Ich versuche seit 2 Tagen eine VPN Verbindung zwischen einer ASG220 (neuse Firmware) und einer Fritzbox 7360 (neuse Firmware) einzurichten.
Beide haben eine Dynamische IP und sind per DynDNS erreichbar.
Config der Fritzbox
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "AstaroASG220";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "unt-astaro.homelinux.net";
localid {
fqdn = "unt-tmp-fritz.homelinux.net";
}
remoteid {
fqdn = "unt-astaro.homelinux.net";
}
mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "geheim";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 172.30.0.0;
mask = 255.255.0.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 192.168.0.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-all/comp-all/pfs";
accesslist = "permit ip any 192.168.0.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
Config der UTM als Bild im Anhang
Das Log der Fritzbox enthält folgenden Fehler: VPN-Fehler: AstaroASG220, IKE-Error 0x1c
Im Live-Protokoll der UTM wird sehr viel angezeigt. (Kontrollverlauf und Kernel-Messaging an)
2013:07:24-10:58:08 FW01-1 pluto[22616]: | *received 92 bytes from 91.66.165.26:4500 on ppp0
2013:07:24-10:58:08 FW01-1 pluto[22616]: | ICOOKIE: 1d 5f 48 80 7d 99 f9 2e
2013:07:24-10:58:08 FW01-1 pluto[22616]: | RCOOKIE: c2 fb 5d 0f c9 48 f4 9d
2013:07:24-10:58:08 FW01-1 pluto[22616]: | peer: 5b 42 a5 1a
2013:07:24-10:58:08 FW01-1 pluto[22616]: | state hash entry 26
2013:07:24-10:58:08 FW01-1 pluto[22616]: | state object #80 found, in STATE_MAIN_R2
2013:07:24-10:58:08 FW01-1 pluto[22616]: "S_unt-tmp-fritz.homelinux.net" #80: Peer ID is ID_FQDN: 'unt-tmp-fritz.homelinux.net'
2013:07:24-10:58:08 FW01-1 pluto[22616]: | peer CA: %none
2013:07:24-10:58:08 FW01-1 pluto[22616]: | S_unt-tmp-fritz.homelinux.net: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)
2013:07:24-10:58:08 FW01-1 pluto[22616]: | D_REF_IpsRoaForIngoToInter: no match (id: no, auth: no, trust: no, request: ok, prio: 2048)
2013:07:24-10:58:08 FW01-1 pluto[22616]: | D_REF_IpsRoaForIngoToInter: no match (id: no, auth: no, trust: no, request: ok, prio: 2048)
2013:07:24-10:58:08 FW01-1 pluto[22616]: "S_unt-tmp-fritz.homelinux.net" #80: no suitable connection for peer 'unt-tmp-fritz.homelinux.net'
2013:07:24-10:58:08 FW01-1 pluto[22616]: "S_unt-tmp-fritz.homelinux.net" #80: sending encrypted notification INVALID_ID_INFORMATION to 91.66.165.26:500
2013:07:24-10:58:08 FW01-1 pluto[22616]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION
2013:07:24-10:58:08 FW01-1 pluto[22616]: | next event EVENT_RETRANSMIT in 1 seconds for #64
2013:07:24-10:58:08 FW01-1 pluto[22616]: |
2013:07:24-10:58:08 FW01-1 pluto[22616]: | *received 476 bytes from 91.66.165.26:500 on ppp0
2013:07:24-10:58:08 FW01-1 pluto[22616]: packet from 91.66.165.26:500: received Vendor ID payload [XAUTH]
2013:07:24-10:58:08 FW01-1 pluto[22616]: packet from 91.66.165.26:500: received Vendor ID payload [Dead Peer Detection]
2013:07:24-10:58:08 FW01-1 pluto[22616]: packet from 91.66.165.26:500: received Vendor ID payload [RFC 3947]
2013:07:24-10:58:08 FW01-1 pluto[22616]: packet from 91.66.165.26:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2013:07:24-10:58:08 FW01-1 pluto[22616]: packet from 91.66.165.26:500: ignoring Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
2013:07:24-10:58:08 FW01-1 pluto[22616]: | preparse_isakmp_policy: peer requests PSK authentication
2013:07:24-10:58:08 FW01-1 pluto[22616]: | creating state object #81 at 0x96b1fa8
2013:07:24-10:58:08 FW01-1 pluto[22616]: | ICOOKIE: ad 91 3a fc 3c 82 b1 7c
2013:07:24-10:58:08 FW01-1 pluto[22616]: | RCOOKIE: c3 9b ba ca 0c 66 58 02
2013:07:24-10:58:08 FW01-1 pluto[22616]: | peer: 5b 42 a5 1a
2013:07:24-10:58:08 FW01-1 pluto[22616]: | state hash entry 31
2013:07:24-10:58:08 FW01-1 pluto[22616]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #81
2013:07:24-10:58:08 FW01-1 pluto[22616]: "S_unt-tmp-fritz.homelinux.net" #81: responding to Main Mode
2013:07:24-10:58:08 FW01-1 pluto[22616]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #81
2013:07:24-10:58:08 FW01-1 pluto[22616]: | next event EVENT_RETRANSMIT in 1 seconds for #64
2013:07:24-10:58:09 FW01-1 pluto[22616]: |
2013:07:24-10:58:09 FW01-1 pluto[22616]: | *received 300 bytes from 91.66.165.26:500 on ppp0
2013:07:24-10:58:09 FW01-1 pluto[22616]: | ICOOKIE: ad 91 3a fc 3c 82 b1 7c
2013:07:24-10:58:09 FW01-1 pluto[22616]: | RCOOKIE: c3 9b ba ca 0c 66 58 02
2013:07:24-10:58:09 FW01-1 pluto[22616]: | peer: 5b 42 a5 1a
2013:07:24-10:58:09 FW01-1 pluto[22616]: | state hash entry 31
2013:07:24-10:58:09 FW01-1 pluto[22616]: | state object #81 found, in STATE_MAIN_R1
2013:07:24-10:58:09 FW01-1 pluto[22616]: "S_unt-tmp-fritz.homelinux.net" #81: NAT-Traversal: Result using RFC 3947: peer is NATed
2013:07:24-10:58:09 FW01-1 pluto[22616]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #81
2013:07:24-10:58:09 FW01-1 pluto[22616]: | next event EVENT_RETRANSMIT in 0 seconds for #64
2013:07:24-10:58:09 FW01-1 pluto[22616]: |
2013:07:24-10:58:09 FW01-1 pluto[22616]: | *time to handle event
2013:07:24-10:58:09 FW01-1 pluto[22616]: | event after this is EVENT_RETRANSMIT in 0 seconds
2013:07:24-10:58:09 FW01-1 pluto[22616]: | handling event EVENT_RETRANSMIT for 91.66.165.26 "S_unt-tmp-fritz.homelinux.net" #64
2013:07:24-10:58:09 FW01-1 pluto[22616]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #64
2013:07:24-10:58:09 FW01-1 pluto[22616]: | next event EVENT_RETRANSMIT in 0 seconds for #63
2013:07:24-10:58:09 FW01-1 pluto[22616]: |
Wo liegt der Fehler? Oder was kann ich tun um den Fehler einzugrenzen?
Ich hoffe sehr Ihr könnt mir helfen!!!
This thread was automatically locked due to age.
