From: Dmitry Melekhov on 21 Jul 2010 04:55

Hello!

I need to establish a VPN connection over the internet.

On one side I have a Cisco 3845 which is directly connected to the internet. On the other side I have a 2801, which is behind a Zyxel ADSL modem in router mode (i.e. the real IP is on the modem, and the modem does NAT for the Cisco).

sh crypto sess on 2801:

    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 78.85.33.237 port 4500
      IKE SA: local 192.168.107.1/4500 remote 78.85.133.237/4500 Active
      IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 host 78.85.133.237
            Active SAs: 6, origin: crypto map

sh crypto sess on 3845:

    Interface: Serial3/0.200
    Session status: UP-ACTIVE
    Peer: 78.85.37.90 port 10017
      IKE SA: local 78.85.133.237/4500 remote 78.85.137.90/10017 Active
      IPSEC FLOW: permit 47 host 78.85.133.237 0.0.0.0/0.0.0.0
            Active SAs: 6, origin: crypto map

But traffic doesn't pass.

I see the same error on both sides:

    %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237

NAT-T is on:

    crypto ipsec nat-transparency udp-encapsulation

Could you tell me how I can solve this problem?
From: bod43 on 21 Jul 2010 07:54

On 21 July, 09:55, Dmitry Melekhov <d...(a)belkam.com> wrote:
> Could you tell me how can I solve this problem?

No :)

This does work; I have done it using PIXes :-) I don't recall any special problems. I was working remotely and was under pressure to get it to go. Boss: "Our new DSL (in a city 2 countries away) goes live tonight, can you reconfigure the firewall. Oh, by the way, the old one dies at the same time." !!!!!!!!!!!!!!!

Here is a complete example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

It uses a tunnel, which may not be what you want, but either the example may help you or of course you could just use the tunnel too, if you have a sufficiently recent IOS.
From: Igor Mamuzić aka Pseto on 23 Jul 2010 07:45
On 21.7.2010. 10:55, Dmitry Melekhov wrote:
> Hello!
>
> I need to establish vpn connection over internet.
> On one side I have cisco 3845 which is directly connected to internet.
> On another side I have 2801, which is behind zyxel adsl modem in
> router mode (i.e. real ip is on modem, modem do nat for cisco).
>
> sh crypto sess on 2801:
>
> Interface: FastEthernet0/0
> Session status: UP-ACTIVE
> Peer: 78.85.33.237 port 4500
> IKE SA: local 192.168.107.1/4500 remote 78.85.133.237/4500 Active
> IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 host 78.85.133.237
> Active SAs: 6, origin: crypto map
>
> sh crypto sess on 3845:
>
> Interface: Serial3/0.200
> Session status: UP-ACTIVE
> Peer: 78.85.37.90 port 10017
> IKE SA: local 78.85.133.237/4500 remote 78.85.137.90/10017 Active
> IPSEC FLOW: permit 47 host 78.85.133.237 0.0.0.0/0.0.0.0
> Active SAs: 6, origin: crypto map
>
> But traffic doesn't pass.
>
> I see the same error on both sides:
>
> %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid
> spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944),
> srcaddr=78.85.133.237
>
> NAT-T is on:
> crypto ipsec nat-transparency udp-encapsulation
>
> Could you tell me how can I solve this problem?

Can you post 'show crypto ipsec sa' from both routers?

BTW, can you use the Zyxel as a bridge only and do PPPoE on the Cisco side? I strongly recommend this. You will get a much more stable, rock-solid connection. Try to avoid double routing/NAT on small business installations whenever possible.
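As an added example (not code from the thread or from Cisco), a small Python triage helper for the message Dmitry posted and the 'show crypto ipsec sa' output Igor asks for: it parses RECVD_PKT_INV_SPI lines, counts them per peer pair, and checks whether the rejected SPI appears among the router's own inbound ESP SAs. The log lines and the show output below are constructed samples modelled on the IOS formats, not output from the original routers.

```python
import re
from collections import Counter

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=0x(?P<spi>[0-9a-fA-F]+)"
    r"\(\d+\), srcaddr=(?P<src>[\d.]+)")
SA_SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9a-fA-F]+)\(\d+\)")

def parse_inv_spi(line):
    """Parse one RECVD_PKT_INV_SPI syslog line; return None for unrelated lines."""
    m = INV_SPI_RE.search(line)
    if m is None:
        return None
    return {"dst": m["dst"], "src": m["src"], "prot": int(m["prot"]), "spi": int(m["spi"], 16)}

def inbound_spis(show_sa_text):
    """Collect SPIs listed under 'inbound esp sas:' in 'show crypto ipsec sa' output."""
    spis, in_inbound = set(), False
    for line in show_sa_text.splitlines():
        if "inbound esp sas:" in line:
            in_inbound = True
        elif "outbound esp sas:" in line:
            in_inbound = False
        elif in_inbound and (m := SA_SPI_RE.match(line)):
            spis.add(int(m[1], 16))
    return spis

def triage(log_lines, show_sa_text):
    """Count events per (srcaddr, destaddr) and list SPIs that no local inbound SA carries.
    prot=17 means the rejected packet arrived UDP-encapsulated (NAT-T), not as raw ESP."""
    known = inbound_spis(show_sa_text)
    events = [ev for ev in map(parse_inv_spi, log_lines) if ev]
    return {
        "per_peer": Counter((ev["src"], ev["dst"]) for ev in events),
        "unknown_spis": sorted({ev["spi"] for ev in events if ev["spi"] not in known}),
        "all_nat_t": bool(events) and all(ev["prot"] == 17 for ev in events),
    }

LOG = [  # constructed sample, modelled on the line posted in the thread
    "Jul 21 09:50:01: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237",
    "Jul 21 09:50:02: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237",
    "Jul 21 09:50:03: %SYS-5-CONFIG_I: Configured from console by console",
]
SHOW_SA = """\
     inbound esp sas:
      spi: 0x5A8C1F30(1519132464)
     outbound esp sas:
      spi: 0x7E2B9A11(2116786705)
"""
```

An SPI reported as unknown means the local SADB holds no inbound SA for it, so the peer is sending on an SA this side does not have; comparing the list against the peer's outbound SPIs is the next step.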