VPN mit Shrew Soft Client und Pre shared key (PSK)

[kerrbenok]

Hallo liebes Forum!

Seit einiger Zeit beiße ich mir die Zähne daran aus, den Shrew Soft VPN Client auf den Intranator zu verbinden.
Ich bin in diesem Fall aus verschiedenen Gründen auf Shrew Soft und PSK angewiesen.

Die Verbindung scheint ein Problem mit dem IPSec SA request wegen IP-Adressen zu haben. Möglich ist auch ein Problem mit der IPSec ID, aber ganz blicke ich nicht durch.

Nachfolgend poste ich das log, der Fehler hängt wohl in der Zeile "cannot respond to IPse c SA request......", aber das habe ich schon mehrfach geprüft. :-(

Weiß jemand Rat? Der Shrew Soft Client soll ja irgendwie mit dem Intranator gehen!

ov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: responding to Main Mode from unknown peer 213.39.163.105
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP3072] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP2048] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA, OAKLEY_GROUP_MODP3072] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA, OAKLEY_GROUP_MODP2048] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA, OAKLEY_GROUP_MODP1536] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP3072] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP2048] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_SHA, OAKLEY_GROUP_MODP3072] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_SHA, OAKLEY_GROUP_MODP2048] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_SHA, OAKLEY_GROUP_MODP1536] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (192), OAKLEY_SHA, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP3072] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP2048] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA, OAKLEY_GROUP_MODP3072] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA, OAKLEY_GROUP_MODP2048] refused due to strict flag
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: NAT-Traversal: Result using RFC 3947: peer is NATed
Nov 21 01:11:34 intranator pluto[2861]: "C2"[1] 213.39.163.105 #160: Peer ID is ID_IPV4_ADDR: '192.168.1.165'
Nov 21 01:11:34 intranator pluto[2861]: "C2"[2] 213.39.163.105 #160: deleting connection "C2" instance with peer 213.39.163.105 {isakmp=#0/ipsec=#0}
Nov 21 01:11:35 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: sent MR3, ISAKMP SA established
Nov 21 01:11:35 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 21 01:11:35 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: cannot respond to IPsec SA request because no connection is known for 192.168.5.0/24===84.142.11.117:4500[127.0.0.1]...213.39.163.105:53794[192.168.1.165]===192.168.1.165/32
Nov 21 01:11:35 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: sending encrypted notification INVALID_ID_INFORMATION to 213.39.163.105:53794
Nov 21 01:11:45 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd9b01198 (perhaps this is a duplicated packet)
Nov 21 01:11:45 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: sending encrypted notification INVALID_MESSAGE_ID to 213.39.163.105:53794
Nov 21 01:11:55 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd9b01198 (perhaps this is a duplicated packet)
Nov 21 01:11:55 intranator pluto[2861]: "C2"[2] 213.39.163.105:53794 #160: sending encrypted notification INVALID_MESSAGE_ID to 213.39.163.105:53794

[kerrbenok]

Aha,

da kann ich mir die Antwort gleich selbst geben!
Bei einer Vergleichsinstallation mit dem NCP Client und dem Durcharbeiten des Installationsleitfadens im Referenzhandbuch von Intra2Net fiel mir auf, dass auf dem Intranator die virtuelle VPN-Adapter-IP des Clients eingetragen werden muss.
Der virtuelle VPN-Adapter des Clients muss somit der Angabe "Netz auf Gegenseite" auf dem Intranator entsprechen.

Habe den Anlass genutzt um einen Leitfaden (Schritt für Schritt) für Intranator und Shrew-VPN Verbindungen aufzuschreiben.

Hoffentlich beißen sich dadurch andere Leute nicht so lange die Zähne aus wie ich...

Siehe Anhang!

+++Uuups: Es dürfen nur 100kb Anhang hochgeladen werden. Den Leitfaden mit Screenshots bekomme ich aber nicht unter 400kb gequetscht.
Hey Intranator - Team: Könnt Ihr den Leitfaden (PDF) zur allgemeinen Erleichterung ;-) nicht manuell hier anhängen wenn ich ihn Euch zumaile?+++