[strongSwan] received INVALID_ID_INFORMATION error notify
Rolf Schöpfer
rolf at samplezone.ch
Fri May 23 22:02:03 CEST 2014
I set debug of ike to 4 and compared ok VPN (monowall - strongswan) with nok VPN (fritzbox - strongswan):
OK VPN
==============
May 23 18:11:36 development charon: 13[ENC] generating QUICK_MODE response 3987728709 [ HASH SA No ID ID ]
May 23 18:11:36 development charon: 13[IKE] next IV for MID 3987728709 => 16 bytes @ 0x8725420
May 23 18:11:36 development charon: 13[IKE] 0: FE E1 E2 87 FF 25 0B 2B E8 9C EA 60 F2 0C F6 D0 .....%.+...`....
May 23 18:11:36 development charon: 13[NET] sending packet: from [xx.xx.xx.xx leftip][4500] to [xx.xx.xx.xx rightip][11856] (172 bytes)
May 23 18:11:36 development charon: 15[NET] received packet: from [xx.xx.xx.xx rightip][11856] to [xx.xx.xx.xx leftip][4500] (60 bytes)
May 23 18:11:36 development charon: 15[ENC] parsed QUICK_MODE request 3987728709 [ HASH ]
NOK VPN
==============
May 23 18:07:37 development charon: 02[ENC] generating QUICK_MODE response 1546379303 [ HASH SA No KE ID ID ]
May 23 18:07:37 development charon: 02[IKE] next IV for MID 1546379303 => 16 bytes @ 0x8727540
May 23 18:07:37 development charon: 02[IKE] 0: 9B 5B A0 F0 77 18 18 18 F4 BD 22 94 C0 0C 58 A1 .[..w....."...X.
May 23 18:07:37 development charon: 02[NET] sending packet: from [xx.xx.xx.xx leftip][4500] to [xx.xx.xx.xx rightip][4500] (316 bytes)
May 23 18:07:37 development charon: 01[NET] received packet: from [xx.xx.xx.xx rightip][4500] to [xx.xx.xx.xx leftip][4500] (76 bytes)
May 23 18:07:37 development charon: 01[IKE] next IV for MID 174342501 => 16 bytes @ 0x8722410
May 23 18:07:37 development charon: 01[IKE] 0: A3 11 E4 7E F1 CC 7B 7E A6 70 23 68 76 70 AC F7 ...~..{~.p#hvp..
May 23 18:07:37 development charon: 01[ENC] parsed INFORMATIONAL_V1 request 174342501 [ HASH N(INVAL_ID) ]
Is there something I can read from those HEX values? I converted hex to dec, still no meaning for me. Also quick mode response seems to be slightly different [ HASH SA No ID ID ] <-> [ HASH SA No KE
ID ID ].
Regards, Rolf
Am 23.05.2014 17:48, schrieb Rolf Schöpfer:
> Hi Noel
>
> Am 23.05.2014 16:38, schrieb Noel Kuntze:
>> Hello Rolf,
>>
>> I think the error you get is caused by wrong ID information in phase two. I never got that error and don't use a fritzbox, but I think you should look at the IPsec documentation of it.
> Is ist possible to make this ID information visible with some debug settings? There's not a lot of information about fritzbox vpn. Only a config file to fine adjust and upload in browser (admin
> interface):
>
> vpncfg {
> connections {
> enabled = yes;
> conn_type = conntype_lan;
> name = "88.88.88.88";
> always_renew = yes;
> reject_not_encrypted = no;
> dont_filter_netbios = yes;
> localip = 0.0.0.0;
> local_virtualip = 0.0.0.0;
> remoteip = 88.88.88.88;
> remote_virtualip = 0.0.0.0;
> localid {
> ipaddr = 99.99.99.99;
> }
> remoteid {
> ipaddr = 88.88.88.88;
> }
> mode = phase1_mode_idp;
> phase1ss = "alt/all/all";
> keytype = connkeytype_pre_shared;
> key = "***********";
> cert_do_server_auth = no;
> use_nat_t = yes;
> use_xauth = no;
> use_cfgmode = no;
> phase2localid {
> ipnet {
> ipaddr = 192.168.1.0;
> mask = 255.255.255.0;
> }
> }
> phase2remoteid {
> ipnet {
> ipaddr = 10.10.200.182;
> mask = 255.255.255.255;
> }
> }
> phase2ss = “esp-all-all/ah-all/comp-all/pfs”;
> accesslist = "permit ip any 10.10.200.182 255.255.255.255";
> }
> ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
> "udp 0.0.0.0:4500 0.0.0.0:4500";
> }
>
>
> I guess localid and remoteid are those id's. If I could see in logfile what strongSwan gets as ID information it might help.
>
>
>> The low latency when you ping implies, that a local host is pinged and not your remote one.
>> Examine the kernel's ipsec policies (ip xfrm policy) to see, if there is an SA installed, which is used when you ping.
> Yes you're absolutely right, this is some local reply. I'll will check why this happens. Thanks.
>
> Regards, Rolf
>> Am 23.05.2014 16:27, schrieb Rolf Schöpfer:
>>> Hi
>>>
>>> After hours of reading and troubleshoot no solution so far. Still "received INVALID_ID_INFORMATION error notify ". That happens when I ping for remote (right) to local (left).
>>>
>>> BUT... when I ping from local(left) to remote(right) it works!?
>>>
>>> # ping 192.168.1.1
>>> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
>>> 64 bytes from 192.168.1.1: icmp_req=1 ttl=254 time=0.962 ms
>>>
>>> In /varLog/syslog is nothing to see when I ping. And there are no Security Associations:
>>>
>>> # ipsec statusall
>>> ...
>>> Connections:
>>> host-rslan: 88.88.88.88...99.99.99.99 IKEv1, dpddelay=60s
>>> host-rslan: local: [88.88.88.88] uses pre-shared key authentication
>>> host-rslan: remote: [99.99.99.99] uses pre-shared key authentication
>>> host-rslan: child: 10.10.200.182/32 === 192.168.1.0/24 TUNNEL, dpdaction=hold
>>> Security Associations (0 up, 0 connecting):
>>> none
>>>
>>>
>>> Is this how it should work? I don't understand and I'm close to give up...
>>>
>>> Any ideas?
>>>
>>> Regards, Rolf
>>>
>>>
>>> Am 22.05.2014 16:19, schrieb Rolf Schöpfer:
>>>> Hi
>>>>
>>>> VPN fritzbox - strongswan still not working:
>>>>
>>>> May 22 16:06:06 development charon: 15[ENC] parsed QUICK_MODE request 1573336936 [ HASH SA No KE ID ID ]
>>>> May 22 16:06:06 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.168.1.0/24
>>>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for us:
>>>> May 22 16:06:06 development charon: 15[CFG] 10.10.200.182/32
>>>> May 22 16:06:06 development charon: 15[CFG] proposing traffic selectors for other:
>>>> May 22 16:06:06 development charon: 15[CFG] 192.168.1.0/24
>>>> May 22 16:06:06 development charon: 15[CFG] candidate "host-rslan" with prio 5+5
>>>> May 22 16:06:06 development charon: 15[CFG] found matching child config "host-rslan" with prio 10
>>>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for other:
>>>> May 22 16:06:06 development charon: 15[CFG] config: 192.168.1.0/24, received: 192.168.1.0/24 => match: 192.168.1.0/24
>>>> May 22 16:06:06 development charon: 15[CFG] selecting traffic selectors for us:
>>>> May 22 16:06:06 development charon: 15[CFG] config: 10.10.200.182/32, received: 10.10.200.182/32 => match: 10.10.200.182/32
>>>> May 22 16:06:06 development charon: 15[CFG] selecting proposal:
>>>> May 22 16:06:06 development charon: 15[CFG] proposal matches
>>>> May 22 16:06:06 development charon: 15[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>>> May 22 16:06:06 development charon: 15[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>>> May 22 16:06:06 development charon: 15[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>>>> May 22 16:06:06 development charon: 15[ESP] allocating SPI for reqid {8}
>>>> May 22 16:06:06 development charon: 15[ESP] allocated SPI cbc74bc2 for reqid {8}
>>>> May 22 16:06:06 development charon: 15[ENC] generating QUICK_MODE response 1573336936 [ HASH SA No KE ID ID ]
>>>> May 22 16:06:06 development charon: 13[ENC] parsed INFORMATIONAL_V1 request 2104682989 [ HASH N(INVAL_ID) ]
>>>> May 22 16:06:06 development charon: 13[IKE] received INVALID_ID_INFORMATION error notify
>>>>
>>>> I guess this is still Phase1? What ID should I check? Here is my ipsec.conf:
>>>>
>>>> config setup
>>>> charondebug="ike 2, esp 2, chd 1, cfg 2, net 0, enc 1, knl 1"
>>>>
>>>> conn %default
>>>> ikelifetime=60m
>>>> keylife=60m
>>>> rekeymargin=3m
>>>> keyingtries=1
>>>> authby=secret
>>>> keyexchange=ikev1
>>>> mobike=no
>>>> ...
>>>> conn host-rslan
>>>> leftid=88.88.88.88 <---- not real IP
>>>> left=88.88.88.88
>>>> leftsubnet=10.10.200.182/32
>>>> rightid=99.99.99.99 <--- not real IP
>>>> right=99.99.99.99
>>>> rightsubnet=192.168.1.0/24
>>>> ike=aes256-sha1-modp1024!
>>>> esp=3des-sha1-modp1024! #P2
>>>> auto=add
>>>>
>>>> Unfortunately there is no Log message from fritzbox which makes is very difficult to troubleshoot
>>>>
>>>> Thanks for any hint.
>>>>
>>>> Regards, Rolf
>>>>
>>>>
>>>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list