In the output that you selected I see two messages that appear to be significant:
17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: received Hash Payload does not match computed value
If the computed value does not match the transmitted value then perhaps it indicates some issue in transmission. Can you successfully ping from the address used for the VPN to the interface on the peer used for the VPN?
17-10-24 10:22:39 <3> ipsec: "IPsec_Tunnel_1" #172: encrypted Informational Exchange message is invalid because no key is known
This suggests that there is not a key configured for the address of the peer. Can you post the config?
Thanks for the additional information and the config from the ASA. I see several potential issues.
- Your ASA config does NAT for all traffic going through the outside interface. This would include the VPN traffic. You probably need a NAT rule for the VPN traffic that specifies that no translation be done for the VPN traffic.
- You have configured the VPN tunnel for both IKEv1 and IKEv2. It is not clear what the other end is doing. I am not sure whether it is an issue or not. My experience is that I have always configured a VPN for one or the other.
- Your crypto access list indicates that the remote LAN is 192.168.10.0. Your crypto map indicates that the remote peer address is 192.168.10.1. That seems problematic for several reasons, most especially because you are using a public IP on the ASA interface, which suggests that you are connecting to the Internet, but 192.168 addresses are not routable on the Internet.
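As an added example (not part of the replies above and not the poster's own config), here is how the points raised in this thread would look on an ASA running 8.3 or later software, with the CLI checks that confirm them: a NAT exemption for the LAN-to-LAN traffic alongside the ordinary Internet PAT, a crypto ACL that uses the real addresses, a crypto map peer set to the remote gateway's public address rather than an address inside the remote LAN, a pre-shared key bound to that peer address (the "no key is known" message means no tunnel-group matched the address the peer connected from), and IKEv1 only. The local LAN 10.1.1.0/24, the peer address 203.0.113.10, and all object, ACL, map and transform-set names are assumed placeholders; 192.168.10.0/24 is the remote LAN from the thread.

```cisco
! Added example, not the poster's configuration. Assumed values:
!   local LAN 10.1.1.0/24, remote LAN 192.168.10.0/24 (from the thread),
!   remote peer public address 203.0.113.10 (placeholder, RFC 5737 range).
!
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
 ! Ordinary Internet PAT for the LAN (object/auto NAT, evaluated in Section 2)
 nat (inside,outside) dynamic interface
!
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
!
! NAT exemption: identity twice NAT (each network mapped to itself) for the
! LAN-to-LAN traffic. Manual NAT (Section 1) is evaluated before object NAT,
! so this matches first and the VPN traffic keeps its real source address.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Crypto ACL: "interesting traffic" uses the real, untranslated addresses
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! IKEv1 only on the outside interface; phase 1 policy (DH group 14 assumes 9.x)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! Phase 2 proposal
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! Peer is the remote gateway's public address, not a host in 192.168.10.0/24
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! The pre-shared key is looked up by the peer's address. If the peer arrives
! from a different address than the one named here, no key is found.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-PSK>
!
! --- Verification from the ASA CLI ---
! 1. Basic reachability to the peer from the outside interface (the ping the
!    reply above asks about)
ping outside 203.0.113.10
! 2. Simulate a LAN-to-LAN packet: the NAT phase should show the exemption
!    rule, followed by a VPN ENCRYPT phase, with no dynamic PAT applied
packet-tracer input inside tcp 10.1.1.5 1234 192.168.10.5 80 detailed
! 3. Phase 1 and phase 2 state for this peer
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

In the packet-tracer output the thing to check is that the NAT phase cites the manual identity rule and not the `dynamic interface` PAT; if the PAT wins, the packet leaves with the outside interface's address as its source, never matches the crypto ACL, and is sent to the Internet unencrypted. If `show crypto isakmp sa` shows no SA at all while the peer is reachable, the phase 1 parameters or the pre-shared key bound to the peer address are the first things to compare with the other end.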