943 Views, 0 Helpful, 12 Replies

VPN Cisco ASDM

Hello, 

I am trying to establish multiple VPN connections between a Cisco ASDM, which is on Amazon Cloud, and the customer side. I am not able to establish even one connection because I always get the same error:

we require peer to have ID 'z.z.z.z', but peer declares 'x.x.x.x'

where z.z.z.z is the public ip 

x.x.x.x is the private ip.

The reason for this is that on Amazon Cloud I can only attach an Elastic IP to an interface that already has a private IP. I cannot attach the public IP directly to the interface, so when I try to establish the VPN connection the Cisco ASDM presents itself with its private IP address. I am able to ping the Cisco's public address without problems and I also enabled NAT-T, but it did not help.

Do you have any idea how to solve this problem?

Best Regards 

12 Replies

Philip D'Ath
VIP Alumni

To be clear, you are using ASAv in Amazon AWS?

Hello,

Thank you for the reply. 

Yes, I am using ASAv in Amazon AWS and I am using only IKEv1; IKEv2 is not enabled.

Best Regards

IKEv2 is much better at handling tricky things like this.  Can you change to IKEv2?

I have enabled IKEv2 but still the same issue.

I found that on the Cisco ASDM (in Site-to-Site VPN --> Configurations --> IKE Parameters) there is the option "Identity sent to peer", which is set to "Address" (in the picture attached). I think that is what is causing the confusion, because according to ASDM it does not know that it has a public IP attached to its private IP, so it uses the private IP as an ID to establish the VPN connection.

Please correct me if I am wrong.

Thank you very much

And has the remote end changed their configuration to use IKEv2 as well?

Chances are that will fix it on its own.  If not, change from using "address" as your identity to something like "email" and enter a dummy email address for yourself that the remote party can match on.

Yes, I changed the configuration also at the remote end. At the remote end I am using openswan in order to do tests, but still it does not work. I also changed the parameter "Identity", but still I cannot establish the VPN.

I mostly use StrongSwan, but this makes it much easier now that you have said that. Use these parameters (swapping left/right depending on your config):

right=<public IP of ASAv>
rightid=<private IP of ASAv>
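
As an added example (not part of Philip's reply or the thread), here is what those two parameters look like inside a complete openswan/strongSwan `ipsec.conf` connection for the remote side, together with the matching `ipsec.secrets` entry. Every address is a placeholder: `z.z.z.z` is the ASAv's Elastic (public) IP, `x.x.x.x` its private interface IP, `y.y.y.y` the remote gateway's own public IP, and the two subnets are assumed values.

```ini
# /etc/ipsec.conf (added example, not from the thread; all addresses are placeholders)
conn asav-aws
    keyexchange=ikev2          # both ends were moved to IKEv2 earlier in the thread
    authby=secret              # pre-shared key, looked up by the identities below
    left=y.y.y.y               # this gateway's own address
    leftsubnet=10.1.0.0/16     # network behind this gateway (assumed)
    right=z.z.z.z              # transport address: IKE packets go to the Elastic IP
    rightid=x.x.x.x            # identity check: the ASAv declares its private IP in the ID payload
    rightsubnet=10.2.0.0/16    # network behind the ASAv (assumed)
    auto=start
    # ike= / esp= proposals omitted: add lines that match the ASAv policy
    # (proposal syntax differs slightly between openswan and strongSwan)

# /etc/ipsec.secrets (added example). The key is selected by the IKE identities,
# so the ASAv side is indexed by the private IP it sends, not the Elastic IP.
# y.y.y.y x.x.x.x : PSK "replace-with-the-shared-secret"
```

The split matters because `right` only controls where packets are sent, while `rightid` is what the peer's ID payload is compared against; the "we require peer to have ID ... but peer declares ..." message in the question is exactly that comparison failing, not a NAT-T or encryption problem. Pinning `rightid` to an RFC 1918 address does not weaken the authentication, since the identity only selects which connection and secret apply and the peer still has to prove possession of the PSK.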

As every client has a different firewall, most of them do not have openswan, so I need to force the Cisco ASDM to use the public IP as an ID to establish the VPN. Is there a way to set some sort of right ID (like in openswan) for the Cisco ASDM so that it can use its public IP as the ID?

No.

Philip D'Ath
VIP Alumni

Are you able to use IKEv2 to the remote peer?

lukefranzelas
Level 1

I am having the same issue and can't find any document about how to terminate a site-to-site VPN tunnel on an ASAv with an Elastic IP. Did you ever get a resolution, and can you point me to it?

Please configure:

debug cry con peer (peer ip)

debug cry ikev2 pro 127

debug cry ikev2 plat 127

Then attempt to establish the tunnel by sending traffic over it, and send the output you receive from the debugs. When you are finished, do "undebug all".