[Openswan Users] Problem interacting with Cisco ASA - we require peer to have ID '<IP address>', but peer declares '@<peer FQDN>'
Dan Eriksson
dan.eriksson at q-free.com
Thu Jul 22 12:03:28 EDT 2010
Hi list,
I am having problems creating an IPSec tunnel to a Cisco ASA (the remote
end, over which I have no control). When I try to connect I receive the
following information:
Main mode peer ID is ID_FQDN: '@peerfqdn'
we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares
'@peerfqdn'
Error:
state transition function for STATE_MAIN_I3 failed:
INVALID_ID_INFORMATION
See attached log openswan.log for the whole log.
My configuration looks like this:
conn qfnet
        leftsubnet= 192.168.48.0/22
        also= qfno
conn qfno
        type= tunnel
        authby= secret
        keylife= 3600s
        left= aaa.bbb.ccc.ddd
        leftnexthop= %defaultroute
        right= ddd.ccc.bbb.aaa
        rightsubnet= 192.168.0.0/21
        auth= esp
        esp= 3des-md5;modp1024
        keyexchange= ike
        ike= 3des-md5-modp1024
        ikelifetime= 86400s
        pfs= no
        auto= start
"peerfqdn" is not an address that is resolvable from my side, it seems
like it is only internal.
I found information about using "rightid", which seems to have solved
the problem for a lot of people, so I tried it as well. Configuration:
conn qfnet
        leftsubnet= 192.168.48.0/22
        also= qfno
conn qfno
        type= tunnel
        authby= secret
        keylife= 3600s
        left= aaa.bbb.ccc.ddd
        leftnexthop= %defaultroute
        right= ddd.ccc.bbb.aaa
        rightid= @peerfqdn
        rightsubnet= 192.168.0.0/21
        auth= esp
        esp= 3des-md5;modp1024
        keyexchange= ike
        ike= 3des-md5-modp1024
        ikelifetime= 86400s
        pfs= no
        auto= start
I also made the appropriate changes in ipsec.secrets:
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"
I let the previous PSK stay in the file as well:
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"
I have also tried the following combination:
aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"
without success.
But now when I try to connect it can't find the appropriate PSK:
Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and
`@peerfqdn'. Attribute OAKLEY_AUTHENTICATION_METHO
STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
See the attached log file nopsk.log for the whole log.
Does anyone have any idea what I am doing wrong?
Thanks in advance for any help!
Best regards,
Dan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan.log
Type: text/x-log
Size: 44457 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20100722/0b3168d3/attachment-0002.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: psk.log
Type: text/x-log
Size: 20124 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20100722/0b3168d3/attachment-0003.bin
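As an added illustration for this thread (it is not part of Dan's post and not Openswan's own code): a small Python script that reads ipsec.secrets-style index lines and reports which entries cover the (local ID, peer ID) pair a connection will look up, so that a "no preshared key found for X and Y" message can be checked against the file offline. It assumes two things that are simplifications: the expected peer ID is rightid when set and otherwise the right address (which is what the two log excerpts in the post show), and an entry matches when both IDs appear among its selectors, %any matching anything, or when it has no selectors at all. That is an approximation of pluto's PSK selection, not its exact algorithm. The sample secrets file, the conn dictionaries and all PSK values are constructed from the placeholder addresses in the post.

```python
"""Offline check of which ipsec.secrets entries cover a connection's ID pair.

Added example for this thread, not Openswan's code.  The matching rule is a
simplified assumption about PSK selection, not pluto's exact algorithm: an
entry matches when both the local ID and the peer ID appear among its
selectors (%any matches anything), or when it has no selectors at all.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample file using the placeholder addresses from the post.
SAMPLE_SECRETS = """\
# constructed ipsec.secrets sample; PSK values are placeholders
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"
aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"
%any %any : PSK "fallback-only"
"""


@dataclass(frozen=True)
class SecretEntry:
    lineno: int
    selectors: Tuple[str, ...]   # IDs before the ':'; empty tuple = wildcard
    kind: str                    # e.g. PSK, RSA
    value: str                   # secret with surrounding quotes removed


# 'id1 id2 ... : KIND value'; IDs must not contain ':' (IPv4, @fqdn, e-mail)
_ENTRY_RE = re.compile(r'^(?P<ids>[^:]*?)\s*:\s*(?P<kind>[A-Za-z]+)\s+(?P<val>.+)$')


def parse_secrets(text: str) -> List[SecretEntry]:
    """Parse single-line index entries; IPv6 IDs would need a smarter split."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {raw!r}")
        val = m.group('val').strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        entries.append(SecretEntry(lineno, tuple(m.group('ids').split()),
                                   m.group('kind').upper(), val))
    return entries


def expected_peer_id(conn: dict) -> str:
    """ID demanded from the peer: rightid if set, otherwise the right address.

    Assumption taken from the post's logs: without rightid the expected ID is
    'ddd.ccc.bbb.aaa'; with rightid=@peerfqdn it becomes '@peerfqdn'.
    """
    return conn.get('rightid') or conn['right']


def local_id(conn: dict) -> str:
    """Our own ID: leftid if set, otherwise the left address (same assumption)."""
    return conn.get('leftid') or conn['left']


def _selector_matches(selector: str, ident: str) -> bool:
    return selector == '%any' or selector == ident


def covering_entries(entries, my_id, his_id, kind='PSK'):
    """Return entries of the given kind whose selectors cover (my_id, his_id)."""
    hits = []
    for e in entries:
        if e.kind != kind:
            continue
        if not e.selectors:            # no selectors at all: wildcard entry
            hits.append(e)
            continue
        me = any(_selector_matches(s, my_id) for s in e.selectors)
        him = any(_selector_matches(s, his_id) for s in e.selectors)
        if me and him:
            hits.append(e)
    return hits


def psk_lookup_report(secrets_text: str, conn: dict):
    """(local ID, peer ID, line numbers of covering PSK entries) for a conn."""
    my_id, his_id = local_id(conn), expected_peer_id(conn)
    hits = covering_entries(parse_secrets(secrets_text), my_id, his_id)
    return my_id, his_id, [e.lineno for e in hits]


if __name__ == '__main__':
    # Constructed conns mirroring the two configurations in the post.
    conn_without = {'left': 'aaa.bbb.ccc.ddd', 'right': 'ddd.ccc.bbb.aaa'}
    conn_with = dict(conn_without, rightid='@peerfqdn')
    for conn in (conn_without, conn_with):
        me, him, lines = psk_lookup_report(SAMPLE_SECRETS, conn)
        status = f"covered by line(s) {lines}" if lines else "NO PSK FOUND"
        print(f"lookup for {me!r} and {him!r}: {status}")
```

Run against a copy of the real file, the script shows whether the pair quoted in the "no preshared key found" message is covered by any line under this simplified rule; a pair that is covered here but still rejected by pluto points at something the rule does not model (the conn's actual leftid, a parse problem in the file, or stale secrets not reloaded with ipsec secrets).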