[strongSwan-dev] Cisco Tunnel Group
William Bloom
william.bloom at kinetx.com
Wed Jun 30 04:38:38 CEST 2010
I've configured a StrongSwan client in my lab with a 'conn' ipsec.conf
section containing...
...
left=%defaultroute
leftid=@TunnelGroupSiteA
...
...for establishment of a tunnel to a Cisco ASA. I've specified
ikeversion=ikev1 and, for now, authby=psk.
Soon after negotiation begins (a few IKE messaged are exchanged), a
message appears in the ASA log reporting that the incoming connection
is for group '172.16.1.2' (my client's IP address) and the negotiation
is then aborted since the tunnel group is named 'TunnelGroupSiteA'
rather than '172.16.1.2'.
My reading of the wiki page that describes the ipsec.conf 'conn'
section is that the value of 'leftid' is, by default, taken to be the
same as the value of 'left' but that a 'leftid' assignment in the
'conn' section will be used instead if specified.
However, in this case, it appears that my 'leftid' specification is
being ignored. Searching the web, I see that others have had success
by creating a tunnel group on the ASA that has a name that is
identical to the 'left' value (an IP address), but I do not have that
flexibility since the production deployment will ultimately need to
accommodate a large number of clients. The management overhead of
configuring a tunnel for each would be unacceptable to the customer
(and I wouldn't blame them, for that matter).
One forum posting I saw claimed that I need to specify the hex value
of the tunnel group name ala...
leftid=@#<hexdigits>
...but this doesn't solve the problem. What's the correct solution
for this? How do I get StrongSwan to use the 'leftid' value as the
ASA tunnel group ID?
Bill
--
William Bloom
williambloom at mac.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20100629/4bc28c89/attachment.html>
More information about the Dev
mailing list