This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec S2S UTM135 <-> Cisco ASA Aufbau nur von ASA möglich

Hallo Alle zusammen,

Ich habe einen IPSec Tunnel zu konfigurieren.

Aufbau

UTM <-> Fritzbox 7390 (static IP) <-> ASA (static IP) <-> interne Netze

Ich habe die Konfig anhand der FAQ V7 Cisco gemacht und habe auch nach einigen Anlaufproblemen eine Verbindung aufbauen können.

Allerdings kann ich den Tunnel nur von der ASA-Seite her aufbauen. Wenn der Tunnel einmal aufgebaut ist, funktioniert alles hervorragend.

Hier noch ein paar Bilder

Und etwas Log-file

2016:08:23-09:00:21 asg12 ipsec_starter[20471]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2016:08:23-09:00:21 asg12 pluto[20483]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2016:08:23-09:00:21 asg12 pluto[20483]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2016:08:23-09:00:21 asg12 pluto[20483]: including NAT-Traversal patch (Version 0.6c)
2016:08:23-09:00:21 asg12 pluto[20483]: Using Linux 2.6 IPsec interface code
2016:08:23-09:00:21 asg12 ipsec_starter[20477]: pluto (20483) started after 20 ms
2016:08:23-09:00:21 asg12 pluto[20483]: loading ca certificates from '/etc/ipsec.d/cacerts'
2016:08:23-09:00:21 asg12 pluto[20483]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2016:08:23-09:00:21 asg12 pluto[20483]: loading aa certificates from '/etc/ipsec.d/aacerts'
2016:08:23-09:00:21 asg12 pluto[20483]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2016:08:23-09:00:21 asg12 pluto[20483]: Changing to directory '/etc/ipsec.d/crls'
2016:08:23-09:00:21 asg12 pluto[20483]: loading attribute certificates from '/etc/ipsec.d/acerts'
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface wlan0/wlan0 172.16.28.1:500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface wlan0/wlan0 172.16.28.1:4500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface eth4/eth4 172.16.20.1:500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface eth4/eth4 172.16.20.1:4500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface eth1/eth1 192.168.10.66:500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface eth1/eth1 192.168.10.66:4500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface eth0/eth0 10.228.187.185:500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface eth0/eth0 10.228.187.185:4500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface lo/lo 127.0.0.1:500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface lo/lo 127.0.0.1:4500
2016:08:23-09:00:21 asg12 pluto[20483]: adding interface lo/lo ::1:500
2016:08:23-09:00:21 asg12 pluto[20483]: loading secrets from "/etc/ipsec.secrets"
2016:08:23-09:00:21 asg12 pluto[20483]: loaded PSK secret for x.x.x.x(fritz) x.x.x.x ASA
2016:08:23-09:00:21 asg12 pluto[20483]: listening for IKE messages
2016:08:23-09:00:21 asg12 pluto[20483]: added connection description "S_LRA"
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: initiating Main Mode
2016:08:23-09:00:21 asg12 pluto[20483]: added connection description "S_LRA"
2016:08:23-09:00:21 asg12 pluto[20483]: added connection description "S_LRA"
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: received Vendor ID payload [RFC 3947]
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: enabling possible NAT-traversal with method 3
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: ignoring Vendor ID payload [Cisco-Unity]
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: received Vendor ID payload [XAUTH]
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: ignoring Vendor ID payload [ec3755d03316d64a0ee3fa31a870370f]
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: received Vendor ID payload [Dead Peer Detection]
2016:08:23-09:00:21 asg12 pluto[20483]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: Peer ID is ID_IPV4_ADDR: 'x.x.x.x ASA'
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: Dead Peer Detection (RFC 3706) enabled
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: ISAKMP SA established
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:08:23-09:00:21 asg12 pluto[20483]: "S_LRA" #1: received Delete SA payload: deleting ISAKMP State #1

This thread was automatically locked due to age.

BAlfson over 9 years ago

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

My first guess would be that the 'VPN ID' in 'Preshared key settings' is not the static public IP on the Fritzbox.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
bpman over 9 years ago in reply to BAlfson

Hallo Bob,

in den Advanced Options / Preshared Key Settings ist die öffentliche Adresse der Fritzbox eingetragen.

In der Remote Gateway Konfiguration ist bei VPN ID die öffentliche Adress der ASA eingetragen.

Funktioniert auch ohne diesen Eintrag aber sicher ist sicher [:)]

Kann es sein das die UTM die Reverseauflösung beim Aufbau der Verbindung prüft? Da gibt es noch einen Fehler den ich aber gerade mit dem ISP kläre.

Ein Ping hinter der ASA in Richtung UTM baut sofort den Tunnel auf und ich kann auf beiden Seiten arbeiten.

Versuche ich aber den Tunnel von der UTM aus aufzubauen passiert nichts.

Gruß Bernd
Cancel
Vote Up 0 Vote Down

Cancel
bpman over 9 years ago in reply to bpman

Hier noch ein Auszug aus dem Log mit Debug-Option

Dabei stören mich die rot markierten Zeilen.

------------------------------------

2016:08:25-13:45:49 asg12 pluto[588]: | *received 92 bytes from x.x.x.xASA:4500 on eth1
2016:08:25-13:45:49 asg12 pluto[588]: | **parse ISAKMP Message:
2016:08:25-13:45:49 asg12 pluto[588]: | initiator cookie:
2016:08:25-13:45:49 asg12 pluto[588]: | a6 7b 13 2d 9d 40 a3 b7
2016:08:25-13:45:49 asg12 pluto[588]: | responder cookie:
2016:08:25-13:45:49 asg12 pluto[588]: | b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | next payload type: ISAKMP_NEXT_HASH
2016:08:25-13:45:49 asg12 pluto[588]: | ISAKMP version: ISAKMP Version 1.0
2016:08:25-13:45:49 asg12 pluto[588]: | exchange type: ISAKMP_XCHG_INFO
2016:08:25-13:45:49 asg12 pluto[588]: | flags: ISAKMP_FLAG_ENCRYPTION
2016:08:25-13:45:49 asg12 pluto[588]: | message ID: 57 a8 9f bd
2016:08:25-13:45:49 asg12 pluto[588]: | length: 92
2016:08:25-13:45:49 asg12 pluto[588]: | ICOOKIE: a6 7b 13 2d 9d 40 a3 b7
2016:08:25-13:45:49 asg12 pluto[588]: | RCOOKIE: b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | peer: 52 c1 e2 8d
2016:08:25-13:45:49 asg12 pluto[588]: | state hash entry 29
2016:08:25-13:45:49 asg12 pluto[588]: | state object #1 found, in STATE_MAIN_I4
2016:08:25-13:45:49 asg12 pluto[588]: | ***parse ISAKMP Hash Payload:
2016:08:25-13:45:49 asg12 pluto[588]: | next payload type: ISAKMP_NEXT_D
2016:08:25-13:45:49 asg12 pluto[588]: | length: 24
2016:08:25-13:45:49 asg12 pluto[588]: | ***parse ISAKMP Delete Payload:
2016:08:25-13:45:49 asg12 pluto[588]: | next payload type: ISAKMP_NEXT_NONE
2016:08:25-13:45:49 asg12 pluto[588]: | length: 28
2016:08:25-13:45:49 asg12 pluto[588]: | DOI: ISAKMP_DOI_IPSEC
2016:08:25-13:45:49 asg12 pluto[588]: | protocol ID: 1
2016:08:25-13:45:49 asg12 pluto[588]: | SPI size: 16
2016:08:25-13:45:49 asg12 pluto[588]: | number of SPIs: 1
2016:08:25-13:45:49 asg12 pluto[588]: | removing 12 bytes of padding
2016:08:25-13:45:49 asg12 pluto[588]: | ICOOKIE: a6 7b 13 2d 9d 40 a3 b7
2016:08:25-13:45:49 asg12 pluto[588]: | RCOOKIE: b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | peer: 52 c1 e2 8d
2016:08:25-13:45:49 asg12 pluto[588]: | state hash entry 29
2016:08:25-13:45:49 asg12 pluto[588]: | state object #1 found, in STATE_MAIN_I4
2016:08:25-13:45:49 asg12 pluto[588]: "S_LRA" #1: received Delete SA payload: deleting ISAKMP State #1
2016:08:25-13:45:49 asg12 pluto[588]: | deleting unestablished phase2 state #4
2016:08:25-13:45:49 asg12 pluto[588]: | ICOOKIE: a6 7b 13 2d 9d 40 a3 b7
2016:08:25-13:45:49 asg12 pluto[588]: | RCOOKIE: b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | peer: 52 c1 e2 8d
2016:08:25-13:45:49 asg12 pluto[588]: | state hash entry 29
2016:08:25-13:45:49 asg12 pluto[588]: | deleting unestablished phase2 state #3
2016:08:25-13:45:49 asg12 pluto[588]: | ICOOKIE: a6 7b 13 2d 9d 40 a3 b7
2016:08:25-13:45:49 asg12 pluto[588]: | RCOOKIE: b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | peer: 52 c1 e2 8d
2016:08:25-13:45:49 asg12 pluto[588]: | state hash entry 29
2016:08:25-13:45:49 asg12 pluto[588]: | deleting unestablished phase2 state #2
2016:08:25-13:45:49 asg12 pluto[588]: | ICOOKIE: a6 7b 13 2d 9d 40 a3 b7
2016:08:25-13:45:49 asg12 pluto[588]: | RCOOKIE: b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | peer: 52 c1 e2 8d
2016:08:25-13:45:49 asg12 pluto[588]: | state hash entry 29
2016:08:25-13:45:49 asg12 pluto[588]: | del: a6 7b 13 2d 9d 40 a3 b7 b2 e3 90 89 05 84 ee 82
2016:08:25-13:45:49 asg12 pluto[588]: | next event EVENT_NAT_T_KEEPALIVE in 60 seconds

------------------------------------

Gruß Bernd
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 9 years ago in reply to bpman

Bernd, bitte, stelle Debug ab! [;)] Und dann uns etwa 60 Zeilen zeigen.

MfG - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
bpman over 9 years ago in reply to BAlfson

Hier das UTW-Log ohne Debug Optionen

--------------------------

2016:08:26-13:15:44 asg12 ipsec_starter[5331]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2016:08:26-13:15:44 asg12 pluto[5344]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2016:08:26-13:15:44 asg12 pluto[5344]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2016:08:26-13:15:44 asg12 pluto[5344]: including NAT-Traversal patch (Version 0.6c)
2016:08:26-13:15:44 asg12 pluto[5344]: Using Linux 2.6 IPsec interface code
2016:08:26-13:15:44 asg12 ipsec_starter[5338]: pluto (5344) started after 20 ms
2016:08:26-13:15:45 asg12 pluto[5344]: loading ca certificates from '/etc/ipsec.d/cacerts'
2016:08:26-13:15:45 asg12 pluto[5344]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2016:08:26-13:15:45 asg12 pluto[5344]: loading aa certificates from '/etc/ipsec.d/aacerts'
2016:08:26-13:15:45 asg12 pluto[5344]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2016:08:26-13:15:45 asg12 pluto[5344]: Changing to directory '/etc/ipsec.d/crls'
2016:08:26-13:15:45 asg12 pluto[5344]: loading attribute certificates from '/etc/ipsec.d/acerts'
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface wlan0/wlan0 172.16.28.1:500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface wlan0/wlan0 172.16.28.1:4500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface eth4/eth4 172.16.20.1:500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface eth4/eth4 172.16.20.1:4500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface eth1/eth1 192.168.10.66:500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface eth1/eth1 192.168.10.66:4500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface eth0/eth0 10.228.187.185:500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface eth0/eth0 10.228.187.185:4500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface lo/lo 127.0.0.1:500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface lo/lo 127.0.0.1:4500
2016:08:26-13:15:45 asg12 pluto[5344]: adding interface lo/lo ::1:500
2016:08:26-13:15:45 asg12 pluto[5344]: loading secrets from "/etc/ipsec.secrets"
2016:08:26-13:15:45 asg12 pluto[5344]: loaded PSK secret for 176.94.108.98 82.193.226.141
2016:08:26-13:15:45 asg12 pluto[5344]: listening for IKE messages
2016:08:26-13:15:45 asg12 pluto[5344]: added connection description "S_LRA"
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: initiating Main Mode
2016:08:26-13:15:45 asg12 pluto[5344]: added connection description "S_LRA"
2016:08:26-13:15:45 asg12 pluto[5344]: added connection description "S_LRA"
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: received Vendor ID payload [RFC 3947]
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: enabling possible NAT-traversal with method 3
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: ignoring Vendor ID payload [Cisco-Unity]
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: received Vendor ID payload [XAUTH]
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: ignoring Vendor ID payload [955941cdcf31fdd599b00805893672ec]
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: received Vendor ID payload [Dead Peer Detection]
2016:08:26-13:15:45 asg12 pluto[5344]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: Peer ID is ID_IPV4_ADDR: '82.193.226.141'
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: Dead Peer Detection (RFC 3706) enabled
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: ISAKMP SA established
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:08:26-13:15:45 asg12 pluto[5344]: "S_LRA" #1: received Delete SA payload: deleting ISAKMP State #1

----------------------

Dazu das passende ASA log. Es muss allerdings von unten gelesen werden.

----------------------

7|Aug 26 2016|13:17:46|609002|x.x.x.x(fritz)||||Teardown local-host outside:x.x.x.x(fritz) duration 0:02:01
6|Aug 26 2016|13:17:46|302016|x.x.x.x(fritz)|4500|x.x.x.x(asa)|4500|Teardown UDP connection 388810 for outside:x.x.x.x(fritz)/4500 to identity:x.x.x.x(asa)/4500 duration 0:02:01 bytes 1376
6|Aug 26 2016|13:17:46|302016|x.x.x.x(fritz)|500|x.x.x.x(asa)|500|Teardown UDP connection 388809 for outside:x.x.x.x(fritz)/500 to identity:x.x.x.x(asa)/500 duration 0:02:01 bytes 1044
5|Aug 26 2016|13:15:45|713904|||||IP = x.x.x.x(fritz), Received encrypted packet with no matching SA, dropping
5|Aug 26 2016|13:15:45|713904|||||IP = x.x.x.x(fritz), Received encrypted packet with no matching SA, dropping
5|Aug 26 2016|13:15:45|713904|||||IP = x.x.x.x(fritz), Received encrypted packet with no matching SA, dropping
4|Aug 26 2016|13:15:45|113019|||||Group = x.x.x.x(fritz), Username = x.x.x.x(fritz), IP = x.x.x.x(fritz), Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Aug 26 2016|13:15:45|713259|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Session is being torn down. Reason: Phase 2 Mismatch
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE SENDING Message (msgid=c42ca052) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing qm hash payload
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing IKE delete payload
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing blank hash payload
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), sending delete/delete with reason message
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), IKE SA MM:d0e69e60 terminating: flags 0x0100c002, refcnt 0, tuncnt 0
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), IKE SA MM:d0e69e60 rcv'd Terminate: state MM_ACTIVE flags 0x0000c042, refcnt 1, tuncnt 0
6|Aug 26 2016|13:15:45|713213|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Deleting static route for L2L peer that came in on a dynamic map. address: 10.228.187.184, mask: 255.255.255.248
3|Aug 26 2016|13:15:45|713902|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Removing peer from correlator table failed, no match!
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), sending delete/delete with reason message
7|Aug 26 2016|13:15:45|715065|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), IKE QM Responder FSM error history (struct &0xae5de2c8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Aug 26 2016|13:15:45|713902|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), QM FSM error (P2 struct &0xae5de2c8, mess id 0x6b7e66e9)!
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE SENDING Message (msgid=6f3f6fac) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing qm hash payload
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing ipsec notify payload for msg id 6b7e66e9
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing blank hash payload
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), sending notify message
5|Aug 26 2016|13:15:45|713904|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), All IPSec SA proposals found unacceptable!
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing IPSec SA payload
7|Aug 26 2016|13:15:45|713066|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|715059|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Aug 26 2016|13:15:45|713225|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, map SYSTEM_DEFAULT_CRYPTO_MAP, seq = 65535 is a successful match
7|Aug 26 2016|13:15:45|713222|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, map = outside_map, seq = 21, ACL does not match proxy IDs src:10.228.187.184 dst:10.228.103.0
7|Aug 26 2016|13:15:45|713221|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, checking map = outside_map, seq = 21...
7|Aug 26 2016|13:15:45|713223|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, map = outside_map, seq = 10, no ACL configured
7|Aug 26 2016|13:15:45|713221|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, checking map = outside_map, seq = 10...
7|Aug 26 2016|13:15:45|713223|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, map = outside_map, seq = 2, no ACL configured
7|Aug 26 2016|13:15:45|713221|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, checking map = outside_map, seq = 2...
7|Aug 26 2016|13:15:45|713222|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.228.187.184 dst:10.228.103.0
7|Aug 26 2016|13:15:45|713221|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Static Crypto Map check, checking map = outside_map, seq = 1...
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), QM IsRekeyed old sa not found by addr
7|Aug 26 2016|13:15:45|713034|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Received local IP Proxy Subnet data in ID Payload:   Address 10.228.103.0, Mask 255.255.255.0, Protocol 0, Port 0
7|Aug 26 2016|13:15:45|714011|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), ID_IPV4_ADDR_SUBNET ID received--10.228.103.0--255.255.255.0
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing ID payload
7|Aug 26 2016|13:15:45|713035|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Received remote IP Proxy Subnet data in ID Payload:   Address 10.228.187.184, Mask 255.255.255.248, Protocol 0, Port 0
7|Aug 26 2016|13:15:45|714011|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), ID_IPV4_ADDR_SUBNET ID received--10.228.187.184--255.255.255.248
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing ID payload
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing ISA_KE for PFS in phase 2
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing ke payload
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing nonce payload
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing SA payload
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing hash payload
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE RECEIVED Message (msgid=6b7e66e9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
7|Aug 26 2016|13:15:45|714003|||||IP = x.x.x.x(fritz), IKE Responder starting QM: msg id = 6b7e66e9
7|Aug 26 2016|13:15:45|715080|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Starting P1 rekey timer: 27360 seconds.
7|Aug 26 2016|13:15:45|713121|||||IP = x.x.x.x(fritz), Keep-alive type for this connection: DPD
5|Aug 26 2016|13:15:45|713119|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), PHASE 1 COMPLETED
6|Aug 26 2016|13:15:45|113009|||||AAA retrieved default group policy (GroupPolicy_x.x.x.x(fritz)) for user = x.x.x.x(fritz)
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing dpd vid payload
7|Aug 26 2016|13:15:45|715076|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Computing hash for ISAKMP
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing hash payload
7|Aug 26 2016|13:15:45|715046|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), constructing ID payload
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), Connection landed on tunnel_group x.x.x.x(fritz)
6|Aug 26 2016|13:15:45|713905|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Floating NAT-T from x.x.x.x(fritz) port 500 to x.x.x.x(fritz) port 4500
6|Aug 26 2016|13:15:45|713172|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
7|Aug 26 2016|13:15:45|715076|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Computing hash for ISAKMP
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing hash payload
7|Aug 26 2016|13:15:45|714011|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), ID_IPV4_ADDR ID received
7|Aug 26 2016|13:15:45|715047|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), processing ID payload
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
6|Aug 26 2016|13:15:45|302015|x.x.x.x(fritz)|4500|x.x.x.x(asa)|4500|Built inbound UDP connection 388810 for outside:x.x.x.x(fritz)/4500 (x.x.x.x(fritz)/4500) to identity:x.x.x.x(asa)/4500 (x.x.x.x(asa)/4500)
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 368
7|Aug 26 2016|13:15:45|713906|||||Group = x.x.x.x(fritz), IP = x.x.x.x(fritz), Generating keys for Responder...
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), Connection landed on tunnel_group x.x.x.x(fritz)
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), computing NAT Discovery hash
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing NAT-Discovery payload
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), computing NAT Discovery hash
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing NAT-Discovery payload
7|Aug 26 2016|13:15:45|715048|||||IP = x.x.x.x(fritz), Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing VID payload
7|Aug 26 2016|13:15:45|715038|||||IP = x.x.x.x(fritz), Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Aug 26 2016|13:15:45|715048|||||IP = x.x.x.x(fritz), Send IOS VID
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing xauth V6 VID payload
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing Cisco Unity VID payload
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing nonce payload
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing ke payload
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), computing NAT Discovery hash
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing NAT-Discovery payload
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), computing NAT Discovery hash
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing NAT-Discovery payload
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing nonce payload
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing ISA_KE payload
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing ke payload
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 292
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing Fragmentation VID + extended capabilities payload
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing NAT-Traversal VID ver RFC payload
7|Aug 26 2016|13:15:45|715046|||||IP = x.x.x.x(fritz), constructing ISAKMP SA payload
7|Aug 26 2016|13:15:45|715028|||||IP = x.x.x.x(fritz), IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 1
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing IKE SA payload
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715049|||||IP = x.x.x.x(fritz), Received NAT-Traversal ver 02 VID
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715049|||||IP = x.x.x.x(fritz), Received NAT-Traversal ver 03 VID
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715049|||||IP = x.x.x.x(fritz), Received NAT-Traversal RFC VID
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715049|||||IP = x.x.x.x(fritz), Received DPD VID
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715049|||||IP = x.x.x.x(fritz), Received xauth V6 VID
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715049|||||IP = x.x.x.x(fritz), Received Cisco Unity client VID
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing VID payload
7|Aug 26 2016|13:15:45|713906|||||IP = x.x.x.x(fritz), Oakley proposal is acceptable
7|Aug 26 2016|13:15:45|715047|||||IP = x.x.x.x(fritz), processing SA payload
7|Aug 26 2016|13:15:45|713236|||||IP = x.x.x.x(fritz), IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
6|Aug 26 2016|13:15:45|302015|x.x.x.x(fritz)|500|x.x.x.x(asa)|500|Built inbound UDP connection 388809 for outside:x.x.x.x(fritz)/500 (x.x.x.x(fritz)/500) to identity:x.x.x.x(asa)/500 (x.x.x.x(asa)/500)
7|Aug 26 2016|13:15:45|609001|x.x.x.x(fritz)||||Built local-host outside:x.x.x.x(fritz)

-----------------------

Vielen Dank

und ein schönes Wochenende.

Gruß Bernd
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 9 years ago in reply to bpman

"All IPSec SA proposals found unacceptable."

MfG - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
bpman over 9 years ago in reply to BAlfson

Guten Morgen? Bob,

auf welcher Seite soll ich denn die SA Einstellungen anpassen?

UTM oder ASA?

Oder besser gefragt, wie bekomme ich sie passend?

Gruß Bernd
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 9 years ago in reply to bpman

Auf beiden Seiten - kannst uns bilder von beiden Policies zeigen?

MfG - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel