Certificate-based VPN connection no longer works

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

geppi
Posts: 149
Registered: 05 Mar 2009, 18:05

Certificate-based VPN connection no longer works

Post by geppi »

Hello,
in the past I had successfully gotten certificate-based VPN connections with IKEv2 working between my LC-1781VA and an Android phone as well as the Windows 10 native VPN client.

Then I did not use the VPN access for a long period. When I needed the access again now, I unfortunately had to find that it no longer works.

The working configuration was set up back then under LCOS 9.24 with the Android and Windows 10 versions that were current at the time.
(Heaven knows which ones those were :? )
Now with LCOS 10.34.0168-RU2 or 10.42.0473-RU3 and Windows 10 20H2 or Android 8 it no longer works.

Has anything changed on the Lancom side since then regarding the accepted parameters for encryption and authentication? Or on the Windows and Android side?

When I run a trace with "vpn-status ON" and "vpn-debug ON", I see, among other things, the following when the Android phone tries to connect (sensitive information == <censored>):

Code:

[VPN-Debug] 2021/05/18 10:02:52,220
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 2421 bytes
Gateways: 93.217.251.46:4500<--46.114.94.247:4500
SPIs: 0xC0C9F1D49A5D2975AA3693CC9A104449, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(DIGITAL SIGNATURE), CP(REQUEST), SA, TSI, TSR, NOTIFY(STATUS_MOBIKE_SUPPORTED), NOTIFY(STATUS_NO_ADDITIONAL_ADDRESSES), NOTIFY(STATUS_EAP_ONLY_AUTHENTICATION), NOTIFY(STATUS_IKEV2_MESSAGE_ID_SYNC_SUPPORTED)
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
<censored>: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---0.0.0.0/32 port(0) protocol(0)
<censored>: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
Looking for payload IDI (35)...Found 1 payload.
  Compare: -Received-ID <censored> != Expected-ID <censored>
  Compare: -Received-ID <censored> != Expected-ID <censored>
  +Received-ID <censored> matches the Expected-ID <censored>
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-384 PRF-HMAC-SHA-256
  +Received PRF   transform(s): PRF-HMAC-SHA-512
  +Best intersection: PRF-HMAC-SHA-512
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256
  +Received INTEG transform(s): HMAC-SHA-512
  +Best intersection: HMAC-SHA-512
  +Config   DH    transform(s): 16 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload CERT(X509) (37)...Found 1 payload.
  Subject: <censored>
  Issuer : <censored>
<censored>: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---0.0.0.0/32 port(0) protocol(0)
<censored>: DELETE MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
<censored>: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---10.0.0.143/32 port(0) protocol(0)
<censored>: ADD MODE(7) INBOUND ESP 10.0.0.143/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
Looking for payload TSI (44)...Found 1 payload.
  Looking for a connection...
  Trying connection 0: ipsec-0-<censored>-pr0-l0-r0
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,      10.0.0.143-10.0.0.143     )
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,      10.0.0.143-10.0.0.143     )
  Best        :(  0,     0-65535,      10.0.0.143-10.0.0.143     )
  +Valid intersection found
  TSi: (  0,     0-65535,      10.0.0.143-10.0.0.143     )
  TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSi OK.
Looking for payload TSR (45)...Found 1 payload.
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Best        :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-GCM-16-256 AES-GCM-16-128
  -No intersection
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
  +Received INTEG transform(s):
  -No intersection
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE
  -ENCR transform is obligatory for ESP-Protocol
  -Skipping proposal 1
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256 AES-CBC-128
  +Best intersection: AES-CBC-256
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
  +Received INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
  +Best intersection: HMAC-SHA-512
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE

[VPN-Status] 2021/05/18 10:02:52,220
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 2421 bytes
Gateways: 93.217.251.46:4500<--46.114.94.247:4500
SPIs: 0xC0C9F1D49A5D2975AA3693CC9A104449, Message-ID 1
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Updating remote port to 49277
Received 4 notifications:
  +MOBIKE_SUPPORTED (STATUS)
  +NO_ADDITIONAL_ADDRESSES (STATUS)
  +EAP_ONLY_AUTHENTICATION (STATUS)
  +MESSAGE_ID_SYNC_SUPPORTED (STATUS)
+Received-ID <censored> matches the Expected-ID <censored>
+Peer identified: <censored>
+Peer uses AUTH(DIGITAL SIGNATURE:sha384WithRSAEncryption)
+Authentication successful
Request attributes:
  INTERNAL_IP4_ADDRESS()
  INTERNAL_IP4_DNS()
Assigned IPv4 config parameters:
  IP:  10.0.0.143
  DNS: 10.0.0.1
Assigned IPv6 config parameters:
  DNS: ::
TSi: (  0,     0-65535,      10.0.0.143-10.0.0.143     )
TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+CHILD-SA:
  ESP-Proposal-1 Peer-SPI: 0xCA06FABE (3 transforms)
    ENCR : AES-GCM-16-256 AES-GCM-16-128
    ESN  : NONE
  ESP-Proposal-2 Peer-SPI: 0xCA06FABE (7 transforms)
    ENCR : AES-CBC-256 AES-CBC-128
    INTEG: HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
    ESN  : NONE

[VPN-Debug] 2021/05/18 10:02:52,246
Peer <censored>: Constructing an IKE_AUTH-RESPONSE for send
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 1661 bytes (responder)
Gateways: 93.217.251.46:4500-->46.114.94.247:49277, tag 0 (UDP)
SPIs: 0xC0C9F1D49A5D2975AA3693CC9A104449, Message-ID 1
Sending 1 ikev2 fragment(s) of 1236 bytes and last fragment of size 580 bytes
Payloads: IDR, CERT(X509), NOTIFY(AUTHENTICATION_FAILED)

[VPN-Status] 2021/05/18 10:02:52,246
Peer <censored>: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID <censored>
+I use AUTH(DIGITAL SIGNATURE:sha256WithRSAEncryption)
-Could not get private key
NOTIFY(AUTHENTICATION_FAILED)
Encrypted message is too big (1728 bytes) -> should be ikev2 fragmented (MTU 1236)
IKE_SA (<censored>, 'ISAKMP-PEER-<censored>' IPSEC_IKE SPIs 0xC0C9F1D49A5D2975AA3693CC9A104449) removed from SADB
Sending an IKE_AUTH-RESPONSE of 1661 bytes (responder)
Gateways: 93.217.251.46:4500-->46.114.94.247:49277, tag 0 (UDP)
SPIs: 0xC0C9F1D49A5D2975AA3693CC9A104449, Message-ID 1
Sending 1 ikev2 fragment(s) of 1236 bytes and last fragment of size 580 bytes

[VPN-Status] 2021/05/18 10:02:52,248
IKE log: 100252.248406 Default IKE-DISCONNECT-RESPONSE: comchannel 20 set for peer <censored> on message free


[VPN-Debug] 2021/05/18 10:02:52,248
<censored>: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---10.0.0.143/32 port(0) protocol(0)
<censored>: DELETE MODE(7) INBOUND ESP 10.0.0.143/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
<censored>: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---0.0.0.0/32 port(0) protocol(0)
<censored>: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
DISCONNECT-RESPONSE sent for handle 20
IKE-TRANSPORT freed

[VPN-Status] 2021/05/18 10:02:52,249
CHILD_SA (UNKNOWN, 'UNKNOWN' ) removed from SADB
CHILD_SA (UNKNOWN, 'UNKNOWN' ) freed
IKE_SA (<censored>, 'ISAKMP-PEER-<censored>' IPSEC_IKE SPIs 0xC0C9F1D49A5D2975AA3693CC9A104449) freed

[VPN-Status] 2021/05/18 10:02:52,249
DISCONNECT-RESPONSE sent for handle 20

[VPN-Status] 2021/05/18 10:02:52,249
vpn-maps[20], remote: <censored>, idle, static-name

With the Windows 10 native VPN client it looks as follows (sensitive information == <censored>):

Code:

[VPN-Debug] 2021/05/18 10:22:31,332
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3699 bytes
Gateways: 93.217.251.46:4500<--46.114.94.247:4500
SPIs: 0x0FFD80C9D88BBAC3319DBCE284D01949, Message-ID 1
Payloads: IDI, CERT(X509), CERTREQ, AUTH(RSA:SHA1), NOTIFY(STATUS_MOBIKE_SUPPORTED), CP(REQUEST), SA, TSI, TSR
+IKE_SA found and assigned
+Exchange created (flags: 0x00000050)
<censored>: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---0.0.0.0/32 port(0) protocol(0)
<censored>: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
Looking for payload IDI (35)...Found 1 payload.
  +Received-ID <censored> matches the Expected-ID <censored>
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   PRF   transform(s): PRF-HMAC-SHA-512 PRF-HMAC-SHA-384 PRF-HMAC-SHA-256
  +Received PRF   transform(s): PRF-HMAC-SHA-256
  +Best intersection: PRF-HMAC-SHA-256
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256
  +Received INTEG transform(s): HMAC-SHA-256
  +Best intersection: HMAC-SHA-256
  +Config   DH    transform(s): 16 14
  +Received DH    transform(s): 14
  +Best intersection: 14
Looking for payload CERT(X509) (37)...Found 1 payload.
  Subject: <censored>
  Issuer : <censored>
<censored>: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---0.0.0.0/32 port(0) protocol(0)
<censored>: DELETE MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
<censored>: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---10.0.0.107/32 port(0) protocol(0)
<censored>: ADD MODE(7) INBOUND ESP 10.0.0.107/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
Looking for payload TSI (44)...Found 1 payload.
  Looking for a connection...
  Trying connection 0: ipsec-0-<censored>-pr0-l0-r0
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,      10.0.0.107-10.0.0.107     )
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,      10.0.0.107-10.0.0.107     )
  Determining best intersection for TSi
  Expected TS :(  0,     0-65535,      10.0.0.107-10.0.0.107     )
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,      10.0.0.107-10.0.0.107     )
  +Valid intersection found
  TSi: (  0,     0-65535,      10.0.0.107-10.0.0.107     )
  TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSi OK.
Looking for payload TSR (45)...Found 1 payload.
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Intersection:(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Determining best intersection for TSr
  Expected TS :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  Received TS :(  0,     0-65535,                                      ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  -No intersection
  Best        :(  0,     0-65535,         0.0.0.0-255.255.255.255)
  +TSr OK.
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
  +Received INTEG transform(s): HMAC-SHA1
  +Best intersection: HMAC-SHA1
  +Config   ESN   transform(s): NONE
  +Received ESN   transform(s): NONE
  +Best intersection: NONE

[VPN-Status] 2021/05/18 10:22:31,332
Peer DEFAULT [responder]: Received an IKE_AUTH-REQUEST of 3699 bytes
Gateways: 93.217.251.46:4500<--46.114.94.247:4500
SPIs: 0x0FFD80C9D88BBAC3319DBCE284D01949, Message-ID 1
CHILD_SA (UNKNOWN, 'UNKNOWN' ) entered to SADB
Updating remote port to 50823
Received 1 notification:
  +MOBIKE_SUPPORTED (STATUS)
+Received-ID <censored> matches the Expected-ID <censored>
+Peer identified: <censored>
+Peer uses AUTH(RSA:SHA1)
+Authentication successful
Request attributes:
  INTERNAL_IP4_ADDRESS()
  INTERNAL_IP4_DNS()
  INTERNAL_IP4_NBNS()
  INTERNAL_IP4_SERVER()
  INTERNAL_IP6_ADDRESS()
  INTERNAL_IP6_DNS()
  INTERNAL_IP6_SERVER()
Assigned IPv4 config parameters:
  IP:  10.0.0.107
  DNS: 10.0.0.1
Cannot assign IPv6 config parameters to non-existent interface <censored>
TSi: (  0,     0-65535,      10.0.0.107-10.0.0.107     )
TSr: (  0,     0-65535,         0.0.0.0-255.255.255.255)
+CHILD-SA:
  ESP-Proposal-1 Peer-SPI: 0x8CECF456 (3 transforms)
    ENCR : AES-CBC-256
    INTEG: HMAC-SHA1
    ESN  : NONE
  ESP-Proposal-2 Peer-SPI: 0x8CECF456 (3 transforms)
    ENCR : 3DES
    INTEG: HMAC-SHA1
    ESN  : NONE

[VPN-Debug] 2021/05/18 10:22:31,359
Peer <censored>: Constructing an IKE_AUTH-RESPONSE for send
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
Fragment encrypted successfully
Message authenticated successfully
Don't Fragment bit is set
Non-ESP-Marker Prepended
+(request, response) pair inserted into retransmission map
Sending an IKE_AUTH-RESPONSE of 1661 bytes (responder)
Gateways: 93.217.251.46:4500-->46.114.94.247:50823, tag 0 (UDP)
SPIs: 0x0FFD80C9D88BBAC3319DBCE284D01949, Message-ID 1
Sending 3 ikev2 fragment(s) of 580 bytes and last fragment of size 180 bytes
Payloads: IDR, CERT(X509), NOTIFY(AUTHENTICATION_FAILED)

[VPN-Status] 2021/05/18 10:22:31,359
Peer <censored>: Constructing an IKE_AUTH-RESPONSE for send
+Local-ID <censored>
+Peer does not support Digital-Signature Authentication (RFC-7427).
+Fallback from RSAEncryption on RSA Digital Signature (1)
+I use AUTH(RSA:SHA1)
-Could not get private key
NOTIFY(AUTHENTICATION_FAILED)
Encrypted message is too big (1712 bytes) -> should be ikev2 fragmented (MTU 580)
IKE_SA (<censored>, 'ISAKMP-PEER-<censored>' IPSEC_IKE SPIs 0x0FFD80C9D88BBAC3319DBCE284D01949) removed from SADB
Sending an IKE_AUTH-RESPONSE of 1661 bytes (responder)
Gateways: 93.217.251.46:4500-->46.114.94.247:50823, tag 0 (UDP)
SPIs: 0x0FFD80C9D88BBAC3319DBCE284D01949, Message-ID 1
Sending 3 ikev2 fragment(s) of 580 bytes and last fragment of size 180 bytes

[VPN-Status] 2021/05/18 10:22:31,360
IKE log: 102231.360648 Default IKE-DISCONNECT-RESPONSE: comchannel 22 set for peer <censored> on message free


[VPN-Debug] 2021/05/18 10:22:31,361
<censored>: DELETE MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---10.0.0.107/32 port(0) protocol(0)
<censored>: DELETE MODE(7) INBOUND ESP 10.0.0.107/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
<censored>: ADD MODE(7) OUTBOUND ESP 0.0.0.0/0 port(0) protocol(0)---93.217.251.46===46.114.94.247---0.0.0.0/32 port(0) protocol(0)
<censored>: ADD MODE(7) INBOUND ESP 0.0.0.0/32 port(0) protocol(0)---46.114.94.247===93.217.251.46---0.0.0.0/0 port(0) protocol(0)
DISCONNECT-RESPONSE sent for handle 22
IKE-TRANSPORT freed

[VPN-Status] 2021/05/18 10:22:31,361
CHILD_SA (UNKNOWN, 'UNKNOWN' ) removed from SADB
CHILD_SA (UNKNOWN, 'UNKNOWN' ) freed
IKE_SA (<censored>, 'ISAKMP-PEER-<censored>' IPSEC_IKE SPIs 0x0FFD80C9D88BBAC3319DBCE284D01949) freed

[VPN-Status] 2021/05/18 10:22:31,361
DISCONNECT-RESPONSE sent for handle 22

[VPN-Status] 2021/05/18 10:22:31,362
vpn-maps[22], remote: <censored>, idle, static-name

Can anyone tell from the trace where I need to make changes to fix the problem?

Many thanks.
GrandDixence
Posts: 1054
Registered: 19 Aug 2014, 22:41

Re: Certificate-based VPN connection no longer works

Post by GrandDixence »

Looking for payload CHILD_SA (33)...Found 1 payload.
+Config ENCR transform(s): AES-CBC-256
+Received ENCR transform(s): AES-GCM-16-256 AES-GCM-16-128
-No intersection
The VPN server in the LANCOM router must be configured to support GCM. Using GCM is recommended for security reasons (instead of CBC). See also the corresponding VPN guide at:
fragen-zum-thema-vpn-f14/vpn-via-androi ... tml#p97795
-Could not get private key
For the VPN tunnel to the Windows machine, something is wrong with the X.509 certificate to be used for the private key on the LANCOM router. Troubleshoot according to the corresponding VPN guide at:
fragen-zum-thema-vpn-f14/vpn-via-androi ... tml#p97795
And HMAC-SHA1 should no longer be used for security reasons!
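
Added example (not part of either post and not LANCOM code): a small Python triage of the trace format shown in this thread, separating transform mismatches, weak negotiated algorithms and the fatal key error. The sample input is constructed from lines in the two traces; the `WEAK` set and the function name are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the Android and Windows traces in this
# thread, abridged into one input so the example runs offline.
SAMPLE_TRACE = """\
Looking for payload CHILD_SA (33)...Found 1 payload.
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-GCM-16-256 AES-GCM-16-128
  -No intersection
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
  +Received INTEG transform(s):
  -No intersection
  -Skipping proposal 1
  +Config   ENCR  transform(s): AES-CBC-256
  +Received ENCR  transform(s): AES-CBC-256
  +Best intersection: AES-CBC-256
  +Config   INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 HMAC-SHA1
  +Received INTEG transform(s): HMAC-SHA1
  +Best intersection: HMAC-SHA1
+I use AUTH(RSA:SHA1)
-Could not get private key
NOTIFY(AUTHENTICATION_FAILED)
"""

PAIR = re.compile(r"^\s*\+(Config|Received)\s+(ENCR|PRF|INTEG|DH|ESN)\s+transform\(s\):\s*(.*)$")
BEST = re.compile(r"^\s*\+Best intersection:\s*(\S+)")
WEAK = {"HMAC-SHA1", "3DES"}  # HMAC-SHA1 per the reply; 3DES added as an assumption


def analyse(trace):
    """Return (category, subject, detail) tuples for an LCOS vpn-debug/vpn-status trace."""
    findings, config = [], {}
    for line in trace.splitlines():
        pair = PAIR.match(line)
        if pair:
            side, kind, algos = pair.group(1), pair.group(2), pair.group(3).split()
            if side == "Config":
                config[kind] = algos
            # An empty offer is not a mismatch: AEAD proposals (AES-GCM) carry no INTEG.
            elif algos and not set(algos) & set(config.get(kind, [])):
                findings.append(("mismatch", kind,
                                 f"peer offers {algos}, router allows {config.get(kind, [])}"))
            continue
        best = BEST.match(line)
        if best and best.group(1) in WEAK:
            findings.append(("weak", best.group(1), "negotiated, should be retired"))
        elif line.strip() == "-Could not get private key":
            findings.append(("fatal", "private key",
                             "router cannot sign AUTH; check the certificate/key stored on it"))
    return findings


if __name__ == "__main__":
    for category, subject, detail in analyse(SAMPLE_TRACE):
        print(f"{category:8} {subject:12} {detail}")
```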