[strongSwan] Cisco ASA and PSK id
Volodymyr Litovka
doka.ua at gmx.com
Thu Jul 16 19:17:00 CEST 2020
Hi colleagues,
is there anybody who has experience connecting a Cisco ASA with strongSwan using PSK?
I have the following configuration on SS side:
ikev2-psk {
    version = 2
    [ . . . ]
    local {
        auth = pubkey
        certs = fullchain.pem
        id = myid
    }
    remote {
        auth = psk
        id = %any
    }
    children {
        psk-child {
            [ . . . ]
        }
    }
}
secrets {
    ike-1 {
        id = ciscoasa
        secret = q1w2e3
    }
}
and while I use 'crypto isakmp identity hostname' on the ASA (the hostname is "ciscoasa"), this connection can be authenticated by SS:
charon-systemd[1566]: looking for peer configs matching local[%any]...remote[ciscoasa]
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2'
charon-systemd[1566]: authentication of 'ciscoasa' with pre-shared key successful
charon-systemd[1566]: constraint check failed: EAP identity '%any' required
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done
charon-systemd[1566]: switching to peer config 'ikev2-psk'
charon-systemd[1566]: IKE_SA ikev2-psk[45] established between local[fqdn]...remote[ciscoasa]
but as soon as I switch to 'crypto isakmp identity key-id ciscoasa', SS says there are no matching keys:
charon-systemd[1566]: looking for peer configs matching local[%any]...remote[ciscoasa]
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2'
charon-systemd[1566]: no shared key found for '%any' - 'ciscoasa'
charon-systemd[1566]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Which of the following is my case?
1) Cisco ASA sends the key-id in the wrong way
2) SS treats the received key-id in the wrong way
3) I'm missing something
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
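An added example, not from the original post or from the strongSwan project: a small Python classifier over the two charon log excerpts quoted above. It extracts the remote IKE identity, the peer configs charon tried, and whether the IKE_AUTH exchange ended in an established IKE_SA or in an AUTH_FAILED notification after a failed pre-shared key lookup. The two sample logs are copied verbatim from the post; the class and function names (IkeAuthOutcome, summarize_ike_auth) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two charon excerpts quoted in the post
# (identity type "hostname" on the ASA, then identity type "key-id").
HOSTNAME_ID_LOG = """\
charon-systemd[1566]: looking for peer configs matching local[%any]...remote[ciscoasa]
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2'
charon-systemd[1566]: authentication of 'ciscoasa' with pre-shared key successful
charon-systemd[1566]: constraint check failed: EAP identity '%any' required
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done
charon-systemd[1566]: switching to peer config 'ikev2-psk'
charon-systemd[1566]: IKE_SA ikev2-psk[45] established between local[fqdn]...remote[ciscoasa]
"""

KEYID_LOG = """\
charon-systemd[1566]: looking for peer configs matching local[%any]...remote[ciscoasa]
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2'
charon-systemd[1566]: no shared key found for '%any' - 'ciscoasa'
charon-systemd[1566]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Patterns for the charon messages that appear in the excerpts above.
PREFIX_RE = re.compile(r"^\S+\[\d+\]:\s*")  # strips "charon-systemd[1566]: "
PEER_RE = re.compile(r"looking for peer configs matching local\[([^\]]*)\]\.\.\.remote\[([^\]]*)\]")
SELECT_RE = re.compile(r"(?:selected|switching to) peer config '([^']*)'")
PSK_OK_RE = re.compile(r"authentication of '([^']*)' with pre-shared key successful")
NO_KEY_RE = re.compile(r"no shared key found for '([^']*)' - '([^']*)'")
ESTAB_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established")
AUTH_FAILED_RE = re.compile(r"N\(AUTH_FAILED\)")


@dataclass
class IkeAuthOutcome:
    """What one IKE_AUTH exchange looked like from the responder's log."""
    remote_id: Optional[str] = None            # identity string the peer sent
    configs_tried: List[str] = field(default_factory=list)
    psk_auth_ok_for: Optional[str] = None      # identity whose PSK auth succeeded
    no_shared_key_for: Optional[str] = None    # remote identity with no PSK match
    established_config: Optional[str] = None   # peer config the IKE_SA came up under
    auth_failed_sent: bool = False             # responder sent N(AUTH_FAILED)

    @property
    def verdict(self) -> str:
        if self.established_config:
            return "established"
        if self.no_shared_key_for and self.auth_failed_sent:
            return "psk-lookup-failed"
        if self.auth_failed_sent:
            return "auth-failed"
        return "incomplete"


def summarize_ike_auth(log_text: str) -> IkeAuthOutcome:
    """Walk the charon lines for one exchange and classify the outcome."""
    out = IkeAuthOutcome()
    for raw in log_text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        if m := PEER_RE.search(line):
            out.remote_id = m.group(2)
        elif m := SELECT_RE.search(line):
            conf = m.group(1)
            if conf not in out.configs_tried:   # "... unacceptable" repeats the name
                out.configs_tried.append(conf)
        elif m := PSK_OK_RE.search(line):
            out.psk_auth_ok_for = m.group(1)
        elif m := NO_KEY_RE.search(line):
            out.no_shared_key_for = m.group(2)
        elif m := ESTAB_RE.search(line):
            out.established_config = m.group(1)
        elif AUTH_FAILED_RE.search(line):
            out.auth_failed_sent = True
    return out


if __name__ == "__main__":
    for name, log in (("hostname", HOSTNAME_ID_LOG), ("key-id", KEYID_LOG)):
        r = summarize_ike_auth(log)
        print(f"{name}: remote={r.remote_id} tried={r.configs_tried} -> {r.verdict}")
```

On the first excerpt the summary is "established" under ikev2-psk after the EAP config was rejected; on the second it is "psk-lookup-failed", with the remote identity string identical to the one in the first run. Charon's default log format prints the identity string but not its IKE identity type, so when a lookup fails for an identity that looks identical to the one in the secrets section, the identity type the peer sent (and the type the secrets entry was parsed as) is the next thing to compare.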