Problems with VPN Tunnel (IPSEC Spoof)

Maccatron
Level 1

Hi,

Basically we have a tunnel between two sites (obviously).

We are both on a network on the inside interfaces (theirs is 10.20.x.x / 255.255.0.0 and ours is 172.16.0.0)

The tunnel comes up fine. If he then tries to ping me it fails. I have added the ACL rule in for his IP and the destination IP and the error it comes up with is:

Result (ipsec-spoof) IPSEC Spoof Detected

If the tunnel is down when I do the trace the packet is allowed.

Any ideas - the full trace for the allowed telnet is below:

ASA# packet-tracer input outside tcp 10.20.15.171 25 172.16.4.60 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.171 host 172.16.4.60
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (82.33.211.83 [Interface PAT])
translate_hits = 198, untranslate_hits = 3
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

Thanks for looking!


irisrios
Level 6

You get this message when a packet which is not encrypted is received. Check on the other side if you have any ACL configured that is blocking ESP.
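As an added example (not code from the thread or from Cisco), here is a small Python parser for the packet-tracer output format shown above. It splits the trace into phases and the final verdict so the pattern in this thread, VPN phases returning ALLOW yet the packet ending in an ipsec-spoof drop, can be flagged programmatically. The sample trace is a constructed abridgement of the one in the post.

```python
import re
# Constructed sample: an abridged copy of the trace from the post above
# (two of the eleven phases kept; the final Result block kept intact).
SAMPLE_TRACE = """\
ASA# packet-tracer input outside tcp 10.20.15.171 25 172.16.4.60 25
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

FIELD = re.compile(r"^(Phase|Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

def parse_trace(trace):
    """Return (phases, summary): one dict per 'Phase:' block, plus the
    trailing summary block (the bare 'Result:' line starts it)."""
    phases, summary, current = [], {}, None
    for line in trace.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "phase":
            current = {"phase": val}
            phases.append(current)
        elif key == "result" and val == "":
            current = summary          # everything after this is the verdict
        elif current is not None:
            current[key] = val
    drop = re.match(r"\(([^)]+)\)\s*(.*)", summary.get("drop-reason", ""))
    summary["code"] = drop.group(1) if drop else None
    return phases, summary

def diagnose(trace):
    """Flag the thread's case: VPN phases ALLOW, yet the final action is an ipsec-spoof drop."""
    phases, s = parse_trace(trace)
    vpn = [p.get("subtype", "") for p in phases if p.get("type") == "VPN"]
    if s.get("action") == "drop" and s["code"] == "ipsec-spoof" and "ipsec-tunnel-flow" in vpn:
        return "ipsec-spoof after VPN phases (%s): clear-text packet on a tunnelled flow; check ESP reaches this peer" % ", ".join(vpn)
    return "%s: %s" % (s.get("action", "unknown"), s["code"] or "no drop reason")
```

Feed it the full trace from the post (or `show` output pasted from your own ASA) to get the same one-line diagnosis.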
