[Openswan Users] Problem interacting with Cisco ASA - we require peer to have ID '<IP address>', but peer declares '@<peer FQDN>'
Pascal at financial-art.be
Thu Jul 22 12:53:01 EDT 2010
One question: do you use KLIPS or NETKEY?
Anyway, I've got a lot of working systems connected to ASA.
You should not change the secret. The secret must stay with the IP addresses only.
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa: PSK "MySuperKey"
Here is a sample working config:
In the ASA:
access-list WavreTunnel extended permit ip ddd.ccc.bbb.0 255.255.255.0 aaa.bbb.ccc.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CanadaWavre 20 match address WavreTunnel
crypto map CanadaWavre 20 set peer aaa.bbb.ccc.ddd
crypto map CanadaWavre 20 set transform-set ESP-3DES-SHA
crypto map CanadaWavre interface outside
crypto isakmp enable outside
crypto isakmp policy 10
tunnel-group aaa.bbb.ccc.ddd type ipsec-l2l
tunnel-group aaa.bbb.ccc.ddd ipsec-attributes
 pre-shared-key MySuperKey
On 22 Jul 2010, at 18:03, Dan Eriksson wrote:
I am having problems creating an IPsec tunnel to a Cisco ASA (the remote end,
which I have no control over). When I try to connect I receive the
Main mode peer ID is ID_FQDN: '@peerfqdn'
we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares
state transition function for STATE_MAIN_I3 failed:
See attached log openswan.log for the whole log.
My configuration looks like this,
"peerfqdn" is not an address that is resolvable from my side, it seems
like it is only internal.
I found information about using "rightid", which seems to have solved
the problem for a lot of people, so I tried it as well, configuration,
I also made the appropriate changes in ipsec.secrets,
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"
I let the previous PSK stay in the file as well,
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"
I have also tried the following combination,
aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"
But now when I try to connect it can't find the appropriate PSK,
Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and
`@peerfqdn'. Attribute OAKLEY_AUTHENTICATION_METHO
STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
See log file, nopsk.log, for the whole file.
Does anyone have any idea what I am doing wrong?
Thanks in advance for any help!
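As an added example (not code from either poster or from the Openswan project), here is the Openswan side that corresponds to Pascal's ASA fragment and to his advice: the conn carries rightid for the FQDN identity the ASA sends in Main Mode, while the PSK in ipsec.secrets stays keyed on the two IP addresses only. The conn name, the address placeholders, the IKE proposal and the pfs setting are assumptions chosen to fit the fragment above; the IKE proposal in particular is a guess, since the body of the ASA's "crypto isakmp policy 10" is not shown.

```conf
# /etc/ipsec.conf on the Openswan gateway (added example; addresses are the
# placeholders used in the thread, the conn name is made up)
conn asa-wavre
    type=tunnel
    authby=secret                 # PSK authentication, as on the ASA tunnel-group
    left=aaa.bbb.ccc.ddd          # this Openswan gateway (the ASA's "set peer")
    leftsubnet=aaa.bbb.ccc.0/24   # must mirror the ASA access-list WavreTunnel
    right=ddd.ccc.bbb.aaa         # the ASA outside interface
    rightsubnet=ddd.ccc.bbb.0/24
    rightid=@peerfqdn             # the ID_FQDN the ASA declares in Main Mode;
                                  # without this Openswan expects the peer's IP
    ike=3des-sha1;modp1024        # assumption: matches an ASA policy using
                                  # 3des / sha / group 2
    phase2alg=3des-sha1           # matches transform-set ESP-3DES-SHA on the ASA
    pfs=no                        # assumption: the ASA crypto map shown sets no
                                  # PFS group, and Openswan defaults to pfs=yes
    auto=start

# /etc/ipsec.secrets
# Keep the PSK keyed on the two IP addresses only, as Pascal advises.
# Do not add @peerfqdn as a selector here.
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "MySuperKey"
```

After editing ipsec.secrets run `ipsec auto --rereadsecrets`, then `ipsec auto --replace asa-wavre` and `ipsec auto --up asa-wavre`. In the pluto log the "Main mode peer ID is ID_FQDN: '@peerfqdn'" line should now be followed by STATE_MAIN_I4 (ISAKMP SA established) instead of the "we require peer to have ID" complaint. Note that rightid only tells Openswan which identity to expect; with authby=secret it is the PSK, not the FQDN, that authenticates the ASA, so the key needs the same care as any shared credential. 3DES is used here only because the ASA side's transform set requires it; if the remote administrator can change it, an AES transform set and a matching phase2alg are preferable.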