
VPN Cisco ASDM

Hello, 

I am trying to establish multiple VPN connections between a Cisco ASDM, which is on Amazon Cloud, and the customer side. I am not able to establish even one connection because I always get the same error:

we require peer to have ID 'z.z.z.z', but peer declares 'x.x.x.x'

where z.z.z.z is the public ip 

x.x.x.x is the private ip.

The reason for this is that on Amazon Cloud I can only attach an Elastic IP to an interface that already has a private IP. I cannot attach the public IP directly to the interface, so when I try to establish the VPN connection the Cisco ASDM presents itself with its private IP address. I am able to ping the Cisco's public address without problems and I also enabled NAT-T, but it did not help.

Do you have any idea how to solve this problem?

Best Regards 

VIP Purple

To be clear, you are using ASAv in Amazon AWS?

Hello,

Thank you for the reply. 

Yes, I am using ASAv in Amazon AWS and I am using only IKEv1; IKEv2 is not enabled.

Best Regards

VIP Purple

IKEv2 is much better at handling tricky things like this.  Can you change to IKEv2?

I have enabled IKEv2 but still the same issue.

I found that on the Cisco ASDM (in Site-to-Site VPN --> Configurations --> IKE Parameters) there is the option "Identity sent to peer", which is set to "Address" (in the picture attached). I think that's what's causing the confusion, because according to ASDM it does not know that it has a public IP attached to its private IP, so it uses the private IP as an ID to establish the VPN connection.

Please correct me if I am wrong.

Thank you very much

VIP Purple

And has the remote end changed their configuration to use IKEv2 as well?

Chances are that will fix it on its own.  If not, change from using "address" as your identity to something like "email" and enter a dummy email address for yourself that the remote party can match on.

Yes, I changed the configuration also at the remote end. At the remote end I am using openswan in order to do tests, but still it does not work. I also changed the parameter "Identity", but still I cannot establish the VPN.

VIP Purple

I mostly use StrongSwan, but this makes it much easier now you have said that.  Use these parameters (swapping left/right depending on your config):

right=<public IP of ASAv>
rightid=<private IP of ASAv>
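One way to triage the openswan/pluto error quoted at the top of this thread, as an added Python example that is not code from the thread or from Cisco: it parses the "we require peer to have ID" line, checks whether the declared ID is an RFC 1918 address while the expected one is not (the Elastic IP case the poster describes), and emits the right/rightid pair suggested in the reply above. The log lines are constructed samples, and the connection name "aws-tunnel" is an assumption.

```python
import ipaddress
import re

# Matches the openswan/libreswan pluto message quoted in the thread.
ID_MISMATCH = re.compile(
    r"we require peer to have ID '(?P<required>[^']+)', but peer declares '(?P<declared>[^']+)'"
)

# RFC 1918 ranges: an ID from these is the peer's own private address, not its NAT'd public one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not taken from the thread) in pluto's format.
SAMPLE_LOG = [
    "pluto[1234]: \"aws-tunnel\" #1: STATE_MAIN_I2: sent MI2, expecting MR2",
    "pluto[1234]: \"aws-tunnel\" #1: we require peer to have ID '203.0.113.10', "
    "but peer declares '10.0.1.25'",
]

def is_rfc1918(address):
    return any(address in net for net in RFC1918)

def find_id_mismatches(lines):
    """Return (required, declared) ID pairs for every mismatch found in the log lines."""
    return [(m.group("required"), m.group("declared"))
            for m in map(ID_MISMATCH.search, lines) if m]

def classify(required, declared):
    """Say why the received IKE ID differs from the one configured for the peer."""
    try:
        req, dec = ipaddress.ip_address(required), ipaddress.ip_address(declared)
    except ValueError:
        return "non-address identity"  # FQDN or e-mail style ID: compare as literal strings
    if is_rfc1918(dec) and not is_rfc1918(req):
        return "peer is behind 1:1 NAT (e.g. AWS Elastic IP) and sends its private address as ID"
    return "identity mismatch between configured and received address IDs"

def suggested_peer_settings(public_ip, declared_id):
    """The right/rightid pair from the reply above: connect to the public IP, match the private ID."""
    return {"right": public_ip, "rightid": declared_id}

def analyse(lines):
    """Report each mismatch with a diagnosis and the settings to try on the non-Cisco end."""
    return [{"required": req, "declared": dec, "diagnosis": classify(req, dec),
             "suggested": suggested_peer_settings(req, dec)}
            for req, dec in find_id_mismatches(lines)]
```

Run `analyse(SAMPLE_LOG)` against your own pluto log to get the diagnosis and the right/rightid values in one step.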

As every client has a different firewall and most of them do not have openswan, I need to force the Cisco ASDM to use the public IP as an ID to establish the VPN. Is there a way to set some sort of right id (like in openswan) for the Cisco ASDM so that it can use its public IP as the ID?

VIP Purple

No.

VIP Purple

Are you able to use IKEv2 to the remote peer?
