VPN tunnel ASA 5515 to DIGICOM 8E4571

Hi all,

I'm trying to create a VPN tunnel between my ASA5515 router and a DIGICOM 8E4571 Modem3G.

Could you help me with this configuration?

Below are the error messages that the 3G router returns:

17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: received Hash Payload does not match computed value
17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: sending notification INVALID_HASH_INFORMATION to 217.56.112.75:500
17-10-24 10:22:15 <3> ipsec: "IPsec_Tunnel_1" #172: discarding duplicate packet; already STATE_AGGR_I1
17-10-24 10:22:23 <3> ipsec: "IPsec_Tunnel_1" #172: discarding duplicate packet; already STATE_AGGR_I1
17-10-24 10:22:31 <3> ipsec: "IPsec_Tunnel_1" #172: discarding duplicate packet; already STATE_AGGR_I1
17-10-24 10:22:39 <3> ipsec: "IPsec_Tunnel_1" #172: encrypted Informational Exchange message is invalid because no key is known

I can't find where the error is... please help me.

8 Replies

Richard Burts
Hall of Fame

In the output that you selected I see two messages that appear to be significant:

17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: received Hash Payload does not match computed value

If the computed value does not match the transmitted value then perhaps it indicates some issue in transmission. Can you successfully do a ping between the address used for the VPN to the interface on the peer used for the VPN?
17-10-24 10:22:39 <3> ipsec: "IPsec_Tunnel_1" #172: encrypted Informational Exchange message is invalid because no key is known

This suggests that there is not a key configured for the address of the peer. Can you post the config?

HTH

Rick

No, I can't perform a ping to remote device.

The connection isn't established.


Attached is the ASA 5515 config file

... and here is the DIGICOM 3G modem IPsec configuration file.

Hope this will be helpful

BR

Thanks for the additional information and the config from the ASA. I see several potential issues.

- your ASA config does NAT for all traffic going through the outside interface. This would include the VPN traffic. You probably need a nat for the VPN traffic that specifies that no translation be done for the VPN traffic.

- You have configured the VPN tunnel for both IKEv1 and IKEv2. It is not clear what the other end is doing. I am not sure whether it is an issue or not. My experience is that I have always configured a VPN for one or the other.

- your crypto access list indicates that the remote LAN is 192.168.10.0. Your crypto map indicates that the remote peer address is 192.168.10.1. That seems problematic for several reasons, most especially since you are using a public IP on the ASA interface it suggests that you are connecting to the Internet. But 192.168 addresses are not routable on the Internet.

HTH

Rick

Thanks a lot Rick,

I'll try to follow your tips and I'll let you know

BR

Gianmaria

Thanks for also sending the config for digicom. I am not familiar with this device so there are some things that it is difficult for me to identify. But what I am seeing so far includes these things.

- I do not see any reference in the digicom config for the address of the ASA 217.56.112.75. I see references for some other addresses in that subnet, but nothing that matches the ASA.

- The ASA config indicates that the remote LAN is 192.168.10.0 but I do not see that subnet on digicom. I do see reference to one address in that subnet but not anything else.

- I see multiple configs for ISAKMP but not anything that clarifies whether it is IKEv1 or IKEv2 or both.

Perhaps you can point me to the parts of the digicom config that are for the ASA VPN?

HTH

Rick

Hi Rick,

here is the right config file.

Sorry about that

Gianmaria


Thank you for sending the different config file. I see these lines which seem to point to 192.168.1.0 as the remote LAN whereas the ASA identifies 192.168.2.0 as its LAN.

<Remote_Subnet default="" range="0-16">192.168.1.0</Remote_Subnet>

<Remote_ID default="" range="0-64">192.168.1.1</Remote_ID>


HTH

Rick