
List:       strongswan-announce
Subject:    Re: [strongSwan-dev] Cisco Tunnel Group
From:       Andreas Steffen <andreas.steffen () strongswan ! org>
Date:       2010-06-30 4:16:02
Message-ID: 4C2AC502.7060809 () strongswan ! org


Hello Bill,

a strongSwan log with plutodebug=all set in ipsec.conf would be helpful
in the diagnosis of your problem.

Regards

Andreas

On 06/30/2010 04:38 AM, William Bloom wrote:
> I've configured a StrongSwan client in my lab with a 'conn' ipsec.conf
> section containing...
> 
> ...
> left=%defaultroute
> leftid=@TunnelGroupSiteA
> ...
> 
> ...for establishment of a tunnel to a Cisco ASA.  I've specified
> ikeversion=ikev1 and, for now, authby=psk.
> 
> Soon after negotiation begins (a few IKE messages are exchanged), a
> message appears in the ASA log reporting that the incoming connection is
> for group '172.16.1.2' (my client's IP address) and the negotiation is
> then aborted since the tunnel group is named 'TunnelGroupSiteA' rather
> than '172.16.1.2'.
> 
> My reading of the wiki page that describes the ipsec.conf 'conn' section
> is that the value of 'leftid' is, by default, taken to be the same as
> the value of 'left' but that a 'leftid' assignment in the 'conn' section
> will be used instead if specified.
> 
> However, in this case, it appears that my 'leftid' specification is
> being ignored.  Searching the web, I see that others have had success by
> creating a tunnel group on the ASA that has a name that is identical to
> the 'left' value (an IP address), but I do not have that flexibility
> since the production deployment will ultimately need to accommodate a
> large number of clients.  The management overhead of configuring a
> tunnel for each would be unacceptable to the customer (and I wouldn't
> blame them, for that matter).
> 
> One forum posting I saw claimed that I need to specify the hex value of
> the tunnel group name à la...
> 
> leftid=@#<hexdigits>
> 
> ...but this doesn't solve the problem.  What's the correct solution for
> this?  How do I get StrongSwan to use the 'leftid' value as the ASA
> tunnel group ID?  
> 
> 
> Bill
> --
> William Bloom
> williambloom@mac.com <mailto:williambloom@mac.com>

-- 
======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
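As an added illustration for the leftid question above (not code from the thread and not strongSwan's own code), a small Python helper that classifies which IKE identity type strongSwan derives from an ipsec.conf leftid/rightid value according to the documented prefixes (@ for an FQDN sent verbatim, @# for a hex key id, @@ for a string key id, a plain address for an IP identity) and shows that the identity falls back to the 'left' address only when 'leftid' is unset. The conn parser and the sample conn are constructed, and the classification is a simplified reading of the syntax rules.

```python
import ipaddress
import re

def classify_identity(value):
    """Map an ipsec.conf leftid/rightid value to (IKE ID type, payload).
    Assumption: simplified reading of strongSwan's identity syntax."""
    v = value.strip()
    if v.startswith("@#"):                 # hex-encoded ID_KEY_ID
        hexpart = v[2:]
        if not re.fullmatch(r"[0-9a-fA-F]+", hexpart) or len(hexpart) % 2:
            raise ValueError(f"bad hex key id: {value!r}")
        return "ID_KEY_ID", hexpart.lower()
    if v.startswith("@@"):                 # string ID_KEY_ID
        return "ID_KEY_ID", v[2:]
    if v.startswith("@"):                  # FQDN sent verbatim, never resolved
        return "ID_FQDN", v[1:]
    if "@" in v:                           # user@domain form
        return "ID_RFC822_ADDR", v
    try:
        ip = ipaddress.ip_address(v)
        return ("ID_IPV4_ADDR" if ip.version == 4 else "ID_IPV6_ADDR"), str(ip)
    except ValueError:
        pass
    return "ID_FQDN", v

def parse_conn(text):
    """Parse one 'conn' block into a dict (constructed, minimal parser)."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, val = line.partition("=")
        conn[key.strip()] = val.strip()
    return conn

def effective_left_identity(conn, local_addr):
    """Identity the initiator presents: leftid if set, else the left address
    (%defaultroute / %any resolve to the interface address at runtime)."""
    if conn.get("leftid"):
        return classify_identity(conn["leftid"])
    left = conn.get("left", "")
    return classify_identity(local_addr if left.startswith("%") else left)

# Constructed sample modelled on the conn fragment quoted in the thread.
SAMPLE_CONN = """conn asa-lab
    left=%defaultroute
    leftid=@TunnelGroupSiteA
    authby=psk
"""
```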



_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
