SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264
| Anonymous | Login | 2022-05-21 00:02 UTC |  |
| Main | My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0001416 | Endian Firewall | Network related (VPN, uplinks) | public | 2008-10-31 11:56 | 2009-10-27 12:21 | ||||
| Reporter | skrew | ||||||||
| Assigned To | peter-endian | ||||||||
| Priority | normal | Severity | major | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 2.2-rc3 | ||||||||
| Target Version | 2.3 | Fixed in Version | 2.3 | ||||||
| Summary | 0001416: IPsec VPN, Remote ID parameter added in ipsec.conf with symbol '@' | ||||||||
| Description | In IPsec Connections, then I add Remote ID to configuration, in /etc/ipsec/ipsec.conf it appears as rightid=@xxx.xxx.xxx.xxx instead of just rightid=xxx.xxx.xxx.xxx. With this behaviour I had to SSH on server, edit it by hand to remove '@' and then restart ipsec. | ||||||||
| Tags | needsfix | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0001764) peter-endian (administrator) 2008-10-31 14:19 |
that's the correct syntax. the @ means that the id should not be resolved, otherwise pluto would do a dns resolve of the id. That's what you want if you put in an id. If the id is a hostname, then it's not really necessary to set the id, because in that case, pluto resolves the connection remote host and uses it's ip address as id. |
|
(0001765) skrew (reporter) 2008-10-31 14:31 edited on: 2008-10-31 14:31 |
So, what should I do if there are empty field: pluto[]: "conn1" _58: we require peer to have ID '111.111.111.111', but peer declares '222.222.222.222' There are 111.111.111.111 is the IP of remote VPN server (Checkpoint FW NG R55) and 222.222.222.222 is one of their external IP If I enter IP in field Remote ID then I get: pluto[]: "conn1" _78: we require peer to have ID '@222.222.222.222', but peer declares '222.222.222.222' |
|
(0001772) skrew (reporter) 2008-11-05 13:32 |
Maybe functional of "resolving remote host name"(adding "@" to name/IP) should be as checkbox? |
|
(0002074) jzdrzalek (reporter) 2009-03-23 12:41 |
today I have to switch from ipcop to a new endian 4i office. I just took all the vpn parameters and copied it over to the endian fw. I got the same error: *** Main mode peer ID is ID_IPV4_ADDR: '172.32.1.2' we require peer to have ID '@172.32.1.2', but peer declares '172.32.1.2' sending encrypted notification INVALID_ID_INFORMATION to 212.8.176.228:4500 *** The other side is juniper netscreen. by leaving the right id field empty I see in the log, the endian is using other sides public ip (without @). When remote id is supplied (172.32.1.2), local id "@172.32.1.2" doesn't match remote ID is ID_IPV4_ADDR: '172.32.1.2' In my case I have to remove @ from rightid in /etc/ipsec.d/ipsec.conf and again in /etc/ipsec.d/ipsec.secrets and the to restart ipsec manually /etc/rc.d/init.d/ipsec restart Please preserve compatibility to ipcop and other vendors. |
|
(0002088) jzdrzalek (reporter) 2009-03-27 07:54 |
Man of ipsec.conf says: -- leftid - how the left participant should be identified for authentication; defaults to left. Can be an IP address (in any ipsec_ttoaddr(3) syntax) or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved). -- So it shoud by up to User to put @ in front of the hostname or an IP without that @ prefix. Problem appies also with rightid (ID of the remote), becaouse we currently have no chance if the remote rightid is an IP. Our side prefixes with @. |
|
(0002103) peter-endian (administrator) 2009-04-06 13:30 |
local and remote fields will now be checked whether they are ip-addresses or not. if it no ip-address and does not start with @, an @ will be prefixed, otherwise not. |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2008-10-31 11:56 | skrew | New Issue | |
| 2008-10-31 11:56 | skrew | Assigned To | => peter-endian |
| 2008-10-31 14:19 | peter-endian | Note Added: 0001764 | |
| 2008-10-31 14:19 | peter-endian | Status | new => closed |
| 2008-10-31 14:19 | peter-endian | Resolution | open => no change required |
| 2008-10-31 14:31 | skrew | Note Added: 0001765 | |
| 2008-10-31 14:31 | skrew | Status | closed => feedback |
| 2008-10-31 14:31 | skrew | Resolution | no change required => reopened |
| 2008-10-31 14:31 | skrew | Note Edited: 0001765 | |
| 2008-10-31 14:31 | skrew | Note Edited: 0001765 | |
| 2008-11-05 13:32 | skrew | Note Added: 0001772 | |
| 2009-03-23 12:41 | jzdrzalek | Note Added: 0002074 | |
| 2009-03-24 21:09 | peter-endian | Target Version | => future |
| 2009-03-27 07:54 | jzdrzalek | Note Added: 0002088 | |
| 2009-03-27 17:28 | peter-endian | Tag Attached: needsfix | |
| 2009-04-06 13:30 | peter-endian | Note Added: 0002103 | |
| 2009-04-06 13:30 | peter-endian | Status | feedback => resolved |
| 2009-04-06 13:30 | peter-endian | Fixed in Version | => 2.3 |
| 2009-04-06 13:30 | peter-endian | Resolution | reopened => fixed |
| 2009-10-27 12:00 | peter-endian | Status | resolved => closed |
| 2009-10-27 12:21 | peter-endian | Target Version | future => 2.3 |
|
Issue History |
| Copyright © 2000 - 2012 MantisBT Group |
 |