Re: isakmpd: unknown id type user_fqdn
On Jun 08 at 17:18, Hakan Olsson spoke:
>
> It's ok to use a USER_FQDN ID when referring to a certificate etc., but not
> as you do here as the Local-ID in phase 2 (Quick Mode). A phase 2 ID is
> usually an address or a network, i.e. IP addresses.
It should now be treated as a Default-phase-1-ID.
>
> > [ISAKMP-peer-west]
> > Phase= 1
> > Transport= udp
> > Local-address= 1.1.1.1
> > Address= 2.2.2.2
> > Configuration= Default-main-mode
> > Authentication= myauth
> > ID= Road-Warrior-east
> > Remote-ID= Net-west
>
> ID is ok to have here, even though you don't use X509 auth.
> Remote-ID should not be here.
I have removed the Remote-ID.
> >
> > [IPsec-east-west]
> > Phase= 2
> > ISAKMP-peer= ISAKMP-peer-west
> > Configuration= Default-quick-mode
> > Local-ID= Road-Warrior-east
> > Remote-ID= Net-west
>
> Local-ID is wrong. Remote-ID is ok.
>
I have removed the Local-ID. But now I get:
195642.982189 Default connection_record_passive: "Local-ID" is missing from section [IPsec-east-west]
195642.982215 Default connection_init: could not record connection "IPsec-east-west"
-Hanspeter
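The three rules Hakan states above (ID= is allowed in the phase 1 peer section but Remote-ID= is not; a phase 2 section needs both Local-ID= and Remote-ID=; phase 2 IDs must be address or network types rather than USER_FQDN) can be checked before isakmpd is started instead of being discovered one restart at a time. The Python lint below is an added example written for this thread, not isakmpd's own code and not part of any message in it. It runs over three constructed versions of the configuration quoted above: the original, the one with Local-ID= removed (which produces the "Local-ID is missing" log line), and a corrected one. The [Road-Warrior-east], [Net-west] and [Host-east] ID sections, the Name=/Network=/Netmask= values and the use of Default-phase-1-ID in [General] are assumptions for illustration, following the isakmpd.conf(5) syntax; the thread does not show them.

```python
import re

# Phase 2 (Quick Mode) IDs are traffic selectors, so isakmpd.conf(5) only
# allows address/network ID types there; FQDN/USER_FQDN/KEY_ID are phase 1 only.
PHASE2_ID_TYPES = {"IPV4_ADDR", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET"}

_SECTION = re.compile(r"^\[(.+?)\]$")
_KEYVAL = re.compile(r"^([^=#]+?)\s*=\s*(.*?)$")


def parse_isakmpd_conf(text):
    """Parse "[Section]" / "Key= value" lines into {section: {key: value}}.

    Minimal reader for the isakmpd.conf(5) syntax: '#' starts a comment,
    keys are case-sensitive, a later duplicate key overwrites an earlier one.
    """
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = conf.setdefault(m.group(1), {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conf


def lint_ids(conf):
    """Return a list of ID placement problems, phrased like isakmpd's own log lines."""
    problems = []
    for name, sec in conf.items():
        phase = sec.get("Phase")
        if phase == "1":
            # ID= is fine in the peer section even without X.509; Remote-ID= is not.
            if "Remote-ID" in sec:
                problems.append(f"[{name}]: Remote-ID does not belong in a phase 1 (ISAKMP-peer) section")
        elif phase == "2":
            for key in ("Local-ID", "Remote-ID"):
                ref = sec.get(key)
                if ref is None:
                    # The condition behind connection_record_passive's
                    # '"Local-ID" is missing from section' message.
                    problems.append(f'[{name}]: "{key}" is missing')
                    continue
                idtype = conf.get(ref, {}).get("ID-type")
                if idtype is None:
                    problems.append(f"[{name}]: {key} refers to [{ref}], which has no ID-type")
                elif idtype not in PHASE2_ID_TYPES:
                    problems.append(f"[{name}]: {key} [{ref}] has ID-type {idtype}; "
                                    "phase 2 IDs must be one of " + ", ".join(sorted(PHASE2_ID_TYPES)))
    return problems


# Constructed from the configuration quoted in the thread. The two ID sections
# are assumed (the thread does not show them) with the types the error implies.
BROKEN_CONF = """
[ISAKMP-peer-west]
Phase= 1
Transport= udp
Local-address= 1.1.1.1
Address= 2.2.2.2
Configuration= Default-main-mode
Authentication= myauth
ID= Road-Warrior-east
Remote-ID= Net-west

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Road-Warrior-east
Remote-ID= Net-west

[Road-Warrior-east]
ID-type= USER_FQDN
Name= east@example.com

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
"""

# The thread's second state: Local-ID= simply removed from the phase 2 section.
NO_LOCAL_ID_CONF = "\n".join(l for l in BROKEN_CONF.splitlines() if not l.startswith("Local-ID="))

# Assumed corrected layout: the USER_FQDN ID becomes the phase 1 identity (via
# Default-phase-1-ID and ID=), and phase 2 gets an address ID ([Host-east]) instead.
FIXED_CONF = """
[General]
Default-phase-1-ID= Road-Warrior-east

[ISAKMP-peer-west]
Phase= 1
Transport= udp
Local-address= 1.1.1.1
Address= 2.2.2.2
Configuration= Default-main-mode
Authentication= myauth
ID= Road-Warrior-east

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Host-east
Remote-ID= Net-west

[Road-Warrior-east]
ID-type= USER_FQDN
Name= east@example.com

[Host-east]
ID-type= IPV4_ADDR
Address= 1.1.1.1

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
"""

if __name__ == "__main__":
    for label, text in (("original", BROKEN_CONF), ("Local-ID removed", NO_LOCAL_ID_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {lint_ids(parse_isakmpd_conf(text)) or 'ok'}")
```

The lint mirrors the sequence in the thread: the original configuration is flagged for the stray Remote-ID= in the peer section and for the USER_FQDN Local-ID in phase 2, dropping Local-ID= only trades one complaint for the "is missing" one, and the corrected layout keeps the USER_FQDN as the phase 1 identity while giving phase 2 an IPV4_ADDR/IPV4_ADDR_SUBNET pair.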