[strongSwan] received INVALID_ID_INFORMATION error notify

Rolf Schöpfer rolf at samplezone.ch
Fri May 23 17:48:15 CEST 2014


Hi Noel

On 23.05.2014 16:38, Noel Kuntze wrote:
> Hello Rolf,
>
> I think the error you get is caused by wrong ID information in phase two. I never got that error and don't use a fritzbox, but I think you should look at the IPsec documentation of it.
Is it possible to make this ID information visible with some debug settings? There's not a lot of information about fritzbox VPN. Only a config file to fine-tune and upload in the browser (admin 
interface):

vpncfg {
         connections {
                 enabled = yes;
                 conn_type = conntype_lan;
                 name = "88.88.88.88";
                 always_renew = yes;
                 reject_not_encrypted = no;
                 dont_filter_netbios = yes;
                 localip = 0.0.0.0;
                 local_virtualip = 0.0.0.0;
                 remoteip = 88.88.88.88;
                 remote_virtualip = 0.0.0.0;
                 localid {
                         ipaddr = 99.99.99.99;
                 }
                 remoteid {
                         ipaddr = 88.88.88.88;
                 }
                 mode = phase1_mode_idp;
                 phase1ss = "alt/all/all";
                 keytype = connkeytype_pre_shared;
                 key = "***********";
                 cert_do_server_auth = no;
                 use_nat_t = yes;
                 use_xauth = no;
                 use_cfgmode = no;
                 phase2localid {
                         ipnet {
                                 ipaddr = 192.168.1.0;
                                 mask = 255.255.255.0;
                         }
                 }
                 phase2remoteid {
                         ipnet {
                                 ipaddr = 10.10.200.182;
                                 mask = 255.255.255.255;
                         }
                 }
                 phase2ss = "esp-all-all/ah-all/comp-all/pfs";
                 accesslist = "permit ip any 10.10.200.182 255.255.255.255";
         }
         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                             "udp 0.0.0.0:4500 0.0.0.0:4500";
}


I guess localid and remoteid are those IDs. If I could see in the log file what strongSwan gets as ID information, it might help.


> The low latency when you ping implies, that a local host is pinged and not your remote one.
> Examine the kernel's ipsec policies (ip xfrm policy) to see, if there is an SA installed, which is used when you ping.
Yes, you're absolutely right, this is some local reply. I'll check why this happens. Thanks.

Regards, Rolf
> On 23.05.2014 16:27, Rolf Schöpfer wrote:
>> Hi
>>
>> After hours of reading and troubleshooting, no solution so far. Still "received INVALID_ID_INFORMATION error notify". That happens when I ping from remote (right) to local (left).
>>
>> BUT... when I ping from local (left) to remote (right) it works!?
>>
>> # ping 192.168.1.1
>> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
>> 64 bytes from 192.168.1.1: icmp_req=1 ttl=254 time=0.962 ms
>>
>> In /var/log/syslog there is nothing to see when I ping. And there are no Security Associations:
>>
>> # ipsec statusall
>> ...
>> Connections:
>>    host-rslan:  88.88.88.88...99.99.99.99  IKEv1, dpddelay=60s
>>    host-rslan:   local:  [88.88.88.88] uses pre-shared key authentication
>>    host-rslan:   remote: [99.99.99.99] uses pre-shared key authentication
>>    host-rslan:   child:  10.10.200.182/32 === 192.168.1.0/24 TUNNEL, dpdaction=hold
>> Security Associations (0 up, 0 connecting):
>>    none
>>
>>
>> Is this how it should work? I don't understand and I'm close to giving up...
>>
>> Any ideas?
>>
>> Regards, Rolf
>>
>>
>> On 22.05.2014 16:19, Rolf Schöpfer wrote:
>>> Hi
>>>
>>> VPN fritzbox - strongswan still not working:
>>>
>>> May 22 16:06:06 development charon: 15[ENC] parsed QUICK_MODE request 1573336936 [ HASH SA No KE ID ID ]
>>> May 22 16:06:06 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.168.1.0/24
>>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for us:
>>> May 22 16:06:06 development charon: 15[CFG]  10.10.200.182/32
>>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for other:
>>> May 22 16:06:06 development charon: 15[CFG]  192.168.1.0/24
>>> May 22 16:06:06 development charon: 15[CFG]   candidate "host-rslan" with prio 5+5
>>> May 22 16:06:06 development charon: 15[CFG] found matching child config "host-rslan" with prio 10
>>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for other:
>>> May 22 16:06:06 development charon: 15[CFG]  config: 192.168.1.0/24, received: 192.168.1.0/24 => match: 192.168.1.0/24
>>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for us:
>>> May 22 16:06:06 development charon: 15[CFG]  config: 10.10.200.182/32, received: 10.10.200.182/32 => match: 10.10.200.182/32
>>> May 22 16:06:06 development charon: 15[CFG] selecting proposal:
>>> May 22 16:06:06 development charon: 15[CFG]   proposal matches
>>> May 22 16:06:06 development charon: 15[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>> May 22 16:06:06 development charon: 15[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>> May 22 16:06:06 development charon: 15[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>> May 22 16:06:06 development charon: 15[ESP] allocating SPI for reqid {8}
>>> May 22 16:06:06 development charon: 15[ESP] allocated SPI cbc74bc2 for reqid {8}
>>> May 22 16:06:06 development charon: 15[ENC] generating QUICK_MODE response 1573336936 [ HASH SA No KE ID ID ]
>>> May 22 16:06:06 development charon: 13[ENC] parsed INFORMATIONAL_V1 request 2104682989 [ HASH N(INVAL_ID) ]
>>> May 22 16:06:06 development charon: 13[IKE] received INVALID_ID_INFORMATION error notify
>>>
>>> I guess this is still Phase 1? What ID should I check? Here is my ipsec.conf:
>>>
>>> config setup
>>>          charondebug="ike 2, esp 2, chd 1, cfg 2, net 0, enc 1, knl 1"
>>>
>>> conn %default
>>>          ikelifetime=60m
>>>          keylife=60m
>>>          rekeymargin=3m
>>>          keyingtries=1
>>>          authby=secret
>>>          keyexchange=ikev1
>>>          mobike=no
>>> ...
>>> conn host-rslan
>>>          leftid=88.88.88.88        # not real IP
>>>          left=88.88.88.88
>>>          leftsubnet=10.10.200.182/32
>>>          rightid=99.99.99.99       # not real IP
>>>          right=99.99.99.99
>>>          rightsubnet=192.168.1.0/24
>>>          ike=aes256-sha1-modp1024!
>>>          esp=3des-sha1-modp1024!                   #P2
>>>          auto=add
>>>
>>> Unfortunately there is no log message from fritzbox, which makes it very difficult to troubleshoot.
>>>
>>> Thanks for any hint.
>>>
>>> Regards, Rolf
>>>
>>>
>>>
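An added example for this thread (not code from strongSwan or from AVM): a small cross-check of the two configurations posted above. The charon log shows the QUICK_MODE response going out and the INVALID_ID_INFORMATION notify coming back in an INFORMATIONAL from the peer, so it is the Fritz!Box that rejects the phase 2 IDs; the usual first check is therefore whether its localid/remoteid and phase2localid/phase2remoteid are the exact mirror image of strongSwan's rightid/leftid and rightsubnet/leftsubnet. The two config excerpts embedded below are constructed from the ones in the thread, with the same placeholder addresses; the conn name "host-rslan" and the field names are taken from the posts.

```python
"""Cross-check a Fritz!Box vpncfg export against a strongSwan ipsec.conf conn.

Added example, not strongSwan or AVM code. In IKEv1 Quick Mode each side sends
two ID payloads (IDci/IDcr, the phase 2 traffic selectors); a responder that
cannot match them against its configured selectors answers with an
INVALID_ID_INFORMATION notify. The Fritz!Box is strongSwan's "right" peer, so
every Fritz!Box local* value must equal a strongSwan right* value and vice versa.
"""
import ipaddress
import re

# Constructed sample: the Fritz!Box side, reduced to the ID-relevant settings.
FRITZ_VPNCFG = """
vpncfg {
        connections {
                enabled = yes;
                name = "88.88.88.88";
                remoteip = 88.88.88.88;
                localid {
                        ipaddr = 99.99.99.99;
                }
                remoteid {
                        ipaddr = 88.88.88.88;
                }
                keytype = connkeytype_pre_shared;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 10.10.200.182;
                                mask = 255.255.255.255;
                        }
                }
        }
}
"""

# Constructed sample: the strongSwan side (annotations turned into comments).
IPSEC_CONF = """
conn host-rslan
        leftid=88.88.88.88            # not real IP
        left=88.88.88.88
        leftsubnet=10.10.200.182/32
        rightid=99.99.99.99           # not real IP
        right=99.99.99.99
        rightsubnet=192.168.1.0/24
        ike=aes256-sha1-modp1024!
        esp=3des-sha1-modp1024!       # P2
        auto=add
"""


def parse_fritz(text):
    """Return phase 1 IDs and phase 2 networks of a vpncfg 'connections' block."""
    def ip_id(name):
        # \b stops 'localid {' from also matching inside 'phase2localid {'
        m = re.search(r"\b%s\s*\{\s*ipaddr\s*=\s*([\d.]+)\s*;" % name, text)
        return ipaddress.ip_address(m.group(1))

    def ipnet(name):
        m = re.search(r"\b%s\s*\{\s*ipnet\s*\{\s*ipaddr\s*=\s*([\d.]+)\s*;"
                      r"\s*mask\s*=\s*([\d.]+)\s*;" % name, text)
        # ipaddress accepts dotted masks; strict=False tolerates host bits set
        return ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False)

    return {"localid": ip_id("localid"), "remoteid": ip_id("remoteid"),
            "phase2localid": ipnet("phase2localid"),
            "phase2remoteid": ipnet("phase2remoteid")}


def parse_ipsec(text, conn="host-rslan"):
    """Return the key=value settings of one conn section, comments dropped."""
    settings, in_conn = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            in_conn = line.split(None, 1)[1] == conn
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def compare(fritz, swan):
    """List every Fritz!Box ID that is not the mirror image of the strongSwan conn."""
    expect = [
        ("localid", fritz["localid"], ipaddress.ip_address(swan["rightid"]), "rightid"),
        ("remoteid", fritz["remoteid"], ipaddress.ip_address(swan["leftid"]), "leftid"),
        ("phase2localid", fritz["phase2localid"],
         ipaddress.ip_network(swan["rightsubnet"]), "rightsubnet"),
        ("phase2remoteid", fritz["phase2remoteid"],
         ipaddress.ip_network(swan["leftsubnet"]), "leftsubnet"),
    ]
    return ["Fritz!Box %s=%s does not match strongSwan %s=%s" % (fk, fv, sk, sv)
            for fk, fv, sv, sk in expect if fv != sv]


if __name__ == "__main__":
    problems = compare(parse_fritz(FRITZ_VPNCFG), parse_ipsec(IPSEC_CONF))
    print("\n".join(problems) if problems else "phase 1 and phase 2 IDs mirror each other")
```

For the configs as posted the check comes back clean, which matches the "config: ..., received: ... => match: ..." lines in the charon log: with charondebug "cfg 2" those lines already show the traffic selectors strongSwan received, and the IKE_SA establishment line prints the phase 1 IDs in square brackets next to each address. When the check is clean and the notify still arrives, what is left to compare is the strongSwan side's QUICK_MODE response against what the Fritz!Box expects, since the notify is the Fritz!Box's verdict, not strongSwan's.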


