VPN + Openswan - no suitable connection for peer
Hello,
I have been despairing for a while now (i.e. for a week) over an attempt to set up a VPN connection. I have already tried a lot and am really at my wits' end. The attached configuration seemed to me to give the best results; with all the other combinations the process aborted somewhat earlier.
I am grateful for any (however small) hint, tip or food for thought.
Please help me, I am now really running into time problems.
It is a Linux server (as gateway) (with kernel kernel-image-2.6.7-hardened [recommended by Openswan.org]) and a WinXP SP2 machine (as client).
Client IP: 10.254.254.155/24
Server IP: eth0 10.254.254.200/24
eth1 10.254.0.200/24
Oh yes... there is also another server sitting on 10.254.0.1/24
Excerpt from c:\Programme\IPsec\ipsec.conf (from the client)
============================================================================
conn Roadwarrior
left=%any
right=10.254.254.200
rightsubnet=10.254.0.0/24
rightca="C=DE, S=Saxony, L=Dresden, O=Enrico Gusek bIT, OU=WAN, CN=CA Enrico Gusek bIT"
network=lan
auto=start
pfs=yes
Everything from here on is from the server
Excerpt from /etc/ipsec.conf
============================================================================
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
#interfaces="ipsec0=eth0"
plutodebug=none
klipsdebug=none
uniqueids=no
#plutodebug="control"
#klipsdebug=none
#plutodebug=all
#klipsdebug=all
conn %default
keyingtries=0
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
left=%defaultroute
#left=10.254.254.200
leftsubnet=10.254.0.0/24
leftid="C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=SVRVPN"
conn Roadwarrior
right=%any
#right=10.254.254.155
type=tunnel
keyexchange=ike
pfs=yes
auto=add
#auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Excerpt from ipsec whack --status
============================================================================
svrvpn:/home/enrico# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.254.254.200
000 interface eth1/eth1 10.254.0.200
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "Roadwarrior": 10.254.0.0/24===10.254.254.200[C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=SVRVPN]---10.254.254.254...%any; unrouted; eroute owner: #0
000 "Roadwarrior": srcip=unset; dstip=unset
000 "Roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Roadwarrior": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,32; interface: eth0;
000 "Roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
Excerpt from ipsec verify
============================================================================
svrvpn:/home/enrico# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0/K2.6.7-hardened (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: svrvpn [MISSING]
svrvpn does not exist, try again
Does the machine have at least one non-private address? [FAILED]
Excerpt from /var/log/auth.log
============================================================================
Mar 30 20:17:33 svrvpn ipsec__plutorun: Starting Pluto subsystem...
Mar 30 20:17:34 svrvpn pluto[11639]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 30 20:17:34 svrvpn pluto[11639]: Setting port floating to off
Mar 30 20:17:34 svrvpn pluto[11639]: port floating activate 0/1
Mar 30 20:17:34 svrvpn pluto[11639]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 30 20:17:35 svrvpn pluto[11639]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 30 20:17:35 svrvpn pluto[11639]: starting up 1 cryptographic helpers
Mar 30 20:17:36 svrvpn pluto[11639]: started helper pid=11640 (fd:6)
Mar 30 20:17:37 svrvpn pluto[11639]: Using Linux 2.6 IPsec interface code
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 30 20:17:38 svrvpn pluto[11639]: loaded CA cert file 'caCert.pem' (1554 bytes)
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory '/etc/ipsec.d/aacerts'
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory '/etc/ipsec.d/crls'
Mar 30 20:17:38 svrvpn pluto[11639]: loaded crl file 'crl.pem' (658 bytes)
Mar 30 20:17:42 svrvpn pluto[11639]: added connection description "Roadwarrior"
Mar 30 20:17:42 svrvpn pluto[11639]: listening for IKE messages
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface eth1/eth1 10.254.0.200
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface eth0/eth0 10.254.254.200
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface lo/lo 127.0.0.1
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface lo/lo ::1
Mar 30 20:17:42 svrvpn pluto[11639]: loading secrets from "/etc/ipsec.secrets"
Mar 30 20:17:42 svrvpn pluto[11639]: loaded private key file '/etc/ipsec.d/private/gwKey.pem' (951 bytes)
Mar 30 20:17:46 svrvpn pluto[11639]: packet from 10.254.254.155:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 30 20:17:46 svrvpn pluto[11639]: packet from 10.254.254.155:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 30 20:17:46 svrvpn pluto[11639]: packet from 10.254.254.155:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Mar 30 20:17:47 svrvpn pluto[11639]: packet from 10.254.254.155:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: responding to Main Mode from unknown peer 10.254.254.155
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:17:48 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:48 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:48 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:17:50 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:50 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:50 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:17:54 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:54 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:54 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:18:02 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:18:02 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:18:02 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
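As an added illustration (not code from the poster or from Openswan): a small Python helper that pulls the peer DN out of pluto's "Main mode peer ID", "no suitable connection for peer" and INVALID_ID_INFORMATION messages and compares it attribute by attribute with the ID the gateway is configured to accept, treating the S= and ST= spellings of the state attribute as equal. The log lines inside are constructed in the shape of the ones quoted above, and the rightid values passed to check_peer_ids are assumptions for the demonstration.

```python
import re

# Constructed sample lines in the shape of the pluto messages quoted in the post above
SAMPLE_LOG = """\
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=eGusek'
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
"""

# Attribute-type aliases: some certificate tools print S= where Openswan prints ST=
ATTR_ALIASES = {"S": "ST", "STATEORPROVINCENAME": "ST", "E": "EMAILADDRESS"}
PEER_RE = re.compile(r"Main mode peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")
REJECT_RE = re.compile(r"no suitable connection for peer '(?P<dn>[^']+)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>\w+) to (?P<dst>\S+)")

def parse_dn(dn):
    """Split 'C=DE, ST=Saxony, ...' into ordered (type, value) pairs, normalising
    type aliases so that 'S=Saxony' and 'ST=Saxony' compare equal."""
    pairs = []
    for part in re.split(r",\s*", dn.strip()):
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        pairs.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return pairs

def dn_diff(dn_a, dn_b):
    """Return the (a, b) pairs that differ between two DNs; an empty list means they match."""
    pa, pb = parse_dn(dn_a), parse_dn(dn_b)
    width = max(len(pa), len(pb))
    pa += [None] * (width - len(pa))  # pad so a missing trailing attribute shows up as a diff
    pb += [None] * (width - len(pb))
    return [(x, y) for x, y in zip(pa, pb) if x != y]

def scan_log(text):
    """Summarise pluto ID handling: peer DNs seen, rejections per DN, notifications sent."""
    report = {"peer_ids": [], "rejected": {}, "notifications": {}}
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            report["peer_ids"].append(m["dn"])
        if m := REJECT_RE.search(line):
            report["rejected"][m["dn"]] = report["rejected"].get(m["dn"], 0) + 1
        if m := NOTIFY_RE.search(line):
            report["notifications"][m["notify"]] = report["notifications"].get(m["notify"], 0) + 1
    return report

def check_peer_ids(text, expected_rightid):
    """For every rejected peer DN, list how it differs from the rightid the gateway expects (assumed value)."""
    return {dn: dn_diff(dn, expected_rightid) for dn in scan_log(text)["rejected"]}
```

An empty diff only says the client presented the DN you expected; which connection pluto selects also depends on the rightid or rightca configured for it, which this helper does not model.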