Router terminating and passing VPN traffic

Unanswered Question
Sep 30th, 2007


I have a situation where I would like to allow clients on the inside of my network to VPN to other 3rd parties (the clients will get NATed to the outside interface of the router), while at the same time there are site-to-site VPNs to others. When I configure it, the router logs %CRYPTO-4-RECVD_PKT_INV_SPI when the client tries to connect to the remote VPN server, which I assume is because the router is trying to decrypt the packet rather than forwarding it to the internal client that sent it.

Is this configuration possible?


didyap Fri, 10/05/2007 - 08:46

It's normal to see this Invalid SPI message once every few hours because of the IPSec Phase 2 rekey, unless you face a lot of connectivity issues. If you are only getting these messages occasionally, it is usually because the SA is being renegotiated. This periodic renegotiation of SAs is, itself, a security feature designed to make the environment more robust, so the occasional appearance of these messages is normal.
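The reply above draws a line between an occasional invalid-SPI message (a Phase 2 rekey race) and a steady stream of them (a real problem, such as an inside client's ESP being terminated on the router instead of passed through). The script below is an added example, not code from the thread or from Cisco: it parses constructed IOS syslog lines whose layout is modelled on the %CRYPTO-4-RECVD_PKT_INV_SPI message (exact spacing is an assumption), groups the events per source peer, and flags any peer that produces several messages inside one window. The window size and threshold are assumed values to tune for your own rekey lifetimes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout follows the IOS invalid-SPI message; the precise spacing and
# the leading "*" on the timestamp are assumptions about the log format.
INV_SPI_RE = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), "
    r"prot=(?P<prot>\d+), spi=(?P<spi>0x[0-9A-Fa-f]+)"
    r".*?srcaddr=(?P<src>[\d.]+)"
)

# Constructed sample log (not from the original thread). Peer 198.51.100.7
# logs one invalid SPI hours apart, the pattern of a normal rekey race.
# Peer 192.0.2.25 logs five in two minutes with the same SPI, the pattern of
# a tunnel the router does not own but keeps trying to decapsulate.
SAMPLE_LOG = """\
*Oct  5 08:00:01.100: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7, input interface=FastEthernet0/0
*Oct  5 08:00:02.200: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Oct  5 12:31:44.010: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x5E6F7A8B(1584431755), srcaddr=198.51.100.7, input interface=FastEthernet0/0
*Oct  5 14:10:00.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xDEADBEEF(3735928559), srcaddr=192.0.2.25, input interface=FastEthernet0/0
*Oct  5 14:10:05.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xDEADBEEF(3735928559), srcaddr=192.0.2.25, input interface=FastEthernet0/0
*Oct  5 14:10:10.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xDEADBEEF(3735928559), srcaddr=192.0.2.25, input interface=FastEthernet0/0
*Oct  5 14:10:30.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xDEADBEEF(3735928559), srcaddr=192.0.2.25, input interface=FastEthernet0/0
*Oct  5 14:11:50.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xDEADBEEF(3735928559), srcaddr=192.0.2.25, input interface=FastEthernet0/0
"""


def parse_inv_spi(lines, year=2007):
    """Extract invalid-SPI events; other syslog lines are ignored.

    IOS timestamps carry no year, so the caller supplies one."""
    events = []
    for line in lines:
        m = INV_SPI_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "prot": int(m["prot"]), "spi": m["spi"].lower()})
    return events


def classify_peers(events, window_seconds=3600, burst_threshold=3):
    """Per source peer, find the busiest window and label it.

    A single message per window is consistent with a Phase 2 rekey race;
    burst_threshold or more in one window is worth investigating
    (broken SA, or ESP that should have been NATed through, not terminated).
    Thresholds are assumed defaults, not Cisco guidance."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        max_in_window, start = 0, 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        verdicts[src] = {
            "count": len(evs),
            "max_in_window": max_in_window,
            "distinct_spis": len({e["spi"] for e in evs}),
            "verdict": "investigate" if max_in_window >= burst_threshold else "likely-rekey",
        }
    return verdicts


def analyze(log_text, **kwargs):
    """Convenience wrapper: raw syslog text in, per-peer verdicts out."""
    return classify_peers(parse_inv_spi(log_text.splitlines()), **kwargs)


if __name__ == "__main__":
    for src, v in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src:15} count={v['count']} max/window={v['max_in_window']} "
              f"distinct_spis={v['distinct_spis']} -> {v['verdict']}")
```

The `distinct_spis` field is the useful second signal: a rekey race produces a fresh SPI each time, whereas a peer that repeats one SPI the router has never negotiated is sending traffic the router should not be decapsulating at all.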

