[Swan] unhandled id type

Computerisms Corporation bob at computerisms.ca
Tue Nov 28 20:44:19 UTC 2017 

Hi Gurus,

I recently reconfigured a system so that I could connect with a Mac to 
an IKEv2 conn.  That tested as working, and existing windows 
workstations that were using the system continued working.  I added a 
new cert and configured a windows laptop today to connect to this same 
machine.  The machine will report that it is connected, but it is 
passing no data.  The firewall will report up to certificate verified 
OK, then it spits out this:

Nov 28 11:57:11 fw-kz pluto[6011]: "rw-ikev2"[1] 50.117.141.6 #1: 
Unhandled ID type -1: 18446744073709551615??
Nov 28 11:57:11 fw-kz pluto[6011]: "rw-ikev2"[1] 50.117.141.6 #1: X509: 
Certificate rejected for this connection
Nov 28 11:57:11 fw-kz pluto[6011]: "rw-ikev2"[1] 50.117.141.6 #1: X509: 
CERT payload bogus or revoked

However, afterwards it negotiates a connection and reports ipsec SA 
established.

The machine stays connected for a few minutes, then disconnects, 
presumably dead peer detection is determining that it is not there 
because no data passes.  Tcpdump shows that after the connection is 
established, a good pile of packets are sent from the windows machine, 
but are never replied to from the firewall, and if a ping is sent from 
inside the LAN to the remote windows machine, the packets are reported 
leaving on the external interface, but never show up at the windows 
machine.

Googling the unhandled ID finds nothing of value, but then it occurred 
to me that one of the changes I had to make to get the Mac working was 
to make rightid=%myid, so I changed it to rightid=%cert and now windows 
is working as expected.

it was suggested that .mobileconfig is the way to go with the OSX, but I 
haven't gotten that mac back to make changes yet, so wondering if the 
rightid=%myid is known to not work with windows, or if there is 
something I can do to make it work?  Seems like it wants to work.  I am 
hoping to find a way to do this without breaking the mac till I can get 
my hands on it again and try the .mobileconfig thing...

-- 
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca

More information about the Swan mailing list