ich habe das Problem, dass beim RemoteAccess per IPSec mit dem NCP Entry Client immer häufiger mehrere Versuche benötigt werden, bevor der VPN-Tunnel aufgebaut werden kann.
Im Logfile ist dann folgender Eintrag zu finden:
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [da8e937880010000]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: received Vendor ID payload [XAUTH]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: received Vendor ID payload [RFC 3947]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: received Vendor ID payload [Dead Peer Detection]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [NCP Client]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [c61baca1f1a60cc10800000000000000]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [cbe79444a0870de4224a2c151fbfe099]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: packet from :10952: ignoring Vendor ID payload [Cisco-Unity]
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnVertr_0"[33] :10952 #1248: responding to Main Mode from unknown peer :10952
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnVertr_0"[33] :10952 #1248: NAT-Traversal: Result using RFC 3947: peer is NATed
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnVertr_0"[33] :10952 #1248: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnVertr_0"[33] :10952 #1248: Peer ID is ID_USER_FQDN: 'user@e-mail.com'
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnVertr_0"[33] :10952 #1248: crl not found
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnVertr_0"[33] :10952 #1248: certificate status unknown
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnMobil_6"[1] :10952 #1248: deleting connection "D_REF_IpsRoaVpnVertr_0"[33] instance with peer {isakmp=#0/ipsec=#0}
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnMobil_6"[1] :10952 #1248: we have a cert and are sending it
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnMobil_6"[1] :10952 #1248: Dead Peer Detection (RFC 3706) enabled
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: | NAT-T: new mapping :10952/10954)
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnMobil_6"[1] :10954 #1248: sent MR3, ISAKMP SA established
2013:09:17-19:47:02 SOPHOS-UTM220 pluto[6772]: "D_REF_IpsRoaVpnMobil_6"[1] :10954 #1248: sending XAUTH request
2013:09:17-19:47:12 SOPHOS-UTM220 pluto[6772]: packet from :10954: Main Mode message is part of an unknown exchange
2013:09:17-19:47:17 SOPHOS-UTM220 pluto[6772]: packet from :10954: Main Mode message is part of an unknown exchange
2013:09:17-19:47:23 SOPHOS-UTM220 pluto[6772]: packet from :10954: Main Mode message is part of an unknown exchange
2013:09:17-19:47:30 SOPHOS-UTM220 pluto[6772]: packet from :10954: Informational Exchange is for an unknown (expired?) SA
Wie gesagt nach einigen Versuchen gelingt der Aufbau des Tunnels dann meistens, aber auch nicht immer.
Die Authentifizierung erfolgt per Zertifikat und XAUTH.
Die verwendete UTM ist eine UTM220 [9.105-9].
Hat jemand eine Idee, wo hier das Problem liegen könnte?
Vielen Dank.
- pro_mrjetter -
This thread was automatically locked due to age.