Thread: Renewing the Intranator certificate / problem with SmallCA

  1. #1
    ChristianSchlettig (Registered User)
    Registered since
    May 2006
    Posts
    8

    Renewing the Intranator certificate / problem with SmallCA

    Hello,
    I have the following problem with an Intranator VPN:
    The Intranator's certificate has expired. When I generate a new one with the same DN, CASign.bat reports:

    Code:
    ERROR:There is already a certificate for /C=DE...
    The matching entry has the following details
    Type      :Valid
    Expires on    :080604124127Z
    Serial Number :10
    File name     :unknown
    Subject Name  :/C=DE/O=...
    I have already tried to remove the old certificate with -gencrl or -revokecert. Unfortunately without success.

    I generated a new certificate with a different CN, but our VPN clients do not accept it.

    Am I doing something wrong, or what is the recommended procedure?

    Thanks and regards,
    Christian Schlettig
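
Added example, not part of the original post and not SmallCA's own code: the error text quoted above has the format printed by the duplicate-subject check in `openssl ca`, so the script below assumes CASign.bat wraps that tool and keeps an OpenSSL-style `index.txt`. It parses such an index and shows why an expired certificate that is still marked `V` blocks issuing a new one for the same DN. The DNs, the other index rows and the "now" timestamp are constructed; only the expiry `080604124127Z` and serial `10` come from the error output.

```python
"""Why an expired entry can still trigger "There is already a certificate for ...".
Added illustration; assumes an OpenSSL-style CA index (tab-separated index.txt)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class IndexEntry:
    status: str        # 'V' = valid, 'R' = revoked, 'E' = expired
    expires: datetime
    revoked: str       # revocation time, empty unless status is 'R'
    serial: str        # hexadecimal serial number
    filename: str      # usually the literal "unknown"
    subject: str       # subject DN in /C=.../O=.../CN=... form


def parse_asn1_time(value: str) -> datetime:
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp is not UTC: {value!r}")
    digits = value[:-1]
    if len(digits) == 12:                       # two-digit year, RFC 5280 pivot
        yy = int(digits[:2])
        year, rest = (2000 + yy if yy < 50 else 1900 + yy), digits[2:]
    elif len(digits) == 14:
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError(f"unexpected timestamp length: {value!r}")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt content: six tab-separated fields per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields")
        status, expires, revoked, serial, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        entries.append(IndexEntry(status, parse_asn1_time(expires),
                                  revoked, serial, filename, subject))
    return entries


def issuance_conflicts(entries: List[IndexEntry], subject: str, now: datetime,
                       unique_subject: bool = True) -> List[Tuple[IndexEntry, str]]:
    """Entries that make a unique_subject CA refuse to sign `subject`.

    Only rows with status 'V' count. The expiry date is NOT consulted, so an
    expired certificate blocks re-issuing until its row stops being 'V'.
    unique_subject = yes is the openssl ca default.
    """
    if not unique_subject:
        return []
    hits = []
    for e in entries:
        if e.status == "V" and e.subject == subject:
            reason = "expired but still marked V" if e.expires <= now else "still valid"
            hits.append((e, reason))
    return hits


def mark_expired(entries: List[IndexEntry], now: datetime) -> List[IndexEntry]:
    """Model of `openssl ca -updatedb`: 'V' rows past their expiry become 'E'."""
    return [replace(e, status="E") if e.status == "V" and e.expires <= now else e
            for e in entries]


# --- constructed sample data -------------------------------------------------
SUBJECT = "/C=DE/O=Example GmbH/CN=gateway.example"       # constructed DN
SAMPLE_INDEX = "\n".join("\t".join(row) for row in [
    ("V", "080604124127Z", "", "10", "unknown", SUBJECT),  # expiry/serial as in the error
    ("R", "070101000000Z", "060901120000Z", "0F", "unknown",
     "/C=DE/O=Example GmbH/CN=old-client"),
    ("V", "100101000000Z", "", "11", "unknown", "/C=DE/O=Example GmbH/CN=client1"),
])
NOW = datetime(2008, 6, 6, 17, 0, tzinfo=timezone.utc)     # constructed "today"

if __name__ == "__main__":
    index = parse_index(SAMPLE_INDEX)
    for entry, reason in issuance_conflicts(index, SUBJECT, NOW):
        print(f"blocked by serial {entry.serial}: {reason} "
              f"(expired {entry.expires:%Y-%m-%d %H:%M:%S}Z)")
    cleaned = mark_expired(index, NOW)
    print("conflicts after marking expired rows:",
          len(issuance_conflicts(cleaned, SUBJECT, NOW)))
```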

  2. #2
    Thomas Jarosch (Administrator)
    Registered since
    Dec 2001
    Location
    Tübingen
    Posts
    1,916
    Hello Mr. Schlettig,

    Quote from ChristianSchlettig:
    I generated a new certificate with a different CN, but our VPN clients do not accept it.

    Am I doing something wrong, or what is the recommended procedure?
    The usual approach is a new certificate with a different CN. The interesting question, however, is why your client refuses to accept the new certificate with the different CN. What error message do you get?

    Kind regards,
    Thomas Jarosch

  3. #3
    ChristianSchlettig (Registered User)
    Registered since
    May 2006
    Posts
    8

    Log file 1

    We use Tauvpn as the client.

    Code:
    6-06: 16:57:09:890:4ac isadb_schedule_kill_oldPolicy_sas: 6d9b43ca-f033-47a4-9bb5a7fef3af91b3 4
     6-06: 16:57:09:890:4ac isadb_schedule_kill_oldPolicy_sas: 5787505c-f2f5-4fbb-a869393ffaa7031f 4
     6-06: 16:57:09:890:4ac isadb_schedule_kill_oldPolicy_sas: 6ee378d4-5dcc-4d94-bc0a94ab7542c1ba 1
     6-06: 16:57:09:906:67c entered kill_old_policy_sas 4
     6-06: 16:57:09:906:67c entered kill_old_policy_sas 4
     6-06: 16:57:09:906:67c entered kill_old_policy_sas 1
     6-06: 16:57:09:906:4ac isadb_schedule_kill_oldPolicy_sas: 5787505c-f2f5-4fbb-a869393ffaa7031f 4
     6-06: 16:57:09:906:4ac isadb_schedule_kill_oldPolicy_sas: 4b1ff197-f033-466c-9f1ddd828f886eca 2
     6-06: 16:57:09:921:67c entered kill_old_policy_sas 4
     6-06: 16:57:09:921:67c entered kill_old_policy_sas 2
     6-06: 16:57:10:156:4ac isadb_schedule_kill_oldPolicy_sas: 6d9b43ca-f033-47a4-9bb5a7fef3af91b3 4
     6-06: 16:57:10:156:4ac isadb_schedule_kill_oldPolicy_sas: 73b832a4-3195-457d-8c208e59746aa57e 4
     6-06: 16:57:10:156:4ac isadb_schedule_kill_oldPolicy_sas: 9127ab8b-b6b1-44b1-a7ae60bddc8c7902 1
     6-06: 16:57:10:156:4ac isadb_schedule_kill_oldPolicy_sas: 6d9b43ca-f033-47a4-9bb5a7fef3af91b3 4
     6-06: 16:57:10:156:4ac isadb_schedule_kill_oldPolicy_sas: f5bb6954-1914-425f-adb9df2d86a48cf3 2
     6-06: 16:57:10:171:67c entered kill_old_policy_sas 4
     6-06: 16:57:10:171:67c entered kill_old_policy_sas 4
     6-06: 16:57:10:171:67c entered kill_old_policy_sas 1
     6-06: 16:57:10:171:67c entered kill_old_policy_sas 4
     6-06: 16:57:10:171:67c entered kill_old_policy_sas 2
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: 1d2dbec7-b916-4af8-9a26dc60c8637f7d 4
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: 73b832a4-3195-457d-8c208e59746aa57e 4
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: e6fb1d59-a2e6-4bbd-85468ca0b3754ef2 3
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: 525e529a-4a03-4b84-ab640f0544a81ef6 3
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: 86dfe777-b910-421e-8db833e4f2e644b7 1
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: a0192515-232f-40c1-9dbe1cba4d7823bf 2
     6-06: 16:57:10:328:4ac isadb_schedule_kill_oldPolicy_sas: 9f9061a5-3b47-400a-8f4e8df4cc94205a 2
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 4
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 4
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 3
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 3
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 1
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 2
     6-06: 16:57:10:343:67c entered kill_old_policy_sas 2
     6-06: 16:57:10:531:640 Acquire from driver: op=00000006 src=192.168.1.xx.0 dst=192.168.115.254.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=217.82.x.y Inbound TunnelEndpt=192.168.1.xx
     6-06: 16:57:10:531:67c Filter to match: Src 217.82.x.y Dst 192.168.1.xx
     6-06: 16:57:10:546:67c MM PolicyName: 4
     6-06: 16:57:10:546:67c MMPolicy dwFlags 2 SoftSAExpireTime 3500
     6-06: 16:57:10:546:67c MMOffer[0] LifetimeSec 3500 QMLimit 1 DHGroup 2
     6-06: 16:57:10:562:67c MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
     6-06: 16:57:10:562:67c MMOffer[1] LifetimeSec 3500 QMLimit 1 DHGroup 2
     6-06: 16:57:10:562:67c MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
     6-06: 16:57:10:562:67c MMOffer[2] LifetimeSec 3500 QMLimit 1 DHGroup 1
     6-06: 16:57:10:562:67c MMOffer[2] Encrypt: DES CBC Hash: SHA
     6-06: 16:57:10:562:67c MMOffer[3] LifetimeSec 3500 QMLimit 1 DHGroup 1
     6-06: 16:57:10:562:67c MMOffer[3] Encrypt: DES CBC Hash: MD5
     6-06: 16:57:10:593:67c Auth[0]:RSA Sig C=DE, L=Ort, O=Kunden GmbH, OU=EDV, CN=Kunden  CA AuthFlags 0
     6-06: 16:57:10:593:67c QM PolicyName: Host-KundenCSKunden-Kunden.dynaccess.de filter action dwFlags 1
     6-06: 16:57:10:593:67c QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3500
     6-06: 16:57:10:593:67c QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
     6-06: 16:57:10:593:67c  Algo[0] Operation: ESP Algo: Dreifach-DES CBC HMAC: MD5
     6-06: 16:57:10:593:67c Starting Negotiation: src = 192.168.1.xx.0500, dst = 217.82.x.y.0500, proto = 00, context = 00000006, ProxySrc = 192.168.1.xx.0000, ProxyDst = 192.168.115.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
     6-06: 16:57:10:593:67c constructing ISAKMP Header
     6-06: 16:57:10:593:67c constructing SA (ISAKMP)
     6-06: 16:57:10:593:67c Constructing Vendor MS NT5 ISAKMPOAKLEY
     6-06: 16:57:10:593:67c Constructing Vendor FRAGMENTATION
     6-06: 16:57:10:593:67c Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
     6-06: 16:57:10:593:67c Constructing Vendor Vid-Initial-Contact
     6-06: 16:57:10:593:67c 
     6-06: 16:57:10:593:67c Sending: SA = 0x00100738 to 217.82.x.y:Type 2.500
     6-06: 16:57:10:593:67c ISAKMP Header: (V1.0), len = 276
     6-06: 16:57:10:593:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:10:593:67c   R-COOKIE 0000000000000000
     6-06: 16:57:10:593:67c   exchange: Oakley Main Mode
     6-06: 16:57:10:593:67c   flags: 0
     6-06: 16:57:10:593:67c   next payload: SA
     6-06: 16:57:10:593:67c   message ID: 00000000
     6-06: 16:57:10:593:67c Ports S:f401 D:f401
     6-06: 16:57:10:796:67c 
     6-06: 16:57:10:796:67c Receive: (get) SA = 0x00100738 from 217.82.x.y.500
     6-06: 16:57:10:796:67c ISAKMP Header: (V1.0), len = 84
     6-06: 16:57:10:796:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:10:796:67c   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:10:796:67c   exchange: Oakley Main Mode
     6-06: 16:57:10:796:67c   flags: 0
     6-06: 16:57:10:796:67c   next payload: SA
     6-06: 16:57:10:796:67c   message ID: 00000000
     6-06: 16:57:10:796:67c processing payload SA
     6-06: 16:57:10:796:67c Received Phase 1 Transform 1
     6-06: 16:57:10:796:67c      Encryption Alg Dreifach-DES CBC(5)
     6-06: 16:57:10:796:67c      Hash Alg SHA(2)
     6-06: 16:57:10:796:67c      Oakley Group 2
     6-06: 16:57:10:796:67c      Auth Method RSA-Signatur mit Zertifikaten(3)
     6-06: 16:57:10:796:67c      Life type in Seconds
     6-06: 16:57:10:796:67c      Life duration of 3500
     6-06: 16:57:10:796:67c Phase 1 SA accepted: transform=1
     6-06: 16:57:10:796:67c SA - Oakley proposal accepted
     6-06: 16:57:10:796:67c ClearFragList
     6-06: 16:57:10:796:67c constructing ISAKMP Header
     6-06: 16:57:10:859:67c constructing KE
     6-06: 16:57:10:859:67c constructing NONCE (ISAKMP)
     6-06: 16:57:10:859:67c 
     6-06: 16:57:10:859:67c Sending: SA = 0x00100738 to 217.82.x.y:Type 2.500
     6-06: 16:57:10:859:67c ISAKMP Header: (V1.0), len = 184
     6-06: 16:57:10:859:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:10:859:67c   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:10:859:67c   exchange: Oakley Main Mode
     6-06: 16:57:10:859:67c   flags: 0
     6-06: 16:57:10:859:67c   next payload: KE
     6-06: 16:57:10:859:67c   message ID: 00000000
     6-06: 16:57:10:859:67c Ports S:f401 D:f401
     6-06: 16:57:10:984:67c 
     6-06: 16:57:10:984:67c Receive: (get) SA = 0x00100738 from 217.82.x.y.500

  4. #4
    ChristianSchlettig (Registered User)
    Registered since
    May 2006
    Posts
    8

    log2

    -------8<---------
    Code:
     6-06: 16:57:10:984:67c ISAKMP Header: (V1.0), len = 276
     6-06: 16:57:10:984:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:10:984:67c   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:10:984:67c   exchange: Oakley Main Mode
     6-06: 16:57:10:984:67c   flags: 0
     6-06: 16:57:10:984:67c   next payload: KE
     6-06: 16:57:10:984:67c   message ID: 00000000
     6-06: 16:57:10:984:67c processing payload KE
     6-06: 16:57:11:15:67c processing payload NONCE
     6-06: 16:57:11:15:67c processing payload CRP
     6-06: 16:57:11:15:67c C=DE, L=Ort, O=Kunden GmbH, OU=EDV, CN=Kunden  CA
     6-06: 16:57:11:15:67c ClearFragList
     6-06: 16:57:11:15:67c constructing ISAKMP Header
     6-06: 16:57:11:15:67c constructing ID
     6-06: 16:57:11:15:67c Looking for IPSec only cert
     6-06: 16:57:11:109:67c Trust failed.  1 100
     6-06: 16:57:11:109:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:11:109:67c c396d0f2
     6-06: 16:57:11:109:67c Looking for IPSec only cert
     6-06: 16:57:11:109:67c failed to get chain 80092004
     6-06: 16:57:11:109:67c Looking for any cert
     6-06: 16:57:11:109:67c Trust failed.  1 100
     6-06: 16:57:11:109:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:11:109:67c c396d0f2
     6-06: 16:57:11:109:67c Looking for any cert
     6-06: 16:57:11:109:67c failed to get chain 80092004
     6-06: 16:57:11:109:67c Received no valid CRPs.  Using all configured
     6-06: 16:57:11:109:67c Looking for IPSec only cert
     6-06: 16:57:11:109:67c Trust failed.  1 100
     6-06: 16:57:11:109:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:11:109:67c c396d0f2
     6-06: 16:57:11:109:67c Looking for IPSec only cert
     6-06: 16:57:11:109:67c failed to get chain 80092004
     6-06: 16:57:11:109:67c Looking for any cert
     6-06: 16:57:11:109:67c Trust failed.  1 100
     6-06: 16:57:11:109:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:11:109:67c c396d0f2
     6-06: 16:57:11:109:67c Looking for any cert
     6-06: 16:57:11:109:67c failed to get chain 80092004
     6-06: 16:57:11:109:67c ProcessFailure: sa:00100738 centry:00000000 status:35ee
     6-06: 16:57:11:109:67c isadb_set_status sa:00100738 centry:00000000 status 35ee
     6-06: 16:57:11:125:67c Schlüsselaustauschmodus (Hauptmodus)
     6-06: 16:57:11:125:67c Quell-IP-Adresse 192.168.1.xx  Quell-IP-Adressmaske 255.255.255.255  Ziel-IP-Adresse 217.82.x.y  Ziel-IP-Adressmaske 255.255.255.255  Protokoll 0  Quellport 0  Zielport 0  Lokale IKE-Adresse 192.168.1.xx  Peer-IKE-Adresse 217.82.x.y
     6-06: 16:57:11:140:67c Zertifikatsbasierte Identität.   Peerantragsteller   Peer-SHA-Fingerabdruck 0000000000000000000000000000000000000000  Peer, der die Zertifizierungsstelle ausstellt:   Stammzertifizierungsstelle   Eigener Antragsteller C=DE, O=Kunden, CN=cs, E=schlettig@evaco.de  Eigener SHA-Fingerabdruck 31758b1ed2a2dfca7c06c8a2c9bb5dffc396d0f2  Peer-IP-Adresse: 217.82.x.y
     6-06: 16:57:11:140:67c Benutzer
     6-06: 16:57:11:140:67c IKE konnte kein gültiges Computerzertifikat finden.
     6-06: 16:57:11:140:67c 0x80092004 0x100
     6-06: 16:57:11:140:67c ProcessFailure: sa:00100738 centry:00000000 status:35ee
     6-06: 16:57:11:140:67c constructing ISAKMP Header
     6-06: 16:57:11:140:67c constructing HASH (null)
     6-06: 16:57:11:140:67c constructing NOTIFY 28
     6-06: 16:57:11:140:67c constructing HASH (Notify/Delete)
     6-06: 16:57:11:140:67c 
     6-06: 16:57:11:140:67c Sending: SA = 0x00100738 to 217.82.x.y:Type 1.500
     6-06: 16:57:11:140:67c ISAKMP Header: (V1.0), len = 84
     6-06: 16:57:11:140:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:11:140:67c   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:11:140:67c   exchange: ISAKMP Informational Exchange
     6-06: 16:57:11:140:67c   flags: 1 ( encrypted )
     6-06: 16:57:11:140:67c   next payload: HASH
     6-06: 16:57:11:140:67c   message ID: 9e35b3b2
     6-06: 16:57:11:140:67c Ports S:f401 D:f401
     6-06: 16:57:15:703:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:16:875:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:18:46:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:19:234:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:20:421:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:21:203:67c 
     6-06: 16:57:21:203:67c Receive: (get) SA = 0x00100738 from 217.82.x.y.500
     6-06: 16:57:21:203:67c ISAKMP Header: (V1.0), len = 276
     6-06: 16:57:21:203:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:21:203:67c   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:21:203:67c   exchange: Oakley Main Mode
     6-06: 16:57:21:203:67c   flags: 0
     6-06: 16:57:21:203:67c   next payload: KE
     6-06: 16:57:21:203:67c   message ID: 00000000
     6-06: 16:57:21:203:67c received an unencrypted packet when crypto active
     6-06: 16:57:21:203:67c GetPacket failed 35ec
     6-06: 16:57:21:609:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:22:828:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:24:0:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:25:187:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:26:390:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:27:562:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:28:734:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:29:906:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:31:93:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:32:281:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:33:453:6ac fill_isakmp: SA 00100738 not finished
     6-06: 16:57:41:203:67c 
     6-06: 16:57:41:203:67c Receive: (get) SA = 0x00100738 from 217.82.x.y.500
     6-06: 16:57:41:203:67c ISAKMP Header: (V1.0), len = 276
     6-06: 16:57:41:203:67c   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:41:203:67c   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:41:203:67c   exchange: Oakley Main Mode
     6-06: 16:57:41:203:67c   flags: 0
     6-06: 16:57:41:203:67c   next payload: KE
     6-06: 16:57:41:203:67c   message ID: 00000000
     6-06: 16:57:41:203:67c received an unencrypted packet when crypto active
     6-06: 16:57:41:203:67c GetPacket failed 35ec
     6-06: 16:57:42:984:4ac isadb_schedule_kill_oldPolicy_sas: 1d2dbec7-b916-4af8-9a26dc60c8637f7d 4
     6-06: 16:57:42:984:4ac isadb_schedule_kill_oldPolicy_sas: 73b832a4-3195-457d-8c208e59746aa57e 4
     6-06: 16:57:42:984:4ac isadb_schedule_kill_oldPolicy_sas: 86dfe777-b910-421e-8db833e4f2e644b7 1
     6-06: 16:57:42:984:4ac isadb_schedule_kill_oldPolicy_sas: 73b832a4-3195-457d-8c208e59746aa57e 4
     6-06: 16:57:42:984:4ac isadb_schedule_kill_oldPolicy_sas: 9f9061a5-3b47-400a-8f4e8df4cc94205a 2
     6-06: 16:57:43:0:67c entered kill_old_policy_sas 4
     6-06: 16:57:43:0:10d4 entered kill_old_policy_sas 4
     6-06: 16:57:43:0:10d4 SA Dead. sa:00100738 status:3619
     6-06: 16:57:43:0:10d4 constructing ISAKMP Header
     6-06: 16:57:43:0:10d4 constructing HASH (null)
     6-06: 16:57:43:0:10d4 constructing DELETE. MM 00100738
     6-06: 16:57:43:0:10d4 constructing HASH (Notify/Delete)
     6-06: 16:57:43:0:10d4 
     6-06: 16:57:43:0:10d4 Sending: SA = 0x00100738 to 217.82.x.y:Type 1.500
     6-06: 16:57:43:0:10d4 ISAKMP Header: (V1.0), len = 84
     6-06: 16:57:43:0:10d4   I-COOKIE ec82d71af860c1d1
     6-06: 16:57:43:0:10d4   R-COOKIE 1f02e564eeb5a8ad
     6-06: 16:57:43:0:10d4   exchange: ISAKMP Informational Exchange
     6-06: 16:57:43:0:10d4   flags: 1 ( encrypted )
     6-06: 16:57:43:0:10d4   next payload: HASH
     6-06: 16:57:43:0:10d4   message ID: d5a26c58
     6-06: 16:57:43:0:10d4 Ports S:f401 D:f401
     6-06: 16:57:43:0:10d4 entered kill_old_policy_sas 1
     6-06: 16:57:43:0:10d4 entered kill_old_policy_sas 4
     6-06: 16:57:43:0:10d4 entered kill_old_policy_sas 2
     6-06: 16:57:43:265:4ac isadb_schedule_kill_oldPolicy_sas: 1d2dbec7-b916-4af8-9a26dc60c8637f7d 4
     6-06: 16:57:43:265:4ac isadb_schedule_kill_oldPolicy_sas: 5011f218-2d67-4893-b5fb2bd15bf25155 4
     6-06: 16:57:43:265:4ac isadb_schedule_kill_oldPolicy_sas: 7c8f5cd5-91e2-4544-98ec7cf7b0719186 1
     6-06: 16:57:43:265:4ac isadb_schedule_kill_oldPolicy_sas: 1d2dbec7-b916-4af8-9a26dc60c8637f7d 4
     6-06: 16:57:43:265:4ac isadb_schedule_kill_oldPolicy_sas: a0192515-232f-40c1-9dbe1cba4d7823bf 2
     6-06: 16:57:43:328:67c entered kill_old_policy_sas 4
     6-06: 16:57:43:328:67c entered kill_old_policy_sas 4
     6-06: 16:57:43:328:67c entered kill_old_policy_sas 1
     6-06: 16:57:43:328:67c entered kill_old_policy_sas 4
     6-06: 16:57:43:328:67c entered kill_old_policy_sas 2
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas: b284edac-1ad8-43bf-b6f04d081953b1dd 4
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas: 5011f218-2d67-4893-b5fb2bd15bf25155 4
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas: e6fb1d59-a2e6-4bbd-85468ca0b3754ef2 3
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas: 525e529a-4a03-4b84-ab640f0544a81ef6 3
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas:

  5. #5
    ChristianSchlettig (Registered User)
    Registered since
    May 2006
    Posts
    8

    log3

    Code:
     866c844a-bd5a-40a0-8b5d3b133eba7fa3 1
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas: 10c7f5b2-f809-4e72-8a05182a3b83fbea 2
     6-06: 16:57:43:562:4ac isadb_schedule_kill_oldPolicy_sas: 0c66159b-06a3-4f66-ab24c09cce2c19d5 2
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 4
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 4
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 3
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 3
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 1
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 2
     6-06: 16:57:43:578:67c entered kill_old_policy_sas 2
     6-06: 16:57:43:718:640 Acquire from driver: op=00000007 src=192.168.1.xx.0 dst=192.168.115.254.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=217.82.x.y Inbound TunnelEndpt=192.168.1.xx
     6-06: 16:57:43:718:67c Filter to match: Src 217.82.x.y Dst 192.168.1.xx
     6-06: 16:57:43:734:67c MM PolicyName: 7
     6-06: 16:57:43:734:67c MMPolicy dwFlags 2 SoftSAExpireTime 3500
     6-06: 16:57:43:734:67c MMOffer[0] LifetimeSec 3500 QMLimit 1 DHGroup 2
     6-06: 16:57:43:734:67c MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
     6-06: 16:57:43:734:67c MMOffer[1] LifetimeSec 3500 QMLimit 1 DHGroup 2
     6-06: 16:57:43:734:67c MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
     6-06: 16:57:43:734:67c MMOffer[2] LifetimeSec 3500 QMLimit 1 DHGroup 1
     6-06: 16:57:43:734:67c MMOffer[2] Encrypt: DES CBC Hash: SHA
     6-06: 16:57:43:734:67c MMOffer[3] LifetimeSec 3500 QMLimit 1 DHGroup 1
     6-06: 16:57:43:734:67c MMOffer[3] Encrypt: DES CBC Hash: MD5
     6-06: 16:57:43:734:67c Auth[0]:RSA Sig C=DE, L=Ort, O=Kunden GmbH, OU=EDV, CN=Kunden  CA AuthFlags 0
     6-06: 16:57:43:734:67c QM PolicyName: Host-KundenCSKunden-Kunden.dynaccess.de filter action dwFlags 1
     6-06: 16:57:43:734:67c QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3500
     6-06: 16:57:43:734:67c QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
     6-06: 16:57:43:734:67c  Algo[0] Operation: ESP Algo: Dreifach-DES CBC HMAC: MD5
     6-06: 16:57:43:734:67c Starting Negotiation: src = 192.168.1.xx.0500, dst = 217.82.x.y.0500, proto = 00, context = 00000007, ProxySrc = 192.168.1.xx.0000, ProxyDst = 192.168.115.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
     6-06: 16:57:43:734:67c constructing ISAKMP Header
     6-06: 16:57:43:734:67c constructing SA (ISAKMP)
     6-06: 16:57:43:734:67c Constructing Vendor MS NT5 ISAKMPOAKLEY
     6-06: 16:57:43:734:67c Constructing Vendor FRAGMENTATION
     6-06: 16:57:43:734:67c Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
     6-06: 16:57:43:734:67c 
     6-06: 16:57:43:734:67c Sending: SA = 0x0018C888 to 217.82.x.y:Type 2.500
     6-06: 16:57:43:734:67c ISAKMP Header: (V1.0), len = 256
     6-06: 16:57:43:734:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:57:43:734:67c   R-COOKIE 0000000000000000
     6-06: 16:57:43:734:67c   exchange: Oakley Main Mode
     6-06: 16:57:43:734:67c   flags: 0
     6-06: 16:57:43:734:67c   next payload: SA
     6-06: 16:57:43:734:67c   message ID: 00000000
     6-06: 16:57:43:734:67c Ports S:f401 D:f401
     6-06: 16:57:43:796:67c 
     6-06: 16:57:43:796:67c Receive: (get) SA = 0x0018c888 from 217.82.x.y.500
     6-06: 16:57:43:796:67c ISAKMP Header: (V1.0), len = 84
     6-06: 16:57:43:796:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:57:43:796:67c   R-COOKIE 3b599d952e77f0bc
     6-06: 16:57:43:796:67c   exchange: Oakley Main Mode
     6-06: 16:57:43:796:67c   flags: 0
     6-06: 16:57:43:796:67c   next payload: SA
     6-06: 16:57:43:796:67c   message ID: 00000000
     6-06: 16:57:43:796:67c processing payload SA
     6-06: 16:57:43:796:67c Received Phase 1 Transform 1
     6-06: 16:57:43:796:67c      Encryption Alg Dreifach-DES CBC(5)
     6-06: 16:57:43:796:67c      Hash Alg SHA(2)
     6-06: 16:57:43:796:67c      Oakley Group 2
     6-06: 16:57:43:796:67c      Auth Method RSA-Signatur mit Zertifikaten(3)
     6-06: 16:57:43:796:67c      Life type in Seconds
     6-06: 16:57:43:796:67c      Life duration of 3500
     6-06: 16:57:43:796:67c Phase 1 SA accepted: transform=1
     6-06: 16:57:43:796:67c SA - Oakley proposal accepted
     6-06: 16:57:43:796:67c ClearFragList
     6-06: 16:57:43:796:67c constructing ISAKMP Header
     6-06: 16:57:43:828:67c constructing KE
     6-06: 16:57:43:828:67c constructing NONCE (ISAKMP)
     6-06: 16:57:43:828:67c 
     6-06: 16:57:43:828:67c Sending: SA = 0x0018C888 to 217.82.x.y:Type 2.500
     6-06: 16:57:43:828:67c ISAKMP Header: (V1.0), len = 184
     6-06: 16:57:43:828:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:57:43:828:67c   R-COOKIE 3b599d952e77f0bc
     6-06: 16:57:43:828:67c   exchange: Oakley Main Mode
     6-06: 16:57:43:828:67c   flags: 0
     6-06: 16:57:43:828:67c   next payload: KE
     6-06: 16:57:43:828:67c   message ID: 00000000
     6-06: 16:57:43:828:67c Ports S:f401 D:f401
     6-06: 16:57:43:921:67c 
     6-06: 16:57:43:921:67c Receive: (get) SA = 0x0018c888 from 217.82.x.y.500
     6-06: 16:57:43:921:67c ISAKMP Header: (V1.0), len = 276
     6-06: 16:57:43:921:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:57:43:921:67c   R-COOKIE 3b599d952e77f0bc
     6-06: 16:57:43:921:67c   exchange: Oakley Main Mode
     6-06: 16:57:43:921:67c   flags: 0
     6-06: 16:57:43:921:67c   next payload: KE
     6-06: 16:57:43:921:67c   message ID: 00000000
     6-06: 16:57:43:921:67c processing payload KE
     6-06: 16:57:43:921:67c processing payload NONCE
     6-06: 16:57:43:921:67c processing payload CRP
     6-06: 16:57:43:921:67c C=DE, L=Ort, O=Kunden GmbH, OU=EDV, CN=Kunden  CA
     6-06: 16:57:43:921:67c ClearFragList
     6-06: 16:57:43:921:67c constructing ISAKMP Header
     6-06: 16:57:43:921:67c constructing ID
     6-06: 16:57:43:921:67c Looking for IPSec only cert
     6-06: 16:57:43:921:67c Trust failed.  1 100
     6-06: 16:57:43:921:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:43:921:67c c396d0f2
     6-06: 16:57:43:921:67c Looking for IPSec only cert
     6-06: 16:57:43:921:67c failed to get chain 80092004
     6-06: 16:57:43:921:67c Looking for any cert
     6-06: 16:57:43:937:67c Trust failed.  1 100
     6-06: 16:57:43:937:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:43:937:67c c396d0f2
     6-06: 16:57:43:937:67c Looking for any cert
     6-06: 16:57:43:937:67c failed to get chain 80092004
     6-06: 16:57:43:937:67c Received no valid CRPs.  Using all configured
     6-06: 16:57:43:937:67c Looking for IPSec only cert
     6-06: 16:57:43:937:67c Trust failed.  1 100
     6-06: 16:57:43:937:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:43:937:67c c396d0f2
     6-06: 16:57:43:937:67c Looking for IPSec only cert
     6-06: 16:57:43:937:67c failed to get chain 80092004
     6-06: 16:57:43:937:67c Looking for any cert
     6-06: 16:57:43:937:67c Trust failed.  1 100
     6-06: 16:57:43:937:67c Cert SHA Thumbprint 31758b1ed2a2dfca7c06c8a2c9bb5dff
     6-06: 16:57:43:937:67c c396d0f2
     6-06: 16:57:43:937:67c Looking for any cert
     6-06: 16:57:43:937:67c failed to get chain 80092004
     6-06: 16:57:43:937:67c ProcessFailure: sa:0018C888 centry:00000000 status:35ee
     6-06: 16:57:43:937:67c isadb_set_status sa:0018C888 centry:00000000 status 35ee
     6-06: 16:57:43:937:67c Schlüsselaustauschmodus (Hauptmodus)
     6-06: 16:57:43:937:67c Quell-IP-Adresse 192.168.1.xx  Quell-IP-Adressmaske 255.255.255.255  Ziel-IP-Adresse 217.82.x.y  Ziel-IP-Adressmaske 255.255.255.255  Protokoll 0  Quellport 0  Zielport 0  Lokale IKE-Adresse 192.168.1.xx  Peer-IKE-Adresse 217.82.x.y
     6-06: 16:57:43:937:67c Zertifikatsbasierte Identität.   Peerantragsteller   Peer-SHA-Fingerabdruck 0000000000000000000000000000000000000000  Peer, der die Zertifizierungsstelle ausstellt:   Stammzertifizierungsstelle   Eigener Antragsteller C=DE, O=Kunden, CN=cs, E=schlettig@evaco.de  Eigener SHA-Fingerabdruck 31758b1ed2a2dfca7c06c8a2c9bb5dffc396d0f2  Peer-IP-Adresse: 217.82.x.y
     6-06: 16:57:43:937:67c Benutzer
     6-06: 16:57:43:937:67c IKE konnte kein gültiges Computerzertifikat finden.
     6-06: 16:57:43:937:67c 0x80092004 0x100
     6-06: 16:57:43:937:67c ProcessFailure: sa:0018C888 centry:00000000 status:35ee
     6-06: 16:57:43:937:67c constructing ISAKMP Header
     6-06: 16:57:43:937:67c constructing HASH (null)
     6-06: 16:57:43:937:67c constructing NOTIFY 28
     6-06: 16:57:43:937:67c constructing HASH (Notify/Delete)
     6-06: 16:57:43:937:67c 
     6-06: 16:57:43:937:67c Sending: SA = 0x0018C888 to 217.82.x.y:Type 1.500
     6-06: 16:57:43:937:67c ISAKMP Header: (V1.0), len = 84
     6-06: 16:57:43:937:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:57:43:937:67c   R-COOKIE 3b599d952e77f0bc
     6-06: 16:57:43:937:67c   exchange: ISAKMP Informational Exchange
     6-06: 16:57:43:937:67c   flags: 1 ( encrypted )
     6-06: 16:57:43:937:67c   next payload: HASH

  6. #6
    ChristianSchlettig (Registered User)
    Registered since
    May 2006
    Posts
    8

    log4

    Code:
     
     6-06: 16:57:43:937:67c   message ID: 3624050f
     6-06: 16:57:43:937:67c Ports S:f401 D:f401
     6-06: 16:57:48:812:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:48:812:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:49:984:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:49:984:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:51:171:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:51:171:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:52:343:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:52:343:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:53:531:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:53:531:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:54:718:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:54:718:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:55:906:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:55:906:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:57:93:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:57:93:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:58:265:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:58:265:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:57:59:453:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:57:59:453:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:00:671:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:00:671:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:01:843:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:01:843:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:02:46:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:02:46:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:03:218:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:03:218:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:04:406:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:04:406:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:05:578:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:05:578:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:06:750:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:06:750:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:14:62:67c 
     6-06: 16:58:14:62:67c Receive: (get) SA = 0x0018c888 from 217.82.x.y.500
     6-06: 16:58:14:62:67c ISAKMP Header: (V1.0), len = 276
     6-06: 16:58:14:62:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:58:14:62:67c   R-COOKIE 3b599d952e77f0bc
     6-06: 16:58:14:62:67c   exchange: Oakley Main Mode
     6-06: 16:58:14:62:67c   flags: 0
     6-06: 16:58:14:62:67c   next payload: KE
     6-06: 16:58:14:62:67c   message ID: 00000000
     6-06: 16:58:14:62:67c received an unencrypted packet when crypto active
     6-06: 16:58:14:62:67c GetPacket failed 35ec
     6-06: 16:58:22:0:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:58:22:0:15dc fill_isakmp: SA 00100738 dead
     6-06: 16:58:26:968:67c ClearFragList
     6-06: 16:58:42:0:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:59:02:15:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:59:22:0:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:59:42:359:15dc fill_isakmp: SA 0018C888 not finished
     6-06: 16:59:56:968:67c SA Dead. sa:0018C888 status:35f0
     6-06: 16:59:56:968:67c constructing ISAKMP Header
     6-06: 16:59:56:968:67c constructing HASH (null)
     6-06: 16:59:56:968:67c constructing DELETE. MM 0018C888
     6-06: 16:59:56:968:67c constructing HASH (Notify/Delete)
     6-06: 16:59:56:968:67c 
     6-06: 16:59:56:968:67c Sending: SA = 0x0018C888 to 217.82.x.y:Type 1.500
     6-06: 16:59:56:968:67c ISAKMP Header: (V1.0), len = 84
     6-06: 16:59:56:968:67c   I-COOKIE aa04f7562bd1e2e2
     6-06: 16:59:56:968:67c   R-COOKIE 3b599d952e77f0bc
     6-06: 16:59:56:968:67c   exchange: ISAKMP Informational Exchange
     6-06: 16:59:56:968:67c   flags: 1 ( encrypted )
     6-06: 16:59:56:968:67c   next payload: HASH
     6-06: 16:59:56:968:67c   message ID: 0031a4bd
     6-06: 16:59:56:968:67c Ports S:f401 D:f401
     6-06: 16:59:56:968:67c ClearFragList
    intranator:

    Code:
    Jun  6 17:33:30 intranator pluto[9566]: packet from 87.139.yy.yy:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
    Jun  6 17:33:30 intranator pluto[9566]: packet from 87.139.yy.yy:500: ignoring Vendor ID payload [FRAGMENTATION]
    Jun  6 17:33:30 intranator pluto[9566]: packet from 87.139.yy.yy:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Jun  6 17:33:30 intranator pluto[9566]: packet from 87.139.yy.yy:500: ignoring Vendor ID payload [26244d38eddb61b3...]
    Jun  6 17:33:30 intranator pluto[9566]: "C3"[2] 87.139.yy.yy#3: responding to Main Mode from unknown peer 87.139.yy.yy
    Jun  6 17:33:30 intranator pluto[9566]: "C3"[2] 87.139.yy.yy #3: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
    [..]
    Jun  6 17:34:40 intranator pluto[9566]: "C3"[2] 87.139.yy.yy#3: max number of retransmissions (2) reached STATE_MAIN_R2
    Jun  6 17:34:40 intranator pluto[9566]: "C3"[2] 87.139.yy.yy: deleting connection "C3" instance with peer 87.139.yy.yy
    [..]
    Jun  6 17:35:17 intranator pluto[9566]: packet from 87.139.yy.yy:500: Informational Exchange is for an unknown (expired?) SA

  7. #7
    Thomas Jarosch (Administrator)
    Registered since
    Dec 2001
    Location
    Tübingen
    Posts
    1,916
    Hello Mr. Schlettig,

    Quote from ChristianSchlettig:
    6-06: 16:57:43:937:67c IKE konnte kein gültiges Computerzertifikat finden.
    It does look as though something is going wrong with the certificates. Unfortunately, the error message is not more specific. We recommend using the Netgear VPN client. It does not cost much and is worth twice its price in spared nerves and saved time.

    Kind regards,
    Thomas Jarosch

  8. #8
    ChristianSchlettig (Registered User)
    Registered since
    May 2006
    Posts
    8

    VPN Client

    Hello, we are now using the NetGear VPN client, which is considerably easier to configure!
    Kind regards,

    Christian Schlettig
