2xLancom1711 VPN problem (no rule for IDs/no proposal)

Forum for current devices of the LANCOM router/gateway series

Moderator: Lancom-Systems moderators

ianeo
Posts: 44
Joined: 07 Feb 2006, 16:58

Post by ianeo »

Hello,

I have a VPN link at a customer's site that was set up with the wizard and is giving me problems; maybe someone here can help me, I'm grateful for any tip!

The VPN connection is established, but I then get the following error messages in LANmonitor:

Lancom A: Keine Regel für ID's gefunden - unbekannte Verbindung oder fehlerhafte ID (Responder, IPSec) [0x3201]
Lancom B: Kein übereinstimmendes Proposal gefunden (Initiator, IPSec) [0x3102]

The connection does seem to be up, though.

From a server on the Lancom A side (server address 231.84.28.227) I can ping/tracert the address 195.38.29.42 over the VPN without problems (most of the time).
A ping to 195.38.29.54 (a server on the Lancom B side) sometimes gets through, but sometimes the trace already stalls behind 231.84.28.230 and goes no further (even though the ping to 195.38.29.42 goes through normally at the same time)...

Internet access for both Lancoms is set up via "plain IP":

Configuration Lancom A (VPNRouter1) (LC1711, FW 7.52)
=====================================================
IP parameters Lancom A: IP address 231.84.28.230, netmask 255.255.255.248, default gateway 231.84.28.225

TCP/IP configuration:
Intranet: 192.168.100.230, subnet 255.255.255.0
DMZ (external address for VPN): 231.84.28.230, subnet 255.255.255.248

Routing table:
195.38.29.42 / 255.255.255.240 / VPNRouter2 / masking off
195.38.29.59 / 255.255.255.240 / VPNRouter2 / masking off
255.255.255.255 / 0.0.0.0 / Internet / masking on (intranet only)

Configuration Lancom B (VPNRouter2) (LC1711, FW 7.52)
=====================================================
IP parameters Lancom B: IP address 195.38.29.42, netmask 255.255.255.240, default gateway 195.38.29.33

TCP/IP configuration:
Intranet: 195.38.29.59, subnet 255.255.255.240
DMZ (external address for VPN): 195.38.29.42, subnet 255.255.255.240

Routing table:
231.84.28.230 / 255.255.255.248 / VPN-Router1 / masking off
192.168.100.230 / 255.255.255.0 / VPNRouter1 / masking off
139.158.60.0 / 255.255.252.0 / 195.38.29.49 / masking off (this is one of the customer's networks behind his firewall at 195.38.29.49)
255.255.255.255 / 0.0.0.0 / Internet / masking off


I ran a VPN trace on both Lancoms, but I can't quite work out from it where the problem is, so here is an excerpt from each router:


Lancom A:
=========================================================
=========================================================


#
| LANCOM 1711 VPN
| Ver. 7.52.0058 / 25.04.2008
| SN. xxxx
| Copyright (c) LANCOM Systems

VPNRouter1, Connection No.: 002 (WAN)

Password:

root@VPNRouter1:/
> trace # vpn-status
VPN-Status ON

root@VPNRouter1:/
>
[VPN-Status] 2008/06/12 23:26:08,710
VPN: connecting to VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:08,730
VPN: start dynamic VPN negotiation for VPNRouter2 (195.38.29.42) via ICMP/UDP

[VPN-Status] 2008/06/12 23:26:08,730
VPN: create dynamic VPN V2 authentication packet for VPNRouter2 (195.38.29.42)
DNS: 192.168.100.230, 0.0.0.0
NBNS: 192.168.100.230, 0.0.0.0
polling address: 192.168.100.230

[VPN-Status] 2008/06/12 23:26:08,730
VPN: installing ruleset for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:08,740
VPN: ruleset installed for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:08,740
VPN: start IKE negotiation for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:08,770
VPN: rulesets installed

[VPN-Status] 2008/06/12 23:26:08,780
VPN: received dynamic VPN V2 authentication packet from VPNRouter2 (195.38.29.42
)
DNS: 195.38.29.59, 0.0.0.0
NBNS: 195.38.29.59, 0.0.0.0
polling address: 195.38.29.59

[VPN-Status] 2008/06/12 23:26:08,780
IKE info: Phase-1 negotiation started for peer VPNRouter2 rule isakmp-peer-FELLE
RVPN2 using MAIN mode


[VPN-Status] 2008/06/12 23:26:08,800
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> is Enigm
atec IPSEC version 1.5.1
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> supports
NAT-T in mode draft
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> supports
NAT-T in mode draft
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> supports
NAT-T in mode rfc
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> negotiat
ed rfc-3706-dead-peer-detection


[VPN-Status] 2008/06/12 23:26:08,810
IKE info: Phase-1 remote proposal 1 for peer VPNRouter2 matched with local propo
sal 1


[VPN-Status] 2008/06/12 23:26:08,810
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> supports
NAT-T in mode draft
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> supports
NAT-T in mode draft
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> supports
NAT-T in mode rfc
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> is Enigm
atec IPSEC version 1.5.1
IKE info: The remote server 195.38.29.42:500 peer VPNRouter2 id <no_id> negotiat
ed rfc-3706-dead-peer-detection


[VPN-Status] 2008/06/12 23:26:08,810
IKE info: Phase-1 remote proposal 1 for peer VPNRouter2 matched with local propo
sal 1


[VPN-Status] 2008/06/12 23:26:09,180
IKE info: Phase-1 [responder] for peer VPNRouter2 between initiator id 195.38.2
9.42, responder id 231.84.28.230 done
IKE info: SA ISAKMP for peer VPNRouter2 encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)


[VPN-Status] 2008/06/12 23:26:09,190
IKE info: Phase-1 [inititiator] for peer VPNRouter2 between initiator id 212.88
.128.230, responder id 195.38.29.42 done
IKE info: SA ISAKMP for peer VPNRouter2 encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)


[VPN-Status] 2008/06/12 23:26:09,230
IKE info: Phase-2 remote proposal 1 for peer VPNRouter2 matched with local propo
sal 1


[VPN-Status] 2008/06/12 23:26:09,400
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer VPNRouter2


[VPN-Status] 2008/06/12 23:26:09,400
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:09,400
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer VPNRouter2


[VPN-Status] 2008/06/12 23:26:09,400
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:09,410
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer VPNRouter2


[VPN-Status] 2008/06/12 23:26:09,410
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:09,570
IKE info: Phase-2 [responder] done with 2 SAS for peer VPNRouter2 rule ipsec-4-F
ELLERVPN2-pr0-l0-r0
IKE info: rule:' ipsec 192.168.100.0/255.255.255.0 <-> 195.38.29.32/255.255.255.
240 '
IKE info: SA ESP [0x7b080f5d] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x0bc21905] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 231.84.28.230 dst: 195.38.29.42


[VPN-Status] 2008/06/12 23:26:09,740
IKE info: Phase-2 [responder] done with 2 SAS for peer VPNRouter2 rule ipsec-2-F
ELLERVPN2-pr0-l0-r0
IKE info: rule:' ipsec 192.168.100.0/255.255.255.0 <-> 195.38.29.48/255.255.255.
240 '
IKE info: SA ESP [0x31c21d96] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x1c79674e] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 231.84.28.230 dst: 195.38.29.42


[VPN-Status] 2008/06/12 23:26:09,750
IKE info: Phase-2 [responder] done with 2 SAS for peer VPNRouter2 rule ipsec-3-F
ELLERVPN2-pr0-l0-r0
IKE info: rule:' ipsec 231.84.28.224/255.255.255.248 <-> 195.38.29.32/255.255.2
55.240 '
IKE info: SA ESP [0x202e4b00] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4f7b9a14] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/180000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 231.84.28.230 dst: 195.38.29.42


[VPN-Status] 2008/06/12 23:26:10,750
VPN: VPNRouter2 (195.38.29.42) connected, set poll timer to 30 sec

[VPN-Status] 2008/06/12 23:26:15,750
VPN: poll timeout for VPNRouter2 (195.38.29.42)
send poll frame to 195.38.29.59

[VPN-Status] 2008/06/12 23:26:15,770
VPN: Poll reply from VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:16,830
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer VPNRouter2


[VPN-Status] 2008/06/12 23:26:16,850
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:16,860
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer VPNRouter2


[VPN-Status] 2008/06/12 23:26:16,860
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for VPNRouter2 (195.38.29.42)

[VPN-Status] 2008/06/12 23:26:16,860
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer VPNRouter2


[VPN-Status] 2008/06/12 23:26:16,860
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for VPNRouter2 (195.38.29.42)
trace # vpn-status
VPN-Status OFF
=========================================================
=========================================================


Lancom B:
=========================================================
=========================================================


#
| LANCOM 1711 VPN
| Ver. 7.52.0058 / 25.04.2008
| SN. xxxxx
| Copyright (c) LANCOM Systems

VPNRouter2, Connection No.: 002 (WAN)

Password:

root@VPNRouter2:/
> trace # vpn-status
VPN-Status ON

root@VPNRouter2:/
>
[VPN-Status] 2008/06/12 23:26:08,730
IKE info: Phase-1 [responder] for peer VPNRouter1 between initiator id 231.84.
28.230, responder id 195.38.29.42 done
IKE info: SA ISAKMP for peer VPNRouter1 encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)


[VPN-Status] 2008/06/12 23:26:08,740
IKE info: Phase-1 [inititiator] for peer VPNRouter1 between initiator id 195.65
.29.42, responder id 231.84.28.230 done
IKE info: SA ISAKMP for peer VPNRouter1 encryption aes-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)


[VPN-Status] 2008/06/12 23:26:08,800
IKE info: Phase-2 remote proposal 1 for peer VPNRouter1 matched with local propo
sal 1


[VPN-Status] 2008/06/12 23:26:08,810
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 0
.0.0.0/0.0.0.0 <-> 195.38.29.32/255.255.255.240
IKE log: 232608 Default message_negotiate_sa: no compatible proposal found
IKE log: 232608 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:08,810
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:08,810
IKE info: Phase-2 remote proposal 1 for peer VPNRouter1 matched with local propo
sal 1


[VPN-Status] 2008/06/12 23:26:08,820
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 0
.0.0.0/0.0.0.0 <-> 195.38.29.48/255.255.255.240
IKE log: 232608 Default message_negotiate_sa: no compatible proposal found
IKE log: 232608 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:08,820
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:08,820
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 1
92.168.60.0/255.255.255.0 <-> 195.38.29.48/255.255.255.240
IKE log: 232608 Default message_negotiate_sa: no compatible proposal found
IKE log: 232608 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:08,820
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:09,310
IKE info: Phase-2 [inititiator] done with 2 SAS for peer VPNRouter1 rule ipsec-2
-VPNRouter1-pr0-l0-r0
IKE info: rule:' ipsec 195.38.29.32/255.255.255.240 <-> 231.84.28.224/255.255.2
55.248 '
IKE info: SA ESP [0x4f7b9a14] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x202e4b00] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 195.38.29.42 dst: 231.84.28.230


[VPN-Status] 2008/06/12 23:26:09,320
IKE info: Phase-2 [inititiator] done with 2 SAS for peer VPNRouter1 rule ipsec-0
-VPNRouter1-pr0-l0-r0
IKE info: rule:' ipsec 195.38.29.32/255.255.255.240 <-> 192.168.100.0/255.255.25
5.0 '
IKE info: SA ESP [0x0bc21905] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x7b080f5d] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 195.38.29.42 dst: 231.84.28.230


[VPN-Status] 2008/06/12 23:26:09,320
IKE info: Phase-2 [inititiator] done with 2 SAS for peer VPNRouter1 rule ipsec-1
-VPNRouter1-pr0-l0-r0
IKE info: rule:' ipsec 195.38.29.48/255.255.255.240 <-> 192.168.100.0/255.255.25
5.0 '
IKE info: SA ESP [0x1c79674e] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x31c21d96] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 195.38.29.42 dst: 231.84.28.230


[VPN-Status] 2008/06/12 23:26:10,330
VPN: VPNRouter1 (231.84.28.230) connected, set poll timer to 30 sec

[VPN-Status] 2008/06/12 23:26:15,330
VPN: poll timeout for VPNRouter1 (231.84.28.230)
send poll frame to 192.168.100.230

[VPN-Status] 2008/06/12 23:26:15,350
VPN: Poll reply from VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:16,330
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 0
.0.0.0/0.0.0.0 <-> 195.38.29.32/255.255.255.240
IKE log: 232616 Default message_negotiate_sa: no compatible proposal found
IKE log: 232616 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:16,360
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:16,360
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 0
.0.0.0/0.0.0.0 <-> 195.38.29.48/255.255.255.240
IKE log: 232616 Default message_negotiate_sa: no compatible proposal found
IKE log: 232616 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:16,370
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:16,370
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 1
92.168.60.0/255.255.255.0 <-> 195.38.29.48/255.255.255.240
IKE log: 232616 Default message_negotiate_sa: no compatible proposal found
IKE log: 232616 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:16,370
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)
trace # vpn-status
VPN-Status OFF
=======================================================
=======================================================

I compared the configurations (proposals etc.) by hand, and everything looks identical.
Does anyone have an idea?

Many thanks in advance for any help,

Regards,
Dirk
sexkasper
Posts: 2
Joined: 29 Jun 2008, 12:56

Post by sexkasper »

Hi,

same problem here. It appeared after I routed an additional network over the VPN on both sides. If you then disconnect the VPN connection, e.g. via the LANmonitor tool, the error message disappears - until the next forced disconnect by the provider...
Firmware 7.30.0015

Kind regards
backslash
Moderator
Posts: 7132
Joined: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi ianeo,

the trace on Router2 already tells you what is wrong:
[VPN-Status] 2008/06/12 23:26:08,810
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 0
.0.0.0/0.0.0.0 <-> 195.38.29.32/255.255.255.240
IKE log: 232608 Default message_negotiate_sa: no compatible proposal found
IKE log: 232608 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:08,810
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:08,810
IKE info: Phase-2 remote proposal 1 for peer VPNRouter1 matched with local propo
sal 1


[VPN-Status] 2008/06/12 23:26:08,820
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 0
.0.0.0/0.0.0.0 <-> 195.38.29.48/255.255.255.240
IKE log: 232608 Default message_negotiate_sa: no compatible proposal found
IKE log: 232608 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN


[VPN-Status] 2008/06/12 23:26:08,820
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VPNRouter1 (231.84.28.230)

[VPN-Status] 2008/06/12 23:26:08,820
IKE info: Phase-2 failed for peer VPNRouter1: no rule matches the phase-2 ids 1
92.168.60.0/255.255.255.0 <-> 195.38.29.48/255.255.255.240
IKE log: 232608 Default message_negotiate_sa: no compatible proposal found
IKE log: 232608 Default dropped message from 231.84.28.230 port 500 due to noti
fication type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer VPNRouter1 231.84.28.230 port 500 due to no
tification type NO_PROPOSAL_CHOSEN

Router 1 requests network relationships between the following networks:

0.0.0.0/0.0.0.0 <-> 195.38.29.32/255.255.255.240
0.0.0.0/0.0.0.0 <-> 195.38.29.48/255.255.255.240
192.168.60.0/255.255.255.0 <-> 195.38.29.48/255.255.255.240


i.e. Router1 demands that Router2 point its default route at it, which means that in Router1 you have activated a firewall rule as a VPN rule that looks roughly like this:

[x] This rule is used to generate VPN rules

Action:      transmit
Source:      All stations
Destination: Remote site: VPNRouter2
Services:    all services

In addition, you must have set up a corresponding rule for the 192.168.60.0/24 network.


Correct your network relationships and firewall rules and the error will disappear.


@sexkasper

the same applies to you, of course: make sure that ARF networks, routing table and firewall rules produce the correct network relationships...

Regards,
Backslash
sexkasper
Posts: 2
Joined: 29 Jun 2008, 12:56

Post by sexkasper »

Hi backslash,

thanks for the info. It really was the network relationships. I had overlooked a network on one of the routers.


Kind regards
EricDraven666
Posts: 16
Joined: 14 Oct 2010, 23:44

Post by EricDraven666 »

I have to dig this thread up again.

I have a very similar little problem.
I've connected five networks in total.

Network 1
192.168.0.0
255.255.255.0

Network 2
192.168.1.0
255.255.255.0

Network 3
192.168.2.0
255.255.255.0

Network 4
192.168.3.0
255.255.255.0

Network 5
192.168.4.0
255.255.255.0

The network relationships on router 4 look like this:

#
| LANCOM 1811 Wireless DSL
| Ver. 8.00.0162Rel / 16.06.2010
| SN.  073351800035
| Copyright (c) LANCOM Systems

Dresden, Connection No.: 002 (WAN)

Password:

root@Dresden:/
> show vpn

VPN SPD and IKE configuration:

  # of connections = 11

  Connection #1                 0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0
any

    Name:                       X32-DRESDEN
    Unique Id:                  ipsec-0-X32-DRESDEN-pr0-l0-r0
    Flags:                      aggressive-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 0.0.0.0)
    Remote Network:             IPV4_ADDR(any:0, 0.0.0.0/255.255.255.255)

  Connection #2                 0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0
any

    Name:                       TX1-DD
    Unique Id:                  ipsec-0-TX1-DD-pr0-l0-r0
    Flags:                      aggressive-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 0.0.0.0)
    Remote Network:             IPV4_ADDR(any:0, 0.0.0.0/255.255.255.255)

  Connection #3                 0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0
any

    Name:                       T61P-DD
    Unique Id:                  ipsec-0-T61P-DD-pr0-l0-r0
    Flags:                      aggressive-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 0.0.0.0)
    Remote Network:             IPV4_ADDR(any:0, 0.0.0.0/255.255.255.255)

  Connection #4                 192.168.3.0/255.255.255.0:0 <-> 192.168.1.0/255.
255.255.0:0 any

    Name:                       ZUHAUS_192_1
    Unique Id:                  ipsec-1-ZUHAUS_192_1-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 217.xxx.242.234)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.1.0/255.255.255.
0)

  Connection #5                 192.168.0.0/255.255.0.0:0 <-> 192.168.1.0/255.25
5.255.0:0 any

    Name:                       ZUHAUS_192_1
    Unique Id:                  ipsec-0-ZUHAUS_192_1-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 217.xxx.242.234)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.1.0/255.255.255.
0)

  Connection #6                 192.168.3.0/255.255.255.0:0 <-> 192.168.4.0/255.
255.255.0:0 any

    Name:                       WEINBERGE_21
    Unique Id:                  ipsec-1-WEINBERGE_21-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 217.xxx.214.234)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.
0)

  Connection #7                 192.168.0.0/255.255.0.0:0 <-> 192.168.4.0/255.25
5.255.0:0 any

    Name:                       WEINBERGE_21
    Unique Id:                  ipsec-0-WEINBERGE_21-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 217.xxx.214.234)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.
0)

  Connection #8                 192.168.3.0/255.255.255.0:0 <-> 192.168.2.0/255.
255.255.0:0 any

    Name:                       KREISBAHNPLA
    Unique Id:                  ipsec-1-KREISBAHNPLA-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 80.xxx.153.68)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.2.0/255.255.255.
0)

  Connection #9                 192.168.0.0/255.255.0.0:0 <-> 192.168.2.0/255.25
5.255.0:0 any

    Name:                       KREISBAHNPLA
    Unique Id:                  ipsec-0-KREISBAHNPLA-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 80.xxx.153.68)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.2.0/255.255.255.
0)

  Connection #10                 192.168.3.0/255.255.255.0:0 <-> 192.168.0.0/255
.255.255.0:0 any

    Name:                       HYDRO-AIR
    Unique Id:                  ipsec-1-HYDRO-AIR-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 80.xxx.197.157)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.255.
0)

  Connection #11                 192.168.0.0/255.255.0.0:0 <-> 192.168.0.0/255.2
55.0.0:0 any

    Name:                       HYDRO-AIR
    Unique Id:                  ipsec-0-HYDRO-AIR-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 80.xxx.197.157)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)


root@Dresden:/
> 
and the trace gives me the following message:

[VPN-Status] 2010/10/14 11:24:11,610
IKE info: Phase-2 failed for peer KREISBAHNPLA: no rule matches the phase-2 ids
 192.168.0.0/255.255.0.0 <->  192.168.1.0/255.255.255.0
IKE log: 112411.000000 Default message_negotiate_sa: no compatible proposal foun
d
IKE log: 112411.000000 Default dropped message from 80.xxx.153.68 port 500 due t
o notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer KREISBAHNPLA 80.xxx.153.68 port 500 due to n
otification type NO_PROPOSAL_CHOSEN
So it seems to me that something is still missing to map 192.168.0.0 properly onto 192.168.1.0.

Unfortunately I'm not deep enough into this yet to see what is missing...

Help...

Kind regards, Eric
backslash
Moderator
Posts: 7132
Joined: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi EricDraven666,

have a look at the rules generated for KREISBAHNPLA:

  Connection #8                 192.168.3.0/255.255.255.0:0 <-> 192.168.2.0/255.
255.255.0:0 any

    Name:                       KREISBAHNPLA
    Unique Id:                  ipsec-1-KREISBAHNPLA-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 80.xxx.153.68)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.2.0/255.255.255.
0)

  Connection #9                 192.168.0.0/255.255.0.0:0 <-> 192.168.2.0/255.25
5.255.0:0 any

    Name:                       KREISBAHNPLA
    Unique Id:                  ipsec-0-KREISBAHNPLA-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 86.xxx.22.48)
    Remote Gateway:             IPV4_ADDR(any:0, 80.xxx.153.68)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.2.0/255.255.255.
0)
and you will see that there is no rule for the 192.168.1.0 network... Either you have set up a wrong rule in router KREISBAHNPLA that requests the 192.168.1.0 network, or you must put the route to the 192.168.1.0 network on the remote site KREISBAHNPLA...

Regards,
Backslash
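To check a rejected pair against the responder's own SPD the way backslash does here by eye, the following Python script is a second added example (not part of this thread and not a LANCOM tool). It parses `show vpn` output, including the lines the terminal wrapped, into one entry per connection, and reports whether any rule for the named peer matches the selector pair that peer proposed; when none does, it says which side of the pair no rule covers. Two assumptions: a rule matches only when both networks are identical (the strict reading, which agrees with the traces in this thread; the router's actual selection logic is not documented here), and, as in the VPNRouter2 trace, the first id in a "no rule matches the phase-2 ids" line is the peer's network and the second this router's. The sample is constructed from the Dresden `show vpn` excerpt above, reduced to the connections that matter.

```python
import re
from ipaddress import IPv4Network

KEY = re.compile(r"^\s+(?P<key>Name|Local  Network|Remote Network):\s+(?P<val>.*)$")
NET = re.compile(r"(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def unwrap_show_vpn(text):
    """Re-join lines the terminal wrapped. Every record line of 'show vpn' is
    indented, so a non-empty line starting in column 0 (other than the very
    first) continues the previous line (assumed from the Dresden output)."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if lines and not line[0].isspace():
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_spd(text):
    """One dict per 'Connection #n' record: peer name, local and remote network.
    A network field without an address/mask pair stays None."""
    entries, current = [], None
    for line in unwrap_show_vpn(text):
        if line.lstrip().startswith("Connection #"):
            current = {"name": None, "local": None, "remote": None}
            entries.append(current)
            continue
        m = KEY.match(line)
        if current is None or not m:
            continue
        if m["key"] == "Name":
            current["name"] = m["val"].strip()
            continue
        n = NET.search(m["val"])
        if n:
            side = "local" if m["key"].startswith("Local") else "remote"
            current[side] = IPv4Network((n.group(1), n.group(2)), strict=False)
    return entries


def check_phase2_request(spd, peer, peer_net, local_net):
    """Does the responder's SPD hold a rule for the pair a peer proposed?
    peer_net is the initiator's (first) id, local_net the responder's (second).
    Assumption: a rule matches only if both networks are identical."""
    peer_net, local_net = IPv4Network(peer_net), IPv4Network(local_net)
    rules = [e for e in spd if e["name"] == peer]
    if not rules:
        return {"status": "unknown-peer", "missing": []}
    for e in rules:
        if e["remote"] == peer_net and e["local"] == local_net:
            return {"status": "match", "missing": []}
    missing = []  # which side of the proposed pair no rule for this peer covers
    if all(e["remote"] != peer_net for e in rules):
        missing.append(f"remote {peer_net}")
    if all(e["local"] != local_net for e in rules):
        missing.append(f"local {local_net}")
    return {"status": "no-rule", "missing": missing,
            "rules": [f"{e['local']} <-> {e['remote']}" for e in rules]}


# Constructed sample: connections #4, #8 and #9 from the Dresden 'show vpn'
# output in this thread, terminal wrapping included.
SAMPLE_SHOW_VPN = """\
VPN SPD and IKE configuration:

  # of connections = 3

  Connection #4                 192.168.3.0/255.255.255.0:0 <-> 192.168.1.0/255.
255.255.0:0 any

    Name:                       ZUHAUS_192_1
    Unique Id:                  ipsec-1-ZUHAUS_192_1-pr0-l0-r0
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.1.0/255.255.255.
0)

  Connection #8                 192.168.3.0/255.255.255.0:0 <-> 192.168.2.0/255.
255.255.0:0 any

    Name:                       KREISBAHNPLA
    Unique Id:                  ipsec-1-KREISBAHNPLA-pr0-l0-r0
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.3.0/255.255.255.
0)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.2.0/255.255.255.
0)

  Connection #9                 192.168.0.0/255.255.0.0:0 <-> 192.168.2.0/255.25
5.255.0:0 any

    Name:                       KREISBAHNPLA
    Unique Id:                  ipsec-0-KREISBAHNPLA-pr0-l0-r0
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.2.0/255.255.255.
0)
"""

if __name__ == "__main__":
    # the pair Dresden's trace rejected for KREISBAHNPLA
    print(check_phase2_request(parse_spd(SAMPLE_SHOW_VPN), "KREISBAHNPLA",
                               "192.168.0.0/16", "192.168.1.0/24"))
```

For the pair from Eric's trace the result is "no-rule" with both "local 192.168.1.0/24" and "remote 192.168.0.0/16" listed as uncovered, which is exactly the gap backslash points at: Dresden has rules with KREISBAHNPLA only for 192.168.2.0/24 on the remote side, so a route for 192.168.1.0/24 towards that peer, or a corrected rule on the peer, is what is missing.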