Hi
I setting up DMVPN on epa3. but vpn log have error "received INVALID_ID_INFORMATION error notify"
I was test network architecture have two site, one have static public IP, another have pppoe DHCP ip to internet. all site VYOS version is EPA3
When I finished set, and check charon log looking for "received INVALID_ID_INFORMATION error notify". and I run show IPsec sa see the DMVPN tunnel have be create and status is up.
In Spoke site information:
vyos@vyos# run show vpn ipsec sa Connection State Up Bytes In/Out Remote address Remote ID Proposal ------------------- ------- --------- -------------- ---------------- ----------- ------------------------------------------------ dmvpn-DEVELVPN-tun0 up 9 seconds N/A 116.90.86.xxx N/A AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 [edit]
vyos@vyos# run show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
uptime: 93 minutes, since Jan 20 16:52:30 2019
malloc: sbrk 2973696, mmap 0, used 801616, free 2172080
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
100.64.15.xx
Connections:
dmvpn-DEVELVPN-tun0: %any...%any IKEv1
dmvpn-DEVELVPN-tun0: local: [100.64.15.xx] uses pre-shared key authentication
dmvpn-DEVELVPN-tun0: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
dmvpn-DEVELVPN-tun0[1]: ESTABLISHED 12 seconds ago, 100.64.15.85[100.64.15.xx]...116.90.86.181[116.90.86.xx]
dmvpn-DEVELVPN-tun0[1]: IKEv1 SPIs: 4d01aac360352af1_i* e7603d1a516592a9_r, rekeying in 59 minutes
dmvpn-DEVELVPN-tun0[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024In Hub site have follow information
vyos@vyos:~$ show vpn ipsec sa Connection State Up Bytes In/Out Remote address Remote ID Proposal ------------------- ------- ---------- -------------- ---------------- ------------ ------------------------------------------------ dmvpn-DEVELVPM-tun1 up 74 seconds N/A 115.60.59.xxx 100.64.15.xx AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@vyos:~$ show vpn ipsec sa v
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.12-amd64-vyos, x86_64):
uptime: 92 minutes, since Jan 20 16:56:50 2019
malloc: sbrk 2973696, mmap 0, used 806496, free 2167200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
116.90.86.xxx
Connections:
dmvpn-DEVELVPM-tun1: %any...%any IKEv1
dmvpn-DEVELVPM-tun1: local: [116.90.86.181] uses pre-shared key authentication
dmvpn-DEVELVPM-tun1: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
dmvpn-DEVELVPM-tun1[2]: ESTABLISHED 2 minutes ago, 116.90.86.xxx[116.90.86.xxx]...115.60.59.xxx[100.64.15.xx]
dmvpn-DEVELVPM-tun1[2]: IKEv1 SPIs: 6aec0fcb3f7b40a0_i c00c1e63a423e9e2_r*, rekeying in 57 minutes
dmvpn-DEVELVPM-tun1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@vyos:~$and I check log on spoke site
Jan 20 18:30:07 vyos charon: 10[CFG] vici terminate with source me 100.64.15.85 and other 116.90.86.xxx
Jan 20 18:30:07 vyos charon: 15[IKE] deleting IKE_SA dmvpn-DEVELVPN-tun0[2] between 100.64.15.85[100.64.15.85]...116.90.86.xxx[116.90.86.xxx]
Jan 20 18:30:07 vyos charon: 15[IKE] sending DELETE for IKE_SA dmvpn-DEVELVPN-tun0[2]
Jan 20 18:30:07 vyos charon: 15[ENC] generating INFORMATIONAL_V1 request 3653513929 [ HASH D ]
Jan 20 18:30:07 vyos charon: 15[NET] sending packet: from 100.64.15.85[4500] to 116.90.86.xxx[4500] (92 bytes)
Jan 20 18:30:07 vyos charon: 12[CFG] vici initiate 'dmvpn', me 100.64.15.85, other 116.90.86.xxx, limits 0
Jan 20 18:30:07 vyos charon: 10[IKE] initiating Main Mode IKE_SA dmvpn-DEVELVPN-tun0[3] to 116.90.86.xxx
Jan 20 18:30:07 vyos charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 20 18:30:07 vyos charon: 10[NET] sending packet: from 100.64.15.85[500] to 116.90.86.xxx[500] (216 bytes)
Jan 20 18:30:07 vyos charon: 13[NET] received packet: from 116.90.86.xxx[500] to 100.64.15.85[500] (160 bytes)
Jan 20 18:30:07 vyos charon: 13[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Jan 20 18:30:07 vyos charon: 13[IKE] received XAuth vendor ID
Jan 20 18:30:07 vyos charon: 13[IKE] received DPD vendor ID
Jan 20 18:30:07 vyos charon: 13[IKE] received FRAGMENTATION vendor ID
Jan 20 18:30:07 vyos charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 18:30:07 vyos charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 18:30:07 vyos charon: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 13[NET] sending packet: from 100.64.15.85[500] to 116.90.86.xxx[500] (244 bytes)
Jan 20 18:30:07 vyos charon: 08[NET] received packet: from 116.90.86.xxx[500] to 100.64.15.85[500] (244 bytes)
Jan 20 18:30:07 vyos charon: 08[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 08[IKE] local host is behind NAT, sending keep alives
Jan 20 18:30:07 vyos charon: 08[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 08[NET] sending packet: from 100.64.15.85[4500] to 116.90.86.xxx[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 04[NET] received packet: from 116.90.86.xxx[4500] to 100.64.15.85[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 04[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 04[IKE] IKE_SA dmvpn-DEVELVPN-tun0[3] established between 100.64.15.85[100.64.15.85]...116.90.86.xxx[116.90.86.xxx]
Jan 20 18:30:07 vyos charon: 04[IKE] scheduling rekeying in 3579s
Jan 20 18:30:07 vyos charon: 04[IKE] maximum IKE_SA lifetime 3939s
Jan 20 18:30:07 vyos charon: 04[ENC] generating QUICK_MODE request 2482155956 [ HASH SA No KE ID ID ]
Jan 20 18:30:07 vyos charon: 04[NET] sending packet: from 100.64.15.85[4500] to 116.90.86.xxx[4500] (332 bytes)
Jan 20 18:30:07 vyos charon: 05[NET] received packet: from 116.90.86.xxx4500] to 100.64.15.85[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 05[ENC] parsed INFORMATIONAL_V1 request 627719152 [ HASH N(INVAL_ID) ]
Jan 20 18:30:07 vyos charon: 05[IKE] received INVALID_ID_INFORMATION error notify
In Hub site see follow information
Jan 20 18:30:07 vyos charon: 14[NET] received packet: from 115.60.59.223[11918] to 116.90.86.xxx[4500] (92 bytes)
Jan 20 18:30:07 vyos charon: 14[ENC] parsed INFORMATIONAL_V1 request 3653513929 [ HASH D ]
Jan 20 18:30:07 vyos charon: 14[IKE] received DELETE for IKE_SA dmvpn-DEVELVPM-tun1[2]
Jan 20 18:30:07 vyos charon: 14[IKE] deleting IKE_SA dmvpn-DEVELVPM-tun1[2] between 116.90.86.xxx[116.90.86.xxx]...115.60.59.223[100.64.15.85]
Jan 20 18:30:07 vyos charon: 06[NET] received packet: from 115.60.59.223[11917] to 116.90.86.xxx[500] (216 bytes)
Jan 20 18:30:07 vyos charon: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jan 20 18:30:07 vyos charon: 06[IKE] received XAuth vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received DPD vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received FRAGMENTATION vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 20 18:30:07 vyos charon: 06[IKE] 115.60.59.223 is initiating a Main Mode IKE_SA
Jan 20 18:30:07 vyos charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 18:30:07 vyos charon: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jan 20 18:30:07 vyos charon: 06[NET] sending packet: from 116.90.86.xxx[500] to 115.60.59.223[11917] (160 bytes)
Jan 20 18:30:07 vyos charon: 08[NET] received packet: from 115.60.59.223[11917] to 116.90.86.xxx[500] (244 bytes)
Jan 20 18:30:07 vyos charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 08[IKE] remote host is behind NAT
Jan 20 18:30:07 vyos charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 20 18:30:07 vyos charon: 08[NET] sending packet: from 116.90.86.xxx[500] to 115.60.59.223[11917] (244 bytes)
Jan 20 18:30:07 vyos charon: 10[NET] received packet: from 115.60.59.223[11918] to 116.90.86.xxx[4500] (76 bytes)
Jan 20 18:30:07 vyos charon: 10[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 10[CFG] looking for pre-shared key peer configs matching 116.90.86.xxx...115.60.59.223[100.64.15.85]
Jan 20 18:30:07 vyos charon: 10[CFG] selected peer config "dmvpn-DEVELVPM-tun1"
Jan 20 18:30:07 vyos charon: 10[IKE] IKE_SA dmvpn-DEVELVPM-tun1[3] established between 116.90.86.xxx[116.90.86.xxx]...115.60.59.223[100.64.15.85]
Jan 20 18:30:07 vyos charon: 10[IKE] scheduling rekeying in 3459s
Jan 20 18:30:07 vyos charon: 10[IKE] maximum IKE_SA lifetime 3819s
Jan 20 18:30:07 vyos charon: 10[ENC] generating ID_PROT response 0 [ ID HASH ]
Jan 20 18:30:07 vyos charon: 10[NET] sending packet: from 116.90.86.xxx[4500] to 115.60.59.223[11918] (76 bytes)
Jan 20 18:30:07 vyos charon: 12[NET] received packet: from 115.60.59.223[11918] to 116.90.86.xxx[4500] (332 bytes)
Jan 20 18:30:07 vyos charon: 12[ENC] parsed QUICK_MODE request 2482155956 [ HASH SA No KE ID ID ]
Jan 20 18:30:07 vyos charon: 12[IKE] no matching CHILD_SA config found for 100.64.15.85/32[gre] === 116.90.86.xxx/32[gre]
Jan 20 18:30:07 vyos charon: 12[ENC] generating INFORMATIONAL_V1 request 627719152 [ HASH N(INVAL_ID) ]
Jan 20 18:30:07 vyos charon: 12[NET] sending packet: from 116.90.86.xxx[4500] to 115.60.59.223[11918] (76 bytes)
I think HUB site haven't issue.
Please check that issue
Thanks
David