[Openswan Users] NAT-T and rightid

Giovanni Carbone G.Carbone at reitek.com
Thu Aug 8 09:05:40 UTC 2013


With %any in the secrets files it seems to work but still I can’t remove the right id from the conf file (I got the usual “but peer declares...” error).



Well, it seems that this issue must be solved on the ASA (it should have a way to declare a peer ID different from its own private IP).

Thanks for your help.



Best regards,



Giovanni.


From: Nick Howitt [mailto:n1ck.h0w1tt at gmail.com]
Sent: Wednesday, August 7, 2013 11:24 PM
To: Giovanni Carbone
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] NAT-T and rightid


You could try %any in the secrets file and perhaps remove the right id.

On 2013-08-07 16:54, Giovanni Carbone wrote:

If I do that I get this error " Can't authenticate: no preshared key found for ‘A.A.A.A.’ and ‘192.168.1.1’ ".

Besides that I'd still have the ASA's private IP declared statically in the connection.



Best regards,



Giovanni.







From: users-bounces at lists.openswan.org<mailto:users-bounces at lists.openswan.org> [mailto:users-bounces at lists.openswan.org<mailto:users-bounces at lists.openswan.org>] On Behalf Of Nick Howitt

Sent: Wednesday, August 7, 2013 4:57 PM

To: users at lists.openswan.org<mailto:users at lists.openswan.org>

Subject: Re: [Openswan Users] NAT-T and rightid



Change the secrets file back to B.B.B.B.



On 2013-08-07 09:03, Giovanni Carbone wrote:

Hello,



Thanks for your reply, I tried to change the configuration like you suggested but it doesn't work, I got a "address family inconsistency in this/that connection" error.

So I'm going to give you more details on this configuration (I guess I should have did it since the beginning :) ).



This is my initial configuration (it's a lan-2-lan vpn with multiple subnets on both sides):



ciscoasa.conf file:



conn CISCOASA

      left=A.A.A.A

      right=B.B.B.B

      leftsubnets={subnet_a/mask subnet_b/mask}

      rightsubnets={subnet_c/mask subnet_d/mask}

      ...other stuff...



ciscoasa.secrets file:



A.A.A.A B.B.B.B : PSK "sharedsecret"



With this configuration it doesn't work, the negotiation just fails with this error:



003 "CISCOASA" #199593: we require peer to have ID 'B.B.B.B', but peer declares '192.168.1.1'



Of course 192.168.1.1 is the ASA's the private IP (which is behind a natting firewall).

So, in order to make it work, I changed the configuration by adding the rightid parameter like this:



conn CISCOASA

      left=A.A.A.A

      right=B.B.B.B

      rightid=192.168.1.1

      leftsubnets={subnet_a/mask subnet_b/mask}

      rightsubnets={subnet_c/mask subnet_d/mask}

      ...other stuff...



secrets file:



A.A.A.A 192.168.1.1 : PSK "sharedsecret"





Best regards,



Giovanni.







From: Leto [mailto:letoams at gmail.com<mailto:letoams at gmail.com>]

Sent: Monday, August 5, 2013 8:25 PM

To: Giovanni Carbone

Cc: users at openswan.org<mailto:users at openswan.org>

Subject: Re: [Openswan Users] NAT-T and rightid



you probably want something like rightsubnet=vhost:%priv



sent from a tiny device



On 2013-08-05, at 15:10, Giovanni Carbone <G.Carbone at reitek.com<mailto:G.Carbone at reitek.com>> wrote:

Hi,



i’m having a little issue with a tunnel (PSK auth) with a Cisco ASA behind a nat. The tunnels goes up and everything works only if I set the rightid with the private IP of the ASA (I think it’s the way it is supposed to work).



The problem is the other end doesn’t want me to have one of their private IPs configured statically on my side; they may change it “anytime” and they don’t want to have to notify me of this change in order to keep up the tunnel (they say that they have many other tunnels working without having to deal with the ASA’s private IP on the other end).



So, is there a way to tell Openswan to work only with the ASA’s public IP?



Best regards,



Giovanni.









Informativa Privacy - Ai sensi del D. Lgs n. 196/2003 (Codice Privacy) precisiamo che le informazioni contenute in questo messaggio sono riservate e a uso esclusivo del destinatario. Ogni uso, copia o distribuzione non autorizzata è proibita e passibile di sanzioni ai termini di legge. Reitek non è responsabile di eventuali copie o distribuzioni non autorizzate. Se questo messaggio è stato ricevuto per errore, preghiamo gentilmente di eliminarlo e di informare il mittente. Grazie.

_______________________________________________

Users at lists.openswan.org<mailto:Users at lists.openswan.org>

https://lists.openswan.org/mailman/listinfo/users

Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy

Building and Integrating Virtual Private Networks with Openswan:

http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

_______________________________________________

Users at lists.openswan.org<mailto:Users at lists.openswan.org>

https://lists.openswan.org/mailman/listinfo/users

Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy

Building and Integrating Virtual Private Networks with Openswan:

http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130808/e7eb10a5/attachment.html>


More information about the Users mailing list