Hello everyone,
I need your help once again.
I want to bring any number of clients from different networks into a VPN using Windows built-in tools via a Debian server.
For that I'm currently working with OpenSwan;
a connection is established so far, but it doesn't really get any further. The Windows client reports error 809 no response ... no answer received.. firewall.
The server doesn't say much more either:
Code:
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 3 19:16:20 static pluto[8816]: packet from Öffentliche-Client-IP:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: responding to Main Mode from unknown peer Öffentliche-Client-IP
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: Main mode peer ID is ID_IPV4_ADDR: '192.168.178.23'
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] Öffentliche-Client-IP #9: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: deleting connection "L2TP-PSK-NAT" instance with peer Öffentliche-Client-IP {isakmp=#0/ipsec=#0}
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: the peer proposed: Server-IP/32:17/1701 -> 192.168.178.23/32:17/0
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: responding to Quick Mode proposal {msgid:01000000}
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: us: Server-IP<Server-IP>[+S=C]:17/1701
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: them: Öffentliche-Client-IP[192.168.178.23,+S=C]:17/1701===192.168.178.23/32
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x07fa0a68 <0x1c43da2f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 3 19:16:55 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: received Delete SA(0x07fa0a68) payload: deleting IPSEC State #10
Jul 3 19:16:55 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Jul 3 19:16:55 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: received and ignored informational message
Jul 3 19:16:55 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP #9: received Delete SA payload: deleting ISAKMP State #9
Jul 3 19:16:55 static pluto[8816]: "L2TP-PSK-NAT"[10] Öffentliche-Client-IP: deleting connection "L2TP-PSK-NAT" instance with peer Öffentliche-Client-IP {isakmp=#0/ipsec=#0}
Jul 3 19:16:55 static pluto[8816]: packet from Öffentliche-Client-IP:500: received and ignored informational message
Code:
root@static:~# nano /etc/ipsec.d/l2tp-psk.conf
GNU nano 2.2.4 Datei: /etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    #
    # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
    # YourIPAddress %any: "sharedsecret"
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    left=ServerIP
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port. If this does
    # not work, use 17/%any instead.
    rightprotoport=17/%any

# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
    type=passthrough
    left=ServerIP
    leftnexthop=Server-Gateway
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
Code:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    interfaces=%defaultroute

# Add connections here

# sample VPN connection
conn sample
    # Left security gateway, subnet behind it, nexthop toward right.
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    #leftcert=west-cert.pem
    # Right security gateway, subnet behind it, nexthop toward left.
    #right=east.dyndns.org
    #rightsubnet=192.168.2.0/24
    #rightcert=east-cert.pem
    # To authorize this connection, but not actually start it,
    # at startup, uncomment this.
    auto=start
    right=%any
    rightsubnet=vhost:%no,%priv

include /etc/ipsec.d/l2tp-psk.conf
When I set nat_traversal=yes in ipsec.conf I get the following error:
Code:
received Delete SA(0xfd5fa121) payload: deleting IPSEC State #2
Jul 3 19:25:47 static pluto[12550]: "L2TP-PSK-NAT"[2] 88.152.149.81 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Thanks!
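As an added diagnostic example (not part of the original post): a small Python script that scans pluto log lines like the ones quoted above and flags a peer whose IKE identity is an RFC 1918 address while its packets arrive from a public address (so a NAT sits in the path) at the same time as the responder refuses NAT-T ("port floating is off"). The sample log is constructed from the quoted lines; 203.0.113.45 is an assumed stand-in for the public client IP.

```python
import ipaddress
import re

# Constructed sample modelled on the pluto lines quoted in the post;
# 203.0.113.45 stands in for the poster's "Öffentliche-Client-IP" placeholder.
SAMPLE_LOG = """\
Jul 3 19:16:20 static pluto[8816]: packet from 203.0.113.45:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[9] 203.0.113.45 #9: Main mode peer ID is ID_IPV4_ADDR: '192.168.178.23'
Jul 3 19:16:20 static pluto[8816]: "L2TP-PSK-NAT"[10] 203.0.113.45 #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x07fa0a68 <0x1c43da2f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# Responder got a NAT-T vendor ID but has nat_traversal disabled ("port floating is off").
NATT_OFF_RE = re.compile(r"packet from (?P<src>[\d.]+):500: received Vendor ID payload "
                         r"\[(?P<vid>[^\]]+)\].*but port floating is off")
# IKE identity the peer sent in Main Mode: the address configured on its own interface.
PEER_ID_RE = re.compile(r"\[\d+\] (?P<src>[\d.]+) #\d+: Main mode peer ID is ID_IPV4_ADDR: '(?P<pid>[\d.]+)'")
# Phase 2 summary; NATD=none means no NAT detection payloads were exchanged.
SA_RE = re.compile(r"(?P<src>[\d.]+) #\d+: STATE_QUICK_R2: IPsec SA established .*NATD=(?P<natd>\w+)")

def analyse(log: str) -> dict:
    """Collect per-source-address evidence about NAT and NAT-T from pluto log lines."""
    findings: dict = {}
    for line in log.splitlines():
        if m := NATT_OFF_RE.search(line):
            f = findings.setdefault(m["src"], {})
            f.setdefault("natt_offered", []).append(m["vid"])
            f["natt_refused"] = True
        elif m := PEER_ID_RE.search(line):
            f = findings.setdefault(m["src"], {})
            f["peer_id"] = m["pid"]
            # A private IKE ID arriving from a public source address means a NAT in the path.
            f["behind_nat"] = m["pid"] != m["src"] and ipaddress.ip_address(m["pid"]).is_private
        elif m := SA_RE.search(line):
            findings.setdefault(m["src"], {})["natd"] = m["natd"]
    return findings

def diagnose(findings: dict) -> list[str]:
    """Report peers that sit behind NAT while the responder refused NAT traversal."""
    issues = []
    for src, f in findings.items():
        if f.get("behind_nat") and f.get("natt_refused"):
            issues.append(f"{src}: IKE ID {f['peer_id']} is private but NAT-T was refused "
                          f"(nat_traversal is off), so ESP goes out without UDP encapsulation")
    return issues

if __name__ == "__main__":
    for issue in diagnose(analyse(SAMPLE_LOG)):
        print(issue)
```

Run it against `/var/log/auth.log` (or wherever pluto logs on the box) by replacing `SAMPLE_LOG` with the file contents; a non-empty result for a client reporting error 809 points at the NAT-T setting rather than at the pre-shared key or the proposals.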