Problem establishing a VPN from ASA to Linux Openswan through NAT

guillerm
Level 1

ASA 5520 V7.2.3

The ASA is connected to the Internet via a NAT device.

We are trying to establish a site-to-site VPN tunnel between this ASA and a remote firewall based on Openswan/Freeswan Linux software, using the usual preshared key method; this remote site supports NAT-Traversal.

Unfortunately, this firewall does not seem to support the fact that the ISAKMP packets it receives from the ASA have a source IP address different from the identity shown inside the ISAKMP packet itself; this difference is due, of course, to the NAT device between the ASA and the Internet.

To try to solve this situation, I have tried to set the ISAKMP identity option to "hostname" instead of the default value "address", in order to force the ASA to show its identity in ISAKMP packets with its hostname instead of its outside IP address, and so avoid the IP address conflict. Here is the CLI command:

crypto isakmp identity hostname

Unfortunately, this option does not seem to be taken into account in the case of a site-to-site VPN tunnel running in main mode; this is more or less said in the ASA Config Guide. Here is an extract:

The security appliance uses the Phase I ID to send to the peer. This is true for all VPN scenarios except LAN-to-LAN connections in main mode that authenticate with preshared keys.

Although aggressive mode is enabled by default on the ASA, this does not force the two boxes to use this mode, and the ASA log shows that main mode is used.

So, is there a way to force the ASA to use its hostname instead of its IP address for its identity during the ISAKMP phase?

I would be grateful for any suggestion.

1 Reply

sadbulali
Level 4

The security appliance uses the Phase I ID to send to the peer. This is true for all VPN scenarios except LAN-to-LAN connections in main mode that authenticate with preshared keys. So in a LAN-to-LAN scenario, preshared keys are used instead of the Phase 1 ID. The default setting is hostname.

To change the peer identification method, enter the following command:

crypto isakmp identity {address | hostname | key-id id-string | auto}

Try the command "crypto isakmp identity auto" which may solve the issue.

Refer to the URL below for more information on "Determining an ID Method for ISAKMP Peers":

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/ike.html#wp1052788