VPN not working, and is the FW rule correct?
-
Hello.
After a few weeks with pfSense I'm stuck at a few points. I'm currently trying to set up a VPN connection. I followed the IPsec Road Warrior/Mobile Client How-To. It doesn't work; the connection is aborted by a timeout. https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
Here is the log:
Nov 15 13:56:40 charon: 16[JOB] <con1|50> deleting half open IKE_SA after timeout
Nov 15 13:56:36 charon: 16[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:36 charon: 16[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:36 charon: 16[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:34 charon: 10[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:34 charon: 10[IKE] <con1|50> sending retransmit 3 of response message ID 0, seq 1
Nov 15 13:56:34 charon: 14[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:34 charon: 14[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:34 charon: 14[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:30 charon: 10[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:30 charon: 10[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:30 charon: 10[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:27 charon: 10[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:27 charon: 10[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:27 charon: 10[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:25 charon: 16[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:25 charon: 16[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:25 charon: 16[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:21 charon: 14[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:21 charon: 14[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:21 charon: 14[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:21 charon: 16[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:21 charon: 16[IKE] <con1|50> sending retransmit 2 of response message ID 0, seq 1
Nov 15 13:56:19 charon: 14[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:19 charon: 14[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:19 charon: 14[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:16 charon: 13[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:16 charon: 13[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:16 charon: 13[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:14 charon: 04[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:14 charon: 04[IKE] <con1|50> sending retransmit 1 of response message ID 0, seq 1
Nov 15 13:56:12 charon: 16[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:12 charon: 16[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:12 charon: 16[NET] <con1|50> received packet: from 109.47.2.246[36784] to 79.198.26.236[500] (896 bytes)
Nov 15 13:56:10 charon: 16[NET] <con1|50> sending packet: from 79.198.26.236[500] to 109.47.2.246[36784] (432 bytes)
Nov 15 13:56:10 charon: 16[ENC] <con1|50> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Nov 15 13:56:10 charon: 16[CFG] <50> selected peer config "con1"
Nov 15 13:56:10 charon: 16[CFG] <50> looking for XAuthInitPSK peer configs matching 79.198.26.236...109.47.2.246[vpn@pfsense.home]
Nov 15 13:56:10 charon: 16[IKE] <50> 109.47.2.246 is initiating a Aggressive Mode IKE_SA
Nov 15 13:56:10 charon: 16[IKE] <50> received DPD vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received Cisco Unity vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received XAuth vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received NAT-T (RFC 3947) vendor ID
Nov 15 13:56:10 charon: 16[IKE] <50> received FRAGMENTATION vendor ID
Nov 15 13:56:10 charon: 16[ENC] <50> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
And a few screenshots attached:
Correction. The VPN works with Debian 8 and the installed vpnc package. ;D ;D ;D
And another correction. Win 7 with Shrew Soft runs as well.
So it fails on the Android devices here. Who has it running? Any tips?
Phase 1
http://www.directupload.net/file/d/4175/i4kjolbh_jpg.htm
Phase 2
http://www.directupload.net/file/d/4175/apn9i7pk_jpg.htm
User Manager
http://www.directupload.net/file/d/4175/4l4fgt4h_jpg.htm
FW rule
http://www.directupload.net/file/d/4175/fdtdmzh2_jpg.htm
Android config
http://www.directupload.net/file/d/4175/7gzi22vv_jpg.htm

On to the second matter. I want to separate two network segments: GAMING for the game consoles on LAN port re2, and LAN for the rest on LAN port re1, on an apu1d4.
The IP range is 192.168.3.0/24 for LAN and 192.168.9.0/24 for GAMING. LANnet is allowed everything except using GAMINGnet. Can it be done that way, or does it have drawbacks? A different rule, block IPv4 LANnet any GAMINGnet any any, resulted in the gateway no longer being reachable.
Here is a screenshot
http://www.directupload.net/file/d/4175/7gzi22vv_jpg.htm
Thanks in advance for the answers.
Mike
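The charon log in the post above has a recognisable shape: the responder (pfSense) parses the Aggressive Mode request, answers it, and then keeps seeing the same request (message ID 0) retransmitted from the client until it gives up on the half-open IKE_SA. The script below is an added example, not code from the post or from pfSense/strongSwan: it parses charon log lines in the format quoted above, folds them into per-IKE_SA counters (request retransmits received, response retransmits sent, timeout or establishment) and turns that into a one-line verdict per SA. The sample log embedded in it is constructed to mirror the exchange in the post, using RFC 5737 documentation addresses rather than the real ones, and adds a healthy Main Mode handshake for contrast.

```python
"""Summarise IKE handshake attempts from strongSwan charon log lines.

Added example, not code from the original post or from pfSense/strongSwan.
It parses the line format charon writes (as quoted in the post) and, per
IKE_SA, counts how often the initiator re-sent its request and how often
the responder re-sent its reply, then classifies the outcome.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed sample in charon's format; the addresses are documentation
# ranges (RFC 5737), not the ones from the post. SA 50 mirrors the failing
# Android attempt, SA 51 is a healthy Main Mode handshake for contrast.
SAMPLE_LOG = """\
Nov 15 13:56:10 charon: 16[ENC] <50> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Nov 15 13:56:10 charon: 16[IKE] <50> 198.51.100.7 is initiating a Aggressive Mode IKE_SA
Nov 15 13:56:10 charon: 16[CFG] <50> looking for XAuthInitPSK peer configs matching 203.0.113.10...198.51.100.7[vpn@pfsense.home]
Nov 15 13:56:10 charon: 16[CFG] <50> selected peer config "con1"
Nov 15 13:56:10 charon: 16[ENC] <con1|50> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Nov 15 13:56:10 charon: 16[NET] <con1|50> sending packet: from 203.0.113.10[500] to 198.51.100.7[36784] (432 bytes)
Nov 15 13:56:12 charon: 16[NET] <con1|50> received packet: from 198.51.100.7[36784] to 203.0.113.10[500] (896 bytes)
Nov 15 13:56:12 charon: 16[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:14 charon: 04[IKE] <con1|50> sending retransmit 1 of response message ID 0, seq 1
Nov 15 13:56:16 charon: 13[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:21 charon: 16[IKE] <con1|50> sending retransmit 2 of response message ID 0, seq 1
Nov 15 13:56:34 charon: 10[IKE] <con1|50> sending retransmit 3 of response message ID 0, seq 1
Nov 15 13:56:36 charon: 16[IKE] <con1|50> received retransmit of request with ID 0, retransmitting response
Nov 15 13:56:40 charon: 16[JOB] <con1|50> deleting half open IKE_SA after timeout
Nov 15 14:02:03 charon: 09[IKE] <51> 198.51.100.20 is initiating a Main Mode IKE_SA
Nov 15 14:02:03 charon: 09[CFG] <51> selected peer config "con1"
Nov 15 14:02:04 charon: 09[IKE] <con1|51> IKE_SA con1[51] established between 203.0.113.10[203.0.113.10]...198.51.100.20[vpn@pfsense.home]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")
CFG_RE = re.compile(r"^looking for (?P<auth>\S+) peer configs matching \S+\.\.\.\S+\[(?P<pid>.+)\]$")


@dataclass
class SaStats:
    sa: str
    conn: Optional[str] = None
    peer: Optional[str] = None
    peer_id: Optional[str] = None
    auth: Optional[str] = None
    mode: Optional[str] = None
    request_retransmits: int = 0   # initiator re-sent its request: it did not accept our reply
    response_retransmits: int = 0  # responder re-sent its reply on its own retransmit timer
    half_open_timeout: bool = False
    established: bool = False
    first_ts: Optional[datetime] = None
    last_ts: Optional[datetime] = None

    @property
    def duration_s(self) -> int:
        if self.first_ts is None or self.last_ts is None:
            return 0
        return int((self.last_ts - self.first_ts).total_seconds())


def analyse(log_text: str) -> Dict[str, SaStats]:
    """Fold charon log lines into per-IKE_SA statistics (unparseable lines are skipped)."""
    stats: Dict[str, SaStats] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats.setdefault(m["sa"], SaStats(sa=m["sa"]))
        # syslog timestamps carry no year; good enough for deltas within one day
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        s.first_ts = s.first_ts or ts
        s.last_ts = ts
        if m["conn"]:
            s.conn = m["conn"]
        msg = m["msg"]
        if (im := INIT_RE.match(msg)):
            s.peer, s.mode = im["peer"], im["mode"]
        elif (cm := CFG_RE.match(msg)):
            s.auth, s.peer_id = cm["auth"], cm["pid"]
        elif msg.startswith("received retransmit of request"):
            s.request_retransmits += 1
        elif msg.startswith("sending retransmit"):
            s.response_retransmits += 1
        elif "deleting half open IKE_SA after timeout" in msg:
            s.half_open_timeout = True
        elif " established between " in msg:
            s.established = True
    return stats


def diagnose(s: SaStats) -> str:
    """Classify one IKE_SA; for the failing pattern the text names what to check next."""
    who = f"{s.peer or '?'} (ID {s.peer_id or 'n/a'}, {s.auth or 'auth n/a'}, {s.mode or '?'} Mode)"
    if s.established:
        return f"SA {s.sa}: established with {who}"
    if s.half_open_timeout and s.request_retransmits:
        return (f"SA {s.sa}: initiator never accepted our response, peer {who}: "
                f"{s.request_retransmits} request retransmits, "
                f"{s.response_retransmits} response retransmits, timed out after {s.duration_s}s; "
                "check that UDP 500/4500 replies reach the client and that PSK and identifier match")
    if s.half_open_timeout:
        return f"SA {s.sa}: half-open timeout, peer {who} went silent after its first message"
    return f"SA {s.sa}: incomplete, neither timeout nor establishment seen"


if __name__ == "__main__":
    for sa in analyse(SAMPLE_LOG).values():
        print(diagnose(sa))
```

Run it against a real `/var/log/ipsec.log` by replacing `SAMPLE_LOG` with the file contents; lines without the `<conn|id>` tag are ignored. The verdict for SA 50 is the useful part: the responder's reply is generated and sent every time, so the question is why the client never moves past message 1. Two common reasons for exactly this pattern are that the reply does not make it back through the client's NAT, and that the client rejects it silently; in IKEv1 Aggressive Mode with a PSK the responder's reply carries a hash the initiator can only verify with the same PSK, so a PSK or identifier mismatch on the client looks identical to packet loss from the server side.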
-
Morning.
I've uploaded the pictures; they're easier to view now.
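For the second question in the opening post (LAN on re1 and GAMING on re2, with LAN allowed everything except GAMINGnet), the point a practitioner wants to see is how pfSense evaluates rules: only the rules of the interface a packet enters on are consulted, top to bottom, first match wins, and anything matching no rule is dropped. The model below is an added example, not pfSense code and not the poster's actual rules; the gateway address 192.168.3.1 and every rule set in it are assumptions. It compares the "pass LANnet to !GAMINGnet" variant with an explicit block rule in both orders, and shows what the LAN rules do not control: connections that the consoles initiate towards LAN.

```python
"""Model pfSense-style per-interface rule evaluation for a LAN/GAMING split.

Added example, not from the original post or from pfSense. pfSense applies
the rules of the interface a packet ENTERS on, top to bottom, first match
wins ("quick"), and denies anything that matches no rule. The nets, the
gateway address 192.168.3.1 and the rule sets below are assumptions made
for this illustration, not the poster's real configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.3.0/24")
GAMING_NET = ipaddress.ip_network("192.168.9.0/24")
LAN_GW = "192.168.3.1"          # assumed pfSense address on re1
INTERNET_HOST = "203.0.113.5"   # RFC 5737 documentation address standing in for "the internet"


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]      # None = any
    dst: Optional[ipaddress.IPv4Network]      # None = any
    dst_invert: bool = False                  # the "not" checkbox on the destination
    label: str = ""

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst in self.dst
            if in_dst == self.dst_invert:     # inverted rule matches only when dst is NOT in the net
                return False
        return True


def evaluate(rules: List[Rule], src, dst) -> Tuple[str, str]:
    """First matching rule wins; no match means pfSense's implicit default deny."""
    for r in rules:
        if r.matches(src, dst):
            return r.action, r.label
    return "block", "default deny"


def ingress_rules(src, rulesets) -> List[Rule]:
    """Pick the rule set of the interface the packet enters on (chosen here by source net)."""
    for net, rules in rulesets:
        if src in net:
            return rules
    return []


# Variant from the post: a single pass rule with the destination inverted.
LAN_INVERT = [Rule("pass", LAN_NET, GAMING_NET, dst_invert=True, label="pass LANnet -> !GAMINGnet")]
# Explicit block placed above a pass-all rule.
LAN_BLOCK_FIRST = [Rule("block", LAN_NET, GAMING_NET, label="block LANnet -> GAMINGnet"),
                   Rule("pass", LAN_NET, None, label="pass LANnet -> any")]
# The same two rules in the wrong order: the block is never reached.
LAN_BLOCK_LAST = list(reversed(LAN_BLOCK_FIRST))
# pfSense's usual "allow everything" rule on a freshly added interface.
GAMING_OPEN = [Rule("pass", GAMING_NET, None, label="pass GAMINGnet -> any")]
# Consoles may reach the internet but may not open connections into LAN.
GAMING_ISOLATED = [Rule("block", GAMING_NET, LAN_NET, label="block GAMINGnet -> LANnet"),
                   Rule("pass", GAMING_NET, None, label="pass GAMINGnet -> any")]


def decide(lan_rules: List[Rule], gaming_rules: List[Rule], src: str, dst: str) -> str:
    """Return 'pass' or 'block' for a new connection from src to dst under the given rule sets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rulesets = [(LAN_NET, lan_rules), (GAMING_NET, gaming_rules)]
    action, _label = evaluate(ingress_rules(s, rulesets), s, d)
    return action


if __name__ == "__main__":
    cases = [("192.168.3.50", "192.168.9.10"), ("192.168.3.50", LAN_GW),
             ("192.168.3.50", INTERNET_HOST), ("192.168.9.10", "192.168.3.50")]
    for name, lan, gaming in [("invert/open", LAN_INVERT, GAMING_OPEN),
                              ("block-first/open", LAN_BLOCK_FIRST, GAMING_OPEN),
                              ("block-last/open", LAN_BLOCK_LAST, GAMING_OPEN),
                              ("invert/isolated", LAN_INVERT, GAMING_ISOLATED)]:
        for src, dst in cases:
            print(f"{name:18} {src:>14} -> {dst:<14} {decide(lan, gaming, src, dst)}")
```

The model ignores state tracking, floating rules and the anti-lockout rule, so it only answers "may a new connection in this direction be opened". Two results matter for the post: the inverted pass rule alone already denies LAN to GAMING (everything that matches no rule is dropped) and still lets LAN hosts reach 192.168.3.1, so that rule by itself does not explain a lost gateway; and with pfSense's default "allow all" rule on the GAMING interface, the consoles can still open connections into LAN, because the LAN rules never see traffic that enters on re2. The separation is only one-way until the GAMING tab gets its own block rule.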