[strongSwan] received INVALID_ID_INFORMATION error notify
Rolf Schöpfer
rolf at samplezone.ch
Fri May 23 16:27:25 CEST 2014
Hi

After hours of reading and troubleshooting, no solution so far. Still "received INVALID_ID_INFORMATION error notify". That happens when I ping from remote (right) to local (left).

BUT... when I ping from local (left) to remote (right) it works!?

# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=254 time=0.962 ms

In /var/log/syslog there is nothing to see when I ping. And there are no Security Associations:

# ipsec statusall
...
Connections:
host-rslan: 88.88.88.88...99.99.99.99 IKEv1, dpddelay=60s
host-rslan: local: [88.88.88.88] uses pre-shared key authentication
host-rslan: remote: [99.99.99.99] uses pre-shared key authentication
host-rslan: child: 10.10.200.182/32 === 192.168.1.0/24 TUNNEL, dpdaction=hold
Security Associations (0 up, 0 connecting):
none

Is this how it should work? I don't understand and I'm close to giving up...
Any ideas?
Regards, Rolf

On 22.05.2014 16:19, Rolf Schöpfer wrote:
> Hi
>
> VPN fritzbox - strongswan still not working:
>
> May 22 16:06:06 development charon: 15[ENC] parsed QUICK_MODE request 1573336936 [ HASH SA No KE ID ID ]
> May 22 16:06:06 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.168.1.0/24
> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for us:
> May 22 16:06:06 development charon: 15[CFG] 10.10.200.182/32
> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for other:
> May 22 16:06:06 development charon: 15[CFG] 192.168.1.0/24
> May 22 16:06:06 development charon: 15[CFG] candidate "host-rslan" with prio 5+5
> May 22 16:06:06 development charon: 15[CFG] found matching child config "host-rslan" with prio 10
> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for other:
> May 22 16:06:06 development charon: 15[CFG] config: 192.168.1.0/24, received: 192.168.1.0/24 => match: 192.168.1.0/24
> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for us:
> May 22 16:06:06 development charon: 15[CFG] config: 10.10.200.182/32, received: 10.10.200.182/32 => match: 10.10.200.182/32
> May 22 16:06:06 development charon: 15[CFG] selecting proposal:
> May 22 16:06:06 development charon: 15[CFG] proposal matches
> May 22 16:06:06 development charon: 15[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> May 22 16:06:06 development charon: 15[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> May 22 16:06:06 development charon: 15[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> May 22 16:06:06 development charon: 15[ESP] allocating SPI for reqid {8}
> May 22 16:06:06 development charon: 15[ESP] allocated SPI cbc74bc2 for reqid {8}
> May 22 16:06:06 development charon: 15[ENC] generating QUICK_MODE response 1573336936 [ HASH SA No KE ID ID ]
> May 22 16:06:06 development charon: 13[ENC] parsed INFORMATIONAL_V1 request 2104682989 [ HASH N(INVAL_ID) ]
> May 22 16:06:06 development charon: 13[IKE] received INVALID_ID_INFORMATION error notify
>
> I guess this is still Phase1? What ID should I check? Here is my ipsec.conf:
>
> config setup
>     charondebug="ike 2, esp 2, chd 1, cfg 2, net 0, enc 1, knl 1"
>
> conn %default
>     ikelifetime=60m
>     keylife=60m
>     rekeymargin=3m
>     keyingtries=1
>     authby=secret
>     keyexchange=ikev1
>     mobike=no
> ...
> conn host-rslan
>     leftid=88.88.88.88 # not real IP
>     left=88.88.88.88
>     leftsubnet=10.10.200.182/32
>     rightid=99.99.99.99 # not real IP
>     right=99.99.99.99
>     rightsubnet=192.168.1.0/24
>     ike=aes256-sha1-modp1024!
>     esp=3des-sha1-modp1024! # P2
>     auto=add
>
> Unfortunately there is no log message from the fritzbox, which makes it very difficult to troubleshoot.
>
> Thanks for any hint.
>
> Regards, Rolf