Router terminating and passing VPN traffic

5d-swan
Level 1

Hi

I have a situation where I would like to allow clients on the inside of my network to VPN to other 3rd parties (the clients will get NATed to the outside interface of the router), while at the same time there are site-to-site VPNs to others. When I configure it, the router logs %CRYPTO-4-RECVD_PKT_INV_SPI when the client tries to connect to the remote VPN server, which I assume is because the router is trying to decrypt the packet rather than forwarding it to the internal client that sent it.

Is this configuration possible?

Thanks!

1 Reply

didyap
Level 6

It's normal to see this Invalid SPI message once every few hours because of the IPSec Phase 2 rekey, unless you face a lot of connectivity issues. If you are only getting these messages occasionally, it is usually because the SA is being renegotiated. This periodic renegotiation of SAs is, itself, a security feature designed to make the environment more robust, so the occasional appearance of these messages is normal.
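
One way to separate the occasional rekey-time message described in the reply above from a sustained stream, as an added example that is not part of the original thread: the script counts %CRYPTO-4-RECVD_PKT_INV_SPI events per source address in a sliding window. The log lines are constructed samples, and the one-hour window and threshold of 3 are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ts, src, spi):
    # Builds one constructed sample line (addresses, SPIs and times are made up).
    return (f"Mar  1 {ts}: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
            f"has invalid spi for destaddr=192.0.2.1, prot=50, "
            f"spi=0x{spi:08X}({spi}), srcaddr={src}")

SAMPLE_LOG = "\n".join(
    [_line("01:00:05", "198.51.100.7", 0x1A2B3C4D)]
    + [_line(f"02:1{i // 2}:{30 * (i % 2):02d}", "203.0.113.9", 0x0BADF00D)
       for i in range(5)]
    + ["Mar  1 03:00:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
       _line("05:02:11", "198.51.100.7", 0x5E6F7081)])

LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+).*?"
    r"spi=(?P<spi>0x[0-9A-Fa-f]+).*?srcaddr=(?P<src>[\d.]+)")

def parse(log_text):
    """Return (timestamp, srcaddr, destaddr, spi) for every invalid-SPI line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # The sample timestamps carry no year, so a fixed one is assumed.
            stamp = "2000 " + " ".join(m["ts"].split())
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], m["spi"]))
    return events

def classify(events, window=timedelta(hours=1), max_in_window=3):
    """Map each srcaddr to (verdict, peak number of events inside one window)."""
    by_src = defaultdict(list)
    for ts, src, _dst, _spi in events:
        by_src[src].append(ts)
    verdicts = {}
    for src, times in by_src.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window's left edge forward
            peak = max(peak, end - start + 1)
        label = "persistent" if peak > max_in_window else "occasional"
        verdicts[src] = (label, peak)
    return verdicts
```

A source flagged as persistent that is not one of the router's configured site-to-site peers points away from the rekey explanation and toward traffic the router is not expected to terminate.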
