IPsec SA negotiation failed due to invalid identity information
Symptom
The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
The following IKE debugging message appeared:
Notification INVALID_ID_INFORMATION is received.
Or:
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA. Construct notification packet: INVALID_ID_INFORMATION.
Analysis
Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:
Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is using an IKE profile, the IPsec SA negotiation fails.
# Verify that matching IKE profiles were found in IKE negotiation phase 1.
<Sysname> display ike sa verbose ----------------------------------------------- Connection ID: 3 Outside VPN: Inside VPN: Profile: Transmitting entity: Responder ----------------------------------------------- Local IP: 192.168.222.5 Local ID type: IPV4_ADDR Local ID: 192.168.222.5 Remote IP: 192.168.222.71 Remote ID type: IPV4_ADDR Remote ID: 192.168.222.71 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 85847 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected
# Verify that the IPsec policy is using an IKE profile.
[Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: HundredGigE1/0/1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: ISAKMP ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: 192.168.222.71 Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time:
Verify that the ACL specified for the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
For example, if the initiator's ACL defines a flow from one network segment to another but the responder's ACL defines a flow from one host to another host, IPsec proposal matching will fail.
# On the initiator:
[Sysname] display acl 3000 Advanced IPv4 ACL 3000, 1 rule, ACL's step is 5 rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
# On the responder:
[Sysname] display acl 3000 Advanced IPv4 ACL 3000, 1 rule, ACL's step is 5 rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured.
If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail:
[Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: HundredGigE1/0/1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: ISAKMP ----------------------------- Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time:
Solution
If the IPsec policy specifies an IKE profile but no matching IKE profiles was found in IKE negotiation, perform one of the following tasks on the responder:
Remove the specified IKE profile from the IPsec policy.
Modify the specified IKE profile to match the IKE profile of the initiator.
If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so the ACL defines a flow range equal to or greater than that of the initiator's ACL.
For example:
[Sysname] display acl 3000 Advanced IPv4 ACL 3000, 2 rules, ACL's step is 5 rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
Configure the missing settings (for example, the remote address).