cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
926
Views
0
Helpful
9
Replies

Cisco VPN from aASA 5520 to 1941 router using gsm-hwic card (vodafone sim)

csco10865546
Level 1
Level 1

Hi all,

I have been able to make my router with gsm-hwic card browse by being able to ping google and the rest.

But now i am trying to set the vpn from my asa 5520 to the remote router ...site to site.

I keep getting this error attached and want to know if someone could help me figure out what i am doing wrong.

Please i wil really appreciate an urgent reply pls.

thanks

9 Replies 9

Yudong Wu
Level 7
Level 7

can you post the configuration from both sides?

Did you configure the pre-shared key on ASA?

HI ,

Yes i configured preshared key on both the router and the ASA.

Thanks

I think the tunnel is failing because of extended authnetication,

Could you try adding the no xauth key word beside the key, and try and connect to the VPN again ??

Let us know how it goes.

Hi,

Any particular reason why you are forcing aggressive mode on the router for this site to site VPN? If not, please try removing these commands:

crypto isakmp peer address 195.89.37.162
set aggressive-mode password ********
set aggressive-mode client-endpoint ipv4-address 195.89.37.162

And add this command:

crypto isakmp key ******** address 195.89.37.162

Also, on the ASA, please have a tunnel-group configured with the IP address of the router:

tunnel-group WAN_IP_OF_ROUTER type ipsec-l2l

tunnel-group WAN_IP_OF_ROUTER ipsec-attributes

pre-shared-key ********

Let me know if this helps!!

Regards,

Prapanch

On ASA5520, you configured dynamic crypto map. Therefore, the preshared-key under tunnel-group "REMOTE-1941" won't be used.

In lan-2-lan vpn, ASA will use the tunnel-group whose name matchs the peer's IP, otherwise, it will use the default lan-2-lan tunnel group "DefaultL2LGroup", you can do the following,

1. as what is suggested by Prapanch, configure a tunnel-group with peer's IP adddress as the name. You must add a tunnel-group for each remote sites.

or

2. configure the following and all remote site will use this shared key.

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key


@Avinash...Is the no xauth keyword to be added on the ASA end (just want to confirm that before I go ahead please )

@Prapanah...I need to force the aggresive mode because the remote router doesnt have a static IP address (using a vodafone sim card on it with ipcp negotiated)

Will try your suggestions (Yudong ,Avinash and Prapanah) tomorrow morning at work and will update you guys.

Thanks for your contribution .

Cheers

Hi All,

I have tried the suggestions but unfortunately the same errors .........

did you add the following in ASA?

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key

If it still does not work, please provide the debug output from both side?
ON Router
--------------
debug cry isa

On ASA
--------------
debug cry isa 255

If you have multiple peers terminated on this ASA, you can use "debug cry condition peer x.x.x.x" to filter the debug output.

Hi Yudong,

yes I applied those commands and still didnt work.

The errors and debugs are the same ones in the earlier post.

Thanks