[Swan] cisco asa
Bob Miller
bob at computerisms.ca
Tue Feb 28 07:17:15 UTC 2017
Hello Gurus,
I have an existing libreswan-SonicWall VPN in place, and now there is a 3rd
location going in that has a Cisco ASA firewall. I have been working
with the tech at the other end, and we are stuck at the beginning of phase 2,
or I am: the other end will see me connect for a second, then it goes
away.
I have looked at the wiki, but I am told there is no groupname
configured at that end, and when they sent me a dump of the config, I
can find nothing that would seem an appropriate value to put. They also
tell me there is no xauth enabled on their end. So this seems to be a
different config than the wiki is talking about? Logs tell me this:
whse2datacenter" #3: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using
isakmp#2 msgid:10f75020 proposal=3DES(3)_000-SHA1(2)_000 pfsgroup=no-pfs}
Feb 27 23:25:58 fw-tpc pluto[10068]: "whse2datacenter" #2: ignoring
informational payload INVALID_ID_INFORMATION, msgid=00000000, length=144
When I trace through debug, I believe part where I am sending my ID is
from lines like:
***emit ISAKMP Identification Payload (IPsec DOI):
next payload type: ISAKMP_NEXT_ID
ID type: ID_USER_FQDN
Protocol ID: 0
port: 0
***emit ISAKMP Identification Payload (IPsec DOI):
next payload type: ISAKMP_NEXT_NONE
ID type: ID_USER_FQDN
Protocol ID: 0
port: 0
But I can see the Cisco's response is invalid ID. I am using PSK, so the ID
is not determined from certificates, and I have already tried using my
IP address as my leftid. Presumably if I set the correct value for
leftid, the Cisco will be happy? But how can I find what ID the Cisco
is expecting to receive?
--
Bob Miller
Computerisms
867-334-7117 / 867-633-3760
http://www.computerisms.ca
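As an added example (not part of Bob's post and not libreswan's own code), the script below does two things a reader of this thread would want to check: it maps a `leftid=`/`rightid=` value to the IKE ID type libreswan documents for that syntax in ipsec.conf(5) (a leading `@` gives ID_FQDN, `user@domain` gives ID_USER_FQDN, an address literal gives ID_IPV4_ADDR/ID_IPV6_ADDR, `@[...]`/`@#...` gives ID_KEY_ID, a bare hostname is resolved to an address), and it parses pluto log lines of the shape quoted above to pair each connection with the informational notifications it received. The classifier is a hypothetical helper written from the documented rules, and the log lines are constructed to resemble the ones in the post.

```python
import ipaddress
import re

# Constructed pluto log lines modelled on the ones quoted in the post
# (timestamps, host name and PID are made up; they are not real captures).
SAMPLE_LOG = """\
Feb 27 23:25:58 fw-tpc pluto[10068]: "whse2datacenter" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#2 msgid:10f75020 proposal=3DES(3)_000-SHA1(2)_000 pfsgroup=no-pfs}
Feb 27 23:25:58 fw-tpc pluto[10068]: "whse2datacenter" #2: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=144
Feb 27 23:26:10 fw-tpc pluto[10068]: "othersite" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
"""

# Every pluto state message has the form: pluto[PID]: "conn" #N: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r'ignoring informational payload (?P<notify>[A-Z_]+)')


def ike_id_type(value):
    """Hypothetical helper: return the IKE ID type that the ipsec.conf(5)
    rules assign to a leftid=/rightid= value.  This reimplements the
    documented syntax rules; it is not libreswan's parser."""
    v = value.strip()
    if v == "%fromcert":
        return "ID from certificate subject"
    if v == "%none":
        return "no ID"
    if v.startswith("@[") or v.startswith("@#"):
        return "ID_KEY_ID"
    if v.startswith("@"):
        # Literal string, never resolved
        return "ID_FQDN"
    if "@" in v:
        # user@domain form, also a literal string
        return "ID_USER_FQDN"
    try:
        ip = ipaddress.ip_address(v)
        return "ID_IPV4_ADDR" if ip.version == 4 else "ID_IPV6_ADDR"
    except ValueError:
        # A bare hostname is resolved to an address at load time and the
        # address is sent, so the peer sees an address ID, not a name.
        return "hostname resolved to an address ID"


def parse_pluto_log(text):
    """Turn pluto log lines into (conn, state, message) records; lines that
    are not connection-state messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({"conn": m.group("conn"),
                       "state": int(m.group("state")),
                       "msg": m.group("msg")})
    return events


def phase2_failures(text):
    """Map each connection name to the list of informational notifications
    the peer sent it, which is what to look at when Quick Mode never
    completes."""
    failures = {}
    for ev in parse_pluto_log(text):
        n = NOTIFY_RE.search(ev["msg"])
        if n:
            failures.setdefault(ev["conn"], []).append(n.group("notify"))
    return failures


if __name__ == "__main__":
    # The trace in the post shows ID_USER_FQDN being emitted, which is what a
    # leftid of the user@domain form produces.
    for candidate in ("bob@example.com", "@fw-tpc", "203.0.113.1", "vpn.example.com"):
        print(f"leftid={candidate!r:24} -> {ike_id_type(candidate)}")
    for conn, notifies in phase2_failures(SAMPLE_LOG).items():
        print(f"{conn}: peer replied with {', '.join(notifies)}")
```

The ID classifier lets you predict, from the ipsec.conf value alone, which ID type the peer will see in the Identification Payload, which is the first thing to compare against what the other side is configured to expect; the log parser is a small piece of detection logic that surfaces the notification the peer sent instead of completing Quick Mode.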