Here is the config of the Cisco ASA GW-to-GW VPN connection:
--------------------------------------------------------------------------
names
name 10.100.0.0 xy-net
access-list filter-LTL-Schweiz remark Allow any ICMP Traffic
access-list filter-LTL-Schweiz extended permit icmp any any
access-list split-VPN-Schweiz-LTL standard permit xy-net 255.255.0.0
access-list l2l_schweiz extended permit ip 192.168.5.0 255.255.255.0 xy-net 255.255.0.0
mtu External 1500
group-policy Schweiz-LTL internal
group-policy Schweiz-LTL attributes
vpn-filter value filter-LTL-Schweiz
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-VPN-Schweiz-LTL
webvpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map External_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map External_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map External_map 100 match address l2l_schweiz
crypto map External_map 100 set peer 109.164.134.46
crypto map External_map 100 set transform-set ESP-3DES-SHA
crypto map External_map 100 set security-association lifetime seconds 28800
crypto map External_map 100 set security-association lifetime kilobytes 4608000
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
isakmp identity auto
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group 109.164.134.46 type ipsec-l2l
tunnel-group 109.164.134.46 general-attributes
default-group-policy Schweiz-LTL
tunnel-group 109.164.134.46 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
--------------------------------------------------------------------------
Here are my settings on the Zyxel USG 200
Phase 1 (menu item VPN/ IPSec VPN/ tab VPN Gateway)
VPN Name = XY
Gateway Settings/ My Address/ Interface = wan1 (DHCP client -- 109.164.134.46/255.255.255.128)
Note on this:
It is an IP address assigned via DHCP by Swisscom, but it has been the same for about a month now. Also: I have set up a DynDNS name as well, but I cannot find that name anywhere in the above configuration of the remote peer (configured on the Cisco ASA firewall).
Peer Gateway Address/ Primary 195.50.134.66
Secondary 0.0.0.0
Authentication = PreShared Key = SchlüsselXY
Phase 1 Settings/ SA LifeTime 28800
Negotiation Mode = Main
Proposal/ Encryption = 3DES Authentication = SHA1
Key Group = DH2
NAT Traversal = enabled
Phase 2 (menu item VPN/ IPSec VPN/ tab VPN Connections)
VPN Gateway/ Application Scenario = Site-to-Site
VPN Gateway = specified the GW that I defined in the VPN Gateway tab
Policy/ local Policy = SUBNET, 192.168.5.0/24
Remote Policy = SUBNET, 10.100.0.0/16
Phase 2 Setting/ SA Life Time = 86400
Active Protocol = ESP
Encapsulation = Tunnel
Proposal = Encryption 3DES / Authentication = SHA1, MD5, SHA256
Perfect Forward Secrecy (PFS) = DH2
Related Settings/ Zone = IPSec_VPN
With this configuration, the log shows the following when the connection is being established:
--------------------------------------------------------------------------
# Time Priority Category Message Source Source Interface Destination Destination Interface Protocol Note
1 2012-05-09 10:54:07 info IKE The cookie pair is : 0x1bf9b104824b3bfb / 0xd684ecc0e37cfa42 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
2 2012-05-09 10:54:06 info IKE The cookie pair is : 0xd684ecc0e37cfa42 / 0x1bf9b104824b3bfb [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
3 2012-05-09 10:54:06 info IKE The cookie pair is : 0x1bf9b104824b3bfb / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
4 2012-05-09 10:54:00 info IKE The cookie pair is : 0x3b2171c4ed26b39c / 0x6c179b97f814123b [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
5 2012-05-09 10:54:00 info IKE The cookie pair is : 0x6c179b97f814123b / 0x3b2171c4ed26b39c [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
6 2012-05-09 10:54:00 info IKE The cookie pair is : 0x3b2171c4ed26b39c / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
7 2012-05-09 10:53:58 info IKE ISAKMP SA [Hess_DE_GW] is disconnected [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
8 2012-05-09 10:53:58 info IKE Received delete notification [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
9 2012-05-09 10:53:58 info IKE Recv:[HASH][DEL] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
10 2012-05-09 10:53:58 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
11 2012-05-09 10:53:58 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
12 2012-05-09 10:53:58 info IKE Phase 1 IKE SA process done [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
13 2012-05-09 10:53:58 info IKE Recv:[ID][HASH][VID] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
14 2012-05-09 10:53:58 info IKE Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
15 2012-05-09 10:53:58 info IKE Recv:[KE][NONCE][VID][VID][VID][VID][PRV][PRV] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
16 2012-05-09 10:53:58 info IKE Send:[KE][NONCE][PRV][PRV] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
17 2012-05-09 10:53:58 info IKE The cookie pair is : 0x3d63d827f68aea86 / 0xd0491afdd1ada1d8 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
18 2012-05-09 10:53:57 info IKE Recv:[SA][VID][VID] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
19 2012-05-09 10:53:57 info IKE The cookie pair is : 0xd0491afdd1ada1d8 / 0x3d63d827f68aea86 [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
20 2012-05-09 10:53:57 info IKE Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
21 2012-05-09 10:53:57 info IKE Send Main Mode request to [195.50.134.66] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
22 2012-05-09 10:53:57 info IKE Tunnel [HessCH_zu_HessDE] Sending IKE request [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
23 2012-05-09 10:53:57 info IKE The cookie pair is : 0x3d63d827f68aea86 / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
25 2012-05-09 10:53:44 info IKE ISAKMP SA [Hess_DE_GW] is disconnected 109.164.134.46:500 195.50.134.66:500 IKE_LOG
26 2012-05-09 10:53:44 info IKE Received delete notification 195.50.134.66:500 109.164.134.46:500 IKE_LOG
27 2012-05-09 10:53:44 info IKE Recv:[HASH][DEL] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
28 2012-05-09 10:53:44 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
29 2012-05-09 10:53:44 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
30 2012-05-09 10:53:44 info IKE Phase 1 IKE SA process done 109.164.134.46:500 195.50.134.66:500 IKE_LOG
31 2012-05-09 10:53:44 info IKE Recv:[ID][HASH][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
32 2012-05-09 10:53:44 info IKE Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
33 2012-05-09 10:53:44 info IKE Recv:[KE][NONCE][VID][VID][VID][VID][PRV][PRV] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
34 2012-05-09 10:53:43 info IKE Send:[KE][NONCE][PRV][PRV] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
35 2012-05-09 10:53:43 info IKE The cookie pair is : 0xc9d5c43097adfd61 / 0x19093c6e36a860d7 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
36 2012-05-09 10:53:43 info IKE Recv:[SA][VID][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
37 2012-05-09 10:53:43 info IKE The cookie pair is : 0x19093c6e36a860d7 / 0xc9d5c43097adfd61 [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
38 2012-05-09 10:53:43 info IKE Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
39 2012-05-09 10:53:43 info IKE Send Main Mode request to [195.50.134.66] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
40 2012-05-09 10:53:43 info IKE Tunnel [HessCH_zu_HessDE] Sending IKE request 109.164.134.46:500 195.50.134.66:500 IKE_LOG
41 2012-05-09 10:53:43 info IKE The cookie pair is : 0xc9d5c43097adfd61 / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
--------------------------------------------------------------------------
The connection cannot be established; it runs into a timeout after 30 seconds.
Thanks a thousand times for your support :-)
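
Added example, not part of the original post: a small Python parser for the Zyxel IKE log format shown above. For each received NO_PROPOSAL_CHOSEN it reports whether the notify arrived before or after "Phase 1 IKE SA process done" (that is, which phase's proposal the peer rejected) and whether the rejected Quick Mode offer carried a KE payload, which IKEv1 sends only when PFS is requested. The function name and the choice of log rows are assumptions made for this example.

```python
import re

# Rows 27-31 of the Zyxel log from the post, newest entry first as exported.
SAMPLE_LOG = """\
27 2012-05-09 10:53:44 info IKE Recv:[HASH][DEL] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
28 2012-05-09 10:53:44 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
29 2012-05-09 10:53:44 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
30 2012-05-09 10:53:44 info IKE Phase 1 IKE SA process done 109.164.134.46:500 195.50.134.66:500 IKE_LOG
31 2012-05-09 10:53:44 info IKE Recv:[ID][HASH][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
"""

# "# date time priority IKE <message> [count=n] src:port dst:port IKE_LOG"
ROW = re.compile(r"^\d+ \S+ \S+ \w+ IKE (?P<msg>.+?)(?: \[count=\d+\])? "
                 r"\S+:\d+ \S+:\d+ IKE_LOG$")


def classify_attempts(log_text):
    """Return one dict per rejected negotiation, in chronological order."""
    msgs = [m.group("msg") for m in map(ROW.match, log_text.splitlines()) if m]
    msgs.reverse()  # the export lists the newest entry first
    results, phase1_done, offer = [], False, None
    for msg in msgs:
        if msg.startswith("Send Main Mode request"):
            phase1_done, offer = False, None   # a new attempt starts
        elif msg == "Phase 1 IKE SA process done":
            phase1_done = True
        elif msg.startswith("Send:") and "[SA]" in msg:
            offer = msg                        # most recent SA proposal we sent
        elif msg.startswith("Recv:") and "NO_PROPOSAL_CHOSEN" in msg:
            results.append({
                "rejected_phase": 2 if phase1_done else 1,
                # Quick Mode carries a KE payload only when PFS is requested.
                "pfs_offered": bool(phase1_done and offer and "[KE]" in offer),
                "offer": offer,
            })
    return results


if __name__ == "__main__":
    for attempt in classify_attempts(SAMPLE_LOG):
        print(attempt)
```

For the rows taken from the post this reports a Phase 2 rejection with PFS offered, so the settings to compare between the two gateways are the Phase 2 proposal, the PFS setting and the local/remote policy.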