSEC-0-SGI-PR0-L0-R0
  IKE_SA is not REPLACED
There are 0 pending requests
LCVPEI: IKE-I-General-failure

[VPN-Debug] 2024/10/22 23:47:40,380
SGI: Rescheduling DPD-Timer in 30s 0us (dpd should start)
Peer SGI: Received a request to establish an exchange for (ISAKMP-PEER-SGI, SEND-DPD)
INFORMATIONAL (37) exchange created:
  SGI, ISAKMP-PEER-SGI, ComChan 42
  SPI 0x87E2F5A99BB4ED19622C9289636F5CD9, MSG-ID 0x00000002, flags 0x00000001
Peer SGI: Constructing an INFORMATIONAL-REQUEST (DPD-REQUEST) for send
Message encrypted and authenticated successfully
Sending an INFORMATIONAL-REQUEST (DPD-REQUEST) of 57 bytes (initiator encrypted)
Gateways: 1.1.1.134:500-->2.2.2.50:500, tag 0 (UDP)
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 2
Payloads: ENCR

[VPN-Debug] 2024/10/22 23:47:40,395 [Tunnel-Groups] Peer SGI without group failed to connect (timeout), ignored

[VPN-Debug] 2024/10/22 23:47:40,395
Peer SGI: Received a request to establish an exchange for (ISAKMP-PEER-SGI, DELETE-SA). Current request is ISAKMP-PEER-SGI
Pending DELETE-SA-IKE Request(00:DELETE-SA-IKE,0x87E2F5A99BB4ED19622C9289636F5CD9) (inserted)
Pending requests: "00:DELETE-SA-IKE,0x87E2F5A99BB4ED19622C9289636F5CD9"

[VPN-Debug] 2024/10/22 23:47:40,396 [Tunnel-Groups] Peer SGI without group has disconnected, ignored

[VPN-Debug] 2024/10/22 23:47:40,414
Peer  SGI [initiator]: Received an INFORMATIONAL-RESPONSE of 72 bytes (encrypted)
Gateways: 1.1.1.134:500<--2.2.2.50:500
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 2
Payloads: ENCR
QUB-DATA: 1.1.1.134:500<---2.2.2.50:500 rtg_tag 0 physical-channel WAN(13) vpn-channel 42
transport: [id: 27725364, UDP (17) {outgoing}, dst: 2.2.2.50, tag 0 (U), src: 1.1.1.134, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: INTERNET (9), next hop: 1.1.1.133], local port: 500, remote port: 500
+IKE_SA found and assigned
Message verified and decrypted successfully
Payloads: ENCR

[VPN-Debug] 2024/10/22 23:47:40,415
IKE_SA(0x87E2F5A99BB4ED19622C9289636F5CD9).SEND-MSG-ID raised to 3
Peer  SGI: Trigger next pended request to establish an exchange
  Current request is ISAKMP-PEER-SGI
  IKE_SA is not REPLACED
There are 1 pending requests
Pending requests: "00:DELETE-SA-IKE,0x87E2F5A99BB4ED19622C9289636F5CD9"
Peer SGI: Received a request to establish an exchange for (ISAKMP-PEER-SGI, 00:DELETE-SA-IKE,0x87E2F5A99BB4ED19622C9289636F5CD9)
Message encrypted and authenticated successfully
Sending an INFORMATIONAL-REQUEST of 65 bytes (initiator encrypted)
Gateways: 1.1.1.134:500-->2.2.2.50:500, tag 0 (UDP)
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 3
Payloads: ENCR

[VPN-Debug] 2024/10/22 23:47:40,450
Peer SGI [initiator]: Received an INFORMATIONAL-RESPONSE of 72 bytes (encrypted)
Gateways: 1.1.1.134:500<--2.2.2.50:500
SPIs: 0x87E2F5A99BB4ED19622C9289636F5CD9, Message-ID 3
Payloads: ENCR
QUB-DATA: 1.1.1.134:500<---2.2.2.50:500 rtg_tag 0 physical-channel WAN(13) vpn-channel 42
transport: [id: 27725364, UDP (17) {outgoing}, dst: 2.2.2.50, tag 0 (U), src: 1.1.1.134, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: INTERNET (9), next hop: 1.1.1.133], local port: 500, remote port: 500
+IKE_SA found and assigned
Message verified and decrypted successfully
Payloads: ENCR

[VPN-Debug] 2024/10/22 23:47:40,450
IKE_SA(0x87E2F5A99BB4ED19622C9289636F5CD9).SEND-MSG-ID raised to 4
Peer SGI: Trigger next pended request to establish an exchange
  Current request is ISAKMP-PEER-SGI
  IKE_SA is not REPLACED
There are 0 pending requests
No IKE_SA in SADB -> Pending requests removed
DISCONNECT-RESPONSE sent for handle 42
IKE-TRANSPORT freed

[VPN-Debug] 2024/10/22 23:47:40,451 [Tunnel-Groups] Peer SGI without group has disconnected, ignored

IP addresses have been changed; here are the original configuration requirements:

VPN gateway
Hardware:
Watchguard 2.2.2.50
LANCOM 1793VA 1.1.1.134

VPN Interesting Traffic
10.11.53.238/32 192.168.71.12/30
10.11.54.204/32
10.12.201.16/32

Encryption Phase 1 (IKE)
Key Management: IKEv2
Diffie-Hellman Group: 14
Encrypt Algorithm: AES256
Data Integrity: SHA256
Authentication Method:
Life Time: 86400 seconds / 24 hours

Encryption Phase 2 (IPSec)
Encapsulation: ESP
Encryption Algorithm used: AES256
Data Integrity: SHA256
Perfect Forward Secrecy: Yes
Diffie-Hellman Group: 14
Life Time: 3600 seconds / 1 hour

Attached are the relevant settings from the Lancom; I have no access to the Watchguard.

I hope someone here can help shed some light on this; my Watchguard colleague and I have been despairing over it for a few days now.
Last edited by dorjjj on 23 Oct 2024, 00:26, edited 2 times in total.
dorjjj
Posts: 31
Joined: 25 Oct 2022, 08:24

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by dorjjj »

A few more screenshots:
dorjjj
Posts: 31
Joined: 25 Oct 2022, 08:24

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by dorjjj »

And the last one:
Dr.Einstein
Posts: 3223
Joined: 12 Jan 2010, 14:10

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by Dr.Einstein »

Try switching the VPN rule generation from Automatic to Manual and keep the currently selected entry.
dorjjj
Posts: 31
Joined: 25 Oct 2022, 08:24

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by dorjjj »

Unfortunately that didn't help; the debug trace still looks the same. I also tested "Generic-RAS-ACCESS-FOR-WIZ" afterwards, no change either.
Dr.Einstein
Posts: 3223
Joined: 12 Jan 2010, 14:10

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by Dr.Einstein »

TS_UNACCEPTABLE generally appears whenever the network relationship between the devices doesn't match. Could it be that the Watchguard doesn't open 0.0.0.0 / 0.0.0.0 but individual SAs for your networks/routes? In that case it has to be set up 1:1 the same way on the Lancom. Instead of the RAS-ACCESS-FOR-WIZ list you then build your own list. But first you should check on the Watchguard side what it doesn't like. I believe you should be able to see something about that in the VPN-IKE trace.
dorjjj
Posts: 31
Joined: 25 Oct 2022, 08:24

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by dorjjj »

I've asked my colleague to send me the Watchguard logs. In case I have to build my own list, is there a tutorial for that? So far I've only built tunnels with automatic rule generation.
Dr.Einstein
Posts: 3223
Joined: 12 Jan 2010, 14:10

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by Dr.Einstein »

Go to VPN / General / Network rules, IPv4 rules, with one entry for each relationship:

I haven't fully understood your VPN Interesting Traffic, but it could look like this, for example:

10.12.201.16/32 <> 10.11.54.204/32
10.12.201.16/32 <> 192.168.71.12/30
10.12.201.16/32 <> 10.11.53.238/32

So basically local network/local IP <> remote network

Then you group these individual rules into an IPv4 rule list and assign that list to the IKEv2 peer.
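As an added illustration of the two replies above (why TS_UNACCEPTABLE shows up when the network relationships don't match, and why one rule per local <> remote pair fixes it), here is a small Python model of responder-side traffic-selector selection. It is not code from this thread, from LANCOM or from WatchGuard. The rule list is the one suggested in the post above; the mirrored responder policy and the "strict" (no-narrowing) mode are assumptions made for the demonstration, and only single-network selectors without protocol or port restrictions are modelled.

```python
import ipaddress
from itertools import product

# Constructed from the rule list suggested in the post above (local <> remote,
# as seen from the LANCOM). The "<>" line format mirrors that post; it is not
# a LANCOM export format.
LANCOM_RULE_LIST = """
10.12.201.16/32 <> 10.11.54.204/32
10.12.201.16/32 <> 192.168.71.12/30
10.12.201.16/32 <> 10.11.53.238/32
"""

# What an "any <> any" wizard rule proposes.
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Parse 'local <> remote' lines into (local_net, remote_net) pairs."""
    rules = []
    for line in text.strip().splitlines():
        local, remote = (part.strip() for part in line.split("<>"))
        rules.append((ipaddress.ip_network(local), ipaddress.ip_network(remote)))
    return rules


def intersect(a, b):
    """Overlap of two networks, or None when they are disjoint.
    Two CIDR blocks either nest or are disjoint, so the overlap is the smaller one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(tsi, tsr, responder_policy, allow_narrowing=True):
    """Responder-side traffic-selector choice for one CHILD_SA (RFC 7296 section 2.9,
    simplified to single-network selectors with any protocol/port).

    tsi, tsr         : networks the initiator proposes for its own side (TSi) and for
                       the responder's side (TSr)
    responder_policy : (local, remote) pairs configured on the responder; its 'local'
                       is matched against TSr and its 'remote' against TSi
    allow_narrowing  : True  -> responder may pick a subset of the proposal (RFC default)
                       False -> proposal must equal a configured pair (assumed strict mode)
    Returns (chosen_tsi, chosen_tsr) or the string 'TS_UNACCEPTABLE'.
    """
    for resp_local, resp_remote in responder_policy:
        for i_net, r_net in product(tsi, tsr):
            if allow_narrowing:
                chosen_i = intersect(i_net, resp_remote)
                chosen_r = intersect(r_net, resp_local)
                if chosen_i is not None and chosen_r is not None:
                    return (chosen_i, chosen_r)
            elif i_net == resp_remote and r_net == resp_local:
                return (i_net, r_net)
    return "TS_UNACCEPTABLE"


def run_scenarios():
    """Wizard-style 'any <> any' proposal versus the per-network rule list, in both modes.
    The responder policy is assumed to be the mirror image of the LANCOM rules."""
    rules = parse_rules(LANCOM_RULE_LIST)
    responder = [(remote, local) for local, remote in rules]
    return {
        "any_any_narrowing": negotiate([ANY], [ANY], responder, allow_narrowing=True),
        "any_any_strict": negotiate([ANY], [ANY], responder, allow_narrowing=False),
        "per_network_strict": [
            negotiate([local], [remote], responder, allow_narrowing=False)
            for local, remote in rules
        ],
        # A remote network that appears in no configured pair fails in both modes.
        "unknown_net_narrowing": negotiate(
            [ipaddress.ip_network("10.12.201.16/32")],
            [ipaddress.ip_network("10.11.99.0/24")],
            responder, allow_narrowing=True,
        ),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} -> {result}")
```

Run it with python3 to see the four scenarios. The "any <> any" proposal that automatic rule generation tends to produce succeeds only when the responder is willing to narrow it; the per-network rules succeed even against a strict responder, which matches how this thread was resolved. The trace earlier in the thread also shows the LANCOM sending a vendor ID named "ikev2 config payload: Do not narrow my traffic selector", so stating the selectors explicitly on both sides sidesteps the question of whether narrowing would be honoured at all.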
dorjjj
Posts: 31
Joined: 25 Oct 2022, 08:24

Re: IPsec Watchguard <-> Lancom 1793VA does not work

Post by dorjjj »

Thank you very much, that was the solution. Everything is working now :)