[strongSwan] [IKE] received INVALID_ID_INFORMATION error notify - but why?
Andreas Kemper
a_kemper at gmx.de
Fri Feb 28 20:05:14 CET 2014
Hi,
I'm about to connect Strongswan as client to AVM Fritzbox as server.
Right now it seems I have an almost complete configuration, but I'm finally
struggling with a strange error:
*Server config*
vpncfg {
connections {
enabled = yes;
conn_type = conntype_user;
name = "FB-ipsec-vserver";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 192.168.42.10;
remoteid {
key_id = "FB-ipsec-vserver";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "xxxxxx";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
}
use_cfgmode = no;
}
phase2remoteid {
ipaddr = 192.168.42.10;
}
phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
accesslist =
"permit ip 192.168.42.0 255.255.255.0
192.168.42.10 255.255.255.255";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
*ipsec.conf*
config setup
        #charondebug="ike 4, cfg 2"

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=psk

conn FB-ipsec-vserver
        aggressive=yes
        ike=aes256-sha1-modp1024
        left=x.x.x.x
        leftid=@#46422d69707365632d76736572766572
        leftsourceip=192.168.42.10
        right=xxx.dyndns.org
        rightid=%any
        rightsubnet=192.168.42.0/24
        auto=start
Syslog after starting strongswan:
<...>
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux
3.2.0-59-generic, x86_64)
charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
charon: 00[CFG] loaded IKE secret for %any
charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink
resolve socket-default stroke updown xauth-generic
charon: 00[LIB] unable to load 6 plugin features (6 due to unmet
dependencies)
charon: 00[JOB] spawning 16 worker threads
charon: 06[CFG] received stroke: add connection 'FB-ipsec-vserver'
charon: 06[CFG] added configuration 'FB-ipsec-vserver'
charon: 12[CFG] received stroke: initiate 'FB-ipsec-vserver'
charon: 12[IKE] initiating Aggressive Mode IKE_SA FB-ipsec-vserver[1] to
y.y.y.y
charon: 12[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (388
bytes)
charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (524
bytes)
charon: 14[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH
N((24576)) V V V V V NAT-D NAT-D NAT-D NAT-D NAT-D ]
charon: 14[IKE] received XAuth vendor ID
charon: 14[IKE] received DPD vendor ID
charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 14[ENC] received unknown vendor ID:
a2:22:6f:c3:64:50:0f:56:34:ff:77:db:3b:74:f4:1b
charon: 14[IKE] remote host is behind NAT
charon: 14[IKE] IKE_SA FB-ipsec-vserver[1] established between
x.x.x.x[FB-ipsec-vserver]...y.y.y.y[y.y.y.y]
charon: 14[IKE] scheduling reauthentication in 86190s
charon: 14[IKE] maximum IKE_SA lifetime 86370s
charon: 14[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
charon: 14[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (108
bytes)
charon: 14[ENC] generating TRANSACTION request 2425221354 [ HASH
CPRQ(ADDR DNS) ]
charon: 14[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (76
bytes)
charon: 15[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76
bytes)
charon: 15[ENC] parsed TRANSACTION response 2425221354 [ HASH CPRP(ADDR
DNS) ]
charon: 15[IKE] installing DNS server 192.168.42.1 via resolvconf
charon: 15[IKE] installing new virtual IP 192.168.42.10
charon: 15[ENC] generating QUICK_MODE request 2957451007 [ HASH SA No ID
ID ]
charon: 15[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (236
bytes)
charon: 04[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76
bytes)
charon: 04[ENC] parsed INFORMATIONAL_V1 request 1178518468 [ HASH
N(INVAL_ID) ]
charon: 04[IKE] received INVALID_ID_INFORMATION error notify
<...>
When I enable extended debugging with charondebug="ike 4, cfg 2",
unfortunately I no longer see the last line containing "received
INVALID_ID_INFORMATION error notify". Hence, could someone give me
additional hints on debugging? I've already tried different configs with
either mode_config or manually defining "leftsubnet=192.168.42.0/24",
but all relevant trials end up with the same log line, and I don't see an
option to do debugging on the server (Fritzbox) side.
Thanks a lot,
Andreas
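As an added illustration (not part of Andreas's post and not strongSwan code): a small Python triage that walks the charon log above, confirms that Phase 1 completed, reports which outbound exchange the Fritzbox answered with N(INVAL_ID), and decodes the "@#" hex leftid to show the identity actually sent. The abridged log is constructed from the post, with its wrapped lines re-joined.

```python
import re

# Constructed, abridged copy of the charon syslog from the post, wrapped lines
# re-joined; x.x.x.x / y.y.y.y are the poster's own placeholders.
SAMPLE_LOG = """\
charon: 12[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
charon: 14[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH N((24576)) V V V V V NAT-D NAT-D ]
charon: 14[IKE] IKE_SA FB-ipsec-vserver[1] established between x.x.x.x[FB-ipsec-vserver]...y.y.y.y[y.y.y.y]
charon: 14[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
charon: 14[ENC] generating TRANSACTION request 2425221354 [ HASH CPRQ(ADDR DNS) ]
charon: 15[ENC] parsed TRANSACTION response 2425221354 [ HASH CPRP(ADDR DNS) ]
charon: 15[IKE] installing new virtual IP 192.168.42.10
charon: 15[ENC] generating QUICK_MODE request 2957451007 [ HASH SA No ID ID ]
charon: 04[ENC] parsed INFORMATIONAL_V1 request 1178518468 [ HASH N(INVAL_ID) ]
charon: 04[IKE] received INVALID_ID_INFORMATION error notify
"""

EXCHANGE = re.compile(r"\[ENC\] (generating|parsed) (\S+) (?:request|response) \d+ \[ (.*) \]")

def triage(log):
    """Return whether the IKE_SA (Phase 1) came up, which virtual IP was
    installed, and which outbound exchange the peer answered with INVAL_ID."""
    result = {"phase1_ok": False, "virtual_ip": None, "rejected": None, "payloads": None}
    last_out = None
    for line in log.splitlines():
        if "IKE_SA" in line and " established " in line:
            result["phase1_ok"] = True
        m = re.search(r"installing new virtual IP (\S+)", line)
        if m:
            result["virtual_ip"] = m.group(1)
        m = EXCHANGE.search(line)
        if not m:
            continue
        direction, exchange, payloads = m.groups()
        if direction == "generating":
            last_out = (exchange, payloads.split())
        elif "N(INVAL_ID)" in payloads and last_out:
            # INVALID_ID_INFORMATION is the IKEv1 responder's complaint about ID
            # payloads; once Phase 1 is up, the IDs in question are the Quick
            # Mode IDci/IDcr (traffic selectors), not the Phase 1 peer identity.
            result["rejected"], result["payloads"] = last_out
            break
    return result

def decode_leftid(leftid):
    """Decode strongSwan's '@#<hex>' KEY_ID syntax to the identity bytes sent."""
    if not leftid.startswith("@#"):
        raise ValueError("not a @# hex KEY_ID")
    return bytes.fromhex(leftid[2:]).decode("ascii")

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("Phase 1 established:", r["phase1_ok"], "virtual IP:", r["virtual_ip"])
    print("Rejected exchange:", r["rejected"], "payloads:", r["payloads"])
    print("leftid sends:", decode_leftid("@#46422d69707365632d76736572766572"))
```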