Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

VPN tunnel ASA 5515 to DIGICOM 8E4571

Hi all,

I'm trying to create a VPN tunnel between my ASA5515 router and a DIGICOM 8E4571 Modem3G.

Could you help me about this configuration??

 

Belove the error messages that 3Grouter returns me:

 

17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: received Hash Payload does not match computed value
17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: sending notification INVALID_HASH_INFORMATION to 217.56.112.75:500
17-10-24 10:22:15 <3> ipsec: "IPsec_Tunnel_1" #172: discarding duplicate packet; already STATE_AGGR_I1
17-10-24 10:22:23 <3> ipsec: "IPsec_Tunnel_1" #172: discarding duplicate packet; already STATE_AGGR_I1
17-10-24 10:22:31 <3> ipsec: "IPsec_Tunnel_1" #172: discarding duplicate packet; already STATE_AGGR_I1
17-10-24 10:22:39 <3> ipsec: "IPsec_Tunnel_1" #172: encrypted Informational Exchange message is invalid because no key is known

 

 

I can't find where error is...please help me

Everyone's tags (4)
8 REPLIES
Hall of Fame Super Gold

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

In the output that you selected I see two messages that appear to be significant:

17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: received Hash Payload does not match computed value

If the computed value does not match the transmitted value then perhaps it indicates some issue in transmission. Can you successfully do a ping between the address used for the VPN to the interface on the peer used for the VPN?

 

17-10-24 10:22:39 <3> ipsec: "IPsec_Tunnel_1" #172: encrypted Informational Exchange message is invalid because no key is known

This suggests that there is not a key configured for the address of the peer. Can you post the config?

 

HTH

 

Rick

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

No, I can't perform a ping to remote device.

The connection isn't established.

 

Attached there's the ASA 5515 config file

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

....and here is DIGICOM 3G Modem IpSec configuration file.

 

Hope this will be helpful

 

BR

Hall of Fame Super Gold

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

Thanks for the additional information and the config from the ASA. I see several potential issues.

- your ASA config does nat for all traffic going through the outside interface. This would include the VPN traffic. You probably need a nat for the VPN traffic that specifies that no translation be done for the VPN traffic.

- You have configured the VPN tunnel for both IKEv1 and IKEv2. It is not clear what the other end is doing. I am not sure whether it is an issue or not. My experience is that I have always configured a VPN for one or the other.

- your crypto access list indicates that the remote LAN is 192.168.10.0. Your crypto map indicates that the remote peer address is 192.168.10.1. That seems problematic for several reasons, most especially since you are using a public IP on the ASA interface it suggests that you are connecting to the Internet. But 192.168 addresses are not routable on the Internet.

 

HTH

 

Rick

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

Thanks a lot Rick,

i'll try to follow your tips and i'll let you know

 

BR

Gianmaria

Hall of Fame Super Gold

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

Thanks for also sending the config for digicom. I am not familiar with this device so there are some things that it is difficult for me to identify. But what I am seeing so far includes these things.

- I do not any reference in digicom config for the address of the ASA 217.56.112.75. I see references for some other addresses in that subnet, but nothing that matches the ASA.

- The ASA config indicates that the remote LAN is 192.168.10.0 but I do not see that subnet on digicom. I do see reference to one address in that subnet but not anything else.

- I see multiple configs for ISAKMP but not anything that clarifies whether it is IKEv1 or IKEv2 or both.

 

Perhaps you can point me to the parts of the digicom config that are for the ASA VPN?

 

HTH

 

Rick

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

Hi rick,

here is the right config file.

Sorry about that

Hall of Fame Super Gold

Re: VPN tunnel ASA 5515 to DIGICOM 8E4571

Gianmaria

 

Thank you for sending the different config file. I see these lines which seem to point to 192.168.1.0 as the remote LAN whereas the ASA identifies 192.168.2.0 as its LAN.

<Remote_Subnet default="" range="0-16">192.168.1.0</Remote_Subnet>

<Remote_ID default="" range="0-64">192.168.1.1</Remote_ID>

 

HTH

 

Rick

867
Views
0
Helpful
8
Replies
CreatePlease to create content