Hello, <br><div class="gmail_quote"><div><br></div><div>I am trying from a Linux box to set up IPsec to a Cisco ASA 5520. The Cisco is managed by a telco operator.</div><div><br></div><div><font size="4">My ipsec.conf is (based on the telco specs file I attach):</font></div>
<div><br></div><div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"># /etc/ipsec.conf - Openswan IPsec configuration file</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
#</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"># Manual:     ipsec.conf.5</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">#</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
# Please place your own config files in /etc/ipsec.d/ ending in .conf</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">version 2.0     # conforms to second version of ipsec.conf specification</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"># basic configuration</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">config setup</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        # Debug-logging controls:  &quot;none&quot; for (almost) none, &quot;all&quot; for lots.</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        # klipsdebug=none</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        # plutodebug=&quot;control parsing&quot;</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        interfaces=%defaultroute</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        klipsdebug=none</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        plutodebug=none</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        protostack=netkey</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        nat_traversal=no</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        #virtual_private=</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        #oe=off</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        # Enable this if you see &quot;failed to find any available worker&quot;</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        # nhelpers=0</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">conn cyta</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        type=tunnel</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        #Define your IKEI policy</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        authby=secret</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        pfs=no</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        ike=3des-sha1;modp1024</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        ikelifetime=&quot;86400&quot;</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        #Define IPSec policy</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        phase2=esp</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
        phase2alg=3des-sha1</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        #ah=hmac-sha1</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        keylife=&quot;3600&quot;</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        #ikev2=insist</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        # Left security Linux, (Linux side)</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        left= 198.101.222.60 #REAL IP LINUX SERVER</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        leftsubnet= <a href="http://198.101.222.0/24" target="_blank" style="color:rgb(17,85,204)">198.101.222.0/24</a> #Net address assigned to the other side</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        leftnexthop= 198.101.222.60 #Real IP Gateway</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        # Right security gateway, (ASA SIDE)</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        right= 212.31.96.133 # ASA IP</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        rightsubnet= <a href="http://212.31.96.0/24" target="_blank" style="color:rgb(17,85,204)">212.31.96.0/24</a> # Net address assigned to the other side</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        rightnexthop= 212.31.96.135 #Real IP Gateway</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        # Type of cryptography used on the VPN Tunnel</div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        #keyexchange= ike</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">        auto= start</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">#You may put your configuration (.conf) file in the &quot;/etc/ipsec.d/&quot; and uncomment this.</div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
#include /etc/ipsec.d/*.conf</div></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif">
<font size="4">The output I get is:</font></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: adding interface eth1/eth1 <a href="http://10.178.111.55:500/" target="_blank" style="color:rgb(17,85,204)">10.178.111.55:500</a></div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: adding interface eth0/eth0 <a href="http://198.101.222.60:500/" target="_blank" style="color:rgb(17,85,204)">198.101.222.60:500</a></div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: adding interface lo/lo <a href="http://127.0.0.1:500/" target="_blank" style="color:rgb(17,85,204)">127.0.0.1:500</a></div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: adding interface lo/lo ::1:500</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
Aug  5 17:35:20 apllo-i1 pluto[21371]: loading secrets from &quot;/etc/ipsec.secrets&quot;</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: initiating Main Mode</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: received Vendor ID payload [Cisco-Unity]</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: received Vendor ID payload [XAUTH]</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: ignoring unknown Vendor ID payload [07d0985db9d41de43dc9b2c01cd3102f]</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: received Vendor ID payload [Dead Peer Detection]</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: Main mode peer ID is ID_IPV4_ADDR: &#39;212.31.96.133&#39;</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:29f85155 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: received and ignored informational message</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: &quot;cyta&quot; #1: received Delete SA payload: deleting ISAKMP State #1</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Aug  5 17:35:20 apllo-i1 pluto[21371]: packet from <a href="http://212.31.96.133:500/" target="_blank" style="color:rgb(17,85,204)">212.31.96.133:500</a>: received and ignored informational message</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Can you please verify that I&#39;ve set the ipsec.conf file correctly? I believe so.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Can this &quot;INVALID_ID_INFORMATION&quot; error message be related to a bug issue?</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">
<br></div><div><font color="#222222" face="arial, sans-serif">I would much appreciate your input on this.</font></div><div><font color="#222222" face="arial, sans-serif"><br></font></div><div><font color="#222222" face="arial, sans-serif">Regards</font></div>
<div><font color="#222222" face="arial, sans-serif">Savilak </font></div></div></div>
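<div>Added example, not part of the original post: a small triage of the pluto log above that reports how far the IKEv1 exchange for a connection got. On the lines copied from the post it shows Phase 1 (Main Mode) completing and the peer's INVALID_ID_INFORMATION notify arriving only after Quick Mode starts, the exchange in which leftsubnet/rightsubnet are proposed to the peer. The function name <code>triage</code> and the "IPsec SA established" success marker are assumptions of this example.</div>

```python
import re

# Log lines copied from the pluto output in the post above.
LOG = """\
Aug  5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: initiating Main Mode
Aug  5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug  5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug  5 17:35:20 apllo-i1 pluto[21371]: "cyta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:29f85155 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Aug  5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Aug  5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Delete SA payload: deleting ISAKMP State #1
"""

# pluto[pid]: "connection" #state-number: message
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
NOTIFY = re.compile(r'informational payload, type (\w+)')

def triage(log, conn):
    """Summarise how far the IKEv1 negotiation for `conn` progressed."""
    r = {"phase1_up": False, "phase2_started": False, "phase2_up": False,
         "notifies": [], "peer_deleted_isakmp": False}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m or m["conn"] != conn:
            continue
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            r["phase1_up"] = True
        elif msg.startswith("initiating Quick Mode"):
            r["phase2_started"] = True
        elif "IPsec SA established" in msg:  # assumed Quick Mode success marker
            r["phase2_up"] = True
        elif "received Delete SA payload" in msg:
            r["peer_deleted_isakmp"] = True
        n = NOTIFY.search(msg)
        if n:  # notify type sent by the peer, e.g. INVALID_ID_INFORMATION
            r["notifies"].append(n.group(1))
    # The stage names the exchange that did not complete.
    if not r["phase1_up"]:
        r["stage"] = "phase1"
    elif r["phase2_up"]:
        r["stage"] = "established"
    else:
        r["stage"] = "phase2"
    return r

if __name__ == "__main__":
    print(triage(LOG, "cyta"))
```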