[Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint

Simon Deziel simon at xelerance.com
Wed Jul 29 11:31:59 EDT 2015


Hi Daniel,

You might find the following wiki page helpful:
https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example

Regards,
Simon

On 07/24/2015 02:51 AM, Daniel Carraro wrote:
> Hi All,
> 
> I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and
> am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).
> 
> Phase 1 passes successfully, however I'm having issues with Phase 2.
> Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back
> to the Client.
> 
> I'll give a quick summary of the networks:
> - Our VPC is 10.200.0.0/16; the OpenSwan instance is 54.66.155.156
> (10.200.0.171)
> - Their network is 192.168.187.0/24; their public endpoint is 203.39.70.3
> (192.168.187.253)
> 
> What's odd as well is that I'm able to ping/telnet servers inside their
> network (192.168.187.0/24), but they're unable to ping/ssh inside my
> network (10.200.0.0/16).
> 
> I've included relevant config/log files below, trying to condense when
> possible:
> 
> /etc/ipsec.conf:
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>          klipsdebug=none
>          plutodebug="control parsing"
>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=
>         oe=off
>         # Enable this if you see "failed to find any available worker"
>         # nhelpers=0
>         # custom config options
>         force_keepalive=yes
>         keep_alive=10
> # You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
> include /etc/ipsec.d/*.conf
> 
> /etc/ipsec.d/wc-vpn.conf:
> conn wc-vpn
>         type=tunnel
>         auth=esp
>         authby=secret
> 
>         left=10.200.0.171
>         leftid=54.66.155.156
>         leftnexthop=%defaultroute
>         leftsubnet=10.200.0.0/16
>         leftprotoport=0/0
> 
>         right=203.39.70.3
>         rightid=203.39.70.3/32
>         rightsubnet=192.168.187.0/24
>         rightnexthop=192.168.187.253
>         rightprotoport=0/0
> 
>         keyexchange=ike
>         ike=aes256-sha1;modp1024!
>         ikelifetime=28800s
> 
>         phase2alg=aes256-sha1
>         keylife=3600s
> 
>         dpddelay=3
>         dpdtimeout=10
>         dpdaction=clear
> 
>         pfs=no
>         auto=start
>         forceencaps=yes
>         compress=no
> 
> /etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):
> 54.66.155.156 203.39.70.3: PSK "1234567890"
> 
> Finally, a snippet from /var/log/secure:
> Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
> Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
> Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[54.66.155.156,+S=C]...203.39.70.3<203.39.70.3>[+S=C]
> 
> Any help would be greatly appreciated.
> 
> Thanks,
> Daniel
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> 
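The log above records the actual cause of the INVALID_ID_INFORMATION: the Checkpoint proposes 203.39.70.3/32 as its side of the Phase 2 selector, while the conn expects rightsubnet=192.168.187.0/24, so pluto finds no matching connection. The following is an added example (not Openswan's code) that parses the conn section and pluto's "the peer proposed" lines and reports selectors that differ from leftsubnet/rightsubnet; it assumes pluto prints the proposal as our-selector -> peer-selector, and the sample config and log lines are constructed from the post.

```python
import re
from ipaddress import ip_network

# Constructed samples taken from the post above: the conn subnets and two pluto log lines.
CONF = """\
conn wc-vpn
        leftsubnet=10.200.0.0/16
        rightsubnet=192.168.187.0/24
"""
LOG = """\
Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
"""

# Assumed pluto wording: '"<conn>" #<n>: the peer proposed: OURS:proto/port -> THEIRS:proto/port'
PROPOSAL_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
    r'(?P<ours>[\d.]+/\d+):\S+ -> (?P<theirs>[\d.]+/\d+):\S+')

def parse_conns(conf_text):
    """Parse 'conn NAME' sections into {name: {key: value}}; '#' comments are dropped."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def parse_proposals(log_text):
    """Yield (conn, our_selector, peer_selector) for each Phase 2 proposal pluto logged."""
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            yield m["conn"], ip_network(m["ours"]), ip_network(m["theirs"])

def selector_mismatches(conf_text, log_text):
    """List proposals whose selectors differ from the conn's leftsubnet/rightsubnet."""
    conns, problems = parse_conns(conf_text), []
    for conn, ours, theirs in parse_proposals(log_text):
        cfg = conns.get(conn, {})
        if "leftsubnet" not in cfg or "rightsubnet" not in cfg:
            continue  # cannot judge a conn that relies on default (host) selectors
        want = (ip_network(cfg["leftsubnet"]), ip_network(cfg["rightsubnet"]))
        if (ours, theirs) != want:
            problems.append({"conn": conn, "proposed": f"{ours} -> {theirs}", "configured": f"{want[0]} -> {want[1]}"})
    return problems
```

Run against the real /etc/ipsec.d/*.conf and /var/log/secure, a non-empty result tells you which side's encryption domain to reconcile before touching anything else in the conn.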