<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/22/2010 12:03 PM, Dan Eriksson wrote:
<blockquote cite="mid:1279814608.3646.113.camel@localhost.localdomain"
type="cite">
<pre wrap="">Hi list,
I am having problems creating an IPSec tunnel to a Cisco ASA (remote end
which I have no control over), when I try to connect I receive the
following information,
Main mode peer ID is ID_FQDN: '@peerfqdn'
we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares
'@peerfqdn'
Error:
state transition function for STATE_MAIN_I3 failed:
INVALID_ID_INFORMATION
See attached log openswan.log for the whole log.
My configuration looks like this,
conn qfnet
leftsubnet= 192.168.48.0/22
also= qfno
conn qfno
type= tunnel
authby= secret
keylife= 3600s
left= aaa.bbb.ccc.ddd
leftnexthop= %defaultroute
right= ddd.ccc.bbb.aaa
rightsubnet= 192.168.0.0/21
auth= esp
esp= 3des-md5;modp1024
keyexchange= ike
ike= 3des-md5-modp1024
ikelifetime= 86400s
pfs= no
auto= start
"peerfqdn" is not an address that is resolvable from my side, it seems
like it is only internal.
I found information about using "rightid", which seems to have solved
the problem for a lot of people, so I tried it as well, configuration,
conn qfnet
leftsubnet= 192.168.48.0/22
also= qfno
conn qfno
type= tunnel
authby= secret
keylife= 3600s
left= aaa.bbb.ccc.ddd
leftnexthop= %defaultroute
right= ddd.ccc.bbb.aaa
rightid= @peerfqdn
rightsubnet= 192.168.0.0/21
auth= esp
esp= 3des-md5;modp1024
keyexchange= ike
ike= 3des-md5-modp1024
ikelifetime= 86400s
pfs= no
auto= start
I also made the appropriate changes in ipsec.secrets,
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"
</pre>
</blockquote>
One way may be to try the following:<br>
<br>
@peerfqdn : PSK "mysupersecret"
<br>
<br>
And see how it goes.<br>
<br>
Avesh<br>
<br>
<blockquote cite="mid:1279814608.3646.113.camel@localhost.localdomain"
type="cite">
<pre wrap="">I let the previous PSK stay in the file as well,
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"
I have also tried the following combination,
aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"
</pre>
</blockquote>
<br>
<br>
<blockquote cite="mid:1279814608.3646.113.camel@localhost.localdomain"
type="cite">
<pre wrap="">without success.
But now when I try to connect it can't find the appropriate PSK,
Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and
`@peerfqdn'. Attribute OAKLEY_AUTHENTICATION_METHO
STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
See log file, nopsk.log, for the whole file.
Does anyone have any idea what I am doing wrong?
Thanks in advance for any help!
Best regards,
Dan
</pre>
<pre wrap="">
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>