Hi Tobias,
this is what I see in the logs:
b-test strongswan: 10[CFG] <25> looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test charon-systemd[130481]: looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test strongswan: 10[CFG] <25> peer config "ikev2-eap", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25> local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25> remote id match: 1 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <25> candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
b-test strongswan: 10[CFG] <25> peer config "ikev2-psk-whl", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25> local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25> remote id match: 0 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <25> peer config "ikev2-psk-ciscoasa", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25> local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25> remote id match: 0 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <ikev2-eap|25> selected peer config 'ikev2-eap'
There are three connections:
connections {
    ikev2-eap {
        remote_addrs = %any
        local { ... }
        remote {
            auth = eap-radius
            id = %any
            eap_id = %any
        }
    }
    ikev2-whl {
        remote_addrs = x.x.x.x
        local { ... }
        remote {
            auth = psk
            id = x.x.x.x
        }
    }
    ikev2-cisoasa {
        remote_addrs = %any
        local { ... }
        remote {
            auth = psk
            id = @#636973636f617361
            # id = ciscoasa
            # id = @#ciscoasa
        }
    }
}
It seems the remote side sends ID_KEY_ID: 63:69:73:63:6f:61:73:61, but none of the three IDs matches the received ID.
On the other hand, when I switch to an FQDN ID
connections {
    [ ... ]
    ikev2-cisoasa {
        remote_addrs = %any
        local { ... }
        remote {
            auth = psk
            id = ciscoasa
        }
    }
}
I see the correct behavior:
b-test strongswan: 08[CFG] <38> looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test strongswan: 08[CFG] <38> peer config "ikev2-eap", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 08[CFG] <38> local id match: 1 (ID_ANY: )
b-test strongswan: 08[CFG] <38> remote id match: 1 (ID_FQDN: 63:69:73:63:6f:61:73:61)
b-test strongswan: 08[CFG] <38> candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
b-test strongswan: 08[CFG] <38> peer config "ikev2-psk-194_44_66_2", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 08[CFG] <38> local id match: 1 (ID_ANY: )
b-test strongswan: 08[CFG] <38> remote id match: 0 (ID_FQDN: 63:69:73:63:6f:61:73:61)
b-test strongswan: 08[CFG] <38> peer config "ikev2-psk-ciscoasa", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 08[CFG] <38> local id match: 1 (ID_ANY: )
b-test strongswan: 08[CFG] <38> remote id match: 20 (ID_FQDN: 63:69:73:63:6f:61:73:61)
b-test strongswan: 08[CFG] <38> candidate "ikev2-psk-ciscoasa", match: 1/20/1052 (me/other/ike)
b-test strongswan: 08[CFG] <ikev2-psk-ciscoasa|38> selected peer config 'ikev2-psk-ciscoasa'
I would appreciate any suggestions on how to work around this issue.
Thank you.
On 14.09.2020 11:56, Tobias Brunner wrote:
> Hi Volodymyr,
>
>> do not work - strongSwan does not consider this connection when choosing
>> between several.
>
> Increase the log level for cfg to 3 [1] to see details about the matched
> identities and read or send the log.
>
>> What is the right way to describe the id for a PSK connection where the remote
>> part uses the key-id type, e.g. on Cisco it is "crypto isakmp identity
>> key-id aa"?
>
> Don't know what Cisco will send if you do that, so no idea. You'll see
> that in the log.
>
>> And which id needs to be used in the 'secrets' section to achieve the result?
>> Should it be
>
> It must match the identity value and type you configure in the remote
> section.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
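A small diagnostic for the cfg-level matching lines in this thread, added here as an example; it is not part of the thread and not strongSwan code. It parses each candidate's ike/local/remote scores, decodes the hex ID bytes (63:69:73:63:6f:61:73:61 is the ASCII string ciscoasa) and flags the case where the specific PSK config scores 0 and the peer falls through to the %any EAP config. The sample log is constructed from the first log above with the mail's line wrapping undone.

```python
import re

# Constructed sample: cfg-level lines from the thread's first log, unwrapped.
SAMPLE_LOG = """\
b-test strongswan: 10[CFG] <25> looking for peer configs matching server-side[%any]...client-side[ciscoasa]
b-test strongswan: 10[CFG] <25> peer config "ikev2-eap", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25> local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25> remote id match: 1 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <25> candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
b-test strongswan: 10[CFG] <25> peer config "ikev2-psk-ciscoasa", ike match: 1052 (server-side...%any IKEv2)
b-test strongswan: 10[CFG] <25> local id match: 1 (ID_ANY: )
b-test strongswan: 10[CFG] <25> remote id match: 0 (ID_KEY_ID: 63:69:73:63:6f:61:73:61)
b-test strongswan: 10[CFG] <ikev2-eap|25> selected peer config 'ikev2-eap'
"""

PEER_RE = re.compile(r'peer config "([^"]+)", ike match: (\d+)')
ID_RE = re.compile(r'(local|remote) id match: (\d+) \((ID_\w+): ?([0-9a-fA-F:]*)\)')
SELECTED_RE = re.compile(r"selected peer config '([^']+)'")

def decode_id(hex_bytes):
    """Decode the colon-separated hex strongSwan logs for an ID into text."""
    raw = bytes.fromhex(hex_bytes.replace(":", "")) if hex_bytes else b""
    return raw.decode("ascii", errors="replace")

def summarize(log_text):
    """Map each candidate peer config to its ike/local/remote match scores
    and decoded remote ID; also return the config charon finally selected."""
    candidates, current, selected = {}, None, None
    for line in log_text.splitlines():
        if m := PEER_RE.search(line):
            current = m.group(1)
            candidates[current] = {"ike": int(m.group(2))}
        elif (m := ID_RE.search(line)) and current:
            side, score, id_type, hex_bytes = m.groups()
            candidates[current][side] = int(score)
            if side == "remote":
                candidates[current]["remote_id"] = (id_type, decode_id(hex_bytes))
        elif m := SELECTED_RE.search(line):
            selected = m.group(1)
    return candidates, selected

def fell_through_to_wildcard(candidates, selected):
    """Configs with a specific remote id that scored 0 while a wildcard
    (score 1) config won: the peer is being served by the wrong config."""
    if selected is None or candidates.get(selected, {}).get("remote") != 1:
        return []
    return [name for name, c in candidates.items() if c.get("remote") == 0]
```

Run it over a `swanctl`/charon log captured at cfg level 3 to see, per candidate, why the intended config lost the selection.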