IPSEC-VPN <-> openswan (Astaro) no chance



  • Hello,

    I hope someone has an idea.
    The same settings on both sides, and still the tunnels are not established.

    pfSense, Astaro latest version

    pfSense messages:
    Jul 4 16:56:26 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:00006e40
    Jul 4 16:56:57 last message repeated 2 times
    Jul 4 16:57:03 racoon: INFO: unsupported PF_KEY message REGISTER
    Jul 4 16:57:03 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=26)
    Jul 4 16:57:03 racoon: INFO: ::1[500] used as isakmp port (fd=27)
    Jul 4 16:57:03 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=28)
    Jul 4 16:57:03 racoon: INFO: fe80::20c:29ff:fedb:18e3%le1[500] used as isakmp port (fd=29)
    Jul 4 16:57:03 racoon: INFO: 217.6.34.99[500] used as isakmp port (fd=30)
    Jul 4 16:57:03 racoon: INFO: fe80::20c:29ff:fedb:18d9%le0[500] used as isakmp port (fd=31)
    Jul 4 16:57:03 racoon: INFO: 192.168.1.44[500] used as isakmp port (fd=32)
    Jul 4 16:57:36 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000129e
    Jul 4 16:58:07 last message repeated 2 times
    Jul 4 16:58:47 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000c909
    Jul 4 16:59:17 last message repeated 2 times
    Jul 4 16:59:57 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:00000802
    Jul 4 17:00:27 last message repeated 2 times
    Jul 4 17:01:07 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:00004b67
    Jul 4 17:01:36 last message repeated 2 times
    Jul 4 17:02:17 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:000019c1
    Jul 4 17:02:47 last message repeated 2 times
    Jul 4 17:03:27 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000823d
    Jul 4 17:03:56 last message repeated 2 times
    Jul 4 17:04:37 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000247f
    Jul 4 17:05:07 last message repeated 2 times
    Jul 4 17:05:47 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000fb63
    Jul 4 17:06:17 last message repeated 2 times
    Jul 4 17:06:57 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:000086fc
    Jul 4 17:07:27 last message repeated 2 times
    Jul 4 17:08:07 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000fde9
    Jul 4 17:08:37 last message repeated 2 times
    Jul 4 17:09:17 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000e126
    Jul 4 17:09:47 last message repeated 2 times
    Jul 4 17:10:27 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:00008543
    Jul 4 17:10:57 last message repeated 2 times
    Jul 4 17:11:37 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d9927ce02ffe45f:02bbb0b4ad81289c:0000b670
    Jul 4 17:12:07 last message repeated 2 times

    Astaro:
    2007:07:04-16:47:07 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #528: received Vendor ID payload [Dead Peer Detection]
    2007:07:04-16:47:07 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #528: Peer ID is ID_IPV4_ADDR: '217.6.34.99'
    2007:07:04-16:47:07 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #528: ISAKMP SA established
    2007:07:04-16:47:07 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #529: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#528}
    2007:07:04-16:47:07 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #528: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2007:07:04-16:47:17 (none) pluto[3864]: packet from 217.6.34.99:500: ignoring informational payload, type INVALID_COOKIE
    2007:07:04-16:47:37 (none) pluto[3864]: packet from 217.6.34.99:500: ignoring informational payload, type INVALID_COOKIE
    2007:07:04-16:48:17 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #529: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2007:07:04-16:48:17 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #529: starting keying attempt 2 of an unlimited number
    2007:07:04-16:48:17 (none) pluto[3864]: "S_REF_hovtTdsxWV_0" #530: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #529 {using isakmp#528}
    2007:07:04-16:48:17 (none) pluto[3864]: packet from 217.6.34.99:500: ignoring informational payload, type INVALID_COOKIE
    2007:07:04-16:48:27 (none) pluto[3864]: packet from 217.6.34.99:500: ignoring informational payload, type INVALID_COOKIE
    2007:07:04-16:48:47 (none) pluto[3864]: packet from 217.6.34.99:500: ignoring informational payload, type INVALID_COOKIE

    Any idea?

    Thanks and regards

    Stefan



  • Which settings exactly did you use?



  • Hello Heiko,

    thanks for your quick reply.
    So, I also have other VPN links running with the Astaro (Cisco, Nortel, etc.).
    Usually one makes a mistake in the policy or the key, but I have checked three times and see no mistake.

    I have attached a few screenshots for you.

    There you can clearly see the settings of both sides.

    Thanks and regards

    Stefan














  • Hello,

    Astaro has a Linux 2.6 kernel, if I remember correctly. I will send you the settings to your office address tomorrow. With your settings I have not managed to establish a tunnel to any 2.6 kernel, but that doesn't have to mean anything. The settings I use work for me. As I said, I will send them to your office tomorrow morning.
    Regards
    heiko

