I’m trying to configure a simple main mode IPsec VPN tunnel towards a Cisco ASA from a WR11 router, so that their respective inside (behind NAT) networks can talk to each other.
Both ends have effectively static and public IP addresses with all-open access to and from the Internet (special APN from the operator and IP address lock based on SIM number), but even the IKE/Phase 1 negotiation still seems to fail for a reason unknown to me. Both the Cisco ASA and the WR11 have public and static IP addresses on their respective interfaces (ASA outside and WR11/PPP1).
I’ve checked the official documentation and knowledge base; there seems to be no example for a similar situation, only more complex examples that are not required in this case.
From the ASA VPN debug logs I can see that the WR11 is trying to establish the tunnel; they even agree on IKE SA proposals and the ASA is trying to send an answer (IKE_DECODE SENDING), without success (IKE_DECODE RESENDING), while the WR11 seems to be trying to resend the first packet again and again, as the ASA sees it and logs: “Duplicate first packet detected. Ignoring Packet.”
I’m fairly familiar with the Cisco ASA world and its configuration, but cannot seem to be able to configure the WR11 to talk the same language.