In the output that you selected I see two messages that appear to be significant:
17-10-24 10:22:07 <3> ipsec: "IPsec_Tunnel_1" #172: received Hash Payload does not match computed value
If the computed value does not match the transmitted value then perhaps it indicates some issue in transmission. Can you successfully ping from the address used for the VPN to the interface on the peer used for the VPN?
17-10-24 10:22:39 <3> ipsec: "IPsec_Tunnel_1" #172: encrypted Informational Exchange message is invalid because no key is known
This suggests that there is not a key configured for the address of the peer. Can you post the config?
Thanks for the additional information and the config from the ASA. I see several potential issues.
- Your ASA config does NAT for all traffic going through the outside interface. This would include the VPN traffic. You probably need a NAT rule for the VPN traffic that specifies that no translation be done for the VPN traffic.
- You have configured the VPN tunnel for both IKEv1 and IKEv2. It is not clear what the other end is doing. I am not sure whether it is an issue or not. My experience is that I have always configured a VPN for one or the other.
- Your crypto access list indicates that the remote LAN is 192.168.10.0. Your crypto map indicates that the remote peer address is 192.168.10.1. That seems problematic for several reasons, most especially since you are using a public IP on the ASA interface, which suggests that you are connecting to the Internet. But 192.168 addresses are not routable on the Internet.
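An added example, not part of the original reply and not the poster's config: a small Python check that parses a constructed ASA fragment and reports the crypto map points raised above (a private peer address, a peer that sits inside the crypto ACL's remote LAN, and IKEv1 and IKEv2 both set on one entry). Only 192.168.10.0 and 192.168.10.1 come from the thread; the map name, ACL name, local LAN, /24 masks and transform-set/proposal names are assumptions, and only the network/mask form of ACL lines is handled.

```python
import ipaddress
import re

# Constructed ASA fragment for illustration; names and masks are assumptions.
SAMPLE_CONFIG = """\
access-list VPN_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE_MAP 1 match address VPN_ACL
crypto map OUTSIDE_MAP 1 set peer 192.168.10.1
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 1 set ikev2 ipsec-proposal AES256
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1|set ikev2) (\S+)")

def check_crypto_map(config):
    """Return a list of findings, one string each, per crypto map entry."""
    acls, entries = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            # Keep only the destination (remote LAN) side of each ACL line.
            name, _src, _smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(ipaddress.ip_network(f"{dst}/{dmask}"))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, key, value = m.groups()
            entries.setdefault((name, int(seq)), {})[key] = value
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        peer = ipaddress.ip_address(e["set peer"]) if "set peer" in e else None
        # is_private covers RFC 1918 and other ranges that are not globally routable.
        if peer is not None and peer.is_private:
            findings.append(f"{tag}: peer {peer} is a private address, not routable on the Internet")
        for net in acls.get(e.get("match address"), []):
            if peer is not None and peer in net:
                findings.append(f"{tag}: peer {peer} is inside remote LAN {net}")
        if "set ikev1" in e and "set ikev2" in e:
            findings.append(f"{tag}: both IKEv1 and IKEv2 are configured")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_map(SAMPLE_CONFIG):
        print(finding)
```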