IKEv2 Auth Problem "Computed authentication value for peer differs from what peer sent"
I've got an IKEv2 auth problem I can't figure out how to account for.
I have ASA 5505s terminating IKEv2/IPSEC on a 1921 (154-3.M2). The ASAs have dynamic IPs that are behind cellular services/hotspots, so the NAT'ing is crazy and usually tunnels don't even match the web traffic's NAT IP (meaning your web traffic comes from one carrier IP, and tunnels come from a different carrier IP, neither is the IP of the hotspot).
I have these ASAs using a specific IKEv2 profile to separate them from the rest of the dynamic tunnels that work perfectly. The ASA has to use the static IP of the router because of a super frustrating ASA limitation.
This is the profile for these ASAs:
crypto ikev2 profile IKEV2-PROFILE_DYNAMIC-KEY-ID
 description ** Allows dynamic tunnels from ASA NAT issues **
 match identity remote key-id xxxxx
 identity local address 199.27.xxx.xxx
 authentication remote pre-share key xxxxxx
 authentication local pre-share key xxxxxx
The error message seen in debug on the hub router is:
"Computed authentication value for peer differs from what peer sent"
I don't understand what this means. It could be the IP address the ASA thinks it's using and puts in the packet versus the IP address that is actually connecting to the router, but that's all NAT scenarios, right? I have IOS based DMVPN devices that can use those same cellular hotspots that work fine, and are connecting perfectly using another IKEv2 profile that matches remote any. All I know for sure is that the router is at least selecting the correct IKEv2 Profile, so that's good.
This specific error has about three hits on Google, so let's see what you guys think.
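For reference, this is the pre-shared-key AUTH calculation from RFC 7296 section 2.15 that an IKEv2 responder recomputes and compares against the AUTH payload the peer sent; it is an added example, not part of the original post and not Cisco code. Assumptions: HMAC-SHA256 is the negotiated PRF, every key, nonce, message byte and key-id below is a constructed value, and the debug message is taken to report this comparison failing.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed string, RFC 7296 section 2.15
ID_KEY_ID = 11                  # ID type, RFC 7296 section 3.5

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the negotiated PRF is PRF_HMAC_SHA2_256.
    return hmac.new(key, data, hashlib.sha256).digest()

def id_body(id_type: int, id_data: bytes) -> bytes:
    # RestOfInitIDPayload = ID type | 3 reserved zero bytes | ID data
    return bytes([id_type, 0, 0, 0]) + id_data

def initiator_auth(psk, sk_pi, message1, nonce_r, idi):
    # InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, IDi')
    signed_octets = message1 + nonce_r + prf(sk_pi, idi)
    return prf(prf(psk, KEY_PAD), signed_octets)

def responder_accepts(received_auth, local_psk, sk_pi, message1, nonce_r, idi):
    # The responder recomputes AUTH from its own configured PSK and the
    # bytes it received, then compares the two values in constant time.
    computed = initiator_auth(local_psk, sk_pi, message1, nonce_r, idi)
    return hmac.compare_digest(computed, received_auth)

# Constructed sample values, not taken from any real exchange.
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()
MSG1 = b"constructed IKE_SA_INIT request (IKE header onward, no IP/UDP header)"
NONCE_R = bytes(range(32))
IDI = id_body(ID_KEY_ID, b"spoke-asa")  # hypothetical key-id
SPOKE_PSK = b"constructed-psk"

def run_cases():
    auth = initiator_auth(SPOKE_PSK, SK_PI, MSG1, NONCE_R, IDI)
    return {
        "same psk": responder_accepts(auth, SPOKE_PSK, SK_PI, MSG1, NONCE_R, IDI),
        "hub psk has trailing space": responder_accepts(
            auth, SPOKE_PSK + b" ", SK_PI, MSG1, NONCE_R, IDI),
        "hub saw different message1 bytes": responder_accepts(
            auth, SPOKE_PSK, SK_PI, MSG1 + b"\x00", NONCE_R, IDI),
    }

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case}: {'AUTH matches' if ok else 'AUTH differs'}")
```

None of the inputs is the IP or UDP header, so the source address a NAT device rewrites is not part of the computed value; the pre-shared key and the exact IKE message bytes are.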