Cisco ASA 5515x to UTM9.2 ASG220

So, ISAKMP is working. But, INVALID_ID_INFORMATION means the Local and Remote networks do not match on both ends. 

But they are the same.

I'm just saying, INVALID_ID_INFORMATION means a mismatch in in Remote/LAN networks. UTM uses OpenSwan for IPSec. There will be plenty of articles online relating to this issue and I'm sure they will all say the same thing.

A mismatch in policies (Key lifetime, encryption and authentication types) and PSKs would throw a different error but it might be worth checking those are matching as well. 

Is there any way to get more information from the UTM about the problem?

Because I have checked everything and they are exactly the same as far as I can tell.

I've listed each device's configuration below. I've also double-checked that the PSK is the same on both sides.

ASA:

object-group network asaSophosVPN-src
network-object 192.168.70.0 255.255.255.0
network-object 192.168.72.0 255.255.255.0
network-object 192.168.71.0 255.255.255.0
object-group network asaSophosVPN-dest
network-object 62.172.32.52 255.255.255.255

access-list asaSophosVPN-traffic extended permit ip object-group asaSophosVPN-src object-group asaSophosVPN-dest
nat (inside,outside) source static asaSophosVPN-src asaSophosVPN-src destination static asaSophosVPN-dest asaSophosVPN-dest no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set asaSophosVPN-set esp-3des esp-sha-hmac

crypto map asaSophosVPN_map 1 match address asaSophosVPN-traffic
crypto map asaSophosVPN_map 1 set pfs
crypto map asaSophosVPN_map 1 set peer X.X.X.50
crypto map asaSophosVPN_map 1 set ikev1 transform-set asaSophosVPN-set
crypto map asaSophosVPN_map interface outside

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

UTM:

# Helloyou
conn S_REF_IpsSitHelloyou_0
authby="psk"
auto="start"
compress="no"
ecn="no"
esp="3des-sha1"
ike="3des-sha1-modp1024"
ikelifetime="86400"
keyexchange="ike"
keylife="3600"
left="X.X.X.50"
leftid="X.X.X.50"
leftsourceip="X.X.X.52"
leftsubnet="X.X.X.52/32"
leftupdown="/usr/libexec/ipsec/updown classic"
pfs="yes"
pfsgroup="modp1024"
pmtu_discovery="no"
rekeymargin="540"
right="Y.Y.Y.26"
rightid="Y.Y.Y.26"
rightsubnet="192.168.72.0/24"
type="tunnel"

conn S_REF_IpsSitHelloyou_1
authby="psk"
auto="start"
compress="no"
ecn="no"
esp="3des-sha1"
ike="3des-sha1-modp1024"
ikelifetime="86400"
keyexchange="ike"
keylife="3600"
left="X.X.X.50"
leftid="X.X.X.50"
leftsourceip="X.X.X.52"
leftsubnet="X.X.X.52/32"
leftupdown="/usr/libexec/ipsec/updown classic"
pfs="yes"
pfsgroup="modp1024"
pmtu_discovery="no"
rekeymargin="540"
right="Y.Y.Y.26"
rightid="Y.Y.Y.26"
rightsubnet="192.168.71.0/24"
type="tunnel"

conn S_REF_IpsSitHelloyou_2
authby="psk"
auto="start"
compress="no"
ecn="no"
esp="3des-sha1"
ike="3des-sha1-modp1024"
ikelifetime="86400"
keyexchange="ike"
keylife="3600"
left="X.X.X.50"
leftid="X.X.X.50"
leftsourceip="X.X.X.52"
leftsubnet="X.X.X.52/32"
leftupdown="/usr/libexec/ipsec/updown classic"
pfs="yes"
pfsgroup="modp1024"
pmtu_discovery="no"
rekeymargin="540"
right="Y.Y.Y.26"
rightid="Y.Y.Y.26"
rightsubnet="192.168.70.0/24"
type="tunnel"

I am not sure then. Let's move away from what "INVALID_ID_INFORMATION" means and go over some other checks. Can you see any other key errors in the ipsec.log? Like "cannot respond to IPsec SA request because no connection is known" or something? Do you have any "VPN Identifiers" set (Depending on the authentication type you must select VPN ID type and VPN Identifier)

The Public IP you're using on each end in the IPSec configuration are correct? Either device isn't using any kind of Additional Public IP interfaces at all? 

Did you tick "Automatic Firewall Rules" when creating this IPSec VPN? Though, it might be worth double checking you're not seeing any any drops of the VPN traffic. 

Is the IPSec traffic going through any other devices that handle traffic on each end of the networks before it reaches the UTM/ASA? 

I am not sure then. Let's move away from what "INVALID_ID_INFORMATION" means and go over some other checks. Can you see any other key errors in the ipsec.log? Like "cannot respond to IPsec SA request because no connection is known" or something? Do you have any "VPN Identifiers" set (Depending on the authentication type you must select VPN ID type and VPN Identifier)

Nope

The Public IP you're using on each end in the IPSec configuration are correct? Either device isn't using any kind of Additional Public IP interfaces at all?

Yes they are correct, and no they are not using any of their public interfaces for this tunnel. 

Did you tick "Automatic Firewall Rules" when creating this IPSec VPN? Though, it might be worth double checking you're not seeing any any drops of the VPN traffic.

Yes I did. 

Is the IPSec traffic going through any other devices that handle traffic on each end of the networks before it reaches the UTM/ASA? 

No it isn't.

And get this... I replaced the object groups in the ASA with plain old network objects, and the UTM stopped complaining, and the tunnel is up. Which is really annoying because I really need all three subnets behind the ASA to participate in this tunnel. This was the only thing I changed.

Sorry, you lost me.  You said "no they are not using any of their public interfaces for this tunnel."  Then, in answer to "Is the IPSec traffic going through any other devices that handle traffic on each end of the networks before it reaches the UTM/ASA?." you said "No it isn't."  Are both endpoints of the tunnel public IPs?

I also don't understand what you're trying to say with your last paragraph.  Please insert pictures of your IPsec Connection and Remote Gateway, both open in edit.

Cheers - Bob