OTP with Lancom VPN Client
Moderator: Lancom-Systems Moderatoren
- Posts: 184
- Registered: 08 Jul 2022, 12:53
- Location: Aachen
Re: OTP with Lancom VPN Client
Unfortunately, nobody can guess from this information what the problem is. You would have to use, and post, the VPN status and RADIUS traces.
Re: OTP with Lancom VPN Client
Sorry for the sparse information. Unfortunately I haven't worked with the trace tool yet; from what I've seen it is very extensive.
Which checkboxes under Show or Status should I set to read it out? vpn, radius-client, radius-server
Why does it append 5C13 to the user name?
[Table] 2024/07/15 10:46:00,056
Content of table: /Status/VPN/RADIUS/Authorization
Peer Remote-ID Local-Gateway Remote-Gateway State Server-Hostname CoA-Active CFG-IPv4-Address CFG-IPv4-DNS-Servers CFG-IPv4-Pool CFG-IPv6-Address CFG-IPv6-DNS-Servers CFG-IPv6-Pool Rtg-tag Framed-IPv4-Routes Framed-IPv6-Routes IKE-IPv4-Routes IKE-IPv6-Routes IKE-IPv4-tagged-Routes IKE-IPv6-tagged-Routes Load-Balancer Client-Binding Rtg-Tag-List Other-Attributes
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
BENUTZER5C13 benutzer 80.xxx.xx.xx 91.xx.xxx.xx Failed No No
[VPN-Status] 2024/07/15 11:09:43,814 Devicetime: 2024/07/15 11:09:47,134
IKE: Removing RADIUS authorization request for: BENUTZER5C13
[VPN-Debug] 2024/07/15 11:09:43,814 Devicetime: 2024/07/15 11:09:47,134
Peer BENUTZER5C13: Received a request to establish an exchange for (ISAKMP-PEER-DEFAULT, DELETE-SA)
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
Sending an INFORMATIONAL-REQUEST of 80 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->91.xx.xxx.xx:10954, tag 0 (UDP)
SPIs: 0xE2E139FA27C7D9CA0DDBF3577E6BB1FA, Message-ID 0
Payloads: ENCR
[VPN-Status] 2024/07/15 11:09:43,814 Devicetime: 2024/07/15 11:09:47,134
BENUTZER5C13: Hard lifetime event occurred for IKE_SA(0xE2E139FA27C7D9CA0DDBF3577E6BB1FA) (responder flags 0x0000c00001030300)
Deleting IKE_SA (ISAKMP-PEER-DEFAULT, BENUTZER5C13)
Peer BENUTZER5C13: Constructing an INFORMATIONAL-REQUEST for send
IKE_SA ('BENUTZER5C13', 'ISAKMP-PEER-DEFAULT' IPSEC_IKE SPIs 0xE2E139FA27C7D9CA0DDBF3577E6BB1FA) entered to SADB
Message scheduled for retransmission (1) in 5.688607 seconds
Sending an INFORMATIONAL-REQUEST of 80 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->91.xx.xxx.xx:10954, tag 0 (UDP)
SPIs: 0xE2E139FA27C7D9CA0DDBF3577E6BB1FA, Message-ID 0
IKE_SA ('BENUTZER5C13', 'ISAKMP-PEER-DEFAULT' IPSEC_IKE SPIs 0xE2E139FA27C7D9CA0DDBF3577E6BB1FA) removed from SADB
Re: OTP with Lancom VPN Client
Unfortunately the excerpt does not show the interesting part. The traces VPN-Status, radius-client and radius-server, and possibly VPN-Debug, would help. Show commands or status tables are not needed for now.
With certain VPN configurations a random value is appended to the remote peer name to avoid collisions. That is OK and correct here.
Re: OTP with Lancom VPN Client
[VPN-Debug] 2024/07/16 08:32:23,251 Devicetime: 2024/07/16 08:32:25,324
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NOTIFY(REDIRECT) (41):
+No Redirection
Constructing payload NONCE (40):
+Nonce length=32 bytes
+Nonce=0x4B746B41E9100F2C83EC88D3519AE87EE16355529263B266FA52C67331EB0218
+SA-DATA-Nr=0x4B746B41E9100F2C83EC88D3519AE87EE16355529263B266FA52C67331EB0218
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
+Computing SHA1(0x190E2A60299A4D4EE8EBB986C0CEB4B8|80.xxx.xx.xx:500)
+Computing SHA1(0x190E2A60299A4D4EE8EBB986C0CEB4B8509A4B5301F4)
+0x6DDFE4BB6FE99D9ED1230A85D75DF30D1C642F64
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
+Computing SHA1(0x190E2A60299A4D4EE8EBB986C0CEB4B8|192.168.1.200:10952)
+Computing SHA1(0x190E2A60299A4D4EE8EBB986C0CEB4B8C0A801C82AC8)
+0xB0D01822DA0B9DF174660641051EF600CCF6AD61
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
+0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
+Peer does not support private notifications -> ignore
+Shared secret derived in 85336 micro seconds
IKE_SA(0x190E2A60299A4D4EE8EBB986C0CEB4B8).EXPECTED-MSG-ID raised to 1
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x190E2A60299A4D4EE8EBB986C0CEB4B800000000, P1, RESPONDER): Resetting Negotiation SA
(IKE_SA, 'DEFAULT', 'ISAKMP-PEER-DEFAULT', 0x190E2A60299A4D4EE8EBB986C0CEB4B800000000, responder): use_count --5
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 533 bytes (responder)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:4500, tag 0 (UDP)
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(FRAGMENTATION), VENDOR(FRAGMENTATION(C0000000)), VENDOR(activate lancom-systems notification private range)
[VPN-Status] 2024/07/16 08:32:23,251 Devicetime: 2024/07/16 08:32:25,324
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
IKE-Proposal-4 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
+KE-DH-Group 14 (2048 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0x190E2A60299A4D4E, responder cookie: 0xE8EBB986C0CEB4B8
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer DEFAULT
Encryption : AES-CBC-256
Integrity : AUTH-HMAC-SHA-256
IKE-DH-Group : 14
PRF : PRF-HMAC-SHA-256
life time soft 07/17/2024 11:32:25 (in 97200 sec) / 0 kb
life time hard 07/17/2024 14:32:25 (in 108000 sec) / 0 kb
DPD: NONE
Negotiated: IKE_FRAGMENTATION IKEV2_FRAGMENTATION
Sending an IKE_SA_INIT-RESPONSE of 533 bytes (responder)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:4500, tag 0 (UDP)
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 0
[VPN-Debug] 2024/07/16 08:32:23,298 Devicetime: 2024/07/16 08:32:25,369
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:4500
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 1
Payloads: ENCR
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 527771, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:00:00:00:00, port 5], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000000)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, IDI, NOTIFY(INITIAL_CONTACT), NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED), CERTREQ, CP(REQUEST), SA, TSI, TSR, VENDOR(ikev2 rfc-3706-dead-peer-detection), NOTIFY(MOBIKE_SUPPORTED), NOTIFY(MULTIPLE_AUTH_SUPPORTED)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x190E2A60299A4D4EE8EBB986C0CEB4B800000001, P2, RESPONDER): Setting Negotiation SA
Referencing (CHILD_SA, 0x190E2A60299A4D4EE8EBB986C0CEB4B80000000100, responder): use_count 3
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x190E2A60299A4D4EE8EBB986C0CEB4B800000001, P2, RESPONDER): Resetting Negotiation SA
(CHILD_SA, 0x190E2A60299A4D4EE8EBB986C0CEB4B80000000100, responder): use_count --3
Looking for payload IDI (35)...Found 1 payload.
+Received-ID benutzer:USER_FQDN. Assuming EAP
[VPN-Status] 2024/07/16 08:32:23,298 Devicetime: 2024/07/16 08:32:25,369
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:4500
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 1
CHILD_SA ('', '' ) entered to SADB
Updating remote port to 10954
Received 4 notifications:
+INITIAL_CONTACT (STATUS)
+HTTP_CERT_LOOKUP_SUPPORTED (STATUS)
+MOBIKE_SUPPORTED (STATUS)
+MULTIPLE_AUTH_SUPPORTED (STATUS)
+Road-warrior identified and accepted (Peer BENUTZER5C13 using <Unknown 0>)
+EAP-Authentication detected
[VPN-Debug] 2024/07/16 08:32:23,439 Devicetime: 2024/07/16 08:32:25,517
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0x190E2A60299A4D4EE8EBB986C0CEB4B8).EXPECTED-MSG-ID raised to 2
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 1216 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 1
Payloads: ENCR
[VPN-Status] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,517
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID CN=VPN-Gateway:DER_ASN1_DN
+I use AUTH(RSA:SHA1)
+Signature of length 256 bytes (2048 bits) computed
Sending an IKE_AUTH-RESPONSE of 1216 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 1
[VPN-Debug] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,518
Peer BENUTZER5C13: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
[RADIUS-Client] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,553
RADIUS-Client: register UDP listener(s) for responses
-> port is 13861
[RADIUS-Client] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,554
Send RADIUS Authentication Request Id 6 to 127.0.0.1:1812 Backup-Step 1
Authenticator : 7e 3f 3f 3f 3f 3f 3f bf ~??????.
ff 5f 8f e7 53 09 24 92 ._..S.$.
Message-Authenticator: 90 19 20 dd 38 f9 34 5e .. .8.4^
57 83 dd e2 c8 bb a5 19 W.......
User-Name : benutzer
Calling-Station-Id : 192.168.1.200
NAS-IP-Address : 80.xxx.xx.xx
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 117
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
Service-Type : Login-User
[VPN-Status] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,554
IKE: Adding RADIUS authorization request for: BENUTZER5C13
Remote ID : benutzer
Local gateway : 80.xxx.xx.xx
Remote gateway : 192.168.1.200
Initiator ID : benutzer
EAP ID : benutzer
Identifier : 0x75
RADIUS State : 0x<invalid constData pointer>
EAP-Failure : false
EAP-Success : false
EAP-Message : 13 bytes
RADIUS servers : 127.0.0.1
[VPN-Debug] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,554
Peer BENUTZER5C13 [responder]: Received an IKE_AUTH-REQUEST of 96 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 2
Payloads: ENCR
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 527771, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:00:00:00:00, port 5], local port: 4500, remote port: 10954, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000004)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, EAP
[VPN-Status] 2024/07/16 08:32:23,470 Devicetime: 2024/07/16 08:32:25,555
Peer BENUTZER5C13 [responder]: Received an IKE_AUTH-REQUEST of 96 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 2
Updating remote port to 10954
+Forwarding EAP-RESPONSE(117/IDENTITY) to RADIUS server
[RADIUS-Client] 2024/07/16 08:32:28,470 Devicetime: 2024/07/16 08:32:30,554
Send RADIUS Authentication Request Id 6 to 127.0.0.1:1812 Backup-Step 1 Retry 1
Authenticator : 7e 3f 3f 3f 3f 3f 3f bf ~??????.
ff 5f 8f e7 53 09 24 92 ._..S.$.
Message-Authenticator: 90 19 20 dd 38 f9 34 5e .. .8.4^
57 83 dd e2 c8 bb a5 19 W.......
User-Name : benutzer
Calling-Station-Id : 192.168.1.200
NAS-IP-Address : 80.xxx.xx.xx
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 117
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
Service-Type : Login-User
[RADIUS-Client] 2024/07/16 08:32:33,470 Devicetime: 2024/07/16 08:32:35,555
Send RADIUS Authentication Request Id 6 to 127.0.0.1:1812 Backup-Step 1 Retry 2
Authenticator : 7e 3f 3f 3f 3f 3f 3f bf ~??????.
ff 5f 8f e7 53 09 24 92 ._..S.$.
Message-Authenticator: 90 19 20 dd 38 f9 34 5e .. .8.4^
57 83 dd e2 c8 bb a5 19 W.......
User-Name : benutzer
Calling-Station-Id : 192.168.1.200
NAS-IP-Address : 80.xxx.xx.xx
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 117
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
Service-Type : Login-User
[RADIUS-Server] 2024/07/16 08:32:34,455 Devicetime: 2024/07/16 08:32:36,544
Checking for dead accounting sessions:
[RADIUS-Client] 2024/07/16 08:32:38,470 Devicetime: 2024/07/16 08:32:40,555
Send RADIUS Authentication Request Id 6 to 127.0.0.1:1812 Backup-Step 1 Retry 3
Authenticator : 7e 3f 3f 3f 3f 3f 3f bf ~??????.
ff 5f 8f e7 53 09 24 92 ._..S.$.
Message-Authenticator: 90 19 20 dd 38 f9 34 5e .. .8.4^
57 83 dd e2 c8 bb a5 19 W.......
User-Name : benutzer
Calling-Station-Id : 192.168.1.200
NAS-IP-Address : 80.xxx.xx.xx
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 117
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
Service-Type : Login-User
[RADIUS-Client] 2024/07/16 08:32:43,470 Devicetime: 2024/07/16 08:32:45,556
RADIUS Request Id 6 finally timed out
[RADIUS-Client] 2024/07/16 08:32:43,470 Devicetime: 2024/07/16 08:32:45,556
RADIUS-Client:
deregister UDP listener for responses on port 13861
[VPN-Status] 2024/07/16 08:32:43,470 Devicetime: 2024/07/16 08:32:45,556
IKE: Failed RADIUS authorization request for: BENUTZER5C13
Reason : Access denied
[VPN-Status] 2024/07/16 08:32:43,470 Devicetime: 2024/07/16 08:32:45,556
-Received RADIUS-FAIL for peer BENUTZER5C13
[VPN-Debug] 2024/07/16 08:32:43,470 Devicetime: 2024/07/16 08:32:45,558
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0x190E2A60299A4D4EE8EBB986C0CEB4B8).EXPECTED-MSG-ID raised to 3
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 96 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 2
Payloads: ENCR
[VPN-Status] 2024/07/16 08:32:43,502 Devicetime: 2024/07/16 08:32:45,558
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Sending EAP-RESPONSE(117/IDENTITY)
NOTIFY(AUTHENTICATION_FAILED)
Sending an IKE_AUTH-RESPONSE of 96 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 2
[VPN-Debug] 2024/07/16 08:32:43,736 Devicetime: 2024/07/16 08:32:45,799
Peer BENUTZER5C13 [responder]: Received an INFORMATIONAL-REQUEST of 80 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 3
Payloads: ENCR
Peer BENUTZER5C13: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 527771, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:00:00:00:00, port 5], local port: 4500, remote port: 10954, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
[VPN-Status] 2024/07/16 08:32:43,736 Devicetime: 2024/07/16 08:32:45,799
Peer BENUTZER5C13 [responder]: Received an INFORMATIONAL-REQUEST of 80 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0x190E2A60299A4D4EE8EBB986C0CEB4B8, Message-ID 3
Could not create an INFORMATIONAL exchange for peer (could not set com channel handle for peer BENUTZER5C13)
Re: OTP with Lancom VPN Client
Hello,
I have no idea about VPN and IKE, but I can see that the LANCOM sends a request to its own RADIUS server (127.0.0.1) which does not seem to arrive there. Is the RADIUS server switched on at all? On the LCOS CLI that would be the item 'Setup/RADIUS/Server/Authentication-Operating'.
Re: OTP with Lancom VPN Client
I followed the LANCOM guide.
Under item
2.9 Create a new entry and adjust the following parameters:
Name: Assign a meaningful name.
Server address: Enter the loopback address 127.0.0.1.
Port: Make sure that port 1812 is entered.
Protocols: Make sure that the RADIUS protocol is entered.
Re: OTP with Lancom VPN Client
Thanks a lot. Now we can see much more.
The internal RADIUS server is not responding. Please check whether the RADIUS server is activated, i.e. Authentication.
Edit: sent too late, someone was faster.
In the guide that is item 3.1.
Re: OTP with Lancom VPN Client
Under item
3. Configuring the RADIUS and OTP settings on the router:
3.1 Go to the menu RADIUS → Server and enable the option RADIUS authentication active in order to activate the RADIUS server. Make sure that the RADIUS ports 1812 and 1813 are entered in the RADIUS service ports menu (default setting).
I had overlooked entering the ports.
Authentication port, accounting port and RADSEC port were all set to 0.
I have entered 1812 as the authentication port. Accounting port: 0, is that OK?
The connection is still not established, but more is happening on the RADIUS server now.
[RADIUS-Server] 2024/07/16 10:01:56,067 Devicetime: 2024/07/16 10:01:58,415
Received RADIUS Authentication Request request 20 from client 127.0.0.1:15136[#Loopback]:
-->found client in dynamic table
-->known attributes of request:
User-Name : benutzer
Service-Type : Login-User
NAS-IP-Address : 80.xxx.xx.xx
Calling-Station-Id : 192.168.1.200
Message-Authenticator: 8e 5f 31 45 40 4f 32 7c ._1E@O2|
9e ab b1 8d ef 6a f6 b7 .....j..
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 107
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
-->user name contains no realm, using empty realm
-->realm of user is ''
-->authenticating locally
-->found user 'benutzer' in database(s)
-->authenticating via EAP
-->queueing request for later response
[RADIUS-Server] 2024/07/16 10:01:56,067 Devicetime: 2024/07/16 10:01:58,416
Got Response for queued RADIUS request 20 from client 127.0.0.1:15136[#Loopback]:
-->response to access request via non-secure transport, enforce message authenticator
-->response type is Challenge, response attributes:
State : 4e a0 96 3d ca e8 c8 3e N..=...>
65 74 64 1f df 02 b1 2f etd..../
EAP-Message:
(5 bytes)
-->EAP Header
EAP Packet Code : Request
EAP Packet Id : 108
EAP Packet Len : 5
EAP Packet Type : One-Time-Passwd
One-Time-Passwd Data:
Message-Authenticator: 04 27 a0 68 51 cb 29 81 .'.hQ.).
da de e3 08 6d 91 c5 92 ....m...
(Message-Authenticator is at front of attribute list)
-->sending response
Re: OTP with Lancom VPN Client
Now the interesting part is missing again. Please post the part from radius-client and vpn-status.
Re: OTP with Lancom VPN Client
I have now copied everything, since I don't know what is most interesting.
[VPN-Debug] 2024/07/16 11:01:25,976 Devicetime: 2024/07/16 11:01:28,438
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 1080 bytes
Gateways: 80.xxx.xx.xx:500<--192.168.1.200:10952
SPIs: 0xC7A97E175D2429A10000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(DETECTION_SOURCE_IP), VENDOR(ikev2 NCP LANCOM Serial Number Protocol 1.0), VENDOR, VENDOR, VENDOR(FRAGMENTATION(C0000000)), VENDOR(FRAGMENTATION), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(REDIRECT_SUPPORTED), NOTIFY(SIGNATURE_HASH_ALGORITHMS)
QUB-DATA: 80.xxx.xx.xx:500<---192.168.1.200:10952 rtg_tag 0 physical-channel LAN
transport: [id: 631979, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:xx:xx:xx:xx, port 5], local port: 500, remote port: 10952
+No IKE_SA found
Counting consumed licenses by active channels...
1: (NOTEBOOK_MK , 95.xx.xx.xx , ikev2) : no DEVICE-ID -> 1
Consumed connected licenses : 1
Negotiating connections : 0
IKE negotiations : 0
MPPE connections : 0
LTA licenses : 0
Licenses in use : 1 < 25
+Passive connection request accepted (57 micro seconds)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xC7A97E175D2429A1BB884BE5C017C45600000000, P1, RESPONDER): Setting Negotiation SA
Referencing (IKE_SA, 0xC7A97E175D2429A1BB884BE5C017C45600000000, responder): use_count 3
Looking for payload NOTIFY(REDIRECT_SUPPORTED) (41)...Found 1 payload.
+Redirection is not required
Looking for payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41)...Found 1 payload.
+Received signature hash algorithms: SHA1, SHA-256, SHA-384, SHA-512
Looking for payload VENDOR (43)...Found 5 payloads.
+NCP LANCOM Serial Number Protocol 1.0 with serial number 2x
+EFEE9BE0B4E52BE992E25E09B5CD9A94
+C61BACA1F1A60CC10800000000000000
+FRAGMENTATION(C0000000)
+FRAGMENTATION
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
+Computing SHA1(0xC7A97E175D2429A10000000000000000|192.168.1.200:10952)
+Computing SHA1(0xC7A97E175D2429A10000000000000000C0A801C82AC8)
+Computed: 0xBAFC9B0669827763D3B433FFD16DFD0674197510
+Received: 0xB425A53A8A35DDFF1464854A9EDF7908887532BF
+Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
+Computing SHA1(0xC7A97E175D2429A10000000000000000|80.xxx.xx.xx:500)
+Computing SHA1(0xC7A97E175D2429A10000000000000000509A4B5301F4)
+Computed: 0x956186DDA29341EFB83A8C93B6990BAD2133CBDB
+Received: 0x956186DDA29341EFB83A8C93B6990BAD2133CBDB
+Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-GCM-16-256
-No intersection
+Config PRF transform(s): PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s):
-No intersection
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
-ENCR transform is obligatory for IKE-Protocol
-Skipping proposal 1
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-GCM-16-256
-No intersection
+Config PRF transform(s): PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-384
-No intersection
+Config INTEG transform(s): HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s):
-No intersection
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
-ENCR/PRF transforms are obligatory for IKE-Protocol
-Skipping proposal 2
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-128-CTR
-No intersection
+Config PRF transform(s): PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
-ENCR transform is obligatory for IKE-Protocol
-Skipping proposal 3
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 14
+Received DH transform(s): 14
+Best intersection: 14
Looking for payload NONCE (40)...Found 1 payload.
+Nonce length=40 bytes
+Nonce=0x7D5B9897A6882CCEDD95ED78F8AD95E180BA81F6A63321BD8253D5DFA32E39B4F8544CC8470D3A87
+SA-DATA-Ni=0x7D5B9897A6882CCEDD95ED78F8AD95E180BA81F6A63321BD8253D5DFA32E39B4F8544CC8470D3A87
[VPN-Status] 2024/07/16 11:01:25,976 Devicetime: 2024/07/16 11:01:28,439
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 1080 bytes
Gateways: 80.xxx.xx.xx:500<--192.168.1.200:10952
SPIs: 0xC7A97E175D2429A10000000000000000, Message-ID 0
Peer identified: DEFAULT
IKE_SA ('', '' IPSEC_IKE SPIs 0xC7A97E175D2429A1BB884BE5C017C456) entered to SADB
Received 5 notifications:
+NAT_DETECTION_DESTINATION_IP(0x956186DDA29341EFB83A8C93B6990BAD2133CBDB) (STATUS)
+NAT_DETECTION_SOURCE_IP(0xB425A53A8A35DDFF1464854A9EDF7908887532BF) (STATUS)
+IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
+REDIRECT_SUPPORTED (STATUS)
+SIGNATURE_HASH_ALGORITHMS(0x0001000200030004) (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
IKE-Proposal-1 (3 transforms)
ENCR : AES-GCM-16-256
PRF : PRF-HMAC-SHA-256
DH : 14
IKE-Proposal-2 (3 transforms)
ENCR : AES-GCM-16-256
PRF : PRF-HMAC-SHA-384
DH : 14
IKE-Proposal-3 (4 transforms)
ENCR : AES-128-CTR
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-4 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-5 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA1
INTEG: HMAC-SHA1
DH : 14
IKE-Proposal-6 (4 transforms)
ENCR : AES-128-CTR
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-7 (4 transforms)
ENCR : AES-CBC-192
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-8 (4 transforms)
ENCR : AES-CBC-192
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-9 (4 transforms)
ENCR : AES-CBC-192
PRF : PRF-HMAC-SHA1
INTEG: HMAC-SHA1
DH : 14
IKE-Proposal-10 (3 transforms)
ENCR : AES-GCM-16-128
PRF : PRF-HMAC-SHA-256
DH : 14
IKE-Proposal-11 (4 transforms)
ENCR : AES-128-CTR
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-12 (4 transforms)
ENCR : AES-CBC-128
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
IKE-Proposal-13 (4 transforms)
ENCR : AES-CBC-128
PRF : PRF-HMAC-SHA1
INTEG: HMAC-SHA1
DH : 14
+Received KE-DH-Group 14 (2048 bits)
[VPN-Debug] 2024/07/16 11:01:26,085 Devicetime: 2024/07/16 11:01:28,600
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NOTIFY(REDIRECT) (41):
+No Redirection
Constructing payload NONCE (40):
+Nonce length=32 bytes
+Nonce=0x0596F0F8EF5EF6A313425DE0BDBE5B8D540CEA861519FF52A23AC1D95F7521E4
+SA-DATA-Nr=0x0596F0F8EF5EF6A313425DE0BDBE5B8D540CEA861519FF52A23AC1D95F7521E4
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
+Computing SHA1(0xC7A97E175D2429A1BB884BE5C017C456|80.xxx.xx.xx:500)
+Computing SHA1(0xC7A97E175D2429A1BB884BE5C017C456509A4B5301F4)
+0xDA23D7C46DBD75F6E2CE6A09D1770CEDAE98069D
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
+Computing SHA1(0xC7A97E175D2429A1BB884BE5C017C456|192.168.1.200:10952)
+Computing SHA1(0xC7A97E175D2429A1BB884BE5C017C456C0A801C82AC8)
+0xF235DBDB782D29E702E75AE9168D772B0C216CA4
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
+0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
+Peer does not support private notifications -> ignore
+Shared secret derived in 82400 micro seconds
IKE_SA(0xC7A97E175D2429A1BB884BE5C017C456).EXPECTED-MSG-ID raised to 1
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xC7A97E175D2429A1BB884BE5C017C45600000000, P1, RESPONDER): Resetting Negotiation SA
(IKE_SA, 'DEFAULT', 'ISAKMP-PEER-DEFAULT', 0xC7A97E175D2429A1BB884BE5C017C45600000000, responder): use_count --5
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 533 bytes (responder)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:4500, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(FRAGMENTATION), VENDOR(FRAGMENTATION(C0000000)), VENDOR(activate lancom-systems notification private range)
[VPN-Status] 2024/07/16 11:01:26,085 Devicetime: 2024/07/16 11:01:28,601
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
IKE-Proposal-4 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 14
+KE-DH-Group 14 (2048 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0xC7A97E175D2429A1, responder cookie: 0xBB884BE5C017C456
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer DEFAULT
Encryption : AES-CBC-256
Integrity : AUTH-HMAC-SHA-256
IKE-DH-Group : 14
PRF : PRF-HMAC-SHA-256
life time soft 07/17/2024 14:01:28 (in 97200 sec) / 0 kb
life time hard 07/17/2024 17:01:28 (in 108000 sec) / 0 kb
DPD: NONE
Negotiated: IKE_FRAGMENTATION IKEV2_FRAGMENTATION
Sending an IKE_SA_INIT-RESPONSE of 533 bytes (responder)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:4500, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 0
[VPN-Debug] 2024/07/16 11:01:26,101 Devicetime: 2024/07/16 11:01:28,604
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:4500
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 1
Payloads: ENCR
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 631979, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:xx:xx:xx:xx, port 5], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000000)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, IDI, NOTIFY(INITIAL_CONTACT), NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED), CERTREQ, CP(REQUEST), SA, TSI, TSR, VENDOR(ikev2 rfc-3706-dead-peer-detection), NOTIFY(MOBIKE_SUPPORTED), NOTIFY(MULTIPLE_AUTH_SUPPORTED)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xC7A97E175D2429A1BB884BE5C017C45600000001, P2, RESPONDER): Setting Negotiation SA
Referencing (CHILD_SA, 0xC7A97E175D2429A1BB884BE5C017C4560000000100, responder): use_count 3
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xC7A97E175D2429A1BB884BE5C017C45600000001, P2, RESPONDER): Resetting Negotiation SA
(CHILD_SA, 0xC7A97E175D2429A1BB884BE5C017C4560000000100, responder): use_count --3
Looking for payload IDI (35)...Found 1 payload.
+Received-ID benutzer:USER_FQDN. Assuming EAP
[VPN-Status] 2024/07/16 11:01:26,101 Devicetime: 2024/07/16 11:01:28,604
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 624 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:4500
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 1
CHILD_SA ('', '' ) entered to SADB
Updating remote port to 10954
Received 4 notifications:
+INITIAL_CONTACT (STATUS)
+HTTP_CERT_LOOKUP_SUPPORTED (STATUS)
+MOBIKE_SUPPORTED (STATUS)
+MULTIPLE_AUTH_SUPPORTED (STATUS)
+Road-warrior identified and accepted (Peer BENUTZER5C13 using <Unknown 0>)
+EAP-Authentication detected
[VPN-Debug] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,743
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0xC7A97E175D2429A1BB884BE5C017C456).EXPECTED-MSG-ID raised to 2
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 1216 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 1
Payloads: ENCR
[VPN-Status] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,743
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID CN=VPN-Gateway:DER_ASN1_DN
+I use AUTH(RSA:SHA1)
+Signature of length 256 bytes (2048 bits) computed
Sending an IKE_AUTH-RESPONSE of 1216 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 1
[VPN-Debug] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,744
Peer BENUTZER5C13: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
[RADIUS-Client] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,749
RADIUS-Client: register UDP listener(s) for responses
-> port is 12139
[RADIUS-Client] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,750
Send RADIUS Authentication Request Id 24 to 127.0.0.1:1812 Backup-Step 1
Authenticator : bc de 6f 17 ab 75 9a 4d ..o..u.M
86 c3 c1 40 20 90 48 a4 ...@ .H.
Message-Authenticator: 2c 24 02 6b af 10 1c 9d ,$.k....
fc 88 0e c4 e7 0a 13 c7 ........
User-Name : benutzer
Calling-Station-Id : 192.168.1.200
NAS-IP-Address : 80.xxx.xx.xx
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 68
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
Service-Type : Login-User
[VPN-Status] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,750
IKE: Adding RADIUS authorization request for: BENUTZER5C13
Remote ID : benutzer
Local gateway : 80.xxx.xx.xx
Remote gateway : 192.168.1.200
Initiator ID : benutzer
EAP ID : benutzer
Identifier : 0x44
RADIUS State : 0x<invalid constData pointer>
EAP-Failure : false
EAP-Success : false
EAP-Message : 13 bytes
RADIUS servers : 127.0.0.1
[VPN-Debug] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,751
Peer BENUTZER5C13 [responder]: Received an IKE_AUTH-REQUEST of 96 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 2
Payloads: ENCR
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 631979, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:xx:xx:xx:xx, port 5], local port: 4500, remote port: 10954, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000004)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, EAP
[VPN-Status] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,751
Peer BENUTZER5C13 [responder]: Received an IKE_AUTH-REQUEST of 96 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 2
Updating remote port to 10954
+Forwarding EAP-RESPONSE(68/IDENTITY) to RADIUS server
[RADIUS-Server] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,751
Received RADIUS Authentication Request request 24 from client 127.0.0.1:12139[#Loopback]:
-->found client in dynamic table
-->known attributes of request:
User-Name : benutzer
Service-Type : Login-User
NAS-IP-Address : 80.xxx.xx.xx
Calling-Station-Id : 192.168.1.200
Message-Authenticator: 2c 24 02 6b af 10 1c 9d ,$.k....
fc 88 0e c4 e7 0a 13 c7 ........
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 68
EAP Packet Len : 13
EAP Packet Type : Identity
Identity String : benutzer
-->user name contains no realm, using empty realm
-->realm of user is ''
-->authenticating locally
-->found user 'benutzer' in database(s)
-->authenticating via EAP
-->queueing request for later response
[RADIUS-Server] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,753
Got Response for queued RADIUS request 24 from client 127.0.0.1:12139[#Loopback]:
-->response to access request via non-secure transport, enforce message authenticator
-->response type is Challenge, response attributes:
State : 04 19 a6 52 02 0c d3 29 ...R...)
ec be ea b4 76 5f 75 5a ....v_uZ
EAP-Message:
(5 bytes)
-->EAP Header
EAP Packet Code : Request
EAP Packet Id : 69
EAP Packet Len : 5
EAP Packet Type : One-Time-Passwd
One-Time-Passwd Data:
Message-Authenticator: 2d 57 4b 85 91 1b 84 cd -WK.....
52 39 0a a9 5c 7d f6 4f R9..\}.O
(Message-Authenticator is at front of attribute list)
-->sending response
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,754
Received RADIUS Challenge Id 24 from 127.0.0.1 on Port 12139
-->found corr. request 24 to 127.0.0.1:1812,
Message-Authenticator: 2d 57 4b 85 91 1b 84 cd -WK.....
52 39 0a a9 5c 7d f6 4f R9..\}.O
State : 04 19 a6 52 02 0c d3 29 ...R...)
ec be ea b4 76 5f 75 5a ....v_uZ
EAP-Message:
(5 bytes)
-->EAP Header
EAP Packet Code : Request
EAP Packet Id : 69
EAP Packet Len : 5
EAP Packet Type : One-Time-Passwd
One-Time-Passwd Data:
-->trigger requester
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,754
RADIUS-Client:
deregister UDP listener for responses on port 12139
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,754
IKE: Succeeded RADIUS authorization request for: BENUTZER5C13
Server : 127.0.0.1
Response attributes:
EAP-Message : 5 bytes
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,754
Received RADIUS-SUCCESS for peer BENUTZER5C13
[VPN-Debug] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,755
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0xC7A97E175D2429A1BB884BE5C017C456).EXPECTED-MSG-ID raised to 3
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 80 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 2
Payloads: ENCR
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,755
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Sending EAP-REQUEST(69/OTP)
Sending an IKE_AUTH-RESPONSE of 80 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 2
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,758
RADIUS-Client: register UDP listener(s) for responses
-> port is 10624
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,759
Send RADIUS Authentication Request Id 25 to 127.0.0.1:1812 Backup-Step 1
Authenticator : ad 76 3b bd 7e bf 7f 9f .v;.~...
ef 57 8b 65 12 89 64 32 .W.e..d2
Message-Authenticator: e6 1f ce c6 85 c4 36 ff ......6.
56 6b d8 05 0e 37 a3 54 Vk...7.T
User-Name : benutzer
Calling-Station-Id : 192.168.1.200
NAS-IP-Address : 80.xxx.xx.xx
EAP-Message:
(39 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 69
EAP Packet Len : 39
EAP Packet Type : One-Time-Passwd
One-Time-Passwd Data: 01 08 62 65 6e 75 74 7a ..benutz
65 72 02 16 41 42 43 44 er..ABCD
45 46 47 48 49 4a 4b 4c EFGHIJKL
4d 4e 4f 50 36 36 30 38 MNOP6608
39 33 93
State : 04 19 a6 52 02 0c d3 29 ...R...)
ec be ea b4 76 5f 75 5a ....v_uZ
Service-Type : Login-User
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,759
IKE: Adding RADIUS authorization request for: BENUTZER5C13
Remote ID : benutzer
Local gateway : 80.xxx.xx.xx
Remote gateway : 192.168.1.200
Initiator ID : benutzer
EAP ID : benutzer
Identifier : 0x45
RADIUS State : 0x0419A652020CD329ECBEEAB4765F755A
EAP-Failure : false
EAP-Success : false
EAP-Message : 39 bytes
RADIUS servers : 127.0.0.1
[VPN-Debug] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,759
Peer BENUTZER5C13 [responder]: Received an IKE_AUTH-REQUEST of 112 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 3
Payloads: ENCR
Peer BENUTZER5C13: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 631979, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:xx:xx:xx:xx, port 5], local port: 4500, remote port: 10954, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000004)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, EAP
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,759
Peer BENUTZER5C13 [responder]: Received an IKE_AUTH-REQUEST of 112 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 3
Updating remote port to 10954
+Forwarding EAP-RESPONSE(69/OTP) to RADIUS server
[RADIUS-Server] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,760
Received RADIUS Authentication Request request 25 from client 127.0.0.1:10624[#Loopback]:
-->found client in dynamic table
-->known attributes of request:
User-Name : benutzer
Service-Type : Login-User
NAS-IP-Address : 80.xxx.xx.xx
State : 04 19 a6 52 02 0c d3 29 ...R...)
ec be ea b4 76 5f 75 5a ....v_uZ
Calling-Station-Id : 192.168.1.200
Message-Authenticator: e6 1f ce c6 85 c4 36 ff ......6.
56 6b d8 05 0e 37 a3 54 Vk...7.T
EAP-Message:
(39 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 69
EAP Packet Len : 39
EAP Packet Type : One-Time-Passwd
One-Time-Passwd Data: 01 08 62 65 6e 75 74 7a ..benutz
65 72 02 16 41 42 43 44 er..ABCD
45 46 47 48 49 4a 4b 4c EFGHIJKL
4d 4e 4f 50 36 36 30 38 MNOP6608
39 33 93
-->user name contains no realm, using empty realm
-->realm of user is ''
-->authenticating locally
-->found user 'benutzer' in database(s)
-->authenticating via EAP
-->queueing request for later response
[RADIUS-Server] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,762
Got Response for queued RADIUS request 25 from client 127.0.0.1:10624[#Loopback]:
-->response to access request via non-secure transport, enforce message authenticator
-->response type is Reject, response attributes:
EAP-Message:
(4 bytes)
-->EAP Header
EAP Packet Code : Failure
EAP Packet Id : 69
EAP Packet Len : 4
Message-Authenticator: 57 9c 5f bd 0a 51 bd 2d W._..Q.-
d0 b7 93 c3 f5 ad 05 7b .......{
(Message-Authenticator is at front of attribute list)
-->sending response
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,763
Received RADIUS Reject Id 25 from 127.0.0.1 on Port 10624
-->found corr. request 25 to 127.0.0.1:1812,
Message-Authenticator: 57 9c 5f bd 0a 51 bd 2d W._..Q.-
d0 b7 93 c3 f5 ad 05 7b .......{
EAP-Message:
(4 bytes)
-->EAP Header
EAP Packet Code : Failure
EAP Packet Id : 69
EAP Packet Len : 4
-->trigger requester
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,764
RADIUS-Client:
deregister UDP listener for responses on port 10624
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,764
IKE: Failed RADIUS authorization request for: BENUTZER5C13
Reason : Access denied
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,764
-Received RADIUS-FAIL for peer BENUTZER5C13
[VPN-Debug] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,764
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
IKE_SA(0xC7A97E175D2429A1BB884BE5C017C456).EXPECTED-MSG-ID raised to 4
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 128 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 3
Payloads: ENCR
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,765
Peer BENUTZER5C13: Constructing an IKE_AUTH-RESPONSE for send
Sending EAP-RESPONSE(69/OTP)
NOTIFY(AUTHENTICATION_FAILED)
Sending an IKE_AUTH-RESPONSE of 128 bytes (responder encrypted)
Gateways: 80.xxx.xx.xx:4500-->192.168.1.200:10954, tag 0 (UDP)
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 3
[VPN-Debug] 2024/07/16 11:01:26,570 Devicetime: 2024/07/16 11:01:29,094
Peer BENUTZER5C13 [responder]: Received an INFORMATIONAL-REQUEST of 80 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 4
Payloads: ENCR
Peer BENUTZER5C13: Trigger next pended request to establish an exchange
Current request is none
IKE_SA is not REPLACED
There are 0 pending requests
QUB-DATA: 80.xxx.xx.xx:4500<---192.168.1.200:10954 rtg_tag 0 physical-channel LAN
transport: [id: 631979, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.1.200, tag 0 (U), src: 80.xxx.xx.xx, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTRANET (2), mac address: 08:92:xx:xx:xx:xx, port 5], local port: 4500, remote port: 10954, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
[VPN-Status] 2024/07/16 11:01:26,601 Devicetime: 2024/07/16 11:01:29,094
Peer BENUTZER5C13 [responder]: Received an INFORMATIONAL-REQUEST of 80 bytes (encrypted)
Gateways: 80.xxx.xx.xx:4500<--192.168.1.200:10954
SPIs: 0xC7A97E175D2429A1BB884BE5C017C456, Message-ID 4
Could not create an INFORMATIONAL exchange for peer (could not set com channel handle for peer BENUTZER5C13)
[RADIUS-Server] 2024/07/16 11:01:34,023 Devicetime: 2024/07/16 11:01:36,544
Checking for dead accounting sessions:
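Added example, not part of the thread and not LANCOM code: a small Python helper that walks a trace like the one above and correlates each RADIUS request id with the EAP packet it carried, the server's answer (Challenge/Reject/Accept) and the IKE-side outcome, so the failing step is visible without reading the whole dump. The embedded TRACE is an excerpt of the post above, trimmed to the lines the parser keys on; the section names, regular expressions and the wording of the findings are this example's own assumptions about the trace format.

```python
import re

# Excerpt of the trace posted above, trimmed to the lines this parser keys on
# (the RADIUS ids, addresses and user name are the ones shown in the post).
TRACE = """\
[RADIUS-Client] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,750
Send RADIUS Authentication Request Id 24 to 127.0.0.1:1812 Backup-Step 1
User-Name : benutzer
EAP-Message:
(13 bytes)
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 68
EAP Packet Type : Identity
Identity String : benutzer
[RADIUS-Server] 2024/07/16 11:01:26,226 Devicetime: 2024/07/16 11:01:28,753
Got Response for queued RADIUS request 24 from client 127.0.0.1:12139[#Loopback]:
-->response type is Challenge, response attributes:
EAP Packet Code : Request
EAP Packet Id : 69
EAP Packet Type : One-Time-Passwd
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,754
Received RADIUS Challenge Id 24 from 127.0.0.1 on Port 12139
-->EAP Header
EAP Packet Code : Request
EAP Packet Id : 69
EAP Packet Type : One-Time-Passwd
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,754
IKE: Succeeded RADIUS authorization request for: BENUTZER5C13
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,759
Send RADIUS Authentication Request Id 25 to 127.0.0.1:1812 Backup-Step 1
User-Name : benutzer
EAP Packet Code : Response
EAP Packet Id : 69
EAP Packet Type : One-Time-Passwd
[RADIUS-Client] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,763
Received RADIUS Reject Id 25 from 127.0.0.1 on Port 10624
EAP Packet Code : Failure
EAP Packet Id : 69
[VPN-Status] 2024/07/16 11:01:26,242 Devicetime: 2024/07/16 11:01:28,764
IKE: Failed RADIUS authorization request for: BENUTZER5C13
Reason : Access denied
"""

SECTION_RE = re.compile(r"^\[([\w-]+)\] \d{4}/\d{2}/\d{2}")
SEND_RE = re.compile(r"Send RADIUS Authentication Request Id (\d+) to (\S+)")
RECV_RE = re.compile(r"Received RADIUS (\w+) Id (\d+) from (\S+) on Port (\d+)")
EAP_CODE_RE = re.compile(r"EAP Packet Code\s*:\s*(\w+)")
EAP_ID_RE = re.compile(r"EAP Packet Id\s*:\s*(\d+)")
EAP_TYPE_RE = re.compile(r"EAP Packet Type\s*:\s*([\w-]+)")
IKE_RESULT_RE = re.compile(r"IKE: (Succeeded|Failed) RADIUS authorization request for: (\S+)")
REASON_RE = re.compile(r"^Reason\s*:\s*(.+)$")


def parse_trace(text: str) -> dict:
    """Correlate each RADIUS request id with the EAP packet it carried, the RADIUS answer
    (Challenge/Reject/Accept) and the IKE-side outcome. EAP header lines are only read
    inside [RADIUS-Client] sections: the [RADIUS-Server] sections repeat the same packets
    and would otherwise overwrite the request-side fields with the response."""
    exchanges: dict = {}
    section = None
    ctx = None        # (radius id, "request" | "response") within a RADIUS-Client section
    last_id = None    # most recent id, so VPN-Status lines can be attached to it
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, ctx = m.group(1), None
            continue
        if section == "RADIUS-Client":
            m = SEND_RE.search(line)
            if m:
                rid = int(m.group(1))
                exchanges[rid] = {"server": m.group(2), "request": {}, "response": {}}
                ctx = (rid, "request")
                last_id = rid
                continue
            m = RECV_RE.search(line)
            if m:
                rid = int(m.group(2))
                ex = exchanges.setdefault(rid, {"server": m.group(3), "request": {}, "response": {}})
                ex["result"] = m.group(1)
                ctx = (rid, "response")
                last_id = rid
                continue
            if ctx is None:
                continue
            rid, side = ctx
            for key, rx in (("eap_code", EAP_CODE_RE), ("eap_id", EAP_ID_RE), ("eap_type", EAP_TYPE_RE)):
                m = rx.search(line)
                if m:
                    exchanges[rid][side][key] = int(m.group(1)) if key == "eap_id" else m.group(1)
        elif section == "VPN-Status" and last_id is not None:
            m = IKE_RESULT_RE.search(line)
            if m:
                exchanges[last_id]["ike"] = m.group(1)
                exchanges[last_id]["peer"] = m.group(2)
                continue
            m = REASON_RE.match(line)
            if m and exchanges[last_id].get("ike") == "Failed":
                exchanges[last_id]["reason"] = m.group(1).strip()
    return exchanges


def diagnose(exchanges: dict) -> list:
    """One finding per RADIUS exchange, phrased as the next thing to check."""
    findings = []
    for rid, ex in exchanges.items():
        req_type = ex["request"].get("eap_type")
        result = ex.get("result")
        if result is None:
            findings.append(f"id {rid}: no RADIUS answer seen; check that the server/port is reachable "
                            "and listed under the RADIUS service ports")
        elif req_type == "Identity" and result == "Challenge":
            findings.append(f"id {rid}: user known to the RADIUS server, challenged for EAP "
                            f"{ex['response'].get('eap_type', '?')}")
        elif req_type == "One-Time-Passwd" and result == "Reject":
            findings.append(f"id {rid}: OTP answer rejected ({ex.get('reason', 'no reason logged')}); "
                            "check password and OTP digits, the TOTP hash algorithm (SHA-1 vs SHA-256) "
                            "enrolled in the authenticator app, and the clock offset between router and phone")
        else:
            findings.append(f"id {rid}: {result} for EAP {req_type or '?'}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(TRACE)):
        print(finding)
```

Run on the excerpt it reports that request 24 (EAP Identity) was answered with an OTP challenge and that request 25 (the EAP One-Time-Passwd answer) was rejected with "Access denied", which is exactly the point where the password, the OTP and the server-side OTP account settings have to be compared. One hygiene note on traces of this kind: the One-Time-Passwd Data hex dump above is printed with its ASCII column, so the user name and what appears to be the password followed by the 6-digit OTP are readable in cleartext; sanitize such output before posting it.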
- Posts: 184
- Registered: 08 Jul 2022, 12:53
- Location: Aachen
Re: OTP with Lancom VPN Client
The trace already helps. The user is found in the RADIUS server. But then the server sends a Reject, either for the password or for the OTP.
A shot in the dark: you are using an authenticator app on Android or the Microsoft Authenticator and have used SHA-256?
Try the whole thing with SHA-1 for the authenticator, as described in the KB article. In my experience that is 80% of the problem cases. This is not about SHA-1 in IKEv2.
Alternatively, check the time between the router and the authenticator.
Re: OTP with Lancom VPN Client
> But then the server sends a Reject, either for the password or for the OTP.
You would see that in an EAP trace.
Re: OTP with Lancom VPN Client
First things first: it works NOW!!!
Thanks for the support.
At first I tried it with my preferred Microsoft Authenticator app with SHA-1. Since the connection setup did not work, I additionally installed the Google Authenticator app with SHA-256.
I also created 2 different users, i.e. OTP user accounts, and have just found out that I had transposed digits in the passwords.
In my case it was really only the missing port under the RADIUS service ports.
Thanks and regards
David