05-08-2007 01:37 AM - edited 02-21-2020 03:01 PM
Hello everybody!
Situation description:
A Cisco 2811 router is the gateway to the internet.
The dialer interface is NAT outside.
There is also a site-to-site VPN connection.
Problem:
A user wants to connect from inside with a VPN client to an external site.
The VPN connection is established, but no data goes through it.
On the Cisco router I see this message in the log:
May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=217.91.38.253, prot=50, spi=0x7B9200C8(2073166024), srcaddr=195.243.107.30
So it seems like NAT does not work for this?
I configured the router with the SDM.
Here's the config:
version 12.4
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address 222.222.222.2222
!
!
crypto ipsec transform-set IPSEC_Proposal_Gateprotect esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 222.222.222.2222
set peer 222.222.222.2222
set transform-set IPSEC_Proposal_Gateprotect
match address 100
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
no mop enabled
!
interface FastEthernet0/0/0
switchport access vlan 2
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname blabla@t-online-com.de
ppp chap password xxx
crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat inside source static tcp 192.168.2.10 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.199 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
end
Any hints?
Kind regards
Marcel
05-14-2007 10:22 AM
This error occurs when the peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then re-establish successfully. I think you will have to re-enter the pre-shared keys manually. Enter these commands:
isakmp nat
sysopt connection tcpmss 1300
This error may also appear when there is an attack from outside. The following link may help you:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guide_book09186a00803bbeb5.html
05-17-2007 07:28 AM
Hi!
Thanks for your answer!
The problem is not the site-to-site VPN connection, which is made by the router itself; it is that a user inside the local network cannot use a VPN connection with some client from his workstation.
When the user starts HIS VPN connection, it looks established, but there is no data flow.
And on the router I see this error message
no valid SA found.
Maybe it is a problem when the router does a site-to-site VPN and NAT outside on the same interface?
Regards
Marcel
05-23-2007 09:41 PM
Hi
I'm working on the same problem.
I have routers with an L2L VPN for management and clients behind the router establishing a VPN to the central site.
Sometimes the management VPN gets lost, and if I take a look at "sh ip nat trans" I can see that there are two NAT translations:
(roIP=router outside IP, cLIP=client LAN IP, csVPNg=central site VPN gateway)
Pro  Inside global   Inside local   Outside local   Outside global
udp  roIP:500        cLIP:500       csVPNg:500      csVPNg:500
udp  roIP:4500       cLIP:4500      csVPNg:4500     csVPNg:4500
This naturally collides with the router's management VPN connection from roIP:500 to csVPNg:500.
What is astonishing is that it works for a certain time.
Until now I haven't found a solution.
The only thing I have in mind is to change the router's VPN to another UDP port or to TCP.
But maybe there's an easier solution?
Stephan
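Added example (not part of the thread, and not Cisco tooling): a small triage script that ties the two symptoms above together. It parses the `%CRYPTO-4-RECVD_PKT_INV_SPI` line from Marcel's first post and buckets it by whether the ESP source is one of the router's own crypto-map peers (stale SA, the case described in the second reply) or a foreign host whose ESP was meant for a client behind NAT and, because the outside interface carries a crypto map, got handed to the crypto engine instead. It then scans `show ip nat translations` output in the shape Stephan quotes and flags PAT entries that occupy the router's own UDP 500/4500 socket on the outside address, marking those whose outside global is also a crypto-map peer, which is exactly the collision Stephan sees. The log line is copied from the post; the NAT table uses RFC 5737 documentation addresses in place of roIP/cLIP/csVPNg and is constructed; the router address sets, peer sets, bucket names and function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# --- Constructed sample input (not captured from a real device) -----------------
# Copy of the syslog line quoted in the opening post.
SAMPLE_LOG = (
    "May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC "
    "packet has invalid spi for destaddr=217.91.38.253, prot=50, "
    "spi=0x7B9200C8(2073166024), srcaddr=195.243.107.30"
)
# 'show ip nat translations' in the shape Stephan describes; 203.0.113.1 stands in
# for roIP, 192.168.2.50 for cLIP, 198.51.100.10 for csVPNg.  The tcp line is
# ordinary web traffic added so the filter has something to ignore.
SAMPLE_NAT = """\
Pro Inside global      Inside local       Outside local       Outside global
udp 203.0.113.1:500    192.168.2.50:500   198.51.100.10:500   198.51.100.10:500
udp 203.0.113.1:4500   192.168.2.50:4500  198.51.100.10:4500  198.51.100.10:4500
tcp 203.0.113.1:1024   192.168.2.50:52311 198.51.100.20:443   198.51.100.20:443
"""
# Assumed environment values; on a real box take them from 'show ip interface
# brief' and 'show crypto map'.  222.222.222.2222 is the sanitized peer string
# exactly as it appears in the posted config.
ROUTER_OUTSIDE_IPS: Set[str] = {"217.91.38.253", "203.0.113.1"}
MARCEL_PEERS: Set[str] = {"222.222.222.2222"}
STEPHAN_PEERS: Set[str] = {"198.51.100.10"}
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)
NAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+"
    r"(?P<ig>[\d.]+):(?P<igp>\d+)\s+"
    r"(?P<il>[\d.]+):(?P<ilp>\d+)\s+"
    r"(?P<ol>[\d.]+):(?P<olp>\d+)\s+"
    r"(?P<og>[\d.]+):(?P<ogp>\d+)\s*$"
)


@dataclass(frozen=True)
class InvalidSpiEvent:
    destaddr: str
    prot: int
    spi: int
    srcaddr: str


@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside_global: str
    inside_global_port: int
    inside_local: str
    inside_local_port: int
    outside_global: str
    outside_global_port: int


def parse_invalid_spi(line: str) -> Optional[InvalidSpiEvent]:
    """Extract the addresses, protocol and SPI from a RECVD_PKT_INV_SPI syslog line."""
    m = INV_SPI_RE.search(line)
    if m is None:
        return None
    return InvalidSpiEvent(m["dst"], int(m["prot"]), int(m["spi"], 16), m["src"])


def classify_invalid_spi(ev: InvalidSpiEvent, router_ips: Set[str], peers: Set[str]) -> str:
    """Bucket names are my own: 'peer-sa-mismatch' for ESP from a configured peer
    carrying an SPI the router no longer holds, 'passthrough-esp' for ESP addressed
    to the router from a host that is not a peer (a NATed client's return traffic)."""
    if ev.destaddr not in router_ips:
        return "unknown-destination"
    if ev.prot != 50:
        return "not-esp"
    if ev.srcaddr in peers:
        return "peer-sa-mismatch"
    return "passthrough-esp"


def parse_nat_translations(text: str) -> List[NatEntry]:
    """Parse tcp/udp rows of 'show ip nat translations'; header and other rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m is None:
            continue
        entries.append(NatEntry(m["proto"], m["ig"], int(m["igp"]), m["il"], int(m["ilp"]),
                                m["og"], int(m["ogp"])))
    return entries


def find_ike_port_collisions(entries: List[NatEntry], router_ips: Set[str],
                             peers: Set[str]) -> List[Tuple[NatEntry, bool]]:
    """PAT entries that sit on the router's own outside IP at UDP 500/4500, i.e. the
    socket its own ISAKMP uses.  The flag is True when the outside global is also a
    crypto-map peer, so the client's flow and the router's own IKE share a 5-tuple."""
    return [(e, e.outside_global in peers) for e in entries
            if e.proto == "udp" and e.inside_global in router_ips
            and e.inside_global_port in IKE_PORTS]


if __name__ == "__main__":
    ev = parse_invalid_spi(SAMPLE_LOG)
    print(ev, "->", classify_invalid_spi(ev, ROUTER_OUTSIDE_IPS, MARCEL_PEERS))
    for e, same_peer in find_ike_port_collisions(parse_nat_translations(SAMPLE_NAT),
                                                 ROUTER_OUTSIDE_IPS, STEPHAN_PEERS):
        print(f"collision on {e.inside_global}:{e.inside_global_port} "
              f"from {e.inside_local}:{e.inside_local_port}, same peer as router: {same_peer}")
```

Paste real `show logging` and `show ip nat translations` output into the two constants to use it on your own router; anything the script flags as `passthrough-esp` or as a port-500/4500 collision is the NAT-plus-crypto-map interaction the thread is circling, not a problem with the site-to-site tunnel's keys.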
07-21-2007 12:00 AM
Hi!
My problem was an IOS software bug in 12.4(13).
I used another version and it works without a problem.
Marcel