<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span>Hi everyone,</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span><br></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">Finally I am able to connect successfully two linux machines runinng strongswan as net-net topology using IKE1 and PSK. You can see below the log data from<span style="font-weight: bold;"> >>ipsec up conn</span>e command and <span style="font-weight: bold;">>>>ipsec stausall</span></div><div style="font-family: 'times
new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">.But I can't still see any ESP packet when I ping the other machine. Tcpdump still shows plain ip packet. </div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I am following this example: <a href="http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/">http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/</a></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">Thanks for the help,</div><div style="font-family:
'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">Farid</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="background-color: transparent;">root@LMU5k:~# ipsec up lmu55</div><div style="background-color: transparent;">initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56</div><div style="background-color: transparent;">generating ID_PROT request 0 [ SA V V V V ]</div><div style="background-color: transparent;">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)</div><div style="background-color: transparent;">received packet: from 192.168.1.56[500] to
192.168.1.55[500] (136 bytes)</div><div style="background-color: transparent;">parsed ID_PROT response 0 [ SA V V V ]</div><div style="background-color: transparent;">received XAuth vendor ID</div><div style="background-color: transparent;">received DPD vendor ID</div><div style="background-color: transparent;">received NAT-T (RFC 3947) vendor ID</div><div style="background-color: transparent;">generating ID_PROT request 0 [ KE No NAT-D NAT-D ]</div><div style="background-color: transparent;">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)</div><div style="background-color: transparent;">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)</div><div style="background-color: transparent;">parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]</div><div style="background-color: transparent;">generating ID_PROT request 0 [ ID HASH ]</div><div style="background-color: transparent;">sending packet: from 192.168.1.55[500]
to 192.168.1.56[500] (92 bytes)</div><div style="background-color: transparent;">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (92 bytes)</div><div style="background-color: transparent;">parsed ID_PROT response 0 [ ID HASH ]</div><div style="background-color: transparent;">IKE_SA lmu55[1] established between 192.168.1.55[lmu55.strongswan.com]...192.168.1.56[lmu56.strongswan.com]</div><div style="background-color: transparent;">scheduling reauthentication in 3253s</div><div style="background-color: transparent;">maximum IKE_SA lifetime 3433s</div><div style="background-color: transparent;">generating QUICK_MODE request 3127380485 [ HASH SA No ID ID ]</div><div style="background-color: transparent;">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (236 bytes)</div><div style="background-color: transparent;">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (188 bytes)</div><div style="background-color:
transparent;">parsed QUICK_MODE response 3127380485 [ HASH SA No ID ID ]</div><div style="background-color: transparent;"><span style="font-weight: bold;">connection 'lmu55' established successfully</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="background-color: transparent;"> <span style="background-color: transparent;">root@LMU8:~# ipsec statusall</span></div><div style="background-color: transparent;">Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl):</div><div style="background-color: transparent;"> uptime: 2 minutes, since Jul 25 00:01:40 2013</div><div style="background-color: transparent;">
malloc: sbrk 94208, mmap 0, used 79688, free 14520</div><div style="background-color: transparent;"> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 2</div><div style="background-color: transparent;"> loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown</div><div style="background-color: transparent;">Listening IP addresses:</div><div style="background-color: transparent;"> 192.168.1.56</div><div style="background-color: transparent;"> 10.1.201.2</div><div style="background-color: transparent;"> 10.5.125.142</div><div style="background-color: transparent;">Connections:</div><div style="background-color: transparent;"> lmu56: 192.168.1.56...192.168.1.55 IKEv1</div><div style="background-color: transparent;"> lmu56: local: [lmu56.strongswan.com] uses pre-shared
key authentication</div><div style="background-color: transparent;"> lmu56: remote: [lmu55.strongswan.com] uses pre-shared key authentication</div><div style="background-color: transparent;"> lmu56: child: 10.1.201.0/24 === 10.0.201.0/24 TUNNEL</div><div style="background-color: transparent;">Security Associations (1 up, 0 connecting):</div><div style="background-color: transparent;"> lmu56[1]: ESTABLISHED 2 minutes ago, 192.168.1.56[lmu56.strongswan.com]...192.168.1.55[lmu55.strongswan.com]</div><div style="background-color: transparent;"> lmu56[1]: IKEv1 SPIs: 77df8f5e925d19d7_i* a0153d6dae17c55b_r, pre-shared key reauthentication in 52 minutes</div><div style="background-color: transparent;"> lmu56[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div style="font-family: 'times
new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span><br></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> Farid Farid <farid21657@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> "users@lists.strongswan.org"
<users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, July 24, 2013 10:59 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> [strongSwan] ipsec connectivity fails on phase2 with error: [ HASH N(INVAL_ID) ]<br> </font> </div> <div class="y_msg_container"><br><div id="yiv0376769015"><div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">Hi everyone,</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I am trying to setup a simple ipsec tunnel ( net-to-net) using PSK following the example
showing here in strongswan website: <a rel="nofollow" target="_blank" href="http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/" style="font-size:12pt;">http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/</a></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I am running strongswan 5.0.1 on both sides and I am using the exact set up shown in this example.</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">My left gateway is lmu55=192.168.1.55 and right gateway is lmu56=192.168.1.56. When I start the strongswan on
both side and issue the command >>ipsec -up lmu55</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">(lmu55 is connection name for the left side)from the left side I get the following messages and connection fails . I looked at the tcpdump data and it seems it
completes phase1 but fails on phase2. I can also see in the stablishment of SA :</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span style="font-size:16px;">....... </span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span style="font-size:16px;">KE_SA lmu55[1] established between 192.168.1.55[lmu55.strongswan.com]...192.168.1.56[lmu56.strongswan.com]</span><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">....</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div
style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">Error is [ HASH N(INVAL_ID) ] which you can see below in the output of ipsec command</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I am wonder what I am missing here in my setup. </div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I appreciate your help in advance.</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0);
background-color: transparent; font-style: normal;">Farid</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">root@LMU5k:~# ipsec up lmu55</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">generating ID_PROT request 0 [ SA V V V V ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times,
serif">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (136 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">parsed ID_PROT response 0 [ SA V V V ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received XAuth vendor ID</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received DPD vendor ID</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received NAT-T (RFC 3947) vendor ID</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">generating ID_PROT request 0 [ KE No
NAT-D NAT-D ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">generating ID_PROT request 0 [ ID HASH ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (92 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times,
serif">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (92 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">parsed ID_PROT response 0 [ ID HASH ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">IKE_SA lmu55[1] established between 192.168.1.55[lmu55.strongswan.com]...192.168.1.56[lmu56.strongswan.com]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">scheduling reauthentication in 10258s</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">maximum IKE_SA lifetime 10798s</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">generating QUICK_MODE request 1597565745 [ HASH SA No ID ID ]</font></div><div style="background-color:transparent;"><font
face="times new roman, new york, times, serif">sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (236 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received packet: from 192.168.1.56[500] to 192.168.1.55[500] (76 bytes)</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">parsed INFORMATIONAL_V1 request 4090518834 [ HASH N(INVAL_ID) ]</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">received INVALID_ID_INFORMATION error notify</font></div><div style="background-color:transparent;"><font face="times new roman, new york, times, serif">establishing connection 'lmu55' failed</font></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div></div></div></div><br>_______________________________________________<br>Users mailing
list<br><a ymailto="mailto:Users@lists.strongswan.org" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br><br></div> </div> </div> </div></body></html>