Hi Carlos,

I'm not sure I'm correctly understanding your reason for using aggressive mode, but are you sure that the other end of the connection is expecting an aggressive mode negotiation? If your only special requirement is that the other end of the connection is being initiated from an unknown peer address, then simply setting the peer to 0.0.0.0, which it looks like you've done, should work for you.
Either way, I don't think your phase 1 negotiation will complete if only one end is set to aggressive mode. This may be the reason for the INVALID_ID error. Have you tried connecting with aggrmode=no? If none of the above apply to your situation, can you reply with the VPN configuration on the remote end? Also, what type of device is it?

Thanks!
Robyn

Dunmoodie, Carlos wrote:
> Here's my config
>
> conn peer-0.0.0.0-tunnel-1
>     left=1.1.1.1
>     right=%any
>     leftsubnet=192.168.12.0/24
>     rightsubnet=192.168.10.0/24
>     rekey=no
>     ike=3des-sha1,3des-sha1
>     ike=3des-sha1,3des-sha1
>     ikelifetime=3600s
>     aggrmode=yes
>     esp=3des-md5,3des-sha1
>     keylife=1800s
>     rekeymargin=540s
>     type=tunnel
>     pfs=yes
>     compress=no
>     authby=secret
>     auto=add
>
> From the initiator I get an error message "INVALID_ID INFORMATION".
>
> How do you configure the user id to match the userid from the
> initiator, or does that matter?
>
> Also, does the above config look accurate for an aggressive mode? When I
> configure "auto=ignore" I see no IPSEC information.
>
> When I change auto=add, I see the IPSEC negotiations, and it doesn't
> initiate, which is good. But tunnel not established.
>
> Carlos Dunmoodie
> Network Engineer
> Engineering
> Office: (301) 944-2896
> Cell: (443) 864-9822
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ken Felix
> Sent: Monday, February 04, 2008 7:32 PM
> To: vyatta-users@mailman.vyatta.com
> Subject: [Vyatta-users] IPSec Termination
>
> Couldn't you get the same thing with the VPN dead peer-detect set to
> HOLD?
>
> Under strongswan for example, there's a setting that would allow you to
> auto=start or auto=ignore; if you could add this, you should be okay.
> Here's how my vyatta ipsec.conf looks:
>
> If the last line was set to auto=ignore, then I would think ipsec would
> be started and the host would wait for the far-end ( right ) to
> initiate the session.
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
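Robyn's point that both ends must agree on the exchange mode, and Carlos's question of whether his conn "looks accurate", can be checked mechanically before anyone turns on debugging. The Python linter below is an added example and is not code from this thread, from Vyatta, or from strongSwan/Openswan. It parses the `conn` sections of two ipsec.conf-style texts, reports duplicate keys, flags a PSK responder that accepts aggressive mode from `right=%any`, and cross-checks the two ends against each other: same `aggrmode`, at least one common `ike` and `esp` proposal, mirrored subnets and peer addresses, and at least one end with `auto=start`. The responder input reuses the conn Carlos posted; the initiator conn (`to-hq`, address 203.0.113.7) is constructed for this example, and the `auto=` meanings assumed (ignore, add, start) are those of the ipsec.conf manual page.

```python
"""Lint two ends of an IKEv1 tunnel described in ipsec.conf syntax.

Added example, not code from the thread, Vyatta or strongSwan/Openswan.
Assumes the plain key=value conn syntax shown in the thread.
"""
import re
from typing import Dict, List, Tuple

Conn = Dict[str, str]


def parse_ipsec_conf(text: str) -> Tuple[Dict[str, Conn], List[str]]:
    """Return {conn_name: {key: value}} plus warnings for repeated keys.

    A key repeated inside one conn is reported and the last value is kept;
    that is this linter's choice, not a model of any IKE daemon's parser."""
    conns: Dict[str, Conn] = {}
    warnings: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if line.startswith(("config ", "ca ", "include ")):
            current = None                           # not a conn section
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in conns[current]:
            warnings.append(f"{current}: duplicate key '{key}' (last value wins)")
        conns[current][key] = value
    return conns, warnings


def lint_conn(name: str, conn: Conn) -> List[str]:
    """Single-side checks on one conn."""
    issues: List[str] = []
    aggressive = conn.get("aggrmode", "no") == "yes"
    if aggressive and conn.get("authby") == "secret" and conn.get("right") == "%any":
        issues.append(f"{name}: aggrmode=yes with authby=secret and right=%any: "
                      "aggressive mode exchanges identities and the PSK-based hash "
                      "before encryption is up, and %any accepts that from any "
                      "address; prefer main mode or pin the peer address")
    if conn.get("auto") == "ignore":
        issues.append(f"{name}: auto=ignore means the conn is not loaded at all, "
                      "so no negotiation will ever be seen")
    return issues


def check_pair(a_name: str, a: Conn, b_name: str, b: Conn) -> List[str]:
    """Cross-check the two ends. 'left' is each box's own side, so a's left*
    values must equal b's right* values and vice versa."""
    issues: List[str] = []
    if a.get("aggrmode", "no") != b.get("aggrmode", "no"):
        issues.append(f"{a_name}/{b_name}: aggrmode differs; phase 1 cannot "
                      "complete unless both ends use the same exchange mode")
    for key in ("ike", "esp"):                       # proposals must overlap
        a_props = {p.strip() for p in a.get(key, "").split(",") if p.strip()}
        b_props = {p.strip() for p in b.get(key, "").split(",") if p.strip()}
        if a_props and b_props and not (a_props & b_props):
            issues.append(f"{a_name}/{b_name}: no common {key} proposal")
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if a.get(mine) != b.get(theirs):
            issues.append(f"{a_name}/{b_name}: {mine}={a.get(mine)} does not "
                          f"mirror {theirs}={b.get(theirs)}")
    for mine, theirs in (("left", "right"), ("right", "left")):
        if "%any" not in (a.get(mine), b.get(theirs)) and a.get(mine) != b.get(theirs):
            issues.append(f"{a_name}/{b_name}: {mine}={a.get(mine)} does not "
                          f"match {theirs}={b.get(theirs)}")
    if a.get("auto") != "start" and b.get("auto") != "start":
        issues.append(f"{a_name}/{b_name}: neither end has auto=start, "
                      "so nobody will initiate the tunnel")
    return issues


def lint_tunnel(a_text: str, b_text: str) -> List[str]:
    """Parse both ends (one conn each) and return every finding."""
    a_conns, findings = parse_ipsec_conf(a_text)
    b_conns, b_warnings = parse_ipsec_conf(b_text)
    findings += b_warnings
    (a_name, a), = a_conns.items()
    (b_name, b), = b_conns.items()
    findings += lint_conn(a_name, a) + lint_conn(b_name, b)
    findings += check_pair(a_name, a, b_name, b)
    return findings


# Responder: the conn Carlos posted (duplicate ike= line and all).
RESPONDER_CONF = """
conn peer-0.0.0.0-tunnel-1
    left=1.1.1.1
    right=%any
    leftsubnet=192.168.12.0/24
    rightsubnet=192.168.10.0/24
    ike=3des-sha1,3des-sha1
    ike=3des-sha1,3des-sha1
    aggrmode=yes
    esp=3des-md5,3des-sha1
    authby=secret
    auto=add
"""

# Initiator: constructed for this example (main mode, so it mismatches).
INITIATOR_CONF = """
conn to-hq
    left=203.0.113.7
    right=1.1.1.1
    leftsubnet=192.168.10.0/24
    rightsubnet=192.168.12.0/24
    ike=3des-sha1
    aggrmode=no
    esp=3des-sha1
    authby=secret
    auto=start
"""

if __name__ == "__main__":
    for finding in lint_tunnel(RESPONDER_CONF, INITIATOR_CONF):
        print(finding)
```

Run against the two configs above it reports three findings: the duplicated `ike=` key, the aggressive-mode PSK responder open to `%any`, and the `aggrmode` mismatch between the ends; changing the initiator to `aggrmode=yes` removes the third, which is the check Robyn asks Carlos to make by hand.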