[strongSwan] received INVALID_ID_INFORMATION error notify

Noel Kuntze noel at familie-kuntze.de
Fri May 23 16:38:20 CEST 2014



Hello Rolf,

I think the error you get is caused by wrong ID information in phase two. I never got that error and don't use a fritzbox, but I think you should look at the IPsec documentation of it.
The low latency when you ping implies that a local host is pinged and not your remote one.
Examine the kernel's IPsec policies (ip xfrm policy) to see if there is an SA installed which is used when you ping.

Regards,
Noel Kuntze
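To make the check above concrete, here is an added example (not from Noel's reply or from strongSwan itself) that parses `ip xfrm policy` output and tells you whether a given source/destination pair would be sent through an IPsec tunnel at all. The sample output is constructed to match Rolf's host-rslan child config (10.10.200.182/32 === 192.168.1.0/24) and the reqid 8 seen in his log; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output for the host-rslan
# connection after it has been brought up (not copied from the thread).
SAMPLE_POLICY_OUTPUT = """\
src 10.10.200.182/32 dst 192.168.1.0/24
	dir out priority 1859 ptype main
	tmpl src 88.88.88.88 dst 99.99.99.99
		proto esp reqid 8 mode tunnel
src 192.168.1.0/24 dst 10.10.200.182/32
	dir in priority 1859 ptype main
	tmpl src 99.99.99.99 dst 88.88.88.88
		proto esp reqid 8 mode tunnel
src 192.168.1.0/24 dst 10.10.200.182/32
	dir fwd priority 1859 ptype main
	tmpl src 99.99.99.99 dst 88.88.88.88
		proto esp reqid 8 mode tunnel
"""

_HEAD = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^dir (\S+)")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
_MODE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of policy dicts."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEAD.match(line):
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2))})
        elif policies and (m := _DIR.match(line)):
            policies[-1]["dir"] = m.group(1)
        elif policies and (m := _TMPL.match(line)):
            policies[-1]["peer_src"], policies[-1]["peer_dst"] = m.group(1), m.group(2)
        elif policies and (m := _MODE.match(line)):
            policies[-1].update(proto=m.group(1), reqid=int(m.group(2)), mode=m.group(3))
    return policies


def tunnel_policy_for(text, src_ip, dst_ip):
    """Return the `dir out` policy that would protect src_ip -> dst_ip, or None.

    None means the kernel has no IPsec policy for that pair, so a ping leaves
    in the clear and any reply comes from a plain (often local) host.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in parse_xfrm_policies(text):
        if p.get("dir") == "out" and src in p["src"] and dst in p["dst"]:
            return p
    return None
```

With `auto=add` and no SA up, `ip xfrm policy` prints nothing for the connection, and the function returns None for 192.168.1.1, which is consistent with the sub-millisecond reply Rolf saw.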

On 23.05.2014 16:27, Rolf Schöpfer wrote:
> Hi
>
> After hours of reading and troubleshooting, no solution so far. Still "received INVALID_ID_INFORMATION error notify". That happens when I ping from remote (right) to local (left).
>
> BUT... when I ping from local(left) to remote(right) it works!?
>
> # ping 192.168.1.1
> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
> 64 bytes from 192.168.1.1: icmp_req=1 ttl=254 time=0.962 ms
>
> In /var/log/syslog there is nothing to see when I ping. And there are no Security Associations:
>
> # ipsec statusall
> ...
> Connections:
>   host-rslan:  88.88.88.88...99.99.99.99  IKEv1, dpddelay=60s
>   host-rslan:   local:  [88.88.88.88] uses pre-shared key authentication
>   host-rslan:   remote: [99.99.99.99] uses pre-shared key authentication
>   host-rslan:   child:  10.10.200.182/32 === 192.168.1.0/24 TUNNEL, dpdaction=hold
> Security Associations (0 up, 0 connecting):
>   none
>
>
> Is this how it should work? I don't understand and I'm close to giving up...
>
> Any ideas?
>
> Regards, Rolf
>
>
> On 22.05.2014 16:19, Rolf Schöpfer wrote:
>> Hi
>>
>> VPN fritzbox - strongswan still not working:
>>
>> May 22 16:06:06 development charon: 15[ENC] parsed QUICK_MODE request 1573336936 [ HASH SA No KE ID ID ]
>> May 22 16:06:06 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.168.1.0/24
>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for us:
>> May 22 16:06:06 development charon: 15[CFG]  10.10.200.182/32
>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for other:
>> May 22 16:06:06 development charon: 15[CFG]  192.168.1.0/24
>> May 22 16:06:06 development charon: 15[CFG]   candidate "host-rslan" with prio 5+5
>> May 22 16:06:06 development charon: 15[CFG] found matching child config "host-rslan" with prio 10
>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for other:
>> May 22 16:06:06 development charon: 15[CFG]  config: 192.168.1.0/24, received: 192.168.1.0/24 => match: 192.168.1.0/24
>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for us:
>> May 22 16:06:06 development charon: 15[CFG]  config: 10.10.200.182/32, received: 10.10.200.182/32 => match: 10.10.200.182/32
>> May 22 16:06:06 development charon: 15[CFG] selecting proposal:
>> May 22 16:06:06 development charon: 15[CFG]   proposal matches
>> May 22 16:06:06 development charon: 15[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>> May 22 16:06:06 development charon: 15[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>> May 22 16:06:06 development charon: 15[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>> May 22 16:06:06 development charon: 15[ESP] allocating SPI for reqid {8}
>> May 22 16:06:06 development charon: 15[ESP] allocated SPI cbc74bc2 for reqid {8}
>> May 22 16:06:06 development charon: 15[ENC] generating QUICK_MODE response 1573336936 [ HASH SA No KE ID ID ]
>> May 22 16:06:06 development charon: 13[ENC] parsed INFORMATIONAL_V1 request 2104682989 [ HASH N(INVAL_ID) ]
>> May 22 16:06:06 development charon: 13[IKE] received INVALID_ID_INFORMATION error notify
>>
>> I guess this is still Phase1? What ID should I check? Here is my ipsec.conf:
>>
>> config setup
>>         charondebug="ike 2, esp 2, chd 1, cfg 2, net 0, enc 1, knl 1"
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=60m
>>         rekeymargin=3m
>>         keyingtries=1
>>         authby=secret
>>         keyexchange=ikev1
>>         mobike=no
>> ...
>> conn host-rslan
>>         leftid=88.88.88.88        # not real IP
>>         left=88.88.88.88
>>         leftsubnet=10.10.200.182/32
>>         rightid=99.99.99.99       # not real IP
>>         right=99.99.99.99
>>         rightsubnet=192.168.1.0/24
>>         ike=aes256-sha1-modp1024!
>>         esp=3des-sha1-modp1024!                   #P2
>>         auto=add
>>
>> Unfortunately there is no log message from the fritzbox, which makes it very difficult to troubleshoot.
>>
>> Thanks for any hint.
>>
>> Regards, Rolf
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
