I have now set this up again on a new notebook with nothing on it except the Advanced VPN Client and Windows 11, again exactly according to the instructions. Same result.
Here is the trace again, with the suspicious spots:
[VPN-Debug] 2024/09/04 10:36:53,273 Devicetime: 2024/09/04 10:36:52,751
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 1851 bytes
Gateways: 217.86.178.23:4500<--192.168.57.50:4500
SPIs: 0xF370D0B564F82429438F6F3F2B398765, Message-ID 1
Payloads: IDI, CERT(X509), NOTIFY(INITIAL_CONTACT), NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED), CERTREQ, AUTH(DIGITAL SIGNATURE), CP(REQUEST), SA, TSI, TSR, VENDOR(ikev2 rfc-3706-dead-peer-detection), NOTIFY(MOBIKE_SUPPORTED), NOTIFY(MULTIPLE_AUTH_SUPPORTED)
+IKE_SA found and assigned
+Exchange created (flags: 0x00000000)
(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0xF370D0B564F82429438F6F3F2B39876500000001, P2, RESPONDER): Setting Negotiation SA
Referencing (CHILD_SA, 0xF370D0B564F82429438F6F3F2B3987650000000100, responder): use_count 3
instance rule set found in dynamic map (peer redials after a connection loss?)
Looking for payload IDI (35)...Found 1 payload.
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=FWNB11:DER_ASN1_DN
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=FWNB11:DER_ASN1_DN
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=HO-BLECKER-1:DER_ASN1_DN
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=HO-BLECKER-1:DER_ASN1_DN
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=HO-BLECKER-1:DER_ASN1_DN
Looking for payload VENDOR (43)...Found 1 payload.
Looking for payload CERT(X509) (37)...Found 1 payload.
Subject: CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154
Issuer : CN=GEMEINDE Moria CA,O=IT,C=DE
Looking for payload NOTIFY(INITIAL_CONTACT) (41)...Found 1 payload.
[VPN-Status] 2024/09/04 10:36:53,273 Devicetime: 2024/09/04 10:36:52,751
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 1851 bytes
Gateways: 217.86.178.23:4500<--192.168.57.50:4500
SPIs: 0xF370D0B564F82429438F6F3F2B398765, Message-ID 1
CHILD_SA ('', '' ) entered to SADB
Updating remote port to 10954
Received 4 notifications:
+INITIAL_CONTACT (STATUS)
+HTTP_CERT_LOOKUP_SUPPORTED (STATUS)
+MOBIKE_SUPPORTED (STATUS)
+MULTIPLE_AUTH_SUPPORTED (STATUS)
+Received-ID:AUTH CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN:DIGITAL SIGNATURE matches Expected-ID:AUTH ID_NONE:ID_NONE:DIGITAL SIGNATURE
+Road-warrior identified and accepted (Peer FWNB11C00B using DIGITAL_SIGNATURE)
+Peer uses AUTH(DIGITAL SIGNATURE:RSASSA-PSS-with-SHA-256)
+Received padding scheme RSA_PKCS1_PSS_PADDING is stronger than configured padding scheme RSA_PKCS1_PADDING
+Authentication successful
IKE_SA ('FWNB11C00B', 'ISAKMP-PEER-DEFAULT' IPSEC_IKE SPIs 0xF370D0B564F82429438F6F3F2B398765) removed from SADB
IKE_SA ('FWNB11C00B', 'ISAKMP-PEER-DEFAULT' IPSEC_IKE SPIs 0xF370D0B564F82429438F6F3F2B398765) entered to SADB
Request attributes:
INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_NETMASK()
INTERNAL_IP4_DNS()
INTERNAL_IP4_NBNS()
<Unknown 20002>()
INTERNAL_IP4_SUBNET()
INTERNAL_DNS_DOMAIN()
APPLICATION_VERSION()
<Unknown 28672>()
<Unknown 28673>()
<Unknown 28674>()
<Unknown 20006>()
<Unknown 20007>()
<Unknown 28675>()
<Unknown 28676>()
<Unknown 28677>()
<Unknown 28678>()
<Unknown 28679>()
<Unknown 28680>()
<Unknown 28681>()
<Unknown 20003>()
<Unknown 20004>()
<Unknown 28682>()
<Unknown 20005>(46574E423131)
<Unknown 28682>(46574E423131)
-Not configured as Server (REPLY) -> abort
[VPN-Debug] 2024/09/04 10:36:53,325 Devicetime: 2024/09/04 10:36:52,789
Peer FWNB11C00B: Constructing an IKE_AUTH-RESPONSE for send
Constructing payload NOTIFY(REDIRECT) (41):
+No Redirection
Constructing payload NOTIFY(MANAGEMENT_IP4_ADDRESS) (41):
Constructing payload NOTIFY(MANAGEMENT_IP6_ADDRESS) (41):
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
IKE_SA(0xF370D0B564F82429438F6F3F2B398765).EXPECTED-MSG-ID raised to 2
IPSEC overhead initialized to 42
(IKEv2-Exchange 'FWNB11C00B', 'ISAKMP-PEER-DEFAULT' 0xF370D0B564F82429438F6F3F2B39876500000001, P2, RESPONDER): Resetting Negotiation SA
(CHILD_SA, 0xF370D0B564F82429438F6F3F2B3987650000000100, responder): use_count --3
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 1317 bytes (responder)
Gateways: 217.86.178.23:4500-->192.168.57.50:10954, tag 0 (UDP)
SPIs: 0xF370D0B564F82429438F6F3F2B398765, Message-ID 1
Sending 1 ikev2 fragment(s) of 1076 bytes and last fragment of size 356 bytes
Payloads: IDR, CERT(X509), AUTH(DIGITAL SIGNATURE), NOTIFY(INTERNAL_ADDRESS_FAILURE)
The CN is entered correctly on both sides, and there is only this one certificate on the client.
I also don't know why it puts together such a strange name, FWNB11C00B. I entered that one as well, but it doesn't help. Of course it could also be a temporary name that it creates internally for each connection; I haven't found anything on that so far.
Somehow this is all very strange ...
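As an added example (not part of the post or the vendor's software), the script below reads the identity comparisons and outcome markers from the trace quoted above. It shows that the peer's full certificate DN never equals the CN-only Expected-ID under exact comparison, would match only if the gateway treated the expected DN as a required attribute subset (which comparison mode the device really uses is an assumption here), and that the peer was finally accepted only via the ID_NONE catch-all before the CP(REQUEST) was refused with "Not configured as Server".

```python
import re

# Lines copied from the IKE_AUTH trace in the post (wrapped lines rejoined).
TRACE = """\
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=FWNB11:DER_ASN1_DN
Compare: -Received-ID CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN != Expected-ID /CN=HO-BLECKER-1:DER_ASN1_DN
+Received-ID:AUTH CN=FWNB11,O=Gemeinde Moria,C=DE,L=Moria,SN=FWNB11,ST=Hessen,OU=10,emailAddress=FWNB11@Moria.de,postalCode=08154:DER_ASN1_DN:DIGITAL SIGNATURE matches Expected-ID:AUTH ID_NONE:ID_NONE:DIGITAL SIGNATURE
+Road-warrior identified and accepted (Peer FWNB11C00B using DIGITAL_SIGNATURE)
-Not configured as Server (REPLY) -> abort
Payloads: IDR, CERT(X509), AUTH(DIGITAL SIGNATURE), NOTIFY(INTERNAL_ADDRESS_FAILURE)
"""

COMPARE_RE = re.compile(
    r"Compare: -Received-ID (?P<recv>.+?):DER_ASN1_DN"
    r" != Expected-ID (?P<exp>.+?):DER_ASN1_DN")


def parse_dn(dn):
    """Split 'CN=a,O=b' (received form) or '/CN=a/O=b' (expected form) into (attr, value) pairs."""
    sep = "/" if dn.startswith("/") else ","
    return [tuple(p.split("=", 1)) for p in dn.strip("/").split(sep) if p]


def dn_matches(received, expected, mode):
    """Compare two DNs either as exact attribute sets or with 'expected' as a required subset.
    Which of the two the gateway applies is an assumption; the trace alone does not say."""
    r, e = dict(parse_dn(received)), dict(parse_dn(expected))
    if mode == "exact":
        return r == e
    return all(r.get(k) == v for k, v in e.items())


def analyse(trace):
    """Extract every identity comparison and the markers that explain the final outcome."""
    compares = [{
        "received": m["recv"], "expected": m["exp"],
        "exact": dn_matches(m["recv"], m["exp"], "exact"),
        "subset": dn_matches(m["recv"], m["exp"], "subset"),
    } for m in COMPARE_RE.finditer(trace)]
    return {
        "compares": compares,
        # the peer was accepted only by the catch-all ID_NONE entry, not by its own DN
        "accepted_by_wildcard": "matches Expected-ID:AUTH ID_NONE" in trace,
        # the CP(REQUEST) was refused because the matched profile is not a config-mode server
        "cp_aborted": "Not configured as Server" in trace,
        "internal_address_failure": "NOTIFY(INTERNAL_ADDRESS_FAILURE)" in trace,
    }


if __name__ == "__main__":
    for c in analyse(TRACE)["compares"]:
        print(f"{c['expected']:<18} exact={c['exact']!s:<5} subset={c['subset']}")
```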