Connection drops

butch1988
Posts: 9
Joined: 22 Dec 2013, 01:15

Connection drops

Post by butch1988 »

Hello dear experts,

I have already set up a few tunnels and never had any problems. But with this one I am slowly reaching my limits, especially since I am not a VPN expert.
Scenario: two routers, a Lancom 1611+ and a Hermes X Pro (unfortunately I have no influence over that one), are supposed to establish a permanent tunnel.

So far so good, everything set up, works right away. But the connection keeps getting lost. While troubleshooting I noticed a few strange things.
On the Lancom I can look at the current ESPs; when they expire, completely different ones are used. The Hermes switches to inactive at exactly that moment, while the Lancom still believes it has a tunnel, which just doesn't help me.

It also seems to me as if both are trying to establish the tunnel at the same time; on the Lancom I have not found anything so far on how to turn that off.

To make the whole thing a bit more illustrative, I have some screenshots here that show what I mean:
[Image]

[Image]

I would appreciate any help/tips,
Best regards,
Butch

PS: Yes, I know:
2x DDNS is stupid, and the Hermes is stupid too. ;-)
Bernie137
Posts: 1700
Joined: 17 Apr 2013, 21:50
Location: between Chemnitz and Annaberg-Buchholz

Re: Connection drops

Post by Bernie137 »

Hi,

I would investigate it on the Lancom side with a VPN status trace. Maybe that yields some useful leads.

Regards, Heiko
You never stop learning.
butch1988
Posts: 9
Joined: 22 Dec 2013, 01:15

Re: Connection drops

Post by butch1988 »

The trace is below.
It still looks to me as if both are trying to establish the connection. If the Lancom manages it first, the Hermes no longer works.

Anyone have an idea?
Can I switch off on the Lancom that it wants to initiate the connection?

Code:

[VPN-Status] 2013/12/23 10:29:39,033
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0xc34, expected 0xc34


[VPN-Status] 2013/12/23 10:29:39,034
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0xc34


[VPN-Status] 2013/12/23 10:29:49,394
IKE info: The remote peer ARAKIEL supports NAT-T in draft mode
IKE info: The remote peer ARAKIEL supports NAT-T in draft mode
IKE info: The remote peer ARAKIEL supports NAT-T in RFC mode
IKE info: The remote server xxx.xxx.xxx.xxx:500 (UDP) peer ARAKIEL id <no_id> negotiated rfc-3706-dead-peer-detection


[VPN-Status] 2013/12/23 10:29:49,395
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 5 encryption algorithm = CAST_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 6 encryption algorithm = CAST_CBC
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 7 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer ARAKIEL matched with local proposal 8


[VPN-Status] 2013/12/23 10:29:49,783
IKE info: Phase-1 [responder] for peer ARAKIEL between initiator id alteratskiel.dyn.promedisoft.com, responder id  84.144.165.13 done
IKE info: SA ISAKMP for peer ARAKIEL encryption 3des-cbc authentication sha1
IKE info: life time ( 3600 sec/ 0 kb)


[VPN-Status] 2013/12/23 10:29:49,784
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer ARAKIEL set to 3240 seconds (Responder)


[VPN-Status] 2013/12/23 10:29:49,784
IKE info: Phase-1 SA Timeout (Hard-Event) for peer ARAKIEL set to 3600 seconds (Responder)


[VPN-Status] 2013/12/23 10:30:01,491
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6517, expected 0x6517


[VPN-Status] 2013/12/23 10:30:01,492
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6517


[VPN-Status] 2013/12/23 10:30:04,500
IKE info: Delete Notificaton sent for Phase-1 SA to peer ARAKIEL


[VPN-Status] 2013/12/23 10:30:04,500
IKE info: Phase-1 SA removed: peer ARAKIEL rule ARAKIEL removed


[VPN-Status] 2013/12/23 10:30:13,580
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6518, expected 0x6518


[VPN-Status] 2013/12/23 10:30:13,581
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6518


[VPN-Status] 2013/12/23 10:30:25,649
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6519, expected 0x6519


[VPN-Status] 2013/12/23 10:30:25,650
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6519


[VPN-Status] 2013/12/23 10:30:37,748
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x651a, expected 0x651a


[VPN-Status] 2013/12/23 10:30:37,749
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x651a


[VPN-Status] 2013/12/23 10:30:49,907
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x651b, expected 0x651b


[VPN-Status] 2013/12/23 10:30:49,907
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x651b


[VPN-Status] 2013/12/23 10:31:02,006
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x651c, expected 0x651c


[VPN-Status] 2013/12/23 10:31:02,006
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x651c


[VPN-Status] 2013/12/23 10:31:06,260
suppress DNS resolution for ARAKIEL
IpStr=>alteratskiel.dyn.promedisoft.com<, IpAddr=xxx.xxx.xxx.xxx, IpTtl=10s

[VPN-Status] 2013/12/23 10:31:14,077
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x651d, expected 0x651d


[VPN-Status] 2013/12/23 10:31:14,078
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x651d


[VPN-Status] 2013/12/23 10:31:26,114
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x651e, expec


[VPN-Status] 2013/12/23 10:31:26,115
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x651e


[VPN-Status] 2013/12/23 10:31:38,193
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x651f, expec


[VPN-Status] 2013/12/23 10:31:38,194
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x651f


[VPN-Status] 2013/12/23 10:31:50,332
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6520, expec


[VPN-Status] 2013/12/23 10:31:50,333
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6520


[VPN-Status] 2013/12/23 10:32:02,371
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6521, expected 0x6521


[VPN-Status] 2013/12/23 10:32:02,371
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6521


[VPN-Status] 2013/12/23 10:32:14,500
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6522, expected 0x6522


[VPN-Status] 2013/12/23 10:32:14,500
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6522


[VPN-Status] 2013/12/23 10:32:15,700
suppress DNS resolution for ARAKIEL
IpStr=>alteratskiel.dyn.promedisoft.com<, IpAddr=xxx.xxx.xxx.xxx, IpTtl=10s

[VPN-Status] 2013/12/23 10:32:20,510
IKE info: Phase-2 SA Soft-Event occured for peer ARAKIEL (Responder)


[VPN-Status] 2013/12/23 10:32:20,518
IKE info: soft event: rekeying started for peer ARAKIEL, rule ipsec-0-ARAKIEL-pr0-l0-r0


[VPN-Status] 2013/12/23 10:32:20,645
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ARAKIEL set to 23040 seconds (Initiator)


[VPN-Status] 2013/12/23 10:32:20,645
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ARAKIEL set to 28800 seconds (Initiator)


[VPN-Status] 2013/12/23 10:32:20,646
IKE info: Phase-2 [inititiator] done with 2 SAS for peer ARAKIEL rule ipsec-0-ARAKIEL-pr0-l0-r0
IKE info: rule:' ipsec 10.1.110.0/255.255.255.0 <-> 10.46.20.0/255.255.255.0 '
IKE info: SA ESP [0xb5be3d24]  alg AES keylength 256 +hmac HMAC_SHA outgoing
IKE info: SA ESP [0x1aa96493]  alg AES keylength 256 +hmac HMAC_SHA incoming
IKE info: life soft( 23040 sec/1600000 kb) hard (28800 sec/2000000 kb)
IKE info: tunnel between src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx


[VPN-Status] 2013/12/23 10:32:26,679
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6523, expected 0x6523


[VPN-Status] 2013/12/23 10:32:26,679
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6523


[VPN-Status] 2013/12/23 10:32:35,690
IKE info: Delete Notificaton sent for Phase-2 SA ipsec-0-ARAKIEL-pr0-l0-r0 to peer ARAKIEL, spi [0x1115e07e]


[VPN-Status] 2013/12/23 10:32:35,690
IKE info: Phase-2 SA removed: peer ARAKIEL rule ipsec-0-ARAKIEL-pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [53e40800  ] [1115e07e  ]


[VPN-Status] 2013/12/23 10:32:38,747
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6524, expected 0x6524


[VPN-Status] 2013/12/23 10:32:38,748
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6524


[VPN-Status] 2013/12/23 10:32:50,906
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6525, expected 0x6525


[VPN-Status] 2013/12/23 10:32:50,907
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6525


[VPN-Status] 2013/12/23 10:33:03,025
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x6526, expected 0x6526


[VPN-Status] 2013/12/23 10:33:03,026
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAKIEL, sequence nr 0x6526
Last edited by butch1988 on 23 Dec 2013, 13:05, edited 1 time in total.
butch1988
Posts: 9
Joined: 22 Dec 2013, 01:15

Re: Connection drops

Post by butch1988 »

Here again is the part where the non-Lancom establishes the connection (which works)

Code:

[VPN-Status] 2013/12/23 10:56:33,631
VPN: rulesets installed

[VPN-Status] 2013/12/23 10:56:34,122
VPN: WAN state changed to WanCall for ARAKIEL (xxx.xxx.xxx.xxx), called by: 00194cf7

[VPN-Status] 2013/12/23 10:56:34,122
VPN: connecting to ARAKIEL (xxx.xxx.xxx.xxx)

[VPN-Status] 2013/12/23 10:56:34,123
vpn-maps[14], remote: ARAKIEL, nego, dns-name, static-name, connected-by-name

[VPN-Status] 2013/12/23 10:56:34,123
vpn-maps[14], remote: ARAKIEL, nego, dns-name, static-name, connected-by-name

[VPN-Status] 2013/12/23 10:56:34,124
vpn-maps[14], remote: ARAKIEL, nego, dns-name, static-name, connected-by-name

[VPN-Status] 2013/12/23 10:56:34,124
VPN: installing ruleset for ARAKIEL (xxx.xxx.xxx.xxx)

[VPN-Status] 2013/12/23 10:56:34,125
IKE info: Phase-1 negotiation started for peer ARAKIEL rule isakmp-peer-ARAKIEL using MAIN mode


[VPN-Status] 2013/12/23 10:56:34,139
VPN: ruleset installed for ARAKIEL (xxx.xxx.xxx.xxx)

[VPN-Status] 2013/12/23 10:56:34,140
VPN: start IKE negotiation for ARAKIEL (xxx.xxx.xxx.xxx)

[VPN-Status] 2013/12/23 10:56:34,140
VPN: WAN state changed to WanProtocol for ARAKIEL (xxx.xxx.xxx.xxx), called by: 00194cf7

[VPN-Status] 2013/12/23 10:56:34,140
VPN: rulesets installed

[VPN-Status] 2013/12/23 10:56:34,519
IKE info: The remote peer ARAKIEL supports NAT-T in draft mode
IKE info: The remote peer ARAKIEL supports NAT-T in draft mode
IKE info: The remote peer ARAKIEL supports NAT-T in RFC mode
IKE info: The remote server xxx.xxx.xxx.xxx:500 (UDP) peer ARAKIEL id <no_id> negotiated rfc-3706-dead-peer-detection


[VPN-Status] 2013/12/23 10:56:34,520
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 5 encryption algorithm = CAST_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 6 encryption algorithm = CAST_CBC
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 7 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer ARAKIEL matched with local proposal 8


[VPN-Status] 2013/12/23 10:56:35,041
IKE info: Phase-1 [responder] for peer ARAKIEL between initiator id alteratskiel.dyn.promedisoft.com, responder id  xxx.xxx.xxx.xxx done
IKE info: SA ISAKMP for peer ARAKIEL encryption 3des-cbc authentication sha1
IKE info: life time ( 3600 sec/ 0 kb)


[VPN-Status] 2013/12/23 10:56:35,041
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer ARAKIEL set to 3240 seconds (Responder)


[VPN-Status] 2013/12/23 10:56:35,041
IKE info: Phase-1 SA Timeout (Hard-Event) for peer ARAKIEL set to 3600 seconds (Responder)


[VPN-Status] 2013/12/23 10:56:35,189
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 1, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local No 1, esp algorithm keylen 256,256:256
IKE info: Phase-2 proposal failed: remote No 1, esp hmac HMAC_MD5 <-> local No 1, esp hmac HMAC_SHA
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 2, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local No 2, esp algorithm keylen 128,128:256
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 3, esp algorithm BLOWFISH
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local No 3, esp algorithm keylen 128,128:448
IKE info: Phase-2 proposal failed: remote No 1, esp hmac HMAC_MD5 <-> local No 3, esp hmac HMAC_SHA
IKE info: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 4,  number of protos 2
IKE info: Phase-2 remote proposal 1 for peer ARAKIEL matched with local proposal 5


[VPN-Status] 2013/12/23 10:56:35,349
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ARAKIEL set to 1080 seconds (Responder)


[VPN-Status] 2013/12/23 10:56:35,350
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ARAKIEL set to 1200 seconds (Responder)


[VPN-Status] 2013/12/23 10:56:35,351
IKE info: Phase-2 [responder] done with 2 SAS for peer ARAKIEL rule ipsec-0-ARAKIEL-pr0-l0-r0
IKE info: rule:' ipsec 10.1.110.0/255.255.255.0 <-> 10.46.20.0/255.255.255.0 '
IKE info: SA ESP [0xb9293cb8]  alg 3DES keylength 192 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4de44ce2]  alg 3DES keylength 192 +hmac HMAC_MD5 incoming
IKE info: life soft( 1080 sec/0 kb) hard (1200 sec/0 kb)
IKE info: tunnel between src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx


[VPN-Status] 2013/12/23 10:56:36,353
VPN: ARAKIEL connected

[VPN-Status] 2013/12/23 10:56:36,353
VPN: WAN state changed to WanConnect for ARAKIEL (xxx.xxx.xxx.xxx), called by: 00194cf7

[VPN-Status] 2013/12/23 10:56:36,354
vpn-maps[14], remote: ARAKIEL, connected, dns-name, static-name, connected-by-name

[VPN-Status] 2013/12/23 10:56:46,707
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAKIEL Seq-Nr 0x416a, expected 0x416a
Last edited by butch1988 on 23 Dec 2013, 13:07, edited 2 times in total.
Bernie137
Posts: 1700
Joined: 17 Apr 2013, 21:50
Location: between Chemnitz and Annaberg-Buchholz

Re: Connection drops

Post by Bernie137 »

Hi,

Well, that already tells us something about IKE phase 1: remote is 3des-cbc and local is aes-cbc, so make them match ;)

Regards, Heiko

Edit: Now from the PC, with a quote:

Code:

[VPN-Status] 2013/12/23 10:56:34,520
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 5 encryption algorithm = CAST_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 6 encryption algorithm = CAST_CBC
IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA <-> local No 7 hash algorithm = MD5
IKE info: Phase-1 remote proposal 1 for peer ARAKIEL matched with local proposal 8
Only proposal 8 takes effect. Put it in first position for this connection. And then take some nice traces again. Please make the public IP disappear here in the forum and put a few XXX.XXX.XXX.XXX there instead.
You never stop learning.
butch1988
Posts: 9
Joined: 22 Dec 2013, 01:15

Re: Connection drops

Post by butch1988 »

I have changed that, let's see whether it has any effect.

In the meantime I have also:
- done a firmware update
- removed the kbyte restrictions in all IPsec proposals (since the manual says on page 68 that this is not accepted.)

Possibly there are also hints in the manual that I do not understand.
butch1988
Posts: 9
Joined: 22 Dec 2013, 01:15

Re: Connection drops

Post by butch1988 »

Update:
The phase 1 error seems to be gone.
Instead there is now a similar phase 2 error.

I'll see whether I can also put 5 at position 1 there.

Code:

works

[VPN-Status] 2013/12/23 13:21:34,581
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAPOKIEL, sequence nr 0x1ece


[VPN-Status] 2013/12/23 13:21:36,240
suppress DNS resolution for ARAPOKIEL
IpStr=>alteratskiel.dyn.promedisoft.com<, IpAddr=xxx.xxx.xxx.xxx, IpTtl=60s

[VPN-Status] 2013/12/23 13:21:41,590
IKE info: Phase-2 SA Soft-Event occured for peer ARAPOKIEL (Responder)


[VPN-Status] 2013/12/23 13:21:41,600
IKE info: soft event: rekeying started for peer ARAPOKIEL, rule ipsec-0-ARAPOKIEL-pr0-l0-r0


[VPN-Status] 2013/12/23 13:21:41,645
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ARAPOKIEL set to 23040 seconds (Initiator)


[VPN-Status] 2013/12/23 13:21:41,645
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ARAPOKIEL set to 28800 seconds (Initiator)


[VPN-Status] 2013/12/23 13:21:41,646
IKE info: Phase-2 [inititiator] done with 2 SAS for peer ARAPOKIEL rule ipsec-0-ARAPOKIEL-pr0-l0-r0
IKE info: rule:' ipsec 10.1.110.0/255.255.255.0 <-> 10.46.20.0/255.255.255.0 '
IKE info: SA ESP [0x08473bfb]  alg AES keylength 256 +hmac HMAC_SHA outgoing
IKE info: SA ESP [0x36c1024f]  alg AES keylength 256 +hmac HMAC_SHA incoming
IKE info: life soft( 23040 sec/0 kb) hard (28800 sec/0 kb)
IKE info: tunnel between src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx


[VPN-Status] 2013/12/23 13:21:46,619
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAPOKIEL Seq-Nr 0x1ecf, expected 0x1ecf


[VPN-Status] 2013/12/23 13:21:46,620
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAPOKIEL, sequence nr 0x1ecf


[VPN-Status] 2013/12/23 13:21:48,922
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 1, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local No 1, esp algorithm keylen 256,256:256
IKE info: Phase-2 proposal failed: remote No 1, esp hmac HMAC_MD5 <-> local No 1, esp hmac HMAC_SHA
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 2, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local No 2, esp algorithm keylen 128,128:256
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 3, esp algorithm BLOWFISH
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local No 3, esp algorithm keylen 128,128:448
IKE info: Phase-2 proposal failed: remote No 1, esp hmac HMAC_MD5 <-> local No 3, esp hmac HMAC_SHA
IKE info: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 4,  number of protos 2
IKE info: Phase-2 remote proposal 1 for peer ARAPOKIEL matched with local proposal 5


[VPN-Status] 2013/12/23 13:21:48,967
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer ARAPOKIEL set to 1080 seconds (Responder)


[VPN-Status] 2013/12/23 13:21:48,967
IKE info: Phase-2 SA Timeout (Hard-Event) for peer ARAPOKIEL set to 1200 seconds (Responder)


[VPN-Status] 2013/12/23 13:21:48,968
IKE info: Phase-2 [responder] done with 2 SAS for peer ARAPOKIEL rule ipsec-0-ARAPOKIEL-pr0-l0-r0
IKE info: rule:' ipsec 10.1.110.0/255.255.255.0 <-> 10.46.20.0/255.255.255.0 '
IKE info: SA ESP [0xbfbf8e3d]  alg 3DES keylength 192 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4bc44f2e]  alg 3DES keylength 192 +hmac HMAC_MD5 incoming
IKE info: life soft( 1080 sec/0 kb) hard (1200 sec/0 kb)
IKE info: tunnel between src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx


[VPN-Status] 2013/12/23 13:21:56,960
IKE info: Delete Notification sent for Phase-2 SA ipsec-0-ARAPOKIEL-pr0-l0-r0 to


[VPN-Status] 2013/12/23 13:21:56,960
IKE info: Phase-2 SA removed: peer ARAPOKIEL rule ipsec-0-ARAPOKIEL-pr0-l0-r0 re
IKE info: containing Protocol IPSEC_ESP, with spis [f3632246  ] [284f0a24  ]


[VPN-Status] 2013/12/23 13:21:58,658
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAPOKIEL


[VPN-Status] 2013/12/23 13:21:58,659
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAPOKIEL,


[VPN-Status] 2013/12/23 13:22:03,670
IKE info: Delete Notification sent for Phase-2 SA ipsec-0-ARAPOKIEL-pr0-l0-r0 to


[VPN-Status] 2013/12/23 13:22:03,670
IKE info: Phase-2 SA removed: peer ARAPOKIEL rule ipsec-0-ARAPOKIEL-pr0-l0-r0 re
IKE info: containing Protocol IPSEC_ESP, with spis [08473bfb  ] [36c1024f  ]


[VPN-Status] 2013/12/23 13:22:10,687
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for p


[VPN-Status] 2013/12/23 13:22:10,688
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to pe


[VPN-Status] 2013/12/23 13:22:22,740
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for p


[VPN-Status] 2013/12/23 13:22:22,741
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to pe


[VPN-Status] 2013/12/23 13:22:34,803
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for p


[VPN-Status] 2013/12/23 13:22:34,803
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to pe


[VPN-Status] 2013/12/23 13:22:47,094
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for p                                                                                           Seq-Nr 0x1ed4, expected 0x1ed4


[VPN-Status] 2013/12/23 13:22:47,095
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to pe                                                                                           sequence nr 0x1ed4


[VPN-Status] 2013/12/23 13:22:59,353
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for p                                                                                           Seq-Nr 0x1ed5, expected 0x1ed5


[VPN-Status] 2013/12/23 13:22:59,354
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to pe                                                                                           sequence nr 0x1ed5


[VPN-Status] 2013/12/23 13:23:11,462
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAPOKIEL Seq-Nr 0x1ed6, expected 0x1ed6


[VPN-Status] 2013/12/23 13:23:11,463
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAPOKIEL, sequence nr 0x1ed6


[VPN-Status] 2013/12/23 13:23:23,530
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAPOKIEL Seq-Nr 0x1ed7, expected 0x1ed7


[VPN-Status] 2013/12/23 13:23:23,531
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAPOKIEL, sequence nr 0x1ed7


[VPN-Status] 2013/12/23 13:23:35,670
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer ARAPOKIEL Seq-Nr 0x1ed8, expected 0x1ed8


[VPN-Status] 2013/12/23 13:23:35,671
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer ARAPOKIEL, sequence nr 0x1ed8

butch1988
Posts: 9
Joined: 22 Dec 2013, 01:15

Re: Connection drops

Post by butch1988 »

The connection now runs with a significantly longer hold time. Looks like that fixed it.
I will keep observing and report back. :)
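
Added example, not part of any post in this thread: a small Python parser for the [VPN-Status] lines quoted above. It reports which local proposal the peer's offer matched (the point of Bernie137's reply) and compares the Phase-2 SAs the Lancom negotiated as initiator and as responder (the situation in butch1988's update trace). The function names and the `WEAK` set are assumptions of this example; the sample lines are excerpted from the thread's trace.

```python
import re

# Lines excerpted from the [VPN-Status] trace quoted in the thread.
SAMPLE_TRACE = """\
[VPN-Status] 2013/12/23 13:21:41,646
IKE info: Phase-2 [inititiator] done with 2 SAS for peer ARAPOKIEL rule ipsec-0-ARAPOKIEL-pr0-l0-r0
IKE info: SA ESP [0x08473bfb]  alg AES keylength 256 +hmac HMAC_SHA outgoing
IKE info: SA ESP [0x36c1024f]  alg AES keylength 256 +hmac HMAC_SHA incoming
IKE info: life soft( 23040 sec/0 kb) hard (28800 sec/0 kb)

[VPN-Status] 2013/12/23 13:21:48,922
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No 1, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 1, esp hmac HMAC_MD5 <-> local No 1, esp hmac HMAC_SHA
IKE info: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 4,  number of protos 2
IKE info: Phase-2 remote proposal 1 for peer ARAPOKIEL matched with local proposal 5

[VPN-Status] 2013/12/23 13:21:48,968
IKE info: Phase-2 [responder] done with 2 SAS for peer ARAPOKIEL rule ipsec-0-ARAPOKIEL-pr0-l0-r0
IKE info: SA ESP [0xbfbf8e3d]  alg 3DES keylength 192 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4bc44f2e]  alg 3DES keylength 192 +hmac HMAC_MD5 incoming
IKE info: life soft( 1080 sec/0 kb) hard (1200 sec/0 kb)
"""

RE_FAIL = re.compile(r"[Pp]hase-(\d) proposal failed: remote No \d+,?\s+(.+?) <-> local No (\d+),?\s+(.+)")
RE_MATCH = re.compile(r"Phase-(\d) remote proposal \d+ for peer \S+ matched with local proposal (\d+)")
RE_DONE = re.compile(r"Phase-2 \[(\w+)\] done with \d+ SAS for peer \S+")
RE_SA = re.compile(r"SA ESP \[0x[0-9a-fA-F]+\]\s+alg (\S+) keylength (\d+) \+hmac (\S+)")
RE_LIFE = re.compile(r"life soft\(\s*(\d+) sec/\s*\d+ kb\) hard \(\s*(\d+) sec/\s*\d+ kb\)")

# Assumption of this example: algorithm names to flag as legacy.
WEAK = {"DES", "3DES", "HMAC_MD5"}


def parse_trace(text):
    """Collect matched/rejected proposals and the Phase-2 SAs per negotiation role."""
    matched, rejected, sas, cur = [], [], [], None
    for line in text.splitlines():
        if m := RE_FAIL.search(line):
            # (phase, local proposal number, remote attribute, local attribute)
            rejected.append((int(m[1]), int(m[3]), m[2].strip(), m[4].strip()))
        elif m := RE_MATCH.search(line):
            matched.append((int(m[1]), int(m[2])))
        elif m := RE_DONE.search(line):
            # The trace spells the role "inititiator"; normalise on the prefix.
            role = "initiator" if m[1].lower().startswith("init") else "responder"
            cur = {"role": role}
        elif cur is not None and (m := RE_SA.search(line)):
            # Outgoing and incoming SA lines carry the same transform.
            cur.update(alg=m[1], keylen=int(m[2]), hmac=m[3])
        elif cur is not None and (m := RE_LIFE.search(line)):
            cur.update(soft=int(m[1]), hard=int(m[2]))
            if "alg" in cur:
                sas.append(cur)
            cur = None
    return {"matched": matched, "rejected": rejected, "sas": sas}


def findings(parsed):
    """Turn the parsed trace into short observations."""
    out = []
    for phase, local_no in parsed["matched"]:
        if local_no > 1:
            out.append(f"phase-{phase}: peer's proposal only matched local proposal {local_no}")
    by_role = {sa["role"]: sa for sa in parsed["sas"]}  # last SA seen per role
    ini, rsp = by_role.get("initiator"), by_role.get("responder")
    if ini and rsp:
        for key in ("alg", "keylen", "hmac", "hard"):
            if ini[key] != rsp[key]:
                out.append(f"phase-2 {key} differs by role: initiator={ini[key]} responder={rsp[key]}")
    for sa in parsed["sas"]:
        weak = sorted({sa["alg"], sa["hmac"]} & WEAK)
        if weak:
            out.append(f"phase-2 SA negotiated as {sa['role']} uses {', '.join(weak)}")
    return out


if __name__ == "__main__":
    for item in findings(parse_trace(SAMPLE_TRACE)):
        print(item)
```
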