Cannot Establish IPSec VPN with Cisco ASA



I am having trouble establishing IPSec VPN between the Pepwave MAX BR1 and a Cisco ASA. On the ASA side, a static IP is in use and on the BR1, we use cellular connection where the wireless carrier assigns a static IP.

On both sides, we are using:

  • Main Mode
  • Phase 1 (and Phase 2) Proposal is 3DES & SHA1
  • DH Group is 2 in both proposals

The ASA shows the session as being up. The BR1 does not show the session as being connected. However, in the log of the BR1 we get:

  • Initiating Main Mode connection…
  • Malformed payload, please verify the Preshared Key or other settings
  • IKE Proposal refused, please verify Phase 1 (IKE) settings

Please help!


Have you tried using AES for Phase 1 (IKE) Proposal?



It looks like you are using Main mode with static IP’s on each side so that is good, however in some cases(watchguard) we’ve seen that the local/remote ID needed to be filled in (even though it should not need it when in Main Mode) and things then came up, so it may be worth trying. Also as Ron mentioned, you may want to try another method such as AES if at all possible as 3des is deprecated. Ensure all phases/pre-shared key match on each side.

example for the local/remote ID

Peplink Settings:
Local ID: Peplink@Watchguard
Remote ID: Watchguard@Peplink

Other Unit Settings:
Local ID: Watchguard@Peplink
Remote ID: Peplink@Watchguard

Keep in mind that the “@” is required