This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASC-Connection Fails with invalid id information

Hello all,

I am testing ASC and am having an issue getting it to connect to the firewall. I believe that I have followed the how to step by step but something must be missing.

In my logs on the client I am getting this:

7/27/2005 4:54:53 PM  Protecting RAS adapter - 0
7/27/2005 4:54:55 PM  IPSDIALCHAN::start building connection
7/27/2005 4:54:55 PM  NCPIKE-phase1:name(Work) - outgoing connect request - main mode.
7/27/2005 4:54:55 PM  XMIT_MSG1_MAIN - Work
7/27/2005 4:54:55 PM  RECV_MSG2_MAIN - Work
7/27/2005 4:54:55 PM  IKE phase I: Setting LifeTime to 7800 seconds
7/27/2005 4:54:55 PM  Work ->Support for NAT-T version - 3
7/27/2005 4:54:55 PM  XMIT_MSG3_MAIN - Work
7/27/2005 4:54:55 PM  IPSDIAL->FINAL_TUNNEL_ENDPOINT:X.X.X.X
7/27/2005 4:54:55 PM  RECV_MSG4_MAIN - Work
7/27/2005 4:54:55 PM  XMIT_MSG5_MAIN - Work
7/27/2005 4:54:55 PM  XMIT_MSG5_MAIN_RESUME - Work
7/27/2005 4:54:55 PM  RECV_MSG6_MAIN - Work
7/27/2005 4:54:55 PM  RECV_MSG6_MAIN_RESUME - Work
7/27/2005 4:54:55 PM  NCPIKE-phase1:name(Work) - connected
7/27/2005 4:54:55 PM  XMIT_MSG1_QUICK - Work
7/27/2005 4:54:55 PM  NOTIFY : Work : RECEIVED : INVALID_ID_INFORMATION
7/27/2005 4:55:06 PM  NCPIKE-phase2:name(Work) - error - retry timeout - max retries
7/27/2005 4:55:06 PM  IPSDIAL  - disconnected from Work on channel 1.

I have two clients using SSH Sentinal connecting to this connection just fine.  [:S]

I am sure this is something simple but after one looks at problem too long...the error does not appear!

Thanks,

ChaoticRyan

This thread was automatically locked due to age.

0 Xeno over 20 years ago

Coud you please also send the part of the ipsec log on ASL?

Xeno
Cancel
Vote Up 0 Vote Down

Cancel
0 ChaoticRyan over 20 years ago in reply to Xeno

Sorry, I should have added that originally.

2005:07:28-06:32:47 (none) pluto[2982]: "D_RoadWarrior__Remote__Connections_2"[1] 192.168.10.100 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2005:07:28-06:32:47 (none) pluto[2982]: | inserting event EVENT_SA_REPLACE, timeout in 6930 seconds for #7
2005:07:28-06:32:47 (none) pluto[2982]: "D_RoadWarrior__Remote__Connections_2"[1] 192.168.10.100 #7: sent MR3, ISAKMP SA established
2005:07:28-06:32:47 (none) pluto[2982]: | next event EVENT_NAT_T_KEEPALIVE in 12 seconds
2005:07:28-06:32:47 (none) pluto[2982]: |
2005:07:28-06:32:47 (none) pluto[2982]: | *received 380 bytes from 192.168.10.100:500 on eth1
2005:07:28-06:32:47 (none) pluto[2982]: | **parse ISAKMP Message:
2005:07:28-06:32:47 (none) pluto[2982]: | initiator cookie:
2005:07:28-06:32:47 (none) pluto[2982]: | d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:47 (none) pluto[2982]: | responder cookie:
2005:07:28-06:32:47 (none) pluto[2982]: | 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_HASH
2005:07:28-06:32:47 (none) pluto[2982]: | ISAKMP version: ISAKMP Version 1.0
2005:07:28-06:32:47 (none) pluto[2982]: | exchange type: ISAKMP_XCHG_QUICK
2005:07:28-06:32:47 (none) pluto[2982]: | flags: ISAKMP_FLAG_ENCRYPTION
2005:07:28-06:32:47 (none) pluto[2982]: | message ID: ec e9 8f 3c
2005:07:28-06:32:47 (none) pluto[2982]: | length: 380
2005:07:28-06:32:47 (none) pluto[2982]: | The xchg type is ISAKMP_XCHG_QUICK (32)
2005:07:28-06:32:47 (none) pluto[2982]: | ICOOKIE: d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:47 (none) pluto[2982]: | RCOOKIE: 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:47 (none) pluto[2982]: | peer: c0 a8 0a 64
2005:07:28-06:32:47 (none) pluto[2982]: | state hash entry 25
2005:07:28-06:32:47 (none) pluto[2982]: | peer and cookies match, provided msgid ece98f3c vs 00000000
2005:07:28-06:32:47 (none) pluto[2982]: | state object not found
2005:07:28-06:32:47 (none) pluto[2982]: | ICOOKIE: d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:47 (none) pluto[2982]: | RCOOKIE: 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:47 (none) pluto[2982]: | peer: c0 a8 0a 64
2005:07:28-06:32:47 (none) pluto[2982]: | state hash entry 25
2005:07:28-06:32:47 (none) pluto[2982]: | peer and cookies match, provided msgid 00000000 vs 00000000
2005:07:28-06:32:47 (none) pluto[2982]: | state object #7 found, in STATE_MAIN_R3
2005:07:28-06:32:47 (none) pluto[2982]: | ***parse ISAKMP Hash Payload:
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_SA
2005:07:28-06:32:47 (none) pluto[2982]: | length: 20
2005:07:28-06:32:47 (none) pluto[2982]: | ***parse ISAKMP Security Association Payload:
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_NONCE
2005:07:28-06:32:47 (none) pluto[2982]: | length: 60
2005:07:28-06:32:47 (none) pluto[2982]: | DOI: ISAKMP_DOI_IPSEC
2005:07:28-06:32:47 (none) pluto[2982]: | ***parse ISAKMP Nonce Payload:
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_KE
2005:07:28-06:32:47 (none) pluto[2982]: | length: 44
2005:07:28-06:32:47 (none) pluto[2982]: | ***parse ISAKMP Key Exchange Payload:
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_ID
2005:07:28-06:32:47 (none) pluto[2982]: | length: 196
2005:07:28-06:32:47 (none) pluto[2982]: | ***parse ISAKMP Identification Payload (IPsec DOI):
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_ID
2005:07:28-06:32:47 (none) pluto[2982]: | length: 12
2005:07:28-06:32:47 (none) pluto[2982]: | ID type: ID_IPV4_ADDR
2005:07:28-06:32:47 (none) pluto[2982]: | Protocol ID: 0
2005:07:28-06:32:47 (none) pluto[2982]: | port: 0
2005:07:28-06:32:47 (none) pluto[2982]: | ***parse ISAKMP Identification Payload (IPsec DOI):
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_NONE
2005:07:28-06:32:47 (none) pluto[2982]: | length: 16
2005:07:28-06:32:47 (none) pluto[2982]: | ID type: ID_IPV4_ADDR_SUBNET
2005:07:28-06:32:47 (none) pluto[2982]: | Protocol ID: 0
2005:07:28-06:32:47 (none) pluto[2982]: | port: 0
2005:07:28-06:32:47 (none) pluto[2982]: | removing 4 bytes of padding
2005:07:28-06:32:47 (none) pluto[2982]: | peer client is 176.16.21.101/32
2005:07:28-06:32:47 (none) pluto[2982]: | peer client protocol/port is 0/0
2005:07:28-06:32:47 (none) pluto[2982]: | our client is subnet 0.0.0.0/0
2005:07:28-06:32:47 (none) pluto[2982]: | our client protocol/port is 0/0
2005:07:28-06:32:47 (none) pluto[2982]: "D_RoadWarrior__Remote__Connections_2"[1] 192.168.10.100 #7: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===67.103.5.35...192.168.10.100[ryan.moore@occamgroup.com]===176.16.21.101/32
2005:07:28-06:32:47 (none) pluto[2982]: "D_RoadWarrior__Remote__Connections_2"[1] 192.168.10.100 #7: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.100:500
2005:07:28-06:32:47 (none) pluto[2982]: | **emit ISAKMP Message:
2005:07:28-06:32:47 (none) pluto[2982]: | initiator cookie:
2005:07:28-06:32:47 (none) pluto[2982]: | d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:47 (none) pluto[2982]: | responder cookie:
2005:07:28-06:32:47 (none) pluto[2982]: | 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_HASH
2005:07:28-06:32:47 (none) pluto[2982]: | ISAKMP version: ISAKMP Version 1.0
2005:07:28-06:32:47 (none) pluto[2982]: | exchange type: ISAKMP_XCHG_INFO
2005:07:28-06:32:47 (none) pluto[2982]: | flags: ISAKMP_FLAG_ENCRYPTION
2005:07:28-06:32:47 (none) pluto[2982]: | message ID: c8 6d 40 ab
2005:07:28-06:32:47 (none) pluto[2982]: | ***emit ISAKMP Hash Payload:
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_N
2005:07:28-06:32:47 (none) pluto[2982]: | emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
2005:07:28-06:32:47 (none) pluto[2982]: | emitting length of ISAKMP Hash Payload: 20
2005:07:28-06:32:47 (none) pluto[2982]: | ***emit ISAKMP Notification Payload:
2005:07:28-06:32:47 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_NONE
2005:07:28-06:32:47 (none) pluto[2982]: | DOI: ISAKMP_DOI_IPSEC
2005:07:28-06:32:47 (none) pluto[2982]: | protocol ID: 1
2005:07:28-06:32:47 (none) pluto[2982]: | SPI size: 0
2005:07:28-06:32:47 (none) pluto[2982]: | Notify Message Type: INVALID_ID_INFORMATION
2005:07:28-06:32:47 (none) pluto[2982]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload
2005:07:28-06:32:47 (none) pluto[2982]: | spi
2005:07:28-06:32:47 (none) pluto[2982]: | emitting length of ISAKMP Notification Payload: 12
2005:07:28-06:32:47 (none) pluto[2982]: | emitting length of ISAKMP Message: 60
2005:07:28-06:32:47 (none) pluto[2982]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
2005:07:28-06:32:47 (none) pluto[2982]: | next event EVENT_NAT_T_KEEPALIVE in 12 seconds
2005:07:28-06:32:58 (none) pluto[2982]: |
2005:07:28-06:32:58 (none) pluto[2982]: | *received 76 bytes from 192.168.10.100:500 on eth1
2005:07:28-06:32:58 (none) pluto[2982]: | **parse ISAKMP Message:
2005:07:28-06:32:58 (none) pluto[2982]: | initiator cookie:
2005:07:28-06:32:58 (none) pluto[2982]: | d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:58 (none) pluto[2982]: | responder cookie:
2005:07:28-06:32:58 (none) pluto[2982]: | 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:58 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_HASH
2005:07:28-06:32:58 (none) pluto[2982]: | ISAKMP version: ISAKMP Version 1.0
2005:07:28-06:32:58 (none) pluto[2982]: | exchange type: ISAKMP_XCHG_INFO
2005:07:28-06:32:58 (none) pluto[2982]: | flags: ISAKMP_FLAG_ENCRYPTION
2005:07:28-06:32:58 (none) pluto[2982]: | message ID: 74 1c 56 a1
2005:07:28-06:32:58 (none) pluto[2982]: | length: 76
2005:07:28-06:32:58 (none) pluto[2982]: | The xchg type is ISAKMP_XCHG_INFO (5)
2005:07:28-06:32:58 (none) pluto[2982]: | ICOOKIE: d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:58 (none) pluto[2982]: | RCOOKIE: 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:58 (none) pluto[2982]: | peer: c0 a8 0a 64
2005:07:28-06:32:58 (none) pluto[2982]: | state hash entry 25
2005:07:28-06:32:58 (none) pluto[2982]: | peer and cookies match, provided msgid 00000000 vs 00000000
2005:07:28-06:32:58 (none) pluto[2982]: | state object #7 found, in STATE_MAIN_R3
2005:07:28-06:32:58 (none) pluto[2982]: | ***parse ISAKMP Hash Payload:
2005:07:28-06:32:58 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_D
2005:07:28-06:32:58 (none) pluto[2982]: | length: 20
2005:07:28-06:32:58 (none) pluto[2982]: | ***parse ISAKMP Delete Payload:
2005:07:28-06:32:58 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_NONE
2005:07:28-06:32:58 (none) pluto[2982]: | length: 28
2005:07:28-06:32:58 (none) pluto[2982]: | DOI: ISAKMP_DOI_IPSEC
2005:07:28-06:32:58 (none) pluto[2982]: | protocol ID: 1
2005:07:28-06:32:58 (none) pluto[2982]: | SPI size: 16
2005:07:28-06:32:58 (none) pluto[2982]: | number of SPIs: 1
2005:07:28-06:32:58 (none) pluto[2982]: "D_RoadWarrior__Remote__Connections_2"[1] 192.168.10.100 #7: received Delete SA payload: deleting ISAKMP State #7
2005:07:28-06:32:58 (none) pluto[2982]: | **emit ISAKMP Message:
2005:07:28-06:32:58 (none) pluto[2982]: | initiator cookie:
2005:07:28-06:32:58 (none) pluto[2982]: | d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:58 (none) pluto[2982]: | responder cookie:
2005:07:28-06:32:58 (none) pluto[2982]: | 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:58 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_HASH
2005:07:28-06:32:58 (none) pluto[2982]: | ISAKMP version: ISAKMP Version 1.0
2005:07:28-06:32:58 (none) pluto[2982]: | exchange type: ISAKMP_XCHG_INFO
2005:07:28-06:32:58 (none) pluto[2982]: | flags: ISAKMP_FLAG_ENCRYPTION
2005:07:28-06:32:58 (none) pluto[2982]: | message ID: e0 7e a8 61
2005:07:28-06:32:58 (none) pluto[2982]: | ***emit ISAKMP Hash Payload:
2005:07:28-06:32:58 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_D
2005:07:28-06:32:58 (none) pluto[2982]: | emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
2005:07:28-06:32:58 (none) pluto[2982]: | emitting length of ISAKMP Hash Payload: 20
2005:07:28-06:32:58 (none) pluto[2982]: | ***emit ISAKMP Delete Payload:
2005:07:28-06:32:58 (none) pluto[2982]: | next payload type: ISAKMP_NEXT_NONE
2005:07:28-06:32:58 (none) pluto[2982]: | DOI: ISAKMP_DOI_IPSEC
2005:07:28-06:32:58 (none) pluto[2982]: | protocol ID: 1
2005:07:28-06:32:58 (none) pluto[2982]: | SPI size: 16
2005:07:28-06:32:58 (none) pluto[2982]: | number of SPIs: 1
2005:07:28-06:32:58 (none) pluto[2982]: | emitting 16 raw bytes of delete payload into ISAKMP Delete Payload
2005:07:28-06:32:58 (none) pluto[2982]: | delete payload d6 e4 a2 6c f8 a1 57 85 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:58 (none) pluto[2982]: | emitting length of ISAKMP Delete Payload: 28
2005:07:28-06:32:58 (none) pluto[2982]: | emitting length of ISAKMP Message: 76
2005:07:28-06:32:58 (none) pluto[2982]: | ICOOKIE: d6 e4 a2 6c f8 a1 57 85
2005:07:28-06:32:58 (none) pluto[2982]: | RCOOKIE: 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:58 (none) pluto[2982]: | peer: c0 a8 0a 64
2005:07:28-06:32:58 (none) pluto[2982]: | state hash entry 25
2005:07:28-06:32:58 (none) pluto[2982]: "D_RoadWarrior__Remote__Connections_2"[1] 192.168.10.100: deleting connection "D_RoadWarrior__Remote__Connections_2" instance with peer 192.168.10.100
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #4 (STATE_QUICK_I2), 2 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #2 (STATE_MAIN_I4), 0 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #5 (STATE_QUICK_I2), 1 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #1 (STATE_MAIN_I4), 0 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #6 (STATE_QUICK_I2), 3 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #3 (STATE_MAIN_I4), 0 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #4 (STATE_QUICK_I2), 2 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #2 (STATE_MAIN_I4), 0 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #5 (STATE_QUICK_I2), 1 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #1 (STATE_MAIN_I4), 0 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #6 (STATE_QUICK_I2), 3 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | examining state #3 (STATE_MAIN_I4), 0 vs parent=0
2005:07:28-06:32:58 (none) pluto[2982]: | del: d6 e4 a2 6c f8 a1 57 85 38 3a 24 c5 38 08 a1 3a
2005:07:28-06:32:58 (none) pluto[2982]: packet from 192.168.10.100:500: received and ignored informational message

It looks to me like the client is trying to use it's IP address for the connection some how.?.? [:S]apped to the cert.

Thanks again,
Ryan
Cancel
Vote Up 0 Vote Down

Cancel
0 Xeno over 20 years ago

In the log of ASL the connection is named "RoadWarrior__Remote__Connections". Is that the correct connection which fits the configuration of the ASC?
If using roadwarrior, I recommend not to use the IP address for VPN identifier, because a roadwarrior uses dynamic IP addresses. I recommend to use another VPN identifiert for roadwarriors. Email address for example. Then check your local and remote subnet configuration for the connection. Also you could use the automatic configuration download to make sure you are using a correct configuration on the client.

Xeno
Cancel
Vote Up 0 Vote Down

Cancel
0 ChaoticRyan over 20 years ago in reply to Xeno

I guess that is the question which really boils down to a clear understanding of how ASL and the Client use the certificates.

I have the remote connections setup in ASL to use certificates.

I have the certificates setup as e-mail certificates, but I have assigned a virtual IP to the remote key. (I believe this was done for SSH Sentinal).

I have downloaded the config to the client and used the import tool to import the configuration.

I have downloaded both the CA and the client Cert to the client and imported the client cert, and put the .pem key in the correct directory for the CA.

What it sounds like you are suggesting is that I remove the Virtual IP from the client cert on ASL? Then configure the client to use any ip instead of the one assigned to the cert?

Thanks again,
ChaoticRyan
Cancel
Vote Up 0 Vote Down

Cancel
0 ChaoticRyan over 20 years ago in reply to ChaoticRyan

My assumtions about what you were suggesting were correct. This was a simple oversight on my part. Thanks for all your help!

ChaoticRyan
Cancel
Vote Up 0 Vote Down

Cancel
0 Xeno over 20 years ago in reply to ChaoticRyan

OK, that was a missunderstanding. I thought you are using an IP address for "VPN ID". And I recommended to use "E-Mail Address" for "VPN ID". That can be configured at the point where you create a cert.

The virtual IP which can be configured in the menu "remote keys" is another thing. I definitly recommend to use such a virtual IP address. But make sure the subnet of the virtual IP is not used anywhere in your network yet. Use an IP from a network which is not used. Just 10.23.41.0/24 or something like that.
Also make sure this IP address is also configured in ASC manually.

Xeno
Cancel
Vote Up 0 Vote Down

Cancel