Hello everyone,
I am having trouble getting a stable tunnel up between a ZyWALL USG 100 and an Endian Firewall. The tunnel does come up, but it drops again after a short time.
Both sites have a static IP. Other VPN tunnels also terminate on the USG, and those run without problems.
Many thanks in advance.
Code
Oct 6 10:07:58 firewall ipsec: 14[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V ]
Oct 6 10:07:58 firewall ipsec: 14[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Oct 6 10:07:58 firewall ipsec: 14[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
Oct 6 10:07:58 firewall ipsec: 14[IKE] received DPD vendor ID
Oct 6 10:07:58 firewall ipsec: 14[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
Oct 6 10:07:58 firewall ipsec: 14[IKE] xxx.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
Oct 6 10:07:58 firewall ipsec: 14[CFG] looking for pre-shared key peer configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[unitymedia.xxxxx.de]
Oct 6 10:07:58 firewall ipsec: 14[CFG] selected peer config "xxxxxx"
Oct 6 10:07:58 firewall ipsec: 14[ENC] generating AGGRESSIVE response 0 [ SA KE No ID HASH V V V ]
Oct 6 10:07:58 firewall ipsec: 14[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (362 bytes)
Oct 6 10:07:59 firewall ipsec: 07[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (60 bytes)
Oct 6 10:07:59 firewall ipsec: 07[ENC] parsed AGGRESSIVE request 0 [ HASH ]
Oct 6 10:07:59 firewall ipsec: 07[IKE] IKE_SA Greven[2] established between yyy.yyy.yyy.yyy[vpngateway1.mfd-net.de]...xxx.xxx.xxx.xxx[unitymedia.xxxxx.de]
Oct 6 10:07:59 firewall ipsec: 07[IKE] scheduling reauthentication in 28003s
Oct 6 10:07:59 firewall ipsec: 07[IKE] maximum IKE_SA lifetime 28543s
Oct 6 10:07:59 firewall ipsec: 07[ENC] generating TRANSACTION request 921712804 [ HASH CPRQ(ADDR DNS) ]
Oct 6 10:07:59 firewall ipsec: 07[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:07:59 firewall ipsec: 12[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (332 bytes)
Oct 6 10:07:59 firewall ipsec: 12[ENC] parsed QUICK_MODE request 2218174952 [ HASH SA No KE ID ID ]
Oct 6 10:07:59 firewall ipsec: 12[ENC] generating QUICK_MODE response 2218174952 [ HASH SA No KE ID ID ]
Oct 6 10:07:59 firewall ipsec: 12[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (316 bytes)
Oct 6 10:07:59 firewall ipsec: 16[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (60 bytes)
Oct 6 10:07:59 firewall ipsec: 16[ENC] payload of type CONFIGURATION_V1 not occurred 1 times (0)
Oct 6 10:07:59 firewall ipsec: 16[IKE] message verification failed
Oct 6 10:07:59 firewall ipsec: 16[ENC] generating INFORMATIONAL_V1 request 742085961 [ HASH N(PLD_MAL) ]
Oct 6 10:07:59 firewall ipsec: 16[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:07:59 firewall ipsec: 16[IKE] TRANSACTION response with message ID 921712804 processing failed
Oct 6 10:08:00 firewall ipsec: 15[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (60 bytes)
Oct 6 10:08:00 firewall ipsec: 15[ENC] parsed QUICK_MODE request 2218174952 [ HASH ]
Oct 6 10:08:00 firewall ipsec: 15[KNL] unable to install source route for 192.168.21.254
Oct 6 10:08:00 firewall ipsec: 15[IKE] CHILD_SA Greven{1} established with SPIs c8cf1e57_i b16e44da_o and TS 192.168.20.0/22 === 192.168.10.0/24
Oct 6 10:08:03 firewall ipsec: 16[IKE] sending retransmit 1 of request message ID 921712804, seq 1
Oct 6 10:08:03 firewall ipsec: 16[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:08:10 firewall ipsec: 12[IKE] sending retransmit 2 of request message ID 921712804, seq 1
Oct 6 10:08:10 firewall ipsec: 12[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:08:23 firewall ipsec: 09[IKE] sending retransmit 3 of request message ID 921712804, seq 1
Oct 6 10:08:23 firewall ipsec: 09[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:08:46 firewall ipsec: 07[IKE] sending retransmit 4 of request message ID 921712804, seq 1
Oct 6 10:08:46 firewall ipsec: 07[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:09:28 firewall ipsec: 16[IKE] sending retransmit 5 of request message ID 921712804, seq 1
Oct 6 10:09:28 firewall ipsec: 16[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Oct 6 10:10:44 firewall ipsec: 10[IKE] giving up after 5 retransmits
Here is the config of the Endian:
Code
config setup
cachecrls=yes
uniqueids=yes
charondebug="ike 4"
conn %default
keyingtries=%forever
conn Greven
left=xxx.xxx.xxx.xxx
leftnexthop=yyy.yyy.yyy.yyy
leftsubnet=192.168.20.0/22
leftsourceip=192.168.20.254
right=yyy.yyy.yyy.yyy
rightsubnet=192.168.10.0/24
leftauth=psk
rightauth=psk
leftid="@vpngateway1.xxxxxx.de"
rightid="@unitymedia.xxxxxxx.de"
ikelifetime=28800s
#ikelifetime=24h
keylife=3600s
ike=aes256-sha1-modp1024,aes256-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
esp=aes256-sha1-modp1024,aes256-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
auto=start
keyexchange=ikev1
keyingtries=0
compress=no
aggressive=yes
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
Here is the config of the USG:
Code
isakmp policy vpngateway1
activate
local-ip interface wan2
peer-ip xxx.xxx.xxx.xxx 0.0.0.0
authentication pre-share
encrypted-keystring <password-string>
local-id type fqdn unitymedia.xxxxxxx.de
peer-id type any
fall-back-check-interval 300
lifetime 86400
mode aggressive
group2
no natt
transform-set aes256-sha 3des-md5
xauth type server default deactivate
no dpd
!
crypto map DMZ
adjust-mss auto
activate
ipsec-isakmp vpngateway1
scenario site-to-site-static
encapsulation tunnel
transform-set esp-3des-md5 esp-aes256-sha
set security-association lifetime seconds 3600
set pfs group2
local-policy LAN1_SUBNET
remote-policy LAN_xxxxxxx_DMZ
no conn-check activate
!
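Reading the log in the post: the IKE_SA and the CHILD_SA both come up, but the TRANSACTION request 921712804 [ HASH CPRQ(ADDR DNS) ], the IKEv1 mode-config request charon sends for the leftsourceip setting in the Endian conn, gets a 60-byte reply without a CONFIGURATION_V1 payload, fails verification, is retransmitted five times and charon then gives up, which fits a tunnel that drops shortly after establishing. The Python below is an added example, not code from the post or from Endian/strongSwan; it correlates charon's IKEv1 log lines by message ID to name the request that was never answered validly, assumes the stock charon log format seen above, and uses abridged lines copied from the post as its input.

```python
import re

# Abridged charon (strongSwan) log lines copied from the post; peer addresses are masked as in the original.
SAMPLE_LOG = """\
Oct 6 10:07:59 firewall ipsec: 07[IKE] IKE_SA Greven[2] established between yyy.yyy.yyy.yyy[vpngateway1.mfd-net.de]...xxx.xxx.xxx.xxx[unitymedia.xxxxx.de]
Oct 6 10:07:59 firewall ipsec: 07[ENC] generating TRANSACTION request 921712804 [ HASH CPRQ(ADDR DNS) ]
Oct 6 10:07:59 firewall ipsec: 16[ENC] payload of type CONFIGURATION_V1 not occurred 1 times (0)
Oct 6 10:07:59 firewall ipsec: 16[IKE] message verification failed
Oct 6 10:07:59 firewall ipsec: 16[IKE] TRANSACTION response with message ID 921712804 processing failed
Oct 6 10:08:00 firewall ipsec: 15[IKE] CHILD_SA Greven{1} established with SPIs c8cf1e57_i b16e44da_o and TS 192.168.20.0/22 === 192.168.10.0/24
Oct 6 10:09:28 firewall ipsec: 16[IKE] sending retransmit 5 of request message ID 921712804, seq 1
Oct 6 10:10:44 firewall ipsec: 10[IKE] giving up after 5 retransmits
"""

RE_REQUEST = re.compile(r"generating (\w+) request (\d+) \[ (.*?) \]")
RE_RETRANSMIT = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
RE_FAILED = re.compile(r"(\w+) response with message ID (\d+) processing failed")
RE_GIVEUP = re.compile(r"giving up after (\d+) retransmits")
RE_ESTABLISHED = re.compile(r"(IKE_SA|CHILD_SA) (\S+) established")

def _entry(requests, msg_id):  # request record, created lazily if the "generating" line was not captured
    return requests.setdefault(msg_id, {"exchange": "?", "payloads": "", "retransmits": 0, "failed": False})

def analyze(log_text):
    """Correlate each IKEv1 request by message ID with its failed replies and retransmits."""
    requests, established, gave_up, last_retransmitted = {}, [], None, None
    for line in log_text.splitlines():
        if m := RE_REQUEST.search(line):
            requests[m[2]] = {"exchange": m[1], "payloads": m[3], "retransmits": 0, "failed": False}
        elif m := RE_RETRANSMIT.search(line):
            last_retransmitted = m[2]
            _entry(requests, m[2])["retransmits"] = int(m[1])
        elif m := RE_FAILED.search(line):
            _entry(requests, m[2])["failed"] = True  # reply arrived but did not pass verification
        elif RE_GIVEUP.search(line):
            gave_up = last_retransmitted  # "giving up" names no message ID; attribute it to the request last retransmitted
        elif m := RE_ESTABLISHED.search(line):
            established.append(f"{m[1]} {m[2]}")
    return {"requests": requests, "established": established, "gave_up": gave_up}

def diagnose(summary):
    """Name the request whose unanswered retransmits made charon give up, if any."""
    msg_id = summary["gave_up"]
    if msg_id is None:
        return "no retransmit give-up seen"
    req = summary["requests"][msg_id]
    return (f"{req['exchange']} request {msg_id} [{req['payloads']}] retransmitted {req['retransmits']}x "
            f"without a valid reply (response failed verification: {req['failed']}); charon gave up")
```

Running `diagnose(analyze(SAMPLE_LOG))` points at the mode-config exchange rather than at the SA negotiation, which both sides completed.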