[strongSwan] INVALID_ID_INFORMATION in ikev1
Vinay Prabhakar M
vinay.prabhakar.ext at nsn.com
Mon Apr 30 10:00:48 CEST 2012
Hi,
I am getting an INVALID_ID_INFORMATION error with certificates (attached to
this mail) and the configuration below in IKEv1.
When the configuration is changed to IKEv2 it works fine and the tunnels
are created.
The pluto logs for both units are also attached.
Unit 1:
[root at FED14 etc]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180s
strictcrlpolicy=no
plutostart=yes
plutodebug=controlmore
charonstart=no
plutostderrlog=/tmp/plutolog.txt
ca rootca1
cacert=cacert.pem
conn %default
leftcert=/usr/local/etc/ipsec.d/certs/PC1Cert.pem
authby=pubkey
keyexchange=ikev1
auto=start
conn conn101
leftsubnet=70.70.70.7/24
rightsubnet=20.20.20.2/24
left=10.10.10.5
right=10.10.10.6
[root at linuxPC2 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.10.10.6:500
000 interface eth1/eth1 20.20.20.2:500
000 interface eth2/eth2 10.125.40.64:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey
pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: controlmore
000
000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR, O=xxxxx, OU=xxxxx,
CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24; unrouted; eroute
owner: #0
000 "conn101": CAs: "C=IN, ST=KAR, L=BANG, O=xxxxx, OU=xxxxx,
CN=CACERT"...%any
000 "conn101": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "conn101": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "conn101": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "conn101" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 8s
000 #1: "conn101" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT
in 4s
000 #1: pending Phase 2 for "conn101" replacing #0
000
Unit 2:
[root at linuxPC2 etc]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180s
strictcrlpolicy=no
plutostart=yes
plutodebug=controlmore
charonstart=no
plutostderrlog=/tmp/plutolog.txt
ca rootca0
cacert=cacert.pem
conn %default
leftcert=/etc/ipsec.d/certs/PC2Cert.pem
keyexchange=ikev1
authby=pubkey
auto=start
conn conn101
leftsubnet=20.20.20.2/24
rightsubnet=70.70.70.7/24
left=10.10.10.6
right=10.10.10.5
[root at linuxPC2 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.10.10.6:500
000 interface eth1/eth1 20.20.20.2:500
000 interface eth2/eth2 10.125.40.64:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey
pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: controlmore
000
000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR, O=xxxxx, OU=xxxxx,
CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24; unrouted; eroute
owner: #0
000 "conn101": CAs: "C=IN, ST=KAR, L=BANG, O=xxxxx, OU=xxxxx,
CN=CACERT"...%any
000 "conn101": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "conn101": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "conn101": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "conn101" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 8s
000 #1: "conn101" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT
in 4s
000 #1: pending Phase 2 for "conn101" replacing #0
000
(To maintain confidentiality, I have masked the actual values, though you
can see the actual values in the logs and the certificates.)
Thanks & Regards,
Vinay
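An added diagnostic, not part of the post above: the `statusall` output shows each side's own IKE ID in the first bracket (the certificate DN, because `leftcert` is set and no `leftid` is given) and the ID it expects from the peer in the second bracket (the bare IP address, the default for a numeric `right=`). The script parses those conn lines from both units and reports when one side's expected peer ID differs from the ID the other side will actually send, which is the condition pluto answers with INVALID_ID_INFORMATION. The PC2 line is the one in the post; the PC1 line is constructed to match PC1's ipsec.conf, since the "Unit 1" block in the post pastes PC2's output.

```python
import re

# Format of a pluto `ipsec statusall` conn line:
#   000 "name": lsub===lip[lid]...rip[rid]===rsub; ...
CONN_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<lsub>[^=\s]+)===(?P<lip>[^\[\s]+)\[(?P<lid>[^\]]*)\]'
    r'\.\.\.(?P<rip>[^\[\s]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>[^;]+);')

# Constructed samples: PC2 as shown in the post, PC1 as its own ipsec.conf
# would print it (CN=PC1CERT is assumed from the PC1Cert.pem file name).
STATUS_PC1 = ('000 "conn101": 70.70.70.0/24===10.10.10.5[C=IN, ST=KAR, O=xxxxx, OU=xxxxx, '
              'CN=PC1CERT]...10.10.10.6[10.10.10.6]===20.20.20.0/24; unrouted; eroute owner: #0')
STATUS_PC2 = ('000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR, O=xxxxx, OU=xxxxx, '
              'CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24; unrouted; eroute owner: #0')

def norm_id(ident):
    """Normalise an IKE ID for comparison (DNs lose spaces after commas)."""
    return ",".join(part.strip() for part in ident.split(","))

def parse_conn(line):
    """Extract local/remote IP, ID and subnet from one statusall conn line."""
    m = CONN_RE.match(line)
    if not m:
        raise ValueError("not a conn status line: %r" % line)
    return m.groupdict()

def check_pair(a, b):
    """List ID and subnet mismatches between two peers' conn entries.

    Each side sends its own [lid] in the ID payload and compares the ID it
    receives with its [rid]; pluto rejects a mismatch with
    INVALID_ID_INFORMATION.
    """
    findings = []
    for me, peer in ((a, b), (b, a)):
        if norm_id(me["rid"]) != norm_id(peer["lid"]):
            findings.append("%s expects peer ID %r but %s sends %r -> INVALID_ID_INFORMATION"
                            % (me["lip"], me["rid"], peer["lip"], peer["lid"]))
        if me["lsub"] != peer["rsub"]:
            findings.append("%s leftsubnet %s != %s rightsubnet %s"
                            % (me["lip"], me["lsub"], peer["lip"], peer["rsub"]))
    return findings

if __name__ == "__main__":
    for finding in check_pair(parse_conn(STATUS_PC1), parse_conn(STATUS_PC2)):
        print(finding)
```

With the post's configuration it reports a mismatch in both directions; once each side's expected peer ID is the other side's certificate DN, it reports nothing.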
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: plutolog_PC1.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: PC1_ipsec_conf_secrets_statusall.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PC1Cert.pem
Type: application/octet-stream
Size: 1139 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.pem
Type: application/octet-stream
Size: 1289 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: PC2_ipsec_conf_secrets_statusall.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: plutolog_PC2.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment-0003.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PC2Cert.pem
Type: application/octet-stream
Size: 1139 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/f4d1d9e0/attachment-0002.obj>