IPSec connection - log file

5,590 bytes added, 16:42, 3 Feb 2017
Used the log file to determine the correct credentials and the picture of a successful connection
== Log file during the setup of an IPSec connection: ==

'''Networks configured on the router:'''<br />
WLAN network: 192.168.0.0/24 -> DHCP address range = 192.168.0.10 - 192.168.0.30<br />
IPsec network: 192.168.100.0/24 -> DHCP address range = pool = 192.168.100.10 - 192.168.100.20<br />

---------------------------------------------------<br />
===== Request arrives (router): =====<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): identified ip 192.168.100.1 <- ip 192.168.0.12<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): ip 192.168.100.1 <- ip 192.168.0.12: proposal mismatch<br />
===== Configured on the router: =====<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): local configuration: 1 proposals<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): proposal[0]: 1 protocols<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): protocol[0][0]=ISAKMP(1): 1 transforms<br />
... attributes encr(1)=aes-cbc(7) key-len(14)=256 hash(2)=sha2-256(4) auth(3)=pre_shared_key (XAUTH)(65001) group(4)=14 life-type(11)=Seconds(1) life-duration(12)=3600<br />

===== Options available on the client (sent to the router as the reply): =====<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): remote proposal: 1 proposals<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): proposal[1]: 1 protocols<br />
08:24:20 DEBUG/IPSEC: P1: peer 5 (iphone) sa 69 (R): protocol[1][0]=ISAKMP(1): 8 transforms<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=256 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=256 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=128 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=128 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=3des-cbc(5) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=3des-cbc(5) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=des-cbc(1) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2<br />
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=des-cbc(1) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2<br />
----------------------------------------------------<br />

===== Corrected Phase 1 authentication: =====<br />
Encryption = encr(1) => aes key-len(14)=256 (XAUTH)(65001) hash(2)=sha1(2) group(4)=2<br />
Authentication = hash(2) => sha1<br />
DH group = group(4) => 2<br />
Authentication method = auth(3) => pre_shared_key<br />
Lifetime = life-duration(12) => 28800<br />
- is entered in the PEER configuration <(XAUTH)(65001)> -<br />
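The comparison done by hand above (router transform against the eight client transforms, then picking the attribute values the client actually offers) can be automated when reading the router log. The following script is an added example and is not part of the original wiki page or of the router's software: it parses the "... attributes" lines quoted above, reports which attributes differ for every client transform, confirms that the corrected Phase 1 settings (AES-256, sha1, DH group 2) match the client's first transform, and flags the legacy algorithms that are left in the corrected configuration. The regular expression, the set of attributes compared, and the list of algorithms treated as legacy are this example's own assumptions.

```python
"""Explain an IKEv1 Phase 1 'proposal mismatch' from router debug log lines.

Added example, not taken from the wiki page or the router firmware.
The log lines are copied from the page; everything else is an assumption.
"""
import re

# Constructed sample: the router's own ("local") transform from the log above.
LOCAL_LOG = """\
... attributes encr(1)=aes-cbc(7) key-len(14)=256 hash(2)=sha2-256(4) auth(3)=pre_shared_key (XAUTH)(65001) group(4)=14 life-type(11)=Seconds(1) life-duration(12)=3600
"""

# Constructed sample: the eight transforms the client offered.
REMOTE_LOG = """\
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=256 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=256 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=128 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=aes-cbc(7) key-len(14)=128 auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=3des-cbc(5) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=3des-cbc(5) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=des-cbc(1) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=sha1(2) group(4)=2
... attributes life-type(11)=Seconds(1) life-duration(12)=28800 encr(1)=des-cbc(1) auth(3)=pre_shared_key (XAUTH)(65001) hash(2)=md5(1) group(4)=2
"""

# One attribute token: name(id)=value[(id)]. The value may carry a
# parenthesised word such as "pre_shared_key (XAUTH)" before its numeric id.
ATTR = re.compile(
    r"([a-z-]+)\((\d+)\)=([A-Za-z0-9_.-]+(?: \([A-Z]+\))?)(?:\((\d+)\))?"
)

# Attributes that must agree for a Phase 1 transform to be accepted
# (assumption: lifetimes are reported separately and not treated as fatal).
NEGOTIATED = ("encr", "key-len", "hash", "auth", "group")

# Legacy algorithms this example flags (a conservative policy, not the page's).
WEAK = {
    "encr": {"des-cbc", "3des-cbc"},
    "hash": {"md5", "sha1"},
    "group": {"1", "2", "5"},
}


def parse_transforms(log_text):
    """Turn every '... attributes' line into a {attribute: value} dict."""
    transforms = []
    for line in log_text.splitlines():
        if "attributes" not in line:
            continue
        transforms.append({name: value for name, _, value, _ in ATTR.findall(line)})
    return transforms


def differing_attributes(local, remote):
    """Negotiated attributes on which `remote` deviates from `local`."""
    return [k for k in NEGOTIATED if local.get(k) != remote.get(k)]


def explain_mismatch(local, remotes):
    """Return (indexes of matching remote transforms, {index: differing attrs})."""
    diffs = {i: differing_attributes(local, r) for i, r in enumerate(remotes)}
    matching = [i for i, d in diffs.items() if not d]
    return matching, diffs


def weak_attributes(transform):
    """Legacy (attribute, value) pairs present in a transform, per WEAK."""
    return [(k, transform.get(k)) for k in ("encr", "hash", "group")
            if transform.get(k) in WEAK[k]]


if __name__ == "__main__":
    local = parse_transforms(LOCAL_LOG)[0]
    remotes = parse_transforms(REMOTE_LOG)
    matching, diffs = explain_mismatch(local, remotes)
    print("matching client transforms:", matching or "none -> proposal mismatch")
    for i, d in diffs.items():
        print(f"  transform[{i}] differs in: {', '.join(d)}")
    # The corrected Phase 1 settings from the page: keep AES-256 and PSK,
    # switch the hash to sha1, the DH group to 2 and the lifetime to 28800.
    corrected = dict(local, hash="sha1", group="2", **{"life-duration": "28800"})
    print("corrected config matches:", explain_mismatch(corrected, remotes)[0])
    print("legacy algorithms in corrected config:", weak_attributes(corrected))
```

Run with the lines pasted from the router's debug log; every client transform differs from the router's in at least `hash` and `group`, which is exactly why the log reports "proposal mismatch". The corrected configuration matches only the client's first transform, and the `weak_attributes` check makes visible that the fix moved the router from sha2-256/group 14 down to sha1/group 2 to accommodate the client, a trade-off worth recording next to the peer configuration.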

'''-- Result -->>'''<br />
08:46:24 DEBUG/IPSEC: P1: peer 0 () sa 72 (R): new ip 192.168.100.1 <- ip 192.168.0.12<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is '4048b7d56ebce88525e7de7f00d6c2d380000000'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is '4a131c81070358455c5728f20e95452f'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is 'draft-ietf-ipsec-nat-t-ike-00'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is 'draft-ietf-ipsra-isakmp-xauth-06'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is '12f5f28c457168a9702d9fe274cc0100'<br />
08:46:24 INFO/IPSEC: P1: peer 0 () sa 72 (R): Vendor ID: 192.168.0.12:500 (No Id) is 'Dead Peer Detection (DPD, RFC 3706)'<br />
08:46:24 DEBUG/IPSEC: P1: peer 6 (andreoid) sa 72 (R): '''identified''' ip 192.168.100.1 <- ip 192.168.0.12<br />
08:46:25 INFO/IPSEC: P1: peer 6 (andreoid) sa 72 (R): '''done id fqdn(any:0,[0..3]=vpn1)''' <- id key_id(any:0,[0..7]=andreoid) AG[11b48364 3e2dddd0 : 427604e7 705d1980]<br />
08:46:25 INFO/IPSEC: XAUTH: peer 6 (andreoid) sa 72 (I): request client for extended authentication<br />
08:46:25 DEBUG/IPSEC: P1: peer 6 (andreoid) sa 72 (R): Notify "Initial contact notification" from 192.168.0.12:500 for protocol ISAKMP spi[16]=11B48364<br />
08:46:25 INFO/IPSEC: XAUTH: peer 6 (andreoid) sa 72 (I): reply for extended authentication received<br />
08:46:25 INFO/IPSEC: XAUTH: peer 6 (andreoid) sa 72 (I): '''extended authentication for user 'iphone' succeeded'''<br />
08:46:25 INFO/IPSEC: CFG: peer 6 (andreoid) sa 72 (R): '''request for ip address received'''<br />
08:46:25 INFO/IPSEC: CFG: peer 6 (andreoid) sa 72 (R): '''ip address 192.168.100.10 assigned'''<br />
'''''>> Tunnel is connected'''''<br />

--------------------------------------------------<br />

proposal mismatch : indicates that the settings on the two sides do not agree.<br />
No connection is established.