[strongSwan] INVALID_ID_INFORMATION error in ikev1

Vinay Prabhakar M vinay.prabhakar.ext at nsn.com
Mon Apr 30 10:02:20 CEST 2012


Hi ,
 
 I am getting an INVALID_ID_INFORMATION error with certificates (attached to
this mail) and the configuration below in IKEv1.
 When the configuration is changed to IKEv2 it works fine and the tunnels
are created.
 The pluto logs for both units are also attached. [Note: the "ipsec
statusall" output pasted under Unit1 below was captured on linuxPC2
(10.10.10.6) and is identical to the one under Unit2; Unit1's own status
output is not shown. In that output the peer is listed as
10.10.10.5[10.10.10.5], i.e. pluto expects an address as the peer's IKE ID,
while the local end is identified by its certificate DN — see the rightid=
remarks in the configurations below.]
 
 
Unit1:
[root at FED14 etc]# cat ipsec.conf 
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
  # CRLs are re-fetched every 180 s, but strictcrlpolicy=no means peer
  # authentication still succeeds when no fresh CRL is available, so a
  # revoked peer certificate is only rejected once a CRL has actually been
  # obtained.  Acceptable for a lab; use strictcrlpolicy=yes in production.
  crlcheckinterval=180s
  strictcrlpolicy=no
  # IKEv1 only: run pluto, not charon.
  plutostart=yes
  # controlmore is verbose; drop it once the ID problem is resolved.
  plutodebug=controlmore
  charonstart=no
  # pluto typically runs as root and opens this path at start-up; a
  # predictable name in world-writable /tmp can be pre-created (or
  # symlinked) by any local user.  Prefer a root-owned directory such as
  # /var/log.
  plutostderrlog=/tmp/plutolog.txt
 
ca rootca1
  # Relative path (documented as resolved under the ipsec.d/cacerts
  # directory of this install; the leftcert path below shows the prefix
  # here is /usr/local/etc).  The section name is local only; Unit2 calls
  # its section rootca0 for the same cacert.pem.
  cacert=cacert.pem
 
conn %default
  # leftid= is not set, so this host identifies itself by the subject DN of
  # its certificate (Unit2's statusall shows the same for its own end:
  # 10.10.10.6[C=IN, ... CN=PC2CERT], with %myid = '%any').  The peer must
  # therefore expect a DN, not an address, for this side.
  leftcert=/usr/local/etc/ipsec.d/certs/PC1Cert.pem
  authby=pubkey
  keyexchange=ikev1
  # auto=start on BOTH units makes each one initiate; statusall shows a
  # crossing negotiation (#1 as initiator in MAIN_I3, #2 as responder in
  # MAIN_R2), each with a pending retransmit.  Use auto=add on one side
  # while debugging so only one exchange appears in the logs.
  auto=start
 
conn conn101
  # Host bits are set in both prefixes; pluto masks them to 70.70.70.0/24
  # and 20.20.20.0/24 (as statusall shows).  Write the network address to
  # avoid ambiguity.
  leftsubnet=70.70.70.7/24
  rightsubnet=20.20.20.2/24
  left=10.10.10.5
  # No rightid= is set, so pluto expects the peer to identify itself by its
  # address (Unit2's statusall prints its peer as 10.10.10.5[10.10.10.5]).
  # A peer authenticating with a certificate and no leftid= sends its
  # subject DN as its IKEv1 ID (Unit2's own end shows as [C=IN, ...
  # CN=PC2CERT]); no connection then matches the received ID and pluto
  # answers INVALID_ID_INFORMATION.  Fix, mirrored on the other unit:
  #   rightid="<subject DN of PC2Cert.pem>"
  # (or a subjectAltName that certificate carries).  This would also be
  # consistent with the same configuration working under IKEv2 (charon).
  # No rightca= either: statusall shows 'CAs: "..."...%any', i.e. a peer
  # certificate issued by ANY loaded CA is accepted.  Pin it with
  #   rightca="<subject DN of cacert.pem>"
  # once more than one CA is in the trust store.
  right=10.10.10.6
 
[root at linuxPC2 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.10.10.6:500
000 interface eth1/eth1 20.20.20.2:500
000 interface eth2/eth2 10.125.40.64:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey
pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: controlmore
000 
000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR, O=xxxxx, OU=xxxxx,
CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24; unrouted; eroute
owner: #0
000 "conn101":   CAs: "C=IN, ST=KAR, L=BANG, O=xxxxx, OU=xxxxx,
CN=CACERT"...%any
000 "conn101":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "conn101":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0; 
000 "conn101":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 
000 #2: "conn101" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 8s
000 #1: "conn101" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT
in 4s
000 #1: pending Phase 2 for "conn101" replacing #0
000 
 
Unit2:
[root at linuxPC2 etc]# cat ipsec.conf 
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
  # CRLs are re-fetched every 180 s, but strictcrlpolicy=no means peer
  # authentication still succeeds when no fresh CRL is available, so a
  # revoked peer certificate is only rejected once a CRL has actually been
  # obtained.  Acceptable for a lab; use strictcrlpolicy=yes in production.
  crlcheckinterval=180s
  strictcrlpolicy=no
  # IKEv1 only: run pluto, not charon.
  plutostart=yes
  # controlmore is verbose; drop it once the ID problem is resolved.
  plutodebug=controlmore
  charonstart=no
  # pluto typically runs as root and opens this path at start-up; a
  # predictable name in world-writable /tmp can be pre-created (or
  # symlinked) by any local user.  Prefer a root-owned directory such as
  # /var/log.
  plutostderrlog=/tmp/plutolog.txt
 
ca rootca0
  # Relative path (documented as resolved under the ipsec.d/cacerts
  # directory of this install; the leftcert path below shows the prefix
  # here is /etc).  The section name is local only; Unit1 calls its
  # section rootca1 for the same cacert.pem.
  cacert=cacert.pem
 
conn %default
  # leftid= is not set, so this host identifies itself by the subject DN of
  # its certificate: statusall shows %myid = '%any' and the local end as
  # 10.10.10.6[C=IN, ... CN=PC2CERT].  The peer must therefore expect a DN,
  # not an address, for this side.
  leftcert=/etc/ipsec.d/certs/PC2Cert.pem
  keyexchange=ikev1
  authby=pubkey
  # auto=start on BOTH units makes each one initiate; statusall shows a
  # crossing negotiation (#1 as initiator in MAIN_I3, #2 as responder in
  # MAIN_R2), each with a pending retransmit.  Use auto=add on one side
  # while debugging so only one exchange appears in the logs.
  auto=start
 
conn conn101
  # Host bits are set in both prefixes; pluto masks them to 20.20.20.0/24
  # and 70.70.70.0/24 (as statusall shows).  Write the network address to
  # avoid ambiguity.
  leftsubnet=20.20.20.2/24
  rightsubnet=70.70.70.7/24
  left=10.10.10.6
  # No rightid= is set, so pluto expects the peer to identify itself by its
  # address: statusall prints the peer as 10.10.10.5[10.10.10.5].  Unit1
  # has no leftid= either and authenticates with a certificate, so it will
  # send its subject DN as its IKEv1 ID (exactly as this host does for its
  # own end); no connection then matches the received ID and pluto answers
  # INVALID_ID_INFORMATION.  Fix, mirrored on the other unit:
  #   rightid="<subject DN of PC1Cert.pem>"
  # (or a subjectAltName that certificate carries).  This would also be
  # consistent with the same configuration working under IKEv2 (charon).
  # No rightca= either: statusall shows 'CAs: "..."...%any', i.e. a peer
  # certificate issued by ANY loaded CA is accepted.  Pin it with
  #   rightca="<subject DN of cacert.pem>"
  # once more than one CA is in the trust store.
  right=10.10.10.5
 

[root at linuxPC2 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.10.10.6:500
000 interface eth1/eth1 20.20.20.2:500
000 interface eth2/eth2 10.125.40.64:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey
pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: controlmore
000 
000 "conn101": 20.20.20.0/24===10.10.10.6[C=IN, ST=KAR, O=xxxxx, OU=xxxxx,
CN=PC2CERT]...10.10.10.5[10.10.10.5]===70.70.70.0/24; unrouted; eroute
owner: #0
000 "conn101":   CAs: "C=IN, ST=KAR, L=BANG, O=xxxxx, OU=xxxxx,
CN=CACERT"...%any
000 "conn101":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "conn101":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0; 
000 "conn101":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 
000 #2: "conn101" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 8s
000 #1: "conn101" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT
in 4s
000 #1: pending Phase 2 for "conn101" replacing #0
000 
 
( To maintain confidentiality, I have masked the actual values in the text
above, though the actual values are visible in the attached logs and
certificates.) [Note: masking the DNs in the body gives no confidentiality
when the certificates and full debug logs are attached; and the attachments
named "*_ipsec_conf_secrets_statusall.txt" suggest ipsec.secrets was
included — if it holds a private-key passphrase or a PSK, that material
should not be posted to a public list and should be treated as compromised.]

Thanks & Regards,
Vinay
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: plutolog_PC1.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: PC1_ipsec_conf_secrets_statusall.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PC1Cert.pem
Type: application/octet-stream
Size: 1139 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.pem
Type: application/octet-stream
Size: 1289 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: PC2_ipsec_conf_secrets_statusall.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: plutolog_PC2.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment-0003.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PC2Cert.pem
Type: application/octet-stream
Size: 1139 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120430/a84202bc/attachment-0002.obj>

