11 Replies Latest reply: Feb 24, 2012 1:00 PM by sliedl

    VPN setup to remote gateway, fails with "INVALID_ID_INFO"

    billcarlson

      Hello all,

      New to Sidewinder products, I'm trying to set up a basic gateway-to-gateway VPN. The remote gateway is openswan-based; the local firewall is version 8.2.

      Doing simple PSK authentication, here's what I see in audit/debug mode:

      2012-02-24 10:06:37 -0500 f_isakmp_daemon a_vpn t_error p_major
      pid: 5365 logid: 0 cmd: 'ikmpd' hostname: xxxx
      vpn_name: !DYNAMIC! cky_i: c248ee7b3d039628 cky_r: 2dfdf6aede62fe3b
      local_gw: 64.250.185.67 remote_gw: 69.66.104.151
      information: [detailed info]
        [delete]
          protocol: IKE
          spi(16): |c248ee7b3d0396282dfdf6aede62fe3b|
        [error]
          MAIN_MODE exchange terminated - MAIN_MODE exchange processing failed
        [error]
          MAIN_MODE processing encountered error, exchange aborted
        [error]
          No IKE (phase 1) policy configured for peer
          [local gateway]
            IPV4_ADDR-64.250.185.67:500
          [remote gateway]
            IPV4_ADDR-69.66.104.151:500
          [remote identity]
            IPV4_ADDR-69.66.104.151:500
        [notify]
          protocol: IKE, type: INVALID_ID_INFO
      [MAIN_MODE]
        VPN: !DYNAMIC!, CKY_I: |c248ee7b3d039628|, CKY_R: |2dfdf6aede62fe3b|,
        references: 1
        [state info]
          init/resp: RESPONDER, condition: DYING,
          state_mask: ACL_CHECK_PASSED|RATE_LIMIT|REMOTE, state: SA_SETUP
        [retry info]
          counter: 1, num_trans: 1, total_time: 3, total_deviation: 0,
          timestamp_out: 1330095995, timestamp_in: 1330095997
        [local gateway] id_type: IPV4_ADDR(1), id_string: 64.250.185.67, id_proto: 0,
          id_port: 500, id_data: |40fab943|
        [remote gateway] id_type: IPV4_ADDR(1), id_string: 69.66.104.151,
          id_proto: 0, id_port: 500, id_data: |45426897|
        [exchange policy]
          protocol: IKE, options: [INITIAL_CONTACT|NO_STRICT_ID_MATCHING|NAT_T],
          version: 1, local authentication: PRE_SHARED_KEY,
      ...(cont

      2012-02-24 10:06:37 -0500 f_isakmp_daemon a_vpn t_error p_major
      pid: 5365 logid: 0 cmd: 'ikmpd' hostname: xxxx
      vpn_name: !DYNAMIC! cky_i: c248ee7b3d039628 cky_r: 2dfdf6aede62fe3b
      local_gw: 64.250.185.67 remote_gw: 69.66.104.151
      information: ...(cont)...
          remote authentication: PRE_SHARED_KEY, encryption: 3DES, integ: SHA1,
          DH group: 2
        [IKE info]
          allocations: 0
          [local identity]
            id_type: IPV4_ADDR(1), id_string: 64.250.185.67, id_proto: 0, id_port: 0,
            id_data: |40fab943|
          vendor ids: NATT_RFC|NATT_DRAFT3|NATT_DRAFT2B
          [chosen proposal]
            protocol: IKE
              protocol: IKE, options: [INITIAL_CONTACT|NO_STRICT_ID_MATCHING|NAT_T],
              version: 1, local authentication: PRE_SHARED_KEY,
              remote authentication: PRE_SHARED_KEY, encryption: 3DES, integ: SHA1,
              DH group: 2

      I've verified the IDs listed match on the remote firewall; any pointers to what else to check?

      Thanks in advance.

      Message was edited by: billcarlson on 2/24/12 10:45:39 AM CST
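The record above packs the whole story of a responder-side phase 1 failure into a few fields: the [error] lines, the notify type (INVALID_ID_INFO), the gateway/identity triples under the error, and the [exchange policy] block. As an added example that is not part of the original post and not McAfee's own tooling, the Python below parses an ikmpd audit record of that shape (an abridged copy of the first record, embedded as a constructed sample) and turns it into defender-facing findings. It goes a little beyond this particular log: diagnose() also flags a remote identity that differs from the remote gateway address, the other common way a responder ends up with no matching phase 1 policy. The reading of vpn_name !DYNAMIC! as "not bound to a named VPN definition" is my assumption from the record, not documented behaviour.

```python
"""Added example: parse a Sidewinder ikmpd audit record and pull out the fields
that decide an IKEv1 phase 1 (main mode) failure on the responder."""
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the first record in the post above.
SAMPLE_RECORD = """\
2012-02-24 10:06:37 -0500 f_isakmp_daemon a_vpn t_error p_major
pid: 5365 logid: 0 cmd: 'ikmpd' hostname: xxxx
vpn_name: !DYNAMIC! cky_i: c248ee7b3d039628 cky_r: 2dfdf6aede62fe3b
local_gw: 64.250.185.67 remote_gw: 69.66.104.151
information: [detailed info]
  [error]
    MAIN_MODE exchange terminated - MAIN_MODE exchange processing failed
  [error]
    MAIN_MODE processing encountered error, exchange aborted
  [error]
    No IKE (phase 1) policy configured for peer
    [local gateway]
      IPV4_ADDR-64.250.185.67:500
    [remote gateway]
      IPV4_ADDR-69.66.104.151:500
    [remote identity]
      IPV4_ADDR-69.66.104.151:500
  [notify]
    protocol: IKE, type: INVALID_ID_INFO
[MAIN_MODE]
  [exchange policy]
    protocol: IKE, options: [INITIAL_CONTACT|NO_STRICT_ID_MATCHING|NAT_T],
    version: 1, local authentication: PRE_SHARED_KEY,
    remote authentication: PRE_SHARED_KEY, encryption: 3DES, integ: SHA1,
    DH group: 2
"""

ID_RE = re.compile(r"^(\w+)-([^:]+):(\d+)$")                      # IPV4_ADDR-1.2.3.4:500
HEADER_KV_RE = re.compile(r"(\w+): (\S+)")                         # key: value on header lines
POLICY_KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): (\[[^\]]*\]|[^,]+)")  # comma-separated attrs
NO_POLICY = "No IKE (phase 1) policy configured for peer"


@dataclass
class IkeAuditRecord:
    timestamp: str = ""
    vpn_name: str = ""
    local_gw: str = ""
    remote_gw: str = ""
    errors: list = field(default_factory=list)       # free-text lines under [error]
    notify_type: str = ""                            # e.g. INVALID_ID_INFO
    identities: dict = field(default_factory=dict)   # section -> (id_type, value, port)
    policy: dict = field(default_factory=dict)       # [exchange policy] attributes


def parse_record(text: str) -> IkeAuditRecord:
    """Walk the indented record, tracking the current [section] header."""
    rec = IkeAuditRecord()
    lines = text.splitlines()
    rec.timestamp = " ".join(lines[0].split()[:3])
    section = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        for key, val in HEADER_KV_RE.findall(line):   # flat header fields
            if key in ("vpn_name", "local_gw", "remote_gw"):
                setattr(rec, key, val)
        if section == "error":
            rec.errors.append(line)
        elif section in ("local gateway", "remote gateway", "remote identity"):
            m = ID_RE.match(line)
            if m:
                rec.identities[section] = (m.group(1), m.group(2), int(m.group(3)))
        elif section == "notify":
            m = re.search(r"type: (\w+)", line)
            if m:
                rec.notify_type = m.group(1)
        elif section == "exchange policy":
            for key, val in POLICY_KV_RE.findall(line):
                rec.policy[key.strip()] = val.strip()
    return rec


def diagnose(rec: IkeAuditRecord) -> list:
    """Defender-facing findings derived only from the parsed record."""
    findings = []
    rid = rec.identities.get("remote identity")
    rgw = rec.identities.get("remote gateway")
    if rec.notify_type == "INVALID_ID_INFO":
        findings.append("responder sent INVALID_ID_INFO: the identity offered in phase 1 was rejected")
    if any(NO_POLICY in e for e in rec.errors):
        who = f"{rid[0]} {rid[1]}" if rid else "the peer identity"
        auth = rec.policy.get("remote authentication", "the same")
        findings.append(f"no phase 1 policy matched {who}; a VPN definition must name that "
                        f"identity as its remote gateway/identity and use {auth} authentication")
    if rec.vpn_name == "!DYNAMIC!":   # assumption: not bound to a named VPN definition
        findings.append("vpn_name is !DYNAMIC!: the exchange was not bound to a named VPN definition")
    if rid and rgw and rid[:2] != rgw[:2]:
        findings.append(f"remote identity {rid[1]} differs from remote gateway address {rgw[1]}: "
                        "the local policy must match the ID the peer actually sends")
    return findings
```

Running `diagnose(parse_record(SAMPLE_RECORD))` on the post's record yields three findings, all pointing the same way: the responder had no phase 1 policy whose remote gateway/identity equals IPV4_ADDR 69.66.104.151 with pre-shared-key authentication, so the check to make is the local VPN definition, not the peer's configuration. Feeding a record whose [remote identity] is an FQDN instead of the address triggers the fourth finding.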