ZENTRALE is a 7011 router connected directly to the Internet via an ADSL2+ modem (IP resolution via dyndns).
A LAN-to-LAN coupling from a 1621 (FILIALE) is now to be set up to it. The coupling had already been running for several months, but now the 1621 is to be disconnected from the DSL modem, and a Speedtouch 516iV6 is to take over the DSL connection at the full DSL 16000 rate. So the Lancom now sits behind the Internet router; port 500 is forwarded to the Lancom. All the IP routing rules on the clients have been set accordingly.
The VPN connection works now, but it drops every 30 seconds.
On the branch side I captured a trace + vpn-status:
[VPN-Status] 2009/12/27 21:54:53,430
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x6e9c53ee]
[VPN-Status] 2009/12/27 21:54:53,430
IKE info: Phase-2 SA removed: peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [6e9c53ee ] [0f7cf8b1 ]
[VPN-Status] 2009/12/27 21:54:53,440
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x724d1d60]
[VPN-Status] 2009/12/27 21:54:53,440
IKE info: Phase-2 SA removed: peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [724d1d60 ] [7d806151 ]
[VPN-Status] 2009/12/27 21:54:53,450
IKE info: Delete Notification received for Phase-1 SA isakmp-peer-ZENTRALE peer ZENTRALE cookies [c12d048e3ff05b70 e3606aed2cf21ea6]
[VPN-Status] 2009/12/27 21:54:53,450
IKE info: Phase-1 SA removed: peer ZENTRALE rule ZENTRALE removed
[VPN-Status] 2009/12/27 21:54:53,450
VPN: ZENTRALE (77.111.22.111) disconnected
[VPN-Status] 2009/12/27 21:54:53,450
VPN: Disconnect info: remote-disconnected (0x4301) for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:54:53,530
VPN: selecting first remote gateway using strategy eFirst for ZENTRALE
=> CurrIdx=0, IpStr=>ZENTRALE.dyndns.com<, IpAddr=77.111.22.111, IpTtl=60s
[VPN-Status] 2009/12/27 21:54:53,530
VPN: installing ruleset for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:54:53,550
VPN: rulesets installed
[VPN-Status] 2009/12/27 21:54:54,540
VPN: connecting to ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:54:54,620
VPN: installing ruleset for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:54:54,620
IKE info: The remote server 77.111.22.111:500 peer ZENTRALE id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 77.111.22.111:500 peer ZENTRALE id <no_id> negotiated rfc-3706-dead-peer-detection
[VPN-Status] 2009/12/27 21:54:54,630
IKE info: Phase-1 remote proposal 1 for peer ZENTRALE matched with local proposal 1
[VPN-Status] 2009/12/27 21:54:54,630
VPN: ruleset installed for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:54:54,640
VPN: start IKE negotiation for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:54:54,720
VPN: rulesets installed
[VPN-Status] 2009/12/27 21:54:55,530
IKE info: Phase-1 [responder] for peer ZENTRALE between initiator id 77.111.22.111, responder id 192.168.0.253 done
IKE info: SA ISAKMP for peer ZENTRALE encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 2009/12/27 21:54:55,540
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 97200 seconds (Responder)
[VPN-Status] 2009/12/27 21:54:55,540
IKE info: Phase-1 SA Timeout (Hard-Event) for peer ZENTRALE set to 108000 seconds (Responder)
[VPN-Status] 2009/12/27 21:54:55,570
IKE info: Phase-2 remote proposal 1 for peer ZENTRALE matched with local proposal 1
[VPN-Status] 2009/12/27 21:54:56,370
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 1800 seconds (Responder)
[VPN-Status] 2009/12/27 21:54:56,370
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ZENTRALE set to 2000 seconds (Responder)
[VPN-Status] 2009/12/27 21:54:56,370
IKE info: Phase-2 [responder] done with 2 SAS for peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.3.0/255.255.255.0 '
IKE info: SA ESP [0x698b8f90] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x59af1ef9] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 192.168.0.253 dst: 77.111.22.111
[VPN-Status] 2009/12/27 21:54:57,160
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 1600 seconds (Initiator)
[VPN-Status] 2009/12/27 21:54:57,160
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ZENTRALE set to 2000 seconds (Initiator)
[VPN-Status] 2009/12/27 21:54:57,170
IKE info: Phase-2 [inititiator] done with 2 SAS for peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.3.0/255.255.255.0 '
IKE info: SA ESP [0x1b8f376e] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x1e23987d] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 192.168.0.253 dst: 77.111.22.111
[VPN-Status] 2009/12/27 21:54:57,730
VPN: starting external DNS resolution for ZENTRALE
IpStr=>ZENTRALE.dyndns.com<, IpAddr(old)=77.111.22.111, IpTtl(old)=60s
[VPN-Status] 2009/12/27 21:54:57,760
VPN: external DNS resolution for ZENTRALE
IpStr=>ZENTRALE.dyndns.com<, IpAddr(old)=77.111.22.111, IpTtl(old)=60s
IpStr=>ZENTRALE.dyndns.com<, IpAddr(new)=77.111.22.111, IpTtl(new)=60s
[VPN-Status] 2009/12/27 21:54:58,180
VPN: ZENTRALE (77.111.22.111) connected
[VPN-Status] 2009/12/27 21:55:37,470
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x698b8f90]
[VPN-Status] 2009/12/27 21:55:37,470
IKE info: Phase-2 SA removed: peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [698b8f90 ] [59af1ef9 ]
[VPN-Status] 2009/12/27 21:55:37,480
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x1b8f376e]
[VPN-Status] 2009/12/27 21:55:37,480
IKE info: Phase-2 SA removed: peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [1b8f376e ] [1e23987d ]
[VPN-Status] 2009/12/27 21:55:37,490
IKE info: Delete Notification received for Phase-1 SA isakmp-peer-ZENTRALE peer ZENTRALE cookies [3f3fa1087dc04ebd f5fb3bf6c252402f]
[VPN-Status] 2009/12/27 21:55:37,490
IKE info: Phase-1 SA removed: peer ZENTRALE rule ZENTRALE removed
[VPN-Status] 2009/12/27 21:55:37,490
VPN: ZENTRALE (77.111.22.111) disconnected
[VPN-Status] 2009/12/27 21:55:37,490
VPN: Disconnect info: remote-disconnected (0x4301) for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:37,580
VPN: selecting first remote gateway using strategy eFirst for ZENTRALE
=> CurrIdx=0, IpStr=>ZENTRALE.dyndns.com<, IpAddr=77.111.22.111, IpTtl=60s
[VPN-Status] 2009/12/27 21:55:37,580
VPN: installing ruleset for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:37,590
VPN: rulesets installed
[VPN-Status] 2009/12/27 21:55:38,580
VPN: connecting to ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:38,660
VPN: installing ruleset for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:38,660
IKE info: The remote server 77.111.22.111:500 peer ZENTRALE id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 77.111.22.111:500 peer ZENTRALE id <no_id> negotiated rfc-3706-dead-peer-detection
[VPN-Status] 2009/12/27 21:55:38,670
IKE info: Phase-1 remote proposal 1 for peer ZENTRALE matched with local proposal 1
[VPN-Status] 2009/12/27 21:55:38,670
VPN: ruleset installed for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:38,670
VPN: start IKE negotiation for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:38,760
VPN: rulesets installed
[VPN-Status] 2009/12/27 21:55:39,620
IKE info: Phase-1 [responder] for peer ZENTRALE between initiator id 77.111.22.111, responder id 192.168.0.253 done
IKE info: SA ISAKMP for peer ZENTRALE encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 2009/12/27 21:55:39,620
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 97200 seconds (Responder)
[VPN-Status] 2009/12/27 21:55:39,620
IKE info: Phase-1 SA Timeout (Hard-Event) for peer ZENTRALE set to 108000 seconds (Responder)
[VPN-Status] 2009/12/27 21:55:39,660
IKE info: Phase-2 remote proposal 1 for peer ZENTRALE matched with local proposal 1
[VPN-Status] 2009/12/27 21:55:40,460
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 1800 seconds (Responder)
[VPN-Status] 2009/12/27 21:55:40,470
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ZENTRALE set to 2000 seconds (Responder)
[VPN-Status] 2009/12/27 21:55:40,470
IKE info: Phase-2 [responder] done with 2 SAS for peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.3.0/255.255.255.0 '
IKE info: SA ESP [0x647acb32] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x23e14542] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 192.168.0.253 dst: 77.111.22.111
[VPN-Status] 2009/12/27 21:55:41,250
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 1600 seconds (Initiator)
[VPN-Status] 2009/12/27 21:55:41,260
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ZENTRALE set to 2000 seconds (Initiator)
[VPN-Status] 2009/12/27 21:55:41,260
IKE info: Phase-2 [inititiator] done with 2 SAS for peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.3.0/255.255.255.0 '
IKE info: SA ESP [0x44d1517c] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x3ec6cfa8] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 192.168.0.253 dst: 77.111.22.111
[VPN-Status] 2009/12/27 21:55:42,270
VPN: ZENTRALE (77.111.22.111) connected
[VPN-Status] 2009/12/27 21:55:58,760
VPN: starting external DNS resolution for ZENTRALE
IpStr=>ZENTRALE.dyndns.com<, IpAddr(old)=77.111.22.111, IpTtl(old)=60s
[VPN-Status] 2009/12/27 21:55:58,790
VPN: external DNS resolution for ZENTRALE
IpStr=>ZENTRALE.dyndns.com<, IpAddr(old)=77.111.22.111, IpTtl(old)=60s
IpStr=>ZENTRALE.dyndns.com<, IpAddr(new)=77.111.22.111, IpTtl(new)=60s
[VPN-Status] 2009/12/27 21:56:21,570
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x647acb32]
[VPN-Status] 2009/12/27 21:56:21,570
IKE info: Phase-2 SA removed: peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [647acb32 ] [23e14542 ]
[VPN-Status] 2009/12/27 21:56:21,580
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x44d1517c]
[VPN-Status] 2009/12/27 21:56:21,580
IKE info: Phase-2 SA removed: peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [44d1517c ] [3ec6cfa8 ]
[VPN-Status] 2009/12/27 21:56:21,590
IKE info: Delete Notification received for Phase-1 SA isakmp-peer-ZENTRALE peer ZENTRALE cookies [c270892c0989926f 34cb0de8074bc870]
[VPN-Status] 2009/12/27 21:56:21,590
IKE info: Phase-1 SA removed: peer ZENTRALE rule ZENTRALE removed
[VPN-Status] 2009/12/27 21:56:21,590
VPN: ZENTRALE (77.111.22.111) disconnected
[VPN-Status] 2009/12/27 21:56:21,590
VPN: Disconnect info: remote-disconnected (0x4301) for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:21,680
VPN: selecting first remote gateway using strategy eFirst for ZENTRALE
=> CurrIdx=0, IpStr=>ZENTRALE.dyndns.com<, IpAddr=77.111.22.111, IpTtl=60s
[VPN-Status] 2009/12/27 21:56:21,680
VPN: installing ruleset for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:21,690
VPN: rulesets installed
[VPN-Status] 2009/12/27 21:56:22,680
VPN: connecting to ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:22,760
VPN: installing ruleset for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:22,760
IKE info: The remote server 77.111.22.111:500 peer ZENTRALE id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 77.111.22.111:500 peer ZENTRALE id <no_id> negotiated rfc-3706-dead-peer-detection
[VPN-Status] 2009/12/27 21:56:22,770
IKE info: Phase-1 remote proposal 1 for peer ZENTRALE matched with local proposal 1
[VPN-Status] 2009/12/27 21:56:22,770
VPN: ruleset installed for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:22,780
VPN: start IKE negotiation for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:22,860
VPN: rulesets installed
[VPN-Status] 2009/12/27 21:56:23,670
IKE info: Phase-1 [responder] for peer ZENTRALE between initiator id 77.111.22.111, responder id 192.168.0.253 done
IKE info: SA ISAKMP for peer ZENTRALE encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 2009/12/27 21:56:23,680
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 97200 seconds (Responder)
[VPN-Status] 2009/12/27 21:56:23,680
IKE info: Phase-1 SA Timeout (Hard-Event) for peer ZENTRALE set to 108000 seconds (Responder)
[VPN-Status] 2009/12/27 21:56:23,700
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer ZENTRALE, sequence nr 0x67761e39
[VPN-Status] 2009/12/27 21:56:23,720
IKE info: Phase-2 remote proposal 1 for peer ZENTRALE matched with local proposal 1
[VPN-Status] 2009/12/27 21:56:24,510
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer ZENTRALE Seq-Nr 0x67761e39, expected 0x67761e39
[VPN-Status] 2009/12/27 21:56:24,520
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 1800 seconds (Responder)
[VPN-Status] 2009/12/27 21:56:24,520
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ZENTRALE set to 2000 seconds (Responder)
[VPN-Status] 2009/12/27 21:56:24,530
IKE info: Phase-2 [responder] done with 2 SAS for peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.3.0/255.255.255.0 '
IKE info: SA ESP [0x5f6a06d4] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x48af6170] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 192.168.0.253 dst: 77.111.22.111
[VPN-Status] 2009/12/27 21:56:25,310
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ZENTRALE set to 1600 seconds (Initiator)
[VPN-Status] 2009/12/27 21:56:25,320
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ZENTRALE set to 2000 seconds (Initiator)
[VPN-Status] 2009/12/27 21:56:25,320
IKE info: Phase-2 [inititiator] done with 2 SAS for peer ZENTRALE rule ipsec-0-ZENTRALE-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.3.0/255.255.255.0 '
IKE info: SA ESP [0x6e136b8a] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4f92454f] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 192.168.0.253 dst: 77.111.22.111
[VPN-Status] 2009/12/27 21:56:26,330
VPN: ZENTRALE (77.111.22.111) connected
IKE info: Delete Notification received for Phase-2 SA ipsec-0-ZENTRALE-pr0-l0-r0 peer ZENTRALE spi [0x6e9c53ee]
Is the trigger on the ZENTRALE side?
Or is something still stuck with the NAT on the branch side?
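
Added example, not part of the original post: a small Python parser for the `[VPN-Status]` trace format shown above that measures how long each tunnel session stayed up and which disconnect reason was logged when it ended. The sample input is an abridged excerpt constructed from the trace in the post; the function and variable names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: abridged excerpt of the trace quoted in the post above.
SAMPLE = """\
[VPN-Status] 2009/12/27 21:54:58,180
VPN: ZENTRALE (77.111.22.111) connected
[VPN-Status] 2009/12/27 21:55:37,490
VPN: Disconnect info: remote-disconnected (0x4301) for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:55:42,270
VPN: ZENTRALE (77.111.22.111) connected
[VPN-Status] 2009/12/27 21:56:21,590
VPN: Disconnect info: remote-disconnected (0x4301) for ZENTRALE (77.111.22.111)
[VPN-Status] 2009/12/27 21:56:26,330
VPN: ZENTRALE (77.111.22.111) connected
"""

STAMP = re.compile(r"^\[VPN-Status\] (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),(\d{3})")
UP = re.compile(r"^VPN: (\S+) \(\S+\) connected$")
DOWN = re.compile(r"^VPN: Disconnect info: (\S+) \((0x[0-9a-fA-F]+)\) for (\S+)")

def sessions(trace):
    """Return (peer, seconds_up, reason, code) for every completed session."""
    now, up_since, out = None, {}, []
    for line in trace.splitlines():
        line = line.strip()
        m = STAMP.match(line)
        if m:  # header line: remember the timestamp for the lines that follow
            now = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            now = now.replace(microsecond=int(m.group(2)) * 1000)
            continue
        if now is None:
            continue  # message text before the first timestamp header
        m = UP.match(line)
        if m:
            up_since[m.group(1)] = now
            continue
        m = DOWN.match(line)
        if m and m.group(3) in up_since:  # skip a disconnect with no logged start
            start = up_since.pop(m.group(3))
            secs = round((now - start).total_seconds(), 2)
            out.append((m.group(3), secs, m.group(1), m.group(2)))
    return out
```

On the excerpt, `sessions(SAMPLE)` returns two sessions of about 39.3 seconds each, both ended with `remote-disconnected (0x4301)`.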