Unfortunately, I have a Lancom sitting behind an LTE router here for a quarter of a year. The Lancom is supposed to establish the connection to headquarters, where there is a Sophos UTM 9.7.
I set the policies manually on both sides and a connection attempt does take place, but the Lancom seems to include the internal IP (which comes from the LTE router) and the UTM refuses the VPN connection.
This is what it looks like in the Lancom's logs:
[VPN-Status] 2019/12/27 14:22:23,702 Devicetime: 2019/12/27 14:22:21,055
VPN: WAN state changed to WanCall for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c
[VPN-Status] 2019/12/27 14:22:23,703 Devicetime: 2019/12/27 14:22:21,056
VPN: connecting to SOPHOS-UTM (80.xxx.xxx.159 ikev1)
[VPN-Status] 2019/12/27 14:22:23,703 Devicetime: 2019/12/27 14:22:21,056
vpn-maps[32], remote: SOPHOS-UTM, nego, static-name, connected-by-name
[VPN-Status] 2019/12/27 14:22:23,703 Devicetime: 2019/12/27 14:22:21,056
vpn-maps[32], remote: SOPHOS-UTM, nego, static-name, connected-by-name
[VPN-Status] 2019/12/27 14:22:23,703 Devicetime: 2019/12/27 14:22:21,072
vpn-maps[32], remote: SOPHOS-UTM, nego, static-name, connected-by-name
[VPN-Status] 2019/12/27 14:22:23,748 Devicetime: 2019/12/27 14:22:21,072
VPN: start IKE negotiation for SOPHOS-UTM (80.xxx.xxx.159)
[VPN-Status] 2019/12/27 14:22:23,748 Devicetime: 2019/12/27 14:22:21,072
VPN: WAN state changed to WanProtocol for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c
[VPN-Status] 2019/12/27 14:22:23,751 Devicetime: 2019/12/27 14:22:21,073
IKE info: Phase-1 negotiation started for peer SOPHOS-UTM rule isakmp-peer-SOPHOS-UTM using MAIN mode
[VPN-Status] 2019/12/27 14:22:23,751 Devicetime: 2019/12/27 14:22:21,079
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 500, remote port: 500
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0
Phase-1 SA (UNKNOWN, 'UNKNOWN' IPSEC_IKE Cookies 0xC4B9D01283AB26CB0000000000000000) entered to SADB
[VPN-Status] 2019/12/27 14:22:23,751 Devicetime: 2019/12/27 14:22:21,080
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89640, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 500, remote port: 500
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0
[VPN-Status] 2019/12/27 14:22:23,805 Devicetime: 2019/12/27 14:22:21,140
IKE info: The remote server 80.xxx.xxx.159:500 (UDP) peer SOPHOS-UTM id <no_id> supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server 80.xxx.xxx.159:500 (UDP) peer SOPHOS-UTM id <no_id> negotiated rfc-3706-dead-peer-detection
IKE info: The remote peer SOPHOS-UTM supports NAT-T in RFC mode
[VPN-Status] 2019/12/27 14:22:23,805 Devicetime: 2019/12/27 14:22:21,140
IKE info: Phase-1 remote proposal 1 for peer SOPHOS-UTM matched with local proposal 1
[VPN-Status] 2019/12/27 14:22:23,897 Devicetime: 2019/12/27 14:22:21,262
IKE info: Phase-1 SASA Rekeying Timeout (Soft-Event) for peer SOPHOS-UTM set to 69120 seconds (Initiator)
[VPN-Status] 2019/12/27 14:22:23,897 Devicetime: 2019/12/27 14:22:21,262
IKE info: Phase-1 SASA Timeout (Hard-Event) for peer SOPHOS-UTM set to 86400 seconds (Initiator)
[VPN-Status] 2019/12/27 14:22:23,897 Devicetime: 2019/12/27 14:22:21,262
Phase-1 [initiator] for peer SOPHOS-UTM initiator id 192.168.1.254, responder id 80.xxx.xxx.159
initiator cookie: 0xC4B9D01283AB26CB, responder cookie: 0x6417BE2866F447A5
NAT-T enabled in mode rfc. We are behind a nat, the remote side is not behind a nat
SA ISAKMP for peer SOPHOS-UTM encryption aes-cbc authentication SHA-256
life time soft 12/28/2019 09:34:21 (in 69120 sec) / 0 kb
life time hard 12/28/2019 14:22:21 (in 86400 sec) / 0 kb
DPD: 60 sec
[VPN-Status] 2019/12/27 14:22:23,949 Devicetime: 2019/12/27 14:22:21,309
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer SOPHOS-UTM
[VPN-Status] 2019/12/27 14:22:24,716 Devicetime: 2019/12/27 14:22:22,081
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0
[VPN-Status] 2019/12/27 14:22:31,025 Devicetime: 2019/12/27 14:22:28,391
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM
[VPN-Status] 2019/12/27 14:22:36,021 Devicetime: 2019/12/27 14:22:33,392
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer SOPHOS-UTM, sequence nr 0x1223501b
[VPN-Status] 2019/12/27 14:22:36,072 Devicetime: 2019/12/27 14:22:33,431
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer SOPHOS-UTM Seq-Nr 0x1223501b, expected 0x1223501b
[VPN-Status] 2019/12/27 14:22:36,762 Devicetime: 2019/12/27 14:22:34,081
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0
[VPN-Status] 2019/12/27 14:22:39,867 Devicetime: 2019/12/27 14:22:37,232
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM
[VPN-Status] 2019/12/27 14:22:43,866 Devicetime: 2019/12/27 14:22:41,232
Peer SOPHOS-UTM: NAT-T keep-alive (0xFF) sent physically
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500
[VPN-Status] 2019/12/27 14:22:45,711 Devicetime: 2019/12/27 14:22:43,082
Received Connection-Request for SOPHOS-UTM (ikev1)
transport: [id: 89639, UDP (17) {outgoing, fixed source address}, dst: 80.xxx.xxx.159, tag 1 (U), src: 192.168.1.254, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, (R) iface: LTE (20), next hop: 192.168.1.1], local port: 4500, remote port: 4500, flags: UDP_ENCAPSULATION
Establishing connection(s): IPSEC-0-SOPHOS-UTM-PR0-L0-R0
[VPN-Status] 2019/12/27 14:22:50,905 Devicetime: 2019/12/27 14:22:48,272
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM
[VPN-Status] 2019/12/27 14:22:53,756 Devicetime: 2019/12/27 14:22:51,072
VPN: connection for SOPHOS-UTM (80.xxx.xxx.159) timed out: no response
[VPN-Status] 2019/12/27 14:22:53,756 Devicetime: 2019/12/27 14:22:51,072
VPN: disconnecting SOPHOS-UTM (80.xxx.xxx.159)
[VPN-Status] 2019/12/27 14:22:53,756 Devicetime: 2019/12/27 14:22:51,072
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for SOPHOS-UTM (80.xxx.xxx.159)
[VPN-Status] 2019/12/27 14:22:53,756 Devicetime: 2019/12/27 14:22:51,080
IKE info: Delete Notification sent for Phase-1 SA to peer SOPHOS-UTM, cookies [0xc4b9d01283ab26cb 0x6417be2866f447a5]
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,091
Disconnect Request for peer SOPHOS-UTM (ikev1)
Phase-2 SA (UNKNOWN, 'UNKNOWN') removed from SADB
Containing Protocol IPSEC_ESP Inbound-SPI 0x206C42BE
Phase-2 SA (UNKNOWN, 'UNKNOWN') freed
Containing Protocol IPSEC_ESP Inbound-SPI 0x206C42BE
Phase-1 SA (SOPHOS-UTM, 'ISAKMP-PEER-SOPHOS-UTM' IPSEC_IKE Cookies 0xC4B9D01283AB26CB6417BE2866F447A5) removed from SADB
Freeing exchanges...IKE-DISCONNECT-INDICATION sent for handle 32
Phase-1 SA (SOPHOS-UTM, 'ISAKMP-PEER-SOPHOS-UTM' IPSEC_IKE Cookies 0xC4B9D01283AB26CB6417BE2866F447A5) freed
DISCONNECT-RESPONSE sent for handle 32
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,091
vpn-maps[32], remote: SOPHOS-UTM, idle, static-name
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,097
selecting next remote gateway using strategy eFirst for SOPHOS-UTM
=> no remote gateway selected
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,097
selecting first remote gateway using strategy eFirst for SOPHOS-UTM
=> CurrIdx=0, IpStr=>80.xxx.xxx.159<, IpAddr=80.xxx.xxx.159, IpTtl=0s
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,097
VPN: installing ruleset for SOPHOS-UTM (80.xxx.xxx.159)
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,097
VPN: WAN state changed to WanDisconnect for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,098
VPN: WAN state changed to WanIdle for SOPHOS-UTM (80.xxx.xxx.159), called by: 01a5633c
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,098
VPN: SOPHOS-UTM (80.xxx.xxx.159) disconnected
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,098
vpn-maps[32], remote: SOPHOS-UTM, idle, static-name
[VPN-Status] 2019/12/27 14:22:53,779 Devicetime: 2019/12/27 14:22:51,100
vpn-maps[32], remote: SOPHOS-UTM, idle, static-name
Thanks and regards
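
The combination the post describes (a private address sent as the Phase-1 identity while the device is behind NAT, answered by INVALID_ID_INFORMATION) can be pulled out of a trace like this one mechanically. The following Python is an added example, not part of the original post and not LANCOM or Sophos tooling; the names summarize, is_private and check_identity are hypothetical, and the embedded lines are copied from the trace above.

```python
import ipaddress
import re

# Payload lines copied from the VPN-Status trace in the post (timestamps dropped).
TRACE = """\
IKE info: The remote peer SOPHOS-UTM supports NAT-T in RFC mode
Phase-1 [initiator] for peer SOPHOS-UTM initiator id 192.168.1.254, responder id 80.xxx.xxx.159
NAT-T enabled in mode rfc. We are behind a nat, the remote side is not behind a nat
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer SOPHOS-UTM
IKE info: NOTIFY received of type INVALID_MESSAGE_ID for peer SOPHOS-UTM
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for SOPHOS-UTM (80.xxx.xxx.159)
"""

ID_RE = re.compile(r"Phase-1 \[initiator\] for peer (\S+) initiator id (\S+), responder id (\S+)")
NOTIFY_RE = re.compile(r"NOTIFY received of type (\S+) for peer \S+")
ERROR_RE = re.compile(r"VPN: Error: (\S+) \(0x[0-9A-Fa-f]+\)")


def is_private(value):
    """True only if value parses as an IP address in a private range."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:  # masked address (80.xxx...), FQDN or other ID type
        return False


def summarize(trace):
    """Collect identities, NAT state, received NOTIFY types and VPN errors."""
    s = {"peer": None, "local_id": None, "remote_id": None,
         "behind_nat": False, "notifies": [], "errors": []}
    for line in trace.splitlines():
        if m := ID_RE.search(line):
            s["peer"], s["local_id"], s["remote_id"] = m.groups()
        elif m := NOTIFY_RE.search(line):
            if m.group(1) not in s["notifies"]:
                s["notifies"].append(m.group(1))
        elif m := ERROR_RE.search(line):
            s["errors"].append(m.group(1))
        elif "We are behind a nat" in line:
            s["behind_nat"] = True
    s["local_id_private"] = bool(s["local_id"]) and is_private(s["local_id"])
    s["id_rejected"] = "INVALID_ID_INFORMATION" in s["notifies"]
    # Hypothetical flag: all three conditions from the post hold at once.
    s["check_identity"] = s["behind_nat"] and s["local_id_private"] and s["id_rejected"]
    return s


if __name__ == "__main__":
    print(summarize(TRACE))
```

When check_identity is set, the identity types and values configured on both gateways are the first thing to compare against what the trace shows was actually sent.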