Hi,
Basically we have a tunnel between two sites (obviously).
We are both on a network on the inside interfaces (theirs is 10.20.x.x / 255.255.0.0 and ours is 172.16.0.0)
The tunnel comes up fine. If he then tries to ping me it fails. I have added the ACL rule in for his IP and the destination IP and the error it comes up with is:
Result (ipsec-spoof) IPSEC Spoof Detected
If the tunnel is down when I do the trace the packet is allowed.
Any ideas - the full trace for the allowed telnet is below:
ASA# packet-tracer input outside tcp 10.20.15.171 25 172.16.4.60 25
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.171 host 172.16.4.60
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (82.33.211.83 [Interface PAT])
translate_hits = 198, untranslate_hits = 3
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
Thanks for looking!
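One thing that stands out in the trace above is that every phase reports ALLOW and only the final verdict block drops the packet. When comparing traces (tunnel up versus tunnel down) it helps to separate the per-phase results from that final verdict mechanically. The following parser is an added example, not part of the original post or of any Cisco tool; it runs over a constructed, abridged trace in the same shape as the one above.

```python
import re
# Constructed sample in the shape of the ASA packet-tracer output in the post (abridged).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""
PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records and the final verdict block."""
    phases, verdict, current, in_verdict = [], {}, None, False
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:  # "Phase: N" opens a new phase record
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(current)
            in_verdict = False
            continue
        if line.strip() == "Result:":  # a bare "Result:" opens the final verdict block
            in_verdict, current = True, None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # config/info lines without "key: value" form are not needed here
        key, value = key.strip().lower(), value.strip()
        if in_verdict:
            verdict[key] = value
        elif current is not None and key in ("type", "subtype", "result"):
            current[key] = value
    return phases, verdict

def triage(text):
    """Summarise a trace: phases that did not ALLOW, final action, and the drop code."""
    phases, verdict = parse_packet_tracer(text)
    non_allow = [(p["phase"], p["type"], p["result"]) for p in phases if p["result"] != "ALLOW"]
    action = verdict.get("action", "").lower()
    code = re.search(r"\(([^)]+)\)", verdict.get("drop-reason", ""))
    return {"phase_count": len(phases), "non_allow_phases": non_allow, "action": action,
            "drop_code": code.group(1) if code else "",
            "dropped_despite_all_allow": action == "drop" and not non_allow}
```

Feed it the full trace from the post and `dropped_despite_all_allow` flags exactly the situation described: no phase rejects the packet, yet the verdict is a drop with code ipsec-spoof.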