UTM/VPN/IPSec-Troubleshooting v12.2.3

notempty

Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty

Der Artikel für die neueste Version steht hier

notempty

Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht

12.2.3

12.2 11.7 11.6.12

Log-Level: 12.2.3

}}

SSH

[[Datei: ]]

Dienst	Nachricht

IPSec(charon)	10[IKE] IKE_SA Standort_1_2[1] established between 198.51.100.75[198.51.100.75]...198.51.100.1[198.51.100.1]

Dienst	Nachricht

'
IPSec(charon)	10[IKE] received NO_PROPOSAL_CHOSEN notify error
'
Dienst	Nachricht
IPSec(charon)	05[CFG] selecting proposal:
IPSec(charon)	05[CFG] no acceptable ENCRYPTION_ALGORITHM found
IPSec(charon)	05[CFG] selecting proposal:
IPSec(charon)	05[CFG] received proposals: IKE:BLOWFISH_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
IPSec(charon)	05[CFG] configured proposals:IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_512/256/AES_XCBC_96/AES_CMAC_96/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_512/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP_ECP_512_BP,IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP__521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
IPSec(charon)	10[IKE] received proposals inacceptable

Dienst	Nachricht

'
IPSec(charon)	11[CFG] looking for an ike config for 198.51.100.75...195.51.100.1
IPSec(charon)	11[IKE] no IKE config found for 198.51.100.75...195.51.100.1, sending NO_PROPOSAL_CHOSEN

Dienst	Nachricht

'
IPSec(charon)	09[IKE] received AUTHENTICATION_FAILED error notify
'
Dienst	Nachricht
IPSec(charon)	07[CFG] looking for pre-shared key peer configs matching 198.51.100.75...198.51.100.1[blubb]
IPSec(charon)	07[IKE] no peer config found

Dienst	Nachricht

'
IPSec(charon)	05[IKE] IDir 'blubb' does not match to '198.51.100.75'

Dienst	Nachricht

'
IPSec(charon)	15[IKE] message parsing failed
IPSec(charon)	15[IKE] ignore malformed INFORMATIONAL request
IPSec(charon)	15[IKE] INFORMATIONAL_V1 request with message ID 1054289493 processing failed
'
Dienst	Nachricht
IPSec(charon)	14[IKE] message parsing failed
IPSec(charon)	14[IKE] ID_PROT request with message ID 0 processing failed

Dienst	Nachricht

'
IPSec(charon)	15[IKE] authentication of 'Filiale' (myself) succesful
IPSec(charon)	16[IKE] received AUTHENTICATION_FAILED error notify
'
Dienst	Nachricht
IPSec(charon)	14[CFG] looking for RSA signature peer configs matching 198.51.100.75...198.51.100.1[Filiale]
IPSec(charon)	14[CFG] candidate "Standort1_4", match: 1/20/28 (me/other/ike)
IPSec(charon)	14[CFG] selected peer config "Standort1_4"
IPSec(charon)	14[CFG] using trusted certificate "Filiale"
IPSec(charon)	14[IKE] ignature validation failed, looking for another key
IPSec(charon)	14[IKE] no trusted RSA public key found for 'Filiale'

Dienst	Nachricht

'
IPSec(charon)	16[CFG] authentication of 'Filiale' (myself) succesful
IPSec(charon)	16[IKE] using trusted certificate "Zentrale"
IPSec(charon)	16[IKE] signature validation failed, looking for another key
IPSec(charon)	15[IKE] no trusted RSA public key found for 'Zentrale'
'
Dienst	Nachricht
IPSec(charon)	10[CFG] looking for RSA signature peer configs matching 198.51.100.75...198.51.100.1[Filiale]
IPSec(charon)	10[CFG] candidate "Standort1_4", match: 1/20/28 (me/other/ike)
IPSec(charon)	10[CFG] selected peer config "Standort1_4"
IPSec(charon)	10[CFG] using trusted certificate "Filiale"
IPSec(charon)	10[IKE] authentication of 'Filiale' with RSA succesful
IPSec(charon)	10[IKE] authentication of 'Zentrale' (myself) succesful
IPSec(charon)	10[IKE] IKE_SA Standort1_4[1] established between 198.51.100.75[Zentrale]...198.51.100.1[Filiale]
IPSec(charon)	10[IKE] IKE_SA Standort1_4[1] established between 198.51.100.75[Zentrale]...198.51.100.1[Filiale]
IPSec(charon)	10[IKE] scheduling reauthentication in 2593s
IPSec(charon)	10[IKE] maximum IKE_SA lifetime 3133s
IPSec(charon)	13[IKE] received DELETE for IKE_SA Standort_4[1]

Dienst	Nachricht

&
IPSec(charon)	05[IKE] CHILD_SA Zentrale_2{1} established with SPIs ca7520e3_i c562f9d6_o and TS 10.1.10.0/24 === 10.0.0.0/24
IPSec(charon)	05[IKE] CHILD_SA Zentrale_2{1} established with SPIs ca7520e3_i c562f9d6_o and TS 10.1.10.0/24 === 10.0.0.0/24

Dienst	Nachricht

'
IPSec(charon)	13[CFH] proposing traffic selectors for us:
IPSec(charon)	13[CFG] 10.1.0.0/24
IPSec(charon)	13[CFG] proposing traffic selectors for other:
IPSec(charon)	13[CFG] 11.0.0.0/24
IPSec(charon)	05[IKE] received INVALID_ID_INFORMATION error notify
'
Dienst	Nachricht
IPSec(charon)	11[CFG] looking for a child config for 11.0.0.0/24 === 10.1.0.0/24
IPSec(charon)	11[CFG] proposing traffic selectors for us:
IPSec(charon)	11[CFG] 10.0.0.0/24
IPSec(charon)	11[CFG] proposing traffic selectors for other:
IPSec(charon)	11[CFG] 10.1.0.0/24
IPSec(charon)	11[IKE] no matching CHILD_SA config found

[[Datei: |hochkant=2|mini| ]]

Dienst	Nachricht

&
IPSec(charon)	11[CFG] selected proposal_ ESP_AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
IPSec(charon)	11[CFG] selecting traffic selectors for us:
IPSec(charon)	11[CFG] config: 10.1.0.0/24, received: 10.1.0.0/24 => match: 10.1.0.0/24
IPSec(charon)	11[CFG] selecting traffic selectors for ther:
IPSec(charon)	11[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 0 => match: 10.0.0.0/24
IPSec(charon)	11[IKE] CHILD_SA Zentrale_3{2} established with SPIs c24bb346_i c8e52c94_o and T S 10.1.0.0/24 === 10.0.0.0/24
IPSec(charon)	11[IKE] CHILD_SA Zentrale_3{2} established with SPIs c24bb346_i c8e52c94_o and T S 10.1.0.0/24 === 10.0.0.0/24

Dienst	Nachricht

'
IPSec(charon)	11[CFG] looking for an ike config fo 198.51.100.75...198.51.100.1
IPSec(charon)	11[IKE] no IKE config for 198.51.100.75...198.51.100.1, sending NO_PROPOSAL_CHOSEN

Dienst	Nachricht

'
IPSec(charon)	09[IKE] received AUTHENTICATION_FAILED error notify
'
Dienst	Nachricht
IPSec(charon)	07[CFG] looking for pre-shared key peer configs matching 198.51.100.75...198.51.100.1[blubb]
IPSec(charon)	07[IKE] no peer config found

Dienst	Nachricht

'
IPSec(charon)	05[IKE] IDir 'blubb' does not match to '198.51.100.75'

Dienst	Nachricht

'
IPSec(charon)	13[IKE] received AUTHENTICATION_FAILED notify error
'
Dienst	Nachricht
IPSec(charon)	10[IKE] tried 2 shared keys for '198.51.100.75' - '198.51.100.1', but MAC mismatched

Dienst	Nachricht

'
IPSec(charon)	10[IKE] received T S_UNACCEPTABLE notify, no CHILD_SA built
IPSec(charon)	10[IKE] failed to establish CHILD_SA, keeping IKE_SA
'
Dienst	Nachricht
IPSec(charon)	05[CFG] looking for a child config for 10.0.0.0/24 === 11.1.0.0/24
IPSec(charon)	05[CFG] proposing traffic selectors for us:
IPSec(charon)	05[CFG] 10.0.0.0/24
IPSec(charon)	05[CFG] proposing traffic selectors for other:
IPSec(charon)	05[CFG] 10.1.0.0/24
IPSec(charon)	10[IKE] traffic selectors 10.0.0.0/24 === 11.1.0.0/24 inacceptable
IPSec(charon)	10[IKE] failed to establish CHILD_SA, keeping IKE_SA