grille85

setkey.racoon.PSK-FritzBox-WAN-GreengateVPN

I want to be able to reach the company network from home.
At home I use Linux (Ubuntu & Gentoo) at 192.168.1.24 behind a Fritzbox at 192.168.1.1 (dynamic IP).
In the company, the network I want to reach is 10.27.1.0/24 behind a Greengate VPN at 10.27.1.3 (static IP 80.152.xxx.xxx).

With NCP as the Windows client (same machine as the Linux box) the tunnel works without having to change any settings on the Fritzbox.

Hello,

as already stated in the introduction above, I want to get from home into the company network.
IP addresses of the individual networks and end devices: see above.


#/etc/setkey.conf
flush;
spdflush;
spdadd 192.168.1.24/32 10.27.1.0/24 any -P out ipsec esp/tunnel/192.168.1.24-80.152.xxx.xxx/require;
spdadd 10.27.1.0/24 192.168.1.24/32 any -P in ipsec esp/tunnel/80.152.xxx.xxx-192.168.1.24/require;

#/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log debug;
padding {
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
remote 80.152.xxx.xxx {
exchange_mode main;
my_identifier fqdn "gw@test.loc";
peers_identifier fqdn "gpg-hs-test";
#verify_identifier on;
lifetime time 1 hour; # sec,min,hour
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
nat_traversal on;
}
sainfo address 192.168.1.24/32 any address 10.27.1.0/24 any {
pfs_group 2;
lifetime time 28800 sec;
compression_algorithm deflate;
encryption_algorithm aes;
authentication_algorithm hmac_sha1, non_auth;
}


#/etc/racoon/psk.txt
#same password as in the Greengate (ASCII)
80.152.xxx.xxx testpass


$iptables -L
->> all chains are empty

Start:#########
#TERMINAL1
$setkey -f /etc/setkey.conf
$racoon -F -f /etc/racoon/racoon.conf


RESULT TERMINAL1############
Foreground mode.
2008-02-18 23:24:23: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2008-02-18 23:24:23: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
2008-02-18 23:24:24: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2008-02-18 23:24:24: DEBUG: open /var/run/racoon/racoon.sock as racoon management.
2008-02-18 23:24:24: DEBUG: my interface: fe80::213:2ff:fe4d:ce50%eth1 (eth1)
2008-02-18 23:24:24: DEBUG: my interface: ::1 (lo)
2008-02-18 23:24:24: DEBUG: my interface: 192.168.1.24 (eth1)
2008-02-18 23:24:24: DEBUG: my interface: 127.0.0.1 (lo)
2008-02-18 23:24:24: DEBUG: configuring default isakmp port.
2008-02-18 23:24:24: NOTIFY: NAT-T is enabled, autoconfiguring ports
2008-02-18 23:24:24: DEBUG: 8 addrs are configured successfully
2008-02-18 23:24:24: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2008-02-18 23:24:24: INFO: 127.0.0.1[500] used for NAT-T
2008-02-18 23:24:24: INFO: 127.0.0.1[4500] used as isakmp port (fd=6)
2008-02-18 23:24:24: INFO: 127.0.0.1[4500] used for NAT-T
2008-02-18 23:24:24: INFO: 192.168.1.24[500] used as isakmp port (fd=7)
2008-02-18 23:24:24: INFO: 192.168.1.24[500] used for NAT-T
2008-02-18 23:24:24: INFO: 192.168.1.24[4500] used as isakmp port (fd=8)
2008-02-18 23:24:24: INFO: 192.168.1.24[4500] used for NAT-T
2008-02-18 23:24:24: INFO: ::1[500] used as isakmp port (fd=9)
2008-02-18 23:24:24: INFO: ::1[4500] used as isakmp port (fd=10)
2008-02-18 23:24:24: INFO: fe80::213:2ff:fe4d:ce50%eth1[500] used as isakmp port (fd=11)
2008-02-18 23:24:24: INFO: fe80::213:2ff:fe4d:ce50%eth1[4500] used as isakmp port (fd=12)
2008-02-18 23:24:24: DEBUG: get pfkey X_SPDDUMP message
2008-02-18 23:24:24: DEBUG: get pfkey X_SPDDUMP message
2008-02-18 23:24:24: DEBUG: sub:0xbfff0d5c: 192.168.1.24/32 10.27.1.0/24 proto=any dir=out
2008-02-18 23:24:24: DEBUG: db :0x80c0968: 10.27.1.0/24 192.168.1.24/32 proto=any dir=in
2008-02-18 23:24:24: DEBUG: get pfkey X_SPDDUMP message
2008-02-18 23:24:24: DEBUG: sub:0xbfff0d5c: 10.27.1.0/24 192.168.1.24/32 proto=any dir=fwd
2008-02-18 23:24:24: DEBUG: db :0x80c0968: 10.27.1.0/24 192.168.1.24/32 proto=any dir=in
2008-02-18 23:24:24: DEBUG: sub:0xbfff0d5c: 10.27.1.0/24 192.168.1.24/32 proto=any dir=fwd
2008-02-18 23:24:24: DEBUG: db :0x80c0ba8: 192.168.1.24/32 10.27.1.0/24 proto=any dir=out


#TERMINAL2
$ping 10.27.1.3
#Result: no reply, aborted after a long wait

RESULT TERMINAL1############
2008-02-18 23:26:14: DEBUG: get pfkey ACQUIRE message
2008-02-18 23:26:14: DEBUG: suitable outbound SP found: 192.168.1.24/32 10.27.1.0/24 proto=any dir=out.
2008-02-18 23:26:14: DEBUG: sub:0xbfff0d5c: 10.27.1.0/24 192.168.1.24/32 proto=any dir=in
2008-02-18 23:26:14: DEBUG: db :0x80c0968: 10.27.1.0/24 192.168.1.24/32 proto=any dir=in
2008-02-18 23:26:14: DEBUG: suitable inbound SP found: 10.27.1.0/24 192.168.1.24/32 proto=any dir=in.
2008-02-18 23:26:14: DEBUG: new acquire 192.168.1.24/32 10.27.1.0/24 proto=any dir=out
2008-02-18 23:26:14: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2008-02-18 23:26:14: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
2008-02-18 23:26:14: DEBUG: (trns_id=AES encklen=128 authtype=254)
2008-02-18 23:26:14: DEBUG: configuration found for 80.152.xxx.xxx.
2008-02-18 23:26:14: INFO: IPsec-SA request for 80.152.xxx.xxx queued due to no phase1 found.
2008-02-18 23:26:14: DEBUG: ===
2008-02-18 23:26:14: INFO: initiate new phase 1 negotiation: 192.168.1.24[500]<=>80.152.xxx.xxx[500]
2008-02-18 23:26:14: INFO: begin Identity Protection mode.
2008-02-18 23:26:14: DEBUG: new cookie:
9cc4606d2c38c9a6
2008-02-18 23:26:14: DEBUG: add payload of len 52, next type 13
2008-02-18 23:26:14: DEBUG: add payload of len 16, next type 13
2008-02-18 23:26:14: DEBUG: add payload of len 16, next type 13
2008-02-18 23:26:14: DEBUG: add payload of len 16, next type 13
2008-02-18 23:26:14: DEBUG: add payload of len 16, next type 13
2008-02-18 23:26:14: DEBUG: add payload of len 16, next type 0
2008-02-18 23:26:14: DEBUG: 184 bytes from 192.168.1.24[500] to 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG: sockname 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG: send packet from 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG: send packet to 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG: src4 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG: dst4 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG: 1 times of 184 bytes message will be sent to 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG:
9cc4606d 2c38c9a6 00000000 00000000 01100200 00000000 000000b8 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
80010007 800e0080 80030001 80020002 80040002 0d000014 4a131c81 07035845
5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014
90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846
9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2008-02-18 23:26:14: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0000000000000000
2008-02-18 23:26:14: DEBUG: ===
2008-02-18 23:26:14: DEBUG: 144 bytes message received from 80.152.xxx.xxx[500] to 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 01100200 00000000 00000090 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
80010007 800e0080 80030001 80020002 80040002 0d000014 cd604643 35df21f8
7cfdb2fc 68b6a448 0d000014 afcad713 68a1f1c9 6b8696fc 77570100 00000014
ab926d9e e113a021 9557fcc5 4e52865c
2008-02-18 23:26:14: DEBUG: begin.
2008-02-18 23:26:14: DEBUG: seen nptype=1(sa)
2008-02-18 23:26:14: DEBUG: seen nptype=13(vid)
2008-02-18 23:26:14: DEBUG: seen nptype=13(vid)
2008-02-18 23:26:14: DEBUG: seen nptype=13(vid)
2008-02-18 23:26:14: DEBUG: succeed.
2008-02-18 23:26:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2008-02-18 23:26:14: INFO: received Vendor ID: DPD
2008-02-18 23:26:14: DEBUG: received unknown Vendor ID
2008-02-18 23:26:14: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2008-02-18 23:26:14: DEBUG: total SA len=52
2008-02-18 23:26:14: DEBUG:
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
80010007 800e0080 80030001 80020002 80040002
2008-02-18 23:26:14: DEBUG: begin.
2008-02-18 23:26:14: DEBUG: seen nptype=2(prop)
2008-02-18 23:26:14: DEBUG: succeed.
2008-02-18 23:26:14: DEBUG: proposal #1 len=44
2008-02-18 23:26:14: DEBUG: begin.
2008-02-18 23:26:14: DEBUG: seen nptype=3(trns)
2008-02-18 23:26:14: DEBUG: succeed.
2008-02-18 23:26:14: DEBUG: transform #1 len=36
2008-02-18 23:26:14: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2008-02-18 23:26:14: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2008-02-18 23:26:14: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=7
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: type=Key Length, flag=0x8000, lorv=128
2008-02-18 23:26:14: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2008-02-18 23:26:14: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2008-02-18 23:26:14: DEBUG: hmac(modp1024)
2008-02-18 23:26:14: DEBUG: pair 1:
2008-02-18 23:26:14: DEBUG: 0x80c1b48: next=(nil) tnext=(nil)
2008-02-18 23:26:14: DEBUG: proposal #1: 1 transform
2008-02-18 23:26:14: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
2008-02-18 23:26:14: DEBUG: trns#=1, trns-id=IKE
2008-02-18 23:26:14: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2008-02-18 23:26:14: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2008-02-18 23:26:14: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=7
2008-02-18 23:26:14: DEBUG: type=Key Length, flag=0x8000, lorv=128
2008-02-18 23:26:14: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2008-02-18 23:26:14: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2008-02-18 23:26:14: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2008-02-18 23:26:14: DEBUG: Compared: DB:Peer
2008-02-18 23:26:14: DEBUG: (lifetime = 3600:3600)
2008-02-18 23:26:14: DEBUG: (lifebyte = 0:0)
2008-02-18 23:26:14: DEBUG: enctype = 7:7
2008-02-18 23:26:14: DEBUG: (encklen = 128:128)
2008-02-18 23:26:14: DEBUG: hashtype = SHA:SHA
2008-02-18 23:26:14: DEBUG: authmethod = pre-shared key:pre-shared key
2008-02-18 23:26:14: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
2008-02-18 23:26:14: DEBUG: an acceptable proposal found.
2008-02-18 23:26:14: DEBUG: hmac(modp1024)
2008-02-18 23:26:14: DEBUG: ===
2008-02-18 23:26:14: DEBUG: compute DH's private.
2008-02-18 23:26:14: DEBUG:
6470094d 4f0d574d 68f1e352 fbee2bb7 75bfb223 c2114148 340d4bb3 897a6ce5
39977712 a3317d8c d26dab19 b7c9d1b8 faf6ac6d 7abe0040 761bb9b8 773de405
349896b8 ca196d51 4a63d2a6 90889ee4 f9c37ff7 92ee2d74 883b6495 4854dc14
5317172b 43c897a1 c2f72ac0 9e5d6788 a5e786ed 9eefbe88 43acc2fe a12dea0d
2008-02-18 23:26:14: DEBUG: compute DH's public.
2008-02-18 23:26:14: DEBUG:
a64d5f21 d07a5ba1 6c2528ae 4ed504ed 3d3a22ff 9af0bb5a 48de30a5 85ae6537
e9cf45c0 4917f796 296b4f2d 702b4f8d 288c39b0 30e99a95 1b10912f 85b828cf
ad60a384 d6f830fe b2df9ec8 beeaa69d 79229b29 c198dd0e 794085b8 cda94256
ff87c669 802b27b7 ca332172 ecb0d6cc db3b28b4 e4b64b36 beed1e50 0423d618
2008-02-18 23:26:14: INFO: Hashing 80.152.xxx.xxx[500] with algo #2
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: INFO: Hashing 192.168.1.24[500] with algo #2
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: INFO: Adding remote and local NAT-D payloads.
2008-02-18 23:26:14: DEBUG: add payload of len 128, next type 10
2008-02-18 23:26:14: DEBUG: add payload of len 16, next type 130
2008-02-18 23:26:14: DEBUG: add payload of len 20, next type 130
2008-02-18 23:26:14: DEBUG: add payload of len 20, next type 0
2008-02-18 23:26:14: DEBUG: 228 bytes from 192.168.1.24[500] to 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG: sockname 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG: send packet from 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG: send packet to 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG: src4 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG: dst4 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG: 1 times of 228 bytes message will be sent to 80.152.xxx.xxx[500]
2008-02-18 23:26:14: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 04100200 00000000 000000e4 0a000084
a64d5f21 d07a5ba1 6c2528ae 4ed504ed 3d3a22ff 9af0bb5a 48de30a5 85ae6537
e9cf45c0 4917f796 296b4f2d 702b4f8d 288c39b0 30e99a95 1b10912f 85b828cf
ad60a384 d6f830fe b2df9ec8 beeaa69d 79229b29 c198dd0e 794085b8 cda94256
ff87c669 802b27b7 ca332172 ecb0d6cc db3b28b4 e4b64b36 beed1e50 0423d618
82000014 8a2346da 1208a07b e866f96c 40f776d7 82000018 1ea59472 cd9d745a
d2be973e f9c8b9e2 70ea7b3c 00000018 8929beb0 0a841996 1d1f30d7 9bc05afd
1350e586
2008-02-18 23:26:14: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:26:14: DEBUG: ===
2008-02-18 23:26:14: DEBUG: 228 bytes message received from 80.152.xxx.xxx[500] to 192.168.1.24[500]
2008-02-18 23:26:14: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 04100200 00000000 000000e4 0a000084
f1ed4c10 d4566b53 395de4ec c972d0b1 d88084c5 901ff8e7 0db7d2ed bc0732ed
954c9956 70deb520 dd076bd9 68252b22 61aec586 40c93405 7f81b389 74b71fac
8f36b17d 2b4079d1 7e7a96d3 47872cba fd498fb9 73a0ed6e d950c046 2a65d3c9
b51ee5b6 28eef5ab d3c5a0be e8ecd1d1 5716e4d7 03203767 0d367715 780185e1
82000014 3f11614e e72a8a59 63fbe8ef 0138ddeb 82000018 65e3c406 7204ca35
5a47c526 375d9647 3596c6d4 00000018 1ea59472 cd9d745a d2be973e f9c8b9e2
70ea7b3c
2008-02-18 23:26:14: DEBUG: begin.
2008-02-18 23:26:14: DEBUG: seen nptype=4(ke)
2008-02-18 23:26:14: DEBUG: seen nptype=10(nonce)
2008-02-18 23:26:14: DEBUG: seen nptype=130(nat-d)
2008-02-18 23:26:14: DEBUG: seen nptype=130(nat-d)
2008-02-18 23:26:14: DEBUG: succeed.
2008-02-18 23:26:14: INFO: Hashing 192.168.1.24[500] with algo #2
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: INFO: NAT-D payload doesn't match
2008-02-18 23:26:14: INFO: Hashing 80.152.xxx.xxx[500] with algo #2
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: INFO: NAT-D payload #1 verified
2008-02-18 23:26:14: INFO: NAT detected: ME
2008-02-18 23:26:14: INFO: KA list add: 192.168.1.24[4500]->80.152.xxx.xxx[4500]
2008-02-18 23:26:14: DEBUG: ===
2008-02-18 23:26:14: DEBUG: compute DH's shared.
2008-02-18 23:26:14: DEBUG:
b389b5a8 2e6feeff 3bd30015 da5ad96a 35d2be8a f9e85362 c696b37e e2ab610a
97a906ed e1aa322a f7098419 4913ccec 60abaeb2 82d55538 e7bb76bc 5f2ccdb3
b65984da fb847ff1 d2938edf 16c536e0 66c59bf3 6bde5343 62f0d8d0 0856222f
72c3c6b6 b7b51f23 4367b1b1 93b70bf5 15192d54 b1273ecb bda278a4 c288469f
2008-02-18 23:26:14: DEBUG: the psk found.
2008-02-18 23:26:14: DEBUG: nonce 1: 2008-02-18 23:26:14: DEBUG:
8a2346da 1208a07b e866f96c 40f776d7
2008-02-18 23:26:14: DEBUG: nonce 2: 2008-02-18 23:26:14: DEBUG:
3f11614e e72a8a59 63fbe8ef 0138ddeb
2008-02-18 23:26:14: DEBUG: hmac(hmac_sha1)
2008-02-18 23:26:14: DEBUG: SKEYID computed:
2008-02-18 23:26:14: DEBUG:
56c72295 7e954c72 1811469e 65e61d5b 7b954d2a
2008-02-18 23:26:14: DEBUG: hmac(hmac_sha1)
2008-02-18 23:26:14: DEBUG: SKEYID_d computed:
2008-02-18 23:26:14: DEBUG:
ac87839c 433faed9 b6cb3483 8a18250f 1e5667b0
2008-02-18 23:26:14: DEBUG: hmac(hmac_sha1)
2008-02-18 23:26:14: DEBUG: SKEYID_a computed:
2008-02-18 23:26:14: DEBUG:
e6ca106d dce5e2b6 c0d3f777 51549019 5a5f12db
2008-02-18 23:26:14: DEBUG: hmac(hmac_sha1)
2008-02-18 23:26:14: DEBUG: SKEYID_e computed:
2008-02-18 23:26:14: DEBUG:
fb871305 21d85367 8d7b716b 6319f7ae 187b39cc
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: DEBUG: final encryption key computed:
2008-02-18 23:26:14: DEBUG:
fb871305 21d85367 8d7b716b 6319f7ae
2008-02-18 23:26:14: DEBUG: hash(sha1)
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: IV computed:
2008-02-18 23:26:14: DEBUG:
bebc6a5b 2ba5b5e7 2fe5bade 0a177002
2008-02-18 23:26:14: DEBUG: use ID type of FQDN
2008-02-18 23:26:14: DEBUG: HASH with:
2008-02-18 23:26:14: DEBUG:
a64d5f21 d07a5ba1 6c2528ae 4ed504ed 3d3a22ff 9af0bb5a 48de30a5 85ae6537
e9cf45c0 4917f796 296b4f2d 702b4f8d 288c39b0 30e99a95 1b10912f 85b828cf
ad60a384 d6f830fe b2df9ec8 beeaa69d 79229b29 c198dd0e 794085b8 cda94256
ff87c669 802b27b7 ca332172 ecb0d6cc db3b28b4 e4b64b36 beed1e50 0423d618
f1ed4c10 d4566b53 395de4ec c972d0b1 d88084c5 901ff8e7 0db7d2ed bc0732ed
954c9956 70deb520 dd076bd9 68252b22 61aec586 40c93405 7f81b389 74b71fac
8f36b17d 2b4079d1 7e7a96d3 47872cba fd498fb9 73a0ed6e d950c046 2a65d3c9
b51ee5b6 28eef5ab d3c5a0be e8ecd1d1 5716e4d7 03203767 0d367715 780185e1
9cc4606d 2c38c9a6 0b32d511 6822fad7 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c0e10 80010007 800e0080 80030001 80020002
80040002 02000000 6777406b 69657273 70652e6c 6f63
2008-02-18 23:26:14: DEBUG: hmac(hmac_sha1)
2008-02-18 23:26:14: DEBUG: HASH computed:
2008-02-18 23:26:14: DEBUG:
62baed6d 94ff7df7 1708f2db 096eb452 8cff66dc
2008-02-18 23:26:14: DEBUG: add payload of len 18, next type 8
2008-02-18 23:26:14: DEBUG: add payload of len 20, next type 0
2008-02-18 23:26:14: DEBUG: begin encryption.
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: pad length = 2
2008-02-18 23:26:14: DEBUG:
08000016 02000000 6777406b 69657273 70652e6c 6f630000 001862ba ed6d94ff
7df71708 f2db096e b4528cff 66dc0002
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: with key:
2008-02-18 23:26:14: DEBUG:
fb871305 21d85367 8d7b716b 6319f7ae
2008-02-18 23:26:14: DEBUG: encrypted payload by IV:
2008-02-18 23:26:14: DEBUG:
bebc6a5b 2ba5b5e7 2fe5bade 0a177002
2008-02-18 23:26:14: DEBUG: save IV for next:
2008-02-18 23:26:14: DEBUG:
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:14: DEBUG: encrypted.
2008-02-18 23:26:14: DEBUG: Adding NON-ESP marker
2008-02-18 23:26:14: DEBUG: 80 bytes from 192.168.1.24[4500] to 80.152.xxx.xxx[4500]
2008-02-18 23:26:14: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:14: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:14: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:14: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:14: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:14: DEBUG: 1 times of 80 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:14: DEBUG:
00000000 9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c
27e1a3c1 cfcb9d28 ee3e4127 c7c3f19b 2671a5ba 1cace539 ddf6e51e 997a7101
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:14: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:26:14: DEBUG: ===
2008-02-18 23:26:14: DEBUG: 76 bytes message received from 80.152.xxx.xxx[4500] to 192.168.1.24[4500]
2008-02-18 23:26:14: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c f95ac0b7
509650d3 1a49c3fd 64e92b5a 049a0658 abb34b49 502449db a04de9d2 8827e8f7
9a6b2909 7743c3fc a2cce10f
2008-02-18 23:26:14: DEBUG: begin decryption.
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: IV was saved for next processing:
2008-02-18 23:26:14: DEBUG:
8827e8f7 9a6b2909 7743c3fc a2cce10f
2008-02-18 23:26:14: DEBUG: encryption(aes)
2008-02-18 23:26:14: DEBUG: with key:
2008-02-18 23:26:14: DEBUG:
fb871305 21d85367 8d7b716b 6319f7ae
2008-02-18 23:26:14: DEBUG: decrypted payload by IV:
2008-02-18 23:26:14: DEBUG:
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:14: DEBUG: decrypted payload, but not trimed.
2008-02-18 23:26:14: DEBUG:
08000016 02000000 6767702d 68732d6b 69657273 70650000 00183173 8ebc543c
f6146400 42683bdf 605795b1 2e1d0000
2008-02-18 23:26:14: DEBUG: padding len=0
2008-02-18 23:26:14: DEBUG: skip to trim padding.
2008-02-18 23:26:14: DEBUG: decrypted.
2008-02-18 23:26:14: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c 08000016
02000000 6767702d 68732d6b 69657273 70650000 00183173 8ebc543c f6146400
42683bdf 605795b1 2e1d0000
2008-02-18 23:26:14: DEBUG: begin.
2008-02-18 23:26:14: DEBUG: seen nptype=5(id)
2008-02-18 23:26:14: DEBUG: seen nptype=8(hash)
2008-02-18 23:26:14: DEBUG: succeed.
2008-02-18 23:26:14: ERROR: Expecting IP address type in main mode, but FQDN.
2008-02-18 23:26:14: ERROR: invalid ID payload.
2008-02-18 23:26:24: DEBUG: KA: 192.168.1.24[4500]->80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG: 1 times of 1 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG:
ff
2008-02-18 23:26:24: DEBUG: Adding NON-ESP marker
2008-02-18 23:26:24: DEBUG: 80 bytes from 192.168.1.24[4500] to 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG: 1 times of 80 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:24: DEBUG:
00000000 9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c
27e1a3c1 cfcb9d28 ee3e4127 c7c3f19b 2671a5ba 1cace539 ddf6e51e 997a7101
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:24: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:26:24: DEBUG: ===
2008-02-18 23:26:24: DEBUG: 76 bytes message received from 80.152.xxx.xxx[4500] to 192.168.1.24[4500]
2008-02-18 23:26:24: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c f95ac0b7
509650d3 1a49c3fd 64e92b5a 049a0658 abb34b49 502449db a04de9d2 8827e8f7
9a6b2909 7743c3fc a2cce10f
2008-02-18 23:26:24: DEBUG: begin decryption.
2008-02-18 23:26:24: DEBUG: encryption(aes)
2008-02-18 23:26:24: DEBUG: IV was saved for next processing:
2008-02-18 23:26:24: DEBUG:
8827e8f7 9a6b2909 7743c3fc a2cce10f
2008-02-18 23:26:24: DEBUG: encryption(aes)
2008-02-18 23:26:24: DEBUG: with key:
2008-02-18 23:26:24: DEBUG:
fb871305 21d85367 8d7b716b 6319f7ae
2008-02-18 23:26:24: DEBUG: decrypted payload by IV:
2008-02-18 23:26:24: DEBUG:
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:24: DEBUG: decrypted payload, but not trimed.
2008-02-18 23:26:24: DEBUG:
08000016 02000000 6767702d 68732d6b 69657273 70650000 00183173 8ebc543c
f6146400 42683bdf 605795b1 2e1d0000
2008-02-18 23:26:24: DEBUG: padding len=0
2008-02-18 23:26:24: DEBUG: skip to trim padding.
2008-02-18 23:26:24: DEBUG: decrypted.
2008-02-18 23:26:24: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c 08000016
02000000 6767702d 68732d6b 69657273 70650000 00183173 8ebc543c f6146400
42683bdf 605795b1 2e1d0000
2008-02-18 23:26:24: DEBUG: begin.
2008-02-18 23:26:24: DEBUG: seen nptype=5(id)
2008-02-18 23:26:24: DEBUG: seen nptype=8(hash)
2008-02-18 23:26:24: DEBUG: succeed.
2008-02-18 23:26:24: ERROR: Expecting IP address type in main mode, but FQDN.
2008-02-18 23:26:24: ERROR: invalid ID payload.
2008-02-18 23:26:34: DEBUG: Adding NON-ESP marker
2008-02-18 23:26:34: DEBUG: 80 bytes from 192.168.1.24[4500] to 80.152.xxx.xxx[4500]
2008-02-18 23:26:34: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:34: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:34: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:34: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:34: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:34: DEBUG: 1 times of 80 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:34: DEBUG:
00000000 9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c
27e1a3c1 cfcb9d28 ee3e4127 c7c3f19b 2671a5ba 1cace539 ddf6e51e 997a7101
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:34: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:26:35: DEBUG: ===
2008-02-18 23:26:35: DEBUG: 76 bytes message received from 80.152.xxx.xxx[4500] to 192.168.1.24[4500]
2008-02-18 23:26:35: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c f95ac0b7
509650d3 1a49c3fd 64e92b5a 049a0658 abb34b49 502449db a04de9d2 8827e8f7
9a6b2909 7743c3fc a2cce10f
2008-02-18 23:26:35: DEBUG: begin decryption.
2008-02-18 23:26:35: DEBUG: encryption(aes)
2008-02-18 23:26:35: DEBUG: IV was saved for next processing:
2008-02-18 23:26:35: DEBUG:
8827e8f7 9a6b2909 7743c3fc a2cce10f
2008-02-18 23:26:35: DEBUG: encryption(aes)
2008-02-18 23:26:35: DEBUG: with key:
2008-02-18 23:26:35: DEBUG:
fb871305 21d85367 8d7b716b 6319f7ae
2008-02-18 23:26:35: DEBUG: decrypted payload by IV:
2008-02-18 23:26:35: DEBUG:
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:35: DEBUG: decrypted payload, but not trimed.
2008-02-18 23:26:35: DEBUG:
08000016 02000000 6767702d 68732d6b 69657273 70650000 00183173 8ebc543c
f6146400 42683bdf 605795b1 2e1d0000
2008-02-18 23:26:35: DEBUG: padding len=0
2008-02-18 23:26:35: DEBUG: skip to trim padding.
2008-02-18 23:26:35: DEBUG: decrypted.
2008-02-18 23:26:35: DEBUG:
9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c 08000016
02000000 6767702d 68732d6b 69657273 70650000 00183173 8ebc543c f6146400
42683bdf 605795b1 2e1d0000
2008-02-18 23:26:35: DEBUG: begin.
2008-02-18 23:26:35: DEBUG: seen nptype=5(id)
2008-02-18 23:26:35: DEBUG: seen nptype=8(hash)
2008-02-18 23:26:35: DEBUG: succeed.
2008-02-18 23:26:35: ERROR: Expecting IP address type in main mode, but FQDN.
2008-02-18 23:26:35: ERROR: invalid ID payload.
2008-02-18 23:26:44: DEBUG: KA: 192.168.1.24[4500]->80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:44: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:44: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:44: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG: 1 times of 1 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG:
ff
2008-02-18 23:26:44: DEBUG: Adding NON-ESP marker
2008-02-18 23:26:44: DEBUG: 80 bytes from 192.168.1.24[4500] to 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:44: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:44: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:44: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG: 1 times of 80 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:44: DEBUG:
00000000 9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c
27e1a3c1 cfcb9d28 ee3e4127 c7c3f19b 2671a5ba 1cace539 ddf6e51e 997a7101
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:44: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:26:45: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 80.152.xxx.xxx[4500]->192.168.1.24[4500]
2008-02-18 23:26:45: INFO: delete phase 2 handler.
2008-02-18 23:26:54: DEBUG: Adding NON-ESP marker
2008-02-18 23:26:54: DEBUG: 80 bytes from 192.168.1.24[4500] to 80.152.xxx.xxx[4500]
2008-02-18 23:26:54: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:26:54: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:26:54: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:26:54: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:26:54: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:26:54: DEBUG: 1 times of 80 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:26:54: DEBUG:
00000000 9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c
27e1a3c1 cfcb9d28 ee3e4127 c7c3f19b 2671a5ba 1cace539 ddf6e51e 997a7101
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:26:54: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:27:04: DEBUG: KA: 192.168.1.24[4500]->80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:27:04: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:27:04: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:27:04: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG: 1 times of 1 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG:
ff
2008-02-18 23:27:04: DEBUG: Adding NON-ESP marker
2008-02-18 23:27:04: DEBUG: 80 bytes from 192.168.1.24[4500] to 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG: sockname 192.168.1.24[4500]
2008-02-18 23:27:04: DEBUG: send packet from 192.168.1.24[4500]
2008-02-18 23:27:04: DEBUG: send packet to 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG: src4 192.168.1.24[4500]
2008-02-18 23:27:04: DEBUG: dst4 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG: 1 times of 80 bytes message will be sent to 80.152.xxx.xxx[4500]
2008-02-18 23:27:04: DEBUG:
00000000 9cc4606d 2c38c9a6 0b32d511 6822fad7 05100201 00000000 0000004c
27e1a3c1 cfcb9d28 ee3e4127 c7c3f19b 2671a5ba 1cace539 ddf6e51e 997a7101
a526e404 7396a52b cc9b42be 93fb16bb
2008-02-18 23:27:04: DEBUG: resend phase1 packet 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:27:14: ERROR: phase1 negotiation failed due to time up. 9cc4606d2c38c9a6:0b32d5116822fad7
2008-02-18 23:27:14: INFO: KA remove: 192.168.1.24[4500]->80.152.xxx.xxx[4500]
2008-02-18 23:27:14: DEBUG: KA tree dump: 192.168.1.24[4500]->80.152.xxx.xxx[4500] (in_use=1)
2008-02-18 23:27:14: DEBUG: KA removing this one...


LOG of the GREENGATE#############################
...
Feb 18 22:30:34 authpriv.warn Pluto[276]: packet from 80.144.xxx.xxx:500: responding to Main Mode from unknown peer 80.144.xxx.xxx, possibly "3:3"
Feb 18 22:30:34 authpriv.warn Pluto[276]: "3:3" @80.144.xxx.xxx #146: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 18 22:30:34 authpriv.warn Pluto[276]: "3:3" @80.144.xxx.xxx #146: deleting connection "3:3" instance with peer 80.144.xxx.xxx
Feb 18 22:30:34 authpriv.warn Pluto[276]: "3:3" @80.144.xxx.xxx:61845 #145: deleting state (STATE_MAIN_R3)
Feb 18 22:30:34 authpriv.warn Pluto[276]: "3:3" @80.144.xxx.xxx:61845 #146: STATE_MAIN_R3: sent MR3, ISAKMP SA established


So phase 1 is actually complete, and phase 2 should follow now?
  1. Excerpt from the help of the Greengate VPN Premium
The tunnel is being started. The stage of the tunnel negotiation is displayed in square brackets:

          • [MAIN_I1] - [MAIN_I4]: Our end is initiating phase 1 (ISAKMP).
          • [MAIN_R1] - [MAIN_R3]: Our end is responding to phase 1.
          • [QUICK_I1] - [QUICK_I2]: Our end is initiating phase 2 (IPSEC).
          • [QUICK_R1] - [QUICK_R2]: Our end is responding to phase 2.



As I said, with the NCP client under Windows everything works without problems.

#Settings there in the NCP client:
#IPsec settings
- Gateway 80.152.xxx.xxx
- IKE policy: Pre-Shared-Key
- IPsec policy: ESP - AES128 - SHA
- Exch. mode: Main Mode
- PFS group: DH group 2 (1024 bit)
#Local identity
- Type: Fully Qualified Domain Name
- ID: gw@test.loc
#VPN IP networks
- 10.27.1.0/255.255.255.0

#Settings in the Greengate:
ID type: Domain Name
Encryption algorithm: AES
Hash algorithm: SHA1
Diffie-Hellman group: 2 (1024 bits)
Perfect Forward Secrecy: On


I have been trying all weekend, but unfortunately with only partial success.
At least the request already arrives where it is supposed to go.

I hope someone here has an eye for VPN/IPsec tunnels and can help me find my way out of this dark forest.

Many thanks in advance for all the reading.


Best regards
Christian Vielhauer
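As an added example (not from the original post, nor from the ipsec-tools or Greengate projects), the following Python re-implements two checks that are visible in the racoon log above: it decodes an ISAKMP Identification payload of the kind that triggers "Expecting IP address type in main mode, but FQDN." and applies the rule racoon enforces at that point (in Main Mode with pre-shared-key authentication only an address-type peer ID is accepted, because the PSK has to be chosen by peer address before the encrypted ID payload can be read), and it recomputes NAT-D hashes to show how "NAT detected: ME" is derived. The identities, the public addresses and the NAT source port are constructed for the example; only the two ISAKMP cookies and the local endpoint 192.168.1.24:500 are taken from the log.

```python
"""Standalone re-implementation of two checks seen in the racoon debug log.

1. Decode an ISAKMP Identification payload (RFC 2407 section 4.6.2) and apply
   the rule racoon enforces in ipsecdoi_checkid1(): in Main Mode with
   pre-shared-key authentication only address-type peer IDs are accepted.
2. Recompute NAT-D hashes (draft-ietf-ipsec-nat-t-ike-02) and derive
   "NAT detected: ME" from them the way racoon does.

All identities and public addresses below are constructed for the example.
"""
import hashlib
import ipaddress
import struct

# ISAKMP exchange types (RFC 2408) and DOI authentication methods (RFC 2409).
ETYPE_IDENT = 2       # Identity Protection exchange == Main Mode
ETYPE_AGGRESSIVE = 4
AUTH_PSK = 1          # pre-shared key
AUTH_RSASIG = 3       # RSA signatures

# IPsec DOI identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_NAMES = {1: "IPv4 address", 2: "FQDN", 3: "user FQDN", 5: "IPv6 address"}
NEXT_HASH = 8         # next-payload code of the HASH payload that follows ID


def build_id_payload(id_type, data, next_payload=NEXT_HASH):
    """Generic payload header (next, reserved, length) + DOI ID header
    (type, protocol, port) + identification data. racoon's hex dumps above
    start with exactly this layout: 08 00 00 16 02 00 00 00 ..."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Return (next_payload, id_type, identity) from a raw ID payload."""
    next_payload, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length < 8 or length > len(raw):
        raise ValueError("bad ID payload length %d" % length)
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:length]
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return next_payload, id_type, str(ipaddress.ip_address(data))
    return next_payload, id_type, data.decode("ascii")


def racoon_accepts_peer_id(exchange_type, auth_method, id_type):
    """racoon's check on the received ID: in Main Mode with PSK the peer's
    ID must be an IP address, because the PSK is looked up by peer address
    before the (encrypted) ID payload can be read. Other combinations pass."""
    if exchange_type == ETYPE_IDENT and auth_method == AUTH_PSK:
        return id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR)
    return True


def natd_hash(cookie_i, cookie_r, ip, port):
    """NAT-D content = HASH(CKY-I | CKY-R | IP | Port); SHA-1 because the
    phase-1 hash algorithm negotiated in the log is SHA."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cookie_i + cookie_r + addr + struct.pack("!H", port)).digest()


def detect_nat(cookie_i, cookie_r, my_addr, peer_addr, natd_about_me, natd_about_peer):
    """Compare the NAT-D hashes received from the peer with hashes over the
    addresses we believe are in use. A mismatch for our own address means we
    sit behind NAT ("NAT detected: ME"); a mismatch for the peer's means it does."""
    me_natted = natd_hash(cookie_i, cookie_r, *my_addr) != natd_about_me
    peer_natted = natd_hash(cookie_i, cookie_r, *peer_addr) != natd_about_peer
    return me_natted, peer_natted


def demo():
    """Replay both checks on constructed data and return the findings."""
    results = {}
    # Part 1: the peer identifies by FQDN (as in the log) versus by address.
    peer_ip = ipaddress.ip_address("198.51.100.1").packed   # constructed peer
    for label, id_type, data in (("peer FQDN", ID_FQDN, b"vpn-gw.example.test"),
                                 ("peer IPv4", ID_IPV4_ADDR, peer_ip)):
        _next, parsed_type, ident = parse_id_payload(build_id_payload(id_type, data))
        results[label] = (ID_NAMES[parsed_type], ident,
                          racoon_accepts_peer_id(ETYPE_IDENT, AUTH_PSK, parsed_type))
    # Part 2: cookies from the log; public addresses are constructed TEST-NET
    # values because the post redacts the real ones.
    cky_i = bytes.fromhex("9cc4606d2c38c9a6")
    cky_r = bytes.fromhex("0b32d5116822fad7")
    my_private = ("192.168.1.24", 500)           # what racoon binds locally
    my_as_seen_by_peer = ("203.0.113.7", 61845)  # after the Fritzbox NAT
    peer_public = ("198.51.100.1", 500)
    # The peer hashes the addresses it sees on the wire.
    natd_about_me = natd_hash(cky_i, cky_r, *my_as_seen_by_peer)
    natd_about_peer = natd_hash(cky_i, cky_r, *peer_public)
    results["nat"] = detect_nat(cky_i, cky_r, my_private, peer_public,
                                natd_about_me, natd_about_peer)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical reading of the result: the Greengate identifies itself with a Domain Name ID, and racoon, as Main Mode initiator with PSK, refuses that ID type regardless of what `peers_identifier` says (`verify_identifier` is not even reached). The combinations that pass the check are a peer ID of address type in Main Mode, certificate (RSA signature) authentication in Main Mode, or Aggressive Mode; the last one is the common road-warrior answer for PSK behind NAT but sends the PSK-derived hash unencrypted, which exposes the pre-shared key to offline guessing.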

Content-Key: 81069

Url: https://administrator.de/contentid/81069