RV340 site-to-site ipsec vpn identifiers question

leogrande1
Level 1

RV340 v1.0.03.15

I have set up ikev1 site-to-site tunnels RV340 - StrongSwan (remote) and RV340 - Ubiquiti Edgerouter (remote).

Both sides are using DynDNS.

If I understand correctly, when a real FQDN record such as vpn.somedomain.com is used as an identifier of FQDN type, the RV340 tries to resolve it to an IP address, and this causes an authentication error.

In Edgerouter 'id' (leftid) and 'remote-id' (rightid) are always in text format and are not resolved to an IP address. In Strongswan '@' is used to prevent name resolution of identifiers in FQDN format.

I decided to use identifiers not in FQDN format but rather as a simple text string, like 'ciscorouter' and 'strongswan'/'edgerouter' and entered them in Remote Identifier boxes on RV340 and it looks like it is working.

 

My concern and question is whether this will survive any future firmware upgrade, since my identifiers are definitely not in FQDN format. It even accepts %any. Should I consider Remote/Local FQDN as leftid and rightid in terms of formatting and disregard its restrictive name?

 

It doesn't seem to be a problem with ikev2 setup and a real FQDN format. And, of course, I will stick to ikev2 whenever it is possible.

In this case, I have used ikev1 to test NAT-T (which works) and tunnels with devices that do not support ikev2.

 

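The strongSwan side of the IKEv1 tunnel described in the question, written out as an added example (it is not from the original post, nor Cisco's or strongSwan's own documentation). It uses the non-resolved `@`-prefixed identities the poster settled on; the DynDNS hostname, subnets and PSK are placeholders, and the RV340 field names in the comments are assumed from the question.

```conf
# /etc/ipsec.conf on the strongSwan peer (added example, not from the post)
config setup
    charondebug="ike 1, cfg 1"

conn rv340
    keyexchange=ikev1
    authby=secret
    # Local side: the endpoint address comes from the default route, while
    # the identity is the literal string "strongswan" sent as an FQDN-type
    # ID. The leading '@' tells strongSwan not to DNS-resolve it.
    left=%defaultroute
    leftid=@strongswan
    leftsubnet=10.10.0.0/24
    # Remote side: the RV340's DynDNS name (placeholder) is resolved only to
    # find the peer address. The identity must match, byte for byte, the
    # plain string entered as the RV340's local identifier, not a DNS name.
    right=rv340.example-dyndns.invalid
    rightid=@ciscorouter
    rightsubnet=192.168.1.0/24
    # rightid=%any would accept any peer identity; that removes the identity
    # check from authentication and is only acceptable for road warriors.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # NAT-T is detected automatically; set forceencaps=yes only if a
    # middlebox breaks the NAT-T detection payloads.
    dpdaction=restart
    auto=start

# /etc/ipsec.secrets: the PSK selectors use the same literal identities
@strongswan @ciscorouter : PSK "replace-with-a-long-random-psk"
```

If the identity on either side is later changed to a bare hostname without `@`, the PSK selector line must change with it, otherwise the peer fails at phase 1 even though the secret itself is unchanged.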
1 Reply

train_wreck
Level 1

Yes, the values should remain after a firmware upgrade. And you're right that %any works in the field. I suspect Cisco is just using Strongswan underneath as well.
