m (Removed redirect to UTM/VPN/IPSec-Troubleshooting v12.2) Tag: Redirect removed
m (Text replacement - „#WEITERLEITUNG(.*)Preview1260\n“ with „“) Tag: Redirect removed
(2 intermediate revisions by 2 users not shown)
Zeile 4: | Zeile 4: | ||
{{:UTM/VPN/IPSec-Troubleshooting.lang}} | {{:UTM/VPN/IPSec-Troubleshooting.lang}} | ||
</div>{{TOC2|Bild={{#var:Log-Level--Bild}}|cap={{#var:Log-Level--val}} }}{{ | {{var | neu--Log-Level per GUI | ||
{{Header|12. | | Das Log-Level lässt sich direkt im Admininterface einstellen | ||
* | | The log level can be set directly in the admin interface }} | ||
|[[UTM/VPN/IPSec-Troubleshooting_v12.2 | 12.2]] | |||
</div><div class="new_design"></div>{{Select_lang}}<!--{{TOC2|Bild={{#var:Log-Level--Bild}}|cap={{#var:Log-Level--val}} }}-->{{TOC2}} | |||
{{Header|12.6.0| | |||
* {{#var:neu--rwi}} | |||
* {{#var:neu--Log-Level per GUI}} | |||
|[[UTM/VPN/IPSec-Troubleshooting_v12.2.3 | 12.2.3]] | |||
[[UTM/VPN/IPSec-Troubleshooting_v12.2 | 12.2]] | |||
[[UTM/VPN/IPSec-Troubleshooting_v11.7 | 11.7]] | [[UTM/VPN/IPSec-Troubleshooting_v11.7 | 11.7]] | ||
[[UTM/VPN/IPSec-Troubleshooting_v11.6 | 11.6.12]] | [[UTM/VPN/IPSec-Troubleshooting_v11.6 | 11.6.12]] | ||
|{{Menu-UTM|VPN|IPSec|Log}} {{#var:Button}}{{button-dialog|IPSec Log|fa-chart-bar}} | |||
}} | }} | ||
---- | |||
=== {{#var:Vorbereitung}} === | |||
==== {{Reiter|Log}} ==== | |||
<div class="Einrücken"> | <div class="Einrücken"> | ||
{{#var:Log-Level--desc}} | {{#var:Log-Level--desc}} | ||
{{Hinweis- | {{Hinweis-box|{{#var:Log-Level--Hinweis}}|class=flex|fs__icon=em2}} | ||
{| class="sptable2 pd5 | </div> | ||
{| class="sptable2 pd5 zh1 einrücken" | |||
|- | |- | ||
| rowspan=4" | | rowspan="4" | {{b|Log-Level:}} || {{Button|{{#var:Rudimentär}}|dr|class=mw13}} || Default | ||
| class="Bild" rowspan="18" | {{Bild| {{#var:Log-Level--Bild}} |{{#var:Log-Level--cap}}|Log|IPSec|VPN|icon=fa-chart-bar|icon-text=IPSec Log|icon2=icon-save-and-restart|icon2-text={{#var:Speichern und neustarten}} }} | |||
| class="Bild" rowspan=" | |||
|- | |- | ||
| {{Button|{{#var:Ausführlich}}|dr|class= | | {{Button|{{#var:Ausführlich}}|dr|class=available}} || {{#var:Ausführlich--desc}} | ||
|- | |- | ||
| {{Button|{{#var:Sehr Ausführlich}}|dr|class= | | {{Button|{{#var:Sehr Ausführlich}}|dr|class=available}} || {{#var:Sehr Ausführlich--desc}}<li class="list--element__alert list--element__warning">{{#var:Sehr Ausführlich--Hinweis}}</li> | ||
|- | |- | ||
| {{Button|{{#var:Benutzerdefiniert}}|dr|class= | | {{Button|{{#var:Benutzerdefiniert}}|dr|class=available}} || {{#var:Benutzerdefiniert--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan="3" | {{#var:Speichern und neustarten--desc}} | | colspan="3" | {{#var:Speichern und neustarten--desc}} | ||
<li class="list--element__alert list--element__warning">{{#var:Speichern und neustarten--Hinweis}}</li> | <li class="list--element__alert list--element__warning">{{#var:Speichern und neustarten--Hinweis}}</li> | ||
|- class="Leerzeile" | |||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | <small>{{#var:Alternative}}</small> | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== {{#var:CLI-Befehl}} ==== | |||
|- class="Leerzeile" | |||
| colspan="3" | {{Menu-UTM|Extras|CLI}} {{code|extc value set application "ipsec" variable "DBG_LVL_IKE" value [ "2" ] }} <li class="list--element__alert list--element__warning">{{#var:IPSec neu starten}}<p>{{code|appmgmt restart application ipsec }}</p></li> | |||
|- class="Leerzeile" | |||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | <small>{{#var:Alternative}}</small> | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== {{#var:extc-Variable setzen}} ==== | |||
|- class="Leerzeile" | |||
| colspan="3" | {{#var:extc-Variable setzen--desc}} <li class="list--element__alert list--element__warning">{{#var:IPSec neu starten}}<p>{{#var:IPSec neu starten--Menu}}</p></li> | |||
|- class="Leerzeile" | |||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | <small>{{#var:Alternative}}</small> | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== SSH ==== | |||
|- class="Leerzeile" | |||
| colspan="3" | {{#var:per SSH--desc}} <li class="list--element__alert list--element__positiv">{{#var:per SSH--Hinweis}}</li> * {{#var:per SSH bis 12.1.8--desc}} * {{#var:per SSH ab 12.2--desc}} | |||
|- class="Leerzeile" | |||
| | |||
|} | |} | ||
<br clear=all> | <br clear=all> | ||
---- | |||
=== {{#var:Phase 1 | {|class="sptable2 pd5 zh1 einrücken" | ||
|- class="Leerzeile" | |||
==== {{#var:Der normale Verbindungsaufbau}} ==== | | colspan="3" | | ||
=== IKEv1 Troubleshooting === | |||
|- class="Leerzeile" | |||
| colspan="2" | {{#var:IKEv1 Troubleshooting--desc}} | |||
| class="Bild" rowspan="2"| {{Bild| {{#var:IKEv1 Troubleshooting--Bild}} |{{#var:IKEv1 Troubleshooting--cap}} }} | |||
|- class="Leerzeile" | |||
| | |||
|- class="Leerzeile" | |||
| colspan="3"| | |||
==== Phase 1 ==== | |||
|- class="Leerzeile" | |||
| colspan="3"| | |||
===== {{#var:Der normale Verbindungsaufbau}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Der normale Verbindungsaufbau--desc}} | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|10[IKE] IKE_SA Standort_1_2[1] established between 198.51.100.75[198.51.100.75]...198.51.100.1[198.51.100.1]|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
==== {{#var:Falsches Proposal}} ==== | | colspan="3" | | ||
===== {{#var:Falsches Proposal}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falsches Proposal--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|10[IKE] received NO_PROPOSAL_CHOSEN notify error|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|05[CFG] selecting proposal:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|05[CFG] no acceptable ENCRYPTION_ALGORITHM found|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|05[CFG] selecting proposal:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|05[CFG] received proposals: IKE: BLOWFISH_CBC_256 / HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_8192|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|05[CFG] configured proposals: IKE: AES_CBC_128 / HMAC_SHA2_256_128 / PRF_HMAC_SHA2_256 / MODP_2048, IKE: AES_CBC_128 / AES_CBC_192 / AES_CBC_256 / 3DES_CBC / CAMELLIA_CBC_128 / CAMELLIA_CBC_192 / CAMELLIA_CBC_256 / AES_CTR_128 / AES_CTR_192 / AES_CTR_256 / CAMELLIA_CTR_128 / CAMELLIA_CTR_192 / CAMELLIA_CTR_256 / HMAC_MD5_96 / HMAC_SHA1_96 / HMAC_SHA2_256_128 / HMAC_SHA2_384_192 / HMAC_SHA2_512 / AES_XCBC_96 / AES_CMAC_96 / PRF_HMAC_MD5 / PRF_HMAC_SHA1 / PRF_HMAC_SHA2_256 / PRF_HMAC_SHA2_512 / 256 / AES_XCBC_96 / AES_CMAC_96 / PRF_AES128_CMAC / MODP_2048 / MODP_2048_224 / MODP_2048_256 / MODP_1536 / MODP_3072 / MODP_4096 / MODP_8192 / MODP_1024 / MODP_1024_160 / ECP_256 / ECP_384 / ECP_512 / ECP_224 / ECP_192 / ECP_224_BP / ECP_256_BP / ECP_384_BP_ECP_512_BP , IKE: AES_GCM_8_128 / AES_GCM_8_192 / AES_GCM_8_256 / AES_GCM_12_128 / AES_GCM_12_192 / AES_GCM_12_256 / AES_GCM_16_128 / AES_GCM_16_192 / AES_GCM_16_256 / PRF_HMAC_MD5 / PRF_HMAC_SHA1 / PRF_HMAC_SHA2_256 / PRF_HMAC_SHA2_384 / PRF_HMAC_SHA2_512 / PRF_AES128_XCBC / PRF_AES128_CMAC / MODP_2048 / MODP_2048_224 / MODP_2048_256 / MODP_1536 / MODP_3072 / MODP_4096 / MODP_8192 / MODP_1024 / MODP_1024_160 / ECP_256 / ECP_384 / ECP__521 / ECP_224 / ECP_192 / ECP_224_BP / ECP_256_BP / ECP_384_BP / ECP_512_BP|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] received proposals inacceptable|blau}} | ||
|} | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
===== {{#var:Falsche Remote-Gateway-Adresse}} ===== | |||
==== {{#var:Falsche Remote-Gateway-Adresse}} ==== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falsche Remote-Gateway-Adresse--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|11[CFG] looking for an ike config for 198.51.100.75...195.51.100.1|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|11[IKE] no IKE config found for 198.51.100.75...195.51.100.1, sending NO_PROPOSAL_CHOSEN|blau}} | ||
|} | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
===== {{#var:Falsche ID Initiator}} ===== | |||
==== {{#var:Falsche ID Initiator}} ==== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falsche ID Initiator--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|09[IKE] received AUTHENTICATION_FAILED error notify|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|07[CFG] looking for pre-shared key peer configs matching 198.51.100.75...198.51.100.1[blubb]|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|07[IKE] no peer config found|blau}} | ||
|} | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
===== {{#var:Falsche ID Responder}} ===== | |||
==== {{#var:Falsche ID Responder}} ==== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falsche ID Responder--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|05[IKE] IDir 'blubb' does not match to '198.51.100.75'|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== {{#var:Falscher PSK}} ==== | ===== {{#var:Falscher PSK}} ===== | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falscher PSK--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|15[IKE] message parsing failed|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|15[IKE] ignore malformed INFORMATIONAL request|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|15[IKE] INFORMATIONAL_V1 request with message ID 1054289493 processing failed|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[IKE] message parsing failed|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[IKE] ID_PROT request with message ID 0 processing failed|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== {{#var:Falscher RSA-Key Initiator}} ==== | ===== {{#var:Falscher RSA-Key Initiator}} ===== | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falscher RSA-Key Initiator--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|15[IKE] authentication of 'Filiale' (myself) succesful|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|16[IKE] received AUTHENTICATION_FAILED error notify|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[CFG] looking for RSA signature peer configs matching 198.51.100.75...198.51.100.1[Filiale]|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[CFG] candidate "Standort1_4", match: 1/20/28 (me/other/ike)|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[CFG] selected peer config "Standort1_4"|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[CFG] using trusted certificate "Filiale"|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[IKE] ignature validation failed, looking for another key|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|14[IKE] no trusted RSA public key found for 'Filiale'|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
==== {{#var:Falscher RSA-Key Responder}} ==== | | colspan="3" | | ||
===== {{#var:Falscher RSA-Key Responder}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falscher RSA-Key Responder--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|16[CFG] authentication of 'Filiale' (myself) succesful|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|16[IKE] using trusted certificate "Zentrale"|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|16[IKE] signature validation failed, looking for another key|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|15[IKE] no trusted RSA public key found for 'Zentrale'|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2" | {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[CFG] looking for RSA signature peer configs matching 198.51.100.75...198.51.100.1[Filiale]|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[CFG] candidate "Standort1_4", match: 1/20/28 (me/other/ike)|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[CFG] selected peer config "Standort1_4"|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[CFG] using trusted certificate "Filiale"|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] authentication of 'Filiale' with RSA succesful|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] authentication of 'Zentrale' (myself) succesful|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] IKE_SA Standort1_4[1] established between 198.51.100.75[Zentrale]...198.51.100.1[Filiale]|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] IKE_SA Standort1_4[1] established between 198.51.100.75[Zentrale]...198.51.100.1[Filiale]|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] scheduling reauthentication in 2593s|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|10[IKE] maximum IKE_SA lifetime 3133s|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2" | {{Kasten|13[IKE] received DELETE for IKE_SA Standort_4[1]|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
=== | | colspan="3" | | ||
==== {{#var:Der normale Verbindungsaufbau}} ==== | ==== Phase 2 ==== | ||
|- class="Leerzeile" | |||
| colspan="3" | | |||
===== {{#var:Der normale Verbindungsaufbau}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Phase2-Der normale Verbindungsaufbau--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log & Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>05[IKE] CHILD_SA Zentrale_2{1} established with SPIs ca7520e3_i c562f9d6_o and TS 10.1.10.0/24 === 10.0.0.0/24</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>05[IKE] CHILD_SA Zentrale_2{1} established with SPIs ca7520e3_i c562f9d6_o and TS 10.1.10.0/24 === 10.0.0.0/24</nowiki>|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
==== {{#var:Falsche Subnetzkonfiguration}} ==== | |- class="Leerzeile" | ||
| colspan="3" | | |||
===== {{#var:Falsche Subnetzkonfiguration}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:Falsche Subnetzkonfiguration--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|13[CFH] proposing traffic selectors for us:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|13[CFG] 10.1.0.0/24|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|13[CFG] proposing traffic selectors for other:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|13[CFG] 11.0.0.0/24|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|05[IKE] received INVALID_ID_INFORMATION error notify|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>11[CFG] looking for a child config for 11.0.0.0/24 === 10.1.0.0/24</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] proposing traffic selectors for us:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] 10.0.0.0/24|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] proposing traffic selectors for other:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] 10.1.0.0/24|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[IKE] no matching CHILD_SA config found|blau}} | ||
|- class="Leerzeile" | |||
| | |||
|} | |} | ||
---- | |||
== {{#var:IKEv2 Troubleshooting}} == | {|class="sptable2 pd5 zh1 einrücken" | ||
{{ | |- class="Leerzeile" | ||
| colspan="3" | | |||
=== IKEv2 Troubleshooting === | |||
|- class="Leerzeile" | |||
=== {{#var:Verbindungsaufbau}} === | | colspan="2" | {{#var:IKEv2 Troubleshooting--desc}} | ||
| class="Bild" rowspan="2"| {{Bild| {{#var:IKEv2 Troubleshooting--Bild}} |{{#var:IKEv2 Troubleshooting--cap}} }} | |||
==== {{#var:IKEv1--Verbindung kommt zustande}} ==== | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== {{#var:Verbindungsaufbau}} ==== | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
===== {{#var:IKEv1--Verbindung kommt zustande}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:IKEv1--Verbindung kommt zustande--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log & Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] selected proposal_ ESP_AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] selecting traffic selectors for us:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>11[CFG] config: 10.1.0.0/24, received: 10.1.0.0/24 => match: 10.1.0.0/24</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] selecting traffic selectors for ther:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>11[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 0 => match: 10.0.0.0/24</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>11[IKE] CHILD_SA Zentrale_3{2} established with SPIs c24bb346_i c8e52c94_o and T S 10.1.0.0/24 === 10.0.0.0/24</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>11[IKE] CHILD_SA Zentrale_3{2} established with SPIs c24bb346_i c8e52c94_o and T S 10.1.0.0/24 === 10.0.0.0/24</nowiki>|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
==== {{#var:IKEv2: Falsche Remote-Gateway-Adresse}} ==== | | colspan="3" | | ||
===== {{#var:IKEv2: Falsche Remote-Gateway-Adresse}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:IKEv2: Falsche Remote-Gateway-Adresse--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[CFG] looking for an ike config fo 198.51.100.75...198.51.100.1|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|11[IKE] no IKE config for 198.51.100.75...198.51.100.1, sending NO_PROPOSAL_CHOSEN|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
==== {{#var:IKEv2: Falsche ID Initiator}} ==== | | colspan="3" | | ||
===== {{#var:IKEv2: Falsche ID Initiator}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:IKEv2: Falsche ID Initiator--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|09[IKE] received AUTHENTICATION_FAILED error notify|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|07[CFG] looking for pre-shared key peer configs matching 198.51.100.75...198.51.100.1[blubb]|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|07[IKE] no peer config found|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
| colspan="3" | | |||
==== {{#var:IKEv2 Falsche ID Responder}} ==== | ===== {{#var:IKEv2 Falsche ID Responder}} ===== | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:IKEv2 Falsche ID Responder--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|05[IKE] IDir 'blubb' does not match to '198.51.100.75'|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
==== {{#var:IKEv2: Falscher PSK}} ==== | | colspan="3" | | ||
===== {{#var:IKEv2: Falscher PSK}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:XXX--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|13[IKE] received AUTHENTICATION_FAILED notify error|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|10[IKE] tried 2 shared keys for '198.51.100.75' - '198.51.100.1', but MAC mismatched|blau}} | ||
| | |- class="Leerzeile" | ||
| | |||
|- class="Leerzeile" | |||
==== {{#var:IKEv2: Falsche Subnetzkonfiguration}} ==== | | colspan="3" | | ||
===== {{#var:IKEv2: Falsche Subnetzkonfiguration}} ===== | |||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | {{#var:IKEv2: Falsche Subnetzkonfiguration--desc}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Initiator-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|10[IKE] received T S_UNACCEPTABLE notify, no CHILD_SA built|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|10[IKE] failed to establish CHILD_SA, keeping IKE_SA|blau}} | ||
|- class="Leerzeile" | |- class="Leerzeile" | ||
| colspan=" | | colspan="3" | '''Responder-Log''' | ||
|- | |- | ||
! Dienst !! Nachricht | ! {{#var:Dienst}} !! colspan="2"| {{#var:Nachricht}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>05[CFG] looking for a child config for 10.0.0.0/24 === 11.1.0.0/24</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|05[CFG] proposing traffic selectors for us:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|05[CFG] 10.0.0.0/24|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|05[CFG] proposing traffic selectors for other:|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|05[CFG] 10.1.0.0/24|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|<nowiki>10[IKE] traffic selectors 10.0.0.0/24 === 11.1.0.0/24 inacceptable</nowiki>|blau}} | ||
|- | |- | ||
| | | {{Kasten|IPSec|blau}} || colspan="2"| {{Kasten|10[IKE] failed to establish CHILD_SA, keeping IKE_SA|blau}} | ||
|- class="Leerzeile" | |||
| | |||
|} | |} |
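Review bot: The description cell of the IKEv2 wrong-PSK section in the new revision references {{#var:XXX--desc}}, which looks like a leftover placeholder. Every other section uses a variable named after its heading (for example {{#var:IKEv2: Falsche Subnetzkonfiguration--desc}}), so this cell should point at the matching PSK description variable unless a variable called "XXX--desc" is really defined in the .lang page. Some quoted log messages in the new column also contain transcription slips, which matters because readers will search their own logs for these strings: "14[IKE] ignature validation failed" (the following section has "signature validation failed"), the subsystem tag "13[CFH]" where the neighbouring rows use "[CFG]", "selecting traffic selectors for ther:" and "looking for an ike config fo 198.51.100.75". Correct these to the wording the daemon actually emits.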
Latest revision as of 16 January 2024, 15:17
IPSec Troubleshooting
Last adaptation to version: 12.6.0
New:
- Updated for the redesign of the web interface
- The log level can be set directly in the admin interface
Preparation - Increase the log level
Log
As a prerequisite for successful troubleshooting, the log level must first be increased.
Changing the log level restarts the IPSec service. All IPSec connections are interrupted once in the process.