<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
mso-fareast-language:EN-US;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas","serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Courier New";
mso-fareast-language:EN-US;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 2.0cm 2.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="IT" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText"><span lang="EN-US">With %any in the secrets files it seems to work but still I can’t remove the right id from the conf file (I got the usual “but peer declares...” error).<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Well, it seems that this issue must be solved on the ASA (it should have a way to declare a peer ID different from its own private IP).<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Thanks for your help.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Best regards,<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Giovanni.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Nick Howitt [mailto:n1ck.h0w1tt@gmail.com]
<br>
<b>Sent:</b> Wednesday, August 7, 2013 11:24 PM<br>
<b>To:</b> Giovanni Carbone<br>
<b>Cc:</b> users@lists.openswan.org<br>
<b>Subject:</b> RE: [Openswan Users] NAT-T and rightid<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p><span style="font-family:"Arial","sans-serif"">You could try %any in the secrets file and perhaps remove the right id.<o:p></o:p></span></p>
<p><span style="font-family:"Arial","sans-serif"">On 2013-08-07 16:54, Giovanni Carbone wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #1010FF 1.5pt;padding:0cm 0cm 0cm 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt">
<pre>If I do that I get this error " Can't authenticate: no preshared key found for ‘A.A.A.A.’ and ‘192.168.1.1’ ".<o:p></o:p></pre>
<pre>Besides that I'd still have the ASA's private IP declared statically in the connection.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Giovanni.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>From: <a href="mailto:users-bounces@lists.openswan.org">users-bounces@lists.openswan.org</a> [mailto:<a href="mailto:users-bounces@lists.openswan.org">users-bounces@lists.openswan.org</a>] On Behalf Of Nick Howitt<o:p></o:p></pre>
<pre>Sent: Wednesday, August 7, 2013 4:57 PM<o:p></o:p></pre>
<pre>To: <a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><o:p></o:p></pre>
<pre>Subject: Re: [Openswan Users] NAT-T and rightid<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Change the secrets file back to B.B.B.B.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>On 2013-08-07 09:03, Giovanni Carbone wrote:<o:p></o:p></pre>
<pre>Hello,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Thanks for your reply, I tried to change the configuration like you suggested but it doesn't work, I got a "address family inconsistency in this/that connection" error.<o:p></o:p></pre>
<pre>So I'm going to give you more details on this configuration (I guess I should have did it since the beginning :) ).<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>This is my initial configuration (it's a lan-2-lan vpn with multiple subnets on both sides):<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>ciscoasa.conf file:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>conn CISCOASA<o:p></o:p></pre>
<pre> left=A.A.A.A<o:p></o:p></pre>
<pre> right=B.B.B.B<o:p></o:p></pre>
<pre> leftsubnets={subnet_a/mask subnet_b/mask}<o:p></o:p></pre>
<pre> rightsubnets={subnet_c/mask subnet_d/mask}<o:p></o:p></pre>
<pre> ...other stuff...<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>ciscoasa.secrets file:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>A.A.A.A B.B.B.B : PSK "sharedsecret"<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>With this configuration it doesn't work, the negotiation just fails with this error:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>003 "CISCOASA" #199593: we require peer to have ID 'B.B.B.B', but peer declares '192.168.1.1'<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Of course 192.168.1.1 is the ASA's the private IP (which is behind a natting firewall).<o:p></o:p></pre>
<pre>So, in order to make it work, I changed the configuration by adding the rightid parameter like this:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>conn CISCOASA<o:p></o:p></pre>
<pre> left=A.A.A.A<o:p></o:p></pre>
<pre> right=B.B.B.B<o:p></o:p></pre>
<pre> rightid=192.168.1.1<o:p></o:p></pre>
<pre> leftsubnets={subnet_a/mask subnet_b/mask}<o:p></o:p></pre>
<pre> rightsubnets={subnet_c/mask subnet_d/mask}<o:p></o:p></pre>
<pre> ...other stuff...<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>secrets file:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>A.A.A.A 192.168.1.1 : PSK "sharedsecret"<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Giovanni.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>From: Leto [mailto:<a href="mailto:letoams@gmail.com">letoams@gmail.com</a>] <o:p></o:p></pre>
<pre>Sent: Monday, August 5, 2013 8:25 PM<o:p></o:p></pre>
<pre>To: Giovanni Carbone<o:p></o:p></pre>
<pre>Cc: <a href="mailto:users@openswan.org">users@openswan.org</a><o:p></o:p></pre>
<pre>Subject: Re: [Openswan Users] NAT-T and rightid<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>you probably want something like rightsubnet=vhost:%priv<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>sent from a tiny device <o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>On 2013-08-05, at 15:10, Giovanni Carbone <<a href="mailto:G.Carbone@reitek.com">G.Carbone@reitek.com</a>> wrote:<o:p></o:p></pre>
<pre>Hi,<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>i’m having a little issue with a tunnel (PSK auth) with a Cisco ASA behind a nat. The tunnels goes up and everything works only if I set the rightid with the private IP of the ASA (I think it’s the way it is supposed to work).<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>The problem is the other end doesn’t want me to have one of their private IPs configured statically on my side; they may change it “anytime” and they don’t want to have to notify me of this change in order to keep up the tunnel (they say that they have many other tunnels working without having to deal with the ASA’s private IP on the other end).<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>So, is there a way to tell Openswan to work only with the ASA’s public IP?<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Giovanni.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Informativa Privacy - Ai sensi del D. Lgs n. 196/2003 (Codice Privacy) precisiamo che le informazioni contenute in questo messaggio sono riservate e a uso esclusivo del destinatario. Ogni uso, copia o distribuzione non autorizzata è proibita e passibile di sanzioni ai termini di legge. Reitek non è responsabile di eventuali copie o distribuzioni non autorizzate. Se questo messaggio è stato ricevuto per errore, preghiamo gentilmente di eliminarlo e di informare il mittente. Grazie. <o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><o:p></o:p></pre>
<pre><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><o:p></o:p></pre>
<pre>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><o:p></o:p></pre>
<pre>Building and Integrating Virtual Private Networks with Openswan:<o:p></o:p></pre>
<pre><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><o:p></o:p></pre>
<pre><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><o:p></o:p></pre>
<pre>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><o:p></o:p></pre>
<pre>Building and Integrating Virtual Private Networks with Openswan:<o:p></o:p></pre>
<pre><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></pre>
</blockquote>
</div>
</body>
</html>