timisi

Remote dial-in via IPsec VPN (Apple client) on a Cisco 886VA (with a fixed public IP address)

Hello,
the config of the router named above is now to be extended so that an Apple client can dial in via IPsec.

I'm poking around in the dark a bit at the moment, since it all seems a little too complex to me (it probably isn't).


It looks to me as if the connection does not get past phase 1 before it drops. (A debug is further below.)


! Last configuration change at 18:44:24 CEST Tue Jul 30 2013 by admin
version 15.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
!
hostname Cisco886va
!
boot-start-marker
boot system flash c880data-universalk9-mz.153-1.T.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 4 uiMZjxdU.2QFtuntlqVsFdgbcmo9edcUUwY4bSg7YeQ
!
aaa new-model
!
!
aaa authentication login remote local
aaa authentication login groupname local
aaa authentication login defaut local
aaa authorization network remote local 
aaa authorization network groupname local 
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2467175886
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2467175886
 revocation-check none
 rsakeypair TP-self-signed-2467175886
!
!
crypto pki certificate chain TP-self-signed-2467175886
no ip source-route
no ip gratuitous-arps
!
!
!
ip dhcp excluded-address xx.xx.xx.xx 10.0.40.19
ip dhcp excluded-address xx.xx.xx.xx 10.0.40.254
ip dhcp ping timeout 100
!
ip dhcp pool ccp-pool1
 network xx.xx.xx.xx 255.255.255.0
 dns-server xx.xxx.xx.xx 
 default-router xx.xx.xx.xx
!
!
!
ip multicast-routing 
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
license udi pid CISCO886VA-K9 sn FCZ1623C1VY
!
!
vtp mode transparent
username admin privilege 15 secret 5 xxxx
username remote1 password 7 xxxx
!
!
!
!
!
controller VDSL 0
 operating mode vdsl2
 firmware filename flash:vdsl.bin-A2pv6C035j
 description DTAG VDSL 50 Leitung
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
! 
crypto keyring L2TP  
  pre-shared-key address xx.xx.xx.xx 255.255.255.0 key xxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 3600
crypto isakmp client configuration address-pool local ccp-pool1
!
crypto isakmp client configuration group remote
 key gRoup5hare85n1
 pool ccp-pool1
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1 
 reverse-route
!
!
crypto map static-map client authentication list local
crypto map static-map isakmp authorization list remote
crypto map static-map client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap 
!
bridge irb
!
!
!
!
interface Ethernet0
 description VDSL Physical Interface
 no ip address
 no ip route-cache
!
interface Ethernet0.7
 description VDSL Daten Verbindung
 encapsulation dot1Q 7
 no ip route-cache
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet0.8
 description VDSL Multicast Verbindung
 encapsulation dot1Q 8
 ip dhcp client broadcast-flag clear
 ip address dhcp
 no ip route-cache
 ip igmp version 3
 ip igmp query-interval 15
 ip igmp proxy-service
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 1/32 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description Netzwerk_Intern
 no ip address
!
interface FastEthernet1
 description Airport
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool VPNPool
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe 128 required
 ppp authentication chap ms-chap
!
interface Vlan1
 description Lokales Heim Neitzwerk
 ip address xx.xx.xx.xx 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip igmp version 3
 ip igmp explicit-tracking
 ip igmp query-interval 15
 ip igmp proxy-service
!
interface Dialer0
 description VDSL Einwahl Interface
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password 7 xx
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable
 crypto map static-map
!
interface BVI1
 shutdown
!

no ip forward-protocol nd
ip http server
ip http access-class 23
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 101 interface Dialer0 overload
!
ip access-list log-update threshold 1
dialer-list 1 protocol ip list 101
no cdp run
!
access-list 23 permit xx.xx.xx.xx 0.0.0.255
access-list 101 permit ip xx.xx.xx.xx 0.0.0.255 any
access-list 102 permit udp any eq 50 any
access-list 102 permit udp any eq isakmp any
access-list 102 permit udp any eq non500-isakmp any
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any eq 4500 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any eq 10000 any
access-list 102 deny   ip any any
!
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input ssh
!
!
end
*Jul 22 18:26:22.971 CEST: ISAKMP (0): received packet from xx.xx.xx.xx dport 500 sport 500 Global (N) NEW SA
*Jul 22 18:26:22.971 CEST: ISAKMP: Created a peer struct for xx.xx.xx.xx , peer port 500
*Jul 22 18:26:22.971 CEST: ISAKMP: New peer created peer = 0x8879CFE4 peer_handle = 0x80000003
*Jul 22 18:26:22.971 CEST: ISAKMP: Locking peer struct 0x8879CFE4, refcount 1 for crypto_isakmp_process_block
*Jul 22 18:26:22.971 CEST: ISAKMP:(0):Setting client config settings 89148928
*Jul 22 18:26:22.971 CEST: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jul 22 18:26:22.971 CEST: ISAKMP/xauth: initializing AAA request
*Jul 22 18:26:22.971 CEST: ISAKMP: local port 500, remote port 500
*Jul 22 18:26:22.971 CEST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 89220B08
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing ID payload. message ID = 0
*Jul 22 18:26:22.971 CEST: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : remote
        protocol     : 0
        port         : 0
        length       : 14
*Jul 22 18:26:22.971 CEST: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing IKE frag vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 22 18:26:22.971 CEST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 22 18:26:22.971 CEST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.971 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID is XAUTH
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID is Unity
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): processing vendor id payload
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): vendor ID is DPD
*Jul 22 18:26:22.975 CEST: ISAKMP:(0): Authentication by xauth preshared
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jul 22 18:26:22.975 CEST: ISAKMP:      life type in seconds
*Jul 22 18:26:22.975 CEST: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:      encryption AES-CBC
*Jul 22 18:26:22.975 CEST: ISAKMP:      keylength of 256
*Jul 22 18:26:22.975 CEST: ISAKMP:      auth XAUTHInitPreShared
*Jul 22 18:26:22.975 CEST: ISAKMP:      hash SHA
*Jul 22 18:26:22.975 CEST: ISAKMP:      default group 2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Jul 22 18:26:22.975 CEST: ISAKMP:      life type in seconds
*Jul 22 18:26:22.975 CEST: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:      encryption AES-CBC
*Jul 22 18:26:22.975 CEST: ISAKMP:      keylength of 128
*Jul 22 18:26:22.975 CEST: ISAKMP:      auth XAUTHInitPreShared
*Jul 22 18:26:22.975 CEST: ISAKMP:      hash SHA
*Jul 22 18:26:22.975 CEST: ISAKMP:      default group 2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Jul 22 18:26:22.975 CEST: ISAKMP:      life type in seconds
*Jul 22 18:26:22.975 CEST: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:      encryption AES-CBC
*Jul 22 18:26:22.975 CEST: ISAKMP:      keylength of 256
*Jul 22 18:26:22.975 CEST: ISAKMP:      auth XAUTHInitPreShared
*Jul 22 18:26:22.975 CEST: ISAKMP:      hash MD5
*Jul 22 18:26:22.975 CEST: ISAKMP:      default group 2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Jul 22 18:26:22.975 CEST: ISAKMP:      life type in seconds
*Jul 22 18:26:22.975 CEST: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:      encryption AES-CBC
*Jul 22 18:26:22.975 CEST: ISAKMP:      keylength of 128
*Jul 22 18:26:22.975 CEST: ISAKMP:      auth XAUTHInitPreShared
*Jul 22 18:26:22.975 CEST: ISAKMP:      hash MD5
*Jul 22 18:26:22.975 CEST: ISAKMP:      default group 2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Jul 22 18:26:22.975 CEST: ISAKMP:      life type in seconds
*Jul 22 18:26:22.975 CEST: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:      encryption 3DES-CBC
*Jul 22 18:26:22.975 CEST: ISAKMP:      auth XAUTHInitPreShared
*Jul 22 18:26:22.975 CEST: ISAKMP:      hash SHA
*Jul 22 18:26:22.975 CEST: ISAKMP:      default group 2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Jul 22 18:26:22.975 CEST: ISAKMP:      life type in seconds
*Jul 22 18:26:22.975 CEST: ISAKMP:      life duration (basic) of 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:      encryption 3DES-CBC
*Jul 22 18:26:22.975 CEST: ISAKMP:      auth XAUTHInitPreShared
*Jul 22 18:26:22.975 CEST: ISAKMP:      hash MD5
*Jul 22 18:26:22.975 CEST: ISAKMP:      default group 2
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Acceptable atts:actual life: 3600
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Acceptable atts:life: 0
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Basic life_in_seconds:3600
*Jul 22 18:26:22.975 CEST: ISAKMP:(0):Returning Actual lifetime: 3600
*Jul 22 18:26:22.979 CEST: ISAKMP:(0)::Started lifetime timer: 3600.

*Jul 22 18:26:22.979 CEST: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 22 18:26:23.011 CEST: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 22 18:26:23.011 CEST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 22 18:26:23.011 CEST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 22 18:26:23.011 CEST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 22 18:26:23.011 CEST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 22 18:26:23.011 CEST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 22 18:26:23.011 CEST: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Jul 22 18:26:23.011 CEST: ISAKMP:(2002): constructed NAT-T vendor-rfc3947 ID
*Jul 22 18:26:23.011 CEST: ISAKMP:(2002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jul 22 18:26:23.011 CEST: ISAKMP (2002): ID payload
        next-payload : 10
        type         : 1
        address      : xx.xx.xx.xx
        protocol     : 0
        port         : 0
        length       : 12
*Jul 22 18:26:23.011 CEST: ISAKMP:(2002):Total payload length: 12
*Jul 22 18:26:23.011 CEST: ISAKMP:(2002): sending packet to xx..x.x.x. my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jul 22 18:26:23.011 CEST: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Jul 22 18:26:23.015 CEST: ISAKMP:(2002):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jul 22 18:26:23.015 CEST: ISAKMP:(2002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*Jul 22 18:26:33.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH...
*Jul 22 18:26:33.011 CEST: ISAKMP (2002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 22 18:26:33.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH
*Jul 22 18:26:33.011 CEST: ISAKMP:(2002): sending packet to x.x.x.x. my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jul 22 18:26:33.011 CEST: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Jul 22 18:26:43.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH...
*Jul 22 18:26:43.011 CEST: ISAKMP (2002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 22 18:26:43.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH
*Jul 22 18:26:43.011 CEST: ISAKMP:(2002): sending packet to x.x.x.x my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jul 22 18:26:43.011 CEST: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Jul 22 18:26:53.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH...
*Jul 22 18:26:53.011 CEST: ISAKMP (2002): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jul 22 18:26:53.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH
*Jul 22 18:26:53.011 CEST: ISAKMP:(2002): sending packet to x.x.x.x. my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jul 22 18:26:53.011 CEST: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Jul 22 18:27:03.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH...
*Jul 22 18:27:03.011 CEST: ISAKMP (2002): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jul 22 18:27:03.011 CEST: ISAKMP:(2002): retransmitting phase 1 AG_INIT_EXCH
*Jul 22 18:27:03.011 CEST: ISAKMP:(2002): sending packet tox.x.x.x my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jul 22 18:27:03.011 CEST: ISAKMP:(2002):Sending an IKE IPv4 Packet.


So far I have checked the access list to see whether all the ports that should be open are open:

UDP 50 (IPSEC)
UDP 500 (ISAKMP)
UDP 4500 (NAT)
TCP 10000 (NAT)

.. and tried various transform sets.

My variables should be right too...


Who can help me out here?
(If you need any further info, I am of course available.)

Regards

Timisi
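A note on reading the debug, and the inbound list it implies, added here by the editor (this is not part of the original post). The router rejected the client's transforms 1 to 5 (AES-256/SHA, AES-128/SHA, AES-256/MD5, AES-128/MD5, 3DES/SHA) against policy 1 and accepted transform 6 (3DES, MD5, group 2, 3600 s), sent its aggressive-mode reply (`(R) AG_INIT_EXCH`) and then retransmitted that reply every ten seconds without a third message from the client ever arriving. So phase 1 does not fail on the proposal; the client goes quiet after message 2. In IKEv1 aggressive mode message 2 carries HASH_R, which the client verifies with the group secret, so the first things to compare are the group name configured on the Mac against `remote` and its shared secret against the `key` under `crypto isakmp client configuration group remote`. Independently of that, access-list 102 has two protocol mistakes: ESP is IP protocol 50, not UDP port 50, and NAT-T is UDP 4500, not TCP 4500 (the debug lists NAT-T vendor IDs, so that entry matters as soon as the Mac sits behind a NAT). Also, an `eq` placed before the destination field matches the source port; the existing isakmp entry only works because the client sources from port 500. The corrected list below keeps the DNS and ICMP entries as they were and drops TCP 10000 (Cisco IPsec over TCP, which the native Apple client does not use; keep it if another client needs it). The list number 103 and the swap procedure are my choice:

```cisco
! Build the corrected list under a new number so the old one stays applied
! until the swap. An ACL that is referenced by ip access-group but no
! longer exists permits everything, so never 'no access-list 102' while
! Dialer0 still points at it.
access-list 103 remark -- IKE / IPsec from any client --
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 remark -- replies to the router's own DNS lookups (source port 53) --
access-list 103 permit udp any eq domain any
access-list 103 remark -- ICMP needed for ping replies and path MTU discovery --
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any packet-too-big
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny   ip any any log
!
! Swap the list on the dial-up interface, then retire the old one
interface Dialer0
 ip access-group 103 in
!
no access-list 102
```

After the swap, `show access-lists 103` shows per-line hit counters: a connection attempt from the Mac should increment the isakmp line and, once phase 2 is up, the esp line (or non500-isakmp behind NAT). `show crypto isakmp sa` showing the peer in AG_INIT_EXCH together with the repeated `retransmitting phase 1 AG_INIT_EXCH` lines means the router's reply went out but was never answered, which points at the client side (group name, secret) rather than at the ACL.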

Content-Key: 212909

Url: https://administrator.de/contentid/212909


Member: Deepsys
Deepsys Jul 31, 2013 at 07:54:30 (UTC)
Hi,

other colleagues can help you with the Cisco config; I can only say that the Apple IPsec client is very inflexible.
You have to use exactly its parameters, since most of them cannot be changed (a search engine should be able to help you there).
Also, the VPN is a Cisco "dialect", so it should work well in your case.

Have a look in that direction.

Regards
Deepsys
Member: Timisi
Timisi Aug 28, 2013 at 20:08:33 (UTC)
Current status:

Unfortunately there is no information from Apple about which parameters the native Apple IPsec VPN client for OS X has/needs
(not for iOS; there is plenty there: http://help.apple.com/iosdeployment-vpn/mac/1.2/#app36c95bff).

After a lot of testing I think I am close to a working config.

I now get past ISAKMP phase 1:
 ISAKMP:(2011):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE 
I currently suspect that my Xauth config is not right; on the Mac the username and password are already requested, but after that it aborts.
Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT  
 ISAKMP: Config payload REPLY
 ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
 ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
 ISAKMP:(2012):deleting node -166701176 error FALSE reason "Done with xauth request/reply exchange"  
Next I will work out the right AAA authentication and crypto map parameters.
See:
ex4-1
http://www.ciscopress.com/articles/article.asp?p=421514

I will try to keep you posted.
Member: Timisi
Timisi Sep 09, 2013 at 20:35:56 (UTC)
Hooray, my remote IPsec config finally works. The remote client is assigned an IP address from its own IP pool but can still ping the clients in the network.

Until it worked there were 3 problems to solve:

1. XAUTH is defined via AAA parameters AND the crypto map:

!
aaa authentication login VPN local
aaa authorization network vpn1 local 
!
and
crypto map static-map client authentication list VPN
crypto map static-map isakmp authorization list vpn1

2. A separate IP DHCP pool has to be assigned. Otherwise it does not work.

3. For phase two the right transform set had to be set up. For iPads and native iOS Apple clients the following parameters work:

crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac


However, now comes my next problem:

The remote user cannot access any of the other machines in the local network. Pinging works, but nothing more!

They are all Macs. What is certain is that it cannot be a problem up to the network layer. The outbound and return paths are active, as the ping proves. So it must affect protocols of the higher layers, which at most can be blocked by a firewall. Or am I wrong there?

Well, I'll keep searching.
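The three fixes from this post, combined into one consistent remote-access IPsec configuration, together with the phase 1 policy that matches the first proposal the Apple client made in the debug of the opening post (AES-256, SHA, group 2, 3600 s). This is an added example by the editor, not the poster's final config. Names come from the thread (group `remote`, AAA lists `VPN` and `vpn1`, transform set `vpn1`, crypto map `static-map`, dynamic map `dynmap`, Dialer0); the LAN 10.0.40.0/24, the client pool 10.0.50.0/24, the DNS address, the DPD timers and the split-tunnel list are assumptions. Two details the thread does not spell out: the `pool` under the client configuration group must name an `ip local pool` (the opening config pointed at the `ip dhcp pool` of the same name, which is a different object), and the `deny` at the top of the NAT list keeps LAN-to-pool replies from being translated to the Dialer0 address, because on IOS inside-to-outside NAT is applied before the crypto map.

```cisco
! AAA: XAUTH users are checked against the local database via list VPN,
! group attributes (pool, DNS, split tunnel) are authorized via list vpn1.
aaa new-model
aaa authentication login VPN local
aaa authorization network vpn1 local
username remote1 secret <xauth-password>
!
! Addresses handed to VPN clients: an ip local pool, not the ip dhcp pool
ip local pool ipsec-pool 10.0.50.10 10.0.50.50
!
! Phase 1: the first proposal the Apple client offered in the debug
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
! Fallback for clients that offer nothing better than 3DES/MD5
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Dead peer detection: probe after 30 s idle, retry every 5 s (assumed values)
crypto isakmp keepalive 30 5
!
! Group the client dials: name and key must match the settings on the Mac
crypto isakmp client configuration group remote
 key <group-secret>
 dns 10.0.40.1
 pool ipsec-pool
 acl 110
!
! Split tunnel (optional): only the LAN is sent through the tunnel
access-list 110 permit ip 10.0.40.0 0.0.0.255 any
!
! Phase 2: the transform set the thread confirms for the Apple clients
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map client authentication list VPN
crypto map static-map isakmp authorization list vpn1
crypto map static-map client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
! NAT: never translate LAN -> client pool; everything else is overloaded
! onto Dialer0 as before
access-list 101 deny   ip 10.0.40.0 0.0.0.255 10.0.50.0 0.0.0.255
access-list 101 permit ip 10.0.40.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
interface Dialer0
 crypto map static-map
```

Check a connection with `show crypto isakmp sa` (the peer should reach QM_IDLE after XAUTH and mode-config), `show crypto ipsec sa` (encaps and decaps counters on the SA towards the client's pool address should both rise), and `show ip route` (the `reverse-route` entry for the client's address appears while the tunnel is up). The debug in the opening post only shows what the client offers for phase 1; its phase 2 proposals are not on this page, so the transform set above is the one the thread confirms rather than the strongest one the client may support.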
Member: Deepsys
Deepsys Sep 10, 2013 at 07:10:21 (UTC)
Quote from @Timisi:
Hooray, my remote IPsec config finally works.
Nice!

The remote user cannot access any of the other machines in the local network. Pinging works, but nothing more!

They are all Macs. What is certain is that it cannot be a problem up to the network layer. The outbound and return paths are active, as the ping proves. So it must affect protocols of the higher layers, which at most can be blocked by a firewall. Or am I wrong there?
Nope, that'll be the firewall.