IKEv2 connection between iOS/MacOS and Lances is established, but no traffic

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

Alfred
Posts: 82
Registered: 16 Dec 2004, 18:14

IKEv2 connection between iOS/MacOS and Lances is established, but no traffic

Post by Alfred »

Hello,
I have switched our client-to-site connections between 2 iOS and 2 MacOS devices from IKEv1 to IKEv2.
I first removed the IKEv1 connections with the Lanconfig wizard and then set them up again following this guide (here for MacOS): https://support.lancom-systems.com/know ... El+Capitan
In parallel, a site-to-site connection to another site is still set up with IKEv1; it continues to work flawlessly.

Now to the problem:
No traffic at all is possible over the newly set up IKEv2 connections; I cannot even ping the router's IP address. Same symptoms on the iPhone, the iPad and two MacBooks.
However, both MacOS/iOS and Lanmonitor show the connection as established and OK.
I have no experience with IKEv2 yet, so I am somewhat at a loss.

Here are the VPN rules:

Code:

> show vpn

VPN SPD and IKE configuration:

  # of rules = 22

  Rule #1          ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.92/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-1-MB-RETINA-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 109.40.3.17)
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.92/255.255.255.255)

  Rule #2          ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.92/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-1-MB-RETINA-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 109.40.3.17)
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.92/255.255.255.255)

  Rule #3          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.92/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-1-MB-RETINA-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 109.40.3.17)
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.92/255.255.255.255)

  Rule #4          ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.91/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-1-MACBOOK-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.91/255.255.255.255)

  Rule #5          ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.91/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-1-MACBOOK-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.91/255.255.255.255)

  Rule #6          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.91/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-1-MACBOOK-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.91/255.255.255.255)

  Rule #7          ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-1-IPHONE-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.93/255.255.255.255)

  Rule #8          ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-1-IPHONE-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.93/255.255.255.255)

  Rule #9          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-1-IPHONE-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.93/255.255.255.255)

  Rule #10         ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-1-IPAD-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.94/255.255.255.255)

  Rule #11         ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-1-IPAD-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.94/255.255.255.255)

  Rule #12         ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-1-IPAD-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.94/255.255.255.255)

  Rule #13         ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-0-MB-RETINA-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 109.40.3.17)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)

  Rule #14         ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-0-MACBOOK-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)

  Rule #15         ikev2        192.168.1.0/255.255.255.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-0-IPHONE-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.1.0/255.255.255.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)

  Rule #16         ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-0-IPAD-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)

  Rule #17         ikev1        10.0.0.0/255.0.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-1-RTR-41-pr0-l2-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.100.0/255.255.255.0)

  Rule #18         ikev1        172.16.0.0/255.240.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-1-RTR-41-pr0-l1-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.100.0/255.255.255.0)

  Rule #19         ikev1        192.168.0.0/255.255.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-1-RTR-41-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.100.0/255.255.255.0)

  Rule #20         ikev1        10.0.0.0/255.0.0.0:0 <-> 192.168.4.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-0-RTR-41-pr0-l2-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.0)

  Rule #21         ikev1        172.16.0.0/255.240.0.0:0 <-> 192.168.4.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-0-RTR-41-pr0-l1-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.0)

  Rule #22         ikev1        192.168.0.0/255.255.0.0:0 <-> 192.168.4.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-0-RTR-41-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.123.50.56)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.0)

And also a VPN-Debug and VPN-IKE trace:

Code:

[VPN-IKE] 2020/08/24 16:22:01,258  Devicetime: 2020/08/24 16:22:02,022
[DEFAULT] Received packet:
IKE 2.0 Header:
Source/Port         : 109.40.3.17:27602
Destination/Port    : 87.123.50.56:500
Routing-tag         : 0
Com-channel         : 0
| Initiator cookie  : 0E 61 E6 9F E0 E1 37 A5
| Responder cookie  : 00 00 00 00 00 00 00 00
| Next Payload      : SA
| Version           : 2.0
| Exchange type     : IKE_SA_INIT
| Flags             : 0x08   Initiator
| Msg-ID            : 0
| Length            : 604 Bytes
SA Payload
| Next Payload      : KE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 220 Bytes
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 1
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 2048-BIT MODP (14)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 2
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 256-BIT RANDOM ECP (19)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 3
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 1536-BIT MODP (5)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : PROPOSAL
| | Reserved        : 0x00
| | Length          : 44 Bytes
| | Proposal number : 4
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 12 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : AES-CBC (12)
| | | Attribute 0
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 128
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 1024-BIT MODP (2)
| | | Attributes    : NONE
| PROPOSAL Payload
| | Next Payload    : NONE
| | Reserved        : 0x00
| | Length          : 40 Bytes
| | Proposal number : 5
| | Protocol ID     : IPSEC_IKE
| | SPI size        : 0
| | #Transforms     : 4
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: ENCR (1)
| | | Reserved2     : 0x00
| | | Transform ID  : 3DES (3)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: PRF (2)
| | | Reserved2     : 0x00
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : TRANSFORM
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: INTEG (3)
| | | Reserved2     : 0x00
| | | Transform ID  : HMAC-SHA1 (2)
| | | Attributes    : NONE
| | TRANSFORM Payload
| | | Next Payload  : NONE
| | | Reserved      : 0x00
| | | Length        : 8 Bytes
| | | Transform Type: DH (4)
| | | Reserved2     : 0x00
| | | Transform ID  : 1024-BIT MODP (2)
| | | Attributes    : NONE
KE Payload
| Next Payload      : NONCE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 264 Bytes
| DH Group          : 14
| Reserved2         : 0x0000
| DH-Key(2048 bits) : A7 CC CE E6 C2 E5 7D 65 BC 5A 54 27 40 15 12 93
|                     89 69 DA CD 66 5B E2 6D B9 28 B2 03 5E EE 09 CE
|                     E9 C0 77 89 8D 45 C9 B6 44 A7 04 C0 D7 8C 50 F8
|                     B7 CE F6 D3 E4 17 0E F1 5A C8 7E 1D 74 05 28 B3
|                     51 D7 0F 71 54 F6 CD E7 E4 2B 80 AC AE 06 8A 3E
|                     2A 86 81 2C 81 72 1A E3 DC 69 76 D1 70 BB 36 B1
|                     43 85 44 9D D0 9A 43 D7 F0 9C 36 CB 09 58 43 24
|                     37 C9 42 7E FB A8 22 B4 FD 5A 4E B1 83 C9 72 18
|                     A6 F1 98 5F EC 61 85 3F C6 8E F1 B9 77 12 66 8D
|                     CD 8F E6 52 84 5C FC 4D 1E 7C 77 5E 5E 5F 46 41
|                     08 8B F0 DC AB 4B CF 03 94 7F 3D F0 A4 1E A7 A2
|                     D8 04 2C FC 88 7C DF 9B 03 6E EA FC CD C4 32 A5
|                     E2 A0 03 8C A5 23 AA DC CC 7A DE 87 F5 5E B4 6A
|                     85 12 DA 24 06 A9 20 07 B7 FE 19 8D CB 86 89 67
|                     23 98 92 8C 41 89 9B FD C2 25 92 D4 5F 49 CC 4B
|                     E3 8F B4 18 C6 BC 26 2C 73 46 BF C0 E7 09 BF B1
NONCE Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 20 Bytes
| Nonce(128 bits)   : B5 74 D1 7A 9D 8A 4C 9D 9F A3 8C 31 DA 9D FC A7
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : REDIRECT_SUPPORTED
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_SOURCE_IP
| Notif. data       : 84 CC 98 34 7A A0 6C 5C E9 F5 A0 28 47 A4 7E 46
|                     3B 40 29 D1
NOTIFY Payload
| Next Payload      : NOTIFY
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 28 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : STATUS_NAT_DETECTION_DESTINATION_IP
| Notif. data       : 5C 9D 83 68 AC EF F2 69 91 79 08 19 D8 4F 76 C1
|                     37 4A 11 6F
NOTIFY Payload
| Next Payload      : NONE
| CRITICAL          : NO
| Reserved          : 0x00
| Length            : 8 Bytes
| Protocol ID       : <Unknown 0>
| SPI size          : 0
| Message type      : IKEV2_FRAGMENTATION_SUPPORTED

Does anyone have an idea where the problem might lie?

Regards
Alfred
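
Added example, not part of the original post and not LANCOM code: it parses the SA payload of a VPN-IKE trace in the layout shown above and compares each offered proposal with the gateway's IKE proposal (values taken from the "show vpn long" output later in this thread). `SAMPLE_TRACE` is a constructed excerpt, the function names are hypothetical, and picking the first acceptable proposal in the initiator's order is an assumption of this sketch.

```python
import re

# Constructed excerpt in the layout of the VPN-IKE trace above: proposals 1, 2
# and 5 of the client's IKE_SA_INIT, with fields the comparison ignores left out.
SAMPLE_TRACE = """\
| PROPOSAL Payload
| | Proposal number : 1
| | | Transform Type: ENCR (1)
| | | Transform ID  : AES-CBC (12)
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | | Transform Type: PRF (2)
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Transform Type: INTEG (3)
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Transform Type: DH (4)
| | | Transform ID  : 2048-BIT MODP (14)
| PROPOSAL Payload
| | Proposal number : 2
| | | Transform Type: ENCR (1)
| | | Transform ID  : AES-CBC (12)
| | | | Type        : Basic, KEYLENGTH
| | | | Value       : 256
| | | Transform Type: PRF (2)
| | | Transform ID  : PRF-HMAC-SHA-256 (5)
| | | Transform Type: INTEG (3)
| | | Transform ID  : HMAC-SHA-256 (12)
| | | Transform Type: DH (4)
| | | Transform ID  : 256-BIT RANDOM ECP (19)
| PROPOSAL Payload
| | Proposal number : 5
| | | Transform Type: ENCR (1)
| | | Transform ID  : 3DES (3)
| | | Transform Type: PRF (2)
| | | Transform ID  : PRF-HMAC-SHA1 (2)
| | | Transform Type: INTEG (3)
| | | Transform ID  : HMAC-SHA1 (2)
| | | Transform Type: DH (4)
| | | Transform ID  : 1024-BIT MODP (2)
"""

# Gateway side, as listed under "IKE Proposal" in the "show vpn long" output
# in this thread (DH groups by number). Treat as an assumption for your setup.
GATEWAY_POLICY = {
    "ENCR": {"AES-CBC-256"},
    "PRF": {"PRF-HMAC-SHA-256", "PRF-HMAC-SHA1"},
    "INTEG": {"HMAC-SHA-256", "HMAC-SHA1"},
    "DH": {"14"},
}

FIELD = re.compile(r"^[|\s]*([^:]+?)\s*:\s*(.*?)\s*$")   # "| | key : value"
NAME_ID = re.compile(r"^(.*?)\s*\((\d+)\)$")             # "AES-CBC (12)"


def parse_proposals(trace):
    """Return {proposal number: {transform type: [offered transforms]}}."""
    proposals, current, ttype = {}, None, None
    for line in trace.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Proposal number":
            current, ttype = proposals.setdefault(int(value), {}), None
        elif current is None:
            continue  # header fields before the first proposal
        elif key == "Transform Type":
            t = NAME_ID.match(value)
            ttype = t.group(1) if t else None
        elif key == "Transform ID" and ttype:
            t = NAME_ID.match(value)
            if t:  # DH groups are compared by number, the rest by name
                current.setdefault(ttype, []).append(t.group(2) if ttype == "DH" else t.group(1))
        elif key == "Value" and ttype == "ENCR" and current.get("ENCR"):
            current["ENCR"][-1] += "-" + value  # KEYLENGTH attribute -> AES-CBC-256
    return proposals


def mismatches(transforms, policy=GATEWAY_POLICY):
    """Transform types where the proposal offers nothing the policy allows."""
    return [t for t in policy if not policy[t] & set(transforms.get(t, []))]


def select_proposal(proposals, policy=GATEWAY_POLICY):
    """First fully acceptable proposal in the initiator's order, else None."""
    for number in sorted(proposals):
        if not mismatches(proposals[number], policy):
            return number
    return None


if __name__ == "__main__":
    offered = parse_proposals(SAMPLE_TRACE)
    for number, transforms in sorted(offered.items()):
        print(number, transforms, "rejected on:", mismatches(transforms) or "nothing")
    print("selected proposal:", select_proposal(offered))
```

The parser skips every line it does not need, so the complete trace text can be passed to `parse_proposals` in place of the excerpt.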
GrandDixence
Posts: 1054
Registered: 19 Aug 2014, 22:41

Re: IKEv2 connection between iOS/MacOS and Lances is established, but no traffic

Post by GrandDixence »

Compare the VPN configuration with the corresponding VPN guide at:
fragen-zum-thema-vpn-f14/vpn-via-androi ... tml#p97795

Perform the LANCOM-side VPN diagnosis (=> VPN traces) (the VPN trace above is far too small for troubleshooting):
viewtopic.php?f=31&t=17621&p=99943#p99943
Anything else is reading tea leaves.
Alfred
Posts: 82
Registered: 16 Dec 2004, 18:14

Re: IKEv2 connection between iOS/MacOS and Lances is established, but no traffic

Post by Alfred »

Hello,

here once more is the result of a "show VPN long":

Code:

VPN SPD and IKE configuration:

  # of rules = 22

  Rule #1          ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.92/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-1-MB-RETINA-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.92/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MB_RETINA-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #2          ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.92/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-1-MB-RETINA-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.92/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MB_RETINA-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #3          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.92/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-1-MB-RETINA-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.92/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MB_RETINA-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #4          ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.91/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-1-MACBOOK-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.91/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MACBOOK-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #5          ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.91/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-1-MACBOOK-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.91/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MACBOOK-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #6          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.91/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-1-MACBOOK-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.91/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MACBOOK-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #7          ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-1-IPHONE-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.93/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPHONE-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #8          ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-1-IPHONE-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.93/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPHONE-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #9          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-1-IPHONE-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.93/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPHONE-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #10         ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-1-IPAD-pr0-l2-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.94/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPAD-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #11         ikev2        172.16.0.0/255.240.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-1-IPAD-pr0-l1-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.94/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPAD-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #12         ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-1-IPAD-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR(any:0, 192.168.1.94/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPAD-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #13         ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       MB-RETINA
    Unique Id:                  ipsec-0-MB-RETINA-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MB_RETINA-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #14         ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       MACBOOK
    Unique Id:                  ipsec-0-MACBOOK-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-MACBOOK-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #15         ikev2        192.168.1.0/255.255.255.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       IPHONE
    Unique Id:                  ipsec-0-IPHONE-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.1.0/255.255.255.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPHONE-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #16         ikev2        0.0.0.0/0.0.0.0:0 <-> 0.0.0.0/255.255.255.255:0 any

    Name:                       IPAD
    Unique Id:                  ipsec-0-IPAD-pr0-l0-r0
    Flags:                      IKE_SA_INIT
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
    Local  Gateway:             unspecified
    Remote Gateway:             unspecified
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 0.0.0.0/255.255.255.255)
    IKE Proposal      :         IKE-PROPOSAL-IPAD-1
      ENCR-Transforms :         AES-CBC-256
      PRF-Transforms  :         PRF-HMAC-SHA-256,PRF-HMAC-SHA1
      INTEG-Transforms:         HMAC-SHA-256,HMAC-SHA1
      DH-Transforms   :         14
      Lifetime (hard) :         0 kb
      Lifetime (hard) :         108000 sec
    IKE Identities and Keys:
      Local  Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Remote Identity      :    (PRESHARED_KEY, xxxxxxxxxxxxxxxxxx:USER_FQDN)
      Local/Remote Keys    :    *
    IPSec Protocol         :    ESP
      ENCR-Transforms      :    AES-CBC-256
      INTEG-Transforms     :    HMAC-SHA-256,HMAC-SHA1
      DH-Transforms        :    none
      ESN-Transforms       :    NONE
      Lifetime (hard)      :    2000000 kb
      Lifetime (hard)      :    28800 sec

  Rule #17         ikev1        10.0.0.0/255.0.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-1-RTR-41-pr0-l2-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.122.222.218)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.100.0/255.255.255.0)
    IKE Proposal List:          isakmp-WIZ-IKE-PRESH-KEY-gr16
      # of proposals = 1
      IKE Proposal #1:          prop-WIZ-PSK-AESSHA256-ike-gr16
        IKE Encryption:         AES_CBC
        IKE Hash:               SHA-256
        Authentication:         PRE_SHARED
        IKE Group:              MODP_4096
        Lifetime (sec, hard):   108000,0:108000
        Lifetime (KB, hard):    ANY
    IKE Identities and Key:
      Key:                      *
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
      # of proposals = 1
      IPSec Proposal #1:        IPSEC_ESP AES_CBC(256,256:256) HMAC-SHA-256
          Encapsulation Mode:   TUNNEL
          PFS Group:            MODP_4096
          Lifetime (sec, hard): 28800,0:28800
          Lifetime (KB, hard):  2000000,0:2000000

  Rule #18         ikev1        172.16.0.0/255.240.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-1-RTR-41-pr0-l1-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.122.222.218)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.100.0/255.255.255.0)
    IKE Proposal List:          isakmp-WIZ-IKE-PRESH-KEY-gr16
      # of proposals = 1
      IKE Proposal #1:          prop-WIZ-PSK-AESSHA256-ike-gr16
        IKE Encryption:         AES_CBC
        IKE Hash:               SHA-256
        Authentication:         PRE_SHARED
        IKE Group:              MODP_4096
        Lifetime (sec, hard):   108000,0:108000
        Lifetime (KB, hard):    ANY
    IKE Identities and Key:
      Key:                      *
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
      # of proposals = 1
      IPSec Proposal #1:        IPSEC_ESP AES_CBC(256,256:256) HMAC-SHA-256
          Encapsulation Mode:   TUNNEL
          PFS Group:            MODP_4096
          Lifetime (sec, hard): 28800,0:28800
          Lifetime (KB, hard):  2000000,0:2000000

  Rule #19         ikev1        192.168.0.0/255.255.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-1-RTR-41-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.122.222.218)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.100.0/255.255.255.0)
    IKE Proposal List:          isakmp-WIZ-IKE-PRESH-KEY-gr16
      # of proposals = 1
      IKE Proposal #1:          prop-WIZ-PSK-AESSHA256-ike-gr16
        IKE Encryption:         AES_CBC
        IKE Hash:               SHA-256
        Authentication:         PRE_SHARED
        IKE Group:              MODP_4096
        Lifetime (sec, hard):   108000,0:108000
        Lifetime (KB, hard):    ANY
    IKE Identities and Key:
      Key:                      *
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
      # of proposals = 1
      IPSec Proposal #1:        IPSEC_ESP AES_CBC(256,256:256) HMAC-SHA-256
          Encapsulation Mode:   TUNNEL
          PFS Group:            MODP_4096
          Lifetime (sec, hard): 28800,0:28800
          Lifetime (KB, hard):  2000000,0:2000000

  Rule #20         ikev1        10.0.0.0/255.0.0.0:0 <-> 192.168.4.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-0-RTR-41-pr0-l2-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.122.222.218)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.0)
    IKE Proposal List:          isakmp-WIZ-IKE-PRESH-KEY-gr16
      # of proposals = 1
      IKE Proposal #1:          prop-WIZ-PSK-AESSHA256-ike-gr16
        IKE Encryption:         AES_CBC
        IKE Hash:               SHA-256
        Authentication:         PRE_SHARED
        IKE Group:              MODP_4096
        Lifetime (sec, hard):   108000,0:108000
        Lifetime (KB, hard):    ANY
    IKE Identities and Key:
      Key:                      *
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
      # of proposals = 1
      IPSec Proposal #1:        IPSEC_ESP AES_CBC(256,256:256) HMAC-SHA-256
          Encapsulation Mode:   TUNNEL
          PFS Group:            MODP_4096
          Lifetime (sec, hard): 28800,0:28800
          Lifetime (KB, hard):  2000000,0:2000000

  Rule #21         ikev1        172.16.0.0/255.240.0.0:0 <-> 192.168.4.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-0-RTR-41-pr0-l1-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 172.16.0.0/255.240.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.122.222.218)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.0)
    IKE Proposal List:          isakmp-WIZ-IKE-PRESH-KEY-gr16
      # of proposals = 1
      IKE Proposal #1:          prop-WIZ-PSK-AESSHA256-ike-gr16
        IKE Encryption:         AES_CBC
        IKE Hash:               SHA-256
        Authentication:         PRE_SHARED
        IKE Group:              MODP_4096
        Lifetime (sec, hard):   108000,0:108000
        Lifetime (KB, hard):    ANY
    IKE Identities and Key:
      Key:                      *
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
      # of proposals = 1
      IPSec Proposal #1:        IPSEC_ESP AES_CBC(256,256:256) HMAC-SHA-256
          Encapsulation Mode:   TUNNEL
          PFS Group:            MODP_4096
          Lifetime (sec, hard): 28800,0:28800
          Lifetime (KB, hard):  2000000,0:2000000

  Rule #22         ikev1        192.168.0.0/255.255.0.0:0 <-> 192.168.4.0/255.255.255.0:0 any

    Name:                       RTR-41
    Unique Id:                  ipsec-0-RTR-41-pr0-l0-r0
    Flags:                      main-mode
    Local  Network:             IPV4_ADDR_SUBNET(any:0, 192.168.0.0/255.255.0.0)
    Local  Gateway:             IPV4_ADDR(any:0, 87.122.222.218)
    Remote Gateway:             IPV4_ADDR(any:0, 5.146.21.37)
    Remote Network:             IPV4_ADDR_SUBNET(any:0, 192.168.4.0/255.255.255.0)
    IKE Proposal List:          isakmp-WIZ-IKE-PRESH-KEY-gr16
      # of proposals = 1
      IKE Proposal #1:          prop-WIZ-PSK-AESSHA256-ike-gr16
        IKE Encryption:         AES_CBC
        IKE Hash:               SHA-256
        Authentication:         PRE_SHARED
        IKE Group:              MODP_4096
        Lifetime (sec, hard):   108000,0:108000
        Lifetime (KB, hard):    ANY
    IKE Identities and Key:
      Key:                      *
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
      # of proposals = 1
      IPSec Proposal #1:        IPSEC_ESP AES_CBC(256,256:256) HMAC-SHA-256
          Encapsulation Mode:   TUNNEL
          PFS Group:            MODP_4096
          Lifetime (sec, hard): 28800,0:28800
          Lifetime (KB, hard):  2000000,0:2000000

I have already checked the settings several times to the best of my knowledge, and I have also created an empty configuration, let the wizard create the VPN connections there, and compared the results.

A longer VPN trace does not yield any different results either, only entries that repeat exactly. I have let the trace run for up to 10 minutes without getting any more information out of it.
If traces other than VPN-IKE and VPN-Debug could help, I am happy to provide them.

Regards
Alfred
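
Added example, not part of the original post and not LANCOM tooling: a small Python parser for output in the `show vpn` layout pasted above. It condenses each rule to its selectors and child-SA PFS group and marks rules whose remote host address lies inside the rule's own local network (as in Rule #9). `SAMPLE` is a shortened excerpt in that layout, and the function names are made up for this example.

```python
import ipaddress
import re

# Shortened excerpt in the layout of the `show vpn` output (sample for this example).
SAMPLE = """\
  Rule #9          ikev2        192.168.0.0/255.255.0.0:0 <-> 192.168.1.93/255.255.255.255:0 any

    Name:                       IPHONE
    IKE Proposal      :         IKE-PROPOSAL-IPHONE-1
      DH-Transforms   :         14
    IPSec Protocol         :    ESP
      DH-Transforms        :    none

  Rule #10         ikev2        10.0.0.0/255.0.0.0:0 <-> 192.168.1.94/255.255.255.255:0 any

    Name:                       IPAD
    IKE Proposal      :         IKE-PROPOSAL-IPAD-1
      DH-Transforms   :         14
    IPSec Protocol         :    ESP
      DH-Transforms        :    none

  Rule #17         ikev1        10.0.0.0/255.0.0.0:0 <-> 192.168.100.0/255.255.255.0:0 any

    Name:                       RTR-41
    IPSec Proposal List:        ipsec-IPS-RTR-41-gr16
          PFS Group:            MODP_4096
"""

# Header: "Rule #<n> <ikev1|ikev2> <local net>:<port> <-> <remote net>:<port> <proto>"
RULE_RE = re.compile(r"^\s*Rule #(\d+)\s+(ikev[12])\s+(\S+):\d+ <-> (\S+):\d+ ", re.M)


def parse_rules(text):
    """Return one summary dict per rule found in `show vpn` style output."""
    heads = list(RULE_RE.finditer(text))
    rules = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        local = ipaddress.ip_network(head.group(3), strict=False)
        remote = ipaddress.ip_network(head.group(4), strict=False)
        name = re.search(r"^\s*Name:\s*(\S+)", body, re.M)
        # Everything from "IPSec Pro..." on describes the child SA (ESP), so a
        # DH/PFS value found there is the PFS group, not the IKE SA group.
        child = body[body.find("IPSec Pro"):] if "IPSec Pro" in body else ""
        pfs = re.search(r"(?:DH-Transforms|PFS Group)\s*:\s*(\S+)", child)
        pfs_group = pfs.group(1) if pfs and pfs.group(1).lower() != "none" else None
        rules.append({
            "rule": int(head.group(1)), "ike": head.group(2),
            "name": name.group(1) if name else None,
            "local": str(local), "remote": str(remote), "pfs_group": pfs_group,
            # Assumption: a remote of 0.0.0.0 with a host mask means "address
            # not assigned yet" and is not counted as an overlap.
            "remote_in_local": (not remote.network_address.is_unspecified
                                and remote.subnet_of(local)),
        })
    return rules


def overlapping_rules(text):
    """Rule numbers whose remote selector lies inside the local selector."""
    return [r["rule"] for r in parse_rules(text) if r["remote_in_local"]]
```

Calling `parse_rules()` on the complete router output gives one dict per rule, which makes the 22 rules comparable at a glance.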