CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

In your original post, you had the log line:

2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'

Please insert a picture of the Edit of the Remote Gateway definition that resulted in that line.  If you haven't already opened a ticket with Sophos Support, you should get started on that now.

Cheers - Bob

Hey Bob,

I'm a colleague of J F1's. I'm attaching a screenshot of that definition. We do have a case open with support, and actually had a conference yesterday with them as well as the vendor who has the Cisco. Here's an interesting note-we currently have a Sonicwall deployed at one of our branch offices, and as a workaround, were able to route the traffic through there. However, we're retiring that Sonicwall within the next few weeks, sothis is only a temporary fix. Strangely enough, the configuration provided to us by the vendor worked just fine-no additional config needed on our end when going through the Sonicwall.

I'm following this thread as I posted a link earlier on in this:

https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/53974/ipsec-vpn-id-question

In the above thread, there is discussion about using psk's and vpn id's which could clearly apply to this issue.

Can anybody confirm that you can change the VPN ID type (and it is not transparently overidden by the UTM) when using psk's?

I can confirm that. See screenshot.

regards

mod

I can confirm that. See screenshot.

regards

mod

Cheers mod2402,

I've never set up like this so it's good to know for future reference. Did the above work in both initiate connection and respond only and both ways?

To the OP, there are some settings under advanced eg use VPN ID for preshared keys. Have you tried that?

eg on vpn host setup leave VPN ID as blank, go to advanced settings and then set it there eg try hostname and abc? shot in the dark really.

Louis-M said:

Did the above work in both initiate connection and respond only and both ways?

Yes

Louis-M said:

To the OP, there are some settings under advanced eg use VPN ID for preshared keys. Have you tried that?

That's what you must configure if the remote site need VPN Typ "dns name" for psk.

Louis-M said:

eg on vpn host setup leave VPN ID as blank, go to advanced settings and then set it there eg try hostname and abc? shot in the dark really.

 

There are two areas where the VPN TYPE ID can be placed.

1. Under "Edit remote gateway"

2. Under advanced which applies globally.

I'm just wondering if it makes any difference if hostanme is applied under either or both at the same time?

Louis-M said:

There are two areas where the VPN TYPE ID can be placed.

1. Under "Edit remote gateway"

2. Under advanced which applies globally.

I'm just wondering if it makes any difference if hostanme is applied under either or both at the same time?

 

Editing it under advanced wouldn't work for us as we have another (working) tunnel that uses a different ID. Unless editing it in the specific remote gateway supersedes the global setting. Does anyone know if that's the case?

Please, open a support case.

regards

mod

We've got one open already, but were hoping that the hivemind on here could also be helpful to us. Thanks for the responses though!

I'm stuck with a similar issue talking to an ASA5515.  Did you ever get an answer to your issue?

No luck. We had a site running on an old Sonicwall that we hadn't upgraded, so we're running the tunnel through there.

I wonder what would happen if one created a Host definition as follows?

Cheers - Bob