12.6.0
Log
| Log-Level: | Default | UTMVPN [[Datei: ]] Log
| |
|
| |||
| extc value set application "ipsec" variable "DBG_LVL_IKE" value [ "2" ] appmgmt restart application ipsec | |||
|
| |||
SSH | |||
| * * | |||
IKEv1 Troubleshooting | ||
| [[Datei: ]] | ||
Phase 1 | ||
|
| ||
| IPSec | 10[IKE] IKE_SA Standort_1_2[1] established between 198.51.100.75[198.51.100.75]...198.51.100.1[198.51.100.1] | |
|
| ||
| Initiator-Log | ||
| IPSec | 10[IKE] received NO_PROPOSAL_CHOSEN notify error | |
| Responder-Log | ||
| IPSec | 05[CFG] selecting proposal: | |
| IPSec | 05[CFG] no acceptable ENCRYPTION_ALGORITHM found | |
| IPSec | 05[CFG] selecting proposal: | |
| IPSec | 05[CFG] received proposals: IKE: BLOWFISH_CBC_256 / HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_8192 | |
| IPSec | 05[CFG] configured proposals: IKE: AES_CBC_128 / HMAC_SHA2_256_128 / PRF_HMAC_SHA2_256 / MODP_2048, IKE: AES_CBC_128 / AES_CBC_192 / AES_CBC_256 / 3DES_CBC / CAMELLIA_CBC_128 / CAMELLIA_CBC_192 / CAMELLIA_CBC_256 / AES_CTR_128 / AES_CTR_192 / AES_CTR_256 / CAMELLIA_CTR_128 / CAMELLIA_CTR_192 / CAMELLIA_CTR_256 / HMAC_MD5_96 / HMAC_SHA1_96 / HMAC_SHA2_256_128 / HMAC_SHA2_384_192 / HMAC_SHA2_512 / AES_XCBC_96 / AES_CMAC_96 / PRF_HMAC_MD5 / PRF_HMAC_SHA1 / PRF_HMAC_SHA2_256 / PRF_HMAC_SHA2_512 / 256 / AES_XCBC_96 / AES_CMAC_96 / PRF_AES128_CMAC / MODP_2048 / MODP_2048_224 / MODP_2048_256 / MODP_1536 / MODP_3072 / MODP_4096 / MODP_8192 / MODP_1024 / MODP_1024_160 / ECP_256 / ECP_384 / ECP_512 / ECP_224 / ECP_192 / ECP_224_BP / ECP_256_BP / ECP_384_BP_ECP_512_BP , IKE: AES_GCM_8_128 / AES_GCM_8_192 / AES_GCM_8_256 / AES_GCM_12_128 / AES_GCM_12_192 / AES_GCM_12_256 / AES_GCM_16_128 / AES_GCM_16_192 / AES_GCM_16_256 / PRF_HMAC_MD5 / PRF_HMAC_SHA1 / PRF_HMAC_SHA2_256 / PRF_HMAC_SHA2_384 / PRF_HMAC_SHA2_512 / PRF_AES128_XCBC / PRF_AES128_CMAC / MODP_2048 / MODP_2048_224 / MODP_2048_256 / MODP_1536 / MODP_3072 / MODP_4096 / MODP_8192 / MODP_1024 / MODP_1024_160 / ECP_256 / ECP_384 / ECP__521 / ECP_224 / ECP_192 / ECP_224_BP / ECP_256_BP / ECP_384_BP / ECP_512_BP | |
| IPSec | 10[IKE] received proposals inacceptable | |
|
| ||
| Responder-Log | ||
| IPSec | 11[CFG] looking for an ike config for 198.51.100.75...195.51.100.1 | |
| IPSec | 11[IKE] no IKE config found for 198.51.100.75...195.51.100.1, sending NO_PROPOSAL_CHOSEN | |
|
| ||
| Initiator-Log | ||
| IPSec | 09[IKE] received AUTHENTICATION_FAILED error notify | |
| Responder-Log | ||
| IPSec | 07[CFG] looking for pre-shared key peer configs matching 198.51.100.75...198.51.100.1[blubb] | |
| IPSec | 07[IKE] no peer config found | |
|
| ||
| Initiator-Log | ||
| IPSec | 05[IKE] IDir 'blubb' does not match to '198.51.100.75' | |
|
| ||
| Initiator-Log | ||
| IPSec | 15[IKE] message parsing failed | |
| IPSec | 15[IKE] ignore malformed INFORMATIONAL request | |
| IPSec | 15[IKE] INFORMATIONAL_V1 request with message ID 1054289493 processing failed | |
| Responder-Log | ||
| IPSec | 14[IKE] message parsing failed | |
| IPSec | 14[IKE] ID_PROT request with message ID 0 processing failed | |
|
| ||
| Initiator-Log | ||
| IPSec | 15[IKE] authentication of 'Filiale' (myself) succesful | |
| IPSec | 16[IKE] received AUTHENTICATION_FAILED error notify | |
| Responder-Log | ||
| IPSec | 14[CFG] looking for RSA signature peer configs matching 198.51.100.75...198.51.100.1[Filiale] | |
| IPSec | 14[CFG] candidate "Standort1_4", match: 1/20/28 (me/other/ike) | |
| IPSec | 14[CFG] selected peer config "Standort1_4" | |
| IPSec | 14[CFG] using trusted certificate "Filiale" | |
| IPSec | 14[IKE] ignature validation failed, looking for another key | |
| IPSec | 14[IKE] no trusted RSA public key found for 'Filiale' | |
|
| ||
| Initiator-Log | ||
| IPSec | 16[CFG] authentication of 'Filiale' (myself) succesful | |
| IPSec | 16[IKE] using trusted certificate "Zentrale" | |
| IPSec | 16[IKE] signature validation failed, looking for another key | |
| IPSec | 15[IKE] no trusted RSA public key found for 'Zentrale' | |
| Responder-Log | ||
| IPSec | 10[CFG] looking for RSA signature peer configs matching 198.51.100.75...198.51.100.1[Filiale] | |
| IPSec | 10[CFG] candidate "Standort1_4", match: 1/20/28 (me/other/ike) | |
| IPSec | 10[CFG] selected peer config "Standort1_4" | |
| IPSec | 10[CFG] using trusted certificate "Filiale" | |
| IPSec | 10[IKE] authentication of 'Filiale' with RSA succesful | |
| IPSec | 10[IKE] authentication of 'Zentrale' (myself) succesful | |
| IPSec | 10[IKE] IKE_SA Standort1_4[1] established between 198.51.100.75[Zentrale]...198.51.100.1[Filiale] | |
| IPSec | 10[IKE] IKE_SA Standort1_4[1] established between 198.51.100.75[Zentrale]...198.51.100.1[Filiale] | |
| IPSec | 10[IKE] scheduling reauthentication in 2593s | |
| IPSec | 10[IKE] maximum IKE_SA lifetime 3133s | |
| IPSec | 13[IKE] received DELETE for IKE_SA Standort_4[1] | |
Phase 2 | ||
|
| ||
| Initiator-Log & Responder-Log | ||
| IPSec | 05[IKE] CHILD_SA Zentrale_2{1} established with SPIs ca7520e3_i c562f9d6_o and TS 10.1.10.0/24 === 10.0.0.0/24 | |
| IPSec | 05[IKE] CHILD_SA Zentrale_2{1} established with SPIs ca7520e3_i c562f9d6_o and TS 10.1.10.0/24 === 10.0.0.0/24 | |
|
| ||
| Initiator-Log | ||
| IPSec | 13[CFH] proposing traffic selectors for us: | |
| IPSec | 13[CFG] 10.1.0.0/24 | |
| IPSec | 13[CFG] proposing traffic selectors for other: | |
| IPSec | 13[CFG] 11.0.0.0/24 | |
| IPSec | 05[IKE] received INVALID_ID_INFORMATION error notify | |
| Responder-Log | ||
| IPSec | 11[CFG] looking for a child config for 11.0.0.0/24 === 10.1.0.0/24 | |
| IPSec | 11[CFG] proposing traffic selectors for us: | |
| IPSec | 11[CFG] 10.0.0.0/24 | |
| IPSec | 11[CFG] proposing traffic selectors for other: | |
| IPSec | 11[CFG] 10.1.0.0/24 | |
| IPSec | 11[IKE] no matching CHILD_SA config found | |
IKEv2 Troubleshooting | ||
| [[Datei: ]] | ||
|
| ||
|
| ||
| Initiator-Log & Responder-Log | ||
| IPSec | 11[CFG] selected proposal_ ESP_AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ | |
| IPSec | 11[CFG] selecting traffic selectors for us: | |
| IPSec | 11[CFG] config: 10.1.0.0/24, received: 10.1.0.0/24 => match: 10.1.0.0/24 | |
| IPSec | 11[CFG] selecting traffic selectors for ther: | |
| IPSec | 11[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 0 => match: 10.0.0.0/24 | |
| IPSec | 11[IKE] CHILD_SA Zentrale_3{2} established with SPIs c24bb346_i c8e52c94_o and T S 10.1.0.0/24 === 10.0.0.0/24 | |
| IPSec | 11[IKE] CHILD_SA Zentrale_3{2} established with SPIs c24bb346_i c8e52c94_o and T S 10.1.0.0/24 === 10.0.0.0/24 | |
|
| ||
| Responder-Log | ||
| IPSec | 11[CFG] looking for an ike config fo 198.51.100.75...198.51.100.1 | |
| IPSec | 11[IKE] no IKE config for 198.51.100.75...198.51.100.1, sending NO_PROPOSAL_CHOSEN | |
|
| ||
| Initiator-Log | ||
| IPSec | 09[IKE] received AUTHENTICATION_FAILED error notify | |
| Responder-Log | ||
| IPSec | 07[CFG] looking for pre-shared key peer configs matching 198.51.100.75...198.51.100.1[blubb] | |
| IPSec | 07[IKE] no peer config found | |
|
| ||
| Initiator-Log | ||
| IPSec | 05[IKE] IDir 'blubb' does not match to '198.51.100.75' | |
|
| ||
| Initiator-Log | ||
| IPSec | 13[IKE] received AUTHENTICATION_FAILED notify error | |
| Responder-Log | ||
| IPSec | 10[IKE] tried 2 shared keys for '198.51.100.75' - '198.51.100.1', but MAC mismatched | |
|
| ||
| Initiator-Log | ||
| IPSec | 10[IKE] received T S_UNACCEPTABLE notify, no CHILD_SA built | |
| IPSec | 10[IKE] failed to establish CHILD_SA, keeping IKE_SA | |
| Responder-Log | ||
| IPSec | 05[CFG] looking for a child config for 10.0.0.0/24 === 11.1.0.0/24 | |
| IPSec | 05[CFG] proposing traffic selectors for us: | |
| IPSec | 05[CFG] 10.0.0.0/24 | |
| IPSec | 05[CFG] proposing traffic selectors for other: | |
| IPSec | 05[CFG] 10.1.0.0/24 | |
| IPSec | 10[IKE] traffic selectors 10.0.0.0/24 === 11.1.0.0/24 inacceptable | |
| IPSec | 10[IKE] failed to establish CHILD_SA, keeping IKE_SA | |