Received INVALID_ID_INFORMATION error notify



  • I'm jumping in here since I seem to have the same problem.

    Here's some log while the connection is shown as UP on both sides, but no traffic is transmitted. This block is repeated every 5-6 seconds.

    Site 1
    Dec 1 17:05:02 charon: 07[NET] <con2000|206>sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (124 bytes)
    Dec 1 17:05:02 charon: 07[ENC] <con2000|206>generating INFORMATIONAL_V1 request 111867006 [ HASH N(INVAL_ID) ]
    Dec 1 17:05:02 charon: 07[IKE] <con2000|206>no matching CHILD_SA config found
    Dec 1 17:05:02 charon: 07[IKE] <con2000|206>no matching CHILD_SA config found
    Dec 1 17:05:02 charon: 07[ENC] <con2000|206>parsed QUICK_MODE request 3497716337 [ HASH SA No KE ID ID ]
    Dec 1 17:05:02 charon: 07[NET] <con2000|206>received packet: from 2.2.2.2[500] to 1.1.1.1[500] (668 bytes)
    Dec 1 17:05:02 charon: 07[ENC] <con2000|206>received fragment #2, reassembling fragmented IKE message
    Dec 1 17:05:02 charon: 07[ENC] <con2000|206>parsed ID_PROT request 0 [ FRAG(2/2) ]
    Dec 1 17:05:02 charon: 07[NET] <con2000|206>received packet: from 2.2.2.2[500] to 1.1.1.1[500] (192 bytes)
    Dec 1 17:05:02 charon: 12[ENC] <con2000|206>received fragment #1, waiting for complete IKE message
    Dec 1 17:05:02 charon: 12[ENC] <con2000|206>parsed ID_PROT request 0 [ FRAG(1) ]
    Dec 1 17:05:02 charon: 12[NET] <con2000|206>received packet: from 2.2.2.2[500] to 1.1.1.1[500] (548 bytes)
    Dec 1 17:05:00 charon: 07[IKE] <con2000|206>received INVALID_ID_INFORMATION error notify
    Dec 1 17:05:00 charon: 07[IKE] <con2000|206>received INVALID_ID_INFORMATION error notify
    Dec 1 17:05:00 charon: 07[ENC] <con2000|206>parsed INFORMATIONAL_V1 request 4001843111 [ HASH N(INVAL_ID) ]
    Dec 1 17:05:00 charon: 07[NET] <con2000|206>received packet: from 2.2.2.2[500] to 1.1.1.1[500] (124 bytes)
    Dec 1 17:05:00 charon: 07[NET] <con2000|206>sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (192 bytes)
    Dec 1 17:05:00 charon: 07[NET] <con2000|206>sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (548 bytes)
    Dec 1 17:05:00 charon: 07[ENC] <con2000|206>generating ID_PROT request 0 [ FRAG(2/2) ]
    Dec 1 17:05:00 charon: 07[ENC] <con2000|206>generating ID_PROT request 0 [ FRAG(1) ]
    Dec 1 17:05:00 charon: 07[ENC] <con2000|206>splitting IKE message with length of 668 bytes into 2 fragments
    Dec 1 17:05:00 charon: 07[ENC] <con2000|206>generating QUICK_MODE request 2468589445 [ HASH SA No KE ID ID ]
    Dec 1 17:05:00 charon: 06[KNL] creating acquire job for policy 1.1.1.1/32|/0 === 2.2.2.2/32|/0 with reqid {195}

    Site 2
    Dec 1 17:05:02 charon: 13[IKE] <con1000|340>received INVALID_ID_INFORMATION error notify
    Dec 1 17:05:02 charon: 13[IKE] <con1000|340>received INVALID_ID_INFORMATION error notify
    Dec 1 17:05:02 charon: 13[ENC] <con1000|340>parsed INFORMATIONAL_V1 request 111867006 [ HASH N(INVAL_ID) ]
    Dec 1 17:05:02 charon: 13[NET] <con1000|340>received packet: from 1.1.1.1[500] to 2.2.2.2[500] (124 bytes)
    Dec 1 17:05:02 charon: 13[NET] <con1000|340>sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (192 bytes)
    Dec 1 17:05:02 charon: 13[NET] <con1000|340>sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (548 bytes)
    Dec 1 17:05:02 charon: 13[ENC] <con1000|340>generating ID_PROT request 0 [ FRAG(2/2) ]
    Dec 1 17:05:02 charon: 13[ENC] <con1000|340>generating ID_PROT request 0 [ FRAG(1) ]
    Dec 1 17:05:02 charon: 13[ENC] <con1000|340>splitting IKE message with length of 668 bytes into 2 fragments
    Dec 1 17:05:02 charon: 13[ENC] <con1000|340>generating QUICK_MODE request 3497716337 [ HASH SA No KE ID ID ]
    Dec 1 17:05:02 charon: 13[KNL] creating acquire job for policy 2.2.2.2/32|/0 === 1.1.1.1/32|/0 with reqid {4}
    Dec 1 17:05:00 charon: 13[NET] <con1000|340>sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (124 bytes)
    Dec 1 17:05:00 charon: 13[ENC] <con1000|340>generating INFORMATIONAL_V1 request 4001843111 [ HASH N(INVAL_ID) ]
    Dec 1 17:05:00 charon: 13[IKE] <con1000|340>no matching CHILD_SA config found
    Dec 1 17:05:00 charon: 13[IKE] <con1000|340>no matching CHILD_SA config found
    Dec 1 17:05:00 charon: 13[ENC] <con1000|340>parsed QUICK_MODE request 2468589445 [ HASH SA No KE ID ID ]
    Dec 1 17:05:00 charon: 13[NET] <con1000|340>received packet: from 1.1.1.1[500] to 2.2.2.2[500] (668 bytes)
    Dec 1 17:05:00 charon: 13[ENC] <con1000|340>received fragment #2, reassembling fragmented IKE message
    Dec 1 17:05:00 charon: 13[ENC] <con1000|340>parsed ID_PROT request 0 [ FRAG(2/2) ]
    Dec 1 17:05:00 charon: 13[NET] <con1000|340>received packet: from 1.1.1.1[500] to 2.2.2.2[500] (192 bytes)
    Dec 1 17:05:00 charon: 13[ENC] <con1000|340>received fragment #1, waiting for complete IKE message
    Dec 1 17:05:00 charon: 13[ENC] <con1000|340>parsed ID_PROT request 0 [ FRAG(1) ]
    Dec 1 17:05:00 charon: 13[NET] <con1000|340>received packet: from 1.1.1.1[500] to 2.2.2.2[500] (548 bytes)

    I had aggressive mode (from 2.1.5 times, no trouble back then) changed to main mode; DPD is enabled.



  • Split this to its own topic as it's not at all related to the thread you posted in.

    "received INVALID_ID_INFORMATION error notify" means your identifiers don't match. They wouldn't have before the upgrade either, racoon just (wrongly, really) didn't care. Info here:
    https://doc.pfsense.org/index.php/UpgradeGuide#Stricter_Phase_1_Identifier_Validation

    If you're using non-IP identifiers, you'll need to switch back to aggressive mode, and fix the P1s on both sides so the identifiers match.
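As an added example (not code from either post or from pfSense/strongSwan), the diagnosis given in the reply applied mechanically to charon log lines like the ones quoted above: tally, per IKE_SA, which side rejected whose Quick Mode and report whether the P1/P2 identifiers need fixing on one side or both. The sample log lines, the `con3000` connection and the function names are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the charon lines quoted earlier (one side only).
# Real charon output has a space after the "<conn|id>" tag; the page's copy lost it,
# so the pattern below tolerates both forms.
SAMPLE_LOG = """\
Dec 1 17:05:00 charon: 07[ENC] <con2000|206> generating QUICK_MODE request 2468589445 [ HASH SA No KE ID ID ]
Dec 1 17:05:00 charon: 07[IKE] <con2000|206> received INVALID_ID_INFORMATION error notify
Dec 1 17:05:02 charon: 07[ENC] <con2000|206> parsed QUICK_MODE request 3497716337 [ HASH SA No KE ID ID ]
Dec 1 17:05:02 charon: 07[IKE] <con2000|206> no matching CHILD_SA config found
Dec 1 17:05:02 charon: 07[ENC] <con2000|206> generating INFORMATIONAL_V1 request 111867006 [ HASH N(INVAL_ID) ]
Dec 1 17:05:07 charon: 07[IKE] <con2000|206> received INVALID_ID_INFORMATION error notify
Dec 1 17:05:30 charon: 09[IKE] <con3000|12> CHILD_SA con3000{7} established with SPIs c0ffee01_i c0ffee02_o
"""

# Matches "charon: NN[SUBSYS] <conn|id>message"; KNL lines without a tag are skipped.
LINE_RE = re.compile(r'charon: \d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|\d+>\s*(?P<msg>.*)')

def count_events(log_text):
    """Tally phase-2 outcomes per IKE_SA connection name."""
    events = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, msg = m.group('conn'), m.group('msg')
        if 'received INVALID_ID_INFORMATION' in msg:
            events[conn]['peer_rejected_us'] += 1  # peer sent N(INVAL_ID): our IDs do not match its config
        elif 'no matching CHILD_SA config found' in msg:
            events[conn]['we_rejected_peer'] += 1  # no local P2 matches the peer's proposal; we answer INVAL_ID
        elif 'CHILD_SA' in msg and 'established' in msg:
            events[conn]['child_sa_up'] += 1
    return events

def diagnose(log_text):
    """Map each connection seen in the log to a verdict string."""
    verdicts = {}
    for conn, c in count_events(log_text).items():
        if c['child_sa_up'] and not (c['peer_rejected_us'] or c['we_rejected_peer']):
            verdicts[conn] = 'ok: CHILD_SA established'
        elif c['peer_rejected_us'] and c['we_rejected_peer']:
            verdicts[conn] = 'identifier mismatch on both sides: fix the P1 identifiers and P2 networks on both peers'
        elif c['peer_rejected_us']:
            verdicts[conn] = 'identifier mismatch: remote rejects our Quick Mode (check our P1 identifier and P2 networks against the remote config)'
        elif c['we_rejected_peer']:
            verdicts[conn] = 'identifier mismatch: we reject the remote Quick Mode (check the remote P1 identifier and P2 networks against our config)'
    return verdicts
```

A tunnel that shows as UP while this verdict repeats every few seconds is exactly the symptom in the first post: phase 1 completes, but no CHILD_SA is ever installed.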

