VPN connection keeps dropping

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

phoenixz
Posts: 76
Joined: 15 Nov 2008, 21:14
Location: Köln

VPN connection keeps dropping

Post by phoenixz »

Hello everyone,

the following configuration:
2x Lancom 1723 at two different sites, each with a static IP

I am trying to set up a VPN tunnel between the two Lancoms using the VPN wizard. The VPN connection is established and stays up until I send a ping to a downstream device (in this case a network printer). The pings get through for a while, until after a few seconds/minutes the VPN connection is cut with the message:

Keine Regel für ID's gefunden - unbekannte Verbindung oder fehlerhafte ID (z.B. IP-Netzwerkdefinition) (Responder, IPSec) [0x3201]

I can't make any sense of the trace. Would someone be so kind as to give me a pointer to the source of the error?

Many thanks in advance!

Code:

[VPN-Status] 2011/11/21 20:38:58,881  Devicetime: 2011/11/21 20:38:58,260
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer AP_VPN, sequence nr 0x76c93d3b

[VPN-Status] 2011/11/21 20:38:58,990  Devicetime: 2011/11/21 20:38:58,290
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer AP_VPN Seq-Nr 0x76c93d3b, expected 0x76c93d3b


[VPN-Status] 2011/11/21 20:39:06,318  Devicetime: 2011/11/21 20:39:05,700
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer AP_VPN

[VPN-Status] 2011/11/21 20:39:06,318  Devicetime: 2011/11/21 20:39:05,700
policy manager error indication: AP_VPN (88.79.167.42), cause: 12546

[VPN-Status] 2011/11/21 20:39:06,318  Devicetime: 2011/11/21 20:39:05,700
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,000
IKE info: Delete Notification received for Phase-1 SA isakmp-peer-AP_VPN peer AP_VPN cookies [732e184968ec3513 16a522050dc571f7]

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,000
IKE info: Phase-1 SA removed: peer AP_VPN rule AP_VPN removed

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,000
VPN: AP_VPN (88.79.167.42)  disconnected

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,000
vpn-maps[22], remote: AP_VPN, idle, static-name

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,010
selecting first remote gateway using strategy eFirst for AP_VPN
     => CurrIdx=0, IpStr=>88.79.167.42<, IpAddr=88.79.167.42, IpTtl=0s

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,010
VPN: installing ruleset for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,010
VPN: WAN state changed to WanDisconnect for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:39:09,646  Devicetime: 2011/11/21 20:39:09,010
VPN: WAN state changed to WanIdle for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,010
VPN: WAN state changed to WanCall for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,010
VPN: connecting to AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,010
vpn-maps[22], remote: AP_VPN, nego, static-name, connected-by-name

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,010
vpn-maps[22], remote: AP_VPN, nego, static-name, connected-by-name

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,020
vpn-maps[22], remote: AP_VPN, nego, static-name, connected-by-name

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,020
VPN: start IKE negotiation for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,020
VPN: WAN state changed to WanProtocol for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,020
IKE info: Phase-1 negotiation started for peer AP_VPN rule isakmp-peer-AP_VPN using MAIN mode

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,030
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> negotiated rfc-3706-dead-peer-detection

[VPN-Status] 2011/11/21 20:39:10,661  Devicetime: 2011/11/21 20:39:10,030
IKE info: Phase-1 remote proposal 1 for peer AP_VPN matched with local proposal 1

[VPN-Status] 2011/11/21 20:39:10,880  Devicetime: 2011/11/21 20:39:10,070
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> negotiated rfc-3706-dead-peer-detection

[VPN-Status] 2011/11/21 20:39:10,880  Devicetime: 2011/11/21 20:39:10,070
IKE info: Phase-1 remote proposal 1 for peer AP_VPN matched with local proposal 1

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,270
IKE info: Phase-1 [responder] got INITIAL-CONTACT from peer AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,270
IKE info: Phase-1 [responder] for peer AP_VPN between initiator id  192.168.11.2, responder id  92.79.183.55 done
IKE info: SA ISAKMP for peer AP_VPN encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,270
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 97200 seconds (Responder)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,270
IKE info: Phase-1 SA Timeout (Hard-Event) for peer AP_VPN set to 108000 seconds (Responder)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,300
IKE info: Phase-1 [inititiator] got INITIAL-CONTACT from peer AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,300
IKE info: Phase-1 SA removed: peer AP_VPN rule AP_VPN removed

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,300
IKE info: Phase-1 [inititiator] for peer AP_VPN between initiator id  92.79.183.55, responder id  88.79.167.42 done
IKE info: SA ISAKMP for peer AP_VPN encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,300
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 86400 seconds (Initiator)

[VPN-Status] 2011/11/21 20:39:10,943  Devicetime: 2011/11/21 20:39:10,300
IKE info: Phase-1 SA Timeout (Hard-Event) for peer AP_VPN set to 108000 seconds (Initiator)

[VPN-Status] 2011/11/21 20:39:11,083  Devicetime: 2011/11/21 20:39:10,460
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 1600 seconds (Initiator)

[VPN-Status] 2011/11/21 20:39:11,083  Devicetime: 2011/11/21 20:39:10,460
IKE info: Phase-2 SA Timeout (Hard-Event) for peer AP_VPN set to 2000 seconds (Initiator)

[VPN-Status] 2011/11/21 20:39:11,083  Devicetime: 2011/11/21 20:39:10,460
IKE info: Phase-2 [inititiator] done with 2 SAS for peer AP_VPN rule ipsec-0-AP_VPN-pr0-l0-r0
IKE info: rule:' ipsec 192.168.2.0/255.255.255.0 <-> 192.168.11.0/255.255.255.0 '
IKE info: SA ESP [0x5e7c2537]  alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x5a8ab94c]  alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 92.79.183.55 dst: 88.79.167.42  

[VPN-Status] 2011/11/21 20:39:12,099  Devicetime: 2011/11/21 20:39:11,460
VPN: AP_VPN connected

[VPN-Status] 2011/11/21 20:39:12,099  Devicetime: 2011/11/21 20:39:11,460
VPN: WAN state changed to WanConnect for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:39:12,099  Devicetime: 2011/11/21 20:39:11,460
vpn-maps[22], remote: AP_VPN, connected, static-name, connected-by-name


[VPN-Status] 2011/11/21 20:39:41,660  Devicetime: 2011/11/21 20:39:41,030
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> negotiated rfc-3706-dead-peer-detection

[VPN-Status] 2011/11/21 20:39:41,660  Devicetime: 2011/11/21 20:39:41,030
IKE info: Phase-1 remote proposal 1 for peer AP_VPN matched with local proposal 1

[VPN-Status] 2011/11/21 20:39:41,832  Devicetime: 2011/11/21 20:39:41,200
IKE info: Phase-1 [responder] got INITIAL-CONTACT from peer AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:41,832  Devicetime: 2011/11/21 20:39:41,200
IKE info: Phase-1 SA removed: peer AP_VPN rule AP_VPN removed

[VPN-Status] 2011/11/21 20:39:41,832  Devicetime: 2011/11/21 20:39:41,200
IKE info: Phase-2 SA removed: peer AP_VPN rule ipsec-0-AP_VPN-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [5e7c2537  ] [5a8ab94c  ]

[VPN-Status] 2011/11/21 20:39:41,832  Devicetime: 2011/11/21 20:39:41,200
IKE info: Phase-1 [responder] for peer AP_VPN between initiator id  192.168.11.2, responder id  92.79.183.55 done
IKE info: SA ISAKMP for peer AP_VPN encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)

[VPN-Status] 2011/11/21 20:39:41,832  Devicetime: 2011/11/21 20:39:41,200
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 97200 seconds (Responder)

[VPN-Status] 2011/11/21 20:39:41,832  Devicetime: 2011/11/21 20:39:41,200
IKE info: Phase-1 SA Timeout (Hard-Event) for peer AP_VPN set to 108000 seconds (Responder)

[VPN-Status] 2011/11/21 20:39:42,035  Devicetime: 2011/11/21 20:39:41,250
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids  192.168.11.0/255.255.255.0 <->  192.168.118.0/255.255.255.0
IKE log: 203941.000000 Default message_negotiate_sa: no compatible proposal found
IKE log: 203941.000000 Default dropped message from 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer AP_VPN 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2011/11/21 20:39:42,035  Devicetime: 2011/11/21 20:39:41,260
policy manager error indication: AP_VPN (88.79.167.42), cause: 12801

[VPN-Status] 2011/11/21 20:39:42,035  Devicetime: 2011/11/21 20:39:41,260
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:42,270  Devicetime: 2011/11/21 20:39:41,640
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer AP_VPN

[VPN-Status] 2011/11/21 20:39:42,270  Devicetime: 2011/11/21 20:39:41,640
policy manager error indication: AP_VPN (88.79.167.42), cause: 12546

[VPN-Status] 2011/11/21 20:39:42,270  Devicetime: 2011/11/21 20:39:41,640
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for AP_VPN (88.79.167.42)


[VPN-Status] 2011/11/21 20:39:49,270  Devicetime: 2011/11/21 20:39:48,640
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids  192.168.11.0/255.255.255.0 <->  192.168.118.0/255.255.255.0
IKE log: 203948.000000 Default message_negotiate_sa: no compatible proposal found
IKE log: 203948.000000 Default dropped message from 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer AP_VPN 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2011/11/21 20:39:49,270  Devicetime: 2011/11/21 20:39:48,650
policy manager error indication: AP_VPN (88.79.167.42), cause: 12801

[VPN-Status] 2011/11/21 20:39:49,270  Devicetime: 2011/11/21 20:39:48,650
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:49,379  Devicetime: 2011/11/21 20:39:48,680
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer AP_VPN

[VPN-Status] 2011/11/21 20:39:49,379  Devicetime: 2011/11/21 20:39:48,680
policy manager error indication: AP_VPN (88.79.167.42), cause: 12546

[VPN-Status] 2011/11/21 20:39:49,379  Devicetime: 2011/11/21 20:39:48,680
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for AP_VPN (88.79.167.42)


[VPN-Status] 2011/11/21 20:39:58,316  Devicetime: 2011/11/21 20:39:57,690
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids  192.168.11.0/255.255.255.0 <->  192.168.118.0/255.255.255.0
IKE log: 203957.000000 Default message_negotiate_sa: no compatible proposal found
IKE log: 203957.000000 Default dropped message from 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer AP_VPN 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2011/11/21 20:39:58,316  Devicetime: 2011/11/21 20:39:57,700
policy manager error indication: AP_VPN (88.79.167.42), cause: 12801

[VPN-Status] 2011/11/21 20:39:58,316  Devicetime: 2011/11/21 20:39:57,700
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:58,441  Devicetime: 2011/11/21 20:39:57,720
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer AP_VPN

[VPN-Status] 2011/11/21 20:39:58,441  Devicetime: 2011/11/21 20:39:57,720
policy manager error indication: AP_VPN (88.79.167.42), cause: 12546

[VPN-Status] 2011/11/21 20:39:58,441  Devicetime: 2011/11/21 20:39:57,720
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:39:59,332  Devicetime: 2011/11/21 20:39:58,720
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer AP_VPN, sequence nr 0x42f37b0b

[VPN-Status] 2011/11/21 20:39:59,441  Devicetime: 2011/11/21 20:39:58,750
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer AP_VPN Seq-Nr 0x42f37b0b, expected 0x42f37b0b


[VPN-Status] 2011/11/21 20:40:09,394  Devicetime: 2011/11/21 20:40:08,760
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids  192.168.11.0/255.255.255.0 <->  192.168.118.0/255.255.255.0
IKE log: 204008.000000 Default message_negotiate_sa: no compatible proposal found
IKE log: 204008.000000 Default dropped message from 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer AP_VPN 88.79.167.42 port 500 due to notification type NO_PROPOSAL_CHOSEN

[VPN-Status] 2011/11/21 20:40:09,394  Devicetime: 2011/11/21 20:40:08,770
policy manager error indication: AP_VPN (88.79.167.42), cause: 12801

[VPN-Status] 2011/11/21 20:40:09,394  Devicetime: 2011/11/21 20:40:08,770
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:09,503  Devicetime: 2011/11/21 20:40:08,790
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer AP_VPN

[VPN-Status] 2011/11/21 20:40:09,503  Devicetime: 2011/11/21 20:40:08,790
policy manager error indication: AP_VPN (88.79.167.42), cause: 12546

[VPN-Status] 2011/11/21 20:40:09,503  Devicetime: 2011/11/21 20:40:08,790
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,030
IKE info: Delete Notification received for Phase-1 SA isakmp-peer-AP_VPN peer AP_VPN cookies [b766c2787450a7d4 6716ec9b0b443516]

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,030
IKE info: Phase-1 SA removed: peer AP_VPN rule AP_VPN removed

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,030
VPN: AP_VPN (88.79.167.42)  disconnected

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,030
vpn-maps[22], remote: AP_VPN, idle, static-name

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,040
selecting first remote gateway using strategy eFirst for AP_VPN
     => CurrIdx=0, IpStr=>88.79.167.42<, IpAddr=88.79.167.42, IpTtl=0s

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,040
VPN: installing ruleset for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,040
VPN: WAN state changed to WanDisconnect for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:40:11,675  Devicetime: 2011/11/21 20:40:11,050
VPN: WAN state changed to WanIdle for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,040
VPN: WAN state changed to WanCall for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,040
VPN: connecting to AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,040
vpn-maps[22], remote: AP_VPN, nego, static-name, connected-by-name

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,040
vpn-maps[22], remote: AP_VPN, nego, static-name, connected-by-name

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,050
vpn-maps[22], remote: AP_VPN, nego, static-name, connected-by-name

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,050
VPN: start IKE negotiation for AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,050
VPN: WAN state changed to WanProtocol for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,050
IKE info: Phase-1 negotiation started for peer AP_VPN rule isakmp-peer-AP_VPN using MAIN mode

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,060
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> negotiated rfc-3706-dead-peer-detection

[VPN-Status] 2011/11/21 20:40:12,691  Devicetime: 2011/11/21 20:40:12,060
IKE info: Phase-1 remote proposal 1 for peer AP_VPN matched with local proposal 1

[VPN-Status] 2011/11/21 20:40:12,863  Devicetime: 2011/11/21 20:40:12,100
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> is Enigmatec IPSEC version 1.5.1
IKE info: The remote server 88.79.167.42:500 (UDP) peer AP_VPN id <no_id> negotiated rfc-3706-dead-peer-detection

[VPN-Status] 2011/11/21 20:40:12,863  Devicetime: 2011/11/21 20:40:12,100
IKE info: Phase-1 remote proposal 1 for peer AP_VPN matched with local proposal 1

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,300
IKE info: Phase-1 [responder] got INITIAL-CONTACT from peer AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,300
IKE info: Phase-1 [responder] for peer AP_VPN between initiator id  192.168.11.2, responder id  92.79.183.55 done
IKE info: SA ISAKMP for peer AP_VPN encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,300
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 97200 seconds (Responder)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,300
IKE info: Phase-1 SA Timeout (Hard-Event) for peer AP_VPN set to 108000 seconds (Responder)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,340
IKE info: Phase-1 [inititiator] got INITIAL-CONTACT from peer AP_VPN (88.79.167.42)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,340
IKE info: Phase-1 SA removed: peer AP_VPN rule AP_VPN removed

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,340
IKE info: Phase-1 [inititiator] for peer AP_VPN between initiator id  92.79.183.55, responder id  88.79.167.42 done
IKE info: SA ISAKMP for peer AP_VPN encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,340
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 86400 seconds (Initiator)

[VPN-Status] 2011/11/21 20:40:12,972  Devicetime: 2011/11/21 20:40:12,340
IKE info: Phase-1 SA Timeout (Hard-Event) for peer AP_VPN set to 108000 seconds (Initiator)

[VPN-Status] 2011/11/21 20:40:13,113  Devicetime: 2011/11/21 20:40:12,490
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer AP_VPN set to 1600 seconds (Initiator)

[VPN-Status] 2011/11/21 20:40:13,113  Devicetime: 2011/11/21 20:40:12,490
IKE info: Phase-2 SA Timeout (Hard-Event) for peer AP_VPN set to 2000 seconds (Initiator)

[VPN-Status] 2011/11/21 20:40:13,113  Devicetime: 2011/11/21 20:40:12,490
IKE info: Phase-2 [inititiator] done with 2 SAS for peer AP_VPN rule ipsec-0-AP_VPN-pr0-l0-r0
IKE info: rule:' ipsec 192.168.2.0/255.255.255.0 <-> 192.168.11.0/255.255.255.0 '
IKE info: SA ESP [0x56fac65b]  alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x36b5881b]  alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 92.79.183.55 dst: 88.79.167.42  

[VPN-Status] 2011/11/21 20:40:14,128  Devicetime: 2011/11/21 20:40:13,490
VPN: AP_VPN connected

[VPN-Status] 2011/11/21 20:40:14,128  Devicetime: 2011/11/21 20:40:13,490
VPN: WAN state changed to WanConnect for AP_VPN (88.79.167.42), called by: 001cfad7

[VPN-Status] 2011/11/21 20:40:14,128  Devicetime: 2011/11/21 20:40:13,490
vpn-maps[22], remote: AP_VPN, connected, static-name, connected-by-name
backslash
Moderator
Posts: 7129
Joined: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi phoenixz

the trace tells you exactly what is wrong:
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids 192.168.11.0/255.255.255.0 <-> 192.168.118.0/255.255.255.0
Here the remote side, from the network 192.168.11.0, requests a connection to the local network 192.168.118.0, and there are no network relationships for exactly that. On both sides, check the respective local network, the route into the VPN tunnel and any manually created VPN rules; they must all be mirror images of each other.

Regards
Backslash
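
The check described in the reply above, as an added example that is not part of the original thread: it reads VPN-Status trace lines, collects the network pairs of established Phase-2 SAs and compares them with the pairs the peer proposed and the device rejected. The function names are hypothetical, the sample lines are copied from the trace in the first post, and the "local <-> remote" order of the `rule:` line is an assumption.

```python
import ipaddress
import re

# Excerpt copied from the trace in the first post (one success, two failures).
SAMPLE_TRACE = """\
IKE info: Phase-2 [inititiator] done with 2 SAS for peer AP_VPN rule ipsec-0-AP_VPN-pr0-l0-r0
IKE info: rule:' ipsec 192.168.2.0/255.255.255.0 <-> 192.168.11.0/255.255.255.0 '
[VPN-Status] 2011/11/21 20:39:42,035  Devicetime: 2011/11/21 20:39:41,250
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids  192.168.11.0/255.255.255.0 <->  192.168.118.0/255.255.255.0
[VPN-Status] 2011/11/21 20:39:49,270  Devicetime: 2011/11/21 20:39:48,640
IKE info: Phase-2 failed for peer AP_VPN: no rule matches the phase-2 ids  192.168.11.0/255.255.255.0 <->  192.168.118.0/255.255.255.0
"""

NET = r"(\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+)"
# Installed rule. Assumption: the order on this line is "local <-> remote".
RULE_RE = re.compile(r"rule:'\s*ipsec\s+" + NET + r"\s*<->\s*" + NET)
# Rejected proposal. Per the reply above, the order is "remote <-> local".
FAIL_RE = re.compile(r"Phase-2 failed for peer (\S+): no rule matches the "
                     r"phase-2 ids\s+" + NET + r"\s*<->\s*" + NET)


def net(text):
    """Turn 'a.b.c.d/255.255.255.0' into an IPv4Network (dotted mask accepted)."""
    return ipaddress.ip_network(text, strict=False)


def diagnose(trace):
    """Return one finding per rejected Phase-2 ID pair that no installed rule covers."""
    installed = set()   # (local, remote) pairs that produced a Phase-2 SA
    rejected = {}       # (peer, remote, requested_local) -> number of rejections
    for line in trace.splitlines():
        m = RULE_RE.search(line)
        if m:
            installed.add((net(m.group(1)), net(m.group(2))))
            continue
        m = FAIL_RE.search(line)
        if m:
            key = (m.group(1), net(m.group(2)), net(m.group(3)))
            rejected[key] = rejected.get(key, 0) + 1

    findings = []
    for (peer, remote, wanted_local), count in rejected.items():
        if (wanted_local, remote) in installed:
            continue    # the mirrored rule exists, so the cause lies elsewhere
        findings.append({
            "peer": peer,
            "remote": str(remote),
            # local network the peer still has configured for this site
            "requested_local": str(wanted_local),
            # local networks this device actually offers towards that remote net
            "installed_local": sorted(str(l) for l, r in installed if r == remote),
            "count": count,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_TRACE):
        print("%(peer)s: peer asks for local net %(requested_local)s, "
              "rules exist only for %(installed_local)s (%(count)d rejections)" % f)
```
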
phoenixz
Posts: 76
Joined: 15 Nov 2008, 21:14
Location: Köln

Post by phoenixz »

Hello backslash,

many thanks for your answer. I had already spotted what you describe in the trace yesterday. The background to this setting is that, before our server migration, the router ran on the network 192.168.118.0, so the setting was correct at that point.

After the Lancom got a new IP (192.168.2.1), I deleted the VPN remote site and created it again with the new IP. But the Lancom does not seem to want to apply it.

Where in LANConfig do I find this setting? I searched myself silly for it yesterday (on the local Lancom and on the remote one) and found nothing...

Thanks in advance and kind regards!
:)
phoenixz
Posts: 76
Joined: 15 Nov 2008, 21:14
Location: Köln

Post by phoenixz »

Hello again,

I have solved the problem. During the firmware upgrade a whole series of default objects went missing. Checking and restoring the objects led to the solution.

Thanks!