This discussion has been locked. You can no longer post new replies to this discussion.

Remote IPsec connected, no traffic through the tunnel

Hi folks,

It is really embarrassing, but I cannot get past this problem.
I am aware that the same problem has already come up x times here in the forum, but unfortunately I cannot find the solution to it in the existing posts.

In my opinion the configuration for the IPsec VPN is correct, and the connection is also established correctly. But I do not get any connection through the VPN tunnel, neither into the internal network nor to the internet.

I test the connection against an internal IP address via web access (https), so I can rule out the ICMP problem. DNS resolution is also not needed for now, since I connect directly to the IP address.

I have set up masquerading (SNAT) for my IPsec client IP range on both the external and the internal interface.
I have likewise allowed the firewall rule for the IPsec client IP range to any and (although redundant) once more explicitly for the internal network, and also enabled logging on it.

Now when the VPN connection is up and I try to access the internal web service, I see no firewall logs appearing for it either. As if the client does not even push the traffic into the tunnel in the first place.
On the client, however, I can see that additional routes are installed when the connection is established.

As clients I have tested with my Android phone and also with a Mac. Both show the same behaviour.

I have already torn down the complete configuration and recreated it, tested weaker ciphers, checked the routing and any other VPN configurations...

The version of my UTM 9:

Firmware version: 9.701-6
Pattern version: 176976

Please help :/

Below is the log of the IPsec connection, although I do not suspect the problem here:


Live Log: IPsec VPN
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: | ocsp cache unlocked by 'free_ocsp_cache'
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface lo/lo ::1
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface lo/lo 127.0.0.1
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface lo/lo 127.0.0.1
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface eth0/eth0 10.xx.yy.254
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface eth0/eth0 10.xx.yy.254
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface eth1/eth1 178.xx.yy.249
2020:02:16-12:30:46 UTM-Firewall pluto[19013]: shutting down interface eth1/eth1 178.xx.yy.249
2020:02:16-12:30:46 UTM-Firewall ipsec_starter[17544]: pluto stopped after 280 ms
2020:02:16-12:30:46 UTM-Firewall ipsec_starter[17544]: ipsec starter stopped
2020:02:16-12:31:40 UTM-Firewall ipsec_starter[20639]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2020:02:16-12:31:40 UTM-Firewall ipsec_starter[20645]: pluto (20652) started after 20 ms
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: including NAT-Traversal patch (Version 0.6c)
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: Using Linux 2.6 IPsec interface code
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loading ca certificates from '/etc/ipsec.d/cacerts'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | authcert list locked by 'add_authcert'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | authcert inserted
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | authcert list unlocked by 'add_authcert'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loading aa certificates from '/etc/ipsec.d/aacerts'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: Changing to directory '/etc/ipsec.d/crls'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loading attribute certificates from '/etc/ipsec.d/acerts'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | inserting event EVENT_LOG_DAILY, timeout in 41300 seconds
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | next event EVENT_REINIT_SECRET in 3600 seconds
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | *received whack message
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | next event EVENT_REINIT_SECRET in 3600 seconds
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | *received whack message
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | found lo with address 127.0.0.1
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | found eth0 with address 10.xx.yy.254
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | found eth1 with address 178.xx.yy.249
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface eth1/eth1 178.xx.yy.249:500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface eth1/eth1 178.xx.yy.249:4500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface eth0/eth0 10.xx.yy.254:500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface eth0/eth0 10.xx.yy.254:4500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface lo/lo 127.0.0.1:500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface lo/lo 127.0.0.1:4500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: adding interface lo/lo ::1:500
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | certs and keys locked by 'free_preshared_secrets'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | certs and keys unlocked by 'free_preshard_secrets'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loading secrets from "/etc/ipsec.secrets"
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: loaded PSK secret for 178.xx.yy.249 %any
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | certs and keys locked by 'process_secret'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | certs and keys unlocked by 'process_secrets'
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: listening for IKE messages
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | next event EVENT_REINIT_SECRET in 3600 seconds
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | *received whack message
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | from whack: got --esp=aes256-sha2_512
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | esp proposal: AES_CBC_256/HMAC_SHA2_512, _256
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | from whack: got --ike=aes256-sha2_512-modp2048
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | ike proposal: AES_CBC_256/HMAC_SHA2_512/MODP_2048,
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: added connection description "D_VPN-HOME"
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | 0.0.0.0/0===178.xx.yy.249[178.xx.yy.249]...%any[%any]===%VPN POOL MOBILE
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: ENCRYPT+TUNNEL+XAUTHPSK+XAUTHSERVER
2020:02:16-12:31:40 UTM-Firewall pluto[20652]: | next event EVENT_REINIT_SECRET in 3600 seconds
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 444 bytes from 213.55.225.123:51152 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: packet from 213.55.225.123:51152: received Vendor ID payload [XAUTH]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: packet from 213.55.225.123:51152: received Vendor ID payload [Dead Peer Detection]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: packet from 213.55.225.123:51152: ignoring Vendor ID payload [Cisco-Unity]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: packet from 213.55.225.123:51152: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: packet from 213.55.225.123:51152: received Vendor ID payload [RFC 3947]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: packet from 213.55.225.123:51152: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | preparse_isakmp_policy: peer requests XAUTHPSK+XAUTHSERVER authentication
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | instantiated "D_VPN-HOME" for 213.55.225.123
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | creating state object #1 at 0x9a0ec58
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[1] 213.55.225.123:51152 #1: responding to Main Mode from unknown peer 213.55.225.123:51152
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 268 bytes from 213.55.225.123:51152 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_MAIN_R1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[1] 213.55.225.123:51152 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 60 seconds
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 92 bytes from 213.55.225.123:51145 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_MAIN_R2
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | NAT-T: new mapping 213.55.225.123:51152/51145)
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[1] 213.55.225.123:51145 #1: Peer ID is ID_IPV4_ADDR: '100.99.59.186'
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer CA: %none
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | D_VPN-HOME: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | D_VPN-HOME: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | offered CA: %none
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | switched from "D_VPN-HOME" to "D_VPN-HOME"
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | instantiated "D_VPN-HOME" for 213.55.225.123
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: deleting connection "D_VPN-HOME"[1] instance with peer 213.55.225.123 {isakmp=#0/ipsec=#0}
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | certs and keys locked by 'delete_connection'
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | certs and keys unlocked by 'delete_connection'
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: Dead Peer Detection (RFC 3706) enabled
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_DPD, timeout in 40 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_SA_REPLACE, timeout in 7530 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: sent MR3, ISAKMP SA established
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | starting XAUTH server
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: sending XAUTH request
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | building XAUTH_USER_NAME attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | building XAUTH_USER_PASSWORD attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 108 bytes from 213.55.225.123:51145 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_XAUTH_R1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: parsing XAUTH reply
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing XAUTH_USER_NAME attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing XAUTH_USER_PASSWORD attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer xauth user name is 'USERNAME'
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: extended authentication was successful
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: sending XAUTH status
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | building XAUTH_STATUS attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 92 bytes from 213.55.225.123:51145 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_XAUTH_R2
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: parsing XAUTH ack
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing XAUTH_STATUS attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_SA_REPLACE, timeout in 7530 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: received XAUTH ack, established
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_DPD in 40 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 92 bytes from 213.55.225.123:51145 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object not found
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_XAUTH_R3
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: parsing ModeCfg request
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing INTERNAL_IP4_ADDRESS attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing INTERNAL_IP4_DNS attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing UNITY_SPLIT_INCLUDE attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing UNITY_LOCAL_LAN attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: peer requested virtual IP %any
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: acquired existing lease for address 172.xx.yy.1 in pool 'VPN POOL MOBILE'
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: assigning virtual IP 172.xx.yy.1 to peer
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: sending ModeCfg reply
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | building INTERNAL_IP4_ADDRESS attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | building INTERNAL_IP4_DNS attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | building UNITY_DEF_DOMAIN attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_SA_REPLACE, timeout in 7530 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #1: sent ModeCfg reply, established
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_DPD in 40 seconds for #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 428 bytes from 213.55.225.123:51145 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object not found
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_MODE_CFG_R1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer client is 172.xx.yy.1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer client protocol/port is 0/0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | our client is subnet 0.0.0.0/0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | our client protocol/port is 0/0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | find_client_connection starting with D_VPN-HOME
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | looking for 0.0.0.0/0:0/0 -> 172.xx.yy.1/32:0/0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | concrete checking against sr#0 0.0.0.0/0 -> 172.xx.yy.1/32
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | fc_try trying D_VPN-HOME:0.0.0.0/0:0/0 -> 172.xx.yy.1/32:0/0 vs D_VPN-HOME:0.0.0.0/0:0/0 -> 172.xx.yy.1/32:0/0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | fc_try concluding with D_VPN-HOME [168]
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | fc_try D_VPN-HOME gives D_VPN-HOME
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | concluding with d = D_VPN-HOME
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | duplicating state object #1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | creating state object #2 at 0x9a2ac08
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #2: responding to Quick Mode
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | next event EVENT_RETRANSMIT in 10 seconds for #2
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: |
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | *received 76 bytes from 213.55.225.123:51145 on eth1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | state object #2 found, in STATE_QUICK_R1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | install_ipsec_sas() for #2: inbound and outbound
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | route owner of "D_VPN-HOME"[2] 213.55.225.123:51145 unrouted: NULL; eroute owner: NULL
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | add inbound eroute 172.xx.yy.1/32:0 -> 0.0.0.0/0:0 => tun.10000@178.xx.yy.249:0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | sr for #2: unrouted
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | route owner of "D_VPN-HOME"[2] 213.55.225.123:51145 unrouted: NULL; eroute owner: NULL
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | route_and_eroute with c: D_VPN-HOME (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | eroute_connection add eroute 0.0.0.0/0:0 -> 172.xx.yy.1/32:0 => tun.0@213.55.225.123:0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='D_VPN-HOME' PLUTO_NEXT_HOP='213.55.225.123' PLUTO_INTERFACE='eth1' PLUTO_REQID='16393' PLUTO_ME='178.xx.yy.249' PLUTO_MY_ID='178.xx.yy.249' PLUTO_MY_CLIENT='0.0.0.0/0' PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='213.55.225.123' PLUTO_PEER_ID='100.99.59.186' PLUTO_PEER_CLIENT='172.xx.yy.1/32' PLUTO_PEER_CLIENT_NET='172.xx.yy.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_XAUTH_ID='USERNAME' /usr/libexec/ipsec/updown classic
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="USERNAME" variant="ipsec" srcip="213.55.225.123" virtual_ip="172.xx.yy.1"
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: updown: called /usr/bin/ras_update.plx ipsec connect username USERNAME 172.xx.yy.1 VPN-HOME (0)
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | route_and_eroute: firewall_notified: true
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='D_VPN-HOME' PLUTO_NEXT_HOP='213.55.225.123' PLUTO_INTERFACE='eth1' PLUTO_REQID='16393' PLUTO_ME='178.xx.yy.249' PLUTO_MY_ID='178.xx.yy.249' PLUTO_MY_CLIENT='0.0.0.0/0' PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='213.55.225.123' PLUTO_PEER_ID='100.99.59.186' PLUTO_PEER_CLIENT='172.xx.yy.1/32' PLUTO_PEER_CLIENT_NET='172.xx.yy.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_XAUTH_ID='USERNAME' /usr/libexec/ipsec/updown classic
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='D_VPN-HOME' PLUTO_NEXT_HOP='213.55.225.123' PLUTO_INTERFACE='eth1' PLUTO_REQID='16393' PLUTO_ME='178.xx.yy.249' PLUTO_MY_ID='178.xx.yy.249' PLUTO_MY_CLIENT='0.0.0.0/0' PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='213.55.225.123' PLUTO_PEER_ID='100.99.59.186' PLUTO_PEER_CLIENT='172.xx.yy.1/32' PLUTO_PEER_CLIENT_NET='172.xx.yy.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_XAUTH_ID='USERNAME' /usr/libexec/ipsec/updown classic
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: updown: called /sbin/ip -4 route replace 172.xx.yy.1/32 dev eth1 table main proto ipsec metric 0 (0)
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: updown: called /usr/local/bin/ct -D -s 0.0.0.0/0 -d 172.xx.yy.1/32 (0)
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | route_and_eroute: instance "D_VPN-HOME"[2] 213.55.225.123:51145, setting eroute_owner {spd=0x9a0f918,sr=0x9a0f918} to #2 (was #0) (newest_ipsec_sa=#0)
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | inI2: instance D_VPN-HOME[2], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | ICOOKIE: 50 df d3 e3 d0 e5 50 72
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | RCOOKIE: a9 fe e6 ff 1d 18 fc a6
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | peer: d5 37 e1 7b
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | state hash entry 1
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | state object #1 found, in STATE_MODE_CFG_R1
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | inserting event EVENT_DPD_UPDATE, timeout in 26 seconds for #2
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 213.55.225.123:51145 #2: IPsec SA established {ESP=>0xc0dd65ef <0xef4c4f2b NATOA=0.0.0.0 DPD}
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: | next event EVENT_DPD_UPDATE in 26 seconds for #2
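As an added example that is not part of the original post (and not Sophos or strongSwan code), here is a small Python triage script over the pluto (strongSwan 4.x, IKEv1) log format shown above. It records how far the road-warrior negotiation got (Main Mode, NAT-T, ISAKMP SA, XAUTH, Quick Mode, IPsec SA), which virtual IP and traffic selectors were agreed, and whether a given destination is covered by the gateway-side selector. The sample log lines inside it are constructed for this example with RFC 5737 documentation addresses; the post masks its real addresses as xx.yy. The point it makes for this thread: once "IPsec SA established" appears with "our client is subnet 0.0.0.0/0", the IKE log cannot explain missing traffic, and the next place to look is the data path rather than the negotiation.

```python
"""Triage of strongSwan 4.x pluto (IKEv1) live-log lines from a Sophos UTM.

Added example, not code from the forum post or from Sophos. It parses the
pluto log format shown in the thread and reports how far the negotiation
got, which virtual IP and selectors were agreed, and whether a destination
is covered by the gateway-side selector. Sample lines are constructed
with RFC 5737 documentation addresses (the post masks its real ones).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the milestone lines of the thread's log, re-addressed.
SAMPLE_LOG = """\
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[1] 198.51.100.23:51152 #1: responding to Main Mode from unknown peer 198.51.100.23:51152
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[1] 198.51.100.23:51152 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 198.51.100.23:51145 #1: sent MR3, ISAKMP SA established
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 198.51.100.23:51145 #1: extended authentication was successful
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | processing UNITY_SPLIT_INCLUDE attribute
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 198.51.100.23:51145 #1: assigning virtual IP 172.16.99.1 to peer
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | peer client is 172.16.99.1
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: | our client is subnet 0.0.0.0/0
2020:02:16-12:31:51 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 198.51.100.23:51145 #2: responding to Quick Mode
2020:02:16-12:31:52 UTM-Firewall pluto[20652]: "D_VPN-HOME"[2] 198.51.100.23:51145 #2: IPsec SA established {ESP=>0xc0dd65ef <0xef4c4f2b NATOA=0.0.0.0 DPD}
"""

# Milestones in the order an IKEv1 XAUTH + ModeCfg remote-access setup passes them.
MILESTONES = [
    ("main_mode", re.compile(r"responding to Main Mode")),
    ("nat_t", re.compile(r"NAT-Traversal: Result using RFC 3947: peer is NATed")),
    ("isakmp_sa", re.compile(r"ISAKMP SA established")),
    ("xauth_ok", re.compile(r"extended authentication was successful")),
    ("quick_mode", re.compile(r"responding to Quick Mode")),
    ("ipsec_sa", re.compile(r"IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")),
]
VIRTUAL_IP = re.compile(r"assigning virtual IP (\S+) to peer")
OUR_CLIENT = re.compile(r"\| our client is subnet (\S+)")
PEER_CLIENT = re.compile(r"\| peer client is (\S+)")


@dataclass
class TunnelSummary:
    reached: list = field(default_factory=list)   # milestone names, in order seen
    virtual_ip: Optional[str] = None              # ModeCfg INTERNAL_IP4_ADDRESS handed out
    our_selector: Optional[str] = None            # gateway-side traffic selector (Quick Mode)
    peer_selector: Optional[str] = None           # client-side traffic selector (Quick Mode)
    spi_out: Optional[str] = None                 # outbound ESP SPI
    spi_in: Optional[str] = None                  # inbound ESP SPI
    client_asked_split: bool = False              # client sent UNITY_SPLIT_INCLUDE


def summarize(log_text: str) -> TunnelSummary:
    """Walk the log once and record negotiation milestones and parameters."""
    s = TunnelSummary()
    for line in log_text.splitlines():
        for name, rx in MILESTONES:
            hit = rx.search(line)
            if hit and name not in s.reached:
                s.reached.append(name)
                if name == "ipsec_sa":
                    s.spi_out, s.spi_in = hit.group(1), hit.group(2)
        if m := VIRTUAL_IP.search(line):
            s.virtual_ip = m.group(1)
        if m := OUR_CLIENT.search(line):
            s.our_selector = m.group(1)
        if m := PEER_CLIENT.search(line):
            host = m.group(1)          # pluto prints a bare host for a /32 client
            s.peer_selector = host if "/" in host else host + "/32"
        if "UNITY_SPLIT_INCLUDE" in line:
            s.client_asked_split = True
    return s


def first_missing(s: TunnelSummary) -> Optional[str]:
    """Name of the first milestone the log never reached, or None if all were."""
    for name, _ in MILESTONES:
        if name not in s.reached:
            return name
    return None


def gateway_covers(s: TunnelSummary, dst: str) -> bool:
    """True if dst falls inside the selector the gateway negotiated for its side."""
    if s.our_selector is None:
        return False
    return ipaddress.ip_address(dst) in ipaddress.ip_network(s.our_selector, strict=False)


def verdict(s: TunnelSummary, dst: str) -> str:
    """One-line triage: does the IKE log explain missing traffic to dst?"""
    missing = first_missing(s)
    if missing is not None:
        return f"negotiation incomplete: stalled before '{missing}'"
    if not gateway_covers(s, dst):
        return f"IKE complete but {dst} is outside gateway selector {s.our_selector}"
    return (f"IKE complete, SPIs {s.spi_out}/{s.spi_in}, selector {s.our_selector} covers {dst}: "
            "the IKE log cannot explain the missing traffic; inspect the data path "
            "(ESP/UDP 4500 packet counters, SNAT, firewall log, client split-include handling)")
```

Feed it the real live log (`summarize(open("ipsec.log").read())`) and call `verdict(summary, "<internal web server IP>")`; the milestone list is ordered, so `first_missing` names the exact phase a failing client never reaches, and the `client_asked_split` flag records that the client requested split tunnelling via the Cisco Unity attribute, which is the client-side behaviour the original poster saw as "additional routes installed".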



This thread was automatically locked due to age.
  • Morning,

    Is the tunnel up?
    Are the local and remote networks configured correctly in the IPsec tunnel?

    Are the firewall rules configured accordingly in both directions?

    Regards Phil

  • Hi Phil,

    Yes, exactly, the tunnel basically comes up and also stays up. So it is stable.

    This is a remote access IPsec, so the VPN pool is defined and 'Any' is configured as the remote network.
    I have played around with that as well; if 'Any' is not configured but, for example, only the internal range, then the VPN connection does not even come up.

    Firewall rules are configured as well: VPN pool to internal network with protocol 'Any' and vice versa, as well as VPN pool to Any(/Internet) with protocol 'Any'.

    Regards Jonas
