This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Linux IPSEC VPN zu Astaro

Hallo Leute.

Ich hoffe ihr könnt mir helfen.
Ich möchte von meiner Linux-FW (Debian 6 mit iptables) von zuhause einen Tunnel zu einer Astaro v8 FW herstellen.

Auf meiner Linux Box habe ich dazu openswan installiert.
eth0 - Intern
eth1 - Extern
Hier einmal meine Config:

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        #plutoload=%search
        #plutostart=%search

# Astaro
conn astaro
        authby="rsasig"
        esp="aes256-md5"
        left="***.***.***.***"               # Externe IP vom Linux
        leftnexthop=%defaultroute       # Route
        leftsubnet="192.168.0.0/24"     # Internal Net
        leftid=@linux.meinhost.com
        leftrsasigkey=meinRSAkey
        right="astaro.meinhost.com"              # Externe IP von Astaro
        rightnexthop=%defaultroute      # Route
        rightsubnet="192.168.88.0/24"   # Internal Net
        rightid=@astaro.meinhost.com
        rightrsasigkey=meinRSAkey
        auto=add

Auf der Astaro hab ich einen Remote-GW und einen Tunnel konfiguriert.
Wenn ich jetzt auf dem Linux Rechner IPSec neu starte bekomme ich dies hier:

/etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.28...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

und

ipsec auto --add astaro
023 address family inconsistency in this connection=2 host=2/nexthop=0
037 attempt to load incomplete connection

Leider hab ich von VPN eher noch wenig Ahnung.
Ich hoffe es kann mir jemand von euch helfen.

Danke.

This thread was automatically locked due to age.

0 Nr8 over 12 years ago

Ich bin schon einen Schritt weiter gekommen.
Wenn ich jetzt den Tunnel starte bekomme auch auf dem Debian Rechner diese Meldungen:

Apr  2 22:55:11 debian pluto[25537]: "astaro" #7: max number of retransmissions (2) reached STATE_MAIN_R2
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [Cisco-Unity]
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [XAUTH]
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Apr  2 22:55:11 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: responding to Main Mode
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: Main mode peer ID is ID_FQDN: '@astaro'
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: no suitable connection for peer '@astaro'
Apr  2 22:55:11 debian pluto[25537]: "astaro" #8: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:500
Apr  2 22:55:21 debian pluto[25537]: "astaro" #8: Main mode peer ID is ID_FQDN: '@astaro'
Apr  2 22:55:21 debian pluto[25537]: "astaro" #8: no suitable connection for peer '@astaro'
Apr  2 22:55:21 debian pluto[25537]: "astaro" #8: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:500
Apr  2 22:55:41 debian pluto[25537]: "astaro" #8: Main mode peer ID is ID_FQDN: '@astaro'
Apr  2 22:55:41 debian pluto[25537]: "astaro" #8: no suitable connection for peer '@astaro'
Apr  2 22:55:41 debian pluto[25537]: "astaro" #8: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:500
Apr  2 22:56:21 debian pluto[25537]: "astaro" #8: max number of retransmissions (2) reached STATE_MAIN_R2
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [Cisco-Unity]
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [XAUTH]
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Apr  2 22:56:21 debian pluto[25537]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Hat hier jemand eine Idee?
Danke.
Cancel
Vote Up 0 Vote Down

Cancel