VPN: Local VPN ID choices when using Pre-Shared-Key
If one side of a VPN is another product, it might not accept an 'ANY Remote VPN ID' option, while the UTM doesn't have a fixed IP.
Thus, the other VPN gateway doesn't know the UTM IP, so it cannot use the IP as peer VPN ID. UTM cannot change its local VPN ID when we set up the Authentication type as Pre-Shared Key. The default local VPN ID is the external IP address and cannot be changed.
Please support changing the local VPN ID when the Authentication type is Pre-Shared Key, then we can use hostname or email address as VPN ID.
Hi, is there any documentation on how to configure this?
Bob, this entire problem would not exist if Astaro GUI would allow use of the LEFTID setting in the StrongSWAN config file. It would allow us to tell the router to use whatever IP we want for the peer setting, and we'd select to use the router's NAT'ed public IP which would entirely eliminate this issue.
Bob Alfson commented
James, it sounds like your Remote Gateway for that other side is in "Respond only" mode. Replace that with a different Remote Gateway in "Initiate connection" and you should have the ability to do what you want. 'Respond only' is only used when the other end has to call you because you don't know their IP.
I also commented on coewar's thread link below.
Forgot one thing. This would not be complete if it also did not carry that into the ipsec.secret file. In the least, if you allow setting the MYID and LEFTID settings, those values have to carry over into the ipsec.secret file for the PSK's to work.
This is exactly what I've needed! I've been posting about this regarding Astaro being behind a routed network and being NAT'ed. I just created this feature which would accomplish this as well. http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2506490-expand-ipsec-conf-control-to-webadmin