Hello, <br><div class="gmail_quote"><div><br></div><div>I am trying, from a Linux box, to set up an IPsec tunnel to a Cisco ASA 5520. The Cisco is managed by a telco operator.</div><div><br></div><div><font size="4">My ipsec.conf is (based on the telco spec file I attach):</font></div>
<div><br></div><div><pre style="color:rgb(34,34,34);font-size:13px;font-family:monospace">
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    protostack=netkey
    nat_traversal=no
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

conn cyta
    type=tunnel
    # Define your IKE policy
    authby=secret
    pfs=no
    ike=3des-sha1;modp1024
    ikelifetime="86400"
    # Define IPsec policy
    phase2=esp
    phase2alg=3des-sha1
    #ah=hmac-sha1
    keylife="3600"
    #ikev2=insist
    # Left security gateway (Linux side)
    left=198.101.222.60          # real IP of the Linux server
    leftsubnet=198.101.222.0/24  # net address behind the Linux side
    leftnexthop=198.101.222.60   # real IP gateway
    # Right security gateway (ASA side)
    right=212.31.96.133          # ASA IP
    rightsubnet=212.31.96.0/24   # net address assigned to the other side
    rightnexthop=212.31.96.135   # real IP gateway
    # Type of cryptography used on the VPN tunnel
    #keyexchange=ike
    auto=start

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
</pre></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif">
<font size="4">The output I get is:</font></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div><pre style="color:rgb(34,34,34);font-size:13px;font-family:monospace">
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface eth1/eth1 10.178.111.55:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface eth0/eth0 198.101.222.60:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface lo/lo 127.0.0.1:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface lo/lo ::1:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: loading secrets from "/etc/ipsec.secrets"
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: initiating Main Mode
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [Cisco-Unity]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [XAUTH]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring unknown Vendor ID payload [07d0985db9d41de43dc9b2c01cd3102f]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [Dead Peer Detection]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: Main mode peer ID is ID_IPV4_ADDR: '212.31.96.133'
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:29f85155 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received and ignored informational message
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 5 17:35:20 apllo-i1 pluto[21371]: packet from 212.31.96.133:500: received and ignored informational message
</pre>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px"><br></div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Can you please verify that I've set up the ipsec.conf file correctly? I believe I have.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Could this "INVALID_ID_INFORMATION" error message be related to a bug?</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px"><br></div>
<div><font color="#222222" face="arial, sans-serif">I would much appreciate your input on this.</font></div>
<div><font color="#222222" face="arial, sans-serif"><br></font></div>
<div><font color="#222222" face="arial, sans-serif">Regards</font></div>
<div><font color="#222222" face="arial, sans-serif">Savilak</font></div></div></div>
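<div><br></div>
<div>The log in the mail above shows Phase 1 (Main Mode) completing with the ASA and the peer answering the Quick Mode proposal with an INVALID_ID_INFORMATION notify, then deleting the ISAKMP SA. The script below is an added example for readers of this thread; it is not part of Savilak's mail and not Openswan's own code. It parses pluto log lines of this shape, reports which IKEv1 phase failed, maps the notify type to its usual cause and flags weak negotiated parameters. The SAMPLE_LOG lines are copied from the mail; the NOTIFY_HINTS and WEAK tables are general IKEv1 troubleshooting knowledge assumed by the example, not something the log itself proves.</div>

```python
"""Triage an Openswan/pluto IKEv1 log: which phase failed, what the peer said,
and whether the negotiated crypto is worth keeping.

Added example for the mail above; not Openswan's code. SAMPLE_LOG is copied
from the mail. NOTIFY_HINTS and WEAK encode general IKEv1 troubleshooting
experience (an assumption about the peer's likely cause, not a fact the log
proves).
"""
import re

# Pluto lines copied from the post (interface/secrets lines carry no state).
SAMPLE_LOG = """\
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: initiating Main Mode
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [Cisco-Unity]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: Main mode peer ID is ID_IPV4_ADDR: '212.31.96.133'
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:29f85155 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 5 17:35:20 apllo-i1 pluto[21371]: packet from 212.31.96.133:500: received and ignored informational message
"""

# Only lines tagged with a connection name and state number carry negotiation events.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
P1_RE = re.compile(r"ISAKMP SA established \{(?P<attrs>[^}]*)\}")
QM_RE = re.compile(r"initiating Quick Mode .*\{(?P<attrs>[^}]*)\}")
P2_RE = re.compile(r"IPsec SA established")
NOTIFY_RE = re.compile(r"informational payload, type (?P<type>[A-Z_]+)")
DELETE_RE = re.compile(r"received Delete SA payload")

# Usual cause per IKEv1 notify type (RFC 2408 names); experience, not proof.
NOTIFY_HINTS = {
    "INVALID_ID_INFORMATION": "Phase 2 identities (leftsubnet/rightsubnet) do not match "
                              "the peer's crypto ACL; fix the proxy IDs, not the ciphers",
    "NO_PROPOSAL_CHOSEN": "no common transform; compare ike=/phase2alg= with the peer's policy",
    "INVALID_PAYLOAD_TYPE": "peer could not decrypt the message; usually a pre-shared key mismatch",
    "PAYLOAD_MALFORMED": "peer could not decrypt the message; usually a pre-shared key mismatch",
}

# Substrings of pluto's negotiated-parameter text that a reviewer should flag.
WEAK = {
    "3des": "3DES: 64-bit block cipher, prefer AES",
    "modp1024": "DH group 2 (1024-bit): too small, prefer modp2048 or stronger",
    "no-pfs": "no PFS: compromise of the IKE SA exposes every child SA",
}


def triage(log_text):
    """Summarise one connection's IKEv1 negotiation from pluto log text."""
    r = {"conn": None, "phase1": None, "phase2": False, "qm_sent": False,
         "notifies": [], "deleted_by_peer": False, "failed_phase": None,
         "hint": None, "weak": []}
    crypto = []  # negotiated-parameter strings, scanned for weak choices
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # interface, secrets and "packet from" lines have no state number
        r["conn"] = m.group("conn")
        msg = m.group("msg")
        p1, qm, n = P1_RE.search(msg), QM_RE.search(msg), NOTIFY_RE.search(msg)
        if p1:
            r["phase1"] = p1.group("attrs")
            crypto.append(p1.group("attrs"))
        elif qm:
            r["qm_sent"] = True
            crypto.append(qm.group("attrs"))
        elif P2_RE.search(msg):
            r["phase2"] = True
        elif n:
            r["notifies"].append(n.group("type"))
        elif DELETE_RE.search(msg):
            r["deleted_by_peer"] = True
    blob = " ".join(crypto).lower()
    r["weak"] = [k for k in WEAK if k in blob]
    if r["phase2"]:
        r["hint"] = "IPsec SA established; if traffic still fails, look at routing and firewalling, not IKE"
    else:
        r["failed_phase"] = 1 if r["phase1"] is None else 2
        if r["notifies"]:
            t = r["notifies"][0]
            r["hint"] = NOTIFY_HINTS.get(t, "unmapped notify %s; look it up in RFC 2408" % t)
        else:
            r["hint"] = "peer sent nothing: check UDP/500 (and 4500) reachability and the peer's own log"
    return r


def report(log_text):
    """Human-readable version of triage(), returned as a string so callers can log it."""
    r = triage(log_text)
    lines = ['conn "%s": phase 1 %s' % (r["conn"], "established" if r["phase1"] else "FAILED")]
    if r["phase1"]:
        lines.append("  phase 1 params: %s" % r["phase1"])
    lines.append("  quick mode sent: %s, IPsec SA: %s, peer deleted ISAKMP SA: %s"
                 % (r["qm_sent"], r["phase2"], r["deleted_by_peer"]))
    if r["notifies"]:
        lines.append("  notifies from peer: %s" % ", ".join(r["notifies"]))
    prefix = "phase %d failed: " % r["failed_phase"] if r["failed_phase"] else ""
    lines.append("  verdict: " + prefix + r["hint"])
    for k in r["weak"]:
        lines.append("  weak: %s" % WEAK[k])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

<div>Run against the mail's log it reports Phase 1 established, Phase 2 failed with INVALID_ID_INFORMATION, and three weak choices (3DES, modp1024, no PFS). The design point is that the notify arrives on ISAKMP state #1 right after state #2 sends the Quick Mode proposal, so the failure is classified by phase from the state the log has already reached, not by the state number on the notify line; feeding it a pluto log from another connection (for example one that reaches "IPsec SA established") changes the verdict accordingly.</div>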