IPsec SA negotiation failed due to invalid identity information

Symptom

  1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.

  2. The following IKE debugging message appeared:

    Notification INVALID_ID_INFORMATION is received.
    

    Or:

    Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA.
    Construct notification packet: INVALID_ID_INFORMATION.
    

Analysis

Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:

  1. Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is using an IKE profile, the IPsec SA negotiation fails.

    # Verify that matching IKE profiles were found in IKE negotiation phase 1.

    <Sysname> display ike sa verbose
       -----------------------------------------------
       Connection ID: 3
       Outside VPN:
       Inside VPN:
       Profile:
       Transmitting entity: Responder
       -----------------------------------------------
       Local IP: 192.168.222.5
       Local ID type: IPV4_ADDR
       Local ID: 192.168.222.5
    
       Remote IP: 192.168.222.71
       Remote ID type: IPV4_ADDR
       Remote ID: 192.168.222.71
    
       Authentication-method: PRE-SHARED-KEY
       Authentication-algorithm: MD5
       Encryption-algorithm: 3DES-CBC
    
       Life duration(sec): 86400
       Remaining key duration(sec): 85847
       Exchange-mode: Main
       Diffie-Hellman group: Group 1
       NAT traversal: Not detected
    

    # Verify that the IPsec policy is using an IKE profile.

    [Sysname] display ipsec policy
    -------------------------------------------
    IPsec Policy: policy1
    Interface: HundredGigE1/0/1
    -------------------------------------------
    
      -----------------------------
      Sequence number: 1
      Mode: ISAKMP
      -----------------------------
      Description:
      Security data flow: 3000
      Selector mode: aggregation
      Local address: 192.168.222.5
      Remote address: 192.168.222.71
      Transform set:  transform1
      IKE profile: profile1
      SA duration(time based):
      SA duration(traffic based):
      SA idle time:
    
  2. Verify that the ACL specified for the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.

    For example, if the initiator's ACL defines a flow from one network segment to another but the responder's ACL defines a flow from one host to another host, IPsec proposal matching will fail.

    # On the initiator:

    [Sysname] display acl 3000
    Advanced IPv4 ACL 3000, 1 rule,
    ACL's step is 5
     rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
    

    # On the responder:

    [Sysname] display acl 3000
    Advanced IPv4 ACL 3000, 1 rule,
    ACL's step is 5
     rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
    
  3. Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured.

    If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail:

    [Sysname] display ipsec policy
    -------------------------------------------
    IPsec Policy: policy1
    Interface: HundredGigE1/0/1
    -------------------------------------------
    
      -----------------------------
      Sequence number: 1
      Mode: ISAKMP
      -----------------------------
      Security data flow: 3000
      Selector mode: aggregation
      Local address: 192.168.222.5
      Remote address: 
      Transform set:  transform1
      IKE profile: profile1
      SA duration(time based):
      SA duration(traffic based):
      SA idle time:
    

Solution

  1. If the IPsec policy specifies an IKE profile but no matching IKE profiles was found in IKE negotiation, perform one of the following tasks on the responder:

    • Remove the specified IKE profile from the IPsec policy.

    • Modify the specified IKE profile to match the IKE profile of the initiator.

  2. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so the ACL defines a flow range equal to or greater than that of the initiator's ACL.

    For example:

    [Sysname] display acl 3000
    Advanced IPv4 ACL 3000, 2 rules,
    ACL's step is 5
     rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
    
  3. Configure the missing settings (for example, the remote address).