I am trying to establish multiple VPN connections between a Cisco ASDM, which is on Amazon Cloud, and the customer side. I am not able to establish even one connection because I always get the same error:
we require peer to have ID 'z.z.z.z', but peer declares 'x.x.x.x'
where z.z.z.z is the public IP and x.x.x.x is the private IP.
The reason for this is that on Amazon Cloud I can only attach an Elastic IP to an interface that already has a private IP. I cannot attach the public IP directly to the interface, so when I try to establish the VPN connection the Cisco ASDM presents itself with its private IP address. I am able to ping the Cisco's public address without problems and I also enabled NAT-T, but it did not help.
Do you have any idea how to solve this problem?
I have enabled IKEv2 but still the same issue.
I found that on the Cisco ASDM (in Site-to-Site VPN --> Configurations --> IKE Parameters) there is the option "Identity sent to peer", which is set to "Address" (in the picture attached). I think that's what's causing the confusion, because according to ASDM it does not know that it has a public IP attached to its private IP, so it uses the private IP as an ID to establish the VPN connection.
Please correct me if I am wrong.
Thank you very much
And has the remote end changed their configuration to use IKEv2 as well?
Chances are that will fix it on its own. If not, change from using "address" as your identity to something like "email" and enter a dummy email address for yourself that the remote party can match on.
Yes, I changed the configuration also at the remote end. At the remote end I am using Openswan in order to do tests, but still it does not work. I also changed the parameter "Identity", but still I cannot establish the VPN.
I mostly use StrongSwan, but this makes it much easier now you have said that. Use these parameters (swapping left/right depending on your config):
right=<public IP of ASAv>
rightid=<private IP of ASAv>
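Here is what those two parameters look like in a complete strongSwan ipsec.conf stanza, as an added example rather than the answerer's own configuration; all addresses are placeholders from the documentation ranges (203.0.113.10 for the ASAv Elastic IP, 10.0.1.10 for its private interface address, 198.51.100.5 for the customer gateway), and the subnets and PSK are assumed.

```conf
# Added example, not from the original thread.
# Customer-side strongSwan gateway peering with an ASAv that sits behind
# AWS 1:1 NAT (Elastic IP mapped onto a private interface address).
# Placeholder addresses: 203.0.113.10 = ASAv Elastic IP,
#                        10.0.1.10    = ASAv private interface IP,
#                        198.51.100.5 = customer gateway public IP.

config setup
    # Log IKE negotiation and config matching so an ID mismatch is visible
    charondebug="ike 2, cfg 2"

conn asav-site
    keyexchange=ikev2
    authby=secret

    # Customer side ("left")
    left=198.51.100.5
    leftid=198.51.100.5
    leftsubnet=192.168.10.0/24

    # ASAv side ("right"): IKE packets come from the Elastic IP ...
    right=203.0.113.10
    # ... but with "Identity sent to peer = Address" the ASAv puts its
    # private interface address in the IKE ID payload. Matching on the
    # public IP here is what produces
    #   we require peer to have ID '203.0.113.10', but peer declares '10.0.1.10'
    # so the expected identity has to be the private address instead:
    rightid=10.0.1.10
    rightsubnet=10.0.1.0/24

    auto=start

# ipsec.secrets (separate file): with IKEv2 the PSK is looked up by the
# identities, so key it on the same IDs used above.
#   198.51.100.5 10.0.1.10 : PSK "replace-with-a-long-random-secret"
```

After `ipsec reload`, `ipsec statusall asav-site` should show the IKE_SA established with the remote identity 10.0.1.10 while the remote address stays 203.0.113.10.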
As every client has a different firewall and most of them do not have Openswan, I need to force the Cisco ASDM to use the public IP as an ID to establish the VPN. Is there a way to set some sort of right ID (like in Openswan) for the Cisco ASDM so that it can use its public IP as the ID?