Site-to-Site IPSec VPN tunnel towards Cisco ASA, main mode not working

I’m trying to configure a simple main mode IPSec VPN tunnel towards a Cisco ASA from a WR11 router, to be able to talk between their respective inside (behind NAT) networks.

Both ends have effectively static and public IP addresses with all-open access to and from the Internet (special APN from the operator and IP address lock based on SIM number), but still even IKE/Phase1 negotiation seems to fail for a reason unknown to me. Both the Cisco ASA and the WR11 have public and static IP addresses on their respective interfaces (ASA outside and WR11/PPP1).

I’ve checked the official documentation and knowledge base; there seems to be no example of similar situations, only more complex examples that are not required in this case.

From the ASA VPN debug logs I can see that the WR11 is trying to establish the tunnel; they even agree on IKE SA proposals, and the ASA is trying to send an answer (IKE_DECODE SENDING) without success (IKE_DECODE RESENDING), while the WR11 seems to be trying to resend the first packet again and again, as the ASA sees it and logs: “Duplicate first packet detected. Ignoring Packet.”

I’m fairly familiar with the Cisco ASA world and its configuration, but cannot seem to be able to configure the WR11 to talk the same language. :)

If you are getting duplicate attempts from the WR11, is the Cisco actually sending back a response to the initial request?

There should be more debug available from the Cisco to say if it is not happy with the initial request.

You would have to see on the transport if the replies from the Cisco are actually arriving.



In the end this was indeed an outside network problem between mobile accesses of the same operator, nothing to do with WR11 compatibility with the ASA, which seems to be working when using different operators. Thanks for the answer anyway.
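
The symptom pattern discussed in this thread can be triaged per peer from responder debug output. The following is an added example, not part of the original posts: only the three message strings quoted in the first post are taken from the thread, while the line layout, the `IP = ` prefix handling, the peer addresses and the verdict names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (layout assumed). Addresses are documentation ranges.
SAMPLE_LOG = """\
[IKEv1]IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1)
[IKEv1]IP = 203.0.113.10, Duplicate first packet detected. Ignoring Packet.
[IKEv1]IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1)
[IKEv1]IP = 203.0.113.10, Duplicate first packet detected. Ignoring Packet.
[IKEv1]IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1)
[IKEv1]IP = 198.51.100.7, Duplicate first packet detected. Ignoring Packet.
[IKEv1]IP = 198.51.100.7, Duplicate first packet detected. Ignoring Packet.
[IKEv1]IP = 192.0.2.44, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1)
"""

PEER = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
# Message strings as quoted in the first post of this thread.
MARKERS = {
    "sent": "ike_decode sending",
    "resent": "ike_decode resending",
    "dup_first": "duplicate first packet detected",
}

def count_events(log_text):
    """Count sent / resent / duplicate-first-packet events per peer address."""
    counts = defaultdict(lambda: dict.fromkeys(MARKERS, 0))
    for line in log_text.splitlines():
        m = PEER.search(line)
        if not m:
            continue
        peer_counts = counts[m.group(1)]
        lowered = line.lower()
        for key, marker in MARKERS.items():
            if marker in lowered:
                peer_counts[key] += 1
    return dict(counts)

def triage(log_text):
    """Map each peer to a hypothetical verdict name describing where to look next."""
    verdicts = {}
    for peer, c in count_events(log_text).items():
        if c["dup_first"] and (c["sent"] or c["resent"]):
            # Responder answers, initiator keeps retrying: capture on the path.
            verdicts[peer] = "reply_not_arriving"
        elif c["dup_first"]:
            # Initiator retries and no answer was logged: read responder debug.
            verdicts[peer] = "no_reply_logged"
        else:
            verdicts[peer] = "no_retransmit_pattern"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG).items():
        print(peer, verdict)
```

A `reply_not_arriving` verdict points at the network between the two endpoints rather than at the IKE configuration, which is what the thread's resolution turned out to be.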