VPN LAN-LAN coupling (Lancom 1721 <-> Defendo)

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

wiesi
Posts: 1
Registered: 24 Feb 2006, 11:01

VPN LAN-LAN coupling (Lancom 1721 <-> Defendo)

Post by wiesi »

Hello everyone,

I have a small problem with a LAN-LAN coupling between a 1721 and a Defendo (Linux appliance).

The VPN tunnel is established and works, but it disconnects again after a short time and then reconnects. I let a
trace run and also did a show VPN:

[VPN-Status] 1900/01/01 02:24:13,540
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No
1, esp algorithm AES
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local
No 1, esp algorithm keylen 128,128:256
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm 3DES <-> local No
2, esp algorithm BLOWFISH
IKE info: Phase-2 proposal failed: remote No 1, esp algorithm keylen 0 <-> local
No 2, esp algorithm keylen 128,128:448
IKE info: Phase-2 proposal failed: remote No 1, esp hmac HMAC_MD5 <-> local No 2
, esp hmac HMAC_SHA
IKE info: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No
3, number of protos 2
IKE info: Phase-2 remote proposal 1 for peer XXXHEN matched with local
proposal 4


[VPN-Status] 1900/01/01 02:24:13,700
IKE info: Phase-2 [responder] done with 2 SAS for peer XXXHEN rule ipse
c-1-XXXHEN-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.20.0/255.255.255.0
'
IKE info: SA ESP [0x66a51cb5] alg 3DES keylength 192 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x3e9eceb4] alg 3DES keylength 192 +hmac HMAC_MD5 incoming
IKE info: life soft( 29160 sec/0 kb) hard (32400 sec/0 kb)
IKE info: tunnel between src: xx.xxx.xxx.190 dst: xx.xxx.xxx.187


[VPN-Status] 1900/01/01 02:24:23,710
IKE info: Phase-2 failed for peer XXXHEN: no rule matches the phase-2 i
ds xx.xxx.xxx.187 <-> xx.xxx.xxx.190
IKE log: 022423 Default message_negotiate_sa: no compatible proposal found
IKE log: 022423 Default dropped message from xx.xxx.xxx.187 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer XXXHEN xx.xxx.xxx.187 port 500 due
to notification type NO_PROPOSAL_CHOSEN


[VPN-Status] 1900/01/01 02:24:23,710
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for XXXHEN (xx.xxx.xxx
.187)

[VPN-Status] 1900/01/01 02:24:24,240
VPN: poll timeout for XXXHEN (xx.xxx.xxx.187)
remote site did not answer during interval
setting poll time to 1 sec.
(5 retries left)
send poll frame to xx.xxx.xxx.187

[VPN-Status] 1900/01/01 02:24:25,240
VPN: poll timeout for xxxHEN (xx.xxx.xxx.187)
remote site did not answer during interval
(4 retries left)
send poll frame to xx.xxx.xxx.187

[VPN-Status] 1900/01/01 02:24:26,240
VPN: poll timeout for XXXHEN (xx.xxx.xxx1.187)
remote site did not answer during interval
(3 retries left)
send poll frame to xx.xxx.xxx.187

[VPN-Status] 1900/01/01 02:24:27,240
VPN: poll timeout for XXXHEN (.187)
remote site did not answer during interval
(2 retries left)
send poll frame to xx.xxx.xxx.187

[VPN-Status] 1900/01/01 02:24:28,240
VPN: poll timeout for XXXHEN (xx.xxx.xxx.187)
remote site did not answer during interval
(1 retries left)
send poll frame to xx.xxx.xxx.187

[VPN-Status] 1900/01/01 02:24:29,240
VPN: poll timeout for XXXHEN (xx.xxx.xxx.187)
remote site did not answer during interval
no retries left, disconnect channel

[VPN-Status] 1900/01/01 02:24:29,240
VPN: Error: IFC-X-Line-polling-failed (0x1307) for XXXHEN (xx.xxx.xx.1
87)

[VPN-Status] 1900/01/01 02:24:29,240
VPN: disconnecting XXXHEN (84.145.121.187)

[VPN-Status] 1900/01/01 02:24:29,250
IKE info: Delete Notificaton sent for Phase-2 SA ipsec-1-XXXHEN-pr0-l0-
r0 to peer XXXHEN, spi [0x3e9eceb4]


[VPN-Status] 1900/01/01 02:24:29,250
IKE info: Phase-2 SA removed: peer XXXHEN rule ipsec-1-XXXHEN-
pr0-l0-r0 removed
IKE info: containing Protocol IPSEC_ESP, with spis [66a51cb5 ] [3e9eceb4 ]


[VPN-Status] 1900/01/01 02:24:29,250
IKE info: Delete Notificaton sent for Phase-1 SA to peer XXXHEN


[VPN-Status] 1900/01/01 02:24:29,250
IKE info: Phase-1 SA removed: peer XXXHEN rule XXXHEN removed


[VPN-Status] 1900/01/01 02:24:29,300
VPN: selecting next remote gateway using strategy eFirst for XXXHEN
=> no remote gateway selected

[VPN-Status] 1900/01/01 02:24:29,300
VPN: selecting first remote gateway using strategy eFirst for XXXHEN
=> CurrIdx=0, IpStr=>i1.dyndns.biz<, IpAddr=xxx.xxx.xxx.187
, IpTtl=60s

[VPN-Status] 1900/01/01 02:24:29,300
VPN: installing ruleset for XXXHEN (84.145.121.187)

[VPN-Status] 1900/01/01 02:24:29,300
VPN: XXXHEN (84.145.121.187) disconnected

[VPN-Status] 1900/01/01 02:24:29,320
VPN: rulesets installed

[VPN-Status] 1900/01/01 02:24:29,390
IKE log: 022429 Default message_recv: invalid cookie(s) da513e3a2fa37cba 98b868c
fe895ad64


[VPN-Status] 1900/01/01 02:24:29,390
IKE log: 022429 Default dropped message from xx.xxx.xxx.xxx port 500 due to noti
fication type INVALID_COOKIE


[VPN-Status] 1900/01/01 02:24:29,390
IKE info: dropped message from peer unknown xx.xx.xxx.187 port 500 due to notif
ication type INVALID_COOKIE

trace # vpn-status
VPN-Status OFF

Maybe someone can help me, that would be really great.

Thanks in advance.

wiesi
COMCARGRU
Posts: 1220
Registered: 10 Nov 2004, 17:56
Location: Hessen

Post by COMCARGRU »

[VPN-Status] 1900/01/01 02:24:29,240
VPN: poll timeout for XXXHEN (xx.xxx.xxx.187)
remote site did not answer during interval
no retries left, disconnect channel
When the hell will ALL PCs finally come with hardware RAID 1 as standard???
backslash
Moderator
Posts: 7129
Registered: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi wiesi,

the problem is here:
[VPN-Status] 1900/01/01 02:24:23,710
IKE info: Phase-2 failed for peer XXXHEN: no rule matches the phase-2 i
ds xx.xxx.xxx.187 <-> xx.xxx.xxx.190
IKE log: 022423 Default message_negotiate_sa: no compatible proposal found

The remote side is trying to negotiate a Phase-2 for the direct connection between the gateways, which of course doesn't work...

Because the LANCOM then sends the remote side a "no proposal chosen", it apparently drops the entire connection. That is why the LANCOM's poll pings are no longer answered either, whereupon the LANCOM eventually tears down the connection as well.

So take a very close look at the configuration of the Linux box - something is going completely wrong there...

Regards
Backslash
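As an added example (not code from this thread or from LANCOM), the following Python script applies backslash's reasoning to a vpn-status trace: it collects the traffic-selector rules the LANCOM prints for Phase-2 SAs it actually installed, the tunnel endpoints from the "tunnel between src/dst" line, and every "no rule matches the phase-2 ids" failure, then classifies each failure as a gateway-to-gateway SA, a selector that fits a rule (so the cause lies elsewhere), or a selector that fits no rule. The trace embedded in the script is constructed in the shape of the poster's output; the peer name SITEA and the 203.0.113.x addresses are placeholders, and because the trace does not say which side of "<->" is local, the rule check accepts either order.

```python
import ipaddress
import re

# Constructed sample in the shape of a LANCOM "trace # vpn-status" dump (not the
# poster's trace): the peer name SITEA and the 203.0.113.x addresses are placeholders.
SAMPLE_TRACE = """\
[VPN-Status] 1900/01/01 02:24:13,700
IKE info: Phase-2 [responder] done with 2 SAS for peer SITEA rule ipsec-1-SITEA-pr0-l0-r0
IKE info: rule:' ipsec 192.168.0.0/255.255.255.0 <-> 192.168.20.0/255.255.255.0'
IKE info: tunnel between src: 203.0.113.190 dst: 203.0.113.187
[VPN-Status] 1900/01/01 02:24:23,710
IKE info: Phase-2 failed for peer SITEA: no rule matches the phase-2 ids 203.0.113.187 <-> 203.0.113.190
IKE log: 022423 Default message_negotiate_sa: no compatible proposal found
IKE info: dropped message from peer SITEA 203.0.113.187 port 500 due to notification type NO_PROPOSAL_CHOSEN
[VPN-Status] 1900/01/01 02:24:29,240
VPN: poll timeout for SITEA (203.0.113.187)
no retries left, disconnect channel
"""

RULE_RE = re.compile(r"rule:'\s*ipsec\s+([^\s']+)\s+<->\s+([^\s']+)")
TUNNEL_RE = re.compile(r"tunnel between src:\s*(\S+)\s+dst:\s*(\S+)")
FAIL_RE = re.compile(
    r"Phase-2 failed for peer (\S+): no rule matches the phase-2 ids\s+(\S+)\s+<->\s+(\S+)")


def parse_network(text):
    """'192.168.0.0/255.255.255.0' (LANCOM notation) or a bare host address -> IPv4Network."""
    return ipaddress.ip_network(text, strict=False)  # a bare address becomes a /32


def rules_in(trace):
    """Traffic-selector pairs the LANCOM printed for Phase-2 SAs it actually installed."""
    return [(parse_network(a), parse_network(b)) for a, b in RULE_RE.findall(trace)]


def gateways_in(trace):
    """Tunnel endpoint addresses from 'tunnel between src: ... dst: ...' lines."""
    return {ipaddress.ip_address(ip) for pair in TUNNEL_RE.findall(trace) for ip in pair}


def covered(rules, id_a, id_b):
    """True if one installed rule contains both IDs; either side may be listed first."""
    return any((id_a.subnet_of(left) and id_b.subnet_of(right))
               or (id_a.subnet_of(right) and id_b.subnet_of(left))
               for left, right in rules)


def analyse(trace):
    """One finding per 'no rule matches the phase-2 ids' line, with the likely cause."""
    rules, gateways = rules_in(trace), gateways_in(trace)
    findings = []
    for peer, a, b in FAIL_RE.findall(trace):
        id_a, id_b = parse_network(a), parse_network(b)
        endpoints = {id_a.network_address, id_b.network_address}
        if id_a.prefixlen == 32 and id_b.prefixlen == 32 and endpoints <= gateways:
            cause = "gateway-to-gateway SA: the IDs are the tunnel endpoints, not the LAN networks"
        elif covered(rules, id_a, id_b):
            cause = "IDs fit an installed rule: look for a proposal or protocol mismatch instead"
        else:
            cause = "IDs fit no installed rule: compare the network definitions on both sides"
        findings.append({
            "peer": peer,
            "ids": (str(id_a), str(id_b)),
            "cause": cause,
            # Follow-on symptoms from the thread: the notify this side sends, then the polls that fail.
            "no_proposal_chosen": "NO_PROPOSAL_CHOSEN" in trace,
            "polling_failed": "no retries left, disconnect channel" in trace,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRACE):
        print(f"{finding['peer']}: {finding['ids'][0]} <-> {finding['ids'][1]} -> {finding['cause']}")
```

Run against a real dump by replacing SAMPLE_TRACE with the captured trace text; on the sample, the single failure is classified as a gateway-to-gateway SA because both IDs are /32 addresses equal to the tunnel endpoints, which is exactly the situation the answer above describes.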