[Openswan Users] [SPAM-HEADER -] - Problem interacting with Cisco ASA - we require peer to have ID '<IP address>', but peer declares '@<peer FQDN>'

Pascal Fuks Pascal at financial-art.be
Thu Jul 22 12:53:01 EDT 2010


Hello,
One question: do you use KLIPS or NETKEY?
Anyway, I've got a lot of working systems connected to ASAs.
You should not change the secret. The secret must stay with the IP addresses only:
aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa: PSK "MySuperKey"



Here is a sample working config:

conn Canada
   authby=secret
   pfs=no
   auto=start
   keyingtries=3
   disablearrivalcheck=no
   keyexchange=ike
   ikelifetime=240m
   type=tunnel
   auth=esp
   compress=no
   keylife=60m
   left=aaa.bbb.ccc.ddd
   leftsubnet=172.16.0.0/23
   leftnexthop=aaa.bbb.ccc.gwip
   right=ddd.ccc.bbb.aaa
   rightsubnet=172.16.30.0/24
   rightnexthop=ddd.ccc.bbb.gw2ip


In the ASA:
! The interesting-traffic ACL must mirror the conn's subnet pair exactly:
! ASA-local 172.16.30.0/24 (rightsubnet) to the Openswan side's 172.16.0.0/23 (leftsubnet).
access-list WavreTunnel extended permit ip 172.16.30.0 255.255.255.0 172.16.0.0 255.255.254.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! "match address" takes the name of the ACL above, not an IP address.
crypto map CanadaWavre 20 match address WavreTunnel
crypto map CanadaWavre 20 set peer aaa.bbb.ccc.ddd
crypto map CanadaWavre 20 set transform-set ESP-3DES-SHA
crypto map CanadaWavre interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group aaa.bbb.ccc.ddd type ipsec-l2l
tunnel-group aaa.bbb.ccc.ddd ipsec-attributes
 pre-shared-key MySuperKey

On 22 Jul 2010, at 18:03, Dan Eriksson wrote:

Hi list,

I am having problems creating an IPsec tunnel to a Cisco ASA (the remote
end, which I have no control over). When I try to connect I receive the
following information:

Main mode peer ID is ID_FQDN: '@peerfqdn'
we require peer to have ID 'ddd.ccc.bbb.aaa', but peer declares
'@peerfqdn'

Error:
state transition function for STATE_MAIN_I3 failed:
INVALID_ID_INFORMATION

See attached log openswan.log for the whole log.

My configuration looks like this:

conn qfnet
       leftsubnet=     192.168.48.0/22
       also=           qfno

conn qfno
       type=           tunnel
       authby=         secret
       keylife=        3600s
       left=           aaa.bbb.ccc.ddd
       leftnexthop=    %defaultroute
       right=          ddd.ccc.bbb.aaa
       rightsubnet=    192.168.0.0/21
       auth=           esp
       esp=            3des-md5;modp1024
       keyexchange=    ike
       ike=            3des-md5-modp1024
       ikelifetime=    86400s
       pfs=            no
       auto=           start

"peerfqdn" is not an address that is resolvable from my side, it seems
like it is only internal.

I found information about using "rightid", which seems to have solved
the problem for a lot of people, so I tried it as well. Configuration:

conn qfnet
       leftsubnet=     192.168.48.0/22
       also=           qfno

conn qfno
       type=           tunnel
       authby=         secret
       keylife=        3600s
       left=           aaa.bbb.ccc.ddd
       leftnexthop=    %defaultroute
       right=          ddd.ccc.bbb.aaa
       rightid=        @peerfqdn
       rightsubnet=    192.168.0.0/21
       auth=           esp
       esp=            3des-md5;modp1024
       keyexchange=    ike
       ike=            3des-md5-modp1024
       ikelifetime=    86400s
       pfs=            no
       auto=           start


I also made the appropriate changes in ipsec.secrets:

aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa @peerfqdn : PSK "mysupersecret"

I let the previous PSK stay in the file as well:

aaa.bbb.ccc.ddd ddd.ccc.bbb.aaa : PSK "mysupersecret"

I have also tried the following combination:
aaa.bbb.ccc.ddd @peerfqdn : PSK "mysupersecret"

without success.

But now when I try to connect it can't find the appropriate PSK:

Can't authenticate: no preshared key found for `aaa.bbb.ccc.ddd' and
`@peerfqdn'.  Attribute OAKLEY_AUTHENTICATION_METHO
STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN

See the log file nopsk.log for the whole log.

Does anyone have any idea what I am doing wrong?

Thanks in advance for any help!

Best regards,
Dan
<openswan.log><psk.log>

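Added example (not part of the thread and not Openswan's code): a small Python model of how pluto picks a PSK out of ipsec.secrets, written to show what the two errors above are complaining about. It assumes the matching rules of pluto's secret lookup as the example's author understands them (treat that as an assumption and check it against the secrets.c of the version you run): a secrets line is a list of IDs, a colon, the key type and the key; the PSK is looked up by the pair (our ID, peer ID), where each side's ID defaults to the address in left=/right= unless leftid=/rightid= overrides it; an ID written @name is an ID_FQDN and never compares equal to an address; a line with no IDs is a default for anyone; and among usable lines the most specific wins, the first in the file winning ties. This is also why Pascal's address-only line is the natural layout for main mode with a PSK: the ID payloads travel in messages 5 and 6, encrypted with keys derived from the PSK, so a responder must already have chosen the PSK from the peer's address before it can see any FQDN. The addresses below are RFC 5737 documentation addresses standing in for the thread's placeholders, the secrets files are constructed, and conn_ids(), lookup_psk() and demo() are names invented for this example.

```python
"""Toy model of pluto's PSK lookup in ipsec.secrets (added example, not Openswan code).

Assumed rules (check against your pluto's secrets.c): a line is
'<id> <id> ... : PSK "key"' and no IDs means a default line; the lookup key
is (our ID, peer ID), each defaulting to left=/right= unless leftid=/rightid=
is set; '@name' is an ID_FQDN and never equals an address; a PSK line is
usable only as a default, as our ID alone, or as both IDs; the most specific
usable line wins and the first line wins ties. IPv4 and @fqdn IDs only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH_DEFAULT = 0o1  # line lists no IDs: a default for anyone
MATCH_ME = 0o2       # line names our ID
MATCH_HIM = 0o4      # line names the peer's ID
USABLE = {MATCH_DEFAULT, MATCH_ME | MATCH_DEFAULT, MATCH_ME | MATCH_HIM}


@dataclass
class PskLine:
    ids: List[str]
    psk: str


_LINE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_secrets(text: str) -> List[PskLine]:
    """Parse PSK lines in file order; blank lines and # comments are skipped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = _LINE.match(raw)
        if m is None:
            raise ValueError(f'unparsed ipsec.secrets line: {raw!r}')
        out.append(PskLine(ids=m.group('ids').split(), psk=m.group('psk')))
    return out


def id_kind(ident: str) -> str:
    return 'ID_FQDN' if ident.startswith('@') else 'ID_IPV4_ADDR'


def same_id(a: str, b: str) -> bool:
    # The ID type is part of the identity: '@198.51.100.1' is an FQDN, not an address.
    return id_kind(a) == id_kind(b) and a == b


def conn_ids(left: str, right: str, leftid: Optional[str] = None,
             rightid: Optional[str] = None) -> Tuple[str, str]:
    """The (our ID, peer ID) pair the PSK is looked up with for a conn."""
    return (leftid or left, rightid or right)


def lookup_psk(secrets: List[PskLine], my_id: str, his_id: str) -> Tuple[Optional[str], List[str]]:
    """Return (psk or None, warnings) for the given ID pair."""
    best: Optional[PskLine] = None
    best_match = 0
    warnings: List[str] = []
    for s in secrets:
        if not s.ids:
            match = MATCH_DEFAULT
        else:
            match = 0
            for i in s.ids:
                if same_id(my_id, i):
                    match |= MATCH_ME
                if same_id(his_id, i):
                    match |= MATCH_HIM
            # A line naming only our side, and nothing else, applies to any peer.
            if match == MATCH_ME and len(s.ids) == 1:
                match |= MATCH_DEFAULT
        if match not in USABLE:
            continue  # e.g. our address plus some other peer's ID: not our PSK
        if best is not None and match == best_match:
            if s.psk != best.psk:
                warnings.append('multiple ipsec.secrets entries with distinct '
                                'secrets match endpoints: first secret used')
        elif match > best_match:
            best, best_match = s, match
    return (best.psk if best is not None else None), warnings


# Constructed ipsec.secrets contents. 192.0.2.1 stands in for the thread's
# aaa.bbb.ccc.ddd (left, the Openswan box) and 198.51.100.1 for ddd.ccc.bbb.aaa.
SECRETS_IP_ONLY = '192.0.2.1 198.51.100.1 : PSK "MySuperKey"\n'
SECRETS_WITH_FQDN = ('192.0.2.1 198.51.100.1 @peerfqdn : PSK "mysupersecret"\n'
                     '192.0.2.1 198.51.100.1 : PSK "mysupersecret"\n')
SECRETS_WITH_DEFAULT = SECRETS_IP_ONLY + ': PSK "fallback"\n'
SECRETS_AMBIGUOUS = ('192.0.2.1 198.51.100.1 : PSK "one"\n'
                     '192.0.2.1 198.51.100.1 : PSK "two"\n')


def demo() -> dict:
    """Run the thread's two conn layouts through the model."""
    by_ip = conn_ids('192.0.2.1', '198.51.100.1')                         # no rightid
    by_fqdn = conn_ids('192.0.2.1', '198.51.100.1', rightid='@peerfqdn')  # rightid set
    return {
        # Address-only line looked up by addresses: the explicit match.
        'ip_only/by_ip': lookup_psk(parse_secrets(SECRETS_IP_ONLY), *by_ip)[0],
        # rightid=@peerfqdn makes the key (address, ID_FQDN); the address-only
        # line now matches our side only, which is "no preshared key found".
        'ip_only/by_fqdn': lookup_psk(parse_secrets(SECRETS_IP_ONLY), *by_fqdn)[0],
        # A line that also names the FQDN is an explicit match for that key.
        'fqdn_line/by_fqdn': lookup_psk(parse_secrets(SECRETS_WITH_FQDN), *by_fqdn)[0],
        # A default line catches whatever the explicit lines do not.
        'default/by_fqdn': lookup_psk(parse_secrets(SECRETS_WITH_DEFAULT), *by_fqdn)[0],
        'default/by_ip': lookup_psk(parse_secrets(SECRETS_WITH_DEFAULT), *by_ip)[0],
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k:20} -> {v!r}')
    print(lookup_psk(parse_secrets(SECRETS_AMBIGUOUS), '192.0.2.1', '198.51.100.1'))
```

Under this model a line that lists the FQDN next to the two addresses is a usable match for the pair (aaa.bbb.ccc.ddd, @peerfqdn), so if pluto still reports no key for that pair after the file was edited, the first things to check are whether the running pluto has re-read the file (ipsec auto --rereadsecrets) and whether the new line parses at all. The other half of the problem is out of the Openswan admin's hands: which ID type the ASA sends is chosen by its crypto isakmp identity setting, so an ID_FQDN in the log means the remote administrator configured it that way.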