Problems with VPN Tunnel (IPSEC Spoof)

Unanswered Question
Mar 27th, 2008

Hi,


Basically we have a tunnel between two sites (obviously).


We are both on a network on the inside interfaces (theirs is 10.20.x.x / 255.255.0.0 and ours is 172.16.0.0)


The tunnel comes up fine. If he then tries to ping me it fails. I have added the ACL rule in for his IP and the destination IP and the error it comes up with is:


Result (ipsec-spoof) IPSEC Spoof Detected


If the tunnel is down when I do the trace the packet is allowed.


Any ideas - the full trace for the allowed telnet is below:


ASA# packet-tracer input outside tcp 10.20.15.171 25 172.16.4.60 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.171 host 172.16.4.60
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (82.33.211.83 [Interface PAT])
translate_hits = 198, untranslate_hits = 3
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected


Thanks for looking!

irisrios Wed, 04/02/2008 - 07:04
User Badges:
  • Silver, 250 points or more

You get this message when a packet which is not encrypted is received. Check on the other side if you have any ACL configured that is blocking ESP.
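A small parser for the packet-tracer output quoted in the question, added here as an example (it is not part of the original thread and not a Cisco tool). It turns the phase list and the final verdict into structured data and then applies the reply's diagnosis: a drop-reason of ipsec-spoof together with a VPN/ipsec-tunnel-flow phase and an input interface of outside means the simulated packet reached the firewall in cleartext on a path that is bound to an active IPsec SA. The sample trace embedded below is constructed, abbreviated to three phases and using the hosts and ACL name from the post; the second sample is the same text with an allow verdict substituted so both branches of the classifier are exercised.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input (not captured from a device): an abbreviated
# packet-tracer output in the layout the ASA prints, hosts and ACL name taken
# from the question, phase list shortened.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.171 host 172.16.4.60
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

# Constructed variant with an allow verdict, only to exercise the other branch.
ALLOWED_TRACE = SAMPLE_TRACE.replace(
    "Action: drop\nDrop-reason: (ipsec-spoof) IPSEC Spoof detected\n", "Action: allow\n")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    summary: dict                # key/value lines after the bare "Result:" header
    drop_reason: Optional[str]   # e.g. "(ipsec-spoof) IPSEC Spoof detected"


def parse_packet_tracer(text: str) -> Trace:
    """Parse ASA packet-tracer text into phases plus the final verdict block."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # bare header: the final verdict block
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue                     # banner text before the first phase
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, summary, summary.get("Drop-reason"))


def diagnose(trace: Trace) -> str:
    """Reduce the verdict to a one-line finding, applying the ipsec-spoof rule."""
    if trace.summary.get("Action") == "allow":
        return "allowed"
    reason = trace.drop_reason or "unknown"
    if "ipsec-spoof" in reason:
        tunnel_bound = any(p.type == "VPN" and p.subtype == "ipsec-tunnel-flow"
                           for p in trace.phases)
        if tunnel_bound and trace.summary.get("input-interface") == "outside":
            return ("ipsec-spoof: cleartext packet simulated on 'outside' for a "
                    "flow bound to an active IPsec tunnel; the ASA only accepts "
                    "it inside ESP, so check for an upstream ACL filtering ESP")
        return "ipsec-spoof: " + reason
    return "dropped: " + reason


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_TRACE), ("allowed", ALLOWED_TRACE)):
        t = parse_packet_tracer(text)
        print(name, [(p.number, p.type, p.result) for p in t.phases], "->", diagnose(t))
```

The parser keys on the fact that the per-phase lines read "Result: ALLOW" while the final block opens with a bare "Result:", which is what separates the two in the ASA output. The diagnosis string is only a reading aid; the structured Trace is what you would feed into a ticket or a check script.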
