IPSec VPN, GRE Tunnel interface and a 2821

Unanswered Question
Jul 8th, 2008


I'm trying to get a VPN connection working, and for now, it's impossible. The situation is that I have a 2821 with two GbEth interfaces, one inside and the other outside. But the outside is not a real "outside". It is a connection to our provider's router, which has one FastEth on our side and one Serial on theirs. The connection with us uses private addresses, as well as all the path between them and the remote side, in our DataCenter. This is the topology:

(Office):2821(ours):Eth<--->Eth:2600(provider):S0<----(FR Network)-->S0:2600(provider):Eth<--->Router(our CPD)<--------->Internet

There is a PAT with a public address we have configured at the 2821 external interface, translating the 192.168.0.x to this public address. We need a VPN connection to our office for some homework, so I decided to make use of the EasyVPN Server included in the 2821 and the Cisco VPN Client.

Well, if I try to make the VPN using the 2821 external interface as the crypto interface, I cannot point the VPN client to the private address configured there, so I tried the public PAT'ed one. All I get is this series of log messages:


414 12:16:59.259 07/08/2008 Sev=Warning/2 IKE/0xC300009B
Invalid SPI size (PayloadNotify:116)

415 12:16:59.259 07/08/2008 Sev=Info/4 IKE/0xC30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

416 12:16:59.259 07/08/2008 Sev=Warning/3 IKE/0x83000058
Received malformed message or negotiation no longer active (message id: 0x00000000)


So, I supposed that the problem is trying to connect to an IP that doesn't belong to a physical interface, and I changed the topology, virtually: I made a GRE tunnel between the two remote sites, to avoid the part we are not in control of, using the PAT IP as the address for the Tunnel interface. This is the new schema:

(Office):2821(ours):Tunnel0<-------(FR Network)----->Tunnel0:Router(our CPD)<--------->Internet

PAT is now between the tunnel interface and the inside private addresses. I changed the VPN to reflect this, and... no luck. At least I now get the xAuth login window, but the secure channel never comes up. This is the VPN client log with the infamous NO_PROPOSAL_CHOSEN:


573 12:32:30.314 07/08/2008 Sev=Info/4 IKE/0x43000014



I've made the VPN by CLI as well as with the SDM, and, apart from the names of the policies and maps, nothing changes. So, I'm lost. I don't know what to do now. Any idea?

Thanks in advance.
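As an added example (not part of the post, and not a Cisco tool), the following Python groups the VPN Client log format quoted above into header/message entries and flags the IKE failure notifications. The sample log reuses the three entries quoted above and adds one constructed NO_PROPOSAL_CHOSEN entry with a documentation address, since the post's own line 573 has no message text; the hint texts are general IKE meanings, not a diagnosis of this setup.

```python
import re
from typing import Dict, List, Optional

# Header line of a Cisco VPN Client log entry, as quoted in the post:
# "414 12:16:59.259 07/08/2008 Sev=Warning/2 IKE/0xC300009B"
HEADER = re.compile(r"^(?P<seq>\d+)\s+(?P<time>\S+)\s+(?P<date>\d\d/\d\d/\d{4})\s+"
                    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<subsys>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")

# Message substrings that mark a failing IKE negotiation, with their general
# IKE meaning (not a diagnosis of the poster's particular setup).
IKE_FAILURE_HINTS = {
    "NO_PROPOSAL_CHOSEN": "peer accepted none of the offered ISAKMP policies / transform sets",
    "Invalid SPI size": "reply is not a well-formed IKE notification",
    "Received malformed message": "packet could not be tied to the active negotiation",
}

# Constructed sample: the three entries quoted in the post, plus a constructed
# NO_PROPOSAL_CHOSEN entry with a documentation address (the post's line 573 has no text).
SAMPLE_LOG = """
414 12:16:59.259 07/08/2008 Sev=Warning/2 IKE/0xC300009B
Invalid SPI size (PayloadNotify:116)
415 12:16:59.259 07/08/2008 Sev=Info/4 IKE/0xC30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
416 12:16:59.259 07/08/2008 Sev=Warning/3 IKE/0x83000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
573 12:32:30.314 07/08/2008 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.0.113.10
"""

def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Pair every header line with the message line that follows it."""
    entries, header = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = HEADER.match(line)
        if m:                       # a header opens a new entry
            header = m.groupdict()
            continue
        if header is None:          # message text with no header: skip it
            continue
        hint = next((v for k, v in IKE_FAILURE_HINTS.items() if k in line), None)
        entries.append({**header, "message": line, "hint": hint})
        header = None
    return entries

def ike_failures(text: str) -> List[Dict[str, Optional[str]]]:
    """Only the IKE entries whose message carries a recognised failure indication."""
    return [e for e in parse_log(text) if e["subsys"] == "IKE" and e["hint"]]
```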

laloperez Wed, 07/09/2008 - 01:14

Sorry for the delay, here it is, sanitized and without some parts that are not relevant at all for the purpose of this issue.

(see attachment)


