Contributor
January 9, 2007
Question

Received error notification from peer: INVALID_ID_INFORMATION

  • January 9, 2007
  • 7 replies
  • 10764 views
Hi, I am using Fortigate-200A 3.00,build0319,060724 trying to establish a site-to-site VPN to the UK. I created the IPSec Phase 1 and Phase 2, firewall address and policy. The tunnel was created according to the information given by the UK; please see the log access below.

    1 2007-01-09 21:21:32 error negotiate Received error notification from peer: INVALID_ID_INFORMATION
    2 2007-01-09 21:21:31 notice negotiate Initiator: sent 194.36.55.1 quick mode message #1 (OK)
    3 2007-01-09 21:19:32 notice negotiate Initiator: parsed 194.36.55.1 main mode message #3 (DONE)
    4 2007-01-09 21:19:31 notice negotiate Initiator: sent 194.36.55.1 main mode message #3 (OK)
    5 2007-01-09 21:19:31 notice negotiate Initiator: sent 194.36.55.1 main mode message #2 (OK)
    6 2007-01-09 21:19:31 notice negotiate Initiator: sent 194.36.55.1 main mode message #1 (OK)

Please advise me what could have gone wrong.

P.S. We have had some countries such as Australia connected to the UK network using the same network information given, which means their VPN server in the UK is ready.

Thanks, Felix

    7 replies

    bradhdds
    New Member
    January 9, 2007
    I'm receiving the same info in my log. I'm trying to connect 2 FGTs. One is running 3.0 build 219, the other is running 2.8 build 488. Everything looks fine, but the tunnel will not come up. Any help would be appreciated. Bradley
    rwpatterson
    New Member
    January 9, 2007
    What brand/model device are you trying to connect to?
    bradhdds
    New Member
    January 9, 2007
    It's fixed. The tunnel is from a FGT-60 to a FGT-50. The 60 is running 2.8 and the 50 is running 3.0. To fix the problem, I needed to add source/destination addresses to the Quick Mode Selector: VPN --> IPSEC --> Auto Key --> Phase 2 --> Advanced --> Quick Mode Selector. I added the source and destination networks and left ports/protocol at 0. The tunnel came up right away. This needs to be configured for tunnels between 3.0 and 2.8 devices as well as FGTs running 3.0 and other vendors... PIX, SonicWall. Thanks, Bradley
    Contributor
    January 29, 2007
    Thanks a lot, it solved my problem. Best regards, Ove Halseth
    Contributor
    February 19, 2007
    What solved your problem? I need to have a VPN between a Fortigate 100A and a CP NG AI R55 on Voyager (Nokia) and it seems to be impossible. Can someone explain to me where the trick is?
    Contributor
    January 10, 2007
    Hi, I have added the source and destination IP to the Quick Mode Selector but the problem continues. See the log access event:

        6 2007-01-09 21:21:32 error negotiate Received error notification from peer: INVALID_ID_INFORMATION
        7 2007-01-09 21:21:31 notice negotiate Initiator: sent 194.x.x.1 quick mode message #1 (OK)
        8 2007-01-09 21:19:32 notice negotiate Initiator: parsed 194.x.x.1 main mode message #3 (DONE)
        9 2007-01-09 21:19:31 notice negotiate Initiator: sent 194.x.x.1 main mode message #3 (OK)
        10 2007-01-09 21:19:31 notice negotiate Initiator: sent 194.x.x.1 main mode message #2 (OK)
        11 2007-01-09 21:19:31 notice negotiate Initiator: sent 194.x.x.1 main mode message #1 (OK)

    The UK office is running on Checkpoint FW-1 NGAI R55. Thanks, Felix
    rwpatterson
    New Member
    January 10, 2007
    Try removing PFS & DH groups from both sides of phase 2.
    Contributor
    January 10, 2007
    Hi, I have removed the PFS & DH groups from P2 but the problem continues.
    rwpatterson
    New Member
    January 10, 2007
    Shoot a ticket over to Fortinet support. Make sure you have the PIX firmware version as well as the Fortigate IOS version. There may be an incompatibility between the two.
    Contributor
    January 10, 2007
    Hi, I have created a ticket with Fortinet support. They have suggested including the Fortigate IP which I have given to the UK (for authentication) in the Phase 1 local ID, but the problem continues..... So far, I have tried to: include the IP in the local ID; remove the PFS and DHG in Phase 2; disable the replay detection in Phase 2; include the source address and destination address in the quick mode selector; set a 0 value in the source and destination port in the quick mode selector. Not sure what else to try... I will try to buzz them again. Thanks, Felix
    rwpatterson
    New Member
    January 11, 2007
    I'm assuming you're doing the same thing on both ends... They need to match exactly before any information can be exchanged for authentication.
    red_adair
    New Member
    February 20, 2007
    "invalid_id_information" very likely means that the "Quick mode selectors" are not compatible (Phase 2 - Advanced). This should specify the src/dst networks, as specified the opposite way on the other side. These are your friends:

        #diag debug ena
        #diag debug app ike 3

    Be advised that PIX will create a separate SA for each connected subnet! -R.