0001416: IPsec VPN, Remote ID parameter added in ipsec.conf with symbol '@' - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0001416
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2008-10-31 11:56
Last Update: 2009-10-27 12:21
Reporter: skrew
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.2-rc3
Target Version: 2.3
Fixed in Version: 2.3
Summary: 0001416: IPsec VPN, Remote ID parameter added in ipsec.conf with symbol '@'
Description:
In IPsec Connections, when I add a Remote ID to the configuration, in /etc/ipsec/ipsec.conf it appears as rightid=@xxx.xxx.xxx.xxx instead of just rightid=xxx.xxx.xxx.xxx.
With this behaviour I had to SSH to the server, edit it by hand to remove the '@' and then restart ipsec.
Tags: needsfix
Issue History
2008-10-31 11:56  skrew         New Issue
2008-10-31 11:56  skrew         Assigned To: => peter-endian
2008-10-31 14:19  peter-endian  Note Added: 0001764
2008-10-31 14:19  peter-endian  Status: new => closed
2008-10-31 14:19  peter-endian  Resolution: open => no change required
2008-10-31 14:31  skrew         Note Added: 0001765
2008-10-31 14:31  skrew         Status: closed => feedback
2008-10-31 14:31  skrew         Resolution: no change required => reopened
2008-10-31 14:31  skrew         Note Edited: 0001765
2008-10-31 14:31  skrew         Note Edited: 0001765
2008-11-05 13:32  skrew         Note Added: 0001772
2009-03-23 12:41  jzdrzalek     Note Added: 0002074
2009-03-24 21:09  peter-endian  Target Version: => future
2009-03-27 07:54  jzdrzalek     Note Added: 0002088
2009-03-27 17:28  peter-endian  Tag Attached: needsfix
2009-04-06 13:30  peter-endian  Note Added: 0002103
2009-04-06 13:30  peter-endian  Status: feedback => resolved
2009-04-06 13:30  peter-endian  Fixed in Version: => 2.3
2009-04-06 13:30  peter-endian  Resolution: reopened => fixed
2009-10-27 12:00  peter-endian  Status: resolved => closed
2009-10-27 12:21  peter-endian  Target Version: future => 2.3

Notes
(0001764) peter-endian 2008-10-31 14:19
That's the correct syntax.
The @ means that the id should not be resolved, otherwise pluto would do a DNS resolve of the id. That's what you want if you put in an id.
If the id is a hostname, then it's not really necessary to set the id, because in that case pluto resolves the connection remote host and uses its IP address as id.
(0001765) skrew 2008-10-31 14:31
So, what should I do if the field is empty:
 pluto[]: "conn1" _58: we require peer to have ID '111.111.111.111', but peer declares '222.222.222.222'
Here 111.111.111.111 is the IP of the remote VPN server (Checkpoint FW NG R55) and 222.222.222.222 is one of their external IPs.

If I enter the IP in the field Remote ID then I get:
pluto[]: "conn1" _78: we require peer to have ID '@222.222.222.222', but peer declares '222.222.222.222'

(0001772) skrew 2008-11-05 13:32
Maybe the "resolving remote host name" function (adding "@" to the name/IP) should be a checkbox?
(0002074) jzdrzalek 2009-03-23 12:41
Today I had to switch from IPCop to a new Endian 4i Office. I just took all the VPN parameters and copied them over to the Endian FW. I got the same error:
***
Main mode peer ID is ID_IPV4_ADDR: '172.32.1.2'
we require peer to have ID '@172.32.1.2', but peer declares '172.32.1.2'
sending encrypted notification INVALID_ID_INFORMATION to 212.8.176.228:4500
***

The other side is a Juniper NetScreen. By leaving the right id field empty I see in the log that the Endian is using the other side's public IP (without @).

When the remote id is supplied (172.32.1.2), the local id "@172.32.1.2" doesn't match the remote ID, which is ID_IPV4_ADDR: '172.32.1.2'.

In my case I have to remove the @ from rightid in /etc/ipsec.d/ipsec.conf
and again in /etc/ipsec.d/ipsec.secrets and then restart ipsec manually:
/etc/rc.d/init.d/ipsec restart

Please preserve compatibility to ipcop and other vendors.
(0002088) jzdrzalek 2009-03-27 07:54
The man page of ipsec.conf says:
--
leftid - how the left participant should be identified for authentication; defaults to left. Can be an IP address (in any ipsec_ttoaddr(3) syntax) or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved).
--
So it should be up to the user to put @ in front of the hostname, or an IP without that @ prefix.

The problem applies also to rightid (ID of the remote), because we currently have no chance if the remote rightid is an IP. Our side prefixes it with @.
(0002103) peter-endian 2009-04-06 13:30
The local and remote fields will now be checked whether they are IP addresses or not.
If it is not an IP address and does not start with @, an @ will be prefixed, otherwise not.
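The rule from the ipsec.conf man page quoted in note 0002088 and the fix announced in note 0002103 can be shown side by side in a small script. This is an added example, not Endian's generator or any code from this tracker: the function names, the conn-block layout and the sample addresses are constructed for illustration, and the address check uses Python's standard ipaddress module.

```python
import ipaddress
from typing import Optional


def is_ip_address(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address, False for anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def format_id_before_fix(value: str) -> Optional[str]:
    """Behaviour the reporters ran into: every non-empty ID is prefixed with '@'.

    For an IP address this yields e.g. '@222.222.222.222'. pluto takes an '@'
    value as a literal string, so it never matches the peer's ID_IPV4_ADDR and
    the exchange fails with INVALID_ID_INFORMATION, as in the logs above.
    """
    value = value.strip()
    if not value:
        return None  # empty field: omit leftid/rightid, pluto falls back to the address
    return "@" + value


def format_id_after_fix(value: str) -> Optional[str]:
    """Behaviour described in note 0002103: an IP address, or a value that
    already starts with '@', is kept as typed; anything else (a hostname) gets
    '@' so pluto uses it literally instead of resolving it through DNS."""
    value = value.strip()
    if not value:
        return None
    if is_ip_address(value) or value.startswith("@"):
        return value
    return "@" + value


def render_conn(name: str, left: str, right: str,
                leftid: str = "", rightid: str = "") -> str:
    """Render a minimal ipsec.conf conn block. The layout is a simplification
    made up for this example, not Endian's template. Empty IDs are left out."""
    lines = [f"conn {name}", f"    left={left}", f"    right={right}"]
    lid = format_id_after_fix(leftid)
    if lid is not None:
        lines.append(f"    leftid={lid}")
    rid = format_id_after_fix(rightid)
    if rid is not None:
        lines.append(f"    rightid={rid}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values mirroring the report: a peer reached at one address
    # that identifies itself with a different address.
    print(render_conn("conn1", left="10.0.0.1", right="111.111.111.111",
                      rightid="222.222.222.222"))
    # Same field through the old rule, to show what pluto used to be handed:
    print("old rightid:", format_id_before_fix("222.222.222.222"))
```

The same normalisation has to feed every file that carries the ID: note 0002074 points out that the '@' had to be removed from ipsec.secrets as well as ipsec.conf, so generating the two from one function keeps them from drifting apart.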