<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hello,<div>One question: do you use KLIPS or NETKEY?</div><div>anyway, I've got a lot of working systems connected to ASA.</div><div>You should not change the secret. The secret must stay with the IP addresses only</div><div>aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa: PSK "MySuperKey"</div><div><br></div><div><br></div><div><br></div><div>Here is a sample working config:</div><div><br></div><div><div>conn Canada</div><div> authby=secret</div><div> pfs=no</div><div> auto=start</div><div> keyingtries=3</div><div> disablearrivalcheck=no</div><div> keyexchange=ike</div><div> ikelifetime=240m</div><div> type=tunnel</div><div> auth=esp</div><div> compress=no</div><div> keylife=60m</div><div> left=aaa.bbb.ccc.ddd</div><div> leftsubnet=172.16.0/23</div><div> leftnexthop=aaa.bbb.ccc.gwip</div><div> right=ddd.ccc.bbb.aaa</div><div> rightsubnet=172.16.30.0/24</div><div> rightnexthop=ddd.ccc.bbb.gw2ip</div><div><br></div><div><br></div><div>In the ASA:</div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">access-list WavreTunnel extended permit ip ddd.ccc.bbb.0 255.255.255.0 aaa.bbb.ccc.0 255.255.255.0</span><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; "> </span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</span><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; "> </span><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; "><br></span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">crypto map CanadaWavre 20 match address aaa.bbb.ccc.ddd</span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">crypto map CanadaWavre 20 set peer aaa.bbb.ccc.ddd <br>crypto map CanadaWavre 20 set transform-set ESP-3DES-SHA</span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">crypto map CanadaWavre interface outside</span><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; "><br></span><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">crypto isakmp enable outside</span><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; "><br></span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">crypto isakmp policy 10<br> authentication pre-share<br> encryption 3des<br> hash md5<br> group 2<br> lifetime 86400</span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; ">tunnel-group aaa.bbb.ccc.ddd type ipsec-l2l<br>tunnel-group aaa.bbb.ccc.ddd ipsec-attributes<br> pre-shared-key MySuperKey</span></div><div><span class="Apple-style-span" style="font-family: Calibri, Verdana, Helvetica, Arial; font-size: 15px; "><br></span></div><div><div>On 22 Jul 2010, at 18:03, Dan Eriksson wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi list,<br><br>I am having problems creating an IPSec tunnel to a Cisco ASA (remote end<br>which I have no control over), when I try to connect I receive the<br>following information,<br><br>Main mode peer ID is ID_FQDN: '@peerfqdn'<br>we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares<br>'@peerfqdn'<br><br>Error:<br>state transition function for STATE_MAIN_I3 failed:<br>INVALID_ID_INFORMATION<br><br>See attached log openswan.log for the whole log.<br><br>My configuration looks like this,<br><br>conn qfnet<br> leftsubnet= 192.168.48.0/22<br> also= qfno<br><br>conn qfno<br> type= tunnel<br> authby= secret<br> keylife= 3600s<br> left= aaa.bbb.ccc.ddd<br> leftnexthop= %defaultroute<br> right= ddd.ccc.bbb.aaa<br> rightsubnet= 192.168.0.0/21<br> auth= esp<br> esp= 3des-md5;modp1024<br> keyexchange= ike<br> ike= 3des-md5-modp1024<br> ikelifetime= 86400s<br> pfs= no<br> auto= start<br><br>"peerfqdn" is not an address that is resolvable from my side, it seems<br>like it is only internal.<br><br>I found information about using "rightid", which seems to have solved<br>the problem for a lot of people, so I tried it as well, configuration,<br><br>conn qfnet<br> leftsubnet= 192.168.48.0/22<br> also= qfno<br><br>conn qfno<br> type= tunnel<br> authby= secret<br> keylife= 3600s<br> left= aaa.bbb.ccc.ddd<br> leftnexthop= %defaultroute<br> right= ddd.ccc.bbb.aaa<br> rightid= @peerfqdn<br> rightsubnet= 192.168.0.0/21<br> auth= esp<br> esp= 3des-md5;modp1024<br> keyexchange= ike<br> ike= 3des-md5-modp1024<br> ikelifetime= 86400s<br> pfs= no<br> auto= start<br><br><br>I also made the appropriate changes in ipsec.secrets,<br><br>aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"<br><br>I let the previous PSK stay in the file as well,<br><br>aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"<br><br>I have also tried the following combination,<br>aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"<br><br>without success.<br><br>But now when I try to connect it can't find the appropriate PSK,<br><br>Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and<br>`@peerfqdn'. Attribute OAKLEY_AUTHENTICATION_METHO<br>STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN<br><br>See log file, nopsk.log, for the whole file.<br><br>Does anyone have any idea what I am doing wrong?<br><br>Thanks in advance for any help!<br><br>Best regards,<br>Dan<br><span><openswan.log></span><span><psk.log></span>_______________________________________________<br><a href="mailto:Users@openswan.org">Users@openswan.org</a><br>http://lists.openswan.org/mailman/listinfo/users<br>Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>Building and Integrating Virtual Private Networks with Openswan: <br>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br></div></blockquote></div><br><div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: 16px; "><div style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><span lang="EN-US" style="font-size: 9pt; font-family: 'Lucida Sans Unicode', sans-serif; color: rgb(80, 80, 255); ">Pascal Fuks<br>Network & Security Consultant,<br>CEO / Administrateur délégué,<br><br></span></div><div style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><span lang="EN-US" style="font-size: 9pt; font-family: 'Lucida Sans Unicode', sans-serif; color: rgb(80, 80, 255); ">Tel. : +32 2 387 08 00<br>Fax : +32 2 387 07 06<br>Email : </span><span style="font-size: 9pt; font-family: 'Lucida Sans Unicode', sans-serif; color: rgb(80, 80, 255); "><span lang="EN-US" style="color: blue; "><a href="mailto:veronique@financialart.be" target="_blank" style="color: blue; text-decoration: underline; ">pascal@financial-art.be</a></span></span></div><div style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; "><font class="Apple-style-span" color="#0000FF" face="'Lucida Sans Unicode', sans-serif" size="3"><span class="Apple-style-span" style="font-size: 12px; ">IM: pascal@financial-art (MSN)<br>Free/Busy Time: <a href="http://tinyurl.com/pfukscal">http://tinyurl.com/pfukscal</a></span></font></div><div style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 9pt; font-family: 'Lucida Sans Unicode', sans-serif; color: rgb(80, 80, 255); "><span lang="EN-US" style="color: rgb(176, 0, 0); "><br><a href="http://www.financial-art.be/" target="_blank" style="color: blue; text-decoration: underline; "></a></span></span></div><div style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 9pt; font-family: 'Lucida Sans Unicode', sans-serif; color: rgb(80, 80, 255); "><span lang="EN-US" style="color: rgb(176, 0, 0); "><a href="http://www.financial-art.be/" target="_blank" style="text-decoration: none; color: blue; ">www.financial-art.be</a></span></span><span lang="EN-US" style="font-size: 9pt; font-family: 'Lucida Sans Unicode', sans-serif; color: rgb(80, 80, 255); "></span></div><div style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 8pt; color: green; ">Avant d’imprimer cet email, réfléchissez à l’impact sur l’environnement. Please consider the environment before printing this mail.</span></div><p class="MsoNormal" style="margin-top: 0cm; margin-bottom: 0.0001pt; margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "> </p></span></div></div></div>
</div>
<br></div><br>**** DISCLAIMER ****<br>
<br>
"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. <br>
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. <br>
If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".<br>
<br>
Thank you for your cooperation.<br>
<br>
* This e-mail was scanned against known viruses by MDaemon-DKAV</body></html>