
Thread: VPN with SHREW VPN client and Win7, tunnel works, ping etc. does not

  1. #1
    ba0645 (Registered User)

    Hello,

    I set up the Shrew VPN client on Windows 7 as described in the guide. The tunnel is also established: I get the message "tunnel enabled".
    I can also see in the Intranator that the connection is established.
    However, I cannot access any device on the network via VPN.
    I also cannot reach the Intranator by ping through the tunnel.
    Does anyone have this client running with Windows 7 and can give me a tip as to what else the cause might be?

    Regards
    Markus

  2. #2
    Gerd von Egidy (Administrator)

    Hello,

    unfortunately the "tunnel enabled" message in Shrew does not really say much. Please create a log as described here:

    http://www.intra2net.com/de/support/...hrew-trace.php

    Post that log here in full, then I can probably tell you more.

    Kind regards,

    v. Egidy

  3. #3
    ba0645 (Registered User)

    11/02/07 20:57:14 <A : remote cert 'D:\Download\Intranator\makecert\intranator.phoenix.local_cert.pem' message
    11/02/07 20:57:14 <A : local cert 'D:\Download\Intranator\makecert\newcert.p12' message
    11/02/07 20:57:14 !! : 'D:\Download\Intranator\makecert\newcert.p12' load failed, requesting password
    11/02/07 20:57:19 <A : file password
    11/02/07 20:57:19 <A : local cert 'D:\Download\Intranator\makecert\newcert.p12' message
    11/02/07 20:57:19 <A : local key 'D:\Download\Intranator\makecert\newcert.p12' message
    11/02/07 20:57:19 <A : peer tunnel enable message
    11/02/07 20:57:19 ii : local supports nat-t ( draft v00 )
    11/02/07 20:57:19 ii : local supports nat-t ( draft v01 )
    11/02/07 20:57:19 ii : local supports nat-t ( draft v02 )
    11/02/07 20:57:19 ii : local supports nat-t ( draft v03 )
    11/02/07 20:57:19 ii : local supports nat-t ( rfc )
    11/02/07 20:57:19 ii : local supports FRAGMENTATION
    11/02/07 20:57:19 ii : local supports DPDv1
    11/02/07 20:57:19 ii : local is SHREW SOFT compatible
    11/02/07 20:57:19 ii : local is NETSCREEN compatible
    11/02/07 20:57:19 ii : local is SIDEWINDER compatible
    11/02/07 20:57:19 ii : local is CISCO UNITY compatible
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:0000000000000000
    11/02/07 20:57:19 >= : message 00000000
    11/02/07 20:57:19 ii : processing phase1 packet ( 180 bytes )
    11/02/07 20:57:19 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 =< : message 00000000
    11/02/07 20:57:19 ii : matched isakmp proposal #1 transform #28
    11/02/07 20:57:19 ii : - transform = ike
    11/02/07 20:57:19 ii : - cipher type = aes
    11/02/07 20:57:19 ii : - key length = 128 bits
    11/02/07 20:57:19 ii : - hash type = sha1
    11/02/07 20:57:19 ii : - dh group = modp-1536
    11/02/07 20:57:19 ii : - auth type = sig-rsa
    11/02/07 20:57:19 ii : - life seconds = 86400
    11/02/07 20:57:19 ii : - life kbytes = 0
    11/02/07 20:57:19 ii : peer is CISCO UNITY compatible
    11/02/07 20:57:19 ii : peer supports XAUTH
    11/02/07 20:57:19 ii : peer supports DPDv1
    11/02/07 20:57:19 ii : peer supports nat-t ( rfc )
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 >= : message 00000000
    11/02/07 20:57:19 ii : processing phase1 packet ( 448 bytes )
    11/02/07 20:57:19 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 =< : message 00000000
    11/02/07 20:57:19 ii : nat discovery - local address is translated
    11/02/07 20:57:19 ii : switching to src nat-t udp port 4500
    11/02/07 20:57:19 ii : switching to dst nat-t udp port 4500
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 >= : message 00000000
    11/02/07 20:57:19 ii : processing phase1 packet ( 716 bytes )
    11/02/07 20:57:19 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 =< : message 00000000
    11/02/07 20:57:19 ii : phase1 id match ( cert check only )
    11/02/07 20:57:19 ii : received = asn1-dn CN=intranator.phoenix.local
    11/02/07 20:57:19 ii : unable to get certificate CRL(3) at depth:0
    11/02/07 20:57:19 ii : subject :/CN=intranator.phoenix.local
    11/02/07 20:57:19 ii : phase1 sa established
    11/02/07 20:57:19 ii : 79.209.162.182:4500 <-> 192.168.110.79:4500
    11/02/07 20:57:19 ii : faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 ii : sending peer INITIAL-CONTACT notification
    11/02/07 20:57:19 ii : - 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:19 ii : - isakmp spi = faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 ii : - data size 0
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 >= : message 2cc66541
    11/02/07 20:57:19 ii : processing config packet ( 156 bytes )
    11/02/07 20:57:19 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 =< : message 6172c463
    11/02/07 20:57:19 ii : received config push request
    11/02/07 20:57:19 ii : building config attribute list
    11/02/07 20:57:19 ii : sending config push acknowledge
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 >= : message 6172c463
    11/02/07 20:57:19 ii : creating NONE INBOUND policy ANY:79.209.162.182:* -> ANY:192.168.110.79:*
    11/02/07 20:57:19 ii : creating NONE OUTBOUND policy ANY:192.168.110.79:* -> ANY:79.209.162.182:*
    11/02/07 20:57:19 ii : created NONE policy route for 79.209.162.182/32
    11/02/07 20:57:19 !! : unable to locate inbound policy for init phase2
    11/02/07 20:57:19 ii : creating NONE INBOUND policy ANY:192.168.110.121:* -> ANY:192.168.77.1:*
    11/02/07 20:57:19 ii : creating NONE OUTBOUND policy ANY:192.168.77.1:* -> ANY:192.168.110.121:*
    11/02/07 20:57:19 ii : created NONE policy route for 192.168.110.121/32
    11/02/07 20:57:19 !! : unable to locate inbound policy for init phase2
    11/02/07 20:57:19 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:192.168.77.1:*
    11/02/07 20:57:19 ii : creating IPSEC OUTBOUND policy ANY:192.168.77.1:* -> ANY:0.0.0.0/0:*
    11/02/07 20:57:19 ii : created IPSEC policy route for 0.0.0.0
    11/02/07 20:57:19 ii : split DNS bypassed ( no split domains defined )
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 >= : message b0fe6c7a
    11/02/07 20:57:19 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 >= : message 46a3467c
    11/02/07 20:57:19 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:19 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 =< : message 604ae251
    11/02/07 20:57:19 ii : received peer INVALID-ID-INFORMATION notification
    11/02/07 20:57:19 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:19 ii : - isakmp spi = none
    11/02/07 20:57:19 ii : - data size 0
    11/02/07 20:57:19 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:19 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:19 =< : message d8f60148
    11/02/07 20:57:19 ii : received peer INVALID-ID-INFORMATION notification
    11/02/07 20:57:19 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:19 ii : - isakmp spi = none
    11/02/07 20:57:19 ii : - data size 0
    11/02/07 20:57:24 -> : resend 1 phase2 packet(s) 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:24 -> : resend 1 phase2 packet(s) 192.168.110.79:4500 -> 79.209.162.182:4500

  4. #4
    ba0645 (Registered User)

    and the rest:
    11/02/07 20:57:24 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:24 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:24 =< : message c68204ce
    11/02/07 20:57:24 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:24 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:24 ii : - isakmp spi = none
    11/02/07 20:57:24 ii : - data size 0
    11/02/07 20:57:24 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:24 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:24 =< : message 5c833648
    11/02/07 20:57:24 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:24 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:24 ii : - isakmp spi = none
    11/02/07 20:57:24 ii : - data size 0
    11/02/07 20:57:29 -> : resend 1 phase2 packet(s) 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:29 -> : resend 1 phase2 packet(s) 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:29 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:29 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:29 =< : message f33119da
    11/02/07 20:57:29 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:29 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:29 ii : - isakmp spi = none
    11/02/07 20:57:29 ii : - data size 0
    11/02/07 20:57:29 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:29 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:29 =< : message 6dab35d9
    11/02/07 20:57:29 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:29 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:29 ii : - isakmp spi = none
    11/02/07 20:57:29 ii : - data size 0
    11/02/07 20:57:34 ii : sending peer DPDV1-R-U-THERE notification
    11/02/07 20:57:34 ii : - 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:34 ii : - isakmp spi = faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:34 ii : - data size 4
    11/02/07 20:57:34 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:34 >= : message abdd3375
    11/02/07 20:57:34 ii : processing informational packet ( 92 bytes )
    11/02/07 20:57:34 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:34 =< : message de4081c1
    11/02/07 20:57:34 ii : received peer DPDV1-R-U-THERE-ACK notification
    11/02/07 20:57:34 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:34 ii : - isakmp spi = faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:34 ii : - data size 4
    11/02/07 20:57:34 -> : resend 1 phase2 packet(s) 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:34 -> : resend 1 phase2 packet(s) 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:34 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:34 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:34 =< : message b9ec02af
    11/02/07 20:57:34 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:34 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:34 ii : - isakmp spi = none
    11/02/07 20:57:34 ii : - data size 0
    11/02/07 20:57:34 ii : processing informational packet ( 76 bytes )
    11/02/07 20:57:34 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:34 =< : message 97c848ba
    11/02/07 20:57:34 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:34 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:34 ii : - isakmp spi = none
    11/02/07 20:57:34 ii : - data size 0
    11/02/07 20:57:39 ii : resend limit exceeded for phase2 exchange
    11/02/07 20:57:39 ii : phase2 removal before expire time
    11/02/07 20:57:39 ii : resend limit exceeded for phase2 exchange
    11/02/07 20:57:39 ii : phase2 removal before expire time
    11/02/07 20:57:49 ii : sending peer DPDV1-R-U-THERE notification
    11/02/07 20:57:49 ii : - 192.168.110.79:4500 -> 79.209.162.182:4500
    11/02/07 20:57:49 ii : - isakmp spi = faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:49 ii : - data size 4
    11/02/07 20:57:49 >= : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:49 >= : message ddcaf290
    11/02/07 20:57:49 ii : processing informational packet ( 92 bytes )
    11/02/07 20:57:49 =< : cookies faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:49 =< : message 8479c508
    11/02/07 20:57:49 ii : received peer DPDV1-R-U-THERE-ACK notification
    11/02/07 20:57:49 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500
    11/02/07 20:57:49 ii : - isakmp spi = faf114ca98510d5b:380b75c644033eed
    11/02/07 20:57:49 ii : - data size 4
    11/02/07 20:57:53 ii : halt signal received, shutting down

  5. #5
    Thomas Jarosch (Administrator)

    Hello,

    Quote from ba0645:
    and the rest:
    11/02/07 20:57:34 ii : received peer INVALID-MESSAGE-ID notification
    11/02/07 20:57:34 ii : - 79.209.162.182:4500 -> 192.168.110.79:4500

    The connection actually looks quite good except for this point: it is rejected by the Intranator side. Presumably something is wrong with the keys; an excerpt from the Intranator log would be interesting now.

    Kind regards,
    Thomas Jarosch

  6. #6
    ba0645 (Registered User)

    Attached is the Intranator log as well:

    Feb 9 23:17:02 intranator pluto[2810]: packet from 88.65.71.154:4500: recvfrom 88.65.71.154:4500 too small packet (0)
    Feb 9 23:17:15 intranator pluto[2810]: "C1"[1] 88.65.71.154:4500 #225: received Delete SA(0x54508731) payload: deleting IPSEC State #226
    Feb 9 23:17:15 intranator vpnupdown: disconnected C1 (name "Intranator-Messe" remote 192.168.167.0/24 peer 88.65.71.154 on ppp0 via 217.0.118.156)
    Feb 9 23:17:15 intranator pluto[2810]: "C1"[1] 88.65.71.154:4500 #226: down-client output:
    Feb 9 23:17:15 intranator pluto[2810]: "C1"[1] 88.65.71.154:4500 #226: down-client output: Done.
    Feb 9 23:17:15 intranator pluto[2810]: "C1"[1] 88.65.71.154:4500 #225: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc16cef1b) not found (maybe expired)
    Feb 9 23:17:15 intranator pluto[2810]: "C1"[1] 88.65.71.154:4500 #225: received Delete SA payload: deleting ISAKMP State #225
    Feb 9 23:17:15 intranator pluto[2810]: "C1"[1] 88.65.71.154:4500: deleting connection "C1" instance with peer 88.65.71.154 {isakmp=#0/ipsec=#0}
    Feb 9 23:17:17 intranator pluto[2810]: packet from 88.65.71.154:500: received Vendor ID payload [RFC 3947]
    Feb 9 23:17:17 intranator pluto[2810]: packet from 88.65.71.154:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Feb 9 23:17:17 intranator pluto[2810]: packet from 88.65.71.154:500: received Vendor ID payload [Dead Peer Detection]
    Feb 9 23:17:17 intranator pluto[2810]: packet from 88.65.71.154:500: ignoring Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
    Feb 9 23:17:17 intranator pluto[2810]: "C2"[2] 88.65.71.154 #227: responding to Main Mode from unknown peer 88.65.71.154
    Feb 9 23:17:17 intranator pluto[2810]: "C2"[2] 88.65.71.154 #227: NAT-Traversal: Result using RFC 3947: peer is NATed
    Feb 9 23:17:19 intranator pluto[2810]: "C2"[2] 88.65.71.154 #227: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    Feb 9 23:17:19 intranator pluto[2810]: "C2"[2] 88.65.71.154 #227: Peer ID is ID_USER_FQDN: 'zywall@phoenix-reisemobile.de'
    Feb 9 23:17:19 intranator pluto[2810]: "C2"[2] 88.65.71.154 #227: issuer cacert not found
    Feb 9 23:17:19 intranator pluto[2810]: "C2"[2] 88.65.71.154 #227: X.509 certificate rejected
    Feb 9 23:17:19 intranator pluto[2810]: "C1"[2] 88.65.71.154 #227: deleting connection "C2" instance with peer 88.65.71.154 {isakmp=#0/ipsec=#0}
    Feb 9 23:17:19 intranator pluto[2810]: "C1"[2] 88.65.71.154 #227: we have a cert but are not sending it without request
    Feb 9 23:17:19 intranator pluto[2810]: "C1"[2] 88.65.71.154:4500 #227: sent MR3, ISAKMP SA established
    Feb 9 23:17:19 intranator pluto[2810]: "C1"[2] 88.65.71.154:4500 #228: responding to Quick Mode
    Feb 9 23:17:19 intranator vpnupdown: connected C1 (name "Intranator-Messe" remote 192.168.167.0/24 peer 88.65.71.154 on ppp0 via 217.0.118.156)
    Feb 9 23:17:19 intranator pluto[2810]: "C1"[2] 88.65.71.154:4500 #228: up-client output:
    Feb 9 23:17:19 intranator pluto[2810]: "C1"[2] 88.65.71.154:4500 #228: up-client output: Done.
    Feb 9 23:17:20 intranator pluto[2810]: "C1"[2] 88.65.71.154:4500 #228: IPsec SA established {ESP=>0x9bae73aa <0xc975ad2b NATOA=0.0.0.0}
    Feb 9 23:17:22 intranator pluto[2810]: packet from 88.65.71.154:4500: recvfrom 88.65.71.154:4500 too small packet (0)
    Feb 9 23:17:42 intranator pluto[2810]: packet from 88.65.71.154:4500: recvfrom 88.65.71.154:4500 too small packet (0)
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: received Vendor ID payload [RFC 3947]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: received Vendor ID payload [Dead Peer Detection]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: ignoring Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: ignoring Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: ignoring Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
    Feb 9 23:17:51 intranator pluto[2810]: packet from 88.65.71.154:6: ignoring Vendor ID payload [Cisco-Unity]
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: responding to Main Mode from unknown peer 88.65.71.154:6
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP_3072] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP_2048] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP_1536] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP_1024] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: MODP_768 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_3072] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_1536] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_1024] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: MODP_768 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_MD5, MODP_3072] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_MD5, MODP_2048] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_MD5, MODP_1536] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_MD5, MODP_1024] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: MODP_768 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_SHA1, MODP_3072] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_SHA1, MODP_1536] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (192), HMAC_SHA1, MODP_1024] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: MODP_768 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP_3072] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP_2048] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP_1536] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP_1024] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: MODP_768 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP_3072] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP_2048] refused due to strict flag
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: NAT-Traversal: Result using RFC 3947: peer is NATed
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: Peer ID is ID_DER_ASN1_DN: 'CN=Notebook Markus'

  7. #7
    ba0645 (Registered User)

    And part 2:

    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: issuer cacert not found
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: X.509 certificate rejected
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:6 #229: we have a cert and are sending it upon request
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sent MR3, ISAKMP SA established
    Feb 9 23:17:51 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending ModeCfg set
    Feb 9 23:17:52 intranator pluto[2810]: acquired existing lease for address 192.168.77.1 in pool 'P192.168.77.1'
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: assigning virtual IP 192.168.77.1 to peer
    Feb 9 23:17:52 intranator pluto[2810]: packet from 88.65.71.154:1029: Informational Exchange is for an unknown (expired?) SA
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: parsing ModeCfg ack
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: received ModeCfg ack, established
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===79.209.157.81:4500[CN=intranator.phoenix.local]...88.65.71.154:1029[CN=Notebook Markus]===192.168.77.1/32
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_ID_INFORMATION to 88.65.71.154:1029
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===79.209.157.81:4500[CN=intranator.phoenix.local]...88.65.71.154:1029[CN=Notebook Markus]===192.168.77.1/32
    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_ID_INFORMATION to 88.65.71.154:1029
    Feb 9 23:17:57 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xce255892 (perhaps this is a duplicated packet)
    Feb 9 23:17:57 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_MESSAGE_ID to 88.65.71.154:1029
    Feb 9 23:17:57 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xea17160e (perhaps this is a duplicated packet)
    Feb 9 23:17:57 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_MESSAGE_ID to 88.65.71.154:1029
    Feb 9 23:18:02 intranator pluto[2810]: packet from 88.65.71.154:4500: recvfrom 88.65.71.154:4500 too small packet (0)
    Feb 9 23:18:02 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xea17160e (perhaps this is a duplicated packet)
    Feb 9 23:18:02 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_MESSAGE_ID to 88.65.71.154:1029
    Feb 9 23:18:02 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xce255892 (perhaps this is a duplicated packet)
    Feb 9 23:18:02 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_MESSAGE_ID to 88.65.71.154:1029
    Feb 9 23:18:07 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xce255892 (perhaps this is a duplicated packet)
    Feb 9 23:18:07 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_MESSAGE_ID to 88.65.71.154:1029
    Feb 9 23:18:07 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xea17160e (perhaps this is a duplicated packet)
    Feb 9 23:18:07 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_MESSAGE_ID to 88.65.71.154:1029
    Feb 9 23:18:21 intranator kernel: DENY IN=eth1 OUT= MACSRC=00:1a:4f:eb:68:e2 MACDST=01:00:5e:00:00:01 MACPROTO=0800 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x80 TTL=1 ID=2528 DF PROTO=2
    Feb 9 23:18:22 intranator pluto[2810]: packet from 88.65.71.154:4500: recvfrom 88.65.71.154:4500 too small packet (0)
    Feb 9 23:18:30 intranator kernel: REJECT local IN=eth2 OUT= MACSRC=00:80:77:38:d9:0e MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=10.100.1.244 DST=255.255.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=60 ID=35143 PROTO=UDP SPT=138 DPT=138 LEN=209
    Feb 9 23:18:41 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: received Delete SA payload: deleting ISAKMP State #229
    Feb 9 23:18:41 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029: deleting connection "C2" instance with peer 88.65.71.154 {isakmp=#0/ipsec=#0}
    Feb 9 23:18:42 intranator pluto[2810]: packet from 88.65.71.154:4500: recvfrom 88.65.71.154:4500 too small packet (0)

  8. #8
    bjoerns (Administrator)

    Hello,

    Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===79.209.157.81:4500[CN=intranator.phoenix.local]...88.65.71.154:1029[CN=Notebook Markus]===192.168.77.1/32
    the Intranator cannot map the requested network parameters to any connection known to it. The ShrewSoft client wants to connect to the following network on the Intranator:

    0.0.0.0/0 (network on the Intranator) === 79.209.157.81 (Intranator IP)

    So it sends a request for "ALL" networks behind the Intranator. In the Intranator, however, probably only the local network is configured.

    In the ShrewSoft client, on the "Policy" tab, set the "Policy generation level" to "require" and enter the network on the Intranator below.

    Addendum: After changing the configuration in the ShrewSoft client, please restart it. It sometimes has trouble applying the configuration.

    Regards, Björn
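
The selector mismatch explained in post #8, as an added example that is not part of the original thread or of Intra2net's or Shrew's own code: it parses the gateway's "no connection is known for" lines and compares the proposed networks with the tunnels configured on the gateway. The `CONFIGURED` table and its `192.168.1.0/24` network are placeholders (the thread never states the Intranator's LAN), and the example assumes the gateway only accepts a proposal whose networks equal a configured pair.

```python
import ipaddress
import re
from collections import Counter

# Sample input: gateway (pluto) lines as quoted in the thread.
SAMPLE_LOG = """\
Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: received ModeCfg ack, established
Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===79.209.157.81:4500[CN=intranator.phoenix.local]...88.65.71.154:1029[CN=Notebook Markus]===192.168.77.1/32
Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_ID_INFORMATION to 88.65.71.154:1029
Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===79.209.157.81:4500[CN=intranator.phoenix.local]...88.65.71.154:1029[CN=Notebook Markus]===192.168.77.1/32
Feb 9 23:17:52 intranator pluto[2810]: "C2"[3] 88.65.71.154:1029 #229: sending encrypted notification INVALID_ID_INFORMATION to 88.65.71.154:1029
"""

# ASSUMPTION: tunnels configured on the gateway, keyed by connection name, as
# (network behind the gateway, client network). 192.168.1.0/24 is a placeholder.
CONFIGURED = {"C2": [("192.168.1.0/24", "192.168.77.1/32")]}

# Layout: <gw net>===<gw ip>[:port][<gw id>]...<peer ip>[:port][<peer id>]===<peer net>
REJECT_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<gw_net>\S+?)===(?P<gw_ip>[\d.]+)(?::\d+)?\[(?P<gw_id>[^\]]*)\]\.\.\.'
    r'(?P<peer_ip>[\d.]+)(?::\d+)?\[(?P<peer_id>[^\]]*)\]===(?P<peer_net>\S+)'
)


def parse_rejections(log_text):
    """Return one record per distinct rejected phase 2 proposal, with a hit count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[(m["conn"], m["gw_net"], m["peer_net"], m["peer_id"])] += 1
    return [
        {
            "conn": conn,
            "gw_net": ipaddress.ip_network(gw_net),
            "peer_net": ipaddress.ip_network(peer_net),
            "peer_id": peer_id,
            "count": n,
        }
        for (conn, gw_net, peer_net, peer_id), n in counts.items()
    ]


def diagnose(rejection, configured):
    """Compare a rejected proposal with the configured tunnels of its connection.

    Returns (verdict, configured gateway-side network or None).
    """
    for gw_cidr, peer_cidr in configured.get(rejection["conn"], []):
        gw_net = ipaddress.ip_network(gw_cidr)
        if ipaddress.ip_network(peer_cidr) != rejection["peer_net"]:
            continue  # client side differs, not the case described in post #8
        if gw_net == rejection["gw_net"]:
            return ("match", gw_net)
        if gw_net.subnet_of(rejection["gw_net"]):
            # e.g. client asks for 0.0.0.0/0, gateway only knows its LAN
            return ("client-too-wide", gw_net)
        if rejection["gw_net"].subnet_of(gw_net):
            return ("client-too-narrow", gw_net)
    return ("no-candidate", None)


def report(log_text, configured):
    """One human-readable line per distinct rejection."""
    lines = []
    for rej in parse_rejections(log_text):
        verdict, net = diagnose(rej, configured)
        msg = (f'{rej["conn"]} / {rej["peer_id"]}: proposed {rej["gw_net"]} <-> '
               f'{rej["peer_net"]} ({rej["count"]}x): {verdict}')
        if verdict in ("client-too-wide", "client-too-narrow"):
            msg += f"; set the client's remote network to {net.network_address} / {net.netmask}"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, CONFIGURED):
        print(line)
```
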

  9. #9
    ba0645 (Registered User)

    I have entered the network. The problem still exists.
    I will now try once more to analyse the Intranator log.

  10. #10
    ba0645 (Registered User)

    I still have not found a solution.
    When I ping the VPN client IP from the client after the tunnel is established, a ping gets through only very rarely. Could it be that Windows 7 is the problem here? Does anyone have the Shrewsoft VPN client running with Windows 7 and get a connection? Is there another VPN client that runs more simply, better and more stably?
    I currently have no new ideas or findings and would be very grateful for assistance.

  11. #11
    Gerd von Egidy (Administrator)

    Hello,

    if you change something in the configuration and it still does not work, another part probably does not fit yet; the connection is established in stages, so one does not see everything that is wrong at once.

    To be able to help you further, we would therefore need logs of a connection attempt from the Intranator and the client in the current configuration.

    We have tested the Shrew client here on various Windows versions (including Win 7, 32 and 64 bit). We also know of reliable configurations from many customers.

    Kind regards,

    v. Egidy

  12. #12
    ba0645 (Registered User)

    Unfortunately the log file is too large to post here.
    I therefore opened a ticket today and sent the logs by e-mail today.
    Ticket# t123006
