
0001416: IPsec VPN, Remote ID parameter added in ipsec.conf with symbol '@' - MantisBT Endian Bugtracker
ID: 0001416
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2008-10-31 11:56
Last Update: 2009-10-27 12:21
Reporter: skrew
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.2-rc3
Target Version: 2.3
Fixed in Version: 2.3
Summary: 0001416: IPsec VPN, Remote ID parameter added in ipsec.conf with symbol '@'
Description: In IPsec Connections, when I add a Remote ID to the configuration, in /etc/ipsec/ipsec.conf it appears as rightid=@xxx.xxx.xxx.xxx instead of just rightid=xxx.xxx.xxx.xxx.
With this behaviour I had to SSH to the server, edit it by hand to remove the '@' and then restart ipsec.
Tags: needsfix
Attached Files: none
Relationships: none

Notes
(0001764)
peter-endian (administrator)
2008-10-31 14:19

That's the correct syntax.
The @ means that the id should not be resolved; otherwise pluto would do a DNS resolve of the id. That's what you want if you put in an id.
If the id is a hostname, then it's not really necessary to set the id, because in that case pluto resolves the connection's remote host and uses its IP address as the id.
(0001765)
skrew (reporter)
2008-10-31 14:31
edited on: 2008-10-31 14:31

So, what should I do if the field is empty:
 pluto[]: "conn1" _58: we require peer to have ID '111.111.111.111', but peer declares '222.222.222.222'
Here 111.111.111.111 is the IP of the remote VPN server (Checkpoint FW NG R55) and 222.222.222.222 is one of their external IPs.

If I enter the IP in the Remote ID field then I get:
pluto[]: "conn1" _78: we require peer to have ID '@222.222.222.222', but peer declares '222.222.222.222'

(0001772)
skrew (reporter)
2008-11-05 13:32

Maybe the "resolve remote host name" function (adding "@" to the name/IP) should be a checkbox?
(0002074)
jzdrzalek (reporter)
2009-03-23 12:41

Today I had to switch from IPCop to a new Endian 4i Office. I just took all the VPN parameters and copied them over to the Endian FW. I got the same error:
***
Main mode peer ID is ID_IPV4_ADDR: '172.32.1.2'
we require peer to have ID '@172.32.1.2', but peer declares '172.32.1.2'
sending encrypted notification INVALID_ID_INFORMATION to 212.8.176.228:4500
***

The other side is a Juniper NetScreen. By leaving the Right ID field empty I see in the log that the Endian is using the other side's public IP (without @).

When the Remote ID is supplied (172.32.1.2), the local id "@172.32.1.2" doesn't match the remote ID ID_IPV4_ADDR: '172.32.1.2'.

In my case I have to remove the @ from rightid in /etc/ipsec.d/ipsec.conf
and again in /etc/ipsec.d/ipsec.secrets and then restart ipsec manually:
/etc/rc.d/init.d/ipsec restart

Please preserve compatibility to ipcop and other vendors.
(0002088)
jzdrzalek (reporter)
2009-03-27 07:54

The man page of ipsec.conf says:
--
leftid - how the left participant should be identified for authentication; defaults to left. Can be an IP address (in any ipsec_ttoaddr(3) syntax) or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved).
--
So it should be up to the user to put @ in front of the hostname, or an IP without that @ prefix.

The problem also applies to rightid (ID of the remote), because we currently have no chance if the remote rightid is an IP. Our side prefixes it with @.
(0002103)
peter-endian (administrator)
2009-04-06 13:30

Local and remote fields will now be checked for whether they are IP addresses or not.
If it is not an IP address and does not start with @, an @ will be prefixed; otherwise not.
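
The rule in note 0002103, as an added example that is not Endian's code: a small Python model of how an ID value is classified, how the pre-2.3 firewall wrote it, how 2.3 writes it, and why the '@'-prefixed form trips the check quoted in the notes above. The conn rendering, the `%defaultroute` value and the UNRESOLVED_NAME label are assumptions for illustration.

```python
import ipaddress

# Added example (not Endian's code): id_type() mirrors how the pluto log labels
# an ID, legacy_id() is the pre-2.3 behaviour (always prefix '@'), fixed_id()
# is the rule from note 0002103. Log message format copied from the notes.

def id_type(value: str) -> str:
    """Classify an ipsec.conf leftid/rightid value as pluto reports it."""
    if value.startswith("@"):
        return "ID_FQDN"  # literal string, never DNS-resolved
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Bare hostname: pluto would resolve it and use the resulting address.
        # Constructed label, since no DNS lookup is done here.
        return "UNRESOLVED_NAME"
    return "ID_IPV4_ADDR" if ip.version == 4 else "ID_IPV6_ADDR"

def legacy_id(raw: str) -> str:
    """Behaviour reported in this issue: the UI always wrote '@' + value."""
    return "@" + raw.strip()

def fixed_id(raw: str) -> str:
    """Rule from note 0002103: IPs and '@'-values stay as they are, names get '@'."""
    value = raw.strip()
    if not value or value.startswith("@"):
        return value
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        return "@" + value

def check_peer_id(required: str, declared: str):
    """None when the IDs agree, else the message pluto logs for a mismatch."""
    if required == declared and id_type(required) == id_type(declared):
        return None
    return f"we require peer to have ID '{required}', but peer declares '{declared}'"

def conn_block(name: str, left: str, right: str, remote_id: str) -> str:
    """Render a conn section; an empty Remote ID omits rightid= (pluto then uses the peer address)."""
    lines = [f"conn {name}", f"\tleft={left}", f"\tright={right}"]
    if (rid := fixed_id(remote_id)):
        lines.append(f"\trightid={rid}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(check_peer_id(legacy_id("172.32.1.2"), "172.32.1.2"))  # the error from note 0002074
    print(conn_block("conn1", "%defaultroute", "212.8.176.228", "172.32.1.2"))
```
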

Issue History
Date Modified | Username | Field | Change
2008-10-31 11:56 skrew New Issue
2008-10-31 11:56 skrew Assigned To => peter-endian
2008-10-31 14:19 peter-endian Note Added: 0001764
2008-10-31 14:19 peter-endian Status new => closed
2008-10-31 14:19 peter-endian Resolution open => no change required
2008-10-31 14:31 skrew Note Added: 0001765
2008-10-31 14:31 skrew Status closed => feedback
2008-10-31 14:31 skrew Resolution no change required => reopened
2008-10-31 14:31 skrew Note Edited: 0001765
2008-10-31 14:31 skrew Note Edited: 0001765
2008-11-05 13:32 skrew Note Added: 0001772
2009-03-23 12:41 jzdrzalek Note Added: 0002074
2009-03-24 21:09 peter-endian Target Version => future
2009-03-27 07:54 jzdrzalek Note Added: 0002088
2009-03-27 17:28 peter-endian Tag Attached: needsfix
2009-04-06 13:30 peter-endian Note Added: 0002103
2009-04-06 13:30 peter-endian Status feedback => resolved
2009-04-06 13:30 peter-endian Fixed in Version => 2.3
2009-04-06 13:30 peter-endian Resolution reopened => fixed
2009-10-27 12:00 peter-endian Status resolved => closed
2009-10-27 12:21 peter-endian Target Version future => 2.3

Copyright © 2005-2008 Endian, SRL. All rights reserved.