'no group IKE id user, bad id type' error reported when connecting L2TP VPN with IPsec on Windows 7

Article ID: KB15949 | Last Updated: 22 Dec 2009 | Version: 1.0
Summary:
'no group IKE id user, bad id type' error reported when connecting L2TP VPN with IPsec on Windows 7
Symptoms:
The client and ScreenOS firewall are configured as follows:
  • L2TP over IPsec
  • Windows 7 operating system on the client
  • No NetScreen-Remote client involved on the client side (the built-in Windows 7 VPN client is used)
  • L2TP tunnel over IPsec configured on the firewall
The following error messages are reported on the ScreenOS firewall in the output of 'debug ike detail' when the client attempts to connect using a preshared key (the lines marked with <<<<<<<<< are the relevant ones):
## 2009-11-21 05:18:46 : locate peer entry for (1/66.66.66.5), by identity in ip.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > no group IKE id user, bad id type <1>.    <<<<<<<<<
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > Find NATT enabled peer with matching ID and ifp.    <<<<<<<<<
## 2009-11-21 05:18:46 : peer <field> is not a static-ip peer.  
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > failed to find natt static peer by IKE id and ifp.  <<<<<<<<<
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Phase 1: can not find peer by ID.
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Packet has arrived with ID type IP Address, but no user configuration was found for that ID.


Solution:
Windows 7 uses IKEv1 Main mode (not Aggressive mode) for its built-in dial-up L2TP-over-IPsec connections.

ScreenOS firewalls support L2TP over IPsec with Windows 7 only when certificates are used; it cannot be implemented with preshared keys. The reason is that in Main mode a ScreenOS firewall locates the peer by IP address: the IKE ID is the client's IP address (ID type 1, 'ID type IP Address' in the debug output above) and must match a configured static-IP peer. A dial-up client connects from a dynamic address that matches no static-IP peer, and the group IKE ID user lookup rejects an IP-address ID ('no group IKE id user, bad id type <1>'), so Phase 1 fails with 'can not find peer by ID'. Therefore the connection can only work with certificates, which identify the peer without relying on a preshared key tied to a fixed address.

If L2TP over IPsec is configured with certificates, the errors above do not occur. For information on configuring a dial-up VPN for a Windows 7 client with L2TP over IPsec (without NetScreen-Remote), refer to KB16075.
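When triaging many such failures it helps to pull the peer address and the numeric IKE ID type out of the debug output automatically and map the type to its ISAKMP name. The following Python helper is an added example, not part of this KB article or of ScreenOS; it is fed the article's debug lines (with the <<<<<<<<< markers removed) as constructed sample input, the ID-type names come from the ISAKMP IPsec DOI (RFC 2407 section 4.6.2.1), and the verdict labels are this script's own naming.

```python
"""Classify ScreenOS 'debug ike detail' output for the Main-mode IP-address-ID
failure described in KB15949.  Added example, not ScreenOS code."""
import re
from typing import Dict, Optional

# ISAKMP identification types, IPsec DOI (RFC 2407 section 4.6.2.1).
ISAKMP_ID_TYPES: Dict[int, str] = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR",
    6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN",
    11: "ID_KEY_ID",
}

# ID types that carry a bare IP address; a dial-up peer cannot be located by these.
IP_ID_TYPES = {1, 5}

# Constructed sample input: the debug lines from the article, markers removed.
SAMPLE_DEBUG = """\
## 2009-11-21 05:18:46 : locate peer entry for (1/66.66.66.5), by identity in ip.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > no group IKE id user, bad id type <1>.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > Find NATT enabled peer with matching ID and ifp.
## 2009-11-21 05:18:46 : peer <field> is not a static-ip peer.
## 2009-11-21 05:18:46 : IKE<0.0.0.0 > failed to find natt static peer by IKE id and ifp.
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Phase 1: can not find peer by ID.
## 2009-11-21 05:18:46 : IKE<66.66.66.5> Packet has arrived with ID type IP Address, but no user configuration was found for that ID.
"""

# Patterns for the three lines that carry the diagnostic information.
LOCATE_RE = re.compile(r"locate peer entry for \((\d+)/([^)]+)\)")
BAD_ID_RE = re.compile(r"no group IKE id user, bad id type <(\d+)>")
NO_PEER_RE = re.compile(r"IKE<\s*([^>\s]+)\s*> Phase 1: can not find peer by ID")


def describe_id_type(code: int) -> str:
    """Map a numeric ISAKMP ID type to its RFC 2407 name."""
    return ISAKMP_ID_TYPES.get(code, f"UNKNOWN({code})")


def triage_ike_debug(text: str) -> Dict[str, Optional[object]]:
    """Scan debug output and return the peer, the ID type it presented and a verdict.

    Verdicts (this script's own labels):
      main-mode-ip-id-psk    - peer presented an IP-address ID and Phase 1 could not
                               locate it: the dial-up-with-PSK case from KB15949
      group-ike-id-mismatch  - a non-IP ID was rejected by the group IKE ID lookup
      phase1-peer-not-found  - Phase 1 failed but no ID type was seen
      no-match               - signature not present
    """
    result: Dict[str, Optional[object]] = {
        "peer": None, "id_type": None, "id_type_name": None,
        "phase1_failed": False, "verdict": "no-match",
    }
    for line in text.splitlines():
        m = LOCATE_RE.search(line)
        if m:
            result["id_type"] = int(m.group(1))
            result["peer"] = m.group(2).strip()
        m = BAD_ID_RE.search(line)
        if m:
            result["id_type"] = int(m.group(1))
        m = NO_PEER_RE.search(line)
        if m:
            result["peer"] = m.group(1)
            result["phase1_failed"] = True

    if result["id_type"] is not None:
        result["id_type_name"] = describe_id_type(result["id_type"])  # type: ignore[arg-type]

    if result["phase1_failed"] and result["id_type"] in IP_ID_TYPES:
        result["verdict"] = "main-mode-ip-id-psk"
    elif result["phase1_failed"] and result["id_type"] is not None:
        result["verdict"] = "group-ike-id-mismatch"
    elif result["phase1_failed"]:
        result["verdict"] = "phase1-peer-not-found"
    return result


if __name__ == "__main__":
    print(triage_ike_debug(SAMPLE_DEBUG))
```

A verdict of main-mode-ip-id-psk on the article's lines confirms the case this KB describes: the client presented ID_IPV4_ADDR (type 1) and no static-IP peer or group IKE ID user could be matched, so the fix is to move the Windows 7 client to certificate authentication per KB16075 rather than to keep adjusting the preshared key.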
