Windows 10 mit IKEv2 VLAN

Forum zum Thema allgemeinen Fragen zu VPN

Moderator: Lancom-Systems Moderatoren

Antworten
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

Da ich Fehler immer zuerst bei mir suche, habe ich jetzt noch einmal die Konfiguration gelöscht und noch einmal gemacht. Leider mit dem identischen Resultat. Ich werde jetzt mal den kompletten Trace hochladen. Der 1906VA hat 25 VPN Lizenzen dabei. Das Netz 192.168.10.0/24 ist bei mir nicht in Benutzung.

Zuerst wählt sich Client1(1.1.1.1) aus dem T-Mobile-Netz und danach Client2(2.2.2.2) vom Unitymedia-Kabel am Router(9.9.9.9) am Telekom DSL-Anschluss an. Vielleicht ist ein kompletter Trace hilfreicher.

USER1

Code: Alles auswählen

[VPN-Debug] 2020/01/18 14:18:14,167  Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---1.1.1.1:500 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86832, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 500
+No IKE_SA found

[VPN-Status] 2020/01/18 14:18:14,167  Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
No NOTIFY(COOKIE) found
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B504E4043DB4E77B8F) entered to SADB
Received 3 notifications: 
  +IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
  +NAT_DETECTION_SOURCE_IP(0xFA38556867E290E8C81D053D03192816B4585793) (STATUS)
  +NAT_DETECTION_DESTINATION_IP(0x9482D1F21269432556A99E6CD7FEA18D933D66AC) (STATUS)

[VPN-Debug] 2020/01/18 14:18:14,167  Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->1.1.1.1:500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE)

[VPN-Status] 2020/01/18 14:18:14,167  Devicetime: 2020/01/18 14:18:13,348
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Adding COOKIE(0x153DDA3BE2BC5F82)
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->1.1.1.1:500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0

[VPN-Debug] 2020/01/18 14:18:14,167  Devicetime: 2020/01/18 14:18:13,349
IKE-TRANSPORT freed

[VPN-Status] 2020/01/18 14:18:14,167  Devicetime: 2020/01/18 14:18:13,349
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B50000000000000000) removed from SADB
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B50000000000000000) freed

[VPN-Debug] 2020/01/18 14:18:14,214  Devicetime: 2020/01/18 14:18:13,453
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE), SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---1.1.1.1:500 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 500
+No IKE_SA found
Counting consumed licenses by active channels...
  Consumed connected licenses   : 0
  Negotiating connections       : 0
  IKE negotiations              : 0
  MPPE connections              : 0
  Licenses in use               : 0 < 25
  +Passive connection request accepted (87 micro seconds)
Looking for payload VENDOR (43)...Found 4 payloads.
  +Windows-8
  +FB1DE3CDF341B7EA16B7E5BE0855F120
  +26244D38EDDB61B3172A36E3D0CFB819
  +01528BBBC00696121849AB9A1C5B2A5100000002
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
  +Computing SHA1(0x34541AA277DB85B50000000000000000|1.1.1.1:500)
  +Computing SHA1(0x34541AA277DB85B5000000000000000050BB6A9001F4)
  +Computed: 0x28B2EEE0286CCE1E7735BB681410E753437B25AD
  +Received: 0xFA38556867E290E8C81D053D03192816B4585793
  +Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
  +Computing SHA1(0x34541AA277DB85B50000000000000000|9.9.9.9:500)
  +Computing SHA1(0x34541AA277DB85B5000000000000000057BFB06501F4)
  +Computed: 0x9482D1F21269432556A99E6CD7FEA18D933D66AC
  +Received: 0x9482D1F21269432556A99E6CD7FEA18D933D66AC
  +Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-384
  +Received PRF   transform(s): PRF-HMAC-SHA-384
  +Best intersection: PRF-HMAC-SHA-384
  +Config   INTEG transform(s): HMAC-SHA-384
  +Received INTEG transform(s): HMAC-SHA-384
  +Best intersection: HMAC-SHA-384
  +Config   DH    transform(s): 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload NONCE (40)...Found 1 payload.
  +Nonce length=48 bytes
  +Nonce=0xF0AC424437016E9DD2864BC6E832C537386CC858276A559A5580297195E1C89B140501B25DAFA0740E19FF92C88CDDC5
  +SA-DATA-Ni=0xF0AC424437016E9DD2864BC6E832C537386CC858276A559A5580297195E1C89B140501B25DAFA0740E19FF92C88CDDC5

[VPN-Status] 2020/01/18 14:18:14,214  Devicetime: 2020/01/18 14:18:13,453
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--1.1.1.1:500
SPIs: 0x34541AA277DB85B50000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
+Received COOKIE is valid
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0x34541AA277DB85B5CE3452DEE1EDFD68) entered to SADB
Received 4 notifications: 
  +COOKIE(0x153DDA3BE2BC5F82) (STATUS)
  +IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
  +NAT_DETECTION_SOURCE_IP(0xFA38556867E290E8C81D053D03192816B4585793) (STATUS)
  +NAT_DETECTION_DESTINATION_IP(0x9482D1F21269432556A99E6CD7FEA18D933D66AC) (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
  IKE-Proposal-1  (4 transforms)
    ENCR : AES-CBC-256
    PRF  : PRF-HMAC-SHA-384
    INTEG: HMAC-SHA-384
    DH   : 14
+Received KE-DH-Group 14 (2048 bits)

[VPN-Debug] 2020/01/18 14:18:14,323  Devicetime: 2020/01/18 14:18:13,500
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x4081445F8AAEBD5C26DCEC80DFB9F84F718088CB922105E21CB6C294148D58C1
  +SA-DATA-Nr=0x4081445F8AAEBD5C26DCEC80DFB9F84F718088CB922105E21CB6C294148D58C1
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
  +Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD68|9.9.9.9:500)
  +Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD6857BFB06501F4)
  +0xAA01E685AA5D8763B13CFB948F4DCB6EC5B07BCF
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
  +Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD68|1.1.1.1:500)
  +Computing SHA1(0x34541AA277DB85B5CE3452DEE1EDFD6850BB6A9001F4)
  +0x19A0A4C720F51CDF81A01CDD57B04F732ED17D30
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
  +0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
  +Peer does not support private notifications -> ignore
+Shared secret derived in 43637 micro seconds
IKE_SA(0x34541AA277DB85B5CE3452DEE1EDFD68).EXPECTED-MSG-ID raised to 1
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:4500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)

[VPN-Status] 2020/01/18 14:18:14,323  Devicetime: 2020/01/18 14:18:13,500
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
  IKE-Proposal-1  (4 transforms)
    ENCR : AES-CBC-256
    PRF  : PRF-HMAC-SHA-384
    INTEG: HMAC-SHA-384
    DH   : 14
+KE-DH-Group 14 (2048 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0x34541AA277DB85B5, responder cookie: 0xCE3452DEE1EDFD68
NAT-T enabled. We are not behind a nat, the remote side is  behind a nat
SA ISAKMP for peer DEFAULT Encryption AES-CBC-256  Integrity AUTH-HMAC-SHA-384  IKE-DH-Group 14  PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:13 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:13 (in 86400 sec) / 2000000 kb
DPD: NONE
Negotiated: IKEV2_FRAGMENTATION

Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:4500, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 0

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,627
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,628
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 1/7

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,628
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,628
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 2/7

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,630
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,630
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 3/7

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,631
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,631
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 4/7

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,633
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,633
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 5/7

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,634
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,634
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 6/7

[VPN-Debug] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,636
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 300 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:22505 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86833, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
IKEv2-Fragment 1/7 decrypted successfully
IKEv2-Fragment 2/7 decrypted successfully
IKEv2-Fragment 3/7 decrypted successfully
IKEv2-Fragment 4/7 decrypted successfully
IKEv2-Fragment 5/7 decrypted successfully
IKEv2-Fragment 6/7 decrypted successfully
IKEv2-Fragment 7/7 decrypted successfully

[VPN-Status] 2020/01/18 14:18:14,370  Devicetime: 2020/01/18 14:18:13,636
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 300 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Ikev2 Fragment Number/Total: 7/7

[VPN-Debug] 2020/01/18 14:18:14,480  Devicetime: 2020/01/18 14:18:13,647
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3221 bytes
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(RSA:SHA1), NOTIFY(STATUS_MOBIKE_SUPPORTED), CP(REQUEST), SA, TSI, TSR
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---0.0.0.0/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload IDI (35)...Found 1 payload.
  +Received-ID CN=USER1:DER_ASN1_DN matches the Expected-ID CN=USER1:DER_ASN1_DN
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-384
  +Received PRF   transform(s): PRF-HMAC-SHA-384
  +Best intersection: PRF-HMAC-SHA-384
  +Config   INTEG transform(s): HMAC-SHA-384
  +Received INTEG transform(s): HMAC-SHA-384
  +Best intersection: HMAC-SHA-384
  +Config   DH    transform(s): 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload CERT(X509) (37)...Found 1 payload.
  Subject: CN=USER1
  Issuer : CN=LANCOM CA,O=LANCOM,C=DE
VPN_NATEL: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---0.0.0.0/32 port(0) protocol(0)
VPN_NATEL: DELETE MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload TSI (44)...Found 1 payload.
  Looking for a connection...
  Trying connection 0: ipsec-0-VPN_NATEL-pr0-l0-r0
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  +Valid intersection found
  TSi: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
  TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSi OK.
Looking for payload TSR (45)...Found 1 payload.
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-256
  +Received ENCR  transform(s): AES-GCM-16-256
  +Best intersection: AES-GCM-16-256
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE

[VPN-Status] 2020/01/18 14:18:14,480  Devicetime: 2020/01/18 14:18:13,647
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3221 bytes
Gateways: 9.9.9.9:4500<--1.1.1.1:4500
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Updating remote port to 22505
Received 1 notification: 
  +MOBIKE_SUPPORTED (STATUS)
+Received-ID CN=USER1:DER_ASN1_DN matches the Expected-ID CN=USER1:DER_ASN1_DN
+Peer identified: VPN_NATEL
+Peer uses AUTH(RSA:SHA1)
+Authentication successful
Request attributes:
  INTERNAL_IP4_ADDRESS()
  INTERNAL_IP4_DNS()
  INTERNAL_IP4_NBNS()
  INTERNAL_IP4_SERVER()
Assigned IPv4 config parameters:
  IP:  192.168.10.114
  DNS: 192.168.10.1, 192.168.200.254
Assigned IPv6 config parameters:
  DNS: ::
TSi: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+CHILD-SA:
  ESP-Proposal-1 Peer-SPI: 0x7D16E9E6 (2 transforms)
    ENCR : AES-GCM-16-256
    ESN  : NONE

[VPN-Debug] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload CP(REPLY) (47):
  +INTERNAL_IP4_DNS(192.168.10.1)
  +INTERNAL_IP4_DNS(192.168.200.254)
  +INTERNAL_IP4_ADDRESS(192.168.10.114)
Constructing payload NOTIFY(STATUS_INITIAL_CONTACT) (41):
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL  SPI 0x8F39BC6F 
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
IKE_SA(0x34541AA277DB85B5CE3452DEE1EDFD68).EXPECTED-MSG-ID raised to 2
KEY-PARSE: Received SADB_ADD/SADB_SATYPE_ESP
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 14400 sec (key_hard_event)  Soft-Timeout in 12960 sec
KEY-SA-STATE-CHANGE: LARVAL->MATURE
KEY-ADD: Peer VPN_NATEL  handle 61  outgoing UDP-SPI 0x7D16E9E6  NAT-T  0.0.0.0/0---9.9.9.9:4500===1.1.1.1:22505---192.168.10.114/32  Hard-Timeout in 14400 sec (key_hard_event)  Soft-Timeout in 12960 sec
IPSEC-SEND-UP
KEY-PARSE: Received SADB_UPDATE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: LARVAL->MATURE
SA-STORE: refcnt 2
KEY-UPDATE: Peer VPN_NATEL  handle 61  incoming UDP-SPI 0x8F39BC6F  NAT-T  192.168.10.114/32---1.1.1.1:22505===9.9.9.9:4500---0.0.0.0/0  Hard-Timeout in 14400 sec (key_hard_event)  Soft-Timeout in 12960 sec
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---192.168.10.114/32 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL  OUTBOUND  PROTOCOL_ANY  0.0.0.0/0<->192.168.10.114/32
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL  INBOUND  PROTOCOL_ANY  192.168.10.114/32<->0.0.0.0/0
IPSEC-SEND-UP
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:22505, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes
Payloads: IDR, CERT(X509), AUTH(RSA:SHA1), CP(REPLY), TSI, TSR, NOTIFY(STATUS_INITIAL_CONTACT), SA

[VPN-Status] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID CN=gw.test.com:DER_ASN1_DN
+Peer does not support Digital-Signature Authentication (RFC-7427).
+Fallback from RSAEncryption on RSA Digital Signature (1)
+I use AUTH(RSA:SHA1)
+Signature of length 512 bytes (4096 bits) computed

IKE_SA_INIT [responder] for peer VPN_NATEL initiator id CN=USER1, responder id CN=gw.test.com
initiator cookie: 0x34541AA277DB85B5, responder cookie: 0xCE3452DEE1EDFD68
NAT-T enabled. We are not behind a nat, the remote side is  behind a nat
SA ISAKMP for peer VPN_NATEL Encryption AES-CBC-256  Integrity AUTH-HMAC-SHA-384  IKE-DH-Group 14  PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:13 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:13 (in 86400 sec) / 2000000 kb
DPD: 30 sec
Negotiated: IKEV2_FRAGMENTATION

Reply attributes:
  INTERNAL_IP4_DNS(192.168.10.1)
  INTERNAL_IP4_DNS(192.168.200.254)
  INTERNAL_IP4_ADDRESS(192.168.10.114)
+TSi 0: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
+TSr 0: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+CHILD-SA:
  ESP-Proposal-1 My-SPI: 0x8F39BC6F (2 transforms)
    ENCR : AES-GCM-16-256
    ESN  : NONE
Encrypted message is too big (2136 bytes) -> should be ikev2 fragmented (MTU 588)

CHILD_SA [responder] done with 2 SAS for peer VPN_NATEL rule IPSEC-0-VPN_NATEL-PR0-L0-R0
9.9.9.9:4500-->1.1.1.1:22505, Routing tag 0, Com-channel 61
rule:' ipsec 0.0.0.0/0 <-> 192.168.10.114/32
outgoing SA ESP [0x7D16E9E6]  Authenticated-Encryption AES-GCM-16-256  PFS-DH-Group None  ESN None
incoming SA ESP [0x8F39BC6F]  Authenticated-Encryption AES-GCM-16-256  PFS-DH-Group None  ESN None
life time soft 01/18/2020 17:54:13 (in 12960 sec) / 1800000 kb
life time hard 01/18/2020 18:18:13 (in 14400 sec) / 2000000 kb
tunnel between src: 9.9.9.9 dst: 1.1.1.1

Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->1.1.1.1:22505, tag 0 (UDP)
SPIs: 0x34541AA277DB85B5CE3452DEE1EDFD68, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes

[VPN-Debug] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Trigger next pended request to establish an exchange
  Current request is none
  IKE_SA is not REPLACED
There are 0 pending requests

[VPN-Status] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,920
set_ip_transport for VPN_NATEL: [id: 86836, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0]

[VPN-Status] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,920
VPN: WAN state changed to WanCalled for VPN_NATEL (1.1.1.1), called by: 01f48f28

[VPN-Status] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,921
vpn-maps[61], remote: VPN_NATEL, nego, static-name, connected-by-name

[VPN-Status] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,921
VPN: wait for IKE negotiation from VPN_NATEL (1.1.1.1)

[VPN-Status] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,921
VPN: WAN state changed to WanProtocol for VPN_NATEL (1.1.1.1), called by: 01f48f28

[VPN-Debug] 2020/01/18 14:18:14,808  Devicetime: 2020/01/18 14:18:14,106
cryptaccess register nr:13

[VPN-Status] 2020/01/18 14:18:15,643  Devicetime: 2020/01/18 14:18:14,928
VPN: VPN_NATEL connected

[VPN-Status] 2020/01/18 14:18:15,643  Devicetime: 2020/01/18 14:18:14,928
VPN: WAN state changed to WanConnect for VPN_NATEL (1.1.1.1), called by: 01f48f28

[VPN-Status] 2020/01/18 14:18:15,643  Devicetime: 2020/01/18 14:18:14,928
vpn-maps[61], remote: VPN_NATEL, connected, static-name, connected-by-name
USER2

Code: Alles auswählen

[VPN-Debug] 2020/01/18 14:18:25,374  Devicetime: 2020/01/18 14:18:24,610
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---2.2.2.2:65024 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86840, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 65024
+No IKE_SA found

[VPN-Status] 2020/01/18 14:18:25,374  Devicetime: 2020/01/18 14:18:24,610
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 544 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
No NOTIFY(COOKIE) found
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E281BAD0BC88CA5079E) entered to SADB
Received 3 notifications: 
  +IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
  +NAT_DETECTION_SOURCE_IP(0xB508BB875F4BFAA9980B61AC3EF9F88E1D503689) (STATUS)
  +NAT_DETECTION_DESTINATION_IP(0x7A6026CE384969A2F2088E5B686521260EEF088F) (STATUS)

[VPN-Debug] 2020/01/18 14:18:25,374  Devicetime: 2020/01/18 14:18:24,611
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->2.2.2.2:65024, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE)

[VPN-Status] 2020/01/18 14:18:25,374  Devicetime: 2020/01/18 14:18:24,611
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Adding COOKIE(0x1501EA49A95C3098)
Sending an IKE_SA_INIT-RESPONSE of 44 bytes (responder)
Gateways: 9.9.9.9:500-->2.2.2.2:65024, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0

[VPN-Debug] 2020/01/18 14:18:25,374  Devicetime: 2020/01/18 14:18:24,611
IKE-TRANSPORT freed

[VPN-Status] 2020/01/18 14:18:25,374  Devicetime: 2020/01/18 14:18:24,611
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E280000000000000000) removed from SADB
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E280000000000000000) freed

[VPN-Debug] 2020/01/18 14:18:25,421  Devicetime: 2020/01/18 14:18:24,661
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Payloads: NOTIFY(COOKIE), SA, KE, NONCE, NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), VENDOR, VENDOR, VENDOR, VENDOR
QUB-DATA: 9.9.9.9:500<---2.2.2.2:65024 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 500, remote port: 65024
+No IKE_SA found
Counting consumed licenses by active channels...
     1: (VPN_NATEL       , 1.1.1.1 , ikev2) : no DEVICE-ID -> 1
  Consumed connected licenses   : 1
  Negotiating connections       : 0
  IKE negotiations              : 0
  MPPE connections              : 0
  Licenses in use               : 1 < 25
  +Passive connection request accepted (99 micro seconds)
Looking for payload VENDOR (43)...Found 4 payloads.
  +Windows-8
  +FB1DE3CDF341B7EA16B7E5BE0855F120
  +26244D38EDDB61B3172A36E3D0CFB819
  +01528BBBC00696121849AB9A1C5B2A5100000002
Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload.
  +Computing SHA1(0xA4291BFF05C17E280000000000000000|2.2.2.2:65024)
  +Computing SHA1(0xA4291BFF05C17E28000000000000000025C92EBFFE00)
  +Computed: 0x9848BDBE764FDB97DDD5E7FADE286ADB2FA387D5
  +Received: 0xB508BB875F4BFAA9980B61AC3EF9F88E1D503689
  +Not equal => NAT-T enabled => switching on port 4500
Looking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload.
  +Computing SHA1(0xA4291BFF05C17E280000000000000000|9.9.9.9:500)
  +Computing SHA1(0xA4291BFF05C17E28000000000000000057BFB06501F4)
  +Computed: 0x7A6026CE384969A2F2088E5B686521260EEF088F
  +Received: 0x7A6026CE384969A2F2088E5B686521260EEF088F
  +Equal => NAT-T is already enabled
Looking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.
Looking for payload IKE_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-384
  +Received PRF   transform(s): PRF-HMAC-SHA-384
  +Best intersection: PRF-HMAC-SHA-384
  +Config   INTEG transform(s): HMAC-SHA-384
  +Received INTEG transform(s): HMAC-SHA-384
  +Best intersection: HMAC-SHA-384
  +Config   DH    transform(s): 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload NONCE (40)...Found 1 payload.
  +Nonce length=48 bytes
  +Nonce=0x10C4B0302F464C9630FA1D5A48B94D67068097FFBAE20783985E2A402BCA7D0E79995A1DFDF4A7F508CBD0CD4AB83257
  +SA-DATA-Ni=0x10C4B0302F464C9630FA1D5A48B94D67068097FFBAE20783985E2A402BCA7D0E79995A1DFDF4A7F508CBD0CD4AB83257

[VPN-Status] 2020/01/18 14:18:25,421  Devicetime: 2020/01/18 14:18:24,661
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 560 bytes
Gateways: 9.9.9.9:500<--2.2.2.2:65024
SPIs: 0xA4291BFF05C17E280000000000000000, Message-ID 0
Peer identified: DEFAULT
IKEv2 COOKIE challenge is active
+Received COOKIE is valid
IKE_SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE SPIs 0xA4291BFF05C17E28DA0375CABD5748C6) entered to SADB
Received 4 notifications: 
  +COOKIE(0x1501EA49A95C3098) (STATUS)
  +IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
  +NAT_DETECTION_SOURCE_IP(0xB508BB875F4BFAA9980B61AC3EF9F88E1D503689) (STATUS)
  +NAT_DETECTION_DESTINATION_IP(0x7A6026CE384969A2F2088E5B686521260EEF088F) (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
  IKE-Proposal-1  (4 transforms)
    ENCR : AES-CBC-256
    PRF  : PRF-HMAC-SHA-384
    INTEG: HMAC-SHA-384
    DH   : 14
+Received KE-DH-Group 14 (2048 bits)

[VPN-Debug] 2020/01/18 14:18:25,484  Devicetime: 2020/01/18 14:18:24,709
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x4213E8F9CA4E14D28AE4E0A50930E63B4497F7F87561C4C070AD7DD35F98D1E5
  +SA-DATA-Nr=0x4213E8F9CA4E14D28AE4E0A50930E63B4497F7F87561C4C070AD7DD35F98D1E5
Constructing payload NOTIFY(DETECTION_SOURCE_IP) (41):
  +Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C6|9.9.9.9:500)
  +Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C657BFB06501F4)
  +0x4A6089BA085C6202A42A3881149888056CFE26A4
Constructing payload NOTIFY(DETECTION_DESTINATION_IP) (41):
  +Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C6|2.2.2.2:65024)
  +Computing SHA1(0xA4291BFF05C17E28DA0375CABD5748C625C92EBFFE00)
  +0xA4D8A37C6EA3FA803F7F32069B67BAB1B0022CA7
Constructing payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41):
Constructing payload CERTREQ (38):
  +0x0000000000000000000000000000000000000000
Constructing payload VENDOR(FRAGMENTATION) (43):
Constructing payload VENDOR(FRAGMENTATION(C0000000)) (43):
Constructing payload VENDOR(ikev2 config payload: Do not narrow my traffic selector) (43):
Constructing payload VENDOR(activate lancom-systems notification private range) (43):
Constructing payload NOTIFY(DEVICE-ID) (41):
  +Peer does not support private notifications -> ignore
+Shared secret derived in 43636 micro seconds
IKE_SA(0xA4291BFF05C17E28DA0375CABD5748C6).EXPECTED-MSG-ID raised to 1
+(request, response) pair inserted into retransmission map
Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:4500, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 0
Payloads: SA, KE, NONCE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), CERTREQ, VENDOR(activate lancom-systems notification private range)

[VPN-Status] 2020/01/18 14:18:25,484  Devicetime: 2020/01/18 14:18:24,709
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
  IKE-Proposal-1  (4 transforms)
    ENCR : AES-CBC-256
    PRF  : PRF-HMAC-SHA-384
    INTEG: HMAC-SHA-384
    DH   : 14
+KE-DH-Group 14 (2048 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: 0xA4291BFF05C17E28, responder cookie: 0xDA0375CABD5748C6
NAT-T enabled. We are not behind a nat, the remote side is  behind a nat
SA ISAKMP for peer DEFAULT Encryption AES-CBC-256  Integrity AUTH-HMAC-SHA-384  IKE-DH-Group 14  PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:24 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:24 (in 86400 sec) / 2000000 kb
DPD: NONE
Negotiated: IKEV2_FRAGMENTATION

Sending an IKE_SA_INIT-RESPONSE of 489 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:4500, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 0

[VPN-Debug] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,786
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,786
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 1/6

[VPN-Debug] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,787
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,787
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 2/6

[VPN-Debug] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,788
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,788
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 3/6

[VPN-Debug] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,789
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,789
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 4/6

[VPN-Debug] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,790
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully

[VPN-Status] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,790
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 5/6

[VPN-Debug] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,791
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: ENCRYPTED_FRAGMENT
QUB-DATA: 9.9.9.9:4500<---2.2.2.2:65021 rtg_tag 0 physical-channel WAN(2)
transport: [id: 86841, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
IKEv2-Fragment 1/6 decrypted successfully
IKEv2-Fragment 2/6 decrypted successfully
IKEv2-Fragment 3/6 decrypted successfully
IKEv2-Fragment 4/6 decrypted successfully
IKEv2-Fragment 5/6 decrypted successfully
IKEv2-Fragment 6/6 decrypted successfully

[VPN-Status] 2020/01/18 14:18:25,531  Devicetime: 2020/01/18 14:18:24,791
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 588 bytes (encrypted)
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Ikev2 Fragment Number/Total: 6/6

[VPN-Debug] 2020/01/18 14:18:25,593  Devicetime: 2020/01/18 14:18:24,803
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3003 bytes
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(RSA:SHA1), NOTIFY(STATUS_MOBIKE_SUPPORTED), CP(REQUEST), SA, TSI, TSR
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload IDI (35)...Found 1 payload.
  Compare: -Received-ID CN=USER2:DER_ASN1_DN != Expected-ID CN=USER1:DER_ASN1_DN
  Compare: -Received-ID CN=USER2:DER_ASN1_DN != Expected-ID CN=USER1:DER_ASN1_DN
  +Received-ID CN=USER2:DER_ASN1_DN matches the Expected-ID CN=USER2:DER_ASN1_DN
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-384
  +Received PRF   transform(s): PRF-HMAC-SHA-384
  +Best intersection: PRF-HMAC-SHA-384
  +Config   INTEG transform(s): HMAC-SHA-384
  +Received INTEG transform(s): HMAC-SHA-384
  +Best intersection: HMAC-SHA-384
  +Config   DH    transform(s): 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload CERT(X509) (37)...Found 1 payload.
  Subject: CN=USER2
  Issuer : CN=LANCOM CA,O=LANCOM,C=DE
VPN_NATEL: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: DELETE MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
Looking for payload TSI (44)...Found 1 payload.
  Looking for a connection...
  Trying connection 0: ipsec-0-VPN_NATEL-pr0-l0-r0
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  +Valid intersection found
  TSi: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
  TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSi OK.
Looking for payload TSR (45)...Found 1 payload.
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-256
  +Received ENCR  transform(s): AES-GCM-16-256
  +Best intersection: AES-GCM-16-256
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE

[VPN-Status] 2020/01/18 14:18:25,593  Devicetime: 2020/01/18 14:18:24,803
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3003 bytes
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Updating remote port to 65021
Received 1 notification: 
  +MOBIKE_SUPPORTED (STATUS)
+Received-ID CN=USER2:DER_ASN1_DN matches the Expected-ID CN=USER2:DER_ASN1_DN
+Peer identified: VPN_NATEL
+Peer uses AUTH(RSA:SHA1)
+Authentication successful
Request attributes:
  INTERNAL_IP4_ADDRESS()
  INTERNAL_IP4_DNS()
  INTERNAL_IP4_NBNS()
  INTERNAL_IP4_SERVER()
Assigned IPv4 config parameters:
  IP:  192.168.10.114
  DNS: 192.168.10.1, 192.168.10.1
Assigned IPv6 config parameters:
  DNS: ::
TSi: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+CHILD-SA:
  ESP-Proposal-1 Peer-SPI: 0xEA2D17AA (2 transforms)
    ENCR : AES-GCM-16-256
    ESN  : NONE

[VPN-Debug] 2020/01/18 14:18:25,890  Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload CP(REPLY) (47):
  +INTERNAL_IP4_DNS(192.168.10.1)
  +INTERNAL_IP4_DNS(192.168.10.1)
  +INTERNAL_IP4_ADDRESS(192.168.10.114)
Constructing payload NOTIFY(STATUS_INITIAL_CONTACT) (41):
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL  SPI 0xD0D8C533 
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
IKE_SA(0xA4291BFF05C17E28DA0375CABD5748C6).EXPECTED-MSG-ID raised to 2
KEY-PARSE: Received SADB_ADD/SADB_SATYPE_ESP
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 14400 sec (key_hard_event)  Soft-Timeout in 12960 sec
KEY-SA-STATE-CHANGE: LARVAL->MATURE
KEY-ADD: Peer VPN_NATEL  handle 61  outgoing UDP-SPI 0xEA2D17AA  NAT-T  0.0.0.0/0---9.9.9.9:4500===2.2.2.2:65021---192.168.10.114/32  Hard-Timeout in 14400 sec (key_hard_event)  Soft-Timeout in 12960 sec
IPSEC-SEND-UP
KEY-PARSE: Received SADB_UPDATE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: LARVAL->MATURE
SA-STORE: refcnt 2
KEY-UPDATE: Peer VPN_NATEL  handle 61  incoming UDP-SPI 0xD0D8C533  NAT-T  192.168.10.114/32---2.2.2.2:65021===9.9.9.9:4500---0.0.0.0/0  Hard-Timeout in 14400 sec (key_hard_event)  Soft-Timeout in 12960 sec
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL  OUTBOUND  PROTOCOL_ANY  0.0.0.0/0<->192.168.10.114/32
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL  INBOUND  PROTOCOL_ANY  192.168.10.114/32<->0.0.0.0/0
IPSEC-SEND-UP
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:65021, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes
Payloads: IDR, CERT(X509), AUTH(RSA:SHA1), CP(REPLY), TSI, TSR, NOTIFY(STATUS_INITIAL_CONTACT), SA

[VPN-Status] 2020/01/18 14:18:25,890  Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID CN=gw.test.com:DER_ASN1_DN
+Peer does not support Digital-Signature Authentication (RFC-7427).
+Fallback from RSAEncryption on RSA Digital Signature (1)
+I use AUTH(RSA:SHA1)
+Signature of length 512 bytes (4096 bits) computed

IKE_SA_INIT [responder] for peer VPN_NATEL initiator id CN=USER2, responder id CN=gw.test.com
initiator cookie: 0xA4291BFF05C17E28, responder cookie: 0xDA0375CABD5748C6
NAT-T enabled. We are not behind a nat, the remote side is  behind a nat
SA ISAKMP for peer VPN_NATEL Encryption AES-CBC-256  Integrity AUTH-HMAC-SHA-384  IKE-DH-Group 14  PRF-HMAC-SHA-384
life time soft 01/19/2020 11:54:25 (in 77760 sec) / 1800000 kb
life time hard 01/19/2020 14:18:25 (in 86400 sec) / 2000000 kb
DPD: 30 sec
Negotiated: IKEV2_FRAGMENTATION

Reply attributes:
  INTERNAL_IP4_DNS(192.168.10.1)
  INTERNAL_IP4_DNS(192.168.10.1)
  INTERNAL_IP4_ADDRESS(192.168.10.114)
+TSi 0: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
+TSr 0: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+CHILD-SA:
  ESP-Proposal-1 My-SPI: 0xD0D8C533 (2 transforms)
    ENCR : AES-GCM-16-256
    ESN  : NONE
Encrypted message is too big (2136 bytes) -> should be ikev2 fragmented (MTU 588)

CHILD_SA [responder] done with 2 SAS for peer VPN_NATEL rule IPSEC-0-VPN_NATEL-PR0-L0-R0
9.9.9.9:4500-->2.2.2.2:65021, Routing tag 0, Com-channel 61
rule:' ipsec 0.0.0.0/0 <-> 192.168.10.114/32
outgoing SA ESP [0xEA2D17AA]  Authenticated-Encryption AES-GCM-16-256  PFS-DH-Group None  ESN None
incoming SA ESP [0xD0D8C533]  Authenticated-Encryption AES-GCM-16-256  PFS-DH-Group None  ESN None
life time soft 01/18/2020 17:54:25 (in 12960 sec) / 1800000 kb
life time hard 01/18/2020 18:18:25 (in 14400 sec) / 2000000 kb
tunnel between src: 9.9.9.9 dst: 2.2.2.2

Sending an IKE_AUTH-RESPONSE of 2086 bytes (responder)
Gateways: 9.9.9.9:4500-->2.2.2.2:65021, tag 0 (UDP)
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Sending 4 ikev2 fragment(s) of 588 bytes and last fragment of size 92 bytes

[VPN-Debug] 2020/01/18 14:18:25,890  Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Trigger next pended request to establish an exchange
  Current request is none
  IKE_SA is not REPLACED
There are 0 pending requests

[VPN-Status] 2020/01/18 14:18:25,890  Devicetime: 2020/01/18 14:18:25,074
set_ip_transport for VPN_NATEL: [id: 86843, UDP (17) {incoming unicast, fixed source address}, dst: 2.2.2.2, tag 0 (U), src: 9.9.9.9, hop limit: 64, pmtu: 1492, iface: T-ADSL (9), mac address: ff:ff:ff:ff:ff:ff, port 0]

[VPN-Debug] 2020/01/18 14:18:25,968  Devicetime: 2020/01/18 14:18:25,174
cryptaccess register nr:1
Nach oben
ittk
Beiträge: 1244
Registriert: 27 Apr 2006, 09:56

Re: Windows 10 mit IKEv2 VLAN

Beitrag von ittk »

Zwei Mal diesselbe vergebene IP-Adresse, da wird es schwierig beim simultaner "Einwahl":

Code: Alles auswählen

INTERNAL_IP4_ADDRESS(192.168.10.114)
12x 1621 Anx. B-21x 1711 VPN-3x 1722 Anx. B-7x 1723 VoIP-1x 1811 DSL, 1x 7011 VPN-1 x 7111 VPN-1x 8011 VPN-10er Pack Adv. VPN Client (2x V1.3-3x 2.0)-Hotspot Option-Adv. VoIP Client/P250 Handset-Adv.VoIP Option-4x VPN-Option-2x L-54 dual-2x L54ag-2x O-18a
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

Welche LCOS-Version wird eingesetzt?

Kurz für den Überblick: Der VPN-Tunnelaufbau beim Einsatz von IKEv2/IPSec erfolgt mit 4 IKE-Telegramme. Vereinfacht erklärt:

- 2 Telegramme sind für die Aushandlung der Verschlüsselung (des Steuerkanals IKE) => IKE_SA_INIT-REQUEST + IKE_SA_INIT-RESPONSE.
- 2 Telegramme sind für die Authentifizierung der beiden VPN-Endpunkte => IKE_AUTH-REQUEST + IKE_AUTH-RESPONSE.
https://www.datenschutzbeauftragter-inf ... risierung/

Zuerst erfolgt der Austausch der IKE_SA_INIT-Telegramme, danach kommen die IKE_AUTH-Telegramme. Die IKE_SA_INIT-Telegramme werden unverschlüsselt übertragen. Die IKE_AUTH-Telegramme sind bereits verschlüsselt. Die REQUEST-Telegramme kommen immer vom Initiator des VPN-Tunnels (hier: VPN-Client). Die RESPONSE-Telegramme werden immer vom Responder versendet (hier: VPN-Server).

Die Probleme beginnen nach dem Erhalt des 3. IKE-Telegramms beim VPN-Tunnelaufbau, dem IKE_AUTH-REQUEST-Telegramm:

Code: Alles auswählen

[VPN-Debug] 2020/01/18 14:18:25,593  Devicetime: 2020/01/18 14:18:24,803
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3003 bytes
Gateways: 9.9.9.9:4500<--2.2.2.2:4500
SPIs: 0xA4291BFF05C17E28DA0375CABD5748C6, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(RSA:SHA1), NOTIFY(STATUS_MOBIKE_SUPPORTED), CP(REQUEST), SA, TSI, TSR
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===2.2.2.2---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---2.2.2.2===9.9.9.9---0.0.0.0/0 port(0) protocol(0)]
Diese "ADD MODE"-Zeilen des USER2 sollten den IP-Adressbereich 0.0.0.0/32 anstelle von 192.168.10.114/32 enthalten. Siehe auch:
fragen-zum-thema-vpn-f14/frage-zu-vorde ... tml#p96893

Der LANCOM-Router weist im 4. IKE-Telegramm (IKE_AUTH-RESPONSE) dem VPN-Client USER2 die DNS-Server-IPv4-Adressen 192.168.10.1:

Code: Alles auswählen

[VPN-Debug] 2020/01/18 14:18:25,890  Devicetime: 2020/01/18 14:18:25,074
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload CP(REPLY) (47):
  +INTERNAL_IP4_DNS(192.168.10.1)
  +INTERNAL_IP4_DNS(192.168.10.1)
  +INTERNAL_IP4_ADDRESS(192.168.10.114)
2x zu. Im IKE_AUTH-RESPONSE-Telegramm für USER1 werden aber andere DNS-Server zugewiesen (192.168.10.1 + 192.168.200.254):

Code: Alles auswählen

[VPN-Debug] 2020/01/18 14:18:14,714  Devicetime: 2020/01/18 14:18:13,920
Peer VPN_NATEL: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload CP(REPLY) (47):
  +INTERNAL_IP4_DNS(192.168.10.1)
  +INTERNAL_IP4_DNS(192.168.200.254)
  +INTERNAL_IP4_ADDRESS(192.168.10.114)
Dieses Verhalten der unterschiedlichen Zuweisung von DNS-Servern an VPN-Clients bei Einwahlverbindungen (RAS) ist nicht erklärbar, wenn der VPN-Server im LANCOM-Router gemäss den oben genannten VPN-Anleitungen konfiguriert wurde. Offenbar wird für USER1 eine andere Konfiguration des IPv4-Adresspools von IKE-CFG (/Setup/VPN/IKEv2/IKE-CFG/IPv4 und /Setup/VPN/IKEv2/Gegenstellen > IPv4-CFG-Pool) verwendet, als für USER2!?

=> USER1 und USER2 müssen den genau gleichen IPv4-Adresspool von IKE-CFG verwenden (gleicher Name). Ansonsten gibt es Probleme mit der Zuweisung der IPv4-Adressen durch IKE-CFG.
Nach oben
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

Vielen Dank grandDixence erstmal für die detaillierte Erklärung des Traces. Die Firmwareversion ist 10.32RU5.

Der DNS-Server 192.168.200.254 ist der Standard-DNS für diesen Lancom, den habe ich aber bei dem IKEv2-Setup nirgendwo angegeben. Vielleicht ist das ein ähnliches Problem, dass ich kein DHCP-konfiguriert habe und trotzdem DHCP-Fehlermeldungen auftauchen. Der Lancom selber hat eine feste IP.

Für die Remote-Einwahl nutze ich ein eigenes Netz, so wie in der Anleitung auch vorgeschlagen ist.

Den Adresspool habe ich wie im Beispiel konfiguriert:

Code: Alles auswählen

ls /Setup/VPN/IKEv2/IKE-CFG/IPv4

Name              Start-Address-Pool  End-Address-Pool    Primary-DNS      Secondary-DNS
==================------------------------------------------------------------------------
VPN_NATEL         192.168.10.2        192.168.10.254      192.168.10.1     0.0.0.0
Und die Gegenstelle sieht auch so aus wie im Beispiel:

Code: Alles auswählen

ls /Setup/VPN/IKEv2/Peers/

Peer                  Active   SH-Time     Remote-Gateway                                                    Rtg-tag     Encryption            Authentication        General               Lifetimes             IKE-CFG     IPv4-CFG-Pool     IPv6-CFG-Pool     Split-DNS-Profile  Rule-creation  IPv4-Rules                                                       IPv6-Rules                                                       Routing                          RADIUS-Authorization             RADIUS-Accounting                IPv6              Comment
======================---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
VPN_NATEL             Yes      0                                                                             10          NATEL                 NATEL                 VPN_NATEL             VPN_NATEL             Server      VPN_NATEL                                              manually       VPN_NATEL_NETZ
Ich bin nur an zwei Stellen von der Anleitung abgewichen:

Code: Alles auswählen

Schutz vor DDOS-Angriffe aktivieren:
Ist jetzt /Setup/VPN/IKEv2/Cookie-Challenge und nicht /Setup/VPN/Cookie-Challenge
und bei der Verschlüsselung habe ich DH19 nicht zum laufen bekommen, da habe ich DH14 genommen. Das hat mit dem "Set-VpnConnectionIPSecConfiguration" Kommando aus der Anleitung scheinbar nicht gepasst.
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

at0m hat geschrieben: 18 Jan 2020, 21:25 Der DNS-Server 192.168.200.254 ist der Standard-DNS für diesen Lancom, den habe ich aber bei dem IKEv2-Setup nirgendwo angegeben.
Gut möglich, dass als zweiter DNS-Server der unter:
Setup/IP-Router/Tag-Tabelle/
konfigurierte DNS-Server verwendet wird, wenn unter:
/Setup/VPN/IKEv2/IKE-CFG/IPv4
Zweiter-DNS:=0.0.0.0
konfiguriert ist. Trotzdem sollte sich LCOS für USER1, wie auch für USER2 identisch verhalten.
at0m hat geschrieben: 18 Jan 2020, 21:25Vielleicht ist das ein ähnliches Problem, dass ich kein DHCP-konfiguriert habe und trotzdem DHCP-Fehlermeldungen auftauchen. Der Lancom selber hat eine feste IP.
Mit dem Logbucheintrag (SYSLOG):
DHCP: Rx (WAN, VPN_NATEL): (bad interface) => Discard;
wird vermerkt, dass der DHCP-Server über den VPN-Tunnel vom VPN-Client ein DHCP-Paket erhalten hat. Was nicht zulässig ist, da der DHCP-Server aus Sicherheitsgründen nur auf Anfragen vom LAN reagiert. Und sowieso nicht sinnvoll ist, da ja IKE-CFG im Einsatz ist. Deshalb wird dieses DHCP-Paket gelöscht/verworfen. Die Übertragung von diesem DHCP-Paket durch den VPN-Tunnel sollte mit dem entsprechenden VPN-Trace (heisst glaub ich vpn-packet) gut ersichtlich sein.

at0m hat geschrieben: 18 Jan 2020, 21:25und bei der Verschlüsselung habe ich DH19 nicht zum laufen bekommen, da habe ich DH14 genommen. Das hat mit dem "Set-VpnConnectionIPSecConfiguration" Kommando aus der Anleitung scheinbar nicht gepasst.
Dies könnte je nach eingesetzter Windows-Build-Version variieren. Vielleicht mal im "Set-VpnConnectionIPSecConfiguration" Kommando den Parameter:

- -DHGroup ECP256

ausprobieren (ECP256 = DH19 => siehe BSI RT-02102-3, Kapitel 3.2.4). Und im:
/Setup/VPN/IKEv2/Verschluesselung/ > IKE-SA-Verschluesselungsliste

mal mit "AES-GCM-128" ausprobieren. Die mit "Set-VpnConnectionIPSecConfiguration" auf dem VPN-Client konfigurierte Verschlüsselung passt offenbar in der oben genannten VPN-Anleitung nicht zur auf dem VPN-Server konfigurierte Verschlüsselung. => Mit den entsprechenden Traces (vpn-packet + vpn-debug) den Inhalt der beiden IKE-SA-INIT-Telegramme auswerten und die Verschlüsselungskonfiguration entsprechend anpassen.
Nach oben
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

DNS:

Sowohl in /Setup/IP-Router/Tag-Tabelle,

Code: Alles auswählen

Peer              Rtg-tag  Start-WAN-Pool   End-WAN-Pool     DNS-Default      DNS-Backup       NBNS-Default     NBNS-Backup
==================-------------------------------------------------------------------------------------------------------------
VPN_NATEL         10       192.168.10.2     192.168.10.254   192.168.10.1     0.0.0.0          0.0.0.0          0.0.0.0
als auch in /Setup/VPN/IKEv2/IKE-CFG/IPv4 ist der zweite DNS 0.0.0.0.

Code: Alles auswählen

Name              Start-Address-Pool  End-Address-Pool    Primary-DNS      Secondary-DNS
==================------------------------------------------------------------------------
VPN_NATEL         192.168.10.2        192.168.10.254      192.168.10.1     0.0.0.0
Wie auch immer. Ich habe werde jetzt einen anderen Weg verfolgen (müssen).
Dazu werde ich die Einträge in /Setup/VPN/IKEv2/Auth/Addit.-Remote-ID-List/ und /Setup/VPN/IKEv2/Auth/Addit.-Remote-IDs löschen und die Einträge stattdessen in /Setup/VPN/IKEv2/Auth/Parameter/ ohne die Spalte "Addit.-Remote-ID-List"

Code: Alles auswählen

Name              Local-Auth            Local-Dig-Sig-Profile      Local-ID-Type         Local-ID                                                                                                                                                                                                                                                        Local-Password                                                    Remote-Auth           Remote-Dig-Sig-Profile     Remote-ID-Type        Remote-ID                                                                                                                                                                                                                                                       Remote-Password                                                   Addit.-Remote-ID-List  Local-Certificate                                                                                                                                                                                                                                               Remote-Cert-ID-Check    OCSP-Check
==================------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NATEL1             Digital-Signature     WINDOWS                    Distinguished-Name    CN=gw.test.com                                                                                                                                                                                                                                                                                                                Digital-Signature     WINDOWS                    Distinguished-Name    CN=USER1                                                                                                                                                                                                                                                                                                                                              VPN1                                                                                                                                                                                                                                                            Yes                     No
NATEL2            Digital-Signature     WINDOWS                    Distinguished-Name    CN=gw.test.com                                                                                                                                                                                                                                                                                                                Digital-Signature     WINDOWS                    Distinguished-Name    CN=USER2                                                                                                                                                                                                                                                                                                                                            VPN1                                                                                                                                                                                                                                                            Yes                     No
und /Setup/VPN/IKEv2/Gegenstellen machen.

Code: Alles auswählen

Peer                  Active   SH-Time     Remote-Gateway                                                    Rtg-tag     Encryption            Authentication        General               Lifetimes             IKE-CFG     IPv4-CFG-Pool     IPv6-CFG-Pool     Split-DNS-Profile  Rule-creation  IPv4-Rules                                                       IPv6-Rules                                                       Routing                          RADIUS-Authorization             RADIUS-Accounting                IPv6              Comment
======================---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
VPN_NATEL1             Yes      0                                                                             10          NATEL                 NATEL1                 VPN_NATEL             VPN_NATEL             Server      VPN_NATEL                                              manually       VPN_NATEL_NETZ                                                                                                                                                                                                                                         VPN_NATEL1
VPN_NATEL2            Yes      0                                                                             10          NATEL                 NATEL2                VPN_NATEL             VPN_NATEL             Server      VPN_NATEL                                              manually       VPN_NATEL_NETZ                                                                                                                                                                                                                                         VPN_NATEL2
Und dann abschließend den Eintrag in der /Setup/IP-Router/Gegenstelle mit einem '*' versehen, so dass ich hier nicht jeden Eintrag einzeln pflegen muss.

Code: Alles auswählen

Peer              Rtg-tag  Start-WAN-Pool   End-WAN-Pool     DNS-Default      DNS-Backup       NBNS-Default     NBNS-Backup
==================-------------------------------------------------------------------------------------------------------------
VPN_NATEL*        10       192.168.10.2     192.168.10.254   192.168.10.1     0.0.0.0          0.0.0.0          0.0.0.0
Mit dieser Konfiguration funktionieren auch mehrere VPN-Tunnel aus dem selben Netz.


DHCP:

Ich weiß nur nicht welcher DHCP-Server hier antworten soll. Es läuft ja keiner. Die IP-Adressen sind aus dem IKE-CFG-Adressbereich.

Code: Alles auswählen

[DHCP] 2020/01/19 13:07:10,212  Devicetime: 2020/01/19 13:07:08,851
DHCP Aging 
DHCP Aging complete

[DHCP] 2020/01/19 13:07:11,434  Devicetime: 2020/01/19 13:07:10,069
DHCP Rx (WAN, VPN_NATEL1): 
DHCP Client Message (request) from 192.168.10.181: DHCPINFORM
  Op    = 01       | HType = 08   | HLen  = 00   | Hops  = 00
  XId   = 67294C3A | Secs  = 0600 | Flags = 0000
  CIAdr =   192.168.10.181 | YIAdr =          0.0.0.0
  SIAdr =          0.0.0.0 | GIAdr =          0.0.0.0
  CHAdr = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 (bad interface) => Discard

[DHCPv6-Dns-Queries] 2020/01/19 13:07:13,200  Devicetime: 2020/01/19 13:07:11,834   DNS query handler
Query for wpad yields:

[DHCP] 2020/01/19 13:07:13,371  Devicetime: 2020/01/19 13:07:12,007
DHCP Rx (WAN, VPN_NATEL1): 
DHCP Client Message (request) from 192.168.10.181: DHCPINFORM
  Op    = 01       | HType = 08   | HLen  = 00   | Hops  = 00
  XId   = 67294C3A | Secs  = 0700 | Flags = 0000
  CIAdr =   192.168.10.181 | YIAdr =          0.0.0.0
  SIAdr =          0.0.0.0 | GIAdr =          0.0.0.0
  CHAdr = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 (bad interface) => Discard

[DHCPv6-Dns-Queries] 2020/01/19 13:07:14,932  Devicetime: 2020/01/19 13:07:13,566   DNS query handler
Query for wpad yields:


[DHCP] 2020/01/19 13:07:20,248  Devicetime: 2020/01/19 13:07:18,887
DHCP Rx (WAN, VPN_NATEL2): 
DHCP Client Message (request) from 192.168.10.41: DHCPINFORM
  Op    = 01       | HType = 08   | HLen  = 00   | Hops  = 00
  XId   = 761D8363 | Secs  = 0600 | Flags = 0000
  CIAdr =    192.168.10.41 | YIAdr =          0.0.0.0
  SIAdr =          0.0.0.0 | GIAdr =          0.0.0.0
  CHAdr = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 (bad interface) => Discard

[DHCPv6-Dns-Queries] 2020/01/19 13:07:21,310  Devicetime: 2020/01/19 13:07:19,939   DNS query handler
Query for wpad yields:

[DHCP] 2020/01/19 13:07:23,157  Devicetime: 2020/01/19 13:07:21,795
DHCP Rx (WAN, VPN_NATEL2): 
DHCP Client Message (request) from 192.168.10.41: DHCPINFORM
  Op    = 01       | HType = 08   | HLen  = 00   | Hops  = 00
  XId   = 761D8363 | Secs  = 0800 | Flags = 0000
  CIAdr =    192.168.10.41 | YIAdr =          0.0.0.0
  SIAdr =          0.0.0.0 | GIAdr =          0.0.0.0
  CHAdr = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 (bad interface) => Discard


[DHCPv6-Dns-Queries] 2020/01/19 13:07:29,986  Devicetime: 2020/01/19 13:07:28,614   DNS query handler
Query for wpad yields:


DHGroup:

Ich habe auch schon ECP256 probiert, dass sollte der Windows Client eigentlich können, aber ich habe dabei immer keine Verbindung bekommen, sondern folgende Fehlermeldung:

IKE konnte leider kein gültiges Computerzertifikat finden. Wenden Sie sich an den Administrator für die Netzwerksicherheit, um zu erfahren, wie ein gültiges Zertifikat im entsprechenden Zertifikatsspeicher installiert wird.

Aktuell benutze ich

Code: Alles auswählen

Set-VpnConnectionIpsecConfiguration -ConnectionName "Test" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup ECP384 -DHGroup Group14 -PassThru -Force
Nach oben
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

Das Versenden von den DHCP Inform Paketen konnte ich abschalten, so dass der DHCP-Fehler beim Verbinden nicht mehr auftritt.

Jetzt bin ich noch auf ein weiteres Problem gestossen.
Das Rekeying funktioniert nicht. Konfiguriert sind 14400 Sekunden, aber bereits nach einer knappen Stunde fängte das Neuverhandeln an und schlägt fehl. Der Tunnel bleibt offen, aber es gehen keine Daten mehr durch.
Ich habe dann mal testhalber den Windows-Client durch einen Linux-Client ersetzt. Hier läuft das fehlerfrei.

Update:
Ich habe die Verschlüsselung sukzessive schwächer gemacht - ohne Änderung.
Dann habe ich die Verbindung ohne Split-Tunnel konfiguriert - genauso.

Ich bekomme immer einen Fehler: 829.

Das RASTAPI.LOG sieht so aus:

Code: Alles auswählen

[5700] 16:55:09: AsyncEventsThread: Got a line event
[5700] 16:55:09: ProcessEvent: Event(000001B41443DE38), msg(0x2), ht_line(0x4c0000), ht_call(0x4e0002), p1(0000000000004000), p2(0000000000000000), p3(0000000000000100)
[5700] 02-02 16:55:09:286: RasTapicallback: msg=2 , param1=16384l , param2=0l
[5700] 02-02 16:55:09:286: RasTapicallback: linecallstate=0x4000
[5700] 16:55:09: SyncDriverRequest: Oid(GetCallStatus), devID(1), reqID(c1), hCall(0000000000000010)
[5700] 02-02 16:55:09:286: RasTapiCallback: lineGetCallStatus for VPN2-1 returned 0x4000
[5700] 02-02 16:55:09:286: RasTapiCallback: DisconnectReason mapped to 2
[5700] 02-02 16:55:09:286: RasTapiCallback: LINECALLSTATE - initiating Port Disconnect
[5700] 02-02 16:55:09:286: InitiatePortDisconnection: VPN2-1
[5700] 16:55:09: RasLineDrop...
[5700] 16:55:09: AsyncDriverRequest: Oid(Drop), devID(0x1), reqID(0xc2), hCall(0x0)
[5700] 02-02 16:55:09:286: InitiatePortDisconnection: Changing state for VPN2-1 from 3 -> 5, id=0xc2
[5700] 02-02 16:55:09:286:  
[5700] 16:55:09: ProcessEvent: LINECALLSTATE_IDLE: hCall(00000000004E0002)
[5700] 02-02 16:55:09:286: RasTapicallback: msg=2 , param1=1l , param2=0l
[5700] 02-02 16:55:09:286: RasTapicallback: linecallstate=0x1
[5700] 16:55:09: AsyncEventsThread: Got a completed request
[5700] 16:55:09: AsyncEventsThread: Request (000001B4144B8BA0) with reqID (0xc2) returned dwResult (0x0)
[5700] 16:55:09: AsyncEventsThread: Async call completed with ReqID (c2), dwResult (0)
[5700] 02-02 16:55:09:286: RasTapicallback: msg=12 , param1=194l , param2=0l
[5700] 02-02 16:55:09:286: LINE_REPLY. param1=0xc2
[5700] 02-02 16:55:09:286: RasTapiCallback: lineDropped. port VPN2-1, id=0xffffffff
[5700] 02-02 16:55:09:286: RasTapiCallback: Idle Received for port VPN2-1
[5700] 02-02 16:55:09:286: RasTapiCallback: changing state of VPN2-1. 5 -> 1
[5700] 02-02 16:55:09:286: RasTapiCallback: lineDeallocateCall for VPN2-1,hcall = 0x4e0002
[5700] 16:55:09: SyncDriverRequest: Oid(CloseCall), devID(1), reqID(c3), hCall(0000000000000010)
[5536] 02-02 16:55:09:286: PortTestSignalState: DisconnectReason = 2
[5536] 02-02 16:55:09:286: PortDisconnect: VPN2-1
[5536] 02-02 16:55:09:286:  
[5536] 02-02 16:55:09:286: PortClose: VPN2-1
[5536] 02-02 16:55:09:286: No more ports opened for dialout on this line
[5536] 02-02 16:55:09:286: Closing line
[5536] 16:55:09: RasLineClose: RasTapi line handle (00000000004C0000). Reference count (0x1)
[5536] 16:55:09: SyncDriverRequest: Oid(Close), devID(1), reqID(c4), hLine(0000000000000001)
[5536] 02-02 16:55:09:286: PortClose: Changing state for  VPN2-1 from 1 -> 0
[5536] 02-02 16:55:09:286:
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

Fehlersuche beim Rekeying gemäss:
viewtopic.php?f=14&t=17841&p=101180
Es gibt meines Wissens einen eigenen IKE-Trace. Dieser eignet sich besonders für die Rekeying-Fehlersuche.
Nach oben
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

Der VPN-IKE-Trace für das erste Reykeying mit einem Windows Client sieht so aus:

Code: Alles auswählen

[VPN-IKE] 2020/02/03 19:35:42,429  Devicetime: 2020/02/03 19:35:41,526
[VPN_NATEL] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64497
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x00   
| Msg-ID            : 0
| Length            : 488 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 460 Bytes
| IV                : E3 3B C1 5B EC 34 1F B9 3F B6 FB 76 94 2F 1A E8
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00 00 00 00 00
NOTIFY Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| Protocol ID       : IPSEC_ESP
| SPI size          : 4
| Message type      : STATUS_REKEY_SA
| SPI               : FA 78 B0 53
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 44 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 40 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 3
| | SPI             : 71 A5 2F 2A
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 264 Bytes
| DH Group          : 14
| Reserved2         : 0x0000
| DH-Key(2048 bits) : 6B 34 11 FA 46 39 88 18 0A E0 9E 99 1A B3 32 2E
|                     B0 1E 47 34 1A 34 5A 8B 7F 7E 81 FA 53 78 74 26
|                     20 B3 82 11 AE B5 29 57 A5 92 50 EB DB 8D 6C D0
|                     00 F6 52 9B C3 F9 0E 57 BE A2 45 A8 4B 2F 2F A0
|                     01 C4 1D 15 B0 9A 7F 4E D1 59 49 1A BB 0A FF 1A
|                     F2 68 0E E0 A3 21 03 66 80 76 F3 CE 84 0E FA 7F
|                     1F 83 BC D0 69 A7 4F 6B 7D 68 7A 0E 79 1D 5D CB
|                     4E C1 43 0F E3 64 76 FE 78 1A 2B 2F DA 2D 76 DF
|                     E8 EC A5 68 ED 4D A1 D1 67 2D 2A 67 7B 56 D2 85
|                     CF 19 C8 1A F8 E4 2D 96 1D 0F 96 A2 BA F2 68 8B
|                     8B 20 24 62 DD D0 AB 48 4F 0E 8A E7 17 4B F4 9A
|                     9E 36 C0 B6 4A 1C 7F 06 EC B6 17 EB F1 EA 78 93
|                     4F F9 E2 7C 0E 73 B1 5D CE 18 C0 74 A0 59 07 17
|                     46 34 69 E6 3B F8 2F 31 3B B3 D2 A8 CC 54 54 C6
|                     F7 E7 7D 73 17 06 0F 4C 26 03 6F 5E 2C 32 7F FA
|                     69 21 58 07 57 DC A3 0D 48 C0 F2 89 D4 E5 DE FE
NONCE Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : D3 98 BF 89 C9 95 49 63 E9 20 82 A6 EE 1B 6C 6B
|                     64 50 FB 2D 35 C4 FD 29 AA F2 60 E6 FA 45 1C A3
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
TSr Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 192.168.10.114 - 192.168.10.114
Rest                : 00 00 00 00 00 00 00 00 00 00 00 0B

[VPN-IKE] 2020/02/03 19:35:42,429  Devicetime: 2020/02/03 19:35:41,530
[VPN_NATEL] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64497
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x00   
| Msg-ID            : 0
| Length            : 488 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 460 Bytes
| IV                : E3 3B C1 5B EC 34 1F B9 3F B6 FB 76 94 2F 1A E8
| Encrypted Data    : 5A EA 8D 5E 23 05 09 81 0D 4C 0D 94 A2 81 DC CA
|                     E6 2C F3 01 A2 43 89 E3 8A 40 8B AD FB 9F 45 A7
|                     45 C2 71 DA DD 11 D2 B6 23 6B 5D BE 11 AB B2 48
|                     EA 72 F3 80 1D AE 3C 48 A6 01 01 DC C2 49 12 61
|                     35 49 F3 AE 71 94 B8 D0 F6 08 AA 8C 04 68 4E 13
|                     35 61 3D DA 97 FC 15 27 0E 4F 95 9E 3F EE 64 09
|                     E5 60 7A 22 4D 98 F2 2F B4 97 DC C5 75 9F 60 29
|                     87 55 1B 18 46 B9 C1 BB 51 58 35 21 F7 10 43 62
|                     4F F4 8D A6 E7 56 83 31 4F 10 E9 BD 57 A4 3D 19
|                     2D 60 18 B4 5F 5F D9 98 45 1E B2 11 FC 26 7D 8F
|                     2D B5 FF BE BF D9 DB 5C 1A 4E 20 80 7E 6C BF DA
|                     FB F4 5B 59 96 39 30 04 78 A4 0E B2 5C B3 3F 96
|                     E5 D7 CC 0D 84 18 CF 5B AD 11 5A C2 FE 40 7C DF
|                     28 4F 9F 86 4D F4 60 C5 2E A9 77 CD 21 71 B4 FD
|                     C3 A0 83 D0 04 AD 5C 29 C1 35 21 CC 7D 02 8F 83
|                     26 9A 5E CC 5F FD C1 C3 3C 27 DC B8 41 7A 7E 59
|                     81 D3 96 78 53 76 CE 1C 84 20 5F 6D 10 67 77 9A
|                     E7 86 DF 07 F3 04 9D 15 09 93 CB FC 6E 40 D4 75
|                     3E DF D0 06 5C 5F 7A 13 95 25 22 15 26 ED 8D 3C
|                     86 BF EB B5 D7 FA 9F E7 D2 C2 A9 A7 59 16 79 44
|                     2C 46 BB 1D 5B 07 61 A2 F3 6C DD BE 18 A2 2C 9F
|                     75 8C B2 C2 35 F8 A9 9B 1B 35 45 ED E6 1F D3 26
|                     7F 1C 04 A1 70 1D 67 A3 E3 1F 4F F8 3D CB 5C 3A
|                     2C 2C BB 8E 08 E7 00 46 2E 49 5A 44 F3 FC 0A 73
|                     05 E4 81 59 B3 EA FD 0F 63 12 58 57 60 71 EE A3
|                     29 4C 8A AD 18 3A CB 5F 46 DE B0 EC BD 77 B2 5D
| ICV               : EC 6C C7 83 82 C4 AD B9 71 C7 6C F9 2B B6 89 7D
|                     41 9A 17 84 A7 FD CA 1A

[VPN-Debug] 2020/02/03 19:35:42,429  Devicetime: 2020/02/03 19:35:41,530
Peer VPN_NATEL: Received a request to establish an exchange for IPSEC-0-VPN_NATEL-PR0-L0-R0
Constructing payload NOTIFY(STATUS_REKEY_SA) (41):
  +SPI=0xFA78B053
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL  SPI 0x71A52F2A 
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0xD398BF89C9954963E92082A6EE1B6C6B6450FB2D35C4FD29AAF260E6FA451CA3
  +SA-DATA-Ni=0xD398BF89C9954963E92082A6EE1B6C6B6450FB2D35C4FD29AAF260E6FA451CA3
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
Sending an CREATE_CHILD_SA-REQUEST of 488 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64497, tag 0 (UDP)
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 0
Payloads: ENCR

[VPN-Status] 2020/02/03 19:35:42,429  Devicetime: 2020/02/03 19:35:41,530
Soft lifetime event occurred for 'IPSEC-0-VPN_NATEL-PR0-L0-R0' (responder  270/300 sec  flags 0x0000010100000008)
Establishing CREATE_CHILD_SA exchange for IPSEC-0-VPN_NATEL-PR0-L0-R0 (VPN_NATEL)
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Peer VPN_NATEL: Constructing an CREATE_CHILD_SA-REQUEST for send
Soft-Event occured for peer IPSEC-0-VPN_NATEL-PR0-L0-R0 (Responder, flags 0x00002101)
Starting a CHILD_SA rekeying for CHILD_SA: 
Rekeyed SA: 
  ESP outgoing [0xD29F120E], incoming [0xFA78B053]
+CHILD-SA:
  ESP-Proposal-1 My-SPI: 0x71A52F2A (3 transforms)
    ENCR : AES-GCM-16-256
    DH   : 14
    ESN  : NONE
+KE-DH-Group 14 (2048 bits)
+Rekeying TSi 0: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+Rekeying TSr 0: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
Message scheduled for retransmission (1) in 8.774516 seconds
Sending an CREATE_CHILD_SA-REQUEST of 488 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64497, tag 0 (UDP)
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 0

[VPN-Debug] 2020/02/03 19:35:42,429  Devicetime: 2020/02/03 19:35:41,530
KEY-SOFT-TIMEOUT for VPN_NATEL outgoing UDP-SPI 0xD29F120E  refcnt 2
KEY-SA-STATE-CHANGE: MATURE->DYING
IPSEC-SEND-UP

[VPN-Status] 2020/02/03 19:35:42,429  Devicetime: 2020/02/03 19:35:41,530
KEY-SOFT-TIMEOUT for VPN_NATEL outgoing UDP-SPI 0xD29F120E
Hard-Event in 30 sec / 1953 mbytes

[VPN-Debug] 2020/02/03 19:35:42,475  Devicetime: 2020/02/03 19:35:41,530
KEY-SOFT-TIMEOUT for VPN_NATEL incoming UDP-SPI 0xFA78B053  refcnt 2
KEY-SA-STATE-CHANGE: MATURE->DYING

[VPN-Status] 2020/02/03 19:35:42,475  Devicetime: 2020/02/03 19:35:41,530
KEY-SOFT-TIMEOUT for VPN_NATEL incoming UDP-SPI 0xFA78B053
Hard-Event in 30 sec / 1953 mbytes

[VPN-IKE] 2020/02/03 19:35:42,491  Devicetime: 2020/02/03 19:35:41,591
[VPN_NATEL] Received packet:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64497
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 0
| Length            : 88 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 60 Bytes
| IV                : FC BC 4F F4 7D CC A6 2F 3A 2A E9 F8 A8 A1 DE B9
| Encrypted Data    : B0 15 45 F4 0A 49 15 99 75 73 09 16 BA 7C 2F 6F
| ICV               : 4C 13 E0 93 83 7E 25 FB D3 A4 77 94 F6 E1 74 66
|                     F8 0C 36 61 E2 3A CA F3

[VPN-IKE] 2020/02/03 19:35:42,491  Devicetime: 2020/02/03 19:35:41,592
[VPN_NATEL] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64497
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 0
| Length            : 88 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 60 Bytes
| IV                : FC BC 4F F4 7D CC A6 2F 3A 2A E9 F8 A8 A1 DE B9
| ICV               : 4C 13 E0 93 83 7E 25 FB D3 A4 77 94 F6 E1 74 66
|                     F8 0C 36 61 E2 3A CA F3
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : NO_PROPOSAL_CHOSEN
Rest                : 00 00 00 00 00 00 00 07

[VPN-IKE] 2020/02/03 19:35:42,491  Devicetime: 2020/02/03 19:35:41,593
[VPN_NATEL] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64497
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x00   
| Msg-ID            : 1
| Length            : 104 Bytes
ENCR Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 76 Bytes
| IV                : 72 55 A4 F7 9A 46 81 AC 26 A9 82 76 DE EA E1 D9
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|                     00 00 00 00 00 00 00 00
DELETE Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : IPSEC_IKE
| SPI size          : 0
| #SPIs             : 0
DELETE Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| Protocol ID       : IPSEC_ESP
| SPI size          : 4
| #SPIs             : 1
| SPI 000           : FA 78 B0 53
Rest                : 00 00 00 00 00 00 00 00 00 00 00 0B

[VPN-IKE] 2020/02/03 19:35:42,491  Devicetime: 2020/02/03 19:35:41,595
[VPN_NATEL] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64497
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x00   
| Msg-ID            : 1
| Length            : 104 Bytes
ENCR Payload
| Next Payload      : DELETE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 76 Bytes
| IV                : 72 55 A4 F7 9A 46 81 AC 26 A9 82 76 DE EA E1 D9
| Encrypted Data    : 58 CE 70 5A 3E 92 A6 5B 4B 42 E8 C2 E5 5F 0D 98
|                     52 50 5D 73 C6 1F E2 66 86 A5 AB 4A F2 D9 87 D6
| ICV               : 49 FF 38 D7 E2 5F 59 69 8B D6 67 C9 16 5C 17 70
|                     A4 F8 4C 64 B8 BF 30 02

[VPN-Debug] 2020/02/03 19:35:42,491  Devicetime: 2020/02/03 19:35:41,595
cryptaccess unregister nr:4

[VPN-Debug] 2020/02/03 19:35:42,491  Devicetime: 2020/02/03 19:35:41,595
Peer VPN_NATEL [responder]: Received an CREATE_CHILD_SA-RESPONSE of 88 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64497
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 0
Payloads: ENCR
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:64497 rtg_tag 0 physical-channel WAN(2) vpn-channel 35
transport: [id: 42112, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (8), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 64497, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
Message decrypted successfully
Payloads: ENCR, NOTIFY(NO_PROPOSAL_CHOSEN[CHILD_SA])
IKE_SA(0xA16956A8F23E19C17F855A765CBB286B).SEND-MSG-ID raised to 1
Peer VPN_NATEL: Trigger next pended request to establish an exchange
  Current request is IPSEC-0-VPN_NATEL-PR0-L0-R0
  IKE_SA is not REPLACED
Pending 00:DELETE-SA-IKE,0xA16956A8F23E19C17F855A765CBB286B
There are 1 pending requests
Pending requests: "00:DELETE-SA-IKE,0xA16956A8F23E19C17F855A765CBB286B"
Peer VPN_NATEL: Received a request to establish an exchange for (ISAKMP-PEER-VPN_NATEL, 00:DELETE-SA-IKE,0xA16956A8F23E19C17F855A765CBB286B)
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
Sending an INFORMATIONAL-REQUEST of 104 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64497, tag 0 (UDP)
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 1
Payloads: ENCR
VPN_NATEL: Trying to disable an outgoing flow
VPN_NATEL: DELETE MODE(0) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---1.1.1.1===9.9.9.9---192.168.10.114/32 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDDELETE/SADB_SATYPE_UNSPEC
KEY-SPDDELETE: VPN_NATEL  OUTBOUND  PROTOCOL_ANY  0.0.0.0/0<->192.168.10.114/32
IPSEC-SEND-UP
VPN_NATEL: Constructing SADB_MSG(SADB_DELETE ESP) outgoing
  EXT_SA: SPI 0xD29F120E (0x00040001D29F120E000000000000000000000000000000000000000000000000)
  EXT_SA2: (0x00020013000000000000000000000000)
  EXT_ADDRESS_SRC: 9.9.9.9:4500 port 0 (0x00030005000000000002000057BFB0650000000000000000)
  EXT_ADDRESS_DST: 1.1.1.1:64497 port 0 (0x00030006000000000002000025C92EBF0000000000000000)
  X_EXT_NAME: VPN_NATEL (0x0004001A5255422D42454E454B45000000000000000000000000000000000000)
KEY-PARSE: Received SADB_DELETE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: DYING->DEAD
IPSEC-SEND-UP
VPN_NATEL: Trying to disable an incoming flow
VPN_NATEL: DELETE MODE(0) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDDELETE/SADB_SATYPE_UNSPEC
KEY-SPDDELETE: VPN_NATEL  INBOUND  PROTOCOL_ANY  192.168.10.114/32<->0.0.0.0/0
IPSEC-SEND-UP
VPN_NATEL: Constructing SADB_MSG(SADB_DELETE ESP) incoming
  EXT_SA: SPI 0xFA78B053 (0x00040001FA78B053000000000000000000000000000000000000000000000000)
  EXT_SA2: (0x00020013000000000000000000000000)
  EXT_ADDRESS_SRC: 1.1.1.1:64497 port 0 (0x00030005000000000002000025C92EBF0000000000000000)
  EXT_ADDRESS_DST: 9.9.9.9:4500 port 0 (0x00030006000000000002000057BFB0650000000000000000)
  X_EXT_NAME: VPN_NATEL (0x0004001A5255422D42454E454B45000000000000000000000000000000000000)
KEY-PARSE: Received SADB_DELETE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: DYING->DEAD
SA-RELEASE: refcnt 2
KEY-DELSA: Freeing SA incoming UDP-SPI 0xFA78B053
IPSEC-SEND-UP

[VPN-Status] 2020/02/03 19:35:42,538  Devicetime: 2020/02/03 19:35:41,596
Peer VPN_NATEL [responder]: Received an CREATE_CHILD_SA-RESPONSE of 88 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64497
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 0
Received 1 notification: 
  +NO_PROPOSAL_CHOSEN (ERROR) -> current request fails
-Required payload SA (33) not received
-Received notificaion error(s): NOTIFY(NO_PROPOSAL_CHOSEN[CHILD_SA])
-Rekeying failed -> disconnect
Deleting IKE_SA(0xA16956A8F23E19C17F855A765CBB286B, VPN_NATEL)
CHILD_SA (VPN_NATEL, 'IPSEC-0-VPN_NATEL-PR0-L0-R0' IPSEC_ESP Outbound-SPI 0xD29F120E Inbound-SPI 0xFA78B053) removed from SADB
Peer VPN_NATEL: Constructing an INFORMATIONAL-REQUEST  for send
Message scheduled for retransmission (1) in 4.882131 seconds
Sending an INFORMATIONAL-REQUEST of 104 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64497, tag 0 (UDP)
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 1
IKE_SA (VPN_NATEL, 'ISAKMP-PEER-VPN_NATEL' IPSEC_IKE SPIs 0xA16956A8F23E19C17F855A765CBB286B) removed from SADB
CHILD_SA (VPN_NATEL, 'IPSEC-0-VPN_NATEL-PR0-L0-R0' IPSEC_ESP Outbound-SPI 0xD29F120E Inbound-SPI 0xFA78B053) freed
CHILD_SA (UNKNOWN, 'UNKNOWN' ) removed from SADB
CHILD_SA (UNKNOWN, 'UNKNOWN' ) freed

[VPN-Status] 2020/02/03 19:35:42,538  Devicetime: 2020/02/03 19:35:41,596
VPN: policy manager error indication: VPN_NATEL (1.1.1.1), cause: 8703

[VPN-Status] 2020/02/03 19:35:42,538  Devicetime: 2020/02/03 19:35:41,598
VPN: Error: IKE-I-General-failure (0x21ff) for VPN_NATEL (1.1.1.1)

[VPN-IKE] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,647
[VPN_NATEL] Received packet:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64497
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 1
| Length            : 88 Bytes
ENCR Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 60 Bytes
| IV                : F4 04 85 6A 97 F4 73 4D 9B 2E CC 4B 94 5B 09 B2
| Encrypted Data    : CA A4 FA 06 2D 0C C1 EF 03 FE F4 36 B8 D3 75 F5
| ICV               : BF CF C0 1C 8A 23 1E 7C 2E 86 49 04 45 C3 E4 57
|                     94 57 93 21 B5 EE CE A9

[VPN-IKE] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,648
[VPN_NATEL] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64497
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 35
| Initiator cookie  : A1 69 56 A8 F2 3E 19 C1
| Responder cookie  : 7F 85 5A 76 5C BB 28 6B
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : INFORMATIONAL
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 1
| Length            : 88 Bytes
ENCR Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 60 Bytes
| IV                : F4 04 85 6A 97 F4 73 4D 9B 2E CC 4B 94 5B 09 B2
| ICV               : BF CF C0 1C 8A 23 1E 7C 2E 86 49 04 45 C3 E4 57
|                     94 57 93 21 B5 EE CE A9
Rest                : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F

[VPN-Debug] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,648
Peer VPN_NATEL [responder]: Received an INFORMATIONAL-RESPONSE of 88 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64497
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 1
Payloads: ENCR
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:64497 rtg_tag 0 physical-channel WAN(2) vpn-channel 35
transport: [id: 42112, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (8), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 64497, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
Message decrypted successfully
Payloads: ENCR

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,648
Peer VPN_NATEL [responder]: Received an INFORMATIONAL-RESPONSE of 88 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64497
SPIs: 0xA16956A8F23E19C17F855A765CBB286B, Message-ID 1

[VPN-Debug] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,649
IKE_SA(0xA16956A8F23E19C17F855A765CBB286B).SEND-MSG-ID raised to 2
Peer VPN_NATEL: Trigger next pended request to establish an exchange
  Current request is ISAKMP-PEER-VPN_NATEL
  IKE_SA is not REPLACED
There are 0 pending requests
No IKE_SA in SADB -> Pending requests removed
VPN_NATEL: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---192.168.10.114/32 port(0) protocol(0)
VPN_NATEL: DELETE MODE(7) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---0.0.0.0/32 port(0) protocol(0)
VPN_NATEL: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
DISCONNECT-RESPONSE sent for handle 35
IKE-TRANSPORT freed

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,650
IKE_SA (VPN_NATEL, 'ISAKMP-PEER-VPN_NATEL' IPSEC_IKE SPIs 0xA16956A8F23E19C17F855A765CBB286B) freed

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,650
DISCONNECT-RESPONSE sent for handle 35

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,650
vpn-maps[35], remote: VPN_NATEL, idle, static-name

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
selecting next remote gateway using strategy eFirst for VPN_NATEL
     => no remote gateway selected

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
selecting first remote gateway using strategy eFirst for VPN_NATEL
     => no remote gateway selected

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
VPN: installing ruleset for VPN_NATEL (0.0.0.0)

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
VPN: WAN state changed to WanDisconnect for VPN_NATEL (0.0.0.0), called by: 01f48f28

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
Config parser: Start

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
Config parser: Finish
  Wall clock time: 0 ms
  CPU time: 0 ms

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,651
VPN: WAN state changed to WanIdle for VPN_NATEL (0.0.0.0), called by: 01f48f28

[VPN-Debug] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,653
cryptaccess unregister nr:19

[VPN-Status] 2020/02/03 19:35:42,632  Devicetime: 2020/02/03 19:35:41,653
VPN: rulesets installed
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

Mit "NO_PROPOSAL_CHOSEN" meldet der Windows-Client, dass im der vom LANCOM gemachte Vorschlag (AES-GCM-256, DH14) für die Verschlüsselung des Datenkanals (CHILD_SA => ESP/IPSec) nicht passt.

/Setup/VPN/IKEv2/Verschluesselung/Child-SA-Verschluesselungsliste
/Setup/VPN/IKEv2/Verschluesselung/Child-SA-Integ-Alg-Liste

und

Set-VpnConnectionIPSecConfiguration

anpassen, bis sich der VPN-Server und der VPN-Client auf einen Vorschlag für das Rekeying des Datenkanals (CHILD_SA => ESP/IPSec) einigen können. Gemäss:
fragen-zum-thema-vpn-f14/windows-phone- ... tml#p86774
konnte ich mit:

AES-GCM-128, DH19

eine Rekeying-kompatible CHILD_SA zwischen dem LANCOM-Router und dem nativen Windows VPN-Client realisieren. Für das bessere Verständnis schlüssle ich den Set-VpnConnectionIPSecConfiguration-Befehl auf:

Set-VpnConnectionIPSecConfiguration

-ConnectionName "granddixence.spdns.de"
-AuthenticationTransformConstants GCMAES128 => notwendiger Platzhalter ohne Wirkung (ansonsten wird der Befehl nicht akzeptiert)
-CipherTransformConstants GCMAES128 => Child-SA-Verschluesselungsliste (für Datenkanal => ESP/IPSec)
-DHGroup Group14 => DH-Gruppen (für Steuerkanal => IKE)
-EncryptionMethod AES128 => IKE-SA-Verschluesselungsliste (für Steuerkanal => IKE)
-IntegrityCheckMethod SHA256 => IKE-SA-Integ-Alg-Liste (für Steuerkanal => IKE)
-PfsGroup ECP256 => DH-Gruppen (für Datenkanal => ESP/IPSEC; eventuell auch für Rekeying vom Steuerkanal => IKE)
-Force
-PassThru

Wahrscheinlich ist in der oben genannten VPN-Anleitung der Parameter "-DHGroup" des Windows-Befehls Set-VpnConnectionIPSecConfiguration nicht korrekt:

korrekt: -DHGroup ECP256
falsch: -DHGroup Group14

oder die Angabe zur LANCOM-Konfiguration /Setup/VPN/IKEv2/Verschluesselung/DH-Gruppen ist nicht korrekt:

korrekt: DH14, DH19
falsch: DH19

Mir war aber, dass ich den Eintrag "DH14" irgendwann erfolgreich aus der LANCOM-Konfiguration löschen konnte...

Bitte testen und rückmelden.

=> ECP256 entspricht gemäss BSI TR der LANCOM-Konfiguration "DH-Gruppen: DH19" => Iana-Nr. 19: 256-bit random ECP group
Nach oben
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

VIelen Dank für die detaillierte Erklärung.
Ich bin davon ausgegangen, dass beim Rekeying automatisch die identischen Parameter, wie bei der initialen Aushandlung des Tunnels benutzt werden. Anscheinend ist es aber hier nicht so. Beim Rekeying wird nicht versucht DH14/AES-CBC-128 neu auszuhandeln, sondern nur mit DH19/AES-GCM-128 und der Eintrag fehlte für DEFAULT.

Ich habe jetzt den Tunnel mal so aufgesetzt:

Code: Alles auswählen

Set-VpnConnectionIpsecConfiguration -ConnectionName "Test" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -DHGroup Group14 -PassThru -Force
Die dazugehörigen Einträge in der Tabelle Verschlüsselung sehen so aus:

Code: Alles auswählen

Name                  DH-Groups                                             PFS              IKE-SA-Cipher-List                                                            IKE-SA-Integ-Alg-List                     Child-SA-Cipher-List                                                          Child-SA-Integ-Alg-List
======================---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DEFAULT               DH19,DH14                                             Yes              AES-CBC-128                                                                   SHA-256                                   AES-GCM-128                                                                   SHA-256
VPN_NATEL               DH19,DH14                                             Yes              AES-CBC-128                                                                   SHA-256                                   AES-GCM-128                                                                   SHA-256
Jetzt funktioniert das Rekeying und der Tunnel bleibt stehen, allerdings wird jetzt bei jedem Rekeying ein Fehlereintrag ins syslog geschrieben.

VPN: Error for peer VPN_NATEL: IKE-I-General-failure

Im Trace sieht das so aus:

Code: Alles auswählen

[VPN-IKE] 2020/02/04 16:23:18,310  Devicetime: 2020/02/04 16:23:17,050
[VPN_NATEL] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64682
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x00   
| Msg-ID            : 49
| Length            : 480 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 452 Bytes
| IV                : 90 D1 31 BA 3D 99 B4 5E 28 C5 26 9A FA 39 C2 3A
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NOTIFY Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| Protocol ID       : IPSEC_ESP
| SPI size          : 4
| Message type      : STATUS_REKEY_SA
| SPI               : 62 F4 33 B2
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 52 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 48 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 4
| | SPI             : FD 50 0E 13
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 256-BIT RANDOM ECP (19)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 264 Bytes
| DH Group          : 14
| Reserved2         : 0x0000
| DH-Key(2048 bits) : C7 E9 2F 4F F5 E1 22 2E 63 EB 1A 9F 76 F0 1F F8
|                     F5 BF E4 41 BD C8 26 20 55 E8 C1 5B 12 56 9D 62
|                     25 01 49 BD 61 38 89 F1 48 56 FF 7D 30 95 9E 97
|                     62 5F 70 DB 41 91 12 C4 BF 7A AE F9 9C E4 AD A9
|                     34 0F B3 63 8C DF DE C1 D5 AD 54 00 A4 73 4C FD
|                     7D FD 81 0D 21 6D 4F 6B 13 79 C3 8E CF A5 D0 D9
|                     E5 20 A8 3F C4 B2 95 62 8F 2A A2 93 E0 D1 AA 67
|                     1F 9F BB 6A E2 C3 01 7E DF 34 33 3E 4A 3C 98 15
|                     17 74 97 86 4A 4D 87 15 FF 1C 3B AB 2E 6C 08 9B
|                     E7 C9 2D A2 AA 5C CD 4C 0D 88 BD 16 28 3A AC 71
|                     6A 58 9E 09 B3 B3 B0 B7 4C 01 8A D4 1C E7 81 C6
|                     23 C7 C7 FD 48 04 ED 9C CF 67 F6 FD FB 18 77 C1
|                     C3 66 0A 96 36 F9 9B E5 46 ED 9D A3 A8 1F DD E1
|                     58 42 4F 47 5D DE B6 DC 88 E3 01 83 27 45 9B 9C
|                     F0 7D D8 61 79 33 79 24 D5 66 F5 16 40 F8 20 DA
|                     32 3E A6 9B 17 64 6A E1 CF 9D AF B8 FD 97 64 53
NONCE Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : 6C 47 38 08 85 EA 0F 40 2D 6A 21 5F DE F1 D9 0B
|                     7B 86 FD 25 B9 AF 1C ED 85 54 54 32 3A 43 E3 22
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
TSr Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 192.168.10.114 - 192.168.10.114
Rest                : 00 00 00 03

[VPN-IKE] 2020/02/04 16:23:18,310  Devicetime: 2020/02/04 16:23:17,054
[VPN_NATEL] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64682
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x00   
| Msg-ID            : 49
| Length            : 480 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 452 Bytes
| IV                : 90 D1 31 BA 3D 99 B4 5E 28 C5 26 9A FA 39 C2 3A
| Encrypted Data    : 9B EB E3 CE F5 FA CC 18 22 14 72 19 44 42 72 74
|                     19 BE 1B 69 F8 BD B3 93 7D 66 60 56 89 57 63 4F
|                     27 6B 10 88 2A 69 B1 B0 8D 17 6C 45 1C 59 E2 C7
|                     96 30 21 51 E2 92 B0 92 37 34 07 0D A3 9B DA 35
|                     5F 18 F5 2C 64 1C FD 8E 16 58 42 33 D9 46 E2 82
|                     5A BA 3B 49 A6 20 37 83 75 4C 6B E3 B9 E2 82 5B
|                     F9 83 EE 3D B5 15 AA 9F 2F 1B CF D5 10 CE C1 E9
|                     D2 50 B0 2F 59 A4 CE 0E 32 F2 8D E3 E5 71 4B 19
|                     83 0F 8C FD C0 91 0E BE B4 69 33 EA 82 2C 8E 98
|                     29 E0 14 4D 69 F1 8D DC 3A E4 36 26 C0 75 AE F4
|                     E4 2A C0 4D A7 D2 07 E8 F3 52 45 FF 2F 75 5F 54
|                     C0 45 0A E0 C4 B8 D9 CA EB 95 A0 BF BD A5 D7 1F
|                     D5 D3 EE 7E 3C 42 91 0F 50 37 5A D6 91 46 70 AF
|                     74 16 98 0F 6A 95 6C 2A 7C AC 68 C9 95 91 66 C0
|                     A4 B2 0B 81 DD 4A D4 E8 9A 60 12 C4 DC B7 04 37
|                     05 39 76 2D F5 10 E0 78 C0 07 8A 0C 45 91 AE 5B
|                     F6 1B 5F 58 E1 E5 D2 A5 B7 D4 FF C1 FE E7 5A 29
|                     A0 1A 69 29 D8 54 51 19 D9 2C C4 E1 48 50 CC 27
|                     D5 A4 15 23 89 BB 71 60 19 E9 47 8D 85 C2 1C 49
|                     03 BE F7 B9 98 10 AF A7 BE B7 39 CB 27 B4 3D 2A
|                     CD 46 08 31 01 0D BD 01 14 A0 C7 76 03 BB 44 44
|                     29 50 CA DF CB 65 C5 30 80 07 B5 39 3E 72 14 A8
|                     C1 95 82 A1 AD DF 27 90 E0 66 A7 8C AE 15 26 E2
|                     35 C0 5B 85 3C 40 5E B6 2C AA 4C 93 E5 5F 7E F8
|                     81 7E 4D E9 B1 BD AF 19 DE BF 10 DC 11 9F 2B A6
|                     A0 DA A0 DD E6 FB FC D4 A6 33 D9 A6 92 11 26 D5
| ICV               : AB 99 7C 7B 28 59 E0 90 06 10 C9 EE 54 44 DB F2

[VPN-Debug] 2020/02/04 16:23:18,326  Devicetime: 2020/02/04 16:23:17,054
Peer VPN_NATEL: Received a request to establish an exchange for IPSEC-0-VPN_NATEL-PR0-L0-R0
Constructing payload NOTIFY(STATUS_REKEY_SA) (41):
  +SPI=0x62F433B2
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL  SPI 0xFD500E13 
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x6C47380885EA0F402D6A215FDEF1D90B7B86FD25B9AF1CED855454323A43E322
  +SA-DATA-Ni=0x6C47380885EA0F402D6A215FDEF1D90B7B86FD25B9AF1CED855454323A43E322
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
Sending an CREATE_CHILD_SA-REQUEST of 480 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64682, tag 0 (UDP)
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 49
Payloads: ENCR

[VPN-Status] 2020/02/04 16:23:18,326  Devicetime: 2020/02/04 16:23:17,054
Soft lifetime event occurred for 'IPSEC-0-VPN_NATEL-PR0-L0-R0' (initiator  144/180 sec  flags 0x0000010100000008)
Establishing CREATE_CHILD_SA exchange for IPSEC-0-VPN_NATEL-PR0-L0-R0 (VPN_NATEL)
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Peer VPN_NATEL: Constructing an CREATE_CHILD_SA-REQUEST for send
Soft-Event occured for peer IPSEC-0-VPN_NATEL-PR0-L0-R0 (Initiator, flags 0x00002101)
Starting a CHILD_SA rekeying for CHILD_SA: 
Rekeyed SA: 
  ESP outgoing [0x9F53387C], incoming [0x62F433B2]
+CHILD-SA:
  ESP-Proposal-1 My-SPI: 0xFD500E13 (4 transforms)
    ENCR : AES-GCM-16-128
    DH   : 19 14
    ESN  : NONE
+KE-DH-Group 14 (2048 bits)
+Rekeying TSi 0: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+Rekeying TSr 0: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
Message scheduled for retransmission (1) in 6.233589 seconds
Sending an CREATE_CHILD_SA-REQUEST of 480 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64682, tag 0 (UDP)
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 49

[VPN-Debug] 2020/02/04 16:23:18,326  Devicetime: 2020/02/04 16:23:17,054
KEY-SOFT-TIMEOUT for VPN_NATEL outgoing UDP-SPI 0x9F53387C  refcnt 2
KEY-SA-STATE-CHANGE: MATURE->DYING
IPSEC-SEND-UP

[VPN-Status] 2020/02/04 16:23:18,326  Devicetime: 2020/02/04 16:23:17,054
KEY-SOFT-TIMEOUT for VPN_NATEL outgoing UDP-SPI 0x9F53387C
Hard-Event in 36 sec / 1953 mbytes

[VPN-Debug] 2020/02/04 16:23:18,357  Devicetime: 2020/02/04 16:23:17,054
KEY-SOFT-TIMEOUT for VPN_NATEL incoming UDP-SPI 0x62F433B2  refcnt 2
KEY-SA-STATE-CHANGE: MATURE->DYING

[VPN-Status] 2020/02/04 16:23:18,357  Devicetime: 2020/02/04 16:23:17,054
KEY-SOFT-TIMEOUT for VPN_NATEL incoming UDP-SPI 0x62F433B2
Hard-Event in 36 sec / 1953 mbytes

[VPN-IKE] 2020/02/04 16:23:18,389  Devicetime: 2020/02/04 16:23:17,112
[VPN_NATEL] Received packet:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64682
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 49
| Length            : 80 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 52 Bytes
| IV                : 87 1B 12 5C CC F8 8A 9A B4 31 4A 00 91 1C D5 8E
| Encrypted Data    : 84 EF F8 46 2C 45 0F 64 C7 69 A3 21 1D 29 1B 6F
| ICV               : FA 4A 4E 7E 0D BC F8 CF 88 02 90 65 D9 95 34 D4

[VPN-IKE] 2020/02/04 16:23:18,389  Devicetime: 2020/02/04 16:23:17,113
[VPN_NATEL] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64682
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 49
| Length            : 80 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 52 Bytes
| IV                : 87 1B 12 5C CC F8 8A 9A B4 31 4A 00 91 1C D5 8E
| ICV               : FA 4A 4E 7E 0D BC F8 CF 88 02 90 65 D9 95 34 D4
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 10 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : INVALID_KE_PAYLOAD
| Notif. data       : 00 13
Rest                : 00 00 00 00 00 05

[VPN-Debug] 2020/02/04 16:23:18,389  Devicetime: 2020/02/04 16:23:17,113
Peer VPN_NATEL [responder]: Received an CREATE_CHILD_SA-RESPONSE of 80 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64682
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 49
Payloads: ENCR
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:64682 rtg_tag 0 physical-channel WAN(2) vpn-channel 36
transport: [id: 31930, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (8), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 64682, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
Message decrypted successfully
Payloads: ENCR, NOTIFY(INVALID_KE_PAYLOAD[0x0013])
IKE_SA(0x9921756265E7EDE66DCC258AF651E2F2).SEND-MSG-ID raised to 50
Peer VPN_NATEL: Trigger next pended request to establish an exchange
  Current request is IPSEC-0-VPN_NATEL-PR0-L0-R0
  IKE_SA is not REPLACED
There are 0 pending requests

[VPN-Status] 2020/02/04 16:23:18,389  Devicetime: 2020/02/04 16:23:17,113
Peer VPN_NATEL [responder]: Received an CREATE_CHILD_SA-RESPONSE of 80 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64682
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 49
Received 1 notification: 
  +INVALID_KE_PAYLOAD(0x0013) (ERROR) -> current request fails
-Required payload SA (33) not received
-Received notificaion error(s): NOTIFY(INVALID_KE_PAYLOAD[0x0013])
Received INVALID_KE_PAYLOAD(19)
+Renegotiating DH-Group 19...
CHILD_SA (UNKNOWN, 'UNKNOWN' ) removed from SADB
CHILD_SA (UNKNOWN, 'UNKNOWN' ) freed

[VPN-IKE] 2020/02/04 16:23:18,389  Devicetime: 2020/02/04 16:23:17,115
[VPN_NATEL] Sending packet before encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64682
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x00   
| Msg-ID            : 50
| Length            : 288 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 260 Bytes
| IV                : 21 2B AF 81 6E 91 F5 5A C8 E1 BE 07 00 57 0C 47
| ICV               : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NOTIFY Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 12 Bytes
| Protocol ID       : IPSEC_ESP
| SPI size          : 4
| Message type      : STATUS_REKEY_SA
| SPI               : 62 F4 33 B2
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 52 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 48 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 4
| | SPI             : EB 1B 03 9A
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 256-BIT RANDOM ECP (19)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 72 Bytes
| DH Group          : 19
| Reserved2         : 0x0000
| DH-Key(512 bits)  : 22 F4 BD 96 0F F3 80 78 84 E4 C9 0A 7B 07 57 43
|                     2D D3 B4 15 51 41 D1 F9 F5 05 B7 7C 81 A7 6C F4
|                     94 3A E5 BE 28 65 55 B5 55 E1 D2 75 2E FF C8 14
|                     24 09 61 8A E4 5E 8C F1 00 18 D0 D9 26 CA 12 B2
NONCE Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 36 Bytes
| Nonce(256 bits)   : 84 60 87 5F BB CF FA B3 50 E8 32 C1 6A B8 31 D7
|                     72 02 68 8B 5E 74 C9 81 08 2C AC 47 29 34 05 89
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
TSr Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 192.168.10.114 - 192.168.10.114
Rest                : 00 00 00 03

[VPN-Status] 2020/02/04 16:23:18,404  Devicetime: 2020/02/04 16:23:17,115
VPN: policy manager error indication: VPN_NATEL (1.1.1.1), cause: 8703

[VPN-Status] 2020/02/04 16:23:18,404  Devicetime: 2020/02/04 16:23:17,122
VPN: Error: IKE-I-General-failure (0x21ff) for VPN_NATEL (1.1.1.1)

[VPN-IKE] 2020/02/04 16:23:18,404  Devicetime: 2020/02/04 16:23:17,126
[VPN_NATEL] Sending packet after encryption:
IKE 2.0 Header:
Source/Port         : 9.9.9.9:4500
Destination/Port    : 1.1.1.1:64682
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x00   
| Msg-ID            : 50
| Length            : 288 Bytes
ENCR Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 260 Bytes
| IV                : 21 2B AF 81 6E 91 F5 5A C8 E1 BE 07 00 57 0C 47
| Encrypted Data    : 81 D9 6A 4A 4C 9B 2A 39 EC 77 4A 6E 32 89 07 DA
|                     08 6B C9 3C F3 04 A7 F3 8E 0F 28 04 61 BE C8 E3
|                     97 78 DD 63 BA 70 F4 10 2D D4 49 89 32 EE 62 74
|                     6D C4 24 06 B6 43 53 56 3E 02 11 B6 C6 E7 0B 90
|                     FB C1 3C 15 D1 03 50 4F F8 84 69 3E 52 66 AD 6D
|                     A2 63 D0 D8 71 F7 E8 A6 AC AC B7 1E 6C B9 55 7E
|                     D0 59 4B FD 0E CD 68 D6 A6 30 C0 B1 94 34 9E 18
|                     70 5E A0 9D F0 55 6A 95 44 9B 59 EE BE D7 DC FD
|                     7F 87 7C 57 24 B8 64 63 B7 E2 DB 30 3C 4A 57 05
|                     11 8F 42 B4 92 BF 7B DE F2 FB EE DF B9 37 A2 09
|                     B5 67 9C 59 9E 81 1E C9 53 B0 C7 1F AE B4 5D 42
|                     AC 66 F3 04 A1 AF 4B 85 20 AF E0 74 FC 7A 33 8F
|                     D7 34 6F E2 40 D7 13 E9 20 9B 49 7C 76 26 AB 00
|                     8B B3 91 68 76 B5 C8 B2 6D EB 3F 8F 28 01 F2 2A
| ICV               : 75 DD 6B 45 8D C3 F2 C2 35 7B 44 8C 2B 74 2C 45

[VPN-Debug] 2020/02/04 16:23:18,404  Devicetime: 2020/02/04 16:23:17,126
Peer VPN_NATEL: Received a request to establish an exchange for IPSEC-0-VPN_NATEL-PR0-L0-R0
Constructing payload NOTIFY(STATUS_REKEY_SA) (41):
  +SPI=0x62F433B2
KEY-PARSE: Received SADB_GETSPI/SADB_SATYPE_ESP
KEY-GETSPI: Peer VPN_NATEL  SPI 0xEB1B039A 
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 30 sec (larval_timeout)
IPSEC-SEND-UP
Constructing payload NONCE (40):
  +Nonce length=32 bytes
  +Nonce=0x8460875FBBCFFAB350E832C16AB831D77202688B5E74C981082CAC4729340589
  +SA-DATA-Ni=0x8460875FBBCFFAB350E832C16AB831D77202688B5E74C981082CAC4729340589
Message encrypted successfully
Message authenticated successfully
Non-ESP-Marker Prepended
Sending an CREATE_CHILD_SA-REQUEST of 288 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64682, tag 0 (UDP)
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 50
Payloads: ENCR

[VPN-Status] 2020/02/04 16:23:18,435  Devicetime: 2020/02/04 16:23:17,126
Peer VPN_NATEL: Renegotiating PFS-DH-Group 19
Establishing CREATE_CHILD_SA exchange for IPSEC-0-VPN_NATEL-PR0-L0-R0 (VPN_NATEL)
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Peer VPN_NATEL: Constructing an CREATE_CHILD_SA-REQUEST for send
Soft-Event occured for peer IPSEC-0-VPN_NATEL-PR0-L0-R0 (Initiator, flags 0x00002101)
Starting a CHILD_SA rekeying for CHILD_SA: 
Rekeyed SA: 
  ESP outgoing [0x9F53387C], incoming [0x62F433B2]
+CHILD-SA:
  ESP-Proposal-1 My-SPI: 0xEB1B039A (4 transforms)
    ENCR : AES-GCM-16-128
    DH   : 19 14
    ESN  : NONE
+KE-DH-Group 19 (512 bits)
+Rekeying TSi 0: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+Rekeying TSr 0: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
Message scheduled for retransmission (1) in 7.568966 seconds
Sending an CREATE_CHILD_SA-REQUEST of 288 bytes (responder encrypted)
Gateways: 9.9.9.9:4500-->1.1.1.1:64682, tag 0 (UDP)
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 50

[VPN-IKE] 2020/02/04 16:23:18,466  Devicetime: 2020/02/04 16:23:17,180
[VPN_NATEL] Received packet:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64682
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 50
| Length            : 288 Bytes
ENCR Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 260 Bytes
| IV                : 3A 68 EC 6B 3E 90 81 19 99 42 4E 40 B4 07 AB F8
| Encrypted Data    : A1 39 8E 6D A2 6E 14 4C 56 31 0E 14 56 A9 EB E2
|                     38 7B 84 76 95 51 4E DB 22 18 20 D1 3B DC F7 FB
|                     25 5D 2F 1B 60 25 C4 F3 93 1D AA 33 D9 8D AB D3
|                     03 97 AF D1 32 90 50 D3 80 10 B9 39 6A 7A CF 67
|                     89 01 2F AF F2 2A 15 C5 9C A7 7E BB 2D 00 0A F0
|                     54 87 9E 37 AC 47 A2 EE 76 51 DC CA 13 27 32 B9
|                     BE 12 FE E2 A5 4F 35 EE A0 45 E2 63 7E 0A 74 CE
|                     02 51 18 B0 46 D2 94 1C C2 43 7F 34 89 B5 38 BD
|                     D6 AE 94 D9 A2 31 D7 FA 4B 10 08 2C 53 9B 01 87
|                     E2 CB 3A 11 12 F2 B8 8D D1 34 D7 31 B2 D4 1E BE
|                     13 EB 7C A0 52 36 49 AD 7C 7D D1 09 FF 6D 17 B7
|                     FF EF 6C 60 D9 00 28 98 BF 90 E9 83 8F 69 C2 83
|                     F7 91 40 3D 5C 8F 1F DF ED 17 8F AD 7A F1 FD 88
|                     E2 75 E0 56 62 70 48 51 96 1F 91 55 F5 D5 32 EC
| ICV               : 80 99 C9 BD 7B 6D B5 A7 24 A4 A9 37 A2 CC DA 7A

[VPN-IKE] 2020/02/04 16:23:18,466  Devicetime: 2020/02/04 16:23:17,182
[VPN_NATEL] Received packet after decryption:
IKE 2.0 Header:
Source/Port         : 1.1.1.1:64682
Destination/Port    : 9.9.9.9:4500
Routing-tag         : 0
Com-channel         : 36
| Initiator cookie  : 99 21 75 62 65 E7 ED E6
| Responder cookie  : 6D CC 25 8A F6 51 E2 F2
| Next Payload      : ENCR
| Version           : 2.0
| Exchange type     : CREATE_CHILD_SA
| Flags             : 0x28 Response  Initiator
| Msg-ID            : 50
| Length            : 288 Bytes
ENCR Payload
| Next Payload      : SA
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 260 Bytes
| IV                : 3A 68 EC 6B 3E 90 81 19 99 42 4E 40 B4 07 AB F8
| ICV               : 80 99 C9 BD 7B 6D B5 A7 24 A4 A9 37 A2 CC DA 7A
SA Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 44 Bytes
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 40 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_ESP
| | SPI size        : 4
| | #Transforms     : 3
| | SPI             : 9B 57 F8 20
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-GCM-16 (20)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 256-BIT RANDOM ECP (19)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ESN (5)
| | | Reserved2     : 0x00
| | | Transform ID  : NONE (0)
| | | Attributes    : NONE
NONCE Payload
| Next Payload      : TSi
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 52 Bytes
| Nonce(384 bits)   : 46 33 F5 8A CE DD 7B 30 23 FE E8 68 64 38 91 6B
|                     99 5D 18 50 3F 07 1A 04 6A 2C AA 49 F7 D3 56 EE
|                     F9 F9 AB 31 CA 64 FD C3 6C 43 B4 20 58 15 96 1E
TSi Payload
| Next Payload      : TSr
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 0.0.0.0 - 255.255.255.255
TSr Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 24 Bytes
| Number of TSs     : 1
| Reserved          : 0x000000
| Traffic Selector 0
| | Type            : TS_IPV4_ADDR_RANGE
| | Protocol        : ANY
| | Length          : 16
| | Start Port      : 0
| | End   Port      : 65535
| | Address Range   : 192.168.10.114 - 192.168.10.114
KE Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 72 Bytes
| DH Group          : 19
| Reserved2         : 0x0000
| DH-Key(512 bits)  : 76 20 1D C1 93 6F 83 8E D4 9E B8 33 55 5B AA B1
|                     56 FA 61 85 6E A7 5A 1D 95 C5 48 09 70 3C 08 55
|                     22 85 09 31 1A 8C 91 A6 59 9F 5C F5 CC 59 C9 08
|                     D9 63 09 6F 5A 94 CA E0 17 13 AD C8 0E 09 C9 2B
Rest                : 00 00 00 00 00 00 00 07

[VPN-Debug] 2020/02/04 16:23:18,466  Devicetime: 2020/02/04 16:23:17,193
Peer VPN_NATEL [responder]: Received an CREATE_CHILD_SA-RESPONSE of 288 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64682
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 50
Payloads: ENCR
QUB-DATA: 9.9.9.9:4500<---1.1.1.1:64682 rtg_tag 0 physical-channel WAN(2) vpn-channel 36
transport: [id: 31930, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1492, iface: T-ADSL (8), mac address: ff:ff:ff:ff:ff:ff, port 0], local port: 4500, remote port: 64682, flags: UDP_ENCAPSULATION
+IKE_SA found and assigned
Message verified successfully
Message decrypted successfully
Payloads: ENCR, SA, NONCE, TSI, TSR, KE
Looking for payload TSI (44)...Found 1 payload.
  Looking for connection "IPSEC-0-VPN_NATEL-PR0-L0-R0"...Found
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Best        :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  +Valid intersection found
  TSi: (  0,     0-65535,         0.0.0.0-255.255.255.255)
  TSr: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
  +TSi OK.
Looking for payload TSR (45)...Found 1 payload.
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Received TS :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Intersection:(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  Best        :(  0,     0-65535,  192.168.10.114-192.168.10.114 )
  +TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-GCM-16-128
  +Received ENCR  transform(s): AES-GCM-16-128
  +Best intersection: AES-GCM-16-128
  +Config   DH    transform(s): 19 14
  +Received DH    transform(s): 19
  +Best intersection: 19
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE
Looking for payload NONCE (40)...Found 1 payload.
  +Nonce length=48 bytes
  +Nonce=0x4633F58ACEDD7B3023FEE8686438916B995D18503F071A046A2CAA49F7D356EEF9F9AB31CA64FDC36C43B4205815961E
  +SA-DATA-Nr=0x4633F58ACEDD7B3023FEE8686438916B995D18503F071A046A2CAA49F7D356EEF9F9AB31CA64FDC36C43B4205815961E
+Shared secret derived in 7540 micro seconds
KEY-PARSE: Received SADB_ADD/SADB_SATYPE_ESP
KEY-NEWSA: SA successfully created and inserted into SADB:
  State LARVAL  Protocol ESP  PID 0  refcnt 1  Hard-Timeout in 180 sec (key_hard_event)  Soft-Timeout in 144 sec
KEY-SA-STATE-CHANGE: LARVAL->MATURE
KEY-ADD: Peer VPN_NATEL  handle 36  outgoing UDP-SPI 0x9B57F820  NAT-T  0.0.0.0/0---9.9.9.9:4500===1.1.1.1:64682---192.168.10.114/32  Hard-Timeout in 180 sec (key_hard_event)  Soft-Timeout in 144 sec
IPSEC-SEND-UP
KEY-PARSE: Received SADB_UPDATE/SADB_SATYPE_ESP
KEY-SA-STATE-CHANGE: LARVAL->MATURE
SA-STORE: refcnt 2
KEY-UPDATE: Peer VPN_NATEL  handle 36  incoming UDP-SPI 0xEB1B039A  NAT-T  192.168.10.114/32---1.1.1.1:64682===9.9.9.9:4500---0.0.0.0/0  Hard-Timeout in 180 sec (key_hard_event)  Soft-Timeout in 144 sec
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---9.9.9.9===1.1.1.1---192.168.10.114/32 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL  OUTBOUND  PROTOCOL_ANY  0.0.0.0/0<->192.168.10.114/32
IPSEC-SEND-UP
VPN_NATEL: UPDATE MODE(1) INBOUND ESP 192.168.10.114/32 port(0) protocol(0)---1.1.1.1===9.9.9.9---0.0.0.0/0 port(0) protocol(0)
KEY-PARSE: Received SADB_X_SPDUPDATE/SADB_SATYPE_UNSPEC
KEY-SPDUPDATE: VPN_NATEL  INBOUND  PROTOCOL_ANY  192.168.10.114/32<->0.0.0.0/0
IPSEC-SEND-UP

[VPN-Status] 2020/02/04 16:23:18,529  Devicetime: 2020/02/04 16:23:17,193
Peer VPN_NATEL [responder]: Received an CREATE_CHILD_SA-RESPONSE of 288 bytes (encrypted)
Gateways: 9.9.9.9:4500<--1.1.1.1:64682
SPIs: 0x9921756265E7EDE66DCC258AF651E2F2, Message-ID 50
TSi: (  0,     0-65535,         0.0.0.0-255.255.255.255)
TSr: (  0,     0-65535,  192.168.10.114-192.168.10.114 )
+CHILD-SA:
  ESP-Proposal-1 Peer-SPI: 0x9B57F820 (3 transforms)
    ENCR : AES-GCM-16-128
    DH   : 19
    ESN  : NONE
+Received KE-DH-Group 19 (512 bits)

CHILD_SA [initiator] done with 2 SAS for peer VPN_NATEL rule IPSEC-0-VPN_NATEL-PR0-L0-R0
9.9.9.9:4500<--1.1.1.1:64682, Routing tag 0, Com-channel 36
rule:' ipsec 0.0.0.0/0 <-> 192.168.10.114/32
outgoing SA ESP [0x9B57F820]  Authenticated-Encryption AES-GCM-16-128  PFS-DH-Group 19  ESN None
incoming SA ESP [0xEB1B039A]  Authenticated-Encryption AES-GCM-16-128  PFS-DH-Group 19  ESN None
life time soft 02/04/2020 16:25:41 (in 144 sec) / 1600000 kb
life time hard 02/04/2020 16:26:17 (in 180 sec) / 2000000 kb
tunnel between src: 9.9.9.9 dst: 1.1.1.1
Rekeyed CHILD_SA[outgoing 0x9F53387C incoming 0x62F433B2] marked as REPLACED. Hard-Timeout in 15 sec

[VPN-Debug] 2020/02/04 16:23:18,529  Devicetime: 2020/02/04 16:23:17,193
IKE_SA(0x9921756265E7EDE66DCC258AF651E2F2).SEND-MSG-ID raised to 51
Peer VPN_NATEL: Trigger next pended request to establish an exchange
  Current request is IPSEC-0-VPN_NATEL-PR0-L0-R0
  IKE_SA is not REPLACED
There are 0 pending requests

[VPN-Status] 2020/02/04 16:23:18,529  Devicetime: 2020/02/04 16:23:17,194
set_ip_transport for VPN_NATEL: [id: 48590, UDP (17) {incoming unicast, fixed source address}, dst: 1.1.1.1, tag 0 (U), src: 9.9.9.9, hop limit: 64, pmtu: 1492, iface: T-ADSL (8), mac address: ff:ff:ff:ff:ff:ff, port 0]

Wenn ich versuche den Tunnel mit "Set-VpnConnectionIpsecConfiguration .... -DHGroup ECP256...." zu benutzen, dann bekomme ich folgende Fehlermeldung beim Tunnelaufbau:

Benutzername und Kennwort werden überprüft...IKE konnte kein gültiges Computerzertifikat finden. Wenden Sie sich an den Administrator für die Netzwerksicherheit, um zu erfahren, wie ein gültiges Zertifikat im entsprechenden Zertifikatspeicher installiert wird. Keine Verbindungen
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

Der LANCOM-Router meldet im ersten CREATE_CHILD_SA-IKE-Telegramm dem VPN-Client, dass er DH19 und DH14 unterstützt. In diesem Telegramm hat aber nur ein KE Payload (Key Exchange => Schlüsselaustausch) Platz. Der LANCOM-Router entscheidet sich für das Mitsenden des Materials für die Aushandlung von DH14 im KE Payload (2048 Bit). Der VPN-Client wünscht aber DH19 und fordert den VPN-Server mit einem INVALID_KE_PAYLOAD zur zweiten Verhandlungsrunde auf. Mit dem INVALID_KE_PAYLOAD wird dem VPN-Server (LANCOM-Router) signalisiert, dass die erste Verhandlungsrunde gescheitert ist.

Im CREATE_CHILD_SA der zweiten Verhandlungsrunde schickt dann der LANCOM-Router im KE Payload das Material für die Aushandlung von DH19 (512 Bit => wieso nicht 256 Bit?).

Das INVALID_KE_PAYLOAD von der ersten Verhandlungsrunde löst den "IKE-I-General-failure"-Fehlereintrag im SYSLOG aus.
Nach oben
at0m
Beiträge: 35
Registriert: 13 Jan 2019, 14:33

Re: Windows 10 mit IKEv2 VLAN

Beitrag von at0m »

Wenn ich das richtig verstanden habe, dann wird hier https://social.technet.microsoft.com/Fo ... 7bc07f6df2 behauptet, dass Microsoft den Zusammenhang zwischen DH Gruppe, PFS Gruppe und Zertifikat hart codiert hat.
Das würde - für mein Verständnis - erklären, warum beim Rekeying mit "-PfsGroup ECP256 -DHGroup Group14" der Tunnel mit DH14 geöffnet wird und dann das Rekeying mit DH19 probiert wird. Und das würde auch erklären, warum ich Zertifikatsfehler bekomme, wenn ich DHGroup ECP256 nehme.
Ist das soweit korrekt ?

Ich habe den Tunnel jetzt so erstellt und das Rekeying läuft fehlerfrei:

Code: Alles auswählen

Set-VpnConnectionIpsecConfiguration -ConnectionName "Test" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -DHGroup Group14 -PassThru -Force
Die entsprechenden Einträge in Verschlüsselungstabelle sehen so aus:
DEFAULT

Code: Alles auswählen

Name                     INFO:    DEFAULT
DH-Groups                VALUE:   DH14
PFS                      VALUE:   Yes
IKE-SA-Cipher-List       VALUE:   AES-CBC-256
IKE-SA-Integ-Alg-List    VALUE:   SHA-256
Child-SA-Cipher-List     VALUE:   AES-GCM-256
Child-SA-Integ-Alg-List  VALUE:   SHA-256
VPN_NATEL

Code: Alles auswählen

Name                     INFO:    VPN_NATEL
DH-Groups                VALUE:   DH14
PFS                      VALUE:   Yes
IKE-SA-Cipher-List       VALUE:   AES-CBC-256
IKE-SA-Integ-Alg-List    VALUE:   SHA-256
Child-SA-Cipher-List     VALUE:   AES-GCM-256
Child-SA-Integ-Alg-List  VALUE:   SHA-256
Wenn ich das Dokument https://www.lancom-systems.de/docs/LCOS ... ation.html richtig verstanden habe, dann kann ich stärke Verschlüsselung (ECP256,ECP384) nur dann nehmen, wenn ich die Zertifikate außerhalb vom Lancom erzeugt habe und hier nur hochlade, oder ?
Zuletzt geändert von at0m am 06 Feb 2020, 18:06, insgesamt 1-mal geändert.
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

Nein, das wurde falsch verstanden. In den beiden Links geht es um die Authentifizierung:
https://www.datenschutzbeauftragter-inf ... risierung/
und nicht um das asymmetrische Kryptoverfahren. Mit den Parametern "DHGroup" und "PfsGroup" im Windows-Befehl "Set-VpnConnectionIPsecConfiguration" wird das asymmetrische Kryptoverfahren konfiguriert.

Für die Authentifizierung wird gemäss der oben verlinkten VPN-Anleitung ein RSA-Zertifikat mit dem Signaturverfahren RSASSA gemäss dem Standard PKCS#1 Version 1.5 (RSASSA-PKCS1-v1_5) verwendet.
https://en.wikipedia.org/wiki/PKCS_1#Schemes

In den beiden Links geht es aber um die Authentifizierung mit einem ECDSA-Zertifikat.
https://blog.cloudflare.com/ecdsa-the-d ... -internet/

Eine verschlüsselte Kommunikation zwischen Alice und Bob "steht" im wesentlichen "auf vier Pfeilern":

=> Definition von Alice, Bob und Eve siehe Kapitel "Schlüsseltauschproblem":
https://de.wikipedia.org/wiki/Diffie-He ... schproblem

=> Eve kann auch als MITM fungieren => Man-in-the-Middle:
https://de.wikipedia.org/wiki/Man-in-the-Middle-Angriff

1.) Verschlüsselung der Nutzdaten mit einem symmetrischen Verschlüsselungsverfahren
2.) Integritätsschutz der zu übertragenden Daten
3.) Schlüsselvereinbarung über ein asymmetrisches Kryptoverfahren
4.) Authentifizierung des Kommunikationspartners mit einem Signaturverfahren

1.) Damit Eve nicht die zu übertragenden Nutzdaten lesen kann.
2.) Damit Eve nicht die zu übertragenden Nutzdaten manipulieren kann oder gar per Datenmanipulation die Verschlüsselung knacken kann.
3.) Sichere Aushandlung der Verschlüsselungs-Schlüsseln für das symmetrische Verschlüsselungsverfahren über eine unsichere Netzwerkverbindung. => Eve hört alles mit und kriegt die Verschlüsselungsschlüsseln trotzdem nicht in seine Hände...

4.) Sicher stellen, dass Alice mit dem erwünschten Kommunikationspartner kommuniziert. Kommuniziert Alice über den verschlüsselten Kommunikationskanal mit Bob oder mit Eve?

Hier die Zuweisung der Kapiteln des BSI TR 02102-3 zum jeweiligen der vier Pfeilern:

1.) 3.2.1; 3.3.1
2.) 3.2.3; 3.3.2 (3.2.1+3.3.1 => AES-GCM)
3.) 3.2.4
4.) 3.2.5

Die sichere Realisierung des vierten Pfeilers (Authentifizierung) ist die schwierigste Aufgabe!

Anschauungsunterricht zu "Schlüsselvereinbarung über ein asymmetrisches Kryptoverfahren" bietet:
https://ksr-ugc.imgix.net/assets/002/53 ... 75b64fd87a
Zuletzt geändert von GrandDixence am 05 Feb 2020, 23:54, insgesamt 2-mal geändert.
Nach oben
GrandDixence
Beiträge: 1180
Registriert: 19 Aug 2014, 22:41

Re: Windows 10 mit IKEv2 VLAN

Beitrag von GrandDixence »

at0m hat geschrieben: 05 Feb 2020, 14:27 warum beim Rekeying mit "-PfsGroup ECP256 -DHGroup Group14" der Tunnel mit DH14 geöffnet wird und dann das Rekeying mit DH19 probiert wird.
Beim Aufbau des VPN-Tunnels wird das für den Datenkanal (ESP/IPSec) zu verwendende Schlüsselmaterial vom Schlüsselmaterial des Steuerkanal (IKE) abgeleitet. Es kommt also beim Aufbau des VPN-Tunnels für das Schlüsselmaterial des Datenkanals (ESP/IPSec) kein "echtes" PFS zum Einsatz!

https://wiki.strongswan.org/projects/st ... ekey#IKEv2

Erst beim Rekeying des Datenkanals (ESP/IPSec) kommt PFS erstmalig für den Datenkanal (ESP/IPSec) zum Einsatz.

=> Altes Schlüsselmaterial wird komplett verworfen.
=> Neues Schlüsselmaterial (Sitzungsschlüssel) wird komplett neu ausgehandelt.

Und erst dann kommt der Parameter "-PfsGroup" erstmalig zum Einsatz!

PFS => Perfect Forward Secrecy
https://de.wikipedia.org/wiki/Perfect_Forward_Secrecy

Anschauungsunterricht zu Sitzungsschlüssel+Perfect Forward Secrecy bietet:
https://ksr-ugc.imgix.net/assets/002/34 ... 2e0e0a854f
Nach oben
Antworten

Zurück zu „Fragen zum Thema VPN“