<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19190"></HEAD>
<BODY>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012>Hi
,</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=968092707-30042012></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012> I am
getting <SPAN lang=EN>INVALID_ID_INFORMATION error with
certificates(attached with this mail) and the below configuration in
ikev1.</SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN> When the configuration is changed for ikev2 it is working fine and
tunnel are created<FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN>. </SPAN></SPAN></FONT></SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN><FONT
size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN> The pluto
logs for both units are also
attached.</SPAN></SPAN></FONT></SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN> </SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN></SPAN></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN>Unit1:</SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN><STRONG>[root@FED14 etc]# cat ipsec.conf <BR></STRONG># /etc/ipsec.conf
- strongSwan IPsec configuration file<BR>config setup<BR>
crlcheckinterval=180s<BR> strictcrlpolicy=no<BR>
plutostart=yes<BR> plutodebug=controlmore<BR>
charonstart=no<BR>
plutostderrlog=/tmp/plutolog.txt</SPAN></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN>ca
rootca1<BR> cacert=cacert.pem</SPAN></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN>conn
%default<BR> leftcert=/usr/local/etc/ipsec.d/certs/PC1Cert.pem<BR>
authby=pubkey<BR> keyexchange=ikev1<BR>
auto=start</SPAN></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN>conn
conn101<BR> leftsubnet=70.70.70.7/24<BR>
rightsubnet=20.20.20.2/24<BR> left=10.10.10.5<BR>
right=10.10.10.6</SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN><STRONG>[root@linuxPC2 etc]# ipsec statusall<BR></STRONG>000 Status of
IKEv1 pluto daemon (strongSwan 4.6.2):<BR>000 interface lo/lo ::1:500<BR>000
interface lo/lo 127.0.0.1:500<BR>000 interface eth0/eth0 10.10.10.6:500<BR>000
interface eth1/eth1 20.20.20.2:500<BR>000 interface eth2/eth2
10.125.40.64:500<BR>000 interface virbr0/virbr0 192.168.122.1:500<BR>000 %myid =
'%any'<BR>000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp
dnskey pem gmp hmac xauth attr kernel-netlink resolve<BR>000 debug options:
controlmore<BR>000 <BR>000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR,
O=xxxxx, OU=xxxxx, CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24;
unrouted; eroute owner: #0<BR>000 "conn101": CAs: "C=IN, ST=KAR,
L=BANG, O=xxxxx, OU=xxxxx, CN=CACERT"...%any<BR>000 "conn101":
ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 3<BR>000 "conn101": policy:
PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; <BR>000
"conn101": newest ISAKMP SA: #0; newest IPsec SA: #0; <BR>000
<BR>000 #2: "conn101" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 8s<BR>000 #1: "conn101" STATE_MAIN_I3 (sent MI3, expecting MR3);
EVENT_RETRANSMIT in 4s<BR>000 #1: pending Phase 2 for "conn101" replacing
#0<BR>000 </SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN></SPAN></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN>Unit2:</SPAN></SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN
lang=EN><STRONG>[root@linuxPC2 etc]# cat ipsec.conf <BR></STRONG>#
/etc/ipsec.conf - strongSwan IPsec configuration file<BR>config setup<BR>
crlcheckinterval=180s<BR> strictcrlpolicy=no<BR>
plutostart=yes<BR> plutodebug=controlmore<BR>
charonstart=no<BR>
plutostderrlog=/tmp/plutolog.txt</SPAN></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN>ca
rootca0<BR> cacert=cacert.pem</SPAN></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN>conn
%default<BR> leftcert=/etc/ipsec.d/certs/PC2Cert.pem<BR>
keyexchange=ikev1<BR> authby=pubkey<BR>
auto=start</SPAN></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=968092707-30042012><SPAN lang=EN>conn
conn101<BR> leftsubnet=20.20.20.2/24<BR>
rightsubnet=70.70.70.7/24<BR> left=10.10.10.6<BR>
right=10.10.10.5</SPAN></SPAN></FONT></DIV>
<DIV> </DIV><SPAN class=968092707-30042012><SPAN lang=EN>
<DIV><BR><FONT face=Arial><FONT size=2><STRONG>[root@linuxPC2 etc]# ipsec
statusall<BR></STRONG>000 Status of IKEv1 pluto daemon (strongSwan
4.6.2):<BR>000 interface lo/lo ::1:500<BR>000 interface lo/lo
127.0.0.1:500<BR>000 interface eth0/eth0 10.10.10.6:500<BR>000 interface
eth1/eth1 20.20.20.2:500<BR>000 interface eth2/eth2 10.125.40.64:500<BR>000
interface virbr0/virbr0 192.168.122.1:500<BR>000 %myid = '%any'<BR>000 loaded
plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac
xauth attr kernel-netlink resolve<BR>000 debug options: controlmore<BR>000
<BR>000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR, O=<SPAN
class=968092707-30042012>xxxxx</SPAN>, OU=<SPAN
class=968092707-30042012>xxxxx</SPAN>,
CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24; unrouted; eroute owner:
#0<BR>000 "conn101": CAs: "C=IN, ST=KAR, L=BANG, O=<SPAN
class=968092707-30042012>xxxxx</SPAN>, OU=<SPAN
class=968092707-30042012>xxxxx</SPAN>, CN=CACERT"...%any<BR>000
"conn101": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3<BR>000 "conn101": policy:
PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; <BR>000
"conn101": newest ISAKMP SA: #0; newest IPsec SA: #0; <BR>000
<BR>000 #2: "conn101" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 8s<BR>000 #1: "conn101" STATE_MAIN_I3 (sent MI3, expecting MR3);
EVENT_RETRANSMIT in 4s<BR>000 #1: pending Phase 2 for "conn101" replacing
#0<BR>000 </FONT></FONT></SPAN></SPAN></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>( To maintain confidentiality, I have masked the
actual values, though<SPAN class=968092707-30042012> </SPAN>you can see the
actual values in the logs and the certificate)<BR></FONT></DIV>
<DIV align=left><FONT size=2 face=Arial>Thanks & Regards,</FONT></DIV>
<DIV align=left><FONT size=2 face=Arial>Vinay</FONT></DIV>
<DIV> </DIV></BODY></HTML>