[Openswan Users] Problem interacting with Cisco ASA - we require peer to have ID '<IP address>', but peer declares '@<peer FQDN>'

Avesh Agarwal avagarwa at redhat.com
Thu Jul 22 12:23:30 EDT 2010


On 07/22/2010 12:03 PM, Dan Eriksson wrote:
> Hi list,
>
> I am having problems creating an IPSec tunnel to a Cisco ASA (remote end
> which I have no control over), when I try to connect I receive the
> following information,
>
> Main mode peer ID is ID_FQDN: '@peerfqdn'
> we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares
> '@peerfqdn'
>
> Error:
> state transition function for STATE_MAIN_I3 failed:
> INVALID_ID_INFORMATION
>
> See attached log openswan.log for the whole log.
>
> My configuration looks like this,
>
> conn qfnet
>          leftsubnet=     192.168.48.0/22
>          also=           qfno
>
> conn qfno
>          type=           tunnel
>          authby=         secret
>          keylife=        3600s
>          left=           aaa.bbb.ccc.ddd
>          leftnexthop=    %defaultroute
>          right=          ddd.ccc.bbb.aaa
>          rightsubnet=    192.168.0.0/21
>          auth=           esp
>          esp=            3des-md5;modp1024
>          keyexchange=    ike
>          ike=            3des-md5-modp1024
>          ikelifetime=    86400s
>          pfs=            no
>          auto=           start
>
> "peerfqdn" is not an address that is resolvable from my side, it seems
> like it is only internal.
>
> I found information about using "rightid", which seems to have solved
> the problem for a lot of people, so I tried it as well, configuration,
>
> conn qfnet
>          leftsubnet=     192.168.48.0/22
>          also=           qfno
>
> conn qfno
>          type=           tunnel
>          authby=         secret
>          keylife=        3600s
>          left=           aaa.bbb.ccc.ddd
>          leftnexthop=    %defaultroute
>          right=          ddd.ccc.bbb.aaa
>          rightid=        @peerfqdn
>          rightsubnet=    192.168.0.0/21
>          auth=           esp
>          esp=            3des-md5;modp1024
>          keyexchange=    ike
>          ike=            3des-md5-modp1024
>          ikelifetime=    86400s
>          pfs=            no
>          auto=           start
>
>
> I also made the appropriate changes in ipsec.secrets,
>
> aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"
>
One way may be to try the following:

@peerfqdn : PSK "mysupersecret"

And see how it goes.

Avesh

> I let the previous PSK stay in the file as well,
>
> aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"
>
> I have also tried the following combination,
> aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"
>
> without success.
>
> But now when I try to connect it can't find the appropriate PSK,
>
> Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and
> `@peerfqdn'.  Attribute OAKLEY_AUTHENTICATION_METHO
> STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
>
> See log file, nopsk.log, for the whole file.
>
> Does anyone have any idea what I am doing wrong?
>
> Thanks in advance for any help!
>
> Best regards,
> Dan
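The two pluto messages quoted in this thread point at the same thing: once the peer identifies itself as an FQDN ID, both the conn's rightid= and the index list of the ipsec.secrets entry must name that ID, not the peer's IP address. The following Python diagnostic is an added example (not Openswan code and not from either poster). It parses the two log lines as Dan posted them, flattens the conn section of ipsec.conf (following also=) and reports where the IDs disagree. The sample log, conn and secrets below are constructed from the thread's placeholders (aaa.bbb.ccc.ddd, ddd.ccc.bbb.aaa, @peerfqdn). The secrets check only verifies that the declared ID appears in an entry's index list, which is a necessary condition for the lookup; it is not a re-implementation of pluto's full best-match rules, and it handles IPv4 indices only, since an IPv6 index contains colons.

```python
"""Added diagnostic for the Openswan ID / PSK mismatch in this thread (example
code, not part of Openswan).  Assumptions: rightid= defaults to right=, and a
PSK entry can only match a peer whose ID is in its index list."""
import re

MISMATCH_RE = re.compile(
    r"we require peer to have ID '([^']+)', but peer declares\s*'([^']+)'")
NOPSK_RE = re.compile(r"no preshared key found for `([^']+)' and\s*`([^']+)'")
SECRET_RE = re.compile(r'^\s*([^:]*?)\s*:\s*PSK\s+"([^"]*)"')

# Constructed sample data, taken from the messages and config quoted in the thread.
LOG_MISMATCH = """Main mode peer ID is ID_FQDN: '@peerfqdn'
we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares
'@peerfqdn'
state transition function for STATE_MAIN_I3 failed: INVALID_ID_INFORMATION"""
LOG_NOPSK = """Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and
`@peerfqdn'."""
CONF = """conn qfnet
         leftsubnet=     192.168.48.0/22
         also=           qfno

conn qfno
         authby=         secret
         left=           aaa.bbb.ccc.ddd
         right=          ddd.ccc.bbb.aaa
         rightsubnet=    192.168.0.0/21
"""
CONF_FIXED = CONF.replace("         rightsubnet=", "         rightid=        @peerfqdn\n         rightsubnet=")
SECRETS_ORIG = 'aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"'
SECRETS_FIXED = 'aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"'


def peer_id_mismatch(log_text):
    """(required_id, declared_id) from the INVALID_ID_INFORMATION message, or None."""
    m = MISMATCH_RE.search(" ".join(log_text.split()))  # message may wrap in the mail
    return (m.group(1), m.group(2)) if m else None


def psk_lookup_ids(log_text):
    """(local_id, peer_id) pluto used for the failed PSK lookup, or None."""
    m = NOPSK_RE.search(" ".join(log_text.split()))
    return (m.group(1), m.group(2)) if m else None


def conn_settings(conf_text, name):
    """Flatten one conn section; keys set directly win over keys pulled in by also=."""
    sections, cur = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            sections[cur] = {}
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            sections[cur][k.strip()] = v.strip()
    settings, seen = {}, set()

    def visit(n):
        if n in seen:  # guard against also= loops
            return
        seen.add(n)
        for k, v in sections.get(n, {}).items():
            if k == "also":
                visit(v)
            else:
                settings.setdefault(k, v)

    visit(name)
    return settings


def secrets_naming(secrets_text, peer_id):
    """Index lists of the PSK entries that name peer_id (IPv4 / FQDN indices only)."""
    hits = []
    for raw in secrets_text.splitlines():
        m = SECRET_RE.match(raw.split("#", 1)[0])
        if m and peer_id in m.group(1).split():
            hits.append(m.group(1).split())
    return hits


def diagnose(log_text, conf_text, conn, secrets_text):
    """Return a list of findings; an empty list means IDs and PSK index lists line up."""
    findings, s = [], conn_settings(conf_text, conn)
    expected = s.get("rightid", s.get("right"))  # without rightid= pluto expects the peer IP
    peer_id, mm, lk = None, peer_id_mismatch(log_text), psk_lookup_ids(log_text)
    if mm:
        required, peer_id = mm
        if expected != peer_id:
            findings.append(f"conn {conn}: pluto expects peer ID '{required}' but the peer "
                            f"sends '{peer_id}'; set rightid={peer_id}")
    if lk:
        peer_id = lk[1]
    if peer_id and not secrets_naming(secrets_text, peer_id):
        findings.append(f"ipsec.secrets: no PSK entry lists '{peer_id}'; the lookup is keyed "
                        f"on the declared ID, not on right={s.get('right')}")
    return findings


if __name__ == "__main__":
    for f in diagnose(LOG_MISMATCH, CONF, "qfnet", SECRETS_ORIG):
        print("-", f)
    print("fixed:", diagnose(LOG_MISMATCH, CONF_FIXED, "qfnet", SECRETS_FIXED))
```

Run against the first configuration it reports both the missing rightid= and the secrets entry that only names the two IP addresses; with rightid=@peerfqdn and a secrets line that lists @peerfqdn in its index list it reports nothing. After editing ipsec.secrets, remember that pluto reads the file at start and on `ipsec secrets`, so a stale copy in memory gives the same "no preshared key found" message.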
