<html><body><div>As a follow-up: I noticed that the LHS &amp; RHS parameters are different to what we're using. We're using the following:</div><div><br>The IKE lifetime is 84600s; keylife for phase 2 is 28800s.</div><div><br></div><div>_ this I know works for us _</div><div><br></div><div>leftid &amp; rightid = %defaultroute &lt;&lt;&lt;&lt;&lt;</div><div>left = public IP, right = public IP. &lt;&lt;&lt; I think this is related to your 'INVALID_ID_INFORMATION' errors</div><div><br></div><div>leftsourceip = 10.x IP, rightsourceip = 192.168.x</div><div>left/rightsubnets = obviously the same.</div><div><br></div><div>No DPD (because our third party turned it off) and no PFS.</div><div><br>On Jul 24, 2015, at 07:52 AM, Daniel Carraro &lt;daniel@blinkmobile.com.au&gt; wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div dir="ltr">Hi All,<div><br></div><div>I'm running Openswan on an Amazon Linux EC2 instance (inside a VPC) and am trying to connect to a Check Point 4800 Series appliance (running R75.45).</div><div><br></div><div>Phase 1 passes successfully; however, I'm having issues with Phase 2.
Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back to the client.</div><div><br></div><div>I'll give a quick summary of the networks:</div><div>- Our VPC is 10.200.0.0/16; the Openswan instance is 54.66.155.156 (10.200.0.171)</div><div>- Their network is 192.168.187.0/24; their public endpoint is 203.39.70.3 (192.168.187.253)</div><div><br></div><div>What's odd as well: I'm able to ping/telnet servers inside their network (192.168.187.0/24), but they're unable to ping/ssh inside my network (10.200.0.0/16).</div><div><br></div><div>I've included relevant config/log files below, trying to condense when possible:</div><div><br></div><div>/etc/ipsec.conf:</div><div><div>version 2.0 # conforms to second version of ipsec.conf specification</div><div># basic configuration</div><div>config setup</div><div> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div><div> klipsdebug=none</div><div> plutodebug="control parsing"</div><div> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div> protostack=netkey</div><div> nat_traversal=yes</div><div> virtual_private=</div><div> oe=off</div><div> # Enable this if you see "failed to find any available worker"</div><div> # nhelpers=0</div><div> # custom config options</div><div> force_keepalive=yes</div><div> keep_alive=10</div><div># You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.</div><div>include /etc/ipsec.d/*.conf</div></div><div><br></div><div>/etc/ipsec.d/wc-vpn.conf:</div><div><div>conn wc-vpn</div><div> type=tunnel</div><div> auth=esp</div><div> authby=secret</div><div><br></div><div> left=10.200.0.171</div><div> leftid=54.66.155.156</div><div> leftnexthop=%defaultroute</div><div> leftsubnet=10.200.0.0/16</div><div> leftprotoport=0/0</div><div><br></div><div> right=203.39.70.3</div><div> rightid=203.39.70.3/32</div><div> rightsubnet=192.168.187.0/24</div><div> rightnexthop=192.168.187.253</div><div> rightprotoport=0/0</div><div><br></div><div> keyexchange=ike</div><div> ike=aes256-sha1;modp1024!</div><div> ikelifetime=28800s</div><div><br></div><div> phase2alg=aes256-sha1</div><div> keylife=3600s</div><div><br></div><div> dpddelay=3</div><div> dpdtimeout=10</div><div> dpdaction=clear</div><div><br></div><div> pfs=no</div><div> auto=start</div><div> forceencaps=yes</div><div> compress=no</div></div><div><br></div><div>/etc/ipsec.d/wc-vpn.secrets (with the actual PSK changed):</div><div>54.66.155.156 203.39.70.3: PSK "1234567890"</div><div><br></div><div>Finally, a snippet from /var/log/secure:</div><div><div>Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500</div><div>Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -&gt; 203.39.70.3/32:0/0</div><div>Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171&lt;10.200.0.171&gt;[54.66.155.156,+S=C]...203.39.70.3&lt;203.39.70.3&gt;[+S=C]</div><div><br></div><div>Any help would be greatly appreciated.</div><div><br></div><div>Thanks,</div><div>Daniel</div></div></div><div class="_stretch"><span class="body-text-content">_______________________________________________<br><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br></span></div></div></blockquote></div></body></html>
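<div>A way to read the INVALID_ID_INFORMATION / "the peer proposed" pair in the log quoted above, as an added example: a small checker that parses the conn and the pluto lines and reports which configured subnet the proposed Phase 2 selectors fail to match. This is not code from the thread or from Openswan. It assumes that pluto's "the peer proposed: A:p/q -&gt; B:p/q" line lists the responder's own client network first and the network the peer claims for itself second, and that Openswan's IKEv1 quick mode needs both to equal the configured client subnets exactly (no narrowing). The sample conn and log lines are the ones from the post, trimmed to what the check needs.</div>

```python
"""Compare the Phase 2 selectors a peer proposed with a conn's configured
subnets, to explain an Openswan (pluto) INVALID_ID_INFORMATION.

Added example; not code from the thread or from Openswan.
Assumptions (not confirmed by the thread): in pluto's
"the peer proposed: A:p/q -> B:p/q" line, A is the responder's own client
network and B is the peer's, and IKEv1 quick mode needs an exact match of
both against the configured subnets.
"""
import ipaddress
import re

PEER_PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): the peer proposed: '
    r'(?P<ours>[0-9a-fA-F:.]+/\d+):(?P<oproto>\d+)/(?P<oport>\d+) -> '
    r'(?P<theirs>[0-9a-fA-F:.]+/\d+):(?P<tproto>\d+)/(?P<tport>\d+)'
)

# Constructed sample: the conn from the post, trimmed to what the check needs.
SAMPLE_CONF = """\
conn wc-vpn
 type=tunnel
 authby=secret
 left=10.200.0.171
 leftid=54.66.155.156
 leftsubnet=10.200.0.0/16
 leftprotoport=0/0
 right=203.39.70.3
 rightid=203.39.70.3/32
 rightsubnet=192.168.187.0/24
 rightprotoport=0/0
"""

# Sample log lines taken from the post.
SAMPLE_LOG = [
    'Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted '
    'notification INVALID_ID_INFORMATION to 203.39.70.3:500',
    'Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: '
    '10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0',
]


def parse_conns(conf_text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} for 'conn' sections only."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns


def parse_peer_proposal(line):
    """Selectors from a 'the peer proposed' line, or None for any other line."""
    m = PEER_PROPOSED_RE.search(line)
    if m is None:
        return None
    return {
        "conn": m.group("conn"),
        "ours": ipaddress.ip_network(m.group("ours"), strict=False),
        "theirs": ipaddress.ip_network(m.group("theirs"), strict=False),
        "ours_protoport": f"{m.group('oproto')}/{m.group('oport')}",
        "theirs_protoport": f"{m.group('tproto')}/{m.group('tport')}",
    }


def configured_client(conn, side):
    """Client network for 'left'/'right': the subnet if set, else the endpoint as a host."""
    return ipaddress.ip_network(conn.get(side + "subnet") or conn[side], strict=False)


def check_proposal(conns, proposal):
    """Mismatch descriptions for one proposal; empty when it fits the conn exactly."""
    conn = conns.get(proposal["conn"])
    if conn is None:
        return [f"no conn named {proposal['conn']!r} in the configuration"]
    problems = []
    for key, side in (("ours", "left"), ("theirs", "right")):
        got, want = proposal[key], configured_client(conn, side)
        if got == want:
            continue
        if got.subnet_of(want):
            relation = "narrower than"      # peer narrowed: IKEv1 needs the exact subnet
        elif want.subnet_of(got):
            relation = "wider than"
        else:
            relation = "disjoint from"      # peer talks about a different network entirely
        problems.append(f"{side}subnet: peer proposed {got}, {relation} configured {want}")
    for key, side in (("ours", "left"), ("theirs", "right")):
        got, want = proposal[key + "_protoport"], conn.get(side + "protoport", "0/0")
        if got != want:
            problems.append(f"{side}protoport: peer proposed {got}, configured {want}")
    return problems


def diagnose(conf_text, log_lines):
    """Run every 'the peer proposed' line in the log against the configuration."""
    conns = parse_conns(conf_text)
    findings = []
    for line in log_lines:
        proposal = parse_peer_proposal(line)
        if proposal is not None:
            findings.extend(check_proposal(conns, proposal))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

<div>Run against the post's own lines the checker reports that the left side of the proposal (10.200.0.0/16) matches leftsubnet, while the peer's side (203.39.70.3/32) is disjoint from the configured rightsubnet 192.168.187.0/24; the same function reports "narrower than" when a peer proposes a subset of a configured subnet, which is the other common way to hit this notification.</div>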