I am trying to set up a VPN with self-signed certificates using the native Windows client and am running into a strange IKEv2 fragmentation error.
My router and the native Windows client have both been provisioned with certificates and configured accordingly.
Setup:
DSL-ISP -> Lancom Router@10.42RU2 -> LAN
My notebook is connected to an Apple iOS hotspot and tries to establish the tunnel through it.
In my opinion phase 1 succeeds, but in phase 2 a problem with IKEv2 fragmentation occurs.
Below is a trace excerpt from the router:
[VPN-Status] 2021/03/13 20:42:14,021 Devicetime: 2021/03/13 20:42:13,415
Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 352 bytes
Gateways: 87.X.X.X:500<--80.X.X.X:500
SPIs: "", Message-ID 0
Peer identified: DEFAULT
IKE_SA ('', '' IPSEC_IKE SPIs "") entered to SADB
Received 3 notifications:
+IKEV2_FRAGMENTATION_SUPPORTED (STATUS)
+NAT_DETECTION_SOURCE_IP("") (STATUS)
+NAT_DETECTION_DESTINATION_IP("") (STATUS)
Peer (initiator) is behind a NAT
NAT-T enabled => switching on port 4500
We (responder) are not behind a NAT. NAT-T is already enabled
+IKE-SA:
IKE-Proposal-1 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 19
+Received KE-DH-Group 19 (512 bits)
[VPN-Status] 2021/03/13 20:42:14,021 Devicetime: 2021/03/13 20:42:13,425
Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send
+IKE-SA:
IKE-Proposal-1 (4 transforms)
ENCR : AES-CBC-256
PRF : PRF-HMAC-SHA-256
INTEG: HMAC-SHA-256
DH : 19
+KE-DH-Group 19 (512 bits)
Switching to port pair 4500 ( NAT-T keep-alive is off)
IKE_SA_INIT [responder] for peer DEFAULT initiator id <no ipsec id>, responder id <no ipsec id>
initiator cookie: "", responder cookie: ""
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer DEFAULT Encryption AES-CBC-256 Integrity AUTH-HMAC-SHA-256 IKE-DH-Group 19 PRF-HMAC-SHA-256
life time soft 03/14/2021 23:42:13 (in 97200 sec) / 0 kb
life time hard 03/15/2021 02:42:13 (in 108000 sec) / 0 kb
DPD: NONE
Negotiated: IKEV2_FRAGMENTATION
Sending an IKE_SA_INIT-RESPONSE of 297 bytes (responder)
Gateways: 87.X.X.X:4500-->80.X.X.X:4500, tag 0 (UDP)
SPIs: "", Message-ID 0
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,521
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 2/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,522
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 5/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,522
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 1/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,523
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 3/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,522
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 1/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,523
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 3/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,523
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 6/7
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,524
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 4/7
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,516
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 1/7
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,517
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 2/7
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,518
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 3/7
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,519
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 4/7
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,520
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 5/7
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,521
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 6/7
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,523
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 388 bytes (encrypted)
Gateways: 87.X.X.X:4500<--80.X.X.X:4500
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 7/7
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,541
vpn-maps[29], remote: Name@Mail, nego, connected-by-name
[VPN-Status] 2021/03/13 20:42:15,194 Devicetime: 2021/03/13 20:42:14,639
Peer Name@mail: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID 87.X.X.X:IPV4_ADDR
+I use AUTH(ECDSA-256:SHA-256)
+Signature of length 64 bytes (512 bits) computed
IKE_SA_INIT [responder] for peer Name@mail initiator id E=MeineMail,CN=MeinCN,OU="",O="",L="",ST="",C=DE, responder id 87.X.X.X
initiator cookie: "", responder cookie: ""
NAT-T enabled. We are not behind a nat, the remote side is behind a nat
SA ISAKMP for peer Name@Mail Encryption AES-CBC-256 Integrity AUTH-HMAC-SHA-256 IKE-DH-Group 19 PRF-HMAC-SHA-256
life time soft 03/14/2021 23:42:14 (in 97200 sec) / 0 kb
life time hard 03/15/2021 02:42:14 (in 108000 sec) / 0 kb
DPD: 30 sec
Negotiated: IKEV2_FRAGMENTATION
NOTIFY(INTERNAL_ADDRESS_FAILURE)
Encrypted message is too big (1104 bytes) -> should be ikev2 fragmented (MTU 580)
CHILD_SA ('', '' ) removed from SADB
CHILD_SA ('', '' ) freed
Sending an IKE_AUTH-RESPONSE of 1067 bytes (responder)
Gateways: 87.X.X.X:4500-->80.X.X.X:26108, tag 0 (UDP)
SPIs: "", Message-ID 1
Sending 2 ikev2 fragment(s) of 580 bytes and last fragment of size 100 bytes
I created the VPN connection manually in Windows 10@1909 and then changed the parameters with Set-VpnConnectionIPsecConfiguration to make the VPN compatible with ECDSA.
The error message "Encrypted message is too big (1104 bytes) -> should be ikev2 fragmented (MTU 580)" leaves me somewhat puzzled, since according to my research Windows 10 supports IKEv2 fragmentation per se.
I should add that I can establish a VPN to my router via iOS at any time, so I rule out line errors.
The Windows 10 client aborts the VPN with the message: "Fehler beim Zuweisen der inneren Ip-Adresse zum Initiator im Tunnelmodus." (error assigning the inner IP address to the initiator in tunnel mode).
Have a nice weekend
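As an added example (not part of the post above and not LANCOM or Microsoft code), here is a small triage script for traces of this shape. It splits a VPN-Status trace into events, tracks per Message-ID which IKEv2 fragments the reassembler accepted, which arrived again unflagged, which were dropped as replays, and collects any NOTIFY payloads and "too big" warnings the responder logged. The embedded trace is a constructed, shortened three-fragment variant modelled on the post's log (the real exchange has 7 fragments); the regexes are written against the line formats visible in the post and are assumptions for any other firmware version.

```python
"""Triage helper for LANCOM-style IKEv2 VPN-Status traces (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the post: a 3-fragment IKE_AUTH request whose
# fragment 1 arrives twice, a retransmission of fragments 1 and 2 that the
# reassembler drops as replays, the last fragment, and the responder's reply.
SAMPLE_TRACE = """\
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,521
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 1/3
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,522
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 2/3
[VPN-Status] 2021/03/13 20:42:14,052 Devicetime: 2021/03/13 20:42:13,523
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 1/3
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,516
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 1/3
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,517
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 580 bytes (encrypted)
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 2/3
IKEv2-Reassembler: This is a replayed fragment -> Silently dropped
-Error processing fragment (error 5)
[VPN-Status] 2021/03/13 20:42:15,088 Devicetime: 2021/03/13 20:42:14,523
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 388 bytes (encrypted)
SPIs: "", Message-ID 1
Ikev2 Fragment Number/Total: 3/3
[VPN-Status] 2021/03/13 20:42:15,194 Devicetime: 2021/03/13 20:42:14,639
Peer Name@mail: Constructing an IKE_AUTH-RESPONSE for send
NOTIFY(INTERNAL_ADDRESS_FAILURE)
Encrypted message is too big (1104 bytes) -> should be ikev2 fragmented (MTU 580)
Sending an IKE_AUTH-RESPONSE of 1067 bytes (responder)
SPIs: "", Message-ID 1
"""

# Line formats taken from the trace in the post (assumed stable across firmware).
FRAG_RE = re.compile(r"Ikev2 Fragment Number/Total: (\d+)/(\d+)")
MSGID_RE = re.compile(r"Message-ID (\d+)")
NOTIFY_RE = re.compile(r"NOTIFY\(([A-Z_]+)\)")
TOOBIG_RE = re.compile(r"too big \((\d+) bytes\).*MTU (\d+)\)")
REPLAY_MARK = "This is a replayed fragment"


@dataclass
class Report:
    """What the trace says about each exchange, keyed by IKEv2 Message-ID."""
    seen: dict = field(default_factory=dict)              # msg_id -> accepted fragment numbers
    totals: dict = field(default_factory=dict)            # msg_id -> announced fragment total
    duplicates: Counter = field(default_factory=Counter)  # repeats not flagged as replay
    replayed: Counter = field(default_factory=Counter)    # fragments dropped as replays
    notifies: list = field(default_factory=list)          # NOTIFY names the responder logged
    too_big: list = field(default_factory=list)           # (message size, fragment MTU)

    def missing(self, msg_id):
        return set(range(1, self.totals[msg_id] + 1)) - self.seen.get(msg_id, set())


def split_events(trace):
    """Group lines into events; each event starts with a '[VPN-Status]' line."""
    events, current = [], []
    for line in trace.splitlines():
        if line.startswith("[VPN-Status]") and current:
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events


def analyse(trace):
    rep = Report()
    for ev in split_events(trace):
        text = "\n".join(ev)
        mid = MSGID_RE.search(text)
        msg_id = int(mid.group(1)) if mid else None
        frag = FRAG_RE.search(text)
        if frag and msg_id is not None:
            n, total = int(frag.group(1)), int(frag.group(2))
            rep.totals[msg_id] = total
            if REPLAY_MARK in text:            # reassembler already had this one
                rep.replayed[msg_id] += 1
            elif n in rep.seen.setdefault(msg_id, set()):
                rep.duplicates[msg_id] += 1    # repeat the trace did not flag
            else:
                rep.seen[msg_id].add(n)
        rep.notifies += NOTIFY_RE.findall(text)
        rep.too_big += [(int(s), int(m)) for s, m in TOOBIG_RE.findall(text)]
    return rep


def summary(rep):
    """One triage line per fragmented exchange, plus notifies and size warnings."""
    lines = []
    for msg_id, total in sorted(rep.totals.items()):
        missing = rep.missing(msg_id)
        state = "complete" if not missing else f"missing {sorted(missing)}"
        lines.append(f"Message-ID {msg_id}: {len(rep.seen.get(msg_id, ()))}/{total} fragments, "
                     f"{state}, {rep.duplicates[msg_id]} unflagged duplicate(s), "
                     f"{rep.replayed[msg_id]} replay-dropped")
    lines += [f"responder sent NOTIFY({name})" for name in rep.notifies]
    lines += [f"outgoing message of {s} bytes exceeds fragment MTU {m}" for s, m in rep.too_big]
    return lines


if __name__ == "__main__":
    print("\n".join(summary(analyse(SAMPLE_TRACE))))
```

Run against the post's full trace, the summary separates two independent observations the log mixes together: the request side reassembled every fragment (the replay drops are retransmissions, not losses), while the response side carries an INTERNAL_ADDRESS_FAILURE notify and a message larger than the negotiated fragment MTU. Keeping those apart is what makes the trace readable for a support ticket.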