|
|
Besucher 1260502
Ansichten 2716
Online 0 |
|
|
OPENSWAN UND IPHONS'S RACOON
| |
| Thema |
Verfasser |
Letzte Antwort |
| OPENSWAN UND IPHONS'S RACOON |
chr ( ---.dip.t-dialin.net) |
10 Feb 2010 12:46 | Hallo , schon seit ein paar Tagen kämpfe ich mit dem Iphone. Teilweise hatte ich auch schon erfolge, aber leider scheitert es nun am VPN on Demand des Iphones ... Leider kann sich das teil nicht den Xauth Namen merken ..... Ansonsten würde es funktionieren. Somit habe ich auf dem Iphone die Xauth Funktion deaktiviert. Das Problem ist nun folgenden.
cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===217.5.x00.xx<217.5.xx.6x>[@vpntestdns.ath.cx,MS+S=C]...79.211.112.103[C=DE, ST=NRW, L=DDORF, O=GRUPPE, OU=FIRMA, CN=IPHONE1, E=info@certblabla.de,MS+MC+S=C]===192.168.244.3/32
Problem. Das Iphone akzeptiert leider als Remote Identity nicht das Subject des Zertifikates sondern besteht auf den FQDN ...
Da kam ich irgendwann auf die Idee die leftid=@vpntestdns.ath.cx anzugeben. Der Tunnel kommt zu Stande, es gehen keine Pakete über den Tunnel.....
nur bei jedem Ping diese Meldung:
cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===217.5.x00.xx<217.5.xx.6x>[@vpntestdns.ath.cx,MS+S=C]...79
Bist jetzt habe diese Fehlermeldung immer mit einer Korrektur von leftsubnet oder rightsubnet in den Griff bekommen, aber leider nicht mit der FDQN Variante.
Hier meine Aktuelle Konfiguration:
version 2
config setup
protostack=klips
nat_traversal=yes
klipsdebug=tunnel
plutodebug=none
# nhelpers=0
virtual_private=%v4:192.168.245.0/24,%v4:0.0.0.0/0
conn %default
esp=3des
ike=3des
left=%defaultroute
leftnexthop=%defaultroute
authby=rsasig
leftcert=server.pem
leftsubnet=0.0.0.0/0
keyingtries=0
ikelifetime=2h
keylife=8h
type=tunnel
conn IPHONE1
right=%any
left=217.5.xxx.xxx
#leftxauthserver=yes
leftmodecfgserver=yes
#rightxauthclient=yes
leftsubnet=0.0.0.0/0
leftid="@vpntestdns.ath.cx"
rightmodecfgserver=yes
rightid="C=DE, ST=NRW, L=DDORF, O=L, OU=XXXX, CN=XXXX, E=info@xxxde"
rightnexthop=%defaultroute
rightsubnet=192.168.99.1/32 #IPHONE1 ADRESSE
rightmodecfgclient=yes
modecfgpull=yes
pfs=no
auto=add
Sobald ich XAUTH einschalte und die leftid weg nehme funktioniert der Tunnel einwandfrei.
Wo liegt mein Fehler ?
|
| ||
| RE: OPENSWAN UND IPHONS'S RACOON | Ralf ( ---.versanet.de) | 26 Jan 2010 20:35 |
Ich habe kein iPhone, daher kann ich nicht viel dazu sagen, aber hast Du mal die genauere Fehlermeldung, wenn Du XAuth abschaltest? Da hast Du nur die Hälfte angegeben. Außerdem wäre es hilfreich, die Daten des erfolgreich aufgebauten Tunnels zu sehen.
Gruß,
Ralf
| | RE: OPENSWAN UND IPHONS'S RACOON | chr ( ---.214.71.218) | 9 Feb 2010 17:21 |
Hier ein Auszug der Logdatei:
Feb 9 18:15:19 fwbest pluto[4956]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1
Feb 9 18:15:19 fwbest pluto[4956]: | event added after event EVENT_PENDING_PHASE2
Feb 9 18:15:19 fwbest pluto[4956]: "IPHONE1"[1] 62.214.71.219 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
Feb 9 18:15:19 fwbest pluto[4956]: | modecfg pull: noquirk policy ull not-client
Feb 9 18:15:19 fwbest pluto[4956]: | phase 1 is done, looking for phase 2 to unpend
Feb 9 18:15:19 fwbest pluto[4956]: | * processed 0 messages from cryptographic helpers
Feb 9 18:15:19 fwbest pluto[4956]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Feb 9 18:15:19 fwbest pluto[4956]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Feb 9 18:15:19 fwbest pluto[4956]: |
Feb 9 18:15:19 fwbest pluto[4956]: | *received 92 bytes from 62.214.71.219:4500 on eth1 (port=4500)
Feb 9 18:15:19 fwbest pluto[4956]: | 1e b5 97 12 29 11 d1 bb 64 58 f5 dd e8 6f aa 73
Feb 9 18:15:19 fwbest pluto[4956]: | 08 10 05 01 b8 16 fa b4 00 00 00 5c 98 f3 cb f6
Feb 9 18:15:19 fwbest pluto[4956]: | 8d 08 89 4b 35 0e 91 fa 59 d0 96 ed 83 ca f5 d2
Feb 9 18:15:19 fwbest pluto[4956]: | 6f 24 94 9e 22 f8 7f d2 ea bb 55 ab 0f fb cd cf
Feb 9 18:15:19 fwbest pluto[4956]: | 17 42 2c 19 21 88 d2 4f 92 c1 5d da dc 40 f7 5b
Feb 9 18:15:19 fwbest pluto[4956]: | 94 36 a0 79 ea 43 ce bb 88 a4 d6 cd
Feb 9 18:15:19 fwbest pluto[4956]: | **parse ISAKMP Message:
Feb 9 18:15:19 fwbest pluto[4956]: | initiator cookie:
Feb 9 18:15:19 fwbest pluto[4956]: | 1e b5 97 12 29 11 d1 bb
Feb 9 18:15:19 fwbest pluto[4956]: | responder cookie:
Feb 9 18:15:19 fwbest pluto[4956]: | 64 58 f5 dd e8 6f aa 73
Feb 9 18:15:19 fwbest pluto[4956]: | next payload type: ISAKMP_NEXT_HASH
Feb 9 18:15:19 fwbest pluto[4956]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
Feb 9 18:15:19 fwbest pluto[4956]: | exchange type: ISAKMP_XCHG_INFO
Feb 9 18:15:19 fwbest pluto[4956]: | flags: ISAKMP_FLAG_ENCRYPTION
Feb 9 18:15:19 fwbest pluto[4956]: | message ID: b8 16 fa b4
Feb 9 18:15:19 fwbest pluto[4956]: | length: 92
Feb 9 18:15:19 fwbest pluto[4956]: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
Feb 9 18:15:19 fwbest pluto[4956]: | ICOOKIE: 1e b5 97 12 29 11 d1 bb
Feb 9 18:15:19 fwbest pluto[4956]: | RCOOKIE: 64 58 f5 dd e8 6f aa 73
Feb 9 18:15:19 fwbest pluto[4956]: | state hash entry 0
Feb 9 18:15:19 fwbest pluto[4956]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000
Feb 9 18:15:19 fwbest pluto[4956]: | p15 state object #1 found, in STATE_MAIN_R3
Feb 9 18:15:19 fwbest pluto[4956]: | processing connection IPHONE1[1] 62.214.71.219
Feb 9 18:15:19 fwbest pluto[4956]: | last Phase 1 IV: 78 d6 0e ed 72 2f b8 8b 17 0a bd c4 4d 97 c8 9e
Feb 9 18:15:19 fwbest pluto[4956]: | current Phase 1 IV: 78 d6 0e ed 72 2f b8 8b 17 0a bd c4 4d 97 c8 9e
Feb 9 18:15:19 fwbest pluto[4956]: | computed Phase 2 IV:
Feb 9 18:15:19 fwbest pluto[4956]: | 45 4d fd f6 78 32 02 1c af 30 7f be c2 1b fd 94
Feb 9 18:15:19 fwbest pluto[4956]: | 6f 1e 29 b4
Feb 9 18:15:19 fwbest pluto[4956]: | received encrypted packet from 62.214.71.219:4500
Feb 9 18:15:19 fwbest pluto[4956]: | decrypting 64 bytes using algorithm OAKLEY_AES_CBC
Feb 9 18:15:19 fwbest pluto[4956]: | decrypted:
Feb 9 18:15:19 fwbest pluto[4956]: | 0b 00 00 18 29 f4 f0 15 28 d7 d7 09 1e 63 71 7a
Feb 9 18:15:19 fwbest pluto[4956]: | ea 3a 21 e1 e1 04 75 b5 00 00 00 1c 00 00 00 01
Feb 9 18:15:19 fwbest pluto[4956]: | 01 10 60 02 1e b5 97 12 29 11 d1 bb 64 58 f5 dd
Feb 9 18:15:19 fwbest pluto[4956]: | e8 6f aa 73 00 00 00 00 00 00 00 00 00 00 00 0c
Feb 9 18:15:19 fwbest pluto[4956]: | next IV: dc 40 f7 5b 94 36 a0 79 ea 43 ce bb 88 a4 d6 cd
Feb 9 18:15:19 fwbest pluto[4956]: | got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
Feb 9 18:15:19 fwbest pluto[4956]: | ***parse ISAKMP Hash Payload:
Feb 9 18:15:19 fwbest pluto[4956]: | next payload type: ISAKMP_NEXT_N
Feb 9 18:15:19 fwbest pluto[4956]: | length: 24
Feb 9 18:15:19 fwbest pluto[4956]: | got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
Feb 9 18:15:19 fwbest pluto[4956]: | ***parse ISAKMP Notification Payload:
Feb 9 18:15:19 fwbest pluto[4956]: | next payload type: ISAKMP_NEXT_NONE
Auf dem Iphone selber habe ich leider keine Möglichkeit in die Logdateien zu schauen
Irgendwie scheint er in der Phase 2 zu scheitern. | | RE: OPENSWAN UND IPHONS'S RACOON | chr ( ---.214.71.218) | 10 Feb 2010 12:46 |
Nach weiteren versuchen konnte ich die Logdatei auf dem Iphone finden. Folgendes teilt racoon mit.
2010-02-10 13:40:02: [139] INFO: ISAKMP-SA established 192.168.23.3[4500]-62.214.71.218[4500] spi:8e0055c3679851e4:9def5919ae928685
2010-02-10 13:40:02: [139] DEBUG: ===
2010-02-10 13:40:02: [139] DEBUG: sending vpn_control phase change status
2010-02-10 13:40:30: [139] DEBUG: received disconnect command on vpn control socket.
2010-02-10 13:40:30: [139] DEBUG: compute IV for phase2
2010-02-10 13:40:30: [139] DEBUG: phase1 last IV:
2010-02-10 13:40:30: [139] DEBUG:
93bd2d52 ebd29cae 9207d307
2010-02-10 13:40:30: [139] DEBUG: hash(sha1)
2010-02-10 13:40:30: [139] DEBUG: encryption(3des)
2010-02-10 13:40:30: [139] DEBUG: phase2 IV computed:
2010-02-10 13:40:30: [139] DEBUG:
c81932cd 4e1c3ac8
2010-02-10 13:40:30: [139] DEBUG: HASH with:
2010-02-10 13:40:30: [139] DEBUG:
9207d307 0000001c 00000001 01100001 8e0055c3 679851e4 9def5919 ae928685
2010-02-10 13:40:30: [139] DEBUG: hmac(hmac_sha1)
2010-02-10 13:40:30: [139] DEBUG: HASH computed:
2010-02-10 13:40:30: [139] DEBUG:
83e0c21b 1c9bafaf 47b6a133 4dddebb1 14e7b9fb
2010-02-10 13:40:30: [139] DEBUG: begin encryption.
2010-02-10 13:40:30: [139] DEBUG: encryption(3des)
2010-02-10 13:40:30: [139] DEBUG: pad length = 4
2010-02-10 13:40:30: [139] DEBUG:
0c000018 83e0c21b 1c9bafaf 47b6a133 4dddebb1 14e7b9fb 0000001c 00000001
01100001 8e0055c3 679851e4 9def5919 ae928685 00000004
2010-02-10 13:40:30: [139] DEBUG: encryption(3des)
2010-02-10 13:40:30: [139] DEBUG: with key:
2010-02-10 13:40:30: [139] DEBUG:
8cd7a31e 23c6fad5 8167448a fb8f60e8 0086898c bda643db
2010-02-10 13:40:30: [139] DEBUG: encrypted payload by IV:
2010-02-10 13:40:30: [139] DEBUG:
c81932cd 4e1c3ac8
2010-02-10 13:40:30: [139] DEBUG: save IV for next:
2010-02-10 13:40:30: [139] DEBUG:
56079df5 649be61f
2010-02-10 13:40:30: [139] DEBUG: encrypted.
2010-02-10 13:40:30: [139] DEBUG: Adding NON-ESP marker
2010-02-10 13:40:30: [139] DEBUG: 88 bytes from 192.168.23.3[4500] to 62.214.71.218[4500]
2010-02-10 13:40:30: [139] DEBUG: sockname 192.168.23.3[4500]
2010-02-10 13:40:30: [139] DEBUG: send packet from 192.168.23.3[4500]
2010-02-10 13:40:30: [139] DEBUG: send packet to 62.214.71.218[4500]
2010-02-10 13:40:30: [139] DEBUG: 1 times of 88 bytes message will be sent to 62.214.71.218[4500]
2010-02-10 13:40:30: [139] DEBUG:
00000000 8e0055c3 679851e4 9def5919 ae928685 08100501 9207d307 00000054
0a73548a dfce85a5 53c37656 43af9dbf 37f95d67 b7641cc2 0aaf1db4 26ffe209
1d8a098b 1aa5ba91 e01ddf9a 4bf50938 56079df5 649be61f
2010-02-10 13:40:30: [139] DEBUG: sendto Information delete.
2010-02-10 13:40:30: [139] DEBUG: unbindph12.
2010-02-10 13:40:30: [139] DEBUG: IV freed
2010-02-10 13:40:30: [139] INFO: purging ISAKMP-SA spi=8e0055c3679851e4:9def5919ae928685.
2010-02-10 13:40:30: [139] DEBUG2: no ph1bind replacement found. NULL ph1.
2010-02-10 13:40:30: [139] DEBUG: call pfkey_send_dump
2010-02-10 13:40:30: [139] INFO: purged ISAKMP-SA spi=8e0055c3679851e4:9def5919ae928685.
2010-02-10 13:40:30: [139] INFO: caught signal 13
2010-02-10 13:40:30: [139] DEBUG: vpn_control socket closed by peer.
2010-02-10 13:40:30: [139] DEBUG: vpncontrol_close_comm.
2010-02-10 13:40:30: [139] DEBUG: ===
2010-02-10 13:40:30: [139] DEBUG: 84 bytes message received from 62.214.71.218[4500] to 192.168.23.3[4500]
2010-02-10 13:40:30: [139] DEBUG:
8e0055c3 679851e4 9def5919 ae928685 08100501 edbeda72 00000054 6a9442a5
a18335e8 46051a56 fec07fb0 02b1fdb8 156ab0ea 3c2766e6 bd425381 b250e0e9
8250c774 4d434c58 a6888148 92cf811e 1a468d82
2010-02-10 13:40:30: [139] ERROR: unknown Informational exchange received.
2010-02-10 13:40:31: [139] INFO: ISAKMP-SA deleted 192.168.23.3[4500]-62.214.71.218[4500] spi:8e0055c3679851e4:9def5919ae928685
2010-02-10 13:40:31: [139] DEBUG: IV freed
2010-02-10 13:40:31: [139] DEBUG: Freeing IKE-Session to 62.214.71.218[4500].
2010-02-10 13:40:33: [139] DEBUG: performing auto exit
2010-02-10 13:40:33: [139] DEBUG: get pfkey FLUSH message
2010-02-10 13:40:33: [139] DEBUG2:
02090000 02000000 00000000 8b000000
2010-02-10 13:40:33: [139] DEBUG2: flushing all ph2 handlers...
2010-02-10 13:40:34: [139] DEBUG: call pfkey_send_dump
2010-02-10 13:40:34: [139] DEBUG: vpncontrol_close.
2010-02-10 13:40:34: [139] INFO: racoon shutdown
--------------------LOG OPENSWAN-----------------
Feb 10 13:39:40 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, L=xx, O=xx, OU=xx, CN=IPHONE1, E=info@xx.de'
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: no crl from issuer "C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=xx.dyndns.org, E=info@xx.de" found (strict=no)
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: I am sending my cert
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: new NAT mapping for #3, was 62.214.71.219:500, now 62.214.71.219:4500
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Feb 10 13:39:41 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: received and ignored informational message
Feb 10 13:40:10 fwbest pluto[10823]: "IPHONE1"[1] 62.214.71.219 #3: received Delete SA payload: deleting ISAKMP State #3
Feb 10 13:40:10 fwbest pluto[10823]: packet from 62.214.71.219:4500: received and ignored informational message
vielleicht hat ja jemand eine Idee
Grüße
Christian |
[ Zurück ] Um ein neues Thema hinzu zu fügen müssen sie eingeloggt sein.
|
|
|
|
Welche Distribution verwenden Sie?
| |
|
|
|
17 Oct 2008: