List: openswan-users
Subject: Re: [Openswan Users] INVALID_ID_INFORMATION between Ope
From: Daniel Cave <dan.cave () me ! com>
Date: 2015-07-24 9:41:44
Message-ID: 6daa4511-0964-4799-9f24-270b81d3dd13 () me ! com
As a follow-up - I noticed that the LHS & RHS parameters are different to what we're using; we're using the following:
The IKE lifetime is 84600s, keylife for phase 2 is 28800s
_ this I know works for us _
leftid & rightid = %defaultroute <<<<<
left = public IP, right = public IP. <<< I think this is related to your 'INVALID_ID_INFORMATION' errors
leftsourceip = 10.x IP, rightsourceip = 192.168.x
left/rightsubnets = obv. the same.
No DPD (cos our third party turned it off, and no PFS).
On Jul 24, 2015, at 07:52 AM, Daniel Carraro <daniel@blinkmobile.com.au> wrote:
Hi All,
I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).
Phase 1 passes successfully, however I'm having issues with Phase 2. Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back to the Client.
I'll give a quick summary of the networks:
- Our VPC is 10.200.0.0/16; the OpenSwan instance is 54.66.155.156 (10.200.0.171)
- Their Network is 192.168.187.0/24; Their Public Endpoint is 203.39.70.3 (192.168.187.253)
What's odd as well, I'm able to ping/telnet servers inside their network (192.168.187.0/24), but they're unable to ping/ssh inside my network (10.200.0.0/16)
I've included relevant config/log files below, trying to condense when possible:
/etc/ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    # custom config options
    force_keepalive=yes
    keep_alive=10
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
/etc/ipsec.d/wc-vpn.conf:
conn wc-vpn
    type=tunnel
    auth=esp
    authby=secret

    left=10.200.0.171
    leftid=54.66.155.156
    leftnexthop=%defaultroute
    leftsubnet=10.200.0.0/16
    leftprotoport=0/0

    right=203.39.70.3
    rightid=203.39.70.3/32
    rightsubnet=192.168.187.0/24
    rightnexthop=192.168.187.253
    rightprotoport=0/0

    keyexchange=ike
    ike=aes256-sha1;modp1024!
    ikelifetime=28800s

    phase2alg=aes256-sha1
    keylife=3600s

    dpddelay=3
    dpdtimeout=10
    dpdaction=clear

    pfs=no
    auto=start
    forceencaps=yes
    compress=no
/etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):
54.66.155.156 203.39.70.3: PSK "1234567890"
Finally, a snippet from /var/log/secure:
Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[54.66.155.156,+S=C]...203.39.70.3<203.39.70.3>[+S=C]
Any help would be greatly appreciated.
Thanks,
Daniel
_______________________________________________
Users@lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
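Added diagnostic example (not Openswan code and not from either poster): it parses the selector-relevant keys of the posted conn section and the "the peer proposed" line from the posted log, and reports which side's Phase 2 selector does not match the configuration. It assumes that pluto prints the local (left) selector before the remote one, which is also how the "no connection is known for" line in the same log orders the two ends, that the selectors are IPv4, and that protoport values are numeric as in the posted conn. Run on the thread's own values it flags the right side: the peer offered its gateway address 203.39.70.3/32 as its client instead of the 192.168.187.0/24 the conn expects in rightsubnet, which matches the log's "no connection is known for" line that shows no right-side subnet at all.

```python
"""Compare a pluto 'the peer proposed' log line against an Openswan conn.

Added diagnostic example, not Openswan's own code. The conn text and the
log line below are taken from the mailing-list thread; the ipsec.conf
parser is a minimal approximation (one conn, key=value lines, IPv4 only,
numeric protoport).
"""
import ipaddress
import re

# Constructed from the conn posted in the thread (only the keys that decide
# the Phase 2 selectors are kept).
CONN_TEXT = """\
conn wc-vpn
    type=tunnel
    left=10.200.0.171
    leftid=54.66.155.156
    leftsubnet=10.200.0.0/16
    leftprotoport=0/0
    right=203.39.70.3
    rightsubnet=192.168.187.0/24
    rightprotoport=0/0
"""

# Log line quoted in the thread.
LOG_LINE = ('Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: '
            'the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0')

# Assumption: local selector first, remote selector second.
PROPOSED_RE = re.compile(
    r'the peer proposed: (?P<lnet>\S+?):(?P<lproto>\d+)/(?P<lport>\d+) -> '
    r'(?P<rnet>\S+?):(?P<rproto>\d+)/(?P<rport>\d+)')


def parse_conn(text):
    """Return {key: value} for the key=value lines of one conn section."""
    params = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and indentation
        if not line or line.startswith('conn '):
            continue
        key, _, value = line.partition('=')
        params[key.strip()] = value.strip()
    return params


def parse_proposal(line):
    """Extract (local, remote) selectors from a 'peer proposed' log line.

    Each selector is (ip_network, protocol, port). Returns None when the
    line is not a proposal line.
    """
    m = PROPOSED_RE.search(line)
    if not m:
        return None
    local = (ipaddress.ip_network(m['lnet'], strict=False),
             int(m['lproto']), int(m['lport']))
    remote = (ipaddress.ip_network(m['rnet'], strict=False),
              int(m['rproto']), int(m['rport']))
    return local, remote


def expected_selector(params, side):
    """Selector the conn expects for 'left' or 'right'.

    Without a <side>subnet the selector is the endpoint itself as a /32;
    without a <side>protoport it is 0/0 (any protocol, any port).
    """
    net = params.get(side + 'subnet') or params[side] + '/32'
    proto, _, port = params.get(side + 'protoport', '0/0').partition('/')
    return ipaddress.ip_network(net, strict=False), int(proto), int(port)


def check_proposal(params, proposal):
    """Return mismatch descriptions; an empty list means the selectors agree."""
    findings = []
    for side, got in (('left', proposal[0]), ('right', proposal[1])):
        want = expected_selector(params, side)
        if got != want:
            findings.append(
                f'{side}: peer proposed {got[0]} proto {got[1]} port {got[2]}, '
                f'but conn has {side}subnet={want[0]} '
                f'{side}protoport={want[1]}/{want[2]}')
    return findings


def diagnose(conn_text, log_lines):
    """Run every proposal line in log_lines against the conn."""
    params = parse_conn(conn_text)
    report = []
    for line in log_lines:
        proposal = parse_proposal(line)
        if proposal:
            report.extend(check_proposal(params, proposal))
    return report


if __name__ == '__main__':
    for finding in diagnose(CONN_TEXT, [LOG_LINE]):
        print(finding)
```

The useful property of the check is that it separates the two halves of the selector pair: a proposal that matches on the left and fails on the right points at the peer's encryption domain (here the Checkpoint offering its own gateway as the client), whereas a left-side failure would point at the leftsubnet or leftprotoport on the Openswan side.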