VPN Client behind a Router does not work

Unanswered Question
May 8th, 2007

Hello everybody!

Situation description:

A Cisco 2811 router is the gateway to the Internet.

The dialer interface is NAT outside.

There is also a VPN site-2-site connection.

Problem:

A user wants to connect from inside with a VPN client to an external site.

The VPN connection is established, but no data goes through it.

On the Cisco router I see this message in the log:

May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=217.91.38.253, prot=50, spi=0x7B9200C8(2073166024), srcaddr=195.243.107.30

So it seems like NAT does not work for this?

I configured the router with the SDM.

Here's the config:

version 12.4
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key xxx address 222.222.222.2222
!
crypto ipsec transform-set IPSEC_Proposal_Gateprotect esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 222.222.222.2222
 set peer 222.222.222.2222
 set transform-set IPSEC_Proposal_Gateprotect
 match address 100
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 2
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
! Dialer0 carries both the NAT overload and the site-2-site crypto map
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password xxx
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source static tcp 192.168.2.10 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.199 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! ACL 101 exempts the site-2-site traffic (192.168.2.0 -> 192.168.1.0) from NAT
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

Any hints?

Kind regards

Marcel

fmeetz Mon, 05/14/2007 - 10:22

This error occurs when the peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then re-establish successfully. I think you will have to re-enter the pre-shared keys manually. Enter these commands:

isakmp nat

sysopt connection tcpmss 1300

This error may also appear when there is an attack from outside. The following link may help you:

http://www.cisco.com/en/US/products/ps6120/products_system_message_guide_book09186a00803bbeb5.html

m-reuter Thu, 05/17/2007 - 07:28

Hi!

Thanks for your answer!

The problem is not the VPN site-2-site connection, which is made by the router itself; it is that a user inside the local network cannot use a VPN connection with some client from his workstation.

When the user starts HIS VPN connection, it looks established, but there is no data flow.

And on the router I see this error message:

no valid SA found.

Maybe it is a problem when the router does a site-2-site VPN and NAT outside on the same interface?

Regards

Marcel

stephan.ochs Wed, 05/23/2007 - 21:41

Hi

I'm working on the same problem.

I have routers with an L2L VPN for management and clients behind the router establishing a VPN to the central site.

Sometimes the management VPN gets lost, and if I take a look at "sh ip nat trans" I can see that there are two NAT translations:

(roIP = router outside IP, cLIP = client LAN IP, csVPNg = central site VPN gateway)

Pro  Inside global  Inside local  Outside local  Outside global
udp  roIP:500       cLIP:500      csVPNg:500     csVPNg:500
udp  roIP:4500      cLIP:4500     csVPNg:4500    csVPNg:4500

This naturally collides with the router's management VPN connection from roIP:500 to csVPNg:500.

What is astonishing is that it works for a certain time.

So far I have not found a solution.

The only thing I have in mind is to change the router's VPN to another UDP port or to TCP.

But maybe there's an easier solution?

Stephan

m-reuter Sat, 07/21/2007 - 00:00

Hi!

My problem was an IOS software bug in 12.4(13).

I used another version and this works without a problem.

Marcel
