[strongSwan] Problem using asymmetric keys against Cisco IOS

Volodymyr Litovka doka.ua at gmx.com
Wed Dec 9 08:19:56 CET 2020


Hi John,

try using "keyid:CORS89" in both the configuration and the secrets instead of
shortcuts.

On 08.12.2020 16:09, John Serink wrote:
> Hello:
>
> Cisco debug is showing me this:
> Dec  8 13:57:16.184: IKEv2:(SESSION ID = 93872,SA ID = 40):Stopping timer to wait for auth
> message
> Dec  8 13:57:16.184: IKEv2:(SESSION ID = 93872,SA ID = 40):Checking NAT discovery
> Dec  8 13:57:16.184: IKEv2:(SESSION ID = 93872,SA ID = 40):NAT OUTSIDE found
> Dec  8 13:57:16.184: IKEv2:(SESSION ID = 93872,SA ID = 40):NAT detected float to init port
> 48448, resp port 4500
> Dec  8 13:57:16.184: IKEv2:(SESSION ID = 93872,SA ID = 40):Searching policy based on peer's
> identity 'CORS89' of type 'FQDN'
> Dec  8 13:57:16.185: IKEv2-ERROR:(SESSION ID = 93872,SA ID = 40):% key not found.
> Dec  8 13:57:16.186: IKEv2-ERROR:(SESSION ID = 93872,SA ID = 40):: Failed to locate an item in
> the database
> Dec  8 13:57:16.186: IKEv2:(SESSION ID = 93872,SA ID = 40):Verification of peer's
> authentication data FAILED
>
> It identified my strongswan client CORS89, but it thinks it's an FQDN rather than an ID.
>
> In the ipsec.conf for leftid I used '@CORS89' and in the ipsec.secrets I also used @CORS89, so
> why would the Cisco think it's an FQDN rather than just a key-id?
>
> Cheers,
> John
>
>
--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
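Added illustration of the change Volodymyr is suggesting; this is not configuration posted in the thread. In strongSwan an identity written with a leading '@' is sent as type FQDN (no DNS lookup is done, but the type field is FQDN), which is exactly what the Cisco debug reports, and the Cisco lookup in the debug is keyed on both the value and the type. The 'keyid:' prefix sends the same string as type KEY_ID. The connection name and key file path below are assumptions; only leftid and the secrets selector are the point.

```ini
# Added example, not from the original thread. Connection name and key path are assumptions.

# ipsec.conf, as posted: '@' yields identity type FQDN
# (Cisco debug: "identity 'CORS89' of type 'FQDN'").
conn cisco
    leftid=@CORS89
    leftauth=pubkey

# ipsec.conf, corrected: 'keyid:' yields identity type KEY_ID.
conn cisco
    leftid=keyid:CORS89
    leftauth=pubkey

# ipsec.secrets, corrected: use the same form for the selector on the RSA key line.
keyid:CORS89 : RSA /etc/ipsec.d/private/cors89Key.pem
```

After changing the identity, reload the secrets and the connection so the new leftid is what gets sent in the IKE_AUTH exchange, and re-check the Cisco debug for the type it now reports for 'CORS89'.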
