[strongSwan-dev] Cisco Tunnel Group

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 30 06:16:02 CEST 2010

Hello Bill,

a strongSwan log with plutodebug=all set in ipsec.conf would be helpful
in the diagnosis of your problem.



On 06/30/2010 04:38 AM, William Bloom wrote:
> I've configured a StrongSwan client in my lab with a 'conn' ipsec.conf
> section containing...
> ...
> left=%defaultroute
> leftid=@TunnelGroupSiteA
> ...
> ...for establishment of a tunnel to a Cisco ASA.  I've specified
> ikeversion=ikev1 and, for now, authby=psk.
> Soon after negotiation begins (a few IKE messaged are exchanged), a
> message appears in the ASA log reporting that the incoming connection is
> for group '' (my client's IP address) and the negotiation is
> then aborted since the tunnel group is named 'TunnelGroupSiteA' rather
> than ''.
> My reading of the wiki page that describes the ipsec.conf 'conn' section
> is that the value of 'leftid' is, by default, taken to be the same as
> the value of 'left' but that a 'leftid' assignment in the 'conn' section
> will be used instead if specified.
> However, in this case, it appears that my 'leftid' specification is
> being ignored.  Searching the web, I see that others have had success by
> creating a tunnel group on the ASA that has a name that is identical to
> the 'left' value (an IP address), but I do not have that flexibility
> since the production deployment will ultimately need to accommodate a
> large number of clients.  The management overhead of configuring a
> tunnel for each would be unacceptable to the customer (and I wouldn't
> blame them, for that matter).
> One forum posting I saw claimed that I need to specify the hex value of
> the tunnel group name ala...
> leftid=@#<hexdigits>
> ...but this doesn't solve the problem.  What's the correct solution for
> this?  How do I get StrongSwan to use the 'leftid' value as the ASA
> tunnel group ID?  
> Bill
> --
> William Bloom
> williambloom at mac.com <mailto:williambloom at mac.com>

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3430 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20100630/6e8815ee/attachment.bin>

More information about the Dev mailing list