[strongSwan] received INVALID_ID_INFORMATION error notify

Rolf Schöpfer rolf at samplezone.ch
Fri May 23 22:02:03 CEST 2014


I set debug of ike to 4 and compared ok VPN (monowall - strongswan) with nok VPN (fritzbox - strongswan):

OK VPN
==============
May 23 18:11:36 development charon: 13[ENC] generating QUICK_MODE response 3987728709 [ HASH SA No ID ID ]
May 23 18:11:36 development charon: 13[IKE] next IV for MID 3987728709 => 16 bytes @ 0x8725420
May 23 18:11:36 development charon: 13[IKE]    0: FE E1 E2 87 FF 25 0B 2B E8 9C EA 60 F2 0C F6 D0  .....%.+...`....
May 23 18:11:36 development charon: 13[NET] sending packet: from [xx.xx.xx.xx leftip][4500] to [xx.xx.xx.xx rightip][11856] (172 bytes)
May 23 18:11:36 development charon: 15[NET] received packet: from [xx.xx.xx.xx rightip][11856] to [xx.xx.xx.xx leftip][4500] (60 bytes)
May 23 18:11:36 development charon: 15[ENC] parsed QUICK_MODE request 3987728709 [ HASH ]

NOK VPN
==============
May 23 18:07:37 development charon: 02[ENC] generating QUICK_MODE response 1546379303 [ HASH SA No KE ID ID ]
May 23 18:07:37 development charon: 02[IKE] next IV for MID 1546379303 => 16 bytes @ 0x8727540
May 23 18:07:37 development charon: 02[IKE]    0: 9B 5B A0 F0 77 18 18 18 F4 BD 22 94 C0 0C 58 A1  .[..w....."...X.
May 23 18:07:37 development charon: 02[NET] sending packet: from [xx.xx.xx.xx leftip][4500] to [xx.xx.xx.xx rightip][4500] (316 bytes)
May 23 18:07:37 development charon: 01[NET] received packet: from [xx.xx.xx.xx rightip][4500] to [xx.xx.xx.xx leftip][4500] (76 bytes)
May 23 18:07:37 development charon: 01[IKE] next IV for MID 174342501 => 16 bytes @ 0x8722410
May 23 18:07:37 development charon: 01[IKE]    0: A3 11 E4 7E F1 CC 7B 7E A6 70 23 68 76 70 AC F7  ...~..{~.p#hvp..
May 23 18:07:37 development charon: 01[ENC] parsed INFORMATIONAL_V1 request 174342501 [ HASH N(INVAL_ID) ]

Is there something I can read from those HEX values? I converted hex to dec, still no meaning for me. Also the quick mode response seems to be slightly different: [ HASH SA No ID ID ] <-> [ HASH SA No KE ID ID ].

Regards, Rolf





On 23.05.2014 17:48, Rolf Schöpfer wrote:
> Hi Noel
>
> On 23.05.2014 16:38, Noel Kuntze wrote:
>> Hello Rolf,
>>
>> I think the error you get is caused by wrong ID information in phase two. I never got that error and don't use a fritzbox, but I think you should look at the IPsec documentation of it.
> Is it possible to make this ID information visible with some debug settings? There's not a lot of information about fritzbox vpn. Only a config file to fine adjust and upload in browser (admin interface):
>
> vpncfg {
>         connections {
>                 enabled = yes;
>                 conn_type = conntype_lan;
>                 name = "88.88.88.88";
>                 always_renew = yes;
>                 reject_not_encrypted = no;
>                 dont_filter_netbios = yes;
>                 localip = 0.0.0.0;
>                 local_virtualip = 0.0.0.0;
>                 remoteip = 88.88.88.88;
>                 remote_virtualip = 0.0.0.0;
>                 localid {
>                         ipaddr = 99.99.99.99;
>                 }
>                 remoteid {
>                         ipaddr = 88.88.88.88;
>                 }
>                 mode = phase1_mode_idp;
>                 phase1ss = "alt/all/all";
>                 keytype = connkeytype_pre_shared;
>                 key = "***********";
>                 cert_do_server_auth = no;
>                 use_nat_t = yes;
>                 use_xauth = no;
>                 use_cfgmode = no;
>                 phase2localid {
>                         ipnet {
>                                 ipaddr = 192.168.1.0;
>                                 mask = 255.255.255.0;
>                         }
>                 }
>                 phase2remoteid {
>                         ipnet {
>                                 ipaddr = 10.10.200.182;
>                                 mask = 255.255.255.255;
>                         }
>                 }
>                 phase2ss = “esp-all-all/ah-all/comp-all/pfs”;
>                 accesslist = "permit ip any 10.10.200.182 255.255.255.255";
>         }
>         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>                             "udp 0.0.0.0:4500 0.0.0.0:4500";
> }
>
>
> I guess localid and remoteid are those IDs. If I could see in the logfile what strongSwan gets as ID information it might help.
>
>
>> The low latency when you ping implies that a local host is pinged and not your remote one.
>> Examine the kernel's ipsec policies (ip xfrm policy) to see if there is an SA installed which is used when you ping.
> Yes you're absolutely right, this is some local reply. I will check why this happens. Thanks.
>
> Regards, Rolf
>> On 23.05.2014 16:27, Rolf Schöpfer wrote:
>>> Hi
>>>
>>> After hours of reading and troubleshooting, no solution so far. Still "received INVALID_ID_INFORMATION error notify". That happens when I ping from remote (right) to local (left).
>>>
>>> BUT... when I ping from local(left) to remote(right) it works!?
>>>
>>> # ping 192.168.1.1
>>> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
>>> 64 bytes from 192.168.1.1: icmp_req=1 ttl=254 time=0.962 ms
>>>
>>> In /var/log/syslog there is nothing to see when I ping. And there are no Security Associations:
>>>
>>> # ipsec statusall
>>> ...
>>> Connections:
>>>    host-rslan:  88.88.88.88...99.99.99.99  IKEv1, dpddelay=60s
>>>    host-rslan:   local:  [88.88.88.88] uses pre-shared key authentication
>>>    host-rslan:   remote: [99.99.99.99] uses pre-shared key authentication
>>>    host-rslan:   child:  10.10.200.182/32 === 192.168.1.0/24 TUNNEL, dpdaction=hold
>>> Security Associations (0 up, 0 connecting):
>>>    none
>>>
>>>
>>> Is this how it should work? I don't understand and I'm close to giving up...
>>>
>>> Any ideas?
>>>
>>> Regards, Rolf
>>>
>>>
>>> On 22.05.2014 16:19, Rolf Schöpfer wrote:
>>>> Hi
>>>>
>>>> VPN fritzbox - strongswan still not working:
>>>>
>>>> May 22 16:06:06 development charon: 15[ENC] parsed QUICK_MODE request 1573336936 [ HASH SA No KE ID ID ]
>>>> May 22 16:06:06 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.168.1.0/24
>>>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for us:
>>>> May 22 16:06:06 development charon: 15[CFG] 10.10.200.182/32
>>>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for other:
>>>> May 22 16:06:06 development charon: 15[CFG]  192.168.1.0/24
>>>> May 22 16:06:06 development charon: 15[CFG]   candidate "host-rslan" with prio 5+5
>>>> May 22 16:06:06 development charon: 15[CFG] found matching child config "host-rslan" with prio 10
>>>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for other:
>>>> May 22 16:06:06 development charon: 15[CFG]  config: 192.168.1.0/24, received: 192.168.1.0/24 => match: 192.168.1.0/24
>>>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for us:
>>>> May 22 16:06:06 development charon: 15[CFG]  config: 10.10.200.182/32, received: 10.10.200.182/32 => match: 10.10.200.182/32
>>>> May 22 16:06:06 development charon: 15[CFG] selecting proposal:
>>>> May 22 16:06:06 development charon: 15[CFG]   proposal matches
>>>> May 22 16:06:06 development charon: 15[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>>> May 22 16:06:06 development charon: 15[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>>> May 22 16:06:06 development charon: 15[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>>> May 22 16:06:06 development charon: 15[ESP] allocating SPI for reqid {8}
>>>> May 22 16:06:06 development charon: 15[ESP] allocated SPI cbc74bc2 for reqid {8}
>>>> May 22 16:06:06 development charon: 15[ENC] generating QUICK_MODE response 1573336936 [ HASH SA No KE ID ID ]
>>>> May 22 16:06:06 development charon: 13[ENC] parsed INFORMATIONAL_V1 request 2104682989 [ HASH N(INVAL_ID) ]
>>>> May 22 16:06:06 development charon: 13[IKE] received INVALID_ID_INFORMATION error notify
>>>>
>>>> I guess this is still Phase1? What ID should I check? Here is my ipsec.conf:
>>>>
>>>> config setup
>>>>          charondebug="ike 2, esp 2, chd 1, cfg 2, net 0, enc 1, knl 1"
>>>>
>>>> conn %default
>>>>          ikelifetime=60m
>>>>          keylife=60m
>>>>          rekeymargin=3m
>>>>          keyingtries=1
>>>>          authby=secret
>>>>          keyexchange=ikev1
>>>>          mobike=no
>>>> ...
>>>> conn host-rslan
>>>>          leftid=88.88.88.88 <---- not real IP
>>>>          left=88.88.88.88
>>>>          leftsubnet=10.10.200.182/32
>>>>          rightid=99.99.99.99 <--- not real IP
>>>>          right=99.99.99.99
>>>>          rightsubnet=192.168.1.0/24
>>>>          ike=aes256-sha1-modp1024!
>>>>          esp=3des-sha1-modp1024!                   #P2
>>>>          auto=add
>>>>
>>>> Unfortunately there is no log message from the fritzbox, which makes it very difficult to troubleshoot.
>>>>
>>>> Thanks for any hint.
>>>>
>>>> Regards, Rolf
>>>>
>>>>
>>>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
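The following is an added example, not part of this thread and not strongSwan's own code. It shows how to pull the useful information out of the charon lines quoted above instead of staring at the hex dumps: the hex lines are logged as "next IV for MID", the initialization vector for the next encrypted message, and carry no identity information. What does carry information is the payload list in brackets (a KE payload in a Quick Mode exchange means PFS is being negotiated, which is why the fritzbox exchange shows "KE" and the monowall one does not) and the "[CFG] looking for a child config for A === B" line, which is where charon logs the traffic selectors it derived from the peer's phase-2 ID payloads. The script parses those lines, summarises each Quick Mode message ID, diffs the payload lists of two exchanges, and checks the logged selectors against the leftsubnet/rightsubnet pair from the ipsec.conf in the thread. The sample log is constructed from the quoted lines; the function names, the regular expressions and the order-based attribution of the INVAL_ID notify to the preceding Quick Mode exchange are the example's own assumptions.

```python
import re

# Constructed sample, modelled on the charon lines quoted in this thread.
# MIDs, timestamps and selectors are copied from the quoted log; it is not a full capture.
SAMPLE_LOG = """\
May 23 18:11:36 development charon: 13[ENC] generating QUICK_MODE response 3987728709 [ HASH SA No ID ID ]
May 23 18:11:36 development charon: 13[IKE] next IV for MID 3987728709 => 16 bytes @ 0x8725420
May 23 18:11:36 development charon: 15[ENC] parsed QUICK_MODE request 3987728709 [ HASH ]
May 23 18:07:37 development charon: 02[ENC] parsed QUICK_MODE request 1546379303 [ HASH SA No KE ID ID ]
May 23 18:07:37 development charon: 02[CFG] looking for a child config for 10.10.200.182/32 === 192.168.1.0/24
May 23 18:07:37 development charon: 02[ENC] generating QUICK_MODE response 1546379303 [ HASH SA No KE ID ID ]
May 23 18:07:37 development charon: 01[ENC] parsed INFORMATIONAL_V1 request 174342501 [ HASH N(INVAL_ID) ]
May 23 18:07:37 development charon: 01[IKE] received INVALID_ID_INFORMATION error notify
"""

# Shape of a charon syslog line: "<date> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# "parsed|generating <EXCHANGE> request|response <MID> [ payload payload ... ]"
EXCH_RE = re.compile(
    r"^(?:parsed|generating) (?P<exch>[A-Z0-9_]+) (?:request|response) (?P<mid>\d+) \[ (?P<payloads>[^\]]*?) \]$"
)
# The selectors charon derived from the peer's phase-2 ID payloads ("us === other").
CHILD_RE = re.compile(r"^looking for a child config for (?P<us>\S+) === (?P<other>\S+)$")


def parse_events(text):
    """Turn charon log lines into dicts; lines that are not charon output are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"group": m["group"], "msg": m["msg"]}
        ex = EXCH_RE.match(ev["msg"])
        if ex:
            ev["exch"] = ex["exch"]
            ev["mid"] = ex["mid"]
            ev["payloads"] = ex["payloads"].split()
        ch = CHILD_RE.match(ev["msg"])
        if ch:
            ev["selectors"] = (ch["us"], ch["other"])
        events.append(ev)
    return events


def quick_mode_summary(events):
    """Per Quick Mode message ID: the fullest payload list seen, whether a KE payload was
    carried (KE in IKEv1 Quick Mode means PFS is negotiated), the traffic selectors charon
    looked up, and whether an INVAL_ID notify followed. IKEv1 informational exchanges carry
    their own MID, so the notify is attributed to the most recent Quick Mode exchange in log
    order; that is a heuristic of this example, not a protocol-level link."""
    summary = {}
    current = None
    for ev in events:
        if ev.get("exch") == "QUICK_MODE":
            current = summary.setdefault(
                ev["mid"], {"payloads": [], "pfs": False, "selectors": None, "invalid_id": False}
            )
            if len(ev["payloads"]) > len(current["payloads"]):
                current["payloads"] = ev["payloads"]
            current["pfs"] = current["pfs"] or "KE" in ev["payloads"]
        elif current is None:
            continue
        elif "selectors" in ev:
            current["selectors"] = ev["selectors"]
        elif ev.get("exch") == "INFORMATIONAL_V1" and "N(INVAL_ID)" in ev["payloads"]:
            current["invalid_id"] = True
    return summary


def payload_diff(a, b):
    """Payload types present in one Quick Mode message but not in the other."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


def selectors_match(entry, leftsubnet, rightsubnet):
    """True when the selectors charon logged for this exchange equal the ipsec.conf
    leftsubnet/rightsubnet pair (charon logs them in 'us === other' order)."""
    return entry["selectors"] == (leftsubnet, rightsubnet)


if __name__ == "__main__":
    summary = quick_mode_summary(parse_events(SAMPLE_LOG))
    for mid, entry in summary.items():
        print(mid, entry)
    ok, nok = summary["3987728709"], summary["1546379303"]
    print("payloads only in ok / only in nok:", payload_diff(ok["payloads"], nok["payloads"]))
    # leftsubnet/rightsubnet values are those from the ipsec.conf quoted in the thread
    print("nok selectors match ipsec.conf:", selectors_match(nok, "10.10.200.182/32", "192.168.1.0/24"))
```

Run it against a real charon log with "cfg 2" and "enc 1" enabled, as in the quoted charondebug line, and the selectors field shows exactly what strongSwan received as phase-2 ID information; if it prints None for an exchange that ended in INVAL_ID, the peer rejected the IDs before charon got as far as a child config lookup, and the comparison has to be made on the peer's side instead.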