
Cisco VPN from ASA 5520 to 1941 router using gsm-hwic card (Vodafone SIM)

csco10865546
Level 1

Hi all,

I have been able to make my router with the gsm-hwic card browse, being able to ping Google and the rest.

But now I am trying to set up the VPN from my ASA 5520 to the remote router... site to site.

I keep getting the attached error and want to know if someone could help me figure out what I am doing wrong.

Please, I will really appreciate an urgent reply.

Thanks

9 Replies

Yudong Wu
Level 7

Can you post the configuration from both sides?

Did you configure the pre-shared key on the ASA?

Hi,

Yes, I configured the pre-shared key on both the router and the ASA.

Thanks

I think the tunnel is failing because of extended authentication.

Could you try adding the no xauth keyword beside the key, and try to connect to the VPN again?

Let us know how it goes.

Hi,

Any particular reason why you are forcing aggressive mode on the router for this site to site VPN? If not, please try removing these commands:

crypto isakmp peer address 195.89.37.162
   set aggressive-mode password ********
   set aggressive-mode client-endpoint ipv4-address 195.89.37.162

And add this command:

crypto isakmp key ******** address 195.89.37.162

Also, on the ASA, please have a tunnel-group configured with the IP address of the router:

tunnel-group WAN_IP_OF_ROUTER type ipsec-l2l
tunnel-group WAN_IP_OF_ROUTER ipsec-attributes
   pre-shared-key ********

Let me know if this helps!!

Regards,

Prapanch

On the ASA5520, you configured a dynamic crypto map. Therefore, the pre-shared key under tunnel-group "REMOTE-1941" won't be used.

In a lan-2-lan VPN, the ASA will use the tunnel-group whose name matches the peer's IP; otherwise, it will use the default lan-2-lan tunnel group "DefaultL2LGroup". You can do the following:

1. As suggested by Prapanch, configure a tunnel-group with the peer's IP address as the name. You must add a tunnel-group for each remote site.

or

2. Configure the following, and all remote sites will use this shared key.

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key


@Avinash... Is the no xauth keyword to be added on the ASA end? (Just want to confirm that before I go ahead, please.)

@Prapanch... I need to force aggressive mode because the remote router doesn't have a static IP address (it is using a Vodafone SIM card with IPCP negotiated).

I will try your suggestions (Yudong, Avinash and Prapanch) tomorrow morning at work and will update you guys.

Thanks for your contribution.

Cheers

Hi All,

I have tried the suggestions but unfortunately I get the same errors...

Did you add the following on the ASA?

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key

If it still does not work, please provide the debug output from both sides.

On Router
--------------
debug cry isa

On ASA
--------------
debug cry isa 255

If you have multiple peers terminated on this ASA, you can use "debug cry condition peer x.x.x.x" to filter the debug output.

Hi Yudong,

Yes, I applied those commands and it still didn't work.

The errors and debugs are the same ones as in the earlier post.

Thanks