Hi all,
today I made a quick attempt to configure an IKEv2 VPN from a Swisscom Centro Business 3.0 router to a 1900EF. A quick attempt was not enough.
I created the encryption settings on the 1900EF from scratch and adapted them for the Swisscom router.
On the Swisscom side I entered the WAN IP of the 1900EF, the IP network behind the 1900EF and the PSK (nothing more can be configured there).
Saved everything on the Swisscom router and set it to Enable.
The Swisscom router initiates the connection to the Lancom router.
Has anyone already connected a Swisscom Centro Business 3.0 to an LCOS router via VPN?
Thanks and regards
Alex
VPN from Swisscom Centro Business 3.0 router to 1900EF
Dr.Einstein
- Posts: 3387
- Registered: 12 Jan 2010, 14:10
Re: VPN from Swisscom Centro Business 3.0 router to 1900EF
Log in to the Lancom via SSH (or LANtracer), start
trace # vpn-status vpn-debug vpn-ike
and wait until the Swisscom router starts a connection setup towards you. Then look at which step it rejects. You can read much of it yourself, e.g. whether no matching encryption pair was found or the IDs do not match. Also bear in mind: if you do not have a fixed IP on the remote side, the DEFAULT profile or peer must exist on the Lancom. Only later in the negotiation does the switch to the actual peer take place.
You can also post the reduced output here if you get stuck.
Re: VPN from Swisscom Centro Business 3.0 router to 1900EF
Hello Dr. Einstein,
I already ran a vpn-debug trace yesterday (debug only) and only got the chance to trace again this afternoon.
"IP Swisscom Router" stands for the WAN IP of the Swisscom router.
192.168.0.254 is the WAN IP of the 1900EF (behind it sits a provider router).
[VPN-Debug] 2025/10/20 17:14:11,145 Devicetime: 2025/10/20 17:14:11,447
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 900 bytes
Gateways: 192.168.0.254:500<--IP Swisscom Router:500
SPIs: 0x2F83F6C67214A0800000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(SIGNATURE_HASH_ALGORITHMS), NOTIFY(REDIRECT_SUPPORTED)
QUB-DATA: 192.168.0.254:500<---IP Swisscom Router:500 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14168363, UDP (17) {incoming unicast, fixed source address}, dst: IP Swisscom Router, tag 0 (U), src: 192.168.0.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: 70:fc:8c:49:5b:e0, port 0], local port: 500, remote port: 500
+No IKE_SA found
Counting consumed licenses by active channels...
1:
...
20:
Consumed connected licenses : 20
Negotiating connections : 0
IKE negotiations : 0
MPPE connections : 0
LTA licenses : 0
Licenses in use : 20 < 25
+Passive connection request accepted (510 micro seconds)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x2F83F6C67214A080F3E20C8120C8352D00000000, P1, RESPONDER): Setting Negotiation SA
Referencing (IKE_SA, 0x2F83F6C67214A080F3E20C8120C8352D00000000, responder): use_count 3
Looking for payload NOTIFY(REDIRECT_SUPPORTED) (41)...Found 1 payload.
+Redirection is not required
Looking for payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41)...Found 1 payload.
+Received signature hash algorithms: SHA-256, SHA-384, SHA-512, Identity
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
+Computing SHA1(0x2F83F6C67214A0800000000000000000|85.2.109.210:500)
+Computing SHA1(0x2F83F6C67214A080000000000000000055026DD201F4)
+Computed: 0xBD8E332A52CF47AE8F0D6DA11994B6BF2FAE8264
+Received: 0xBD8E332A52CF47AE8F0D6DA11994B6BF2FAE8264
+Equal => NAT-T is disabled
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
+Computing SHA1(0x2F83F6C67214A0800000000000000000|192.168.0.254:500)
+Computing SHA1(0x2F83F6C67214A0800000000000000000C0A800FE01F4)
+Computed: 0x1E9FBEF84BE85ADFE86435F96396D2087AC4E604
+Received: 0x8C38E9E362AEEF148AE313CB19C8D4515037C1DB
+Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 31
-No intersection
-DH transform is obligatory for IKE-Protocol
-Skipping proposal 1
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA1
+Best intersection: PRF-HMAC-SHA1
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA1
+Best intersection: HMAC-SHA1
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 31
-No intersection
-DH transform is obligatory for IKE-Protocol
-Skipping proposal 2
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-128
-No intersection
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 31
-No intersection
-ENCR/DH transforms are obligatory for IKE-Protocol
-Skipping proposal 3
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-128
-No intersection
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA1
+Best intersection: PRF-HMAC-SHA1
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA1
+Best intersection: HMAC-SHA1
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 31
-No intersection
-ENCR/DH transforms are obligatory for IKE-Protocol
-Skipping proposal 4
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 18
-No intersection
-DH transform is obligatory for IKE-Protocol
-Skipping proposal 5
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 20
+Best intersection: 20
[VPN-Debug] 2025/10/20 17:14:11,154 Devicetime: 2025/10/20 17:14:11,448
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 38 bytes (responder)
Gateways: 192.168.0.254:500-->IP Swisscom Router:500, tag 0 (UDP)
SPIs: 0x2F83F6C67214A0800000000000000000, Message-ID 0
Payloads: NOTIFY(INVALID_KE_PAYLOAD[0x0014])
[VPN-Debug] 2025/10/20 17:14:11,192 Devicetime: 2025/10/20 17:14:11,473
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 964 bytes
Gateways: 192.168.0.254:500<--IP Swisscom Router:500
SPIs: 0x2F83F6C67214A0800000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(SIGNATURE_HASH_ALGORITHMS), NOTIFY(REDIRECT_SUPPORTED)
QUB-DATA: 192.168.0.254:500<---IP Swisscom Router:500 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14168364, UDP (17) {incoming unicast, fixed source address}, dst: IP Swisscom Router, tag 0 (U), src: 192.168.0.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: 70:fc:8c:49:5b:e0, port 0], local port: 500, remote port: 500
+No IKE_SA found
Counting consumed licenses by active channels...
1:
...
20:
Consumed connected licenses : 20
Negotiating connections : 0
IKE negotiations : 0
MPPE connections : 0
LTA licenses : 0
Licenses in use : 20 < 25
+Passive connection request accepted (505 micro seconds)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x2F83F6C67214A080FFB5AFDA676EB48700000000, P1, RESPONDER): Setting Negotiation SA
Referencing (IKE_SA, 0x2F83F6C67214A080FFB5AFDA676EB48700000000, responder): use_count 3
Looking for payload NOTIFY(REDIRECT_SUPPORTED) (41)...Found 1 payload.
+Redirection is not required
Looking for payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41)...Found 1 payload.
+Received signature hash algorithms: SHA-256, SHA-384, SHA-512, Identity
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
+Computing SHA1(0x2F83F6C67214A0800000000000000000|85.2.109.210:500)
+Computing SHA1(0x2F83F6C67214A080000000000000000055026DD201F4)
+Computed: 0xBD8E332A52CF47AE8F0D6DA11994B6BF2FAE8264
+Received: 0xBD8E332A52CF47AE8F0D6DA11994B6BF2FAE8264
+Equal => NAT-T is disabled
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
+Computing SHA1(0x2F83F6C67214A0800000000000000000|192.168.0.254:500)
+Computing SHA1(0x2F83F6C67214A0800000000000000000C0A800FE01F4)
+Computed: 0x1E9FBEF84BE85ADFE86435F96396D2087AC4E604
+Received: 0x8C38E9E362AEEF148AE313CB19C8D4515037C1DB
+Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-256
+Best intersection: AES-CBC-256
+Config PRF transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-256 PRF-HMAC-SHA1
+Received PRF transform(s): PRF-HMAC-SHA-256
+Best intersection: PRF-HMAC-SHA-256
+Config INTEG transform(s): HMAC-SHA-512 HMAC-SHA-256 HMAC-SHA1
+Received INTEG transform(s): HMAC-SHA-256
+Best intersection: HMAC-SHA-256
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 20
+Best intersection: 20
Looking for payload NONCE (40)...Found 1 payload.
+Nonce length=32 bytes
+Nonce=0x950893DBE719E2581FE23AA516E58556A444EB72D1B03997353DA412292CF873
+SA-DATA-Ni=0x950893DBE719E2581FE23AA516E58556A444EB72D1B03997353DA412292CF873
[VPN-Debug] 2025/10/20 17:14:11,198 Devicetime: 2025/10/20 17:14:11,494
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NOTIFY(REDIRECT) (41):
+No Redirection
Constructing payload NONCE (40):
+Nonce length=32 bytes
+Nonce=0xA1B60FBFC09CAC032049650A5E841F0343363FCC8D3CEA5B41708BEBA99E0D8B
+SA-DATA-Nr=0xA1B60FBFC09CAC032049650A5E841F0343363FCC8D3CEA5B41708BEBA99E0D8B
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
+Computing SHA1(0x2F83F6C67214A080FFB5AFDA676EB487|192.168.0.254:500)
+Computing SHA1(0x2F83F6C67214A080FFB5AFDA676EB487C0A800FE01F4)
+0xF97283BA95C1EA9FF053AC505B748012A390893C
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
+Computing SHA1(0x2F83F6C67214A080FFB5AFDA676EB487|85.2.109.210:500)
+Computing SHA1(0x2F83F6C67214A080FFB5AFDA676EB48755026DD201F4)
+0x29F56F209BE89D7EB4F158F0CD061B650BADC9E9
Constructing payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41):
+Signature hash algorithms: SHA-256,SHA-384,SHA-512
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
+0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
+Peer does not support private notifications -> ignore
+Shared secret derived in 11538 micro seconds
IKE_SA(0x2F83F6C67214A080FFB5AFDA676EB487).EXPECTED-MSG-ID raised to 1
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x2F83F6C67214A080FFB5AFDA676EB48700000000, P1, RESPONDER): Resetting Negotiation SA
(IKE_SA, 'DEFAULT', 'ISAKMP-PEER-DEFAULT', 0x2F83F6C67214A080FFB5AFDA676EB48700000000, responder): use_count --5
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 343 bytes (responder)
Gateways: 192.168.0.254:4500-->IP Swisscom Router:4500, tag 0 (UDP)
SPIs: 0x2F83F6C67214A080FFB5AFDA676EB487, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(SIGNATURE_HASH_ALGORITHMS), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)
[VPN-Debug] 2025/10/20 17:14:11,198 Devicetime: 2025/10/20 17:14:11,502
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 544 bytes (encrypted)
Gateways: 192.168.0.254:4500<--IP Swisscom Router:4500
SPIs: 0x2F83F6C67214A080FFB5AFDA676EB487, Message-ID 1
Payloads: ENCR
QUB-DATA: 192.168.0.254:4500<---IP Swisscom Router:4500 rtg_tag 0 physical-channel WAN(1)
transport: [id: 14168364, UDP (17) {incoming unicast, fixed source address}, dst: IP Swisscom Router, tag 0 (U), src: 192.168.0.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INTERNET (4), mac address: 70:fc:8c:49:5b:e0, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
+Exchange created (flags: 0x00000000)
Message verified successfully
Message decrypted successfully
Payloads: ENCR, IDI, NOTIFY(INITIAL_CONTACT), CERTREQ, IDR, AUTH(PSK), NOTIFY(ESP_TFC_PADDING_NOT_SUPPORTED), SA, TSI, TSR, NOTIFY(MOBIKE_SUPPORTED), NOTIFY(ADDITIONAL_IP4_ADDRESS), NOTIFY(ADDITIONAL_IP4_ADDRESS), NOTIFY(ADDITIONAL_IP4_ADDRESS), NOTIFY(ADDITIONAL_IP6_ADDRESS), NOTIFY(ADDITIONAL_IP6_ADDRESS), NOTIFY(ADDITIONAL_IP6_ADDRESS), NOTIFY(EAP_ONLY_AUTHENTICATION), NOTIFY(MESSAGE_ID_SYNC_SUPPORTED)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x2F83F6C67214A080FFB5AFDA676EB48700000001, P2, RESPONDER): Setting Negotiation SA
Referencing (CHILD_SA, 0x2F83F6C67214A080FFB5AFDA676EB4870000000100, responder): use_count 3
Looking for payload IDI (35)...Found 1 payload.
-ID-Type 'No-Identity' does not make sense for peers with unknown remote gateway address -> skipping
-Received-ID:AUTH IP Swisscom Router:IPV4_ADDR:PRESHARED_KEY != Expected-ID:AUTH ID_NONE:ID_NONE:DIGITAL SIGNATURE
-Received-ID:AUTH IP Swisscom Router:IPV4_ADDR:PRESHARED_KEY != Expected-ID:AUTH ID_NONE:ID_NONE:DIGITAL SIGNATURE
-Received-ID:AUTH IP Swisscom Router:IPV4_ADDR:PRESHARED_KEY != Expected-ID:AUTH ID_NONE:ID_NONE:DIGITAL SIGNATURE
[VPN-Debug] 2025/10/20 17:14:11,209 Devicetime: 2025/10/20 17:14:11,503
Peer DEFAULT: Constructing an IKE_AUTH-RESPONSE for send
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 80 bytes (responder encrypted)
Gateways: 192.168.0.254:4500-->IP Swisscom Router:4500, tag 0 (UDP)
SPIs: 0x2F83F6C67214A080FFB5AFDA676EB487, Message-ID 1
Payloads: ENCR
Thanks and regards
Alex
Dr.Einstein
Re: VPN from Swisscom Centro Business 3.0 router to 1900EF
Hey Alex,
the router never gets out of the DEFAULT peer, i.e. the assignment via IDs and/or the public IP is not working:
-ID-Type 'No-Identity' does not make sense for peers with unknown remote gateway address -> skipping
The VPN-IKE trace should show which ID and which ID type the Swiss router comes with. My guess is type IPv4 with the public IP as the value. You could try entering that in your named peer as a test. Local / remote type: IPv4 address, local ID: your WAN address, remote ID: the WAN IP of your Swiss router. If you use a DynDNS name on either side, enter FQDN instead of IPv4 and the corresponding DynDNS hostname.
Re: VPN from Swisscom Centro Business 3.0 router to 1900EF
Hello Dr. Einstein,
that was the right way ...
Local and remote identity set to IPv4 with the respective WAN IP addresses.
MANY THANKS!!!
Alex
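The three things the trace above reveals (the DH-group retry answered with INVALID_KE_PAYLOAD, the NAT-T detection that moves IKE to port 4500 because the 1900EF sits behind a provider router, and the ID mismatch that keeps the Swisscom router stuck in the DEFAULT peer) can be pulled out of an LCOS vpn-debug trace automatically. This is an added example by the editor, not code from the thread or from LANCOM: the line formats and values come from the trace posted above, the excerpt it parses is constructed from those lines, and `parse_trace`, `diagnose` and `nat_detection_hash` are the editor's own names.

```python
"""Parse an LCOS 'vpn-debug' trace (line formats as posted in this thread) and report why
the IKEv2 negotiation ends in the DEFAULT peer.  Added example by the editor, not LANCOM
code; 'IP Swisscom Router' is the poster's placeholder for the Swisscom router's address."""
import hashlib
import ipaddress
import re
import struct

# Constructed excerpt of the trace posted above: only the lines this example needs.
TRACE = """\
+Computing SHA1(0x2F83F6C67214A0800000000000000000|192.168.0.254:500)
+Computed: 0x1E9FBEF84BE85ADFE86435F96396D2087AC4E604
+Received: 0x8C38E9E362AEEF148AE313CB19C8D4515037C1DB
+Not equal => NAT-T enabled => switching on port 4500
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 31
-Skipping proposal 1
+Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256
+Received ENCR transform(s): AES-CBC-128
-Skipping proposal 3
+Config DH transform(s): 30 29 28 21 20 16 19 15 14
+Received DH transform(s): 20
+Best intersection: 20
Payloads: NOTIFY(INVALID_KE_PAYLOAD[0x0014])
-Received-ID:AUTH IP Swisscom Router:IPV4_ADDR:PRESHARED_KEY != Expected-ID:AUTH ID_NONE:ID_NONE:DIGITAL SIGNATURE
"""

TRANSFORM_RE = re.compile(r"^\+(Config|Received) (\w+) transform\(s\): (.*)$")
SKIP_RE = re.compile(r"^-Skipping proposal (\d+)$")
NAT_INPUT_RE = re.compile(r"^\+Computing SHA1\(0x([0-9A-F]{32})\|([\d.]+):(\d+)\)$")
NAT_RESULT_RE = re.compile(r"^\+Computed: (0x[0-9A-F]{40})$")
INVALID_KE_RE = re.compile(r"INVALID_KE_PAYLOAD\[0x([0-9A-Fa-f]{4})\]")
ID_RE = re.compile(r"^-Received-ID:AUTH (.+?):(\w+):(\w+) != Expected-ID:AUTH (\w+):(\w+):(.+)$")


def nat_detection_hash(spis_hex, ip, port):
    """RFC 7296 NAT_DETECTION_*_IP value: SHA-1(SPIi | SPIr | IP | Port), as the trace prints it."""
    data = bytes.fromhex(spis_hex) + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return "0x" + hashlib.sha1(data).hexdigest().upper()


def parse_trace(text):
    """Collect the responder's decisions: proposal mismatches, NAT-T, INVALID_KE, identities."""
    report = {"proposals": [], "nat_t": None, "nat_hash_ok": None,
              "invalid_ke_group": None, "id_mismatch": None}
    pending, config, nat_input, last_kind = [], {}, None, None
    for line in text.splitlines():
        if m := TRANSFORM_RE.match(line):
            side, kind, values = m.groups()
            last_kind = kind
            if side == "Config":
                config[kind] = values.split()
            elif not set(config.get(kind, [])) & set(values.split()):
                pending.append({"transform": kind, "received": values.split()})
        elif m := SKIP_RE.match(line):
            report["proposals"].append({"number": int(m.group(1)), "accepted": False,
                                        "mismatches": pending})
            pending = []
        elif line.startswith("+Best intersection:") and last_kind == "DH" and not pending:
            # DH is the last transform LCOS checks; reaching it without a mismatch = accepted
            report["proposals"].append({"accepted": True, "dh_group": int(line.split()[-1])})
        elif m := NAT_INPUT_RE.match(line):
            nat_input = (m.group(1), m.group(2), int(m.group(3)))
        elif (m := NAT_RESULT_RE.match(line)) and nat_input:
            report["nat_hash_ok"] = nat_detection_hash(*nat_input) == m.group(1)
        elif "NAT-T" in line:
            report["nat_t"] = "NAT-T enabled" in line
        elif m := INVALID_KE_RE.search(line):
            report["invalid_ke_group"] = int(m.group(1), 16)
        elif m := ID_RE.match(line):
            keys = ("received_id", "received_type", "received_auth",
                    "expected_id", "expected_type", "expected_auth")
            report["id_mismatch"] = dict(zip(keys, m.groups()))
    return report


def diagnose(report):
    """Turn the parsed trace into the findings a VPN admin acts on."""
    findings = []
    for p in report["proposals"]:
        if p["accepted"]:
            findings.append(f"IKE proposal accepted with DH group {p['dh_group']}")
        else:
            why = ", ".join(f"{m['transform']}={'/'.join(m['received'])}" for m in p["mismatches"])
            findings.append(f"proposal {p['number']} rejected: no match for {why}")
    if report["invalid_ke_group"]:
        findings.append(f"INVALID_KE_PAYLOAD sent: the initiator has to retry with DH group "
                        f"{report['invalid_ke_group']} (one extra round trip, not an error)")
    if report["nat_t"]:
        findings.append("NAT detected on the LANCOM side: IKE continues on UDP 4500, so the "
                        "router in front of it must pass UDP 500 and 4500")
    idm = report["id_mismatch"]
    if idm and idm["expected_type"] == "ID_NONE":
        findings.append(f"stuck in DEFAULT peer: initiator identifies as {idm['received_type']} "
                        f"'{idm['received_id']}' with {idm['received_auth']}; no named peer expects "
                        f"that identity, so configure local/remote identity of that type there")
    return findings
```

Run `diagnose(parse_trace(TRACE))` on the real trace (or on the excerpt) to get the list of findings; the last one is exactly the fix applied at the end of this thread.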