'no group IKE id user, bad id type' error reported when connecting L2TP VPN with IPsec on Windows 7
Client and ScreenOS firewall are configured as follows:
- L2TP over IPsec
- Windows 7 operating system on the client
- No NetScreen-Remote involved on the client side
- L2TP tunnel over IPsec configured on the firewall
The following error messages are reported on the ScreenOS firewall in the output of 'debug ike detail' when the client attempts to connect (if using a preshared key):
## 2009-11-21 05:18:46 : locate peer entry for (1/66.66.66.5), by identity in ip.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > no group IKE id user, bad id type <1>. <<<<<<<<<
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > Find NATT enabled peer with matching ID and ifp. <<<<<<<<<
## 2009-11-21 05:18:46 : peer <field> is not a static-ip peer.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > failed to find natt static peer by IKE id and ifp. <<<<<<<<<
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Phase 1: can not find peer by ID.
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Packet has arrived with ID type IP Address, but no user configuration was found for that ID.
Windows 7 uses main mode (not aggressive mode) for the dialup (L2TP with IPsec) connections.
ScreenOS firewalls support L2TP over IPsec with Windows 7 only when certificates are used; it cannot be implemented with preshared keys. The reason is that Windows 7 uses Main mode, and Main mode on a ScreenOS firewall requires the IKE ID to be the IP address of the client, which the PC is not sending. Therefore, the connection can only work with certificates.
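To make this failure signature easy to recognize in a debug capture, here is an added example (not part of the original KB article and not Juniper code) that scans 'debug ike detail' output for the sequence above and reports the peer, the IKE ID type and whether it matches the Main-mode/preshared-key dial-up mismatch described here. The sample input is the debug output from this article; the ID type numbers are the standard IKEv1 identification types (ID_IPV4_ADDR = 1). The function name and the returned field names are this example's own choices.

```python
import re
from typing import Dict, Optional

# Constructed sample: the 'debug ike detail' lines shown in this article, as a
# Windows 7 L2TP/IPsec client using a preshared key attempts to connect.
SAMPLE_DEBUG = """\
## 2009-11-21 05:18:46 : locate peer entry for (1/66.66.66.5), by identity in ip.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > no group IKE id user, bad id type <1>.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > Find NATT enabled peer with matching ID and ifp.
## 2009-11-21 05:18:46 : peer <field> is not a static-ip peer.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > failed to find natt static peer by IKE id and ifp.
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Phase 1: can not find peer by ID.
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Packet has arrived with ID type IP Address, but no user configuration was found for that ID.
"""

# IKEv1 (ISAKMP / IPsec DOI) identification types relevant to this diagnosis.
IKE_ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    9: "ID_DER_ASN1_DN",
}

# Patterns for the three lines that together identify the failure.
LOCATE_RE = re.compile(r"locate peer entry for \((\d+)/([\d.]+)\), by identity in ip")
BAD_ID_RE = re.compile(r"no group IKE id user, bad id type <(\d+)>")
NOT_FOUND_RE = re.compile(r"IKE<([\d.]+)> Phase 1: can not find peer by ID")


def diagnose_ike_debug(text: str) -> Optional[Dict[str, object]]:
    """Scan ScreenOS 'debug ike detail' output for a Phase 1 peer lookup failure.

    Returns None when no "can not find peer by ID" line is present. Otherwise
    returns the peer address, the IKE ID type the firewall saw, and a flag that
    is True when the ID type is an IP address (the Main-mode / preshared-key
    case this article describes), together with the remediation from the KB.
    """
    id_type: Optional[int] = None
    peer_ip: Optional[str] = None
    peer_not_found = False

    for line in text.splitlines():
        m = LOCATE_RE.search(line)
        if m:
            id_type = int(m.group(1))
            peer_ip = m.group(2)
            continue
        m = BAD_ID_RE.search(line)
        if m:
            # The firewall rejected the ID for group-IKE-ID user lookup; record the type.
            id_type = int(m.group(1))
            continue
        m = NOT_FOUND_RE.search(line)
        if m:
            peer_not_found = True
            peer_ip = m.group(1)

    if not peer_not_found:
        return None

    is_ip_id = id_type == 1
    return {
        "peer_ip": peer_ip,
        "id_type": id_type,
        "id_type_name": IKE_ID_TYPES.get(id_type, "UNKNOWN") if id_type is not None else None,
        "main_mode_psk_mismatch": is_ip_id,
        "cause": (
            "Main-mode peer identified by IP address, but no gateway matches that ID "
            "(Windows 7 L2TP/IPsec with a preshared key)"
            if is_ip_id
            else "Phase 1 peer lookup failed for the presented IKE ID"
        ),
        "remediation": (
            "Configure L2TP over IPsec with certificates (see KB16075)"
            if is_ip_id
            else "Check the IKE gateway configuration for this peer ID"
        ),
    }


if __name__ == "__main__":
    result = diagnose_ike_debug(SAMPLE_DEBUG)
    for key, value in (result or {}).items():
        print(f"{key}: {value}")
```

Run the script against a saved debug capture by replacing SAMPLE_DEBUG with the file contents; a result with main_mode_psk_mismatch set to True is the exact condition this article explains, and a None result means the capture does not contain the Phase 1 lookup failure at all.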
If using L2TP over IPsec with certificates, the above errors will not occur. For information on configuring a dial-up VPN using a Windows 7 client with L2TP over IPsec (without NetScreen-Remote), refer to KB16075.