I have been trying for quite a while now to establish a VPN connection from a Shrew VPN client to my Lancom router.
The Lancom sits behind a fibre connection (no access credentials; the Internet connection is established directly via the IP address).
I have now also tried the VPN Multiconnect Tool V1.2, but unfortunately without success either...
Here is the config for the Shrew:
Code:
n:version:4
s:network-host:XXX.XXX.XXX.XXX (fixed IP address of the connection)
n:network-ike-port:500
s:client-auto-mode:pull
n:network-mtu-size:1380
s:client-iface:virtual
n:client-addr-auto:1
s:network-natt-mode:enable
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:enable
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:shrew@remote.de
s:ident-server-data:lancom@local.de
b:auth-mutual-psk:XXXX (VPN key)
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:aes
n:phase1-keylen:128
s:phase1-hash:md5
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
s:phase2-transform:esp-aes
n:phase2-keylen:128
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
s:policy-level:auto
n:policy-nailed:0
n:policy-list-auto:0
s:policy-list-include:172.23.55.0 / 255.255.255.0 (main network of the Lancom router, VLAN ID=0)
s:client-saved-username:
Code:
# Shrew VPN client vs. LANCOM
# Script template for LANCOM routers
# (c) M. Busche, 2012
# elpatron_kiel@users.sourceforge.net
#
# placeholders used:
# /PSK/ pre-shared key of the connection
# /ID_LOCAL/ fully qualified domain name of the LANCOM
# /ID_REMOTE/ fully qualified domain name of the Fritz!Box
# /LOCAL_PEER-NAME/ name of the remote peer
#
#
lang English
flash No
cd /
cd /Setup/IP-Router/Firewall/Rules
# Name Prot. Source Destination Action Linked Prio Firewall- VPN-Rule Stateful Rtg-tag Comment
# ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add "VPN-CLIENT_SHREW" {Prot.} "ANY" {Source} "ANYHOST" {Destination} "%HSHREW" {Action} "%Lcds0 %A" {Linked} No {Prio} 0 {Firewall-Rule} No {VPN-Rule} Yes {Stateful} Yes {Rtg-tag} 0 {Comment} "VPN-Zugang SHREW"
cd /
cd /Setup/VPN/VPN-Peers
# Peer SH-Time Extranet-Address Remote-Gw Rtg-tag Layer dynamic IKE-Exchange Rule-creation DPD-Inact-Timeout IKE-CFG XAUTH SSL-Encaps.
# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add "SHREW" {SH-Time} 0 {Extranet-Address} 0.0.0.0 {Remote-Gw} "0.0.0.0" {Rtg-tag} 0 {Layer} "P-SHREW" {dynamic} No {IKE-Exchange} Aggressive-Mode {Rule-creation} manually {DPD-Inact-Timeout} 90 {IKE-CFG} Server {XAUTH} Off {SSL-Encaps.} No
cd /
cd /Setup/VPN/Layer
# Name PFS-Grp IKE-Grp IKE-Prop-List IPSEC-Prop-List IKE-Key
# ------------------------------------------------------------------------------------------------
add "P-SHREW" {PFS-Grp} 2 {IKE-Grp} 2 {IKE-Prop-List} "IKE-SHREW" {IPSEC-Prop-List} "IPS-SHREW" {IKE-Key} "KEY-SHREW"
cd /
cd /Setup/VPN/Proposals/IKE
# Name IKE-Crypt-Alg IKE-Crypt-Keylen IKE-Auth-Alg IKE-Auth-Mode Lifetime-Sec Lifetime-KB
# ----------------------------------------------------------------------------------------------------------------------------------
add "PSK-SHREW" {IKE-Crypt-Alg} AES-CBC {IKE-Crypt-Keylen} 128 {IKE-Auth-Alg} MD5 {IKE-Auth-Mode} Preshared-Key {Lifetime-Sec} 3600 {Lifetime-KB} 0
cd /
cd /Setup/VPN/Proposals/IPSEC
# Name Encaps-Mode ESP-Crypt-Alg ESP-Crypt-Keylen ESP-Auth-Alg AH-Auth-Alg IPCOMP-Alg Lifetime-Sec Lifetime-KB
# ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
add "TN-AES-SHREW" {Encaps-Mode} Tunnel {ESP-Crypt-Alg} AES-CBC {ESP-Crypt-Keylen} 128 {ESP-Auth-Alg} HMAC-MD5 {AH-Auth-Alg} none {IPCOMP-Alg} none {Lifetime-Sec} 28800 {Lifetime-KB} 2000000
cd /
cd /Setup/VPN/Proposals/IKE-Proposal-Lists
# IKE-Proposal-List IKE-Proposal-1 IKE-Proposal-2 IKE-Proposal-3 IKE-Proposal-4 IKE-Proposal-5 IKE-Proposal-6 IKE-Proposal-7 IKE-Proposal-8
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add "IKE-SHREW" {IKE-Proposal-1} "PSK-SHREW"
cd /
cd /Setup/VPN/Proposals/IPSEC-Proposal-Lists
# IPSEC-Proposal-List IPSEC-Proposal-1 IPSEC-Proposal-2 IPSEC-Proposal-3 IPSEC-Proposal-4 IPSEC-Proposal-5 IPSEC-Proposal-6 IPSEC-Proposal-7 IPSEC-Proposal-8
# --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add "IPS-SHREW" {IPSEC-Proposal-1} "TN-AES-SHREW"
cd /
cd /Setup/VPN/Certificates-and-Keys/IKE-Keys
# Name Local-ID-Type Local-Identity Remote-ID-Type Remote-Identity Shared-Sec Shared-Sec-File
# -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add "KEY-SHREW" {Local-ID-Type} Domain-Name {Local-Identity} "lancom@local.de" {Remote-ID-Type} Domain-Name {Remote-Identity} "shrew@remote.de" {Shared-Sec} "XXXX" {Shared-Sec-File} ""
cd /
flash Yes
# done
exit
config loaded for site 'LANCOM'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon
There is nothing at all in the Lancom log.
Can anyone here help me?
...I'm really at my wit's end...
Many thanks in advance!
Regards
Mario
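As an added example (not from the post, Shrew or LANCOM), a small Python checker that parses the two formats quoted above, the Shrew site file (type:key:value lines) and the add lines of the LANCOM script, and lists every phase 1/phase 2 parameter and identity on which the two sides disagree. The sample strings are constructed excerpts of the post's own values with placeholders kept; the check only reports differences and does not decide which of them the router would reject.

```python
import re
# Constructed excerpts of the two configs quoted in the post (placeholders left as posted).
SHREW_SITE = """\
s:ident-client-data:shrew@remote.de
s:ident-server-data:lancom@local.de
n:phase1-dhgroup:2
s:phase1-cipher:aes
s:phase1-hash:md5
n:phase1-life-secs:86400
s:phase2-transform:esp-aes
s:phase2-hmac:md5
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
"""
LANCOM_SCRIPT = """\
add "PSK-SHREW" {IKE-Crypt-Alg} AES-CBC {IKE-Crypt-Keylen} 128 {IKE-Auth-Alg} MD5 {IKE-Auth-Mode} Preshared-Key {Lifetime-Sec} 3600 {Lifetime-KB} 0
add "TN-AES-SHREW" {Encaps-Mode} Tunnel {ESP-Crypt-Alg} AES-CBC {ESP-Crypt-Keylen} 128 {ESP-Auth-Alg} HMAC-MD5 {AH-Auth-Alg} none {IPCOMP-Alg} none {Lifetime-Sec} 28800 {Lifetime-KB} 2000000
add "P-SHREW" {PFS-Grp} 2 {IKE-Grp} 2 {IKE-Prop-List} "IKE-SHREW" {IPSEC-Prop-List} "IPS-SHREW" {IKE-Key} "KEY-SHREW"
add "KEY-SHREW" {Local-ID-Type} Domain-Name {Local-Identity} "lancom@local.de" {Remote-ID-Type} Domain-Name {Remote-Identity} "shrew@remote.de" {Shared-Sec} "XXXX" {Shared-Sec-File} ""
"""
def parse_shrew(text):  # Shrew site file: 'type:key:value' lines (n = number, s = string, b = base64)
    cfg = {}
    for line in text.splitlines():
        typ, key, val = line.split(":", 2)
        cfg[key] = int(val) if typ == "n" else val
    return cfg

def parse_lancom(text):  # LANCOM 'add "NAME" {Column} value ...' lines -> {NAME: {Column: value}}
    rows = {}
    for m in re.finditer(r'^add "([^"]+)"(.*)$', text, re.M):
        cols = re.findall(r'\{([^}]+)\}\s+("[^"]*"|\S+)', m.group(2))
        rows[m.group(1)] = {k: v.strip('"') for k, v in cols}
    return rows

def mismatches(shrew, lancom):
    """Pair each Shrew phase 1/2 setting with the LANCOM proposal, layer or key field it must agree with."""
    ike, ipsec, layer, key = (lancom[n] for n in ("PSK-SHREW", "TN-AES-SHREW", "P-SHREW", "KEY-SHREW"))
    pairs = [
        ("phase1 cipher", shrew["phase1-cipher"].upper() + "-CBC", ike["IKE-Crypt-Alg"]),
        ("phase1 hash", shrew["phase1-hash"].upper(), ike["IKE-Auth-Alg"]),
        ("phase1 DH group", shrew["phase1-dhgroup"], int(layer["IKE-Grp"])),
        ("phase1 lifetime", shrew["phase1-life-secs"], int(ike["Lifetime-Sec"])),
        ("phase2 cipher", shrew["phase2-transform"][4:].upper() + "-CBC", ipsec["ESP-Crypt-Alg"]),
        ("phase2 HMAC", "HMAC-" + shrew["phase2-hmac"].upper(), ipsec["ESP-Auth-Alg"]),
        ("phase2 PFS group", shrew["phase2-pfsgroup"], int(layer["PFS-Grp"])),
        ("phase2 lifetime", shrew["phase2-life-secs"], int(ipsec["Lifetime-Sec"])),
        ("client identity", shrew["ident-client-data"], key["Remote-Identity"]),
        ("server identity", shrew["ident-server-data"], key["Local-Identity"]),
    ]
    return [(name, a, b) for name, a, b in pairs if a != b]
```

Run on the post's values it reports only the two lifetime differences (phase 1: 86400 vs 3600, phase 2: 3600 vs 28800); ciphers, hashes, DH/PFS groups and identities agree on both sides.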