04-20-2017 12:13 AM
Hello,
I am trying to establish multiple VPN connections between Cisco ASDM, which is on Amazon Cloud, and the customer side. I am not able to establish even one connection because I always get the same error:
we require peer to have ID 'z.z.z.z', but peer declares 'x.x.x.x'
where z.z.z.z is the public ip
x.x.x.x is the private ip.
The reason for this is that on Amazon Cloud I can only attach an Elastic IP to an interface that already has a private IP. I cannot attach the public IP directly to the interface, so when I try to establish the VPN connection the Cisco ASDM presents itself with its private IP address. I am able to ping the Cisco's public address without problems and I also enabled NAT-T, but it did not help.
Do you have any idea how to solve this problem?
Best Regards
04-20-2017 12:15 AM
To be clear, you are using ASAv in Amazon AWS?
04-20-2017 12:25 AM
Hello,
Thank you for the reply.
Yes, I am using ASAv in Amazon AWS and I am using only IKEv1; IKEv2 is not enabled.
Best Regards
04-20-2017 12:55 AM
IKEv2 is much better at handling tricky things like this. Can you change to IKEv2?
04-20-2017 01:13 AM
I have enabled IKEv2 but still the same issue.
I found that on the Cisco ASDM (in Site-to-Site VPN --> Configurations --> IKE Parameters) there is the option "Identity sent to peer", which is set to "Address" (in the picture attached). I think that's what's causing the confusion, because according to ASDM it does not know that it has a public IP attached to its private IP, so it uses the private IP as an ID to establish the VPN connection.
Please correct me if I am wrong
Thank you very much
04-20-2017 01:15 AM
And has the remote end changed their configuration to use IKEv2 as well?
Chances are that will fix it on its own. If not, change from using "address" as your identity to something like "email" and enter a dummy email address for yourself that the remote party can match on.
04-20-2017 01:41 AM
Yes, I changed the configuration also at the remote end. At the remote end I am using openswan in order to do tests, but still it does not work. I also changed the parameter "Identity", but still I cannot establish the VPN.
04-20-2017 02:00 AM
I mostly use StrongSwan, but this makes it much easier now you have said that. Use these parameters (swapping left/right depending on your config):
right=<public IP of ASAv>
rightid=<private IP of ASAv>
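To make the left/right mapping from the post above concrete, here is a strongSwan configuration for the customer side that expects the ASAv's private address as its IKE identity while sending traffic to the Elastic IP. This is an added example, not configuration from the thread; all addresses, subnets and the pre-shared key are placeholders.

```conf
# /etc/ipsec.conf on the customer (strongSwan) side. Added example with placeholder values:
#   203.0.113.10  = customer's public IP
#   198.51.100.20 = ASAv Elastic IP (where IKE/ESP packets are sent)
#   10.0.1.5      = ASAv private interface IP (the ID the ASAv actually sends)
config setup
    charondebug="ike 2, cfg 2"

conn asav-aws
    keyexchange=ikev2
    authby=secret
    # local side
    left=203.0.113.10
    leftid=203.0.113.10
    leftsubnet=192.168.10.0/24
    # remote side: packets go to the Elastic IP, but the ASAv identifies
    # itself with the private IP behind it, so that is the ID to expect.
    # Leaving rightid unset would make strongSwan expect 198.51.100.20
    # and produce the "we require peer to have ID" mismatch from the thread.
    right=198.51.100.20
    rightid=10.0.1.5
    rightsubnet=10.0.0.0/16
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # the ASAv sits behind 1:1 NAT, so keep UDP encapsulation on (NAT-T)
    forceencaps=yes
    auto=start
    # If the ASAv is instead configured to send an e-mail style identity,
    # as suggested earlier in the thread, match it here with e.g.
    # rightid=asav@example.com (placeholder) instead of the private IP.

# /etc/ipsec.secrets: the PSK is selected by the two IKE identities above
# 203.0.113.10 10.0.1.5 : PSK "replace-with-shared-secret"
```

After loading the config, `ipsec up asav-aws` and the charon log show whether the peer's declared ID now matches the expected one.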
04-20-2017 02:17 AM
As every client has a different firewall and most of them do not have openswan, I need to force the Cisco ASDM to use the public IP as an ID to establish the VPN. Is there a way to set some sort of right id (like in openswan) for the Cisco ASDM so that it can use its public IP as the ID?
04-20-2017 02:19 AM
No.
04-20-2017 12:16 AM
Are you able to use IKEv2 to the remote peer?
09-11-2018 12:12 PM
I am having the same issue and can't find any document about how to terminate a site to site vpn tunnel on an ASAv with an elastic IP. Did you ever get a resolution and can you point me to it?
09-13-2018 10:34 AM
Please configure:
debug cry con peer (peer ip)
debug cry ikev2 pro 127
debug cry ikev2 plat 127
Then attempt to establish the tunnel by sending over traffic and send the output of what you receive from the debugs. When you are finished, do "undebug all".