[strongSwan-dev] Cisco Tunnel Group
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 30 06:16:02 CEST 2010
Hello Bill,
a strongSwan log with plutodebug=all set in ipsec.conf would be helpful
in the diagnosis of your problem.
Regards
Andreas
On 06/30/2010 04:38 AM, William Bloom wrote:
> I've configured a StrongSwan client in my lab with a 'conn' ipsec.conf
> section containing...
>
> ...
> left=%defaultroute
> leftid=@TunnelGroupSiteA
> ...
>
> ...for establishment of a tunnel to a Cisco ASA. I've specified
> ikeversion=ikev1 and, for now, authby=psk.
>
> Soon after negotiation begins (a few IKE messages are exchanged), a
> message appears in the ASA log reporting that the incoming connection is
> for group '172.16.1.2' (my client's IP address) and the negotiation is
> then aborted since the tunnel group is named 'TunnelGroupSiteA' rather
> than '172.16.1.2'.
>
> My reading of the wiki page that describes the ipsec.conf 'conn' section
> is that the value of 'leftid' is, by default, taken to be the same as
> the value of 'left' but that a 'leftid' assignment in the 'conn' section
> will be used instead if specified.
>
> However, in this case, it appears that my 'leftid' specification is
> being ignored. Searching the web, I see that others have had success by
> creating a tunnel group on the ASA that has a name that is identical to
> the 'left' value (an IP address), but I do not have that flexibility
> since the production deployment will ultimately need to accommodate a
> large number of clients. The management overhead of configuring a
> tunnel for each would be unacceptable to the customer (and I wouldn't
> blame them, for that matter).
>
> One forum posting I saw claimed that I need to specify the hex value of
> the tunnel group name ala...
>
> leftid=@#<hexdigits>
>
> ...but this doesn't solve the problem. What's the correct solution for
> this? How do I get StrongSwan to use the 'leftid' value as the ASA
> tunnel group ID?
>
>
> Bill
> --
> William Bloom
> williambloom at mac.com
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==