Lancom hinter LTE Router

[WWW-KR]

Hallo,

ich habe hier leider für 1/4 Jahr ein Lancom hinter einem LTE Router stehen. Der Lancom soll die Verbindung zu Zentrale aufbauen, dort steht eine Sophos UTM 9.7.
Ich habe die Policys manuell auf beiden Seiten gesetzt und ein Verbindungsversuch kommt zu Stande, aber der Lancom scheint die interne IP (kommt vom LTE Router) mit anzugeben und die UTM verweigert die VPN-Verbindung.

So sieht es in den Logs des Lancoms aus:

Code: Alles auswählen

[VPN-Status] 2019/12/27 14:22:23,702  Devicetime: 2019/12/27 14:22:21,055
VPN: WAN state changed to WanCall for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c

[VPN-Status] 2019/12/27 14:22:23,703  Devicetime: 2019/12/27 14:22:21,056
VPN: connecting to SOPHOS-UTM (80.xxx.xxx.159 ikev1)

[VPN-Status] 2019/12/27 14:22:23,703  Devicetime: 2019/12/27 14:22:21,056
vpn-maps[32], remote: SOPHOS-UTM, nego, static-name, connected-by-name

[VPN-Status] 2019/12/27 14:22:23,703  Devicetime: 2019/12/27 14:22:21,056
vpn-maps[32], remote: SOPHOS-UTM, nego, static-name, connected-by-name

[VPN-Status] 2019/12/27 14:22:23,703  Devicetime: 2019/12/27 14:22:21,072
vpn-maps[32], remote: SOPHOS-UTM, nego, static-name, connected-by-name

[VPN-Status] 2019/12/27 14:22:23,748  Devicetime: 2019/12/27 14:22:21,072
VPN: start IKE negotiation for SOPHOS-UTM (80.xxx.xxx.159)

[VPN-Status] 2019/12/27 14:22:23,748  Devicetime: 2019/12/27 14:22:21,072
VPN: WAN state changed to WanProtocol for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c

[VPN-Status] 2019/12/27 14:22:23,751  Devicetime: 2019/12/27 14:22:21,073
IKE info: Phase-1 negotiation started for peer SOPHOS-UTM rule isakmp-peer-SOPHOS-UTM using MAIN mode

[VPN-Status] 2019/12/27 14:22:23,751  Devicetime: 2019/12/27 14:22:21,079
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 500, remote port: 500
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0

Phase-1 SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE Cookies 0xC4B9D01283AB26CB0000000000000000) entered to SADB

[VPN-Status] 2019/12/27 14:22:23,751  Devicetime: 2019/12/27 14:22:21,080
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89640, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 500, remote port: 500
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0

[VPN-Status] 2019/12/27 14:22:23,805  Devicetime: 2019/12/27 14:22:21,140
IKE info: The remote server 80.xxx.xxx.159:500 (UDP) peer SOPHOS-UTM id <no_id> supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server 80.xxx.xxx.159:500 (UDP) peer SOPHOS-UTM id <no_id> negotiated rfc-3706-dead-peer-detection
IKE info: The remote peer SOPHOS-UTM supports NAT-T in RFC mode

[VPN-Status] 2019/12/27 14:22:23,805  Devicetime: 2019/12/27 14:22:21,140
IKE info: Phase-1 remote proposal 1 for peer SOPHOS-UTM matched with local proposal 1

[VPN-Status] 2019/12/27 14:22:23,897  Devicetime: 2019/12/27 14:22:21,262
IKE info: Phase-1 SASA Rekeying Timeout (Soft-Event) for peer SOPHOS-UTM set to 69120 seconds (Initiator)

[VPN-Status] 2019/12/27 14:22:23,897  Devicetime: 2019/12/27 14:22:21,262
IKE info: Phase-1 SASA Timeout (Hard-Event) for peer SOPHOS-UTM set to 86400 seconds (Initiator)

[VPN-Status] 2019/12/27 14:22:23,897  Devicetime: 2019/12/27 14:22:21,262
Phase-1 [initiator] for peer SOPHOS-UTM initiator id  192.168.1.254, responder id  80.xxx.xxx.159
initiator cookie: 0xC4B9D01283AB26CB, responder cookie: 0x6417BE2866F447A5
NAT-T enabled in mode rfc. We are  behind a nat, the remote side is not behind a nat
SA ISAKMP for peer SOPHOS-UTM encryption aes-cbc authentication SHA-256
life time soft 12/28/2019 09:34:21 (in 69120 sec) / 0 kb
life time hard 12/28/2019 14:22:21 (in 86400 sec) / 0 kb
DPD: 60 sec

[VPN-Status] 2019/12/27 14:22:23,949  Devicetime: 2019/12/27 14:22:21,309
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer SOPHOS-UTM

[VPN-Status] 2019/12/27 14:22:24,716  Devicetime: 2019/12/27 14:22:22,081
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0


[VPN-Status] 2019/12/27 14:22:31,025  Devicetime: 2019/12/27 14:22:28,391
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM


[VPN-Status] 2019/12/27 14:22:36,021  Devicetime: 2019/12/27 14:22:33,392
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer SOPHOS-UTM, sequence nr 0x1223501b

[VPN-Status] 2019/12/27 14:22:36,072  Devicetime: 2019/12/27 14:22:33,431
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer SOPHOS-UTM Seq-Nr 0x1223501b, expected 0x1223501b

[VPN-Status] 2019/12/27 14:22:36,762  Devicetime: 2019/12/27 14:22:34,081
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0

[VPN-Status] 2019/12/27 14:22:39,867  Devicetime: 2019/12/27 14:22:37,232
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM


[VPN-Status] 2019/12/27 14:22:43,866  Devicetime: 2019/12/27 14:22:41,232
Peer SOPHOS-UTM: NAT-T keep-alive (0xFF) sent physically
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500

[VPN-Status] 2019/12/27 14:22:45,711  Devicetime: 2019/12/27 14:22:43,082
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0


[VPN-Status] 2019/12/27 14:22:50,905  Devicetime: 2019/12/27 14:22:48,272
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM

[VPN-Status] 2019/12/27 14:22:53,756  Devicetime: 2019/12/27 14:22:51,072
VPN: connection for SOPHOS-UTM (80.xxx.xxx.159) timed out: no response

[VPN-Status] 2019/12/27 14:22:53,756  Devicetime: 2019/12/27 14:22:51,072
VPN: disconnecting SOPHOS-UTM (80.xxx.xxx.159)

[VPN-Status] 2019/12/27 14:22:53,756  Devicetime: 2019/12/27 14:22:51,072
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for SOPHOS-UTM (80.xxx.xxx.159)

[VPN-Status] 2019/12/27 14:22:53,756  Devicetime: 2019/12/27 14:22:51,080
IKE info: Delete Notification sent for Phase-1 SA to peer SOPHOS-UTM, cookies [0xc4b9d01283ab26cb 0x6417be2866f447a5]

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,091
Disconnect Request for peer SOPHOS-UTM (ikev1)
Phase-2 SA (UNKNOWN, 'UNKNOWN') removed from SADB
  Containing Protocol IPSEC_ESP Inbound-SPI 0x206C42BE
Phase-2 SA (UNKNOWN, 'UNKNOWN') freed
  Containing Protocol IPSEC_ESP Inbound-SPI 0x206C42BE
Phase-1 SA (SOPHOS-UTM, 'ISAKMP-PEER-SOPHOS-UTM' IPSEC_IKE Cookies 0xC4B9D01283AB26CB6417BE2866F447A5) removed from SADB
  Freeing exchanges...IKE-DISCONNECT-INDICATION sent for handle 32
Phase-1 SA (SOPHOS-UTM, 'ISAKMP-PEER-SOPHOS-UTM' IPSEC_IKE Cookies 0xC4B9D01283AB26CB6417BE2866F447A5) freed

DISCONNECT-RESPONSE sent for handle 32

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,091
vpn-maps[32], remote: SOPHOS-UTM, idle, static-name

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,097
selecting next remote gateway using strategy eFirst for SOPHOS-UTM
     => no remote gateway selected

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,097
selecting first remote gateway using strategy eFirst for SOPHOS-UTM
     => CurrIdx=0, IpStr=>80.xxx.xxx.159<, IpAddr=80.xxx.xxx.159, IpTtl=0s

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,097
VPN: installing ruleset for SOPHOS-UTM (80.xxx.xxx.159)

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,097
VPN: WAN state changed to WanDisconnect for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,098
VPN: WAN state changed to WanIdle for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,098
VPN: SOPHOS-UTM (80.xxx.xxx.159)  disconnected

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,098
vpn-maps[32], remote: SOPHOS-UTM, idle, static-name

[VPN-Status] 2019/12/27 14:22:53,779  Devicetime: 2019/12/27 14:22:51,100
vpn-maps[32], remote: SOPHOS-UTM, idle, static-name

Hat jemand eine Idee, wie ich es dem Lancom abgewöhne die IP 192.168.1.254 zu senden?

Danke + Gruß

[GrandDixence]

IKEv1 sollte aus Sicherheitsgründen durch IKEv2 ersetzt werden. Unterstützt der VPN-Endpunkt (hier: Sophos) kein IKEv2, gehört diese Hardware in den Elektroschrott. VPN-Anleitungen für IKEv2 findet man unter:
fragen-zum-thema-vpn-f14/vpn-via-androi ... tml#p97795

[WWW-KR]

IKEv1 sollte aus Sicherheitsgründen durch IKEv2 ersetzt werden. Unterstützt der VPN-Endpunkt (hier: Sophos) kein IKEv2, gehört diese Hardware in den Elektroschrott. VPN-Anleitungen für IKEv2 findet man unter:
fragen-zum-thema-vpn-f14/vpn-via-androi ... tml#p97795

Danke GrandDixence für diesen überaus wertlosen Beitrag. Aber wenn man sich an Hardware orientiert in einem Forum für Business Geräte, dann gilt: "Wenn man keine Ahnung hat, einfach mal die ... halten".

Danke & Gruß

[backslash]

Hi WWW-KR

aber der Lancom scheint die interne IP (kommt vom LTE Router) mit anzugeben

welche soll es denn sonst angeben... die öffentliche des LTE-Routers kann es nicht kennen. Der LTE-Router und/oder der Provoider machen auf demn Weg zur Sophos dann noch mindestens ein NAT...

Hat jemand eine Idee, wie ich es dem Lancom abgewöhne die IP 192.168.1.254 zu senden?

gar nicht - wozu auch, die Adresse ist ja nicht das Problem...

Hier ist das Problem, daß nur die Phase-1 SA (IKE-SA) ausgehandelt wird, nicht aber die Phase 2 SA (IPSec-SA) für die Netzbeziehungen. Den Aushandlungsversuch beantwortet die Sophos mit

[VPN-Status] 2019/12/27 14:22:23,949 Devicetime: 2019/12/27 14:22:21,309
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer SOPHOS-UTM

Das deutet darauf hin, daß du die Netzbeziehungen falsch (also nicht kreuzweise gleich) konfiguriert hast. Da mußt du schon auf die Sophos schauen, was sie nicht mag...

BTW: Zu deinem Bashing an GrandDixence: lieber selbst mal die ... halten, wenn man selbst keine Ahnung hat... Der Hinweis von GrandDixence auf IKEv2 ist nämlich nicht von der Hand zu weisen...

Gruß
Backslash