So - I've now tried a lot of things and it still doesn't work properly...
a) I overwrote cvpnd with the file from the install package
b) I added UseLegacyIKEPort=0 to the config file
After a lot of back and forth the client now starts, connects, and I can also disconnect, but:
a) I send packets but receive nothing (the moment I disconnect the client, the pages open without any problem)
b) the secured routes only show 0.0.0.0
The firewall is switched off (at first I had only opened the ports (UDP 500, 4500) and then switched it off completely), and the router's firewall is off too
so that can't be the cause
The logs show that keepalives are being sent diligently
Here is my log - the connection is still up, so the disconnect had not yet been carried out at the time of this log
Cisco Systems VPN Client Version 4.6.03 (0160)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 8.1.0 Darwin Kernel Version 8.1.0: Tue May 10 18:16:08 PDT 2005; root:xnu-792.1.5.obj~4/RELEASE_PPC Power Macintosh
564 10:48:57.564 05/22/2005 Sev=Info/4 CM/0x43100002
Begin connection process
565 10:48:57.568 05/22/2005 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet
566 10:48:57.568 05/22/2005 Sev=Info/4 CM/0x43100024
Attempt connection with server "vpn.fu-berlin.de"
567 10:48:58.144 05/22/2005 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
568 10:48:58.145 05/22/2005 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
569 10:48:58.145 05/22/2005 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with 160.45.252.202.
570 10:48:58.938 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 160.45.252.202
571 10:48:58.942 05/22/2005 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started
572 10:48:58.942 05/22/2005 Sev=Info/4 IPSEC/0x43700014
Deleted all keys
573 10:48:59.423 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
574 10:48:59.423 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (FRAG) from 160.45.252.202
575 10:48:59.425 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
576 10:48:59.425 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (FRAG) from 160.45.252.202
577 10:48:59.427 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
578 10:48:59.428 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (FRAG) from 160.45.252.202
579 10:48:59.430 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
580 10:48:59.430 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (FRAG) from 160.45.252.202
581 10:48:59.430 05/22/2005 Sev=Info/5 IKE/0x43000073
All fragments received.
582 10:48:59.430 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, CERT, SIG, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 160.45.252.202
583 10:48:59.485 05/22/2005 Sev=Info/4 CERT/0x43600013
Cert (cn=vpn.fu-berlin.de,ou=ZEDAT,o=Freie Universitaet Berlin,l=Berlin,st=Berlin,c=DE) verification succeeded.
584 10:48:59.485 05/22/2005 Sev=Info/5 IKE/0x43000001
Peer is a Cisco-Unity compliant peer
585 10:48:59.485 05/22/2005 Sev=Info/5 IKE/0x43000001
Peer supports XAUTH
586 10:48:59.485 05/22/2005 Sev=Info/5 IKE/0x43000001
Peer supports DPD
587 10:48:59.486 05/22/2005 Sev=Info/5 IKE/0x43000001
Peer supports NAT-T
588 10:48:59.487 05/22/2005 Sev=Info/5 IKE/0x43000001
Peer supports IKE fragmentation payloads
589 10:48:59.487 05/22/2005 Sev=Info/5 IKE/0x43000001
Peer supports DWR Code and DWR Text
590 10:49:00.167 05/22/2005 Sev=Info/6 IKE/0x43000001
IOS Vendor ID Contruction successful
591 10:49:00.168 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NOTIFY:PRESHARED_KEY_HASH, NAT-D, NAT-D, VID(?), VID(Unity)) to 160.45.252.202
592 10:49:00.169 05/22/2005 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA
593 10:49:00.170 05/22/2005 Sev=Info/4 IKE/0x43000083
IKE Port in use - Local Port = 0xC17E, Remote Port = 0x1194
594 10:49:00.170 05/22/2005 Sev=Info/5 IKE/0x43000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
595 10:49:00.170 05/22/2005 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
596 10:49:00.239 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
597 10:49:00.239 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 160.45.252.202
598 10:49:00.240 05/22/2005 Sev=Info/4 CM/0x43100015
Launch xAuth application
599 10:49:00.346 05/22/2005 Sev=Info/4 CM/0x43100017
xAuth application returned
600 10:49:00.346 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 160.45.252.202
601 10:49:00.710 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
602 10:49:00.711 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 160.45.252.202
603 10:49:00.711 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 160.45.252.202
604 10:49:00.712 05/22/2005 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
605 10:49:00.715 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 160.45.252.202
606 10:49:00.796 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
607 10:49:00.796 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 160.45.252.202
608 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 130.133.218.80
609 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 160.45.8.8
610 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 160.45.10.12
611 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
612 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
613 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.6.Rel built by vmurphy on Aug 23 2004 19:21:58
614 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
615 10:49:00.798 05/22/2005 Sev=Info/4 CM/0x43100019
Mode Config data received
616 10:49:00.808 05/22/2005 Sev=Info/4 IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.2.101, GW IP = 160.45.252.202, Remote IP = 0.0.0.0
617 10:49:00.810 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 160.45.252.202
618 10:49:00.915 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
619 10:49:00.916 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 160.45.252.202
620 10:49:00.916 05/22/2005 Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 86400 seconds
621 10:49:00.916 05/22/2005 Sev=Info/5 IKE/0x43000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
622 10:49:00.917 05/22/2005 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 160.45.252.202
623 10:49:00.917 05/22/2005 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 160.45.252.202
624 10:49:00.918 05/22/2005 Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 28800 seconds
625 10:49:00.918 05/22/2005 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH) to 160.45.252.202
626 10:49:00.918 05/22/2005 Sev=Info/5 IKE/0x43000059
Loading IPsec SA (MsgID=ABBCC916 OUTBOUND SPI = 0x5EDA9509 INBOUND SPI = 0xFEEEDE39)
627 10:49:00.920 05/22/2005 Sev=Info/5 IKE/0x43000025
Loaded OUTBOUND ESP SPI: 0x5EDA9509
628 10:49:00.920 05/22/2005 Sev=Info/5 IKE/0x43000026
Loaded INBOUND ESP SPI: 0xFEEEDE39
629 10:49:00.921 05/22/2005 Sev=Info/4 CM/0x4310001A
One secure connection established
630 10:49:00.921 05/22/2005 Sev=Info/4 CVPND/0x4340001E
Privilege Separation: reducing MTU on primary interface.
631 10:49:00.922 05/22/2005 Sev=Info/4 CVPND/0x4340001B
Privilege Separation: backing up resolv.conf file.
632 10:49:00.924 05/22/2005 Sev=Info/4 CVPND/0x4340001D
Privilege Separation: chown( /var/run/resolv.conf.vpnbackup, uid=0, gid=1 ).
633 10:49:00.924 05/22/2005 Sev=Info/4 CVPND/0x43400018
Privilege Separation: opening file: (/var/run/resolv.conf).
634 10:49:00.927 05/22/2005 Sev=Info/4 CVPND/0x4340001A
Privilege Separation: sending SIGHUP to pid: (702).
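
An added example, not part of the original post and not Cisco code: a small Python parser for the record format of the log above (a header line followed by one or more message lines) that decodes the hex IKE ports and collects the NAT detection, mode-config and key-request values. The sample records are copied from the log; the function and key names are hypothetical.

```python
import re

# Sample records copied from the log in the post (header line, then message lines).
SAMPLE = """\
593 10:49:00.170 05/22/2005 Sev=Info/4 IKE/0x43000083
IKE Port in use - Local Port = 0xC17E, Remote Port = 0x1194
594 10:49:00.170 05/22/2005 Sev=Info/5 IKE/0x43000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
608 10:49:00.797 05/22/2005 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 130.133.218.80
616 10:49:00.808 05/22/2005 Sev=Info/4 IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.2.101, GW IP = 160.45.252.202, Remote IP = 0.0.0.0
"""

# Header: sequence number, time, date, severity, module/event id.
HEADER = re.compile(r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\d\d/\d\d/\d{4}) "
                    r"Sev=(\w+)/(\d+) (\w+)/(0x[0-9A-Fa-f]+)$")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append({"seq": int(m[1]), "time": m[2], "date": m[3],
                            "module": m[6], "event": m[7], "msg": []})
        elif records and line:
            records[-1]["msg"].append(line)
    return records

def summarize(records):
    """Collect the negotiated values relevant to a NAT-T tunnel."""
    out = {"client_behind_nat": False}
    for r in records:
        msg = " ".join(r["msg"])
        if m := re.search(r"Local Port = (0x[0-9A-Fa-f]+), Remote Port = (0x[0-9A-Fa-f]+)", msg):
            out["local_port"], out["remote_port"] = int(m[1], 16), int(m[2], 16)
        if "This end IS behind a NAT device" in msg:
            out["client_behind_nat"] = True
        if m := re.search(r"INTERNAL_IPV4_ADDRESS: , value = (\S+)", msg):
            out["tunnel_ip"] = m[1]
        if m := re.search(r"key request from Driver: .*Remote IP = (\S+)", msg):
            out["key_request_remote"] = m[1]
    return out
```

The remote port 0x1194 decodes to 4500, the second of the two UDP ports the post mentions opening.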