Guten Abend zusammen,
ich versuche gerade in einem Test-Aufbau ein Android-Gerät per VPN mit dem Lancom 2100EF FW 10.92 zu verbinden, leider ohne Erfolg und ich sehe vor lauter Bäumen den Wald nicht und finde keine Konfig die funktioniert. Den Fehler "Could not match any proposal. See VPN-Debug trace for more information" habe ich gesehen, aber habe ich vorher noch etwas übersehen ? VPN-Debug liefert auch nicht mehr entworten, für einen kleinen Schubser in die richtige Richtung wäre ich sehr dankbar,
danke,
schönes Wochenende,
Grüße
ich versuche gerade in einem Test-Aufbau ein Android-Gerät per VPN mit dem Lancom 2100EF FW 10.92 zu verbinden, leider ohne Erfolg und ich sehe vor lauter Bäumen den Wald nicht und finde keine Konfig die funktioniert. Den Fehler "Could not match any proposal. See VPN-Debug trace for more information" habe ich gesehen, aber habe ich vorher noch etwas übersehen ? VPN-Debug liefert auch nicht mehr entworten, für einen kleinen Schubser in die richtige Richtung wäre ich sehr dankbar,
danke,
schönes Wochenende,
Grüße
Code:
[VPN-Debug] 2025/05/24 19:01:57,030 Devicetime: 2025/05/24 19:01:57,017Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 940 bytesGateways: 192.168.178.125:500<--192.168.178.79:53276SPIs: 0x91BFED4CD01206CB0000000000000000, Message-ID 0Payloads: SA, NONCE, KE, NOTIFY(DETECTION_SOURCE_IP), NOTIFY(DETECTION_DESTINATION_IP), NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), NOTIFY(SIGNATURE_HASH_ALGORITHMS)QUB-DATA: 192.168.178.125:500<---192.168.178.79:53276 rtg_tag 0 physical-channel WAN(1)transport: [id: 1559, UDP (17) {incoming unicast, fixed source address}, dst: 192.168.178.79, tag 0 (U), src: 192.168.178.125, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1500, iface: INET_1 (3), mac address: b0:cf:cb:fa:3f:57, port 0], local port: 500, remote port: 53276+No IKE_SA foundCounting consumed licenses by active channels... Consumed connected licenses : 0 Negotiating connections : 0 IKE negotiations : 0 MPPE connections : 0 LTA licenses : 0 Licenses in use : 0 < 25 +Passive connection request accepted (16 micro seconds)(IKEv2-Exchange 'DEFAULT', 'ISAKMP-PEER-DEFAULT' 0x91BFED4CD01206CBEA4EA6F683B81FFE00000000, P1, RESPONDER): Setting Negotiation SA Referencing (IKE_SA, 0x91BFED4CD01206CBEA4EA6F683B81FFE00000000, responder): use_count 3Looking for payload NOTIFY(SIGNATURE_HASH_ALGORITHMS) (41)...Found 1 payload. +Received signature hash algorithms: SHA1, SHA-256, SHA-384, SHA-512Looking for payload NOTIFY(DETECTION_SOURCE_IP) (41)...Found 1 payload. +Computing SHA1(0x91BFED4CD01206CB0000000000000000|192.168.178.79:53276) +Computing SHA1(0x91BFED4CD01206CB0000000000000000C0A8B24FD01C) +Computed: 0xF930A90B7BA8BEDA730C0C2C9BF66421855AA4FF +Received: 0xF930A90B7BA8BEDA730C0C2C9BF66421855AA4FF +Equal => NAT-T is disabledLooking for payload NOTIFY(DETECTION_DESTINATION_IP) (41)...Found 1 payload. +Computing SHA1(0x91BFED4CD01206CB0000000000000000|192.168.178.125:500) +Computing SHA1(0x91BFED4CD01206CB0000000000000000C0A8B27D01F4) +Computed: 0x618095B7322811C1AD3CDE58710A4F17E30BDA05 +Received: 0x618095B7322811C1AD3CDE58710A4F17E30BDA05 +Equal => NAT-T is disabledLooking for payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) (41)...Found 1 payload.Looking for payload IKE_SA (33)...Found 1 payload. +Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256 +Received ENCR transform(s): AES-CBC-256 AES-CBC-192 AES-CBC-128 +Best intersection: AES-CBC-256 +Config PRF transform(s): PRF-HMAC-SHA-256 +Received PRF transform(s): PRF-HMAC-SHA1 PRF-AES128-XCBC -No intersection +Config INTEG transform(s): HMAC-SHA-256 +Received INTEG transform(s): HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 AES-XCBC-96 +Best intersection: HMAC-SHA-256 +Config DH transform(s): 30 29 28 21 20 19 15 14 2 +Received DH transform(s): 16 15 14 +Best intersection: 15 -PRF transform is obligatory for IKE-Protocol -Skipping proposal 1 +Config ENCR transform(s): AES-GCM-16-256 AES-CBC-256 +Received ENCR transform(s): AES-GCM-16-256 AES-GCM-12 AES-GCM-8 AES-GCM-16-192 AES-GCM-12 AES-GCM-8 AES-GCM-16-128 AES-GCM-12 AES-GCM-8 +Best intersection: AES-GCM-16-256 +Config PRF transform(s): PRF-HMAC-SHA-256 +Received PRF transform(s): PRF-HMAC-SHA1 PRF-AES128-XCBC -No intersection +Config INTEG transform(s): HMAC-SHA-256 +Received INTEG transform(s): +Best intersection: ignored since ENCR-Transform is an authenticated cipher +Config DH transform(s): 30 29 28 21 20 19 15 14 2 +Received DH transform(s): 16 15 14 +Best intersection: 15 -PRF transform is obligatory for IKE-Protocol -Skipping proposal 2[VPN-Status] 2025/05/24 19:01:57,033 Devicetime: 2025/05/24 19:01:57,017Peer DEFAULT: Received an IKE_SA_INIT-REQUEST of 940 bytesGateways: 192.168.178.125:500<--192.168.178.79:53276SPIs: 0x91BFED4CD01206CB0000000000000000, Message-ID 0Peer identified: DEFAULTIKE_SA ('', '' IPSEC_IKE SPIs 0x91BFED4CD01206CBEA4EA6F683B81FFE) entered to SADBReceived 4 notifications: +NAT_DETECTION_SOURCE_IP(0xF930A90B7BA8BEDA730C0C2C9BF66421855AA4FF) (STATUS) +NAT_DETECTION_DESTINATION_IP(0x618095B7322811C1AD3CDE58710A4F17E30BDA05) (STATUS) +IKEV2_FRAGMENTATION_SUPPORTED (STATUS) +SIGNATURE_HASH_ALGORITHMS(0x0001000200030004) (STATUS)Peer (initiator) is not behind a NAT. NAT-T is disabledWe (responder) are not behind a NAT. NAT-T is disabled+IKE-SA: IKE-Proposal-1 (12 transforms) ENCR : AES-CBC-256 AES-CBC-192 AES-CBC-128 PRF : PRF-HMAC-SHA1 PRF-AES128-XCBC INTEG: HMAC-SHA-512 HMAC-SHA-384 HMAC-SHA-256 AES-XCBC-96 DH : 16 15 14 IKE-Proposal-2 (14 transforms) ENCR : AES-GCM-16-256 AES-GCM-12 AES-GCM-8 AES-GCM-16-192 AES-GCM-12 AES-GCM-8 AES-GCM-16-128 AES-GCM-12 AES-GCM-8 PRF : PRF-HMAC-SHA1 PRF-AES128-XCBC DH : 16 15 14-Could not match any proposal. See VPN-Debug trace for more information[VPN-IKE] 2025/05/24 19:01:57,033 Devicetime: 2025/05/24 19:01:57,017[DEFAULT] Sending packet:IKE 2.0 Header:Source/Port : 192.168.178.125:500Destination/Port : 192.168.178.79:53276Routing-tag : 0Com-channel : 0| Initiator cookie : 91 BF ED 4C D0 12 06 CB| Responder cookie : 00 00 00 00 00 00 00 00| Next Payload : NOTIFY| Version : 2.0| Exchange type : IKE_SA_INIT| Flags : 0x20 Response | Msg-ID : 0| Length : 36 BytesNOTIFY Payload| Next Payload : NONE| CRITICAL : NO| Reserved : 0x00| Length : 8 Bytes| Protocol ID : <Unknown 0>| SPI size : 0| Message type : NO_PROPOSAL_CHOSEN[VPN-Debug] 2025/05/24 19:01:57,092 Devicetime: 2025/05/24 19:01:57,017Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for send+(request, response) pair inserted into retransmission mapSending an IKE_SA_INIT-RESPONSE of 36 bytes (responder)Gateways: 192.168.178.125:500-->192.168.178.79:53276, tag 0 (UDP)SPIs: 0x91BFED4CD01206CB0000000000000000, Message-ID 0Payloads: NOTIFY(NO_PROPOSAL_CHOSEN[IKE_SA])[VPN-Status] 2025/05/24 19:01:57,092 Devicetime: 2025/05/24 19:01:57,017Peer DEFAULT: Constructing an IKE_SA_INIT-RESPONSE for sendNOTIFY(NO_PROPOSAL_CHOSEN)Sending an IKE_SA_INIT-RESPONSE of 36 bytes (responder)Gateways: 192.168.178.125:500-->192.168.178.79:53276, tag 0 (UDP)SPIs: 0x91BFED4CD01206CB0000000000000000, Message-ID 0[VPN-Debug] 2025/05/24 19:01:57,092 Devicetime: 2025/05/24 19:01:57,017IKE-TRANSPORT freed[VPN-Status] 2025/05/24 19:01:57,092 Devicetime: 2025/05/24 19:01:57,017IKE_SA ('', '' IPSEC_IKE SPIs 0x91BFED4CD01206CB0000000000000000) removed from SADBIKE_SA ('', '' IPSEC_IKE SPIs 0x91BFED4CD01206CB0000000000000000) freedStatistik: Verfasst von eagle1900 — Gestern, 19:08
