Hello community,
I have a VPS at Hetzner and have installed a strongSwan IPsec IKEv2 server on it. From an Android device and a Windows 10 PC in Europe I can connect without any problems.
From the client in China, which is the one that is actually supposed to use it, this is not possible; Windows shows the error message: "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."
The syslog looks like this:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 09[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 09[NET] waiting for data on sockets
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkout IKE_SA by message
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] created IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500] (880 bytes)
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] looking for an ike config for 172.31.1.100...114.219.152.248
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] candidate: %any...%any, prio 28
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] found matching ike config: %any...%any with prio 28
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received Vid-Initial-Contact vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] 114.219.152.248 is initiating an IKE_SA
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] IKE_SA (unnamed)[50] state change: CREATED => CONNECTING
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] proposal matches
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_12_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] local host is behind NAT, sending keep alives
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] remote host is behind NAT
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] sending cert request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkin IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] check-in of IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] checkout IKE_SA
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] IKE_SA (unnamed)[50] successfully checked out
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[IKE] sending keep alive to 114.219.152.248[56667]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] checkin IKE_SA (unnamed)[50]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] check-in of IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] check-in of IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 09[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 09[NET] waiting for data on sockets
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkout IKE_SA by message
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] created IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500] (880 bytes)
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] looking for an ike config for 172.31.1.100...114.219.152.248
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] candidate: %any...%any, prio 28
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] found matching ike config: %any...%any with prio 28
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received Vid-Initial-Contact vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] 114.219.152.248 is initiating an IKE_SA
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] proposal matches
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_12_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] local host is behind NAT, sending keep alives
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] remote host is behind NAT
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] sending cert request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkin IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] check-in of IKE_SA successful.
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkout IKE_SA
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] IKE_SA (unnamed)[50] successfully checked out
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[IKE] IKE_SA (unnamed)[50] state change: CONNECTING => DESTROYING
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] check-in and destroy of IKE_SA successful
Oct 10 14:54:31 Ubuntu-1604-xenial-64-minimal charon: 04[MGR] checkout IKE_SA
Can I change something in the configuration so that it also works from China?
Many thanks, Oliver
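
One way to triage a charon log like the one in the post, added here as an example and not part of the original post: it follows which worker thread has which IKE_SA checked out and lists the SAs that sent an IKE_SA_INIT response but were deleted as half-open without an IKE_AUTH request ever being parsed. The sample log is constructed (shortened lines in the post's format, host name `vpn` made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format (host name "vpn" is made up).
SAMPLE_LOG = """\
Oct 10 14:53:51 vpn charon: 14[MGR] created IKE_SA (unnamed)[50]
Oct 10 14:53:51 vpn charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
Oct 10 14:53:51 vpn charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
Oct 10 14:53:51 vpn charon: 14[MGR] checkin IKE_SA (unnamed)[50]
Oct 10 14:54:16 vpn charon: 01[MGR] created IKE_SA (unnamed)[51]
Oct 10 14:54:16 vpn charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
Oct 10 14:54:16 vpn charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
Oct 10 14:54:16 vpn charon: 01[MGR] checkin IKE_SA (unnamed)[51]
Oct 10 14:54:21 vpn charon: 11[MGR] IKE_SA (unnamed)[50] successfully checked out
Oct 10 14:54:21 vpn charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:54:21 vpn charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")      # thread, log group, message
SA_ID = re.compile(r"IKE_SA \S+\[(\d+)\]")              # e.g. IKE_SA (unnamed)[50]
EXCHANGE = re.compile(r"(parsed|generating) (\w+) (request|response)")

def summarize(log):
    """Return {sa_id: [events]} by tracking which worker thread holds which IKE_SA."""
    held, events = {}, defaultdict(list)   # held: worker thread -> IKE_SA id
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        thread, group, msg = m.groups()
        sa = SA_ID.search(msg)
        if group == "MGR" and sa:
            if msg.startswith("checkin"):
                held.pop(thread, None)      # SA handed back to the manager
            else:
                held[thread] = sa.group(1)  # "created" or "successfully checked out"
            continue
        cur, ex = held.get(thread), EXCHANGE.search(msg)
        if cur and ex:
            direction = "rx" if ex.group(1) == "parsed" else "tx"
            events[cur].append(f"{direction} {ex.group(2)} {ex.group(3)}")
        elif cur and "deleting half open IKE_SA" in msg:
            events[cur].append("half-open timeout")
    return dict(events)

def stalled_after_init(log):
    """IKE_SA ids that sent an IKE_SA_INIT response, never saw IKE_AUTH, then timed out."""
    want = {"tx IKE_SA_INIT response", "half-open timeout"}
    return sorted(sa for sa, ev in summarize(log).items()
                  if want <= set(ev) and "rx IKE_AUTH request" not in ev)
```

On the sample, `stalled_after_init(SAMPLE_LOG)` reports SA 50; SA 51 is not listed because its half-open timeout has not been logged yet.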