Hello,
we want to connect 2 networks using 2 LC 1711+ (latest firmware installed). For the setup we followed Lancom's guide for setting up the LAN-LAN coupling with certificates (see here).
However, the connection cannot be established; the following error message is logged in the Lancom monitor:
"Zeitüberschreitung während IKE- oder IPSec-Verhandlung (Initiator) [0x1106]"
A trace of the VPN connection produced the following error messages:
######################################################
[VPN-Status] 2009/06/29 18:54:22,230
VPN: connecting to VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:22,250
VPN: start dynamic VPN negotiation for VC (xxx.xx.xxx.xx) via ICMP/UDP
[VPN-Status] 2009/06/29 18:54:22,250
VPN: create dynamic VPN V2 authentication packet for VC (xxx.xx.xxx.xx)
DNS: 192.168.156.2, 0.0.0.0
NBNS: 192.168.156.2, 0.0.0.0
polling address: 192.168.156.2
[VPN-Status] 2009/06/29 18:54:22,250
VPN: installing ruleset for VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:22,270
VPN: ruleset installed for VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:22,270
VPN: start IKE negotiation for VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:22,280
VPN: rulesets installed
[VPN-Status] 2009/06/29 18:54:22,290
IKE info: Phase-1 negotiation started for peer VC rule isakmp-peer-VC using MAIN mode
[VPN-Status] 2009/06/29 18:54:22,380
IKE info: unexpected cleartext message received from peer unknown and dropped in phase-2
[VPN-Status] 2009/06/29 18:54:22,380
IKE log: 185422.000000 Default dropped message from xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:22,380
IKE info: dropped message from peer unknown xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:29,460
IKE info: unexpected cleartext message received from peer unknown and dropped in phase-2
[VPN-Status] 2009/06/29 18:54:29,460
IKE log: 185429.000000 Default dropped message from xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:29,460
IKE info: dropped message from peer unknown xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:38,540
IKE info: unexpected cleartext message received from peer unknown and dropped in phase-2
[VPN-Status] 2009/06/29 18:54:38,540
IKE log: 185438.000000 Default dropped message from xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:38,540
IKE info: dropped message from peer unknown xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:49,620
IKE info: unexpected cleartext message received from peer unknown and dropped in phase-2
[VPN-Status] 2009/06/29 18:54:49,620
IKE log: 185449.000000 Default dropped message from xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:49,620
IKE info: dropped message from peer unknown xxx.xx.xxx.xx port 500 due to notification type INVALID_FLAGS
[VPN-Status] 2009/06/29 18:54:52,280
VPN: connection for VC (xxx.xx.xxx.xx) timed out: no response
[VPN-Status] 2009/06/29 18:54:52,280
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:52,280
VPN: disconnecting VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:52,280
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for VC (xxx.xx.xxx.xx)
[VPN-Status] 2009/06/29 18:54:52,300
VPN: VC (xxx.xx.xxx.xx) disconnected
######################################################
Does anyone have an idea? How can we narrow the problem down further?
Regards, and thanks in advance for any answers!
Stangl
Problem with LAN-LAN coupling with 2x LC1711+ & certificate