[strongSwan-dev] Cisco Tunnel Group

William Bloom william.bloom at kinetx.com
Wed Jun 30 04:38:38 CEST 2010

I've configured a StrongSwan client in my lab with a 'conn' ipsec.conf  
section containing...


...for establishment of a tunnel to a Cisco ASA.  I've specified  
ikeversion=ikev1 and, for now, authby=psk.

Soon after negotiation begins (a few IKE messaged are exchanged), a  
message appears in the ASA log reporting that the incoming connection  
is for group '' (my client's IP address) and the negotiation  
is then aborted since the tunnel group is named 'TunnelGroupSiteA'  
rather than ''.

My reading of the wiki page that describes the ipsec.conf 'conn'  
section is that the value of 'leftid' is, by default, taken to be the  
same as the value of 'left' but that a 'leftid' assignment in the  
'conn' section will be used instead if specified.

However, in this case, it appears that my 'leftid' specification is  
being ignored.  Searching the web, I see that others have had success  
by creating a tunnel group on the ASA that has a name that is  
identical to the 'left' value (an IP address), but I do not have that  
flexibility since the production deployment will ultimately need to  
accommodate a large number of clients.  The management overhead of  
configuring a tunnel for each would be unacceptable to the customer  
(and I wouldn't blame them, for that matter).

One forum posting I saw claimed that I need to specify the hex value  
of the tunnel group name ala...


...but this doesn't solve the problem.  What's the correct solution  
for this?  How do I get StrongSwan to use the 'leftid' value as the  
ASA tunnel group ID?

William Bloom
williambloom at mac.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20100629/4bc28c89/attachment.html>

More information about the Dev mailing list