
Re: isakmpd: unknown id type user_fqdn



  On Jun 10 at 18:34, Hakan Olsson spoke:

> If you use preshared keys to authenticate, this is the "Authentication="
> tag under the relevant Phase 1 section. In the same section, you can use
> an "ID=" tag instead, to point out the Phase 1 ID to use.  Here USER_FQDN
> or FQDN normally points out a certificate, even though other types are ok
> too.
> 
> You select which authentication type to use by selecting, say, 3DES-SHA
> (for preshared) or 3DES-SHA-RSA_SIG (for X509/certificate auth). If you
> use the former, the ID= tag is not used. With the latter, Authentication=
> is ignored.

I forgot to set GRP5. Now Transforms=3DES-SHA-GRP5 in [Default-main-mode].

But it seems I need either Default-phase-1-ID in [General] or ID in 
<ISAKMP-peer>. Of course in both cases Authentication= is present in
<ISAKMP-peer>.

Now it works. Thanks. (The peer is a Sidewinder.)
The final config is below. (Maybe some stuff is superfluous, but it works.)

#######

[General]
Listen-on=		1.1.1.1
Shared-SADB=		Defined
##Default-phase-1-ID=	Road-Warrior-east

[Phase 1]
2.2.2.2=		ISAKMP-peer-west

[Phase 2]
Connections=		IPsec-east-west

[ISAKMP-peer-west]
Phase=			1
Transport=		udp
Local-address=		1.1.1.1
Address=		2.2.2.2
Configuration=		Default-main-mode
Authentication=		somesecret
ID=			Road-Warrior-east

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-west
Configuration=		Default-quick-mode
Local-ID=		East
Remote-ID=		Net-west

[Net-west-peer]
ID-type=		IPV4_ADDR
Address=		2.2.2.2

[Road-Warrior-east]
ID-type=		USER_FQDN
Name=			user@fqdn.net

[East]
ID-type=		IPV4_ADDR
Address=		1.1.1.1

[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		3.3.3.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA-GRP5

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-SUITE

#######

-Hanspeter
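The following script is an added example, not code from the post, from isakmpd or from the Sidewinder side. It parses the `[Section]` / `Tag=Value` syntax of isakmpd.conf(5) and runs the consistency checks this thread turned on: every section named by `Configuration=`, `ISAKMP-peer=`, `Local-ID=`, `Remote-ID=`, `ID=`, `Connections=` or a `[Phase 1]` entry must exist; each ID section must carry the tag its `ID-type` needs; a Phase 1 peer on a preshared-key transform must have `Authentication=`; a Phase 1 peer should have either `ID=` or a `Default-phase-1-ID` in `[General]` (the poster's observation); and sections nobody references are listed as the "maybe superfluous" leftovers. The sample input is the poster's final config, with tabs replaced by spaces and the obfuscated address written as `user@fqdn.net` (an assumption).

```python
"""Consistency checker for an isakmpd.conf(5)-style configuration.
Added example; not code from the original post or from isakmpd.
SAMPLE_CONF reproduces the poster's config (spaces instead of tabs;
the e-mail address is assumed to be user@fqdn.net).
"""

# Tags whose value names another section (Connections may list several).
SECTION_REFS = {"Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID",
                "Default-phase-1-ID", "ID", "Connections"}
# Tags each ID-type requires, per isakmpd.conf(5).
ID_REQUIRED = {"IPV4_ADDR": ("Address",), "IPV6_ADDR": ("Address",),
               "IPV4_ADDR_SUBNET": ("Network", "Netmask"),
               "IPV6_ADDR_SUBNET": ("Network", "Netmask"),
               "FQDN": ("Name",), "USER_FQDN": ("Name",), "KEY_ID": ("Name",)}
ROOT_SECTIONS = {"General", "Phase 1", "Phase 2"}   # entry points, never "unused"

SAMPLE_CONF = """\
[General]
Listen-on=      1.1.1.1
Shared-SADB=    Defined
##Default-phase-1-ID=   Road-Warrior-east
[Phase 1]
2.2.2.2=        ISAKMP-peer-west
[Phase 2]
Connections=    IPsec-east-west
[ISAKMP-peer-west]
Phase=          1
Transport=      udp
Local-address=  1.1.1.1
Address=        2.2.2.2
Configuration=  Default-main-mode
Authentication= somesecret
ID=             Road-Warrior-east
[IPsec-east-west]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-west
Configuration=  Default-quick-mode
Local-ID=       East
Remote-ID=      Net-west
[Net-west-peer]
ID-type=        IPV4_ADDR
Address=        2.2.2.2
[Road-Warrior-east]
ID-type=        USER_FQDN
Name=           user@fqdn.net
[East]
ID-type=        IPV4_ADDR
Address=        1.1.1.1
[Net-west]
ID-type=        IPV4_ADDR_SUBNET
Network=        3.3.3.0
Netmask=        255.255.255.0
[Default-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA-GRP5
[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-SUITE
"""


def parse_conf(text):
    """Return {section: {tag: value}}; '#' starts a comment, as in isakmpd.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            tag, value = (s.strip() for s in line.split("=", 1))
            sections[current][tag] = value
        else:
            raise ValueError("malformed line: %r" % raw)
    return sections


def check_conf(sections):
    """Return a list of problem strings; an empty list means the config is consistent."""
    problems, general = [], sections.get("General", {})
    for addr, peer in sections.get("Phase 1", {}).items():     # address -> peer section
        if peer not in sections:
            problems.append("[Phase 1] %s= names missing section [%s]" % (addr, peer))
    for name, tags in sections.items():
        for tag, value in tags.items():
            if tag in SECTION_REFS:
                for ref in (v.strip() for v in value.split(",")):
                    if ref not in sections:
                        problems.append("[%s] %s= names missing section [%s]" % (name, tag, ref))
        if "ID-type" in tags:
            if tags["ID-type"] not in ID_REQUIRED:
                problems.append("[%s] unknown ID-type %s" % (name, tags["ID-type"]))
            for req in ID_REQUIRED.get(tags["ID-type"], ()):
                if req not in tags:
                    problems.append("[%s] ID-type %s needs %s=" % (name, tags["ID-type"], req))
        if tags.get("Phase") == "1":
            # The poster needed one of the two to talk to his peer.
            if "ID" not in tags and "Default-phase-1-ID" not in general:
                problems.append("[%s] has no ID= and [General] has no Default-phase-1-ID" % name)
            # Transforms without RSA_SIG/DSS authenticate with a preshared key,
            # which is taken from Authentication= (as the quoted reply explains).
            conf = sections.get(tags.get("Configuration", ""), {})
            transforms = [t.strip() for t in conf.get("Transforms", "").split(",")]
            if any(t and "RSA_SIG" not in t and "DSS" not in t for t in transforms) \
                    and "Authentication" not in tags:
                problems.append("[%s] uses a preshared-key transform but has no Authentication=" % name)
    return problems


def unused_sections(sections):
    """Sections defined but never named by [Phase 1] or by a reference tag."""
    used = set(sections.get("Phase 1", {}).values())
    for tags in sections.values():
        for tag, value in tags.items():
            if tag in SECTION_REFS:
                used.update(v.strip() for v in value.split(","))
    return sorted(set(sections) - ROOT_SECTIONS - used)
```

Running `check_conf(parse_conf(SAMPLE_CONF))` on the posted config returns no problems, and `unused_sections` returns `['Net-west-peer']`, the one section nothing points at. The checks mirror what the thread says about the config, not isakmpd's own parser, which remains the authority on what it accepts; the Phase 1 identity check in particular encodes the poster's observation with his peer rather than a documented requirement.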
